[40] | 1 | #!/usr/bin/env python3 |
---|
[73] | 2 | #-*- mode: Python;-*- |
---|
| 3 | # |
---|
[40] | 4 | # Requires Python 3+ |
---|
[4] | 5 | |
---|
| 6 | ''' |
---|
[40] | 7 | This script reads a raw HTTP request and writes to stdout a Python |
---|
| 8 | script. The generated script sends the same (or a very similar) |
---|
| 9 | request using the standard httplib/http.client library, or optionally |
---|
| 10 | using the more user friendly python-requests library. |
---|
[4] | 11 | |
---|
| 12 | Certainly if you have a raw request, you could simply send it via TCP |
---|
| 13 | sockets, but if for some reason the server behaves oddly with flow control, |
---|
| 14 | insists on using gzip/deflate encoding, insists on using chunked encoding, |
---|
| 15 | or any number of other annoying things, then using an HTTP library is a |
---|
[79] | 16 | lot more convenient. This script attempts to make the conversion from a |
---|
| 17 | raw HTTP request to HTTP library calls easy. |
---|
[4] | 18 | |
---|
| 19 | |
---|
[39] | 20 | Copyright (C) 2011-2013 Virtual Security Research, LLC |
---|
[79] | 21 | Copyright (C) 2014-2015 Blindspot Security LLC |
---|
[4] | 22 | Author: Timothy D. Morgan |
---|
| 23 | |
---|
| 24 | This program is free software: you can redistribute it and/or modify |
---|
| 25 | it under the terms of the GNU Lesser General Public License, version 3, |
---|
| 26 | as published by the Free Software Foundation. |
---|
| 27 | |
---|
| 28 | This program is distributed in the hope that it will be useful, |
---|
| 29 | but WITHOUT ANY WARRANTY; without even the implied warranty of |
---|
| 30 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
---|
| 31 | GNU General Public License for more details. |
---|
| 32 | |
---|
| 33 | You should have received a copy of the GNU General Public License |
---|
| 34 | along with this program. If not, see <http://www.gnu.org/licenses/>. |
---|
| 35 | ''' |
---|
| 36 | |
---|
| 37 | import sys |
---|
| 38 | import argparse |
---|
| 39 | |
---|
[47] | 40 | bopen = lambda f: open(f, 'rb') |
---|
| 41 | |
---|
[28] | 42 | parser = argparse.ArgumentParser( |
---|
| 43 | description='A script which accepts an HTTP request and prints out a' |
---|
| 44 | ' generated Python script which sends a similar request. This is useful' |
---|
| 45 | ' when one wants to automate sending a large number of requests to a' |
---|
| 46 | ' particular page or application.' |
---|
| 47 | ' For more information, see: http://code.google.com/p/bletchley/wiki/Overview') |
---|
| 48 | parser.add_argument( |
---|
[47] | 49 | 'requestfile', type=bopen, nargs='?', default=sys.stdin.buffer, |
---|
[28] | 50 | help='A file containing an HTTP request. Defaults to stdin if omitted.') |
---|
| 51 | parser.add_argument( |
---|
[40] | 52 | '--requests', action='store_true', help='Generate a script that uses the' |
---|
| 53 | ' python-requests module rather than httplib/http.client (experimental).') |
---|
| 54 | |
---|
[4] | 55 | args = parser.parse_args() |
---|
[40] | 56 | input_req = args.requestfile.read() |
---|
[4] | 57 | |
---|
| 58 | |
---|
[47] | 59 | if b'\r\n\r\n' in input_req: |
---|
| 60 | raw_headers,body = input_req.split(b'\r\n\r\n', 1) |
---|
| 61 | elif b'\n\n' in input_req: |
---|
| 62 | raw_headers,body = input_req.split(b'\n\n', 1) |
---|
[4] | 63 | else: |
---|
| 64 | raw_headers = input_req |
---|
[47] | 65 | body = b'' |
---|
[4] | 66 | |
---|
[47] | 67 | raw_headers = raw_headers.decode('utf-8') |
---|
| 68 | |
---|
[4] | 69 | header_lines = raw_headers.split('\n') |
---|
| 70 | method,path,version = header_lines[0].split(' ', 2) |
---|
| 71 | |
---|
| 72 | host = 'TODO' |
---|
[14] | 73 | port = 80 |
---|
[4] | 74 | use_ssl = False |
---|
[40] | 75 | protocol = 'http' |
---|
[4] | 76 | |
---|
| 77 | headers = [] |
---|
| 78 | for l in header_lines[1:]: |
---|
| 79 | if len(l) < 1: |
---|
| 80 | break |
---|
| 81 | # Handle header line continuations |
---|
[40] | 82 | if l[0] in ' \t': |
---|
[4] | 83 | if len(headers) == 0: |
---|
| 84 | continue |
---|
| 85 | name,values = headers[-1] |
---|
| 86 | values.append(l.lstrip('\t')) |
---|
