Context Navigation

source: trunk/bin/bletchley-http2py @ 124

Last change on this file since 124 was 118, checked in by tim, 8 years ago
.
Property svn:executable set to ``*
File size: 10.2 KB

Rev	Line
[40]	1	#!/usr/bin/env python3
[73]	2	#-- mode: Python;--
	3	#
[40]	4	# Requires Python 3+
[4]	5
	6	'''
[40]	7	This script reads a raw HTTP request and writes to stdout a Python
	8	script. The generated script sends the same (or a very similar)
[116]	9	request using the Requests library, or optionally, the built-in
	10	http.client library.
[4]	11
	12	Certainly if you have a raw request, you could simply send it via TCP
	13	sockets, but if for some reason the server behaves oddly with flow control,
	14	insists on using gzip/deflate encoding, insists on using chunked encoding,
	15	or any number of other annoying things, then using an HTTP library is a
[79]	16	lot more convenient. This script attempts to make the conversion from a
[116]	17	raw HTTP request to HTTP library calls easy for pentesting automation.
[4]	18
	19
[39]	20	Copyright (C) 2011-2013 Virtual Security Research, LLC
[116]	21	Copyright (C) 2014-2016 Blindspot Security LLC
[4]	22	Author: Timothy D. Morgan
	23
	24	This program is free software: you can redistribute it and/or modify
	25	it under the terms of the GNU Lesser General Public License, version 3,
	26	as published by the Free Software Foundation.
	27
	28	This program is distributed in the hope that it will be useful,
	29	but WITHOUT ANY WARRANTY; without even the implied warranty of
	30	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	31	GNU General Public License for more details.
	32
	33	You should have received a copy of the GNU General Public License
	34	along with this program. If not, see <http://www.gnu.org/licenses/>.
	35	'''
	36
	37	import sys
	38	import argparse
[80]	39	import pprint
	40	import urllib.parse
[4]	41
[47]	42	bopen = lambda f: open(f, 'rb')
	43
[28]	44	parser = argparse.ArgumentParser(
	45	description='A script which accepts an HTTP request and prints out a'
	46	' generated Python script which sends a similar request. This is useful'
	47	' when one wants to automate sending a large number of requests to a'
	48	' particular page or application.'
	49	' For more information, see: http://code.google.com/p/bletchley/wiki/Overview')
	50	parser.add_argument(
[47]	51	'requestfile', type=bopen, nargs='?', default=sys.stdin.buffer,
[28]	52	help='A file containing an HTTP request. Defaults to stdin if omitted.')
[116]	53	group = parser.add_mutually_exclusive_group()
	54	group.add_argument('--requests', action='store_true',
	55	help='Generate a script that uses the Requests module'
	56	' rather than http.client (default).')
	57	group.add_argument('--native', action='store_false', dest='requests',
	58	help='Generate a script that uses Pythons built-in http.client'
	59	' rather than the Requests module.')
	60	parser.set_defaults(requests=True)
[40]	61
[4]	62	args = parser.parse_args()
[40]	63	input_req = args.requestfile.read()
[4]	64
	65
[47]	66	if b'\r\n\r\n' in input_req:
	67	raw_headers,body = input_req.split(b'\r\n\r\n', 1)
	68	elif b'\n\n' in input_req:
	69	raw_headers,body = input_req.split(b'\n\n', 1)
[4]	70	else:
	71	raw_headers = input_req
[47]	72	body = b''
[4]	73
[47]	74	raw_headers = raw_headers.decode('utf-8')
	75
[4]	76	header_lines = raw_headers.split('\n')
	77	method,path,version = header_lines[0].split(' ', 2)
	78
	79	host = 'TODO'
[80]	80	port = None
	81	protocol = None
[4]	82
	83	headers = []
	84	for l in header_lines[1:]:
	85	if len(l) < 1:
	86	break
	87	# Handle header line continuations
[40]	88	if l[0] in ' \t':
[4]	89	if len(headers) == 0:
	90	continue
	91	name,values = headers[-1]
	92	values.append(l.lstrip('\t'))
	93	headers[-1] = (name,values)
	94	continue
	95
	96	name,value = l.split(':',1)
	97	value = value.lstrip(' ').rstrip('\r')
	98
