website bots


thefatmoop


I work for a PC/server security consulting company. It's normal for us to have legal permission to 'test' security on business networks.

We're finding more and more clients are getting their makeshift sites exploited. Normally I just write a small program to go through and auto fill out sites for displaying... Is there a good program for doing this instead of me writing something for every site?


Normally I just write a small program to go through and auto fill out sites for displaying
What do you mean by this? "auto fill out"?

I think he means spider the site for inputs the web server will accept, then fuzz the inputs until the server falls over indicating a flaw with the site.

That's good, as I was thinking he was looking for spam bots or something to spam sites with. Like finding WordPress blogs that don't use CAPTCHAs or something like that which can exploit MySQL or such.


Sites that are just basic html forms. Someone can spam them to death.

What I mean by writing a program to auto fill it out... I haven't done it in a while, but using integrated IE in VB one can look at the HTML and search for variables. Make the variable = a value and then action click the submit button.

I originally did this back in high school to the Verizon Wireless website to send text messages to people. Once a program was filling it out it was easy to really spam it.

There are plenty of times when a website is totally insecure and open to possibilities.

for example:

http://www.peoriabloomingtoncarloans.com/creditapp.html

I'm looking for a program designed for this... I don't want to remake all the programs.


Well I think the best way to do it would be a standalone app. Not an addon to IE...

Have it read a list of urls from a text file... It will download and read each page individually...

for example when it finds a form:

<form action="/path/to/script.php" method="post">
<input name="fname" type="text" size="24" maxlength="15">
<input name="pass" type="text" size="24" maxlength="15">
<input name="postform" type="submit" value="Submit!">
</form>

Get the input names and then post your data to them...

It will be kind of difficult to make it dynamic (so that it will work for any page). You'd have to read the different input types, know the names of the fields, and know what to put in them...

How will you know what to put in the fields? That's the biggest problem, because not all fields are named the same on different sites, and they all need different values. For example, how will you know you're not putting a name in a zipcode field?

You called it "auto-fill"; it should be called "auto-post"... What have you normally done? What do you "fill" in the boxes? Just random stuff or what?

Another benefit of downloading the HTML with Winsock and then posting to the page is that you bypass any JavaScript/client-side form-field validation... (however, where you're submitting the form to most likely has checks there which can't be bypassed since they are server-side!)

I would suggest looking up the HTTP protocol, particularly HTTP POST...

This can also help you out too:

http://hak5.org/forums/index.php?showtopic=10535

It's a recent thing I made which does what you want; it auto-posts form data to a server-side script...

EDIT: I just came up with an idea actually, but what are you going to be inputting into the fields? Random numbers and letters or what?

An app similar to that except it lets you specify the field names and values, something like this:

Let's say the app is called "formsubmit":

formsubmit -h www.peoriabloomingtoncarloans.com -s /scripts/App.dll :fname="Bob" :lname="0x539" :WPhone="123-456-7890" :Addr="123 Burning Tree Lane" :city="Somecity" :State="somestate" :zip="zipcode" :comments="I'm interested in getting pre-approved for a vehicle"

etc... * I only did the required fields on that form ;)

where -h is the host and -s is the path to the script, which is probably not a real Win32 "DLL" file; it's probably some sort of scripting language like PHP disguised, maybe CGI or ASP...

Then the fields are identified by some kind of marker; here I chose : to mark the start of a field name and = to mark the end of it, then between the quotes is what to put in that field... make sense?

It would take quite some time manually writing things to put into the fields, so I don't really get it... So are you wanting random values in the fields? Or ones that make sense?

Anyway, what would this do for you? I don't see what you're getting out of spamming junk to auto-loan forms. It doesn't seem like there's any benefit...

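The server-side check that the post above says cannot be bypassed, as an added example (my code, not the poster's): constructed validation rules for the fields the sample formsubmit command fills in, applied to the raw POST body exactly as a direct poster would send it. The field names come from the thread; the rules, lengths and function name are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed server-side rules: (required?, regex the decoded value must fully
# match). Lengths mirror the maxlength a form would declare, since a client that
# posts directly never applies the form's own attributes or JavaScript.
FIELD_RULES = {
    "fname":    (True,  r"[A-Za-z][A-Za-z' -]{0,14}"),
    "lname":    (True,  r"[A-Za-z][A-Za-z' -]{0,14}"),
    "WPhone":   (True,  r"\d{3}-\d{3}-\d{4}"),
    "zip":      (True,  r"\d{5}(-\d{4})?"),
    "comments": (False, r"[^<>]{0,500}"),
}

def validate_post_body(body: str) -> dict:
    """Validate an application/x-www-form-urlencoded POST body on the server.

    Every check is repeated here regardless of what the browser did. Unknown
    and repeated fields are rejected so a poster cannot smuggle in extra
    parameters or rely on which duplicate the script happens to read.
    Returns {"ok": bool, "errors": {field: reason}, "fields": {field: value}}.
    """
    parsed = parse_qs(body, keep_blank_values=True)   # decodes '+' and %XX
    fields = {name: values[0] for name, values in parsed.items()}
    errors = {}
    for name, values in parsed.items():
        if name not in FIELD_RULES:
            errors[name] = "unexpected field"
        elif len(values) > 1:
            errors[name] = "repeated field"
    for name, (required, pattern) in FIELD_RULES.items():
        value = fields.get(name, "")
        if value == "":
            if required:
                errors[name] = "missing"
        elif not re.fullmatch(pattern, value):
            errors[name] = "invalid format"
    return {"ok": not errors, "errors": errors, "fields": fields}
```

Run against the thread's own sample values, the body is rejected because "0x539" is not a surname and "zipcode" is not a ZIP code, whatever the page's JavaScript would have said.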

Thanks for the in-depth reply. Let me look into this; I would like to show the owners of the site this.


Alright I was messing around with it today and made the example app...

It works similarly to what I said previously, except instead of using double quotes "

you use single quotes!

So for example instead of

:name="Steve"

you do

:name='Steve'

I did it that way because if you wanted to use double quotes you'd have to write a backslash \ before each " (to escape it), and I thought that would be annoying, so I just made it a single quote...

;)

You can also use most special characters [because I encode the field data before sending it], except for the single quote (obviously, since it will end the value early) and &. The & sign is used to separate field=value pairs from each other. This is an example of the content the app actually posts:

name=Steve&comment=hello+my+name+is+steve%21

So you can't put another & in there anywhere, otherwise something's going to get cut off as it thinks you're specifying a new field name and value.

The +'s are just spaces (you don't have to write plus though; when doing spaces it converts it for you).

The %21 is what all special characters are changed into; it's the hex byte of the character. %21 or 0x21 is a !

Here's some example usage:

[screenshot: frmpost.png]

You can test it on

http://popeax.com/x/

and see the result of your post... There is no actual HTML form, only a script to accept posted data... The two values that it looks for as input are "name" and "comment".

So doing a:

frmpost -h popeax.com -s /x/index.php :name='My Name' :comment='Hello World!'

would submit a comment to that web page ;)

Source code + binary: (Release folder contains binary executable)

http://popeax.com/x/frmpost.zip

Batch scripting anyone? :)

That should help you out with whatever you're trying to do...

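The body format the post above describes (fields joined by &, spaces as +, every other special byte as %XX), as an added example that is not frmpost's code: a hand-written encoder and decoder for application/x-www-form-urlencoded. It also shows that frmpost's & and single-quote limitation disappears once those characters are percent-encoded inside a value, so a value can never open a new field. The function names are my own.

```python
from string import hexdigits

# Unreserved bytes travel unchanged; space becomes '+', everything else '%XX'.
UNRESERVED = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                       b"abcdefghijklmnopqrstuvwxyz0123456789-_.~")

def encode_value(value: str) -> str:
    """Percent-encode one field name or value, byte by byte (UTF-8)."""
    out = []
    for byte in value.encode("utf-8"):
        if byte == 0x20:
            out.append("+")
        elif byte in UNRESERVED:
            out.append(chr(byte))
        else:
            out.append("%%%02X" % byte)       # '!' (0x21) -> '%21'
    return "".join(out)

def encode_form(fields: dict) -> str:
    """Build an application/x-www-form-urlencoded body; '&', '=' and quotes
    inside a value are encoded, so they can't start a new field or end early."""
    return "&".join(f"{encode_value(k)}={encode_value(v)}" for k, v in fields.items())

def decode_value(text: str) -> str:
    """Reverse encode_value the way the receiving script does: '+' is a space,
    a well-formed %XX is one byte, a malformed '%' is kept literally."""
    buf = bytearray()
    i = 0
    while i < len(text):
        c = text[i]
        if c == "+":
            buf.append(0x20)
            i += 1
        elif c == "%" and i + 2 < len(text) and all(h in hexdigits for h in text[i + 1:i + 3]):
            buf.append(int(text[i + 1:i + 3], 16))
            i += 3
        else:
            buf += c.encode("utf-8")
            i += 1
    return buf.decode("utf-8", "replace")

def decode_form(body: str) -> dict:
    """Split the body on '&', each pair on '=', and decode both sides."""
    fields = {}
    for pair in body.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            fields[decode_value(name)] = decode_value(value)
    return fields
```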


Nice program! Actually, if you work with Perl/PHP, curl is the way to go, or LWP (http://search.cpan.org/~gaas/libwww-perl-5.800/lib/LWP.pm). Write a little Perl script that downloads the web page, parses it, fills out all the form fields and posts them. With LWP you can specify nearly anything you like.

Then make a file with all SQL exploits in it, and loop through it until you get a result from the website.

  use strict;
  use warnings;
  use LWP 5.64;
  my $browser = LWP::UserAgent->new;

  my $word = 'tarragon';
  my $url  = 'http://www.altavista.com/sites/search/web';

  # A GET with extra request headers: after the URL, get() takes a list of
  # header => value pairs (each header value must be a single line).
  my $response = $browser->get($url,
    'User-Agent'      => 'Mozilla/4.76 [en] (Win98; U)',
    'Accept'          => 'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*',
    'Accept-Charset'  => 'iso-8859-1,*,utf-8',
    'Accept-Language' => 'en-US',
  );

  # A POST of form fields: post() takes an array ref of name => value pairs
  # and sends them application/x-www-form-urlencoded, as a browser would.
  $response = $browser->post( $url,
    [ 'q' => $word,  # the Altavista query string
      'pg' => 'q', 'avkw' => 'tgz', 'kl' => 'XX',
    ]
  );
  die "$url error: ", $response->status_line
   unless $response->is_success;
  die "Weird content type at $url -- ", $response->content_type
   unless $response->content_type eq 'text/html';

  if( $response->content =~ m{AltaVista found ([0-9,]+) results} ) {
    # The substring will be like "AltaVista found 2,345 results"
    print "$word: $1\n";
  } else {
    print "Couldn't find the match-string in the response\n";
  }