| 87 | headers[-1] = (name,values) |
---|
| 88 | continue |
---|
| 89 | |
---|
| 90 | name,value = l.split(':',1) |
---|
| 91 | value = value.lstrip(' ').rstrip('\r') |
---|
| 92 | |
---|
| 93 | # Skip headers that have to do with transfer encodings and connection longevity |
---|
| 94 | if name.lower() not in ['accept','accept-language', |
---|
| 95 | 'accept-encoding','accept-charset', |
---|
| 96 | 'connection', 'keep-alive', 'host', |
---|
[39] | 97 | 'content-length', 'proxy-connection']: |
---|
[4] | 98 | headers.append((name,[value])) |
---|
| 99 | |
---|
| 100 | if name.lower() == 'host': |
---|
| 101 | if ':' in value: |
---|
| 102 | host,port = value.split(':',1) |
---|
[51] | 103 | port = int(port, 10) |
---|
[4] | 104 | if port == 443: |
---|
| 105 | use_ssl = True |
---|
[40] | 106 | protocol = 'https' |
---|
[4] | 107 | else: |
---|
| 108 | host = value |
---|
| 109 | |
---|
[39] | 110 | |
---|
[47] | 111 | formatted_body = '\n '.join([repr(body[i:i+40]) for i in range(0,len(body),40)]) |
---|
[51] | 112 | if formatted_body == '': |
---|
[40] | 113 | formatted_body = "b''" |
---|
[39] | 114 | |
---|
[40] | 115 | |
---|
[79] | 116 | print('''#!/usr/bin/env python3 |
---|
| 117 | # This script was generated by bletchley-http2py |
---|
| 118 | # See the "TODO" comments below for places to edit your request as needed for your situation. |
---|
[40] | 119 | |
---|
[39] | 120 | import sys |
---|
[79] | 121 | from bletchley import blobtools,buffertools |
---|
| 122 | from bletchley import chosenct |
---|
| 123 | from bletchley.CBC import * |
---|
| 124 | |
---|
| 125 | # TODO: ensure the host, port, and SSL settings are correct. |
---|
| 126 | host = %s |
---|
| 127 | port = %s |
---|
| 128 | protocol = %s |
---|
| 129 | |
---|
| 130 | def decode(token): |
---|
| 131 | # TODO: Perhaps you needs something like this? |
---|
| 132 | # (See 'bletchley-decode -e ?' for a list of encodings) |
---|
| 133 | # return blobtools.decodeAll(['percent/mixed','base64/rfc3548'], data) |
---|
| 134 | return token |
---|
| 135 | |
---|
| 136 | |
---|
| 137 | def encode(binary): |
---|
| 138 | # TODO: Perhaps you needs something like this? |
---|
| 139 | # return blobtools.encodeAll(['base64/rfc3548', 'percent/mixed'], data) |
---|
| 140 | return binary |
---|
| 141 | ''' % (repr(host),repr(port),repr(protocol))) |
---|
| 142 | |
---|
| 143 | if args.requests: |
---|
| 144 | print(''' |
---|
[39] | 145 | try: |
---|
[40] | 146 | import requests |
---|
[39] | 147 | except: |
---|
[40] | 148 | sys.stderr.write('ERROR: Could not import requests module. Ensure it is installed.\\n') |
---|
| 149 | sys.stderr.write(' Under Debian, the package name is "python3-requests"\\n.') |
---|
| 150 | sys.exit(1) |
---|
[79] | 151 | ''') |
---|
[40] | 152 | |
---|
| 153 | headers = dict(headers) |
---|
| 154 | # XXX: We don't currently support exactly formatted header |
---|
| 155 | # continuations with python requests, but this should be |
---|
| 156 | # semantically equivalent. |
---|
| 157 | for h in headers.keys(): |
---|
| 158 | headers[h] = ' '.join(headers[h]) |
---|
| 159 | |
---|
| 160 | print(''' |
---|
| 161 | session = requests.Session() |
---|
| 162 | def sendRequest(session, data=None): |
---|
[79] | 163 | data = data.decode('utf-8') |
---|
| 164 | # TODO: use "data" below, wherever your token normally appears |
---|
[40] | 165 | method = %s |
---|
| 166 | path = %s |
---|
| 167 | headers = %s |
---|
| 168 | url = "%%s://%%s:%%d%%s" %% (protocol,host,port,path) |
---|
| 169 | body = (%s) |
---|
| 170 | |
---|
[70] | 171 | return session.request(method, url, headers=headers, data=body, allow_redirects=False) |
---|
[40] | 172 | ''' % (repr(method), repr(path), repr(headers), formatted_body)) |
---|
| 173 | |
---|
| 174 | print(''' |
---|
| 175 | |
---|
[79] | 176 | def fetch(data, other=None): |
---|
[40] | 177 | global session |
---|
| 178 | ret_val = None |
---|
[79] | 179 | response = sendRequest(session, encode(data)) |
---|
[40] | 180 | |
---|
| 181 | # TODO: customize code here to retrieve what you need from the response(s) |
---|
| 182 | # For information on the response object's interface, see: |
---|