[116]	99	# Skip headers that have to do with transfer encodings, connection longevity, and caching
	100	# XXX: maybe add these back as commented-out headers to the output?
[4]	101	if name.lower() not in ['accept','accept-language',
	102	'accept-encoding','accept-charset',
	103	'connection', 'keep-alive', 'host',
[116]	104	'content-length', 'proxy-connection',
	105	'if-none-match']:
[4]	106	headers.append((name,[value]))
	107
	108	if name.lower() == 'host':
	109	if ':' in value:
	110	host,port = value.split(':',1)
[51]	111	port = int(port, 10)
[4]	112	if port == 443:
[40]	113	protocol = 'https'
[4]	114	else:
	115	host = value
	116
[80]	117	# Attempt to guess the port and protocol from the referer header, since
	118	# often it is the same site. Defer to the host header though, if the
	119	# info is there.
	120	elif name.lower() == 'referer':
	121	rurl = urllib.parse.urlparse(value)
	122	if rurl.netloc == host:
	123	if rurl.scheme == 'https' and protocol == None:
	124	protocol = 'https'
	125	if rurl.port != None and port == None:
	126	port = rurl.port
[39]	127
[80]	128	if protocol == None:
[116]	129	protocol = 'http'
[80]	130	if port == None:
	131	if protocol == 'https':
	132	port = 443
	133	else:
	134	port = 80
	135
	136
	137	# XXX: use pprint
[47]	138	formatted_body = '\n '.join([repr(body[i:i+40]) for i in range(0,len(body),40)])
[51]	139	if formatted_body == '':
[40]	140	formatted_body = "b''"
[39]	141
[40]	142
[79]	143	print('''#!/usr/bin/env python3
	144	# This script was generated by bletchley-http2py
	145	# See the "TODO" comments below for places to edit your request as needed for your situation.
[40]	146
[39]	147	import sys
[79]	148	from bletchley import blobtools,buffertools
	149	from bletchley import chosenct
	150	from bletchley.CBC import *
	151
[80]	152	# TODO: ensure the host, port, and protocol settings are correct.
[79]	153	host = %s
	154	port = %s
	155	protocol = %s
	156
	157	def decode(token):
	158	# TODO: Perhaps you needs something like this?
	159	# (See 'bletchley-decode -e ?' for a list of encodings)
[82]	160	# return blobtools.decodeChain(['percent/mixed','base64/rfc3548'], token)
[79]	161	return token
	162
	163
	164	def encode(binary):
	165	# TODO: Perhaps you needs something like this?
[82]	166	# return blobtools.encodeChain(['base64/rfc3548', 'percent/mixed'], binary)
[79]	167	return binary
	168	''' % (repr(host),repr(port),repr(protocol)))
	169
	170	if args.requests:
	171	print('''
[39]	172	try:
[40]	173	import requests
[39]	174	except:
[40]	175	sys.stderr.write('ERROR: Could not import requests module. Ensure it is installed.\\n')
	176	sys.stderr.write(' Under Debian, the package name is "python3-requests"\\n.')
[116]	177	sys.stderr.write(' Alternatively, re-generate this script using the --native option.\\n.')
[40]	178	sys.exit(1)
[79]	179	''')
[40]	180
	181	headers = dict(headers)
	182	# XXX: We don't currently support exactly formatted header
	183	# continuations with python requests, but this should be
	184	# semantically equivalent.
	185	for h in headers.keys():
	186	headers[h] = ' '.join(headers[h])
	187
	188	print('''
	189	session = requests.Session()
	190	def sendRequest(session, data=None):
[79]	191	data = data.decode('utf-8')
[116]	192	# TODO: Replace the token you wish to target in this request with the "data" variable.
	193	# Then specify the starting value for that token at the end of this script.
[40]	194	method = %s
	195	path = %s
	196	headers = %s
	197	url = "%%s://%%s:%%d%%s" %% (protocol,host,port,path)
	198	body = (%s)
	199
[80]	200	# Set verify=True if you want to validate the server cert
	201	return session.request(method, url, headers=headers, data=body, allow_redirects=False, verify=False)
[116]	202	''' % (repr(method), repr(path),
	203	pprint.pformat(headers, width=80-14).replace('\n','\n'+' '*14),
	204	formatted_body))
[40]	205
	206	print('''
