Description

The purpose of this server is to make exploit functionality easy to serve during testing.

Currently working on CSRF using XHR.

Setup

git clone git@github.com:SirAppSec/exploit-server.git

Get a small Azure or EC2 server, e.g. https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Compute%2FVirtualMachines

Establish an SSH session to the server.

Add the PEM key to your SSH agent:

sudo ssh-add exploit-server_key.pem

Install Nginx:

sudo apt-get update
sudo apt-get install nginx

In your local copy, update the IP address of your server in the nginx/nginx.conf config and in the ./update-server.sh script.

Upload the files: give the update script execute permissions and run it.

sudo chmod +x ./update-server.sh
./update-server.sh

Optional

Let's Encrypt

Set up a domain in Azure, for example:

http://exploit.germanywestcentral.cloudapp.azure.com/
  • Open the firewall:

     sudo ufw allow 80
     sudo ufw allow 443

  • Add the domain as a server name in the Nginx config

  • Install Let's Encrypt on the server:

     sudo apt install letsencrypt
     sudo systemctl status certbot.timer
     sudo apt install python3-certbot-nginx
     sudo certbot --nginx --agree-tos --preferred-challenges http -d exploit.germanywestcentral.cloudapp.azure.com --noninteractive


    The ./update-server.sh script will try to add the certificates without any further interaction.

    https://exploit.germanywestcentral.cloudapp.azure.com/

Usage

Note that CORS is set to Access-Control-Allow-Origin: *. You can test CORS with: https://exploit.germanywestcentral.cloudapp.azure.com/xhr.html?n=3&url=https://www.test-cors.org/

XHR

Dynamically generate XHR requests. Query parameters:

  • n = [number] number of requests (each on its own thread; each request waits for the previous one to finish)
  • url = [string] target URL to send the request to
  • action = [string] the request method ('POST' or 'GET')
  • payload = [string] the request payload (relevant to POST requests)
  • content = [string] the content type of the request (default: application/json)

https://exploit.germanywestcentral.cloudapp.azure.com/xhr.html?action=POST&payload=email%3dwiener%40admin.net&n=2&url=http://demo.testfire.net

JavaScript utilities:

  • setCookie(string:cookiename, string:cvalue) # sets the cookie header by adjusting document.cookie
  • setSpecificCookie(document.cookie, string:cookiename, string:cookievalue) # sets a specific cookie without touching the others
  • getCookie(string:cookiename) # gets an array of cookie name=value pairs
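As an added example (this is not the project's code; the function names here are this example's own and differ from the three helpers listed above), the same cookie handling written as pure functions that take the cookie string as an argument, so they run outside a browser. The builder also shows the attributes a site sets to blunt the cross-site XHR this server sends: a SameSite=Lax (or Strict) cookie is not attached to a cross-site POST, so the forged request arrives without the victim's session.

```javascript
// Added example, not part of the exploit-server project. Pure-function cookie
// helpers: parse a document.cookie-style string, read one cookie, replace one
// cookie, and build a cookie assignment string with CSRF-relevant attributes.

// Parse "a=1; b=2" into [{name, value}, ...]. Values may contain '=', so only
// the first '=' separates name from value; a bare token becomes an empty value.
function parseCookies(cookieString) {
  if (!cookieString) return [];
  return cookieString
    .split(';')
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => {
      const idx = part.indexOf('=');
      if (idx === -1) return { name: part, value: '' };
      return { name: part.slice(0, idx).trim(), value: part.slice(idx + 1) };
    });
}

// Value of one cookie, or null when absent. Browsers list the most specific
// match first, so the first hit is the one scripts normally want.
function getCookieValue(cookieString, name) {
  const hit = parseCookies(cookieString).find((c) => c.name === name);
  return hit ? hit.value : null;
}

// Replace (or add) one cookie without touching the others and return the new
// cookie string. In a browser you would assign buildCookie()'s output to
// document.cookie instead of rebuilding the whole string.
function setSpecificCookieValue(cookieString, name, value) {
  const cookies = parseCookies(cookieString).filter((c) => c.name !== name);
  cookies.push({ name, value });
  return cookies.map((c) => `${c.name}=${c.value}`).join('; ');
}

// Build a cookie assignment string. Defaults (Path=/, Secure, SameSite=Lax)
// are the attributes that stop a cross-site POST from carrying the cookie.
function buildCookie(name, value, attrs = {}) {
  const { path = '/', secure = true, sameSite = 'Lax', maxAge, httpOnly = false } = attrs;
  // RFC 6265 token characters only; anything else cannot be a cookie name.
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) {
    throw new Error(`invalid cookie name: ${name}`);
  }
  if (/[;,\s]/.test(value)) {
    throw new Error('cookie value must not contain ";", "," or whitespace');
  }
  if (!['Strict', 'Lax', 'None'].includes(sameSite)) {
    throw new Error(`invalid SameSite value: ${sameSite}`);
  }
  // Browsers reject SameSite=None cookies that are not also Secure.
  if (sameSite === 'None' && !secure) {
    throw new Error('SameSite=None requires Secure');
  }
  const parts = [`${name}=${value}`, `Path=${path}`];
  if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Constructed sample cookie string (not taken from any real site).
const SAMPLE_COOKIES = 'session=abc123; theme=dark; token=a=b=c';
console.log(parseCookies(SAMPLE_COOKIES));
console.log(buildCookie('session', 'abc123', { httpOnly: true }));
```

`buildCookie` throws on inputs a browser would silently mangle or drop (a `;` in the value, `SameSite=None` without `Secure`), which is the failure mode that usually goes unnoticed when cookies are set from scripts.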

Dynamic clickjacking

An attempt at dynamically generating mouseover clickjacking. Admittedly it works about 90% of the time, depending on factors such as the web browser, page loading times and mouse movement speed. https://exploit.germanywestcentral.cloudapp.azure.com/clickjacking/click.html?selector=a&x=20&y=75

Query parameters:

  • url = [string] the URL of the iframe target
  • selector = [string] CSS selector of the element to hover
  • x = [number] the x position, from the top left of the page, at which to place the iframe
  • y = [number] the y position, from the top left of the page, at which to place the iframe
  • buttonX = [number] the x position, from the top left of the page, at which to place the button
  • buttonY = [number] the y position, from the top left of the page, at which to place the button

Notes

  • The Nginx config is set to allow CORS for all origins and handles preflight requests.
  • XHR is async in accordance with https://xhr.spec.whatwg.org/ and sends subsequent requests in series (stops when one fails).
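As an added example (not the project's code), a response-header audit covering the two exposures this server exercises: a CORS policy that lets any origin read responses, and a page that can be framed for clickjacking. The header sets are constructed for the example; function and finding names are this example's own.

```javascript
// Added example, not part of the exploit-server project. Audits a set of HTTP
// response headers for the conditions that make the XHR and clickjacking pages
// above work against a target: wildcard CORS and unrestricted framing.

// Lower-case header names so lookups are case-insensitive.
function normalizeHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

// Parse a Content-Security-Policy value into { directive: [tokens] }.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Returns an array of finding identifiers; an empty array means nothing found.
function auditHeaders(rawHeaders) {
  const h = normalizeHeaders(rawHeaders);
  const findings = [];

  // CORS: a wildcard origin lets any site read the response body (the Nginx
  // config of this server does exactly that). Wildcard plus credentials is
  // refused by browsers, but it still reveals an intent to expose
  // authenticated data cross-origin, so it gets its own finding.
  const acao = h['access-control-allow-origin'];
  const withCreds = (h['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  if (acao === '*') {
    findings.push(withCreds ? 'cors-wildcard-with-credentials' : 'cors-wildcard-origin');
  } else if (acao === 'null') {
    findings.push('cors-null-origin');
  }

  // Clickjacking: the page can be placed in an iframe unless CSP
  // frame-ancestors or X-Frame-Options restricts it. frame-ancestors wins
  // when both are present; ALLOW-FROM is ignored by current browsers.
  const csp = h['content-security-policy'] ? parseCsp(h['content-security-policy']) : {};
  const ancestors = csp['frame-ancestors'];
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (ancestors) {
    if (ancestors.includes('*')) findings.push('framing-allowed-by-csp');
  } else if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    // restricted by the legacy header; nothing to report
  } else if (xfo.startsWith('ALLOW-FROM')) {
    findings.push('xfo-allow-from-unsupported');
  } else {
    findings.push('framing-unrestricted');
  }
  return findings;
}

// Constructed sample responses (not captured from any real server).
const SAMPLES = {
  permissive: { 'Access-Control-Allow-Origin': '*', 'Content-Type': 'text/html' },
  hardened: {
    'Access-Control-Allow-Origin': 'https://app.example',
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
    'X-Frame-Options': 'DENY',
  },
};

for (const [name, headers] of Object.entries(SAMPLES)) {
  console.log(name, auditHeaders(headers));
}
```

Run against the `permissive` sample the audit reports both `cors-wildcard-origin` and `framing-unrestricted`; the `hardened` sample reports nothing, which is the state a target needs to be in for the xhr.html and click.html pages above to fail.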