coolervoid / 0d1n Goto Github PK

Tool for automating customized attacks against web applications. Fully made in C language with pthreads, it has fast performance.

License: BSD 3-Clause "New" or "Revised" License

C 89.03% Makefile 0.32% HTML 5.07% CSS 5.57% Shell 0.01%

web-server security hacking fuzzing sqlinjection xss bruteforce libcurl thread-pool

0d1n's Introduction

0d1n

0d1n is a tool for automating customized attacks against web applications. This tool is significantly faster because it uses thread pool and C language.

0d1n is a tool for automating customized attacks against web applications. Video demo: https://www.youtube.com/watch?v=1L22mbbVge0

Tool functions:

Brute force login and passwords in auth forms
Directory disclosure ( use PATH list to the brute, and find HTTP status code )
Test to find SQL Injection and XSS vulnerabilities
Test to find SSRF
Test to find Command injection
Options to load ANTI-CSRF token each request
Options to use random proxy per request
Options to use random useragent per request
Option for keep alive test (slowloris test)
other functions.

To run and install, follow these steps:

require libcurl-dev or libcurl-devel(on rpm linux based)

$ git clone https://github.com/CoolerVoid/0d1n/

It would be best if you had lib curl to run. Look at the following to install:

$ sudo apt-get install libcurl-dev
or try libcurl4-de or libcurl*

if rpm distro

$ sudo yum install libcurl-devel

To install follow this cmd:

$ cd 0d1n

$ make; sudo make install USER=name_your_user; 

$ cd 0d1n_viewer; make; sudo make install USER=name_your_user;

Up the view server to look at the reports online:

$ sudo 0d1n_view

Now in another console, you can run the tool:


$ 0d1n

If you need to uninstall, follow these steps:

$ cd 0d1n; sudo make uninstall

$ cd 0d1n_view; sudo make uninstall

Attack examples:

Brute force to find the directory

$ 0d1n --host http://127.0.0.1/^ --payloads /opt/0d1n/payloads/dir_brute.txt --threads 500 --timeout 3 --log bartsimpsom4 --save_response

Note: You can change the value of threads. If you have a good machine, you can try 800, 1200 each device has a different context.

For SQL injection attack

$ 0d1n --host 'http://site.com/view/1^/product/^/' --payloads /opt/0d1n/payloads/sqli_list.txt --find_string_list /opt/0d1n/payloads/sqli_str2find_list.txt --log log1337 --tamper randcase --threads 800 --timeout 3 --save_response\n"

Note: Tamper is a resource to try to bypass the web application firewall

To brute force auth system

0d1n --host 'http://site.com/auth.py' --post 'user=admin&password=^' --payloads /opt/0d1n/payloads/wordlist.txt --log log007 --threads 500 --timeout 3\n"

Note: if you have a csrf token, you can use argv to get this token for each request and brute.

Search SQLi in hard mode in login system with csrf token:

0d1n  --host "http://127.0.0.1/vulnerabilities/sqli/index.php?id=^" --payloads /opt/0d1n/payloads/sqli.txt --find_string_list /opt/0d1n/payloads/find_responses.txt --token_name user_token --log logtest_fibonaci49 --cookie_jar /home/user_name/cookies.txt --save_response --tamper randcase --threads 100

Note: Load the cookies jar from the browser and save in cookies.txt to load.

Notes External libs

To gain extreme performance, 0d1n uses a thread pool of POSIX threads. You can study this small library: https://github.com/Pithikos/C-Thread-Pool
The 0d1n uses OpenBSD/NetBSD functions to work with strings something like strlcat() and strlcpy() to prevent buffer overflow. https://man.openbsd.org/strlcpy.3

Project Overview on cloc

cooler@gentoo:~/codes$ cloc 0d1n/
     937 text files.
     532 unique files.                                          
     451 files ignored.

-------------------------------------------------------------------------------
Language                     files          blank        comment           code
-------------------------------------------------------------------------------
JavaScript                     361           9951          15621          52178
C                               51           4986           4967          26642
C/C++ Header                    30           1184           2858           4295
CSS                             10            434            369           2142
HTML                             7             59              0           1616
TeX                              2             52              4            206
Markdown                         3             81              0            137
make                             4             36              9            130
Bourne Shell                     2              0              0              4
-------------------------------------------------------------------------------
SUM:                           487          16835          23846          91213
-------------------------------------------------------------------------------

Read the docs, and help menu when you execute the "0d1n" binary...

Do you have any doubt about 0d1n? Please create an issue in this repository. I can help you.

