Updated

Author: root

19 bruteforce_login_form/extract_forms.py

@@ -0,0 +1,30 @@
+#!/usr/bin/python
+
+import requests
+from BeautifulSoup import BeautifulSoup
+
+def request(url):
+	try:
+		return requests.get(url)
+	except requests.exceptions.ConnectionError:
+		pass
+
+target_url = "http://192.168.44.101/mutillidae/index.php?page=dns-lookup.php"
+response = request(target_url)
+
+parsed_html = BeautifulSoup(response.content)
+forms_list = parsed_html.findAll("form")
+
+for form in forms_list:
+	print "Action: ",form.get("action")
+	print "Method: ",form.get("method")
+	print "EncType: ",form.get("enctype")
+	print "ID: ",form.get("id")
+
+
+	inputs_list = form.findAll("input")
+
+	for input in inputs_list:
+		input_name = input.get("name")
+		print "Name: ",input_name
+ 	

19 bruteforce_login_form/post.py renamed to 19 bruteforce_login_form/post_request.py

@@ -0,0 +1,39 @@
+#!/usr/bin/python
+
+import requests
+from BeautifulSoup import BeautifulSoup
+import urlparse
+
+def request(url):
+	try:
+		return requests.get(url)
+	except requests.exceptions.ConnectionError:
+		pass
+
+target_url = "http://192.168.44.101/mutillidae/index.php?page=dns-lookup.php"
+response = request(target_url)
+
+parsed_html = BeautifulSoup(response.content)
+forms_list = parsed_html.findAll("form")
+
+for form in forms_list:
+	action = form.get("action")
+	post_url = urlparse.urljoin(target_url,action)
+	print post_url
+	method = form.get("method")
+	
+	inputs_list = form.findAll("input")
+	post_data = {}
+
+	for input in inputs_list:
+		input_name = input.get("name")
+		input_type = input.get("type")
+		input_value = input.get("value")
+		if input_type == "text":
+			input_value = "test"
+
+		post_data[input_name] = input_value
+
+	result = requests.post(post_url,data=post_data)
+	print result.content
+ 	

19 bruteforce_login_form/posting_form.py

@@ -0,0 +1,26 @@
+[<form action="index.php?page=dns-lookup.php" method="post" enctype="application/x-www-form-urlencoded" onsubmit="return onSubmitBlogEntry(this);" id="idDNSLookupForm">
+<table style="margin-left:auto; margin-right:auto;">
+<tr id="id-bad-cred-tr" style="display: none;">
+<td colspan="2" class="error-message">
+				Error: Invalid Input
+			</td>
+</tr>
+<tr><td></td></tr>
+<tr>
+<td colspan="2" class="form-header">Who would you like to do a DNS lookup on?<br /><br />Enter IP or hostname</td>
+</tr>
+<tr><td></td></tr>
+<tr>
+<td class="label">Hostname/IP</td>
+<td><input type="text" id="idTargetHostInput" name="target_host" size="20" /></td>
+</tr>
+<tr><td></td></tr>
+<tr>
+<td colspan="2" style="text-align:center;">
+<input name="dns-lookup-php-submit-button" class="button" type="submit" value="Lookup DNS" />
+</td>
+</tr>
+<tr><td></td></tr>
+<tr><td></td></tr>
+</table>
+</form>]

19 bruteforce_login_form/wwe

@@ -0,0 +1,88 @@
+#!/usr/bin/python
+
+import requests
+import re
+import urlparse
+from BeautifulSoup import BeautifulSoup
+
+class Scanner:
+	def __init__(self,url,ignore_links):
+		self.session = requests.Session()
+		self.target_url = url
+		self.target_links = []
+		self.links_to_ignore = ignore_links
+
+	def extract_links_from(self,url):
+		response = self.session.get(url)
+		return re.findall('(?:href=")(.*?)"',response.content)
+
+	def crawl(self,url=None):
+		if url == None:
+			url = self.target_url
+		href_links = self.extract_links_from(url)
+
+		for link in href_links:
+			link = urlparse.urljoin(url,link)
+
+			if "#" in link:	# #r refers to original page so avoid duplicate page again and again
+				link = link.split("#")[0]
+
+			if self.target_url in link and link not in self.target_links and link not in self.links_to_ignore:
+			#to avoid repeating the same url and ignore logout url
+				self.target_links.append(link)
+				print link
+				self.crawl(link)
+
+	def extract_forms(self,url):
+		response = self.session.get(url)
+		parsed_html = BeautifulSoup(response.content)
+		return parsed_html.findAll("form")
+
+	def submit_form(self,form,value,url):
+		action = form.get("action")
+		post_url = urlparse.urljoin(url,action)
+		method = form.get("method")
+		
+		inputs_list = form.findAll("input")
+		post_data = {}
+
+		for input in inputs_list:
+			input_name = input.get("name")
+			input_type = input.get("type")
+			input_value = input.get("value")
+			if input_type == "text":
+				input_value = value
+
+			post_data[input_name] = input_value
+		if method == "post":
+			return self.session.post(post_url,data=post_data)
+		return self.session.get(post_url,params=post_data)
+
+	def run_scanner(self):
+		for link in self.target_links:
+			forms = self.extract_forms(link)
+			for form in forms:
+				print "[+] Testing form in " + link
+				is_vulnerable_to_xss = self.test_xss_in_form(form,link)
+				if is_vulnerable_to_xss:
+					print "\n\n[***] XSS discovered in "+link+" in the follwing form"
+					print form
+
+
+			if "=" in link:
+				print "\n\n[+] Testing " + link
+				if_vulnerable_to_xss = self.test_xss_in_link(link)
+				if is_vulnerable_to_xss:
+					print "[***] Discovered XSS in " + link
+
+	def test_xss_in_link(self,url):
+		xss_test_script = "<sCript>alert('test')</scriPt>"
+		url = url.replace("=","="+ xss_test_script)
+		response = self.session.get(url)
+
+		return xss_test_script in response.content
+
+	def test_xss_in_form(self,form,url):
+		xss_test_script = "<sCript>alert('test')</scriPt>"
+		response = self.submit_form(form,xss_test_script,url)
+		return xss_test_script in response.content

20 vulnerability_scanner/scanner.py

@@ -0,0 +1,22 @@
+#!/usr/bin/python
+
+import scanner
+
+target_url = "http://192.168.44.101/dvwa/"
+links_to_ignore = ["http://192.168.44.101/dvwa/logout.php"]
+
+data_dict = {"username":"admin","password":"password","Login":"submit"}
+
+vuln_scanner = scanner.Scanner(target_url,links_to_ignore)
+vuln_scanner.session.post("http://192.168.44.101/dvwa/login.php",data=data_dict)
+
+vuln_scanner.crawl()
+vuln_scanner.run_scanner()
+
+#forms = vuln_scanner.extract_forms("http://192.168.44.101/dvwa/vulnerabilities/xss_r/")
+#print forms
+#response = vuln_scanner.test_xss_in_form(forms[0],"http://192.168.44.101/dvwa/vulnerabilities/xss_r/")
+#print response
+#response = vuln_scanner.test_xss_in_link("http://192.168.44.101/dvwa/vulnerabilities/xss_r/?name=")
+#print response
+