	207
[116]	208	def processResponse(data, other=None):
[40]	209	global session
	210	ret_val = None
[79]	211	response = sendRequest(session, encode(data))
[40]	212
	213	# TODO: customize code here to retrieve what you need from the response(s)
	214	# For information on the response object's interface, see:
	215	# http://docs.python-requests.org/en/latest/api/#requests.Response
[79]	216
	217	# These are useful for debugging, but once your response processing is working,
	218	# remove them so it isn't so verbose.
[80]	219	print(response.status_code)
[40]	220	print(response.headers)
	221	print(repr(response.content))
	222
	223	return ret_val
[39]	224	''')
	225
	226
[40]	227	else:
[79]	228	print('''
[80]	229	import http.client
[40]	230
[39]	231	def sendRequest(connection, data=None):
[79]	232	data = data.decode('utf-8')
	233	# TODO: use "data" below, wherever your token normally appears
[4]	234	method = %s
	235	path = %s
[14]	236	body = (%s)
	237
[4]	238	connection.putrequest(method, path)
[40]	239	''' % (repr(method), repr(path), formatted_body))
[4]	240
[40]	241	for name,values in headers:
	242	if len(values) > 1:
	243	continuations = ','.join([repr(v) for v in values[1:]])
	244	print(''' connection.putheader(%s, %s, %s)''' % (repr(name),repr(values[0]),continuations))
	245	else:
	246	print(''' connection.putheader(%s, %s)''' % (repr(name),repr(values[0])))
[4]	247
[40]	248	print('''
[4]	249	if len(body) > 0:
	250	connection.putheader('Content-Length', len(body))
	251	connection.endheaders()
	252	connection.send(body)
	253
	254	return connection.getresponse()
	255
	256
[39]	257	def newConnection():
[80]	258	global protocol
	259	if protocol == 'https':
	260	return http.client.HTTPSConnection(host, port)
[39]	261	else:
[80]	262	return http.client.HTTPConnection(host, port)
[4]	263
	264
[116]	265	def processResponse(data, other=None):
[62]	266	ret_val = False
[39]	267	connection = newConnection()
[79]	268	response = sendRequest(connection, encode(data))
[39]	269
	270	# TODO: customize code here to retrieve what you need from the response(s)
	271	# For information on the response object's interface, see:
	272	# http://docs.python.org/library/httplib.html#httpresponse-objects
[79]	273
	274	# These are useful for debugging, but once your response processing is working,
	275	# remove them so it isn't so verbose.
[80]	276	print(response.status)
[39]	277	print(response.getheaders())
	278	print(repr(response.read()))
	279
	280	connection.close()
	281	return ret_val
[4]	282	''')
[62]	283
[79]	284
[62]	285	print('''
[116]	286	token = b'TODO: paste your encoded ciphertext here (typically moved from the sendRequest function)'
[79]	287	ciphertext = decode(token)
[62]	288
[79]	289	# TODO: Use this to verify you get the response you expect.
	290	# Once everything is working, use the commented code below to conduct specific attacks.
[116]	291	processResponse(ciphertext)
[79]	292
	293
[62]	294	# Padding Oracle Attacks
[118]	295	# poa = POA(processResponse, {block size}, ciphertext, iv=None, threads=1, log_file=sys.stderr)
[62]	296	# print(poa.probe_padding()) # sanity check
	297	# print(poa.decrypt())
[68]	298
[79]	299
[68]	300	# Byte-by-byte probing of ciphertext
[79]	301	# Maybe start with this as a fast but gentle probe:
[116]	302	# result = chosenct.probe_bytes(processResponse, ciphertext, [1,128], max_threads=2)
[79]	303	# This is more in-depth (every bit of each byte) and more threads
[116]	304	# result = chosenct.probe_bytes(processResponse, ciphertext, [1,2,4,8,16,32,64,128], max_threads=5)
[79]	305	# Yet more intensive (every byte value against every byte):
[116]	306	# result = chosenct.probe_bytes(processResponse, ciphertext, list(range(1,256)), max_threads=8)
[79]	307	#
[68]	308	# print(result.toHTML())
[62]	309	''')

Note: See TracBrowser for help on using the repository browser.

Download in other formats: