Scratchpad – python notes

This page contains random notes and snippets of stuff learned during my python coding projects. It’s more or less a living page which will get modified over time. Consider it a random, completely unstructured scratchpad with stuff I think is interesting or worth noting down somewhere.

Notes

The shebang line is ignored when a script is started as python <pyfile> (the interpreter named on the command line is used) and honoured when it is started as ./<pyfile>, which is why the same file reports two different versions below:

08:13 user@host >>> [~] $ cat version.py 
#!/usr/bin/env python3
import platform
print(platform.python_version())
08:13 user@host >>> [~] $ python version.py 
2.7.13
08:13 user@host >>> [~] $ ./version.py 
3.5.3

Vulnerable python code using shell=True in subprocess call

11:01 user@host >>> [pythondir] $ python #2.7
Python 2.7.13 (default, Sep 26 2018, 18:42:22)
[GCC 6.3.0 20170516] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import subprocess
>>> filename = 'file.txt; /bin/bash'
>>> subprocess.call(['cat ' + filename],shell=True)
11:01 user@host >>> [pythondir] $
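The same injection next to two hardened forms, as an added example (not code from the original notes). The unsafe function builds its command string exactly the way the snippet above does; the safe function passes an argument list with no shell, and the quoted function shows shlex.quote for the case where a shell really is needed. The filename value, the use of printf to echo it back, and the function names are all constructed for this demo.

```python
import shlex
import subprocess

# Constructed input: a "filename" carrying a shell metacharacter followed by a
# harmless second command, standing in for the '; /bin/bash' payload above.
TAINTED_NAME = "file.txt; echo INJECTED"


def show_name_unsafe(filename: str) -> str:
    """Pattern from the notes: string concatenation plus shell=True.

    /bin/sh parses the whole string, so the ';' ends the printf command and
    whatever follows it runs as a second command.
    """
    cmd = "printf '%s\\n' " + filename
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def show_name_safe(filename: str) -> str:
    """Hardened form: argv list, shell=False (the default).

    The filename reaches printf as one argument; no shell ever parses it.
    """
    return subprocess.run(["printf", "%s\n", filename],
                          capture_output=True, text=True).stdout


def show_name_quoted(filename: str) -> str:
    """If a shell is unavoidable (pipes, globbing), quote every untrusted
    value with shlex.quote so the shell sees it as a single word."""
    cmd = "printf '%s\\n' " + shlex.quote(filename)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    print("unsafe :", repr(show_name_unsafe(TAINTED_NAME)))   # second command ran
    print("safe   :", repr(show_name_safe(TAINTED_NAME)))     # name echoed verbatim
    print("quoted :", repr(show_name_quoted(TAINTED_NAME)))   # name echoed verbatim
```

Running it shows the unsafe variant printing the file name and then INJECTED on its own line, while both hardened variants print the whole tainted string as one literal value. When reviewing code, grep for shell=True and for os.system and os.popen, which have the same problem; any of them fed a value built from user input is the bug shown above.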

Why is ifconfig output base64 decodable?

>>> import base64
>>> import subprocess
>>> ifconfig=subprocess.Popen("ifconfig", shell=True, stdout=subprocess.PIPE).stdout
>>> base64.b64decode(ifconfig.read())
b'\x96\x8d\x1f\x95\xa8,\xf3N=P\xf2\xce8\xf0@\x08\xa4T4\xd2\r\x18\xc5\x0bL\x80\x80I9\xad\xbb^\xb7\xf3\x8a)\xb6*\'\xb3]\xb4\xdd\x15\xc2IC\x13\\$\x9415\xd2L\x04\xd4I%\x93 \xc1\x12L\x03\x0f\x8aw\xad\xd7n\xf4\xd3Y\xde\xb6f\xac\x93L_\x7fM4\xd3M"\x9d\xebz\xd6\x9a\xde~,ez}v\xf2)\xde\xb7\xa7\xde\xf3Me\xa3Jky\xf8\xb1\x95\xe9\xfa\xe2\xc7(\xa5\xe8\x9d\xd3\x1dgw\xaa)\xb6*\'\xb3m5
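The answer is that base64.b64decode runs with validate=False by default: every character outside the base64 alphabet (spaces, colons, dots, angle brackets, newlines) is silently discarded before decoding, so nearly any text whose remaining character count is a multiple of four "decodes" to garbage. The following added example (not part of the original notes) shows that behaviour on a constructed ifconfig-style line, and the strict check to use when deciding whether a blob in a log or request is really base64. The sample line, the REAL_B64 constant and the function names are constructed for this demo.

```python
import base64
import binascii
import re

# Constructed sample in the old net-tools ifconfig layout, not real output.
SAMPLE = "lo Link encap:Local Loopback  inet addr:127.0.0.1  Mask:255.0.0.0"
REAL_B64 = "aGVsbG8="  # genuine base64 of b"hello"

B64_ALPHABET = re.compile(r"[A-Za-z0-9+/]")


def kept_chars(text: str) -> str:
    """Characters that b64decode keeps in its default (lenient) mode.
    Everything else is thrown away before the padding check."""
    return "".join(B64_ALPHABET.findall(text))


def lenient_decode(text: str) -> bytes:
    """What the notes did: validate=False (the default).  The 48 alphabet
    characters left in SAMPLE decode to 36 bytes of meaningless data."""
    return base64.b64decode(text)


def strict_decode(text: str):
    """Same call with validate=True: any character outside the alphabet
    raises binascii.Error.  Returns None instead of raising."""
    try:
        return base64.b64decode(text, validate=True)
    except binascii.Error:
        return None


def is_base64(text: str) -> bool:
    """Check to apply before treating a blob as encoded data: the strict
    decode must succeed and re-encoding must reproduce the input exactly,
    which also rejects strings with missing or surplus padding."""
    decoded = strict_decode(text)
    return decoded is not None and base64.b64encode(decoded).decode("ascii") == text


if __name__ == "__main__":
    print(len(kept_chars(SAMPLE)), "alphabet chars kept from the sample line")
    print(len(lenient_decode(SAMPLE)), "bytes of garbage from lenient decode")
    print("strict decode of sample:", strict_decode(SAMPLE))
    print("is_base64:", is_base64(SAMPLE), is_base64(REAL_B64))
```

The practical point for detection work: a successful b64decode call says nothing about the input unless validate=True is set (or the round-trip check above is used), so tooling that classifies strings as "encoded" on the basis of the default call will mislabel ordinary text.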

Raw sample for doing a simple portscan with python

#!/usr/bin/env python3
import socket

def scan(iprange, port):
    # iprange is the first three octets, e.g. "192.168.1"; the last octet is iterated here
    for i in range(255):
        address = iprange + "." + str(i)
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(2)
            # connect_ex returns 0 when the TCP connect succeeds, an errno value otherwise
            if not s.connect_ex((address, port)):
                print("alive: " + address)

ipr = input("please provide ip range ")
port = int(input("port please "))
scan(ipr, port)

Python proxy through burp


import requests

targeturl = "http://<host>/path"  # placeholder for the URL under test
# requests picks the proxy by URL scheme, so list both to route everything through Burp's listener
proxy = {"http": "http://localhost:8080", "https": "http://localhost:8080"}
requests.post(targeturl, data={}, proxies=proxy)

Python Debugging

Debugging inline with python

import pdb

pdb.set_trace()  # execution pauses here and drops into the interactive pdb prompt

Simple Python-based web-cmd-shell interaction thingy

#!/usr/bin/env python3
import requests
import argparse
from urllib.parse import quote
from cmd import Cmd

parser = argparse.ArgumentParser()
parser.add_argument("-t", "--target", help="provide the exact url location of the webshell i.e. http://<host>/shell.php?cmd=", required=True)
cmdargs = parser.parse_args()


class Terminal(Cmd):
    def __init__(self):
        self.prompt = "shell> "
        Cmd.__init__(self)

    def default(self, args):
        # every line typed at the prompt is URL-encoded and appended to the target URL
        r = requests.post(cmdargs.target + quote(args))
        print(r.text)


terminal = Terminal()
terminal.cmdloop()

Regular expressions with non-capturing groups

When a regular expression contains a group, for example to match US-style phone numbers written either as 444-555-1010 or as (999) 555-9998, findall() returns only the text captured by the group rather than the whole match. Matching both forms is easy; getting the complete number back requires a non-capturing group.

Example with capturing groups:

>>> import re
>>> pattern = r'(\(\d\d\d\) |\d\d\d-)\d\d\d-\d\d\d\d'
>>> phoneNum = re.compile(pattern)
>>> mo = phoneNum.findall("Number = 444-555-1010 or (999) 555-9998")
>>> mo
['444-', '(999) ']

Example with a non-capturing group, written by putting ?: right after the opening parenthesis of the group:

>>> pattern = r'(?:\(\d{3}\) |\d{3}-)\d{3}-\d{4}'
>>> phoneNum = re.compile(pattern)
>>> mo = phoneNum.findall("Number = 444-555-1010 or (999) 555-9998")
>>> mo
['444-555-1010', '(999) 555-9998']

Greedy vs Non-greedy match example

This is an example from the Udemy Course ‘Automate the Boring Stuff with Python’:

>>> import re
>>> serve = '<To serve humans> for dinner.>'
>>> nongreedy = re.compile(r'<(.*?)>')
>>> nongreedy.findall(serve)
['To serve humans']

Non-greedy (.*?): the match stops at the first closing >.

>>> greedy = re.compile(r'<(.*)>')
>>> greedy.findall(serve)
['To serve humans> for dinner.']

Greedy (.*): the match extends to the last closing >.
