[40] | 1 | #!/usr/bin/env python3 |
---|
[73] | 2 | #-*- mode: Python;-*- |
---|
| 3 | # |
---|
[40] | 4 | # Requires Python 3+ |
---|
[4] | 5 | |
---|
| 6 | ''' |
---|
[40] | 7 | This script reads a raw HTTP request and writes to stdout a Python |
---|
| 8 | script. The generated script sends the same (or a very similar) |
---|
[116] | 9 | request using the Requests library, or optionally, the built-in |
---|
| 10 | http.client library. |
---|
[4] | 11 | |
---|
| 12 | Certainly if you have a raw request, you could simply send it via TCP |
---|
| 13 | sockets, but if for some reason the server behaves oddly with flow control, |
---|
| 14 | insists on using gzip/deflate encoding, insists on using chunked encoding, |
---|
| 15 | or any number of other annoying things, then using an HTTP library is a |
---|
[79] | 16 | lot more convenient. This script attempts to make the conversion from a |
---|
[116] | 17 | raw HTTP request to HTTP library calls easy for pentesting automation. |
---|
[4] | 18 | |
---|
| 19 | |
---|
[39] | 20 | Copyright (C) 2011-2013 Virtual Security Research, LLC |
---|
[116] | 21 | Copyright (C) 2014-2016 Blindspot Security LLC |
---|
[4] | 22 | Author: Timothy D. Morgan |
---|
| 23 | |
---|
| 24 | This program is free software: you can redistribute it and/or modify |
---|
| 25 | it under the terms of the GNU Lesser General Public License, version 3, |
---|
| 26 | as published by the Free Software Foundation. |
---|
| 27 | |
---|
| 28 | This program is distributed in the hope that it will be useful, |
---|
| 29 | but WITHOUT ANY WARRANTY; without even the implied warranty of |
---|
| 30 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
---|
| 31 | GNU General Public License for more details. |
---|
| 32 | |
---|
| 33 | You should have received a copy of the GNU General Public License |
---|
| 34 | along with this program. If not, see <http://www.gnu.org/licenses/>. |
---|
| 35 | ''' |
---|
| 36 | |
---|
| 37 | import sys |
---|
| 38 | import argparse |
---|
[80] | 39 | import pprint |
---|
| 40 | import urllib.parse |
---|
[4] | 41 | |
---|
[47] | 42 | bopen = lambda f: open(f, 'rb') |
---|
| 43 | |
---|
[28] | 44 | parser = argparse.ArgumentParser( |
---|
| 45 | description='A script which accepts an HTTP request and prints out a' |
---|
| 46 | ' generated Python script which sends a similar request. This is useful' |
---|
| 47 | ' when one wants to automate sending a large number of requests to a' |
---|
| 48 | ' particular page or application.' |
---|
| 49 | ' For more information, see: http://code.google.com/p/bletchley/wiki/Overview') |
---|
| 50 | parser.add_argument( |
---|
[47] | 51 | 'requestfile', type=bopen, nargs='?', default=sys.stdin.buffer, |
---|
[28] | 52 | help='A file containing an HTTP request. Defaults to stdin if omitted.') |
---|
[116] | 53 | group = parser.add_mutually_exclusive_group() |
---|
| 54 | group.add_argument('--requests', action='store_true', |
---|
| 55 | help='Generate a script that uses the Requests module' |
---|
| 56 | ' rather than http.client (default).') |
---|
| 57 | group.add_argument('--native', action='store_false', dest='requests', |
---|
| 58 | help='Generate a script that uses Pythons built-in http.client' |
---|
| 59 | ' rather than the Requests module.') |
---|
| 60 | parser.set_defaults(requests=True) |
---|
[40] | 61 | |
---|
[4] | 62 | args = parser.parse_args() |
---|
[40] | 63 | input_req = args.requestfile.read() |
---|
[4] | 64 | |
---|
| 65 | |
---|
[47] | 66 | if b'\r\n\r\n' in input_req: |
---|
| 67 | raw_headers,body = input_req.split(b'\r\n\r\n', 1) |
---|
| 68 | elif b'\n\n' in input_req: |
