source: trunk/bin/bletchley-http2py @ 126

Last change on this file since 126 was 118, checked in by tim, 8 years ago

.

  • Property svn:executable set to *
File size: 10.2 KB
RevLine 
[40]1#!/usr/bin/env python3
[73]2#-*- mode: Python;-*-
3#
[40]4# Requires Python 3+
[4]5
6'''
[40]7This script reads a raw HTTP request and writes to stdout a Python
8script.  The generated script sends the same (or a very similar)
[116]9request using the Requests library, or optionally, the built-in
10http.client library.
[4]11
12Certainly if you have a raw request, you could simply send it via TCP
13sockets, but if for some reason the server behaves oddly with flow control,
14insists on using gzip/deflate encoding, insists on using chunked encoding,
15or any number of other annoying things, then using an HTTP library is a
[79]16lot more convenient.  This script attempts to make the conversion from a
[116]17raw HTTP request to HTTP library calls easy for pentesting automation.
[4]18
19
[39]20Copyright (C) 2011-2013 Virtual Security Research, LLC
[116]21Copyright (C) 2014-2016 Blindspot Security LLC
[4]22Author: Timothy D. Morgan
23
24 This program is free software: you can redistribute it and/or modify
25 it under the terms of the GNU Lesser General Public License, version 3,
26 as published by the Free Software Foundation.
27
28 This program is distributed in the hope that it will be useful,
29 but WITHOUT ANY WARRANTY; without even the implied warranty of
30 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
31 GNU General Public License for more details.
32
33 You should have received a copy of the GNU General Public License
34 along with this program.  If not, see <http://www.gnu.org/licenses/>.
35'''
36
37import sys
38import argparse
[80]39import pprint
40import urllib.parse
[4]41
[47]42bopen = lambda f: open(f, 'rb')
43
[28]44parser = argparse.ArgumentParser(
45    description='A script which accepts an HTTP request and prints out a'
46    ' generated Python script which sends a similar request.  This is useful'
47    ' when one wants to automate sending a large number of requests to a'
48    ' particular page or application.'
49    ' For more information, see: http://code.google.com/p/bletchley/wiki/Overview')
50parser.add_argument(
[47]51    'requestfile', type=bopen, nargs='?', default=sys.stdin.buffer, 
[28]52    help='A file containing an HTTP request.  Defaults to stdin if omitted.')
[116]53group = parser.add_mutually_exclusive_group()
54group.add_argument('--requests', action='store_true',
55                   help='Generate a script that uses the Requests module'
56                        ' rather than http.client (default).')
57group.add_argument('--native', action='store_false', dest='requests',
58                   help='Generate a script that uses Pythons built-in http.client'
59                        ' rather than the Requests module.')
60parser.set_defaults(requests=True)
[40]61
[4]62args = parser.parse_args()
[40]63input_req = args.requestfile.read()
[4]64
65
[47]66if b'\r\n\r\n' in input_req:
67    raw_headers,body = input_req.split(b'\r\n\r\n', 1)
68elif b'\n\n' in input_req:
69    raw_headers,body = input_req.split(b'\n\n', 1)
[4]70else:
71    raw_headers = input_req
[47]72    body = b''
[4]73
[47]74raw_headers = raw_headers.decode('utf-8')
75
[4]76header_lines = raw_headers.split('\n')
77method,path,version = header_lines[0].split(' ', 2)
78
79host = 'TODO'
[80]80port = None
81protocol = None
[4]82
83headers = []
84for l in header_lines[1:]:
85    if len(l) < 1: 
86        break
87    # Handle header line continuations
[40]88    if l[0] in ' \t':
[4]89        if len(headers) == 0:
90            continue
91        name,values = headers[-1]
92        values.append(l.lstrip('\t'))
93        headers[-1] = (name,values)
94        continue
95
96    name,value = l.split(':',1)
97    value = value.lstrip(' ').rstrip('\r')
98
[116]99    # Skip headers that have to do with transfer encodings, connection longevity, and caching
100    # XXX: maybe add these back as commented-out headers to the output?