To study old versions, look at the following:

http://sourceforge.net/projects/odin-security-tool/files/?source=navbar

Point of attention

The purpose of this tool is to use in pentest, take attention if you have a proper authorization before to use that. I do not have responsibility for your actions. You can use a hammer to construct a house or destroy it, choose the law path, don't be a bad guy, remember.

0d1n's People

Contributors

Stargazers

Watchers

Forkers

r00tb0x securityigi idkwim lordlight marcstraube-zz ksmaheshkumar drewet sh1nu11bi borbelyau linkp2p xul4y theralfbrown shark2016 joyhuang-ctftool affix bb1ox1bb samyoyo brandontict unexpectedby openube initpwn spnow v4n1sh beelives fernandoarandasanchez qardeneden gregtampa soulless313 securitywarrior pythonone 00derp magnologan gamehacker digideskio hax0rg1rl y0d4a jackhuyh taibaiyifeng llovoll weeshlow olivierh59500 chencool kaicastledine linux4sa jjborie bryant1410 socketpy lovebair2022 ch4p34un0ir mgcfish pawankumar9 xianlimei timofonicjunkroom megat136 ox-b johnjohnsp1 mehrdad-shokri subzeroking slowmistio uruscg-llc jdawg82 bilportistivraboti magma2 cjjduck foxweek zhouat d1pakda5 m00zh33 r00tarded krashman szliuyujie b-s-t nawfling paulyd210 abuyv sonahri wizard2773 intmaxmood lx0 dr4g0nbyt3 chensiqia darrynza cephurs meetusadadiya ye-man seabreg qing-q viviane788 vogt420 robertolimacorp masterscott 76428778fada blacktool pentest-tools 5l1v3r1 datarecover marciopocebon rolsen949 gh0st0ne richardsonjf

0d1n's Issues

XML output

argument to save result at XML

change atoi() to strtol()

https://www.securecoding.cert.org/confluence/display/seccode/INT06-C.+Use+strtol%28%29+or+a+related+function+to+convert+a+string+token+to+an+integer

SSL error - Invalid SSL cert

kali@kali:~/0d1n/0d1n_viewer$ bin/0d1n_view
Starting SSL server on port 40111, cert from /opt/0d1n/server/cert/certkey.pem, key from /opt/0d1n/server/cert/privateKey.key

--- DEBUG-START ---

Mon Jan 4 15:08:03 2021 src/0d1n_view.c[64] main():
Failed to create listener: Invalid SSL cert

--- DEBUG-END ---

How can I fix this error?

Modo Verbose para visualização e troubleshooting

Ao executar a tool a mesma não produz nenhum tipo de saída, deixando o analista completamente cego em relação ao o que está sendo enviado e o que está sendo "grepado".

Um modo verbose mostrando as requisições e seu status code de resposta seria muito bom, assim como uma opção de grep para status de resposta isso para testes de fuzz de diretorios.

Create Tamper plugins and Python Connector

I think use this to load python modules to use tamper at payloads...
https://docs.python.org/2/extending/extending.html

options to choice SSL VERSION

So need to use MACRO "CURLOPT_SSLVERSION"

Error on make: multiple definition of (param) and first defined here

Hello,
On Ubuntu groovy, I install the prerequisite libcurl4-gnutls-dev (I don't find libcurl-dev)

when I launch make, I have this message (sorry in French):

gcc -W -Wall -Wextra -Wformat-security -fstack-protector-all -pie -fPIE -c src/*.c -Isrc/headers/
gcc -fstack-protector-all -pie -fPIE  -o bin/0d1n *.o  -Wl,-z,relro,-z,now -lcurl -lpthread
/usr/bin/ld : file_ops.o:(.bss+0x0) : définitions multiples de « param »; 0d1n.o:(.bss+0x0) : défini pour la première fois ici
/usr/bin/ld : get_csrf_token.o:(.bss+0x0) : définitions multiples de « param »; 0d1n.o:(.bss+0x0) : défini pour la première fois ici
/usr/bin/ld : opt_extract.o:(.bss+0x0) : définitions multiples de « param »; 0d1n.o:(.bss+0x0) : défini pour la première fois ici
/usr/bin/ld : results.o:(.bss+0x0) : définitions multiples de « param »; 0d1n.o:(.bss+0x0) : défini pour la première fois ici
/usr/bin/ld : scan.o:(.bss+0x0) : définitions multiples de « param »; 0d1n.o:(.bss+0x0) : défini pour la première fois ici
/usr/bin/ld : spider.o:(.bss+0x0) : définitions multiples de « param »; 0d1n.o:(.bss+0x0) : défini pour la première fois ici
collect2: error: ld returned 1 exit status
make: *** [Makefile:21 : 0d1n] Erreur 1

I try with v3.4, v3.2, v3.1 of 0d1n and I have the same messages.