| 183 | # http://docs.python-requests.org/en/latest/api/#requests.Response |
---|
[79] | 184 | |
---|
| 185 | # These are useful for debugging, but once your response processing is working, |
---|
| 186 | # remove them so it isn't so verbose. |
---|
[40] | 187 | print(response.headers) |
---|
| 188 | print(repr(response.content)) |
---|
| 189 | |
---|
| 190 | return ret_val |
---|
[39] | 191 | ''') |
---|
| 192 | |
---|
| 193 | |
---|
[40] | 194 | |
---|
| 195 | else: |
---|
[79] | 196 | print(''' |
---|
[40] | 197 | import http.client as httpc |
---|
| 198 | |
---|
[39] | 199 | def sendRequest(connection, data=None): |
---|
[79] | 200 | data = data.decode('utf-8') |
---|
| 201 | # TODO: use "data" below, wherever your token normally appears |
---|
[4] | 202 | method = %s |
---|
| 203 | path = %s |
---|
[14] | 204 | body = (%s) |
---|
| 205 | |
---|
[4] | 206 | connection.putrequest(method, path) |
---|
[40] | 207 | ''' % (repr(method), repr(path), formatted_body)) |
---|
[4] | 208 | |
---|
[40] | 209 | for name,values in headers: |
---|
| 210 | if len(values) > 1: |
---|
| 211 | continuations = ','.join([repr(v) for v in values[1:]]) |
---|
| 212 | print(''' connection.putheader(%s, %s, %s)''' % (repr(name),repr(values[0]),continuations)) |
---|
| 213 | else: |
---|
| 214 | print(''' connection.putheader(%s, %s)''' % (repr(name),repr(values[0]))) |
---|
[4] | 215 | |
---|
[40] | 216 | print(''' |
---|
[4] | 217 | if len(body) > 0: |
---|
| 218 | connection.putheader('Content-Length', len(body)) |
---|
| 219 | connection.endheaders() |
---|
| 220 | connection.send(body) |
---|
| 221 | |
---|
| 222 | return connection.getresponse() |
---|
| 223 | |
---|
| 224 | |
---|
[39] | 225 | def newConnection(): |
---|
| 226 | if use_ssl: |
---|
| 227 | return httpc.HTTPSConnection(host, port) |
---|
| 228 | else: |
---|
| 229 | return httpc.HTTPConnection(host, port) |
---|
[4] | 230 | |
---|
| 231 | |
---|
[71] | 232 | def fetch(data, other=None): |
---|
[62] | 233 | ret_val = False |
---|
[39] | 234 | connection = newConnection() |
---|
[79] | 235 | response = sendRequest(connection, encode(data)) |
---|
[39] | 236 | |
---|
| 237 | # TODO: customize code here to retrieve what you need from the response(s) |
---|
| 238 | # For information on the response object's interface, see: |
---|
| 239 | # http://docs.python.org/library/httplib.html#httpresponse-objects |
---|
[79] | 240 | |
---|
| 241 | # These are useful for debugging, but once your response processing is working, |
---|
| 242 | # remove them so it isn't so verbose. |
---|
[39] | 243 | print(response.getheaders()) |
---|
| 244 | print(repr(response.read())) |
---|
| 245 | |
---|
| 246 | connection.close() |
---|
| 247 | return ret_val |
---|
[4] | 248 | ''') |
---|
[62] | 249 | |
---|
[79] | 250 | |
---|
[62] | 251 | print(''' |
---|
[79] | 252 | token = b'TODO: paste your encoded ciphertext here' |
---|
| 253 | ciphertext = decode(token) |
---|
[62] | 254 | |
---|
[79] | 255 | # TODO: Use this to verify you get the response you expect. |
---|
| 256 | # Once everything is working, use the commented code below to conduct specific attacks. |
---|
| 257 | fetch(ciphertext) |
---|
| 258 | |
---|
| 259 | |
---|
[62] | 260 | # Padding Oracle Attacks |
---|
| 261 | # poa = POA(fetch, {block size}, ciphertext, threads=1, log_file=sys.stderr) |
---|
| 262 | # print(poa.probe_padding()) # sanity check |
---|
| 263 | # print(poa.decrypt()) |
---|
[68] | 264 | |
---|
[79] | 265 | |
---|
[68] | 266 | # Byte-by-byte probing of ciphertext |
---|
[79] | 267 | # Maybe start with this as a fast but gentle probe: |
---|
| 268 | # result = chosenct.probe_bytes(fetch, ciphertext, [1,128], max_threads=2) |
---|
| 269 | # This is more in-depth (every bit of each byte) and more threads |
---|
[71] | 270 | # result = chosenct.probe_bytes(fetch, ciphertext, [1,2,4,8,16,32,64,128], max_threads=5) |
---|
[79] | 271 | # Yet more intensive (every byte value against every byte): |
---|
| 272 | # result = chosenct.probe_bytes(fetch, ciphertext, list(range(1,256)), max_threads=8) |
---|
| 273 | # |
---|
[68] | 274 | # print(result.toHTML()) |
---|
[62] | 275 | ''') |
---|