Merge branch 'master' of github.com:mgeeky/Penetration-Testing-Tools

2025-09-03 02:28:34 +02:00 · 2018-05-02 01:48:15 +02:00
parent 9abaa572f3 cece81cdf6
commit 9bc0df2e0c
4 changed files with 69 additions and 8 deletions
--- a/web/README.md
+++ b/web/README.md
@ -54,7 +54,7 @@

 - **`post.php`** - (GIST discontinued, for recent version check: https://github.com/mgeeky/PhishingPost ) PHP Credentials Harversting script to be used during Social Engineering Phishing campaigns/projects. ([gist](https://gist.github.com/mgeeky/32375178621a5920e8c810d2d7e3b2e5))

- **`reencode.py`** - ReEncoder.py - script allowing for recursive encoding detection, decoding and then re-encoding. To be used for instance in fuzzing purposes. Requires: jwt (pip install pyjwt). ([gist](https://gist.github.com/mgeeky/1052681318a8164b112edfcdcb30798f))
+- **`reencode.py`** - ReEncoder.py - script allowing for recursive encoding detection, decoding and then re-encoding. To be used for instance in fuzzing purposes. Imagine you want to fuzz XML parameters within **PaReq** packet of 3DSecure standard. This packet has been ZLIB compressed, then Base64 encoded, then URLEncoded. In order to modify the inner XML you would need to peel off that encoding layers and then reaplly them in reversed order. This script allows you to do that in an automated manner. ([gist](https://gist.github.com/mgeeky/1052681318a8164b112edfcdcb30798f))

    Sample output could look like:

@ -143,3 +143,7 @@ Node('/None/Base64/URLEncoder', decoded='AAAA')

 - **`XXE Payloads`** - Internal IP address leakage via Object RTC (ORTC) interface implemented in Microsoft Edge. ([gist](https://gist.github.com/mgeeky/181c6836488e35fcbf70290a048cd51d))

+- **`ysoserial-generator.py`** - This tool helps fuzzing applications that use Java serialization under the hood, by automating `ysoserial` proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. 
+This tool generates every possible payload for every implemented gadget, thus resulting in number of payload files (or one file with number of lines), being URL/Base64 encoded along the way or not - which can be later used for manual penetration testing assignments like pasting that file to BurpSuite intruder, or enumerating every payload from within bash/python script.
+
+
--- a/web/reencode.py
+++ b/web/reencode.py
@ -2,7 +2,10 @@

 # 
 # ReEncoder.py - script allowing for recursive encoding detection, decoding and then re-encoding. 
-# To be used for instance in fuzzing purposes.
+# To be used for instance in fuzzing purposes. Imagine you want to fuzz XML parameters within 
+# **PaReq** packet of 3DSecure standard. This packet has been ZLIB compressed, then Base64 encoded, 
+# then URLEncoded. In order to modify the inner XML you would need to peel off that encoding layers 
+# and then reaplly them in reversed order. This script allows you to do that in an automated manner
 # 
 # NOTICE:
 #   If the input string's length is divisble by 4, Base64 will be able to decode it - thus, the script
@ -21,6 +24,7 @@
 import re
 import sys
 import jwt
+import zlib
 import math
 import base64
 import urllib
@ -35,6 +39,22 @@ class ReEncoder:
    # Switch this to show some verbose informations about decoding process.
    DEBUG = False

+    class Utils:
+        @staticmethod
+        def isBinaryData(data):
+            nonBinary = 0
+            percOfBinaryToAssume = 0.10
+
+            for d in data:
+                c = ord(d)
+                if c in (10, 13): 
+                    nonBinary += 1
+                elif c >= 0x20 and c <= 0x7f:
+                    nonBinary += 1
+
+            binary = len(data) - nonBinary
+            return binary >= int(percOfBinaryToAssume * len(data))
+
    # ============================================================
    # ENCODERS SECTION
    #
@ -75,7 +95,7 @@ class ReEncoder:
            if urllib.quote(urllib.unquote(data)) == data and (urllib.unquote(data) != data):
                return True

-            if re.match(r'^(?:%[0-9a-f]{2})+$', data, re.I):
+            if re.search(r'(?:%[0-9a-f]{2})+', data, re.I):
                return True

            return False
@ -157,6 +177,28 @@ class ReEncoder:
        def decode(self, data):
            return jwt.decode(data, verify = False)

+    class ZlibEncoder(Encoder):
+        def name(self):
+            return 'ZLIB'
+
+        def check(self, data):
+            if not ReEncoder.Utils.isBinaryData(data):
+                return False
+
+            try:
+                if zlib.compress(zlib.decompress(data)) == data:
+                    return True
+            except:
+                pass
+            return False
+            
+        def encode(self, data):
+            return zlib.compress(data)
+
+        def decode(self, data):
+            return zlib.decompress(data)
+
+

    # ============================================================
    # ENCODING DETECTION IMPLEMENTATION
@ -172,6 +214,7 @@ class ReEncoder:
            ReEncoder.Base64Encoder(),
            ReEncoder.Base64URLSafeEncoder(),
            ReEncoder.JWTEncoder(),
+            ReEncoder.ZlibEncoder(),

            # None must always be the last detector
            ReEncoder.NoneEncoder(),
@ -352,6 +395,9 @@ class ReEncoder:

        return encodings

+    def getWinningDecodePath(self, root):
+        return [x for x in self.evaluateEncodingTree(root) if x != 'None']
+
    def process(self, data):
        root = anytree.Node('None', decoded = data)
        prev = root
@ -368,9 +414,10 @@ class ReEncoder:
                prev = currNode

        for pre, fill, node in anytree.RenderTree(root):
-            ReEncoder.log("%s%s (%s)" % (pre, node.name, node.decoded[:20].decode('ascii', 'ignore')))
+            if node.name != 'None':
+                ReEncoder.log("%s%s (%s)" % (pre, node.name, node.decoded[:20].decode('ascii', 'ignore')))

-        self.encodings = self.evaluateEncodingTree(root)
+        self.encodings = self.getWinningDecodePath(root)
        ReEncoder.log('[+] Selected encodings: {}'.format(str(self.encodings)))

    def decode(self, data, encodings = []):
@ -399,6 +446,10 @@ class ReEncoder:
        return data

 def main(argv):
+    # Sample 1: ZLIB -> Base64 -> URLEncode
+    sample = 'eJzzSM3JyVcozy%2FKSVFIK8rPVQhKdc1Lzk9JLVIEAIr8Cck%3D'
+
+    # Sample 2: URLEncode -> Base64 -> HexEncode
    sample = '4a5451344a5459314a545a6a4a545a6a4a545a6d4a5449774a5463334a545a6d4a5463794a545a6a4a5459304a5449784a5449774a544e684a544a6b4a544935'

    if len(argv) != 2:
@ -421,4 +472,4 @@ def main(argv):
    print('(3) ENCODED FORM: "{}"'.format(decoded))

 if __name__ == '__main__':
-    main(sys.argv)
+    main(sys.argv)