What I have been missing ?

Thanks

Use Libmongoose to create web interface

http://cesanta.com/docs/Embed.shtml

Test argv "CURLOPT_CUSTOMREQUEST"

I think get a file and transform at http request is good idea, after change variables on dynamic form to test...

Create windows version

Use mingwin32 to create EXE file...

FIX security pitfalls

Neet fix security pitfalls
*-Off-by-One
*-NULL pointer dereference
*-Race COnditions...

https://github.com/CoolerVoid/0d1n_test

need fix new memory leaks

https://github.com/CoolerVoid/0d1n/blob/master/spider.c#L433

change strncpy() to strlcpy()

all uses of strncat() and strncpy() dont have nullbyte at 0d1n this is not good thing...

need add nullbyte or strlcat(), strlcpy()

install failed

FIX security pitfalls

Need fix security problems:
1- NULL pointer deference
2- Memory Leak
3- Off-by-one error
4- Race conditions
...

https://github.com/CoolerVoid/0d1n_test

save log in html format

hello pro

with this command line
sudo ./0d1n --host "http://www.localhost/-locations.jsp?sort=^" --payloads payloads/xss_robertux.txt --log log123test --save_response

the log is saved in texte format
hos to save the log in html format

change strncat() 2 strlcat()

strncat is not a secure version of strcat (strlcat is), and the third argument is not the destination capacity

Change strstr() to other function

At https://groups.google.com/forum/?hl=en#!topic/comp.lang.c/jRQYhxhKG1Y
Melzzzzz response

On Mon, 24 Feb 2014 10:43:10 -0800 (PST)
Cooler_x0a [email protected] wrote:

So when i need find a "string" i use "strstr()", but this form not
seems better form...

Some peoples talk me about bitap algorithm:
http://en.wikipedia.org/wiki/Bitap_algorithm

Someone know another method to find string ?
(my priority of research is fast algorithms)

Cheers

Well I have made small benchmark of different substring search
algorithms and in general case best performers are SSE42 pcmpistri
pcmpestri instructions with brute force search. strstr and memmem are
pretty good, too. (gcc)
referent points are memmemopt which is optimized memmemsse2 (both in
asm) and strstrasm which is naive brute force asm.
strstrsse42 memmemsse42 are also asm routines that use sse42 string
instructions.

bmaxa@maxa:~/examples/assembler$ time ./strings
haystack alice.html 202167, needle (added to end) "this has to be found" 20

     strstrsse42     0x7f0b697865cb    19.3
          strstr     0x7f0b697865cb    31.0
     memmemsse42     0x7f0b697865cb    38.6
      strcasestr     0x7f0b697865cb    43.2
     BM horspool     0x7f0b697865cb    58.2
   bmhorspoolasm     0x7f0b697865cb    61.0
              BM     0x7f0b697865cb    82.1
        BM Turbo     0x7f0b697865cb    86.7
      memmemsse2     0x7f0b697865cb    97.3
       memmemopt     0x7f0b697865cb   103.9
      strstrsse2     0x7f0b697865cb   106.2
         memmem2     0x7f0b697865cb   181.9
          memmem     0x7f0b697865cb   233.9
       strstrasm     0x7f0b697865cb   262.1
     string find     0x7f0b697865cb   270.1
             KMP     0x7f0b697865cb   483.3
           bitap     0x7f0b697865cb  5745.0

haystack 1048576 random data, needle 1024 random data

   bmhorspoolasm              (nil)    30.7
     BM horspool              (nil)    31.1
          memmem              (nil)    33.7
              BM              (nil)    38.5
        BM Turbo              (nil)    40.9
     strstrsse42              (nil)    61.2
       memmemopt              (nil)    80.6
      memmemsse2              (nil)    89.9
          strstr              (nil)    90.3
      strstrsse2              (nil)   102.2
         memmem2              (nil)   108.9
      strcasestr              (nil)   141.8
     memmemsse42              (nil)   152.2
     string find              (nil)   689.0
       strstrasm              (nil)   827.9
             KMP              (nil)  1414.8
           bitap              (nil) 562742.6

haystack 1048576 random data, needle 7 random data

     strstrsse42              (nil)    59.6
       memmemopt              (nil)    80.9
      memmemsse2              (nil)    90.1
         memmem2              (nil)    99.8
      strstrsse2              (nil)   104.5
     memmemsse42              (nil)   151.3
          strstr              (nil)   375.3
     BM horspool              (nil)   464.0
      strcasestr              (nil)   469.0
   bmhorspoolasm              (nil)   477.1
          memmem              (nil)   586.6
        BM Turbo              (nil)   633.2
              BM              (nil)   656.5
     string find              (nil)   684.3
       strstrasm              (nil)   825.2
             KMP              (nil)  1410.8
           bitap              (nil)  9032.7