---|
| 69 | raw_headers,body = input_req.split(b'\n\n', 1) |
---|
[4] | 70 | else: |
---|
| 71 | raw_headers = input_req |
---|
[47] | 72 | body = b'' |
---|
[4] | 73 | |
---|
[47] | 74 | raw_headers = raw_headers.decode('utf-8') |
---|
| 75 | |
---|
[4] | 76 | header_lines = raw_headers.split('\n') |
---|
| 77 | method,path,version = header_lines[0].split(' ', 2) |
---|
| 78 | |
---|
| 79 | host = 'TODO' |
---|
[80] | 80 | port = None |
---|
| 81 | protocol = None |
---|
[4] | 82 | |
---|
| 83 | headers = [] |
---|
| 84 | for l in header_lines[1:]: |
---|
| 85 | if len(l) < 1: |
---|
| 86 | break |
---|
| 87 | # Handle header line continuations |
---|
[40] | 88 | if l[0] in ' \t': |
---|
[4] | 89 | if len(headers) == 0: |
---|
| 90 | continue |
---|
| 91 | name,values = headers[-1] |
---|
| 92 | values.append(l.lstrip('\t')) |
---|
| 93 | headers[-1] = (name,values) |
---|
| 94 | continue |
---|
| 95 | |
---|
| 96 | name,value = l.split(':',1) |
---|
| 97 | value = value.lstrip(' ').rstrip('\r') |
---|
| 98 | |
---|
[116] | 99 | # Skip headers that have to do with transfer encodings, connection longevity, and caching |
---|
| 100 | # XXX: maybe add these back as commented-out headers to the output? |
---|
[4] | 101 | if name.lower() not in ['accept','accept-language', |
---|
| 102 | 'accept-encoding','accept-charset', |
---|
| 103 | 'connection', 'keep-alive', 'host', |
---|
[116] | 104 | 'content-length', 'proxy-connection', |
---|
| 105 | 'if-none-match']: |
---|
[4] | 106 | headers.append((name,[value])) |
---|
| 107 | |
---|
| 108 | if name.lower() == 'host': |
---|
| 109 | if ':' in value: |
---|
| 110 | host,port = value.split(':',1) |
---|
[51] | 111 | port = int(port, 10) |
---|
[4] | 112 | if port == 443: |
---|
[40] | 113 | protocol = 'https' |
---|
[4] | 114 | else: |
---|
| 115 | host = value |
---|
| 116 | |
---|
[80] | 117 | # Attempt to guess the port and protocol from the referer header, since |
---|
| 118 | # often it is the same site. Defer to the host header though, if the |
---|
| 119 | # info is there. |
---|
| 120 | elif name.lower() == 'referer': |
---|
| 121 | rurl = urllib.parse.urlparse(value) |
---|
| 122 | if rurl.netloc == host: |
---|
| 123 | if rurl.scheme == 'https' and protocol == None: |
---|
| 124 | protocol = 'https' |
---|
| 125 | if rurl.port != None and port == None: |
---|
| 126 | port = rurl.port |
---|
[39] | 127 | |
---|
[80] | 128 | if protocol == None: |
---|
[116] | 129 | protocol = 'http' |
---|
[80] | 130 | if port == None: |
---|
| 131 | if protocol == 'https': |
---|
| 132 | port = 443 |
---|
| 133 | else: |
---|
| 134 | port = 80 |
---|
| 135 | |
---|
| 136 | |
---|
| 137 | # XXX: use pprint |
---|
[47] | 138 | formatted_body = '\n '.join([repr(body[i:i+40]) for i in range(0,len(body),40)]) |
---|
[51] | 139 | if formatted_body == '': |
---|
[40] | 140 | formatted_body = "b''" |
---|
[39] | 141 | |
---|
[40] | 142 | |
---|
[79] | 143 | print('''#!/usr/bin/env python3 |
---|
| 144 | # This script was generated by bletchley-http2py |
---|
| 145 | # See the "TODO" comments below for places to edit your request as needed for your situation. |
---|
[40] | 146 | |
---|
[39] | 147 | import sys |
---|
[79] | 148 | from bletchley import blobtools,buffertools |
---|
| 149 | from bletchley import chosenct |
---|
| 150 | from bletchley.CBC import * |
---|
| 151 | |
---|
[80] | 152 | # TODO: ensure the host, port, and protocol settings are correct. |
---|
[79] | 153 | host = %s |
---|
| 154 | port = %s |
---|
| 155 | protocol = %s |
---|
| 156 | |
---|
| 157 | def decode(token): |
---|
| 158 | # TODO: Perhaps you needs something like this? |