[4]101    if name.lower() not in ['accept','accept-language',
102                            'accept-encoding','accept-charset',
103                            'connection', 'keep-alive', 'host', 
[116]104                            'content-length', 'proxy-connection',
105                            'if-none-match']:
[4]106        headers.append((name,[value]))
107
108    if name.lower() == 'host':
109        if ':' in value:
110            host,port = value.split(':',1)
[51]111            port = int(port, 10)
[4]112            if port == 443:
[40]113                protocol = 'https'
[4]114        else:
115            host = value
116
[80]117    # Attempt to guess the port and protocol from the referer header, since
118    # often it is the same site.  Defer to the host header though, if the
119    # info is there.
120    elif name.lower() == 'referer':
121        rurl = urllib.parse.urlparse(value)
122        if rurl.netloc == host:
123            if rurl.scheme == 'https' and protocol == None:
124                protocol = 'https'
125            if rurl.port != None and port == None:
126                port = rurl.port
[39]127
[80]128if protocol == None:
[116]129    protocol = 'http'
[80]130if port == None:
131    if protocol == 'https':
132        port = 443
133    else:
134        port = 80
135
136
137# XXX: use pprint
[47]138formatted_body = '\n            '.join([repr(body[i:i+40]) for i in range(0,len(body),40)])
[51]139if formatted_body == '':
[40]140    formatted_body = "b''"
[39]141
[40]142
[79]143print('''#!/usr/bin/env python3
144# This script was generated by bletchley-http2py
145# See the "TODO" comments below for places to edit your request as needed for your situation.
[40]146
[39]147import sys
[79]148from bletchley import blobtools,buffertools
149from bletchley import chosenct
150from bletchley.CBC import *
151
[80]152# TODO: ensure the host, port, and protocol settings are correct.
[79]153host = %s
154port = %s
155protocol = %s
156
157def decode(token):
158    # TODO: Perhaps you needs something like this?
159    #       (See 'bletchley-decode -e ?' for a list of encodings)
[82]160    # return blobtools.decodeChain(['percent/mixed','base64/rfc3548'], token)
[79]161    return token
162
163
164def encode(binary):
165    # TODO: Perhaps you needs something like this?
[82]166    # return blobtools.encodeChain(['base64/rfc3548', 'percent/mixed'], binary)
[79]167    return binary
168''' % (repr(host),repr(port),repr(protocol)))
169
170if args.requests:
171    print('''
[39]172try:
[40]173    import requests
[39]174except:
[40]175    sys.stderr.write('ERROR: Could not import requests module.  Ensure it is installed.\\n')
176    sys.stderr.write('       Under Debian, the package name is "python3-requests"\\n.')
[116]177    sys.stderr.write('       Alternatively, re-generate this script using the --native option.\\n.')
[40]178    sys.exit(1)
[79]179''')
[40]180
181    headers = dict(headers)
182    # XXX: We don't currently support exactly formatted header
183    #      continuations with python requests, but this should be
184    #      semantically equivalent.
185    for h in headers.keys():
186        headers[h] = ' '.join(headers[h])
187
188    print('''
189session = requests.Session()
190def sendRequest(session, data=None):
[79]191    data = data.decode('utf-8')
[116]192    # TODO: Replace the token you wish to target in this request with the "data" variable.
193    #       Then specify the starting value for that token at the end of this script.