haystack 1048593 8 byte repeated pattern, needle 9 byte data (begins with pattern)

     strstrsse42     0x7f0b688f1030   345.0
     BM horspool     0x7f0b688f1030   396.8
   bmhorspoolasm     0x7f0b688f1030   410.5
     memmemsse42     0x7f0b688f1030   449.8
          memmem     0x7f0b688f1030   533.8
        BM Turbo     0x7f0b688f1030   543.6
      memmemsse2     0x7f0b688f1030   552.5
              BM     0x7f0b688f1030   564.7
       memmemopt     0x7f0b688f1030   573.1
      strstrsse2     0x7f0b688f1030   585.3
          strstr     0x7f0b688f1030   733.7
         memmem2     0x7f0b688f1030   760.7
      strcasestr     0x7f0b688f1030   910.5
     string find     0x7f0b688f1030   995.7
       strstrasm     0x7f0b688f1030  1677.3
             KMP     0x7f0b688f1030  2748.7
           bitap     0x7f0b688f1030 11363.7

haystack 1048580 1 byte repeated pattern, needle 4 byte data (begins with pattern)

     strstrsse42     0x7f0b688f1028   393.4
          strstr     0x7f0b688f1028   462.4
     memmemsse42     0x7f0b688f1028   515.5
          memmem     0x7f0b688f1028   529.9
      strcasestr     0x7f0b688f1028   574.4
       memmemopt     0x7f0b688f1028   799.2
   bmhorspoolasm     0x7f0b688f1028  1787.4
     BM horspool     0x7f0b688f1028  3190.6
             KMP     0x7f0b688f1028  3380.5
     string find     0x7f0b688f1028  3449.8
           bitap     0x7f0b688f1028  3741.0
       strstrasm     0x7f0b688f1028  4052.4
      memmemsse2     0x7f0b688f1028  4443.1
        BM Turbo     0x7f0b688f1028  4501.4
              BM     0x7f0b688f1028  4565.5
      strstrsse2     0x7f0b688f1028  4681.0
         memmem2     0x7f0b688f1028  6867.1

haystack 1048576 1 byte repeated pattern, needle 4 byte data (all fail)

         memmem2              (nil)    30.5
          memmem              (nil)    32.2
       memmemopt              (nil)    40.6
      memmemsse2              (nil)    44.8
     strstrsse42              (nil)    56.7
      strstrsse2              (nil)    62.4
     memmemsse42              (nil)   149.4
          strstr              (nil)   383.7
      strcasestr              (nil)   471.7
     string find              (nil)   646.4
       strstrasm              (nil)   793.4
     BM horspool              (nil)   801.0
   bmhorspoolasm              (nil)   805.7
              BM              (nil)  1133.2
        BM Turbo              (nil)  1326.4
             KMP              (nil)  1328.3
           bitap              (nil)  3114.4

cumulative list by time

     strstrsse42   935.2
     memmemsse42  1456.8
       memmemopt  1678.2
          memmem  1950.2
          strstr  2076.4
      strcasestr  2610.6
   bmhorspoolasm  3572.6
     BM horspool  4941.6
      memmemsse2  5317.7
      strstrsse2  5641.5
     string find  6735.3
              BM  7040.5
        BM Turbo  7132.2
         memmem2  8048.9
       strstrasm  8438.3
             KMP 10766.4
           bitap 595739.5

cumulative list by place

     strstrsse42 15
     memmemsse42 36
       memmemopt 37
     BM horspool 37
          memmem 38
          strstr 39
   bmhorspoolasm 40
      memmemsse2 44
      strcasestr 52
         memmem2 57
      strstrsse2 58
        BM Turbo 60
              BM 61
     string find 77
       strstrasm 82
             KMP 89
           bitap 96

Need add multiple tamper layers

I think add append multiple tamper options
like a: urlencode+randcase+add_comments etc...

Create Argument to send JSON

http://stackoverflow.com/questions/11973994/json-requests-in-c-using-libcurl

New Encode payloads function and bypass WAF features

I think to use encode64(),HPP,sha1,md5,utf8_binary,blank_2_comment(change " " to "/**/"),Change the Case of the Letters...

other ways to help bypass waf, like use some http headers
x-originating-IP: 127.0.0.1
x-forwarded-for: 127.0.0.1
x-remote-IP: 127.0.0.1
x-remote-addr: 127.0.0.1

http://wafbypass.me/w/index.php/Bypass_Techniques