- Timestamp:
- 10/11/16 14:12:00 (8 years ago)
- File:
-
- 1 edited
trunk/bin/bletchley-http2py
r82 r116 7 7 This script reads a raw HTTP request and writes to stdout a Python 8 8 script. The generated script sends the same (or a very similar) 9 request using the standard httplib/http.client library, or optionally10 using the more user friendly python-requestslibrary.9 request using the Requests library, or optionally, the built-in 10 http.client library. 11 11 12 12 Certainly if you have a raw request, you could simply send it via TCP … … 15 15 or any number of other annoying things, then using an HTTP library is a 16 16 lot more convenient. This script attempts to make the conversion from a 17 raw HTTP request to HTTP library calls easy .17 raw HTTP request to HTTP library calls easy for pentesting automation. 18 18 19 19 20 20 Copyright (C) 2011-2013 Virtual Security Research, LLC 21 Copyright (C) 2014-201 5Blindspot Security LLC21 Copyright (C) 2014-2016 Blindspot Security LLC 22 22 Author: Timothy D. Morgan 23 23 … … 51 51 'requestfile', type=bopen, nargs='?', default=sys.stdin.buffer, 52 52 help='A file containing an HTTP request. 
Defaults to stdin if omitted.') 53 parser.add_argument( 54 '--requests', action='store_true', help='Generate a script that uses the' 55 ' python-requests module rather than http.client (this will likely become' 56 ' the default in the future).') 53 group = parser.add_mutually_exclusive_group() 54 group.add_argument('--requests', action='store_true', 55 help='Generate a script that uses the Requests module' 56 ' rather than http.client (default).') 57 group.add_argument('--native', action='store_false', dest='requests', 58 help='Generate a script that uses Pythons built-in http.client' 59 ' rather than the Requests module.') 60 parser.set_defaults(requests=True) 57 61 58 62 args = parser.parse_args() … … 93 97 value = value.lstrip(' ').rstrip('\r') 94 98 95 # Skip headers that have to do with transfer encodings and connection longevity 99 # Skip headers that have to do with transfer encodings, connection longevity, and caching 100 # XXX: maybe add these back as commented-out headers to the output? 96 101 if name.lower() not in ['accept','accept-language', 97 102 'accept-encoding','accept-charset', 98 103 'connection', 'keep-alive', 'host', 99 'content-length', 'proxy-connection']: 104 'content-length', 'proxy-connection', 105 'if-none-match']: 100 106 headers.append((name,[value])) 101 107 … … 121 127 122 128 if protocol == None: 123 protocol = = 'http'129 protocol = 'http' 124 130 if port == None: 125 131 if protocol == 'https': … … 169 175 sys.stderr.write('ERROR: Could not import requests module. 
Ensure it is installed.\\n') 170 176 sys.stderr.write(' Under Debian, the package name is "python3-requests"\\n.') 177 sys.stderr.write(' Alternatively, re-generate this script using the --native option.\\n.') 171 178 sys.exit(1) 172 179 ''') … … 183 190 def sendRequest(session, data=None): 184 191 data = data.decode('utf-8') 185 # TODO: use "data" below, wherever your token normally appears 192 # TODO: Replace the token you wish to target in this request with the "data" variable. 193 # Then specify the starting value for that token at the end of this script. 186 194 method = %s 187 195 path = %s … … 192 200 # Set verify=True if you want to validate the server cert 193 201 return session.request(method, url, headers=headers, data=body, allow_redirects=False, verify=False) 194 ''' % (repr(method), repr(path), pprint.pformat(headers, indent=14), formatted_body)) 202 ''' % (repr(method), repr(path), 203 pprint.pformat(headers, width=80-14).replace('\n','\n'+' '*14), 204 formatted_body)) 195 205 196 206 print(''' 197 207 198 def fetch(data, other=None):208 def processResponse(data, other=None): 199 209 global session 200 210 ret_val = None … … 253 263 254 264 255 def fetch(data, other=None):265 def processResponse(data, other=None): 256 266 ret_val = False 257 267 connection = newConnection() … … 274 284 275 285 print(''' 276 token = b'TODO: paste your encoded ciphertext here '286 token = b'TODO: paste your encoded ciphertext here (typically moved from the sendRequest function)' 277 287 ciphertext = decode(token) 278 288 279 289 # TODO: Use this to verify you get the response you expect. 280 290 # Once everything is working, use the commented code below to conduct specific attacks. 
281 fetch(ciphertext)291 processResponse(ciphertext) 282 292 283 293 284 294 # Padding Oracle Attacks 285 # poa = POA( fetch, {block size}, ciphertext, threads=1, log_file=sys.stderr)295 # poa = POA(processResponse, {block size}, ciphertext, threads=1, log_file=sys.stderr) 286 296 # print(poa.probe_padding()) # sanity check 287 297 # print(poa.decrypt()) … … 290 300 # Byte-by-byte probing of ciphertext 291 301 # Maybe start with this as a fast but gentle probe: 292 # result = chosenct.probe_bytes( fetch, ciphertext, [1,128], max_threads=2)302 # result = chosenct.probe_bytes(processResponse, ciphertext, [1,128], max_threads=2) 293 303 # This is more in-depth (every bit of each byte) and more threads 294 # result = chosenct.probe_bytes( fetch, ciphertext, [1,2,4,8,16,32,64,128], max_threads=5)304 # result = chosenct.probe_bytes(processResponse, ciphertext, [1,2,4,8,16,32,64,128], max_threads=5) 295 305 # Yet more intensive (every byte value against every byte): 296 # result = chosenct.probe_bytes( fetch, ciphertext, list(range(1,256)), max_threads=8)306 # result = chosenct.probe_bytes(processResponse, ciphertext, list(range(1,256)), max_threads=8) 297 307 # 298 308 # print(result.toHTML())
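Review bot: The new `sys.stderr.write` line added around new line 177 of the generated script's requests-import fallback puts the period after the newline escape, `... --native option.\\n.'`, so the emitted message ends with a stray `.` at the start of the following line; it should read `sys.stderr.write(' Alternatively, re-generate this script using the --native option.\\n')`. The pre-existing line above it (the Debian package hint) has the same trailing `\\n.` and could be fixed in the same pass. The `--native` help text at new line 58 is also missing an apostrophe, `'Generate a script that uses Python\'s built-in http.client'`. These lines sit inside a multi-line `print('''...''')` template whose start and end fall outside the visible hunk, so the escaping must stay as the template expects.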