---|
| 159 | # (See 'bletchley-decode -e ?' for a list of encodings) |
---|
[82] | 160 | # return blobtools.decodeChain(['percent/mixed','base64/rfc3548'], token) |
---|
[79] | 161 | return token |
---|
| 162 | |
---|
| 163 | |
---|
| 164 | def encode(binary): |
---|
| 165 | # TODO: Perhaps you needs something like this? |
---|
[82] | 166 | # return blobtools.encodeChain(['base64/rfc3548', 'percent/mixed'], binary) |
---|
[79] | 167 | return binary |
---|
| 168 | ''' % (repr(host),repr(port),repr(protocol))) |
---|
| 169 | |
---|
| 170 | if args.requests: |
---|
| 171 | print(''' |
---|
[39] | 172 | try: |
---|
[40] | 173 | import requests |
---|
[39] | 174 | except: |
---|
[40] | 175 | sys.stderr.write('ERROR: Could not import requests module. Ensure it is installed.\\n') |
---|
| 176 | sys.stderr.write(' Under Debian, the package name is "python3-requests"\\n.') |
---|
[116] | 177 | sys.stderr.write(' Alternatively, re-generate this script using the --native option.\\n.') |
---|
[40] | 178 | sys.exit(1) |
---|
[79] | 179 | ''') |
---|
[40] | 180 | |
---|
| 181 | headers = dict(headers) |
---|
| 182 | # XXX: We don't currently support exactly formatted header |
---|
| 183 | # continuations with python requests, but this should be |
---|
| 184 | # semantically equivalent. |
---|
| 185 | for h in headers.keys(): |
---|
| 186 | headers[h] = ' '.join(headers[h]) |
---|
| 187 | |
---|
| 188 | print(''' |
---|
| 189 | session = requests.Session() |
---|
| 190 | def sendRequest(session, data=None): |
---|
[79] | 191 | data = data.decode('utf-8') |
---|
[116] | 192 | # TODO: Replace the token you wish to target in this request with the "data" variable. |
---|
| 193 | # Then specify the starting value for that token at the end of this script. |
---|
[40] | 194 | method = %s |
---|
| 195 | path = %s |
---|
| 196 | headers = %s |
---|
| 197 | url = "%%s://%%s:%%d%%s" %% (protocol,host,port,path) |
---|
| 198 | body = (%s) |
---|
| 199 | |
---|
[80] | 200 | # Set verify=True if you want to validate the server cert |
---|
| 201 | return session.request(method, url, headers=headers, data=body, allow_redirects=False, verify=False) |
---|
[116] | 202 | ''' % (repr(method), repr(path), |
---|
| 203 | pprint.pformat(headers, width=80-14).replace('\n','\n'+' '*14), |
---|
| 204 | formatted_body)) |
---|
[40] | 205 | |
---|
| 206 | print(''' |
---|
| 207 | |
---|
[116] | 208 | def processResponse(data, other=None): |
---|
[40] | 209 | global session |
---|
| 210 | ret_val = None |
---|
[79] | 211 | response = sendRequest(session, encode(data)) |
---|
[40] | 212 | |
---|
| 213 | # TODO: customize code here to retrieve what you need from the response(s) |
---|
| 214 | # For information on the response object's interface, see: |
---|
| 215 | # http://docs.python-requests.org/en/latest/api/#requests.Response |
---|
[79] | 216 | |
---|
| 217 | # These are useful for debugging, but once your response processing is working, |
---|
| 218 | # remove them so it isn't so verbose. |
---|
[80] | 219 | print(response.status_code) |
---|
[40] | 220 | print(response.headers) |
---|
| 221 | print(repr(response.content)) |
---|
| 222 | |
---|
| 223 | return ret_val |
---|
[39] | 224 | ''') |
---|
| 225 | |
---|
| 226 | |
---|
[40] | 227 | else: |
---|
[79] | 228 | print(''' |
---|
[80] | 229 | import http.client |
---|
[40] | 230 | |
---|
[39] | 231 | def sendRequest(connection, data=None): |
---|
[79] | 232 | data = data.decode('utf-8') |
---|
| 233 | # TODO: use "data" below, wherever your token normally appears |
---|
[4] | 234 | method = %s |
---|
| 235 | path = %s |
---|