[40]194    method = %s
195    path = %s
196    headers = %s
197    url = "%%s://%%s:%%d%%s" %% (protocol,host,port,path)
198    body = (%s)
199
[80]200    # Set verify=True if you want to validate the server cert
201    return session.request(method, url, headers=headers, data=body, allow_redirects=False, verify=False)
[116]202    ''' % (repr(method), repr(path),
203           pprint.pformat(headers, width=80-14).replace('\n','\n'+' '*14),
204           formatted_body))
[40]205
206    print('''   
207
[116]208def processResponse(data, other=None):
[40]209    global session
210    ret_val = None
[79]211    response = sendRequest(session, encode(data))
[40]212
213    # TODO: customize code here to retrieve what you need from the response(s)
214    # For information on the response object's interface, see:
215    #   http://docs.python-requests.org/en/latest/api/#requests.Response
[79]216
217    # These are useful for debugging, but once your response processing is working,
218    # remove them so it isn't so verbose.
[80]219    print(response.status_code)
[40]220    print(response.headers)
221    print(repr(response.content))
222
223    return ret_val
[39]224''')
225
226
[40]227else:
[79]228    print('''
[80]229import http.client
[40]230
[39]231def sendRequest(connection, data=None):
[79]232    data = data.decode('utf-8')
233    # TODO: use "data" below, wherever your token normally appears
[4]234    method = %s
235    path = %s
[14]236    body = (%s)
237   
[4]238    connection.putrequest(method, path)
[40]239    ''' % (repr(method), repr(path), formatted_body))
[4]240
[40]241    for name,values in headers:
242        if len(values) > 1:
243            continuations = ','.join([repr(v) for v in values[1:]])
244            print('''    connection.putheader(%s, %s, %s)''' % (repr(name),repr(values[0]),continuations))
245        else:
246            print('''    connection.putheader(%s, %s)''' % (repr(name),repr(values[0])))
[4]247
[40]248    print('''   
[4]249    if len(body) > 0:
250        connection.putheader('Content-Length', len(body))
251    connection.endheaders()
252    connection.send(body)
253   
254    return connection.getresponse()
255
256
[39]257def newConnection():
[80]258    global protocol
259    if protocol == 'https':
260        return http.client.HTTPSConnection(host, port)
[39]261    else:
[80]262        return http.client.HTTPConnection(host, port)
[4]263
264
[116]265def processResponse(data, other=None):
[62]266    ret_val = False
[39]267    connection = newConnection()
[79]268    response = sendRequest(connection, encode(data))
[39]269
270    # TODO: customize code here to retrieve what you need from the response(s)
271    # For information on the response object's interface, see:
272    #   http://docs.python.org/library/httplib.html#httpresponse-objects
[79]273
274    # These are useful for debugging, but once your response processing is working,
275    # remove them so it isn't so verbose.
[80]276    print(response.status)
[39]277    print(response.getheaders())
278    print(repr(response.read()))
279
280    connection.close()
281    return ret_val
[4]282''')
[62]283
[79]284
[62]285print('''
[116]286token = b'TODO: paste your encoded ciphertext here (typically moved from the sendRequest function)'
[79]287ciphertext = decode(token)
[62]288
[79]289# TODO: Use this to verify you get the response you expect. 
290#       Once everything is working, use the commented code below to conduct specific attacks.
[116]291processResponse(ciphertext)
[79]292
293
[62]294# Padding Oracle Attacks
[118]295# poa = POA(processResponse, {block size}, ciphertext, iv=None, threads=1, log_file=sys.stderr)
[62]296# print(poa.probe_padding()) # sanity check
297# print(poa.decrypt())
[68]298
[79]299
[68]300# Byte-by-byte probing of ciphertext
[79]301#   Maybe start with this as a fast but gentle probe:
[116]302# result = chosenct.probe_bytes(processResponse, ciphertext, [1,128], max_threads=2)
[79]303#   This is more in-depth (every bit of each byte) and more threads
[116]304# result = chosenct.probe_bytes(processResponse, ciphertext, [1,2,4,8,16,32,64,128], max_threads=5)
[79]305#   Yet more intensive (every byte value against every byte):
[116]306# result = chosenct.probe_bytes(processResponse, ciphertext, list(range(1,256)), max_threads=8)
[79]307#
[68]308# print(result.toHTML())
[62]309''')
Note: See TracBrowser for help on using the repository browser.