[14] | 236 | body = (%s) |
---|
| 237 | |
---|
[4] | 238 | connection.putrequest(method, path) |
---|
[40] | 239 | ''' % (repr(method), repr(path), formatted_body)) |
---|
[4] | 240 | |
---|
[40] | 241 | for name,values in headers: |
---|
| 242 | if len(values) > 1: |
---|
| 243 | continuations = ','.join([repr(v) for v in values[1:]]) |
---|
| 244 | print(''' connection.putheader(%s, %s, %s)''' % (repr(name),repr(values[0]),continuations)) |
---|
| 245 | else: |
---|
| 246 | print(''' connection.putheader(%s, %s)''' % (repr(name),repr(values[0]))) |
---|
[4] | 247 | |
---|
[40] | 248 | print(''' |
---|
[4] | 249 | if len(body) > 0: |
---|
| 250 | connection.putheader('Content-Length', len(body)) |
---|
| 251 | connection.endheaders() |
---|
| 252 | connection.send(body) |
---|
| 253 | |
---|
| 254 | return connection.getresponse() |
---|
| 255 | |
---|
| 256 | |
---|
[39] | 257 | def newConnection(): |
---|
[80] | 258 | global protocol |
---|
| 259 | if protocol == 'https': |
---|
| 260 | return http.client.HTTPSConnection(host, port) |
---|
[39] | 261 | else: |
---|
[80] | 262 | return http.client.HTTPConnection(host, port) |
---|
[4] | 263 | |
---|
| 264 | |
---|
[116] | 265 | def processResponse(data, other=None): |
---|
[62] | 266 | ret_val = False |
---|
[39] | 267 | connection = newConnection() |
---|
[79] | 268 | response = sendRequest(connection, encode(data)) |
---|
[39] | 269 | |
---|
| 270 | # TODO: customize code here to retrieve what you need from the response(s) |
---|
| 271 | # For information on the response object's interface, see: |
---|
| 272 | # http://docs.python.org/library/httplib.html#httpresponse-objects |
---|
[79] | 273 | |
---|
| 274 | # These are useful for debugging, but once your response processing is working, |
---|
| 275 | # remove them so it isn't so verbose. |
---|
[80] | 276 | print(response.status) |
---|
[39] | 277 | print(response.getheaders()) |
---|
| 278 | print(repr(response.read())) |
---|
| 279 | |
---|
| 280 | connection.close() |
---|
| 281 | return ret_val |
---|
[4] | 282 | ''') |
---|
[62] | 283 | |
---|
[79] | 284 | |
---|
[62] | 285 | print(''' |
---|
[116] | 286 | token = b'TODO: paste your encoded ciphertext here (typically moved from the sendRequest function)' |
---|
[79] | 287 | ciphertext = decode(token) |
---|
[62] | 288 | |
---|
[79] | 289 | # TODO: Use this to verify you get the response you expect. |
---|
| 290 | # Once everything is working, use the commented code below to conduct specific attacks. |
---|
[116] | 291 | processResponse(ciphertext) |
---|
[79] | 292 | |
---|
| 293 | |
---|
[62] | 294 | # Padding Oracle Attacks |
---|
[118] | 295 | # poa = POA(processResponse, {block size}, ciphertext, iv=None, threads=1, log_file=sys.stderr) |
---|
[62] | 296 | # print(poa.probe_padding()) # sanity check |
---|
| 297 | # print(poa.decrypt()) |
---|
[68] | 298 | |
---|
[79] | 299 | |
---|
[68] | 300 | # Byte-by-byte probing of ciphertext |
---|
[79] | 301 | # Maybe start with this as a fast but gentle probe: |
---|
[116] | 302 | # result = chosenct.probe_bytes(processResponse, ciphertext, [1,128], max_threads=2) |
---|
[79] | 303 | # This is more in-depth (every bit of each byte) and more threads |
---|
[116] | 304 | # result = chosenct.probe_bytes(processResponse, ciphertext, [1,2,4,8,16,32,64,128], max_threads=5) |
---|
[79] | 305 | # Yet more intensive (every byte value against every byte): |
---|
[116] | 306 | # result = chosenct.probe_bytes(processResponse, ciphertext, list(range(1,256)), max_threads=8) |
---|
[79] | 307 | # |
---|
[68] | 308 | # print(result.toHTML()) |
---|
[62] | 309 | ''') |
---|