
init

init
irsdl committed Jul 7, 2017
1 parent b9c0184 commit 7f67a8208e929bcf74bd80f4a3f5976d97976907
@@ -0,0 +1,197 @@
#!/usr/bin/python
import re
import socket
import urlparse
import ssl
import urllib
import time
# See HTTPPipelineTest() for a simple usage
# Example:
# RequestObject('POST', 'https://soroush.secproject.com/?q1=q2','var=val',{'cookie':'x=2;r=5','connection':'close','Content-Type': 'application/x-www-form-urlencoded'}, True)
class RequestObject(object):
url = ''
_path = ''
_CRLF = '\r\n'
qs = ''
cookie = ''
body = ''
headers = None
autoContentLength = True
autoHOSTHeader = True
useAbsolutePath = False
isSSL = False
HTTPVersion = ''
targetName = ''
targetPort = ''
targetProtocol = ''
# The class "constructor" - It's actually an initializer
def __init__(self, method='GET', url='', body='', headers=None, autoContentLength=True, autoHOSTHeader=True, useAbsolutePath=False, HTTPVersion='HTTP/1.1'):
self.method = method
self.url = url
self.body = body
self.headers = headers
self.autoContentLength = autoContentLength
self.autoHOSTHeader = autoHOSTHeader
self.useAbsolutePath = useAbsolutePath
self.HTTPVersion = HTTPVersion
self._setParams()
def _setParams(self):
parsedURL = urlparse.urlparse(self.url)
# setting the path
if self.useAbsolutePath == True:
self._path = self.url
else:
self._path = parsedURL.path
self.qs = parsedURL.query
if self._path == '':
self._path = '/'
# fix the body if it is in dict format
if isinstance(self.body,dict):
self.body = urllib.urlencode(self.body)
# set other necessary parameters
self.targetName = parsedURL.netloc
self.targetPort = parsedURL.port
self.targetProtocol = (parsedURL.scheme).lower()
if self.targetProtocol == 'https':
self.isSSL = True
if self.targetPort == None: self.targetPort = 443
elif self.targetPort == None:
self.targetPort = 80
def rawRequest(self):
self._setParams()
#building the raw request
queryString = ''
hostHeader = ''
contentLengthHeader = ''
incomingHeaders = ''
if self.autoHOSTHeader:
hostHeader = self._CRLF + "Host: " + self.targetName + self._CRLF
if self.headers != None:
for key, value in self.headers.iteritems():
incomingHeaders = incomingHeaders + str(key) + ": " + str(value) + self._CRLF
if incomingHeaders.endswith(self._CRLF):
incomingHeaders = incomingHeaders[:-2]
if self.autoContentLength:
contentLengthHeader = self._CRLF + "Content-Length: " + str(len(self.body))
if self.qs != '':
queryString = '?' + self.qs
httpdata = self.method + " " + self._path + queryString + " " + self.HTTPVersion + hostHeader + incomingHeaders + \
contentLengthHeader + self._CRLF + self._CRLF + self.body
return httpdata
def SendHTTPRequestBySocket(rawHTTPRequest = '', targetName='127.0.0.1', targetPort=80, isSSL = False, timeout=1,
includeTimeoutErr=False, isRateLimited=False, sendInitialChars=0, sendBodyCharRate=1, delayInBetween=0.2):
if len(rawHTTPRequest) == 0: return
# create an INET, STREAMing socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
if isSSL:
s = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_TLSv1) # Perhaps this needs to be changed when other protocols should be used
s.settimeout(timeout)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.connect((targetName, targetPort))
# s.send(unicode(rawHTTPRequest, 'utf-8'))
if isRateLimited is False or sendBodyCharRate <= 0 or sendBodyCharRate <= 0 or delayInBetween < 0:
s.send(rawHTTPRequest)
else:
if sendInitialChars > 0:
s.send(rawHTTPRequest[:sendInitialChars])
rawHTTPRequest = rawHTTPRequest[sendInitialChars:]
for i in range(0, len(rawHTTPRequest), sendBodyCharRate):
time.sleep(delayInBetween)
s.send(rawHTTPRequest[i:i + sendBodyCharRate])
response = b''
while True:
try:
buf = s.recv(1024)
if not buf: break
response = response + buf
except socket.timeout, e:
err = e.args[0]
if err == 'timed out' and includeTimeoutErr:
if response != '':
response = response + '\nErr: last part was timed out'
else:
response = 'Err: timed out'
break
s.close()
return response
def RequestObjectsToHTTPPipeline(RequestObjects):
result = ''
if len(RequestObjects) <= 0: raise ValueError('less_than_two_elements_received_by_RequestObjectsToHTTPPipeline()')
CRLF = '\r\n'
mainTarget = ''
mainPort = ''
lastElement = True
for reqObjects in reversed(RequestObjects):
if mainTarget == '':
mainTarget = reqObjects.targetName
mainPort = reqObjects.targetPort
IsConnectionSet = False
if reqObjects.headers != None:
for key, value in reqObjects.headers.iteritems():
if re.search(r'(connection:\s*close)|(connection:\s*keep\-alive)', str(key) +":" + str(value),
flags=re.IGNORECASE) != None:
IsConnectionSet = True
reqObjects.headers[key] = 'keep-alive'
if IsConnectionSet == False:
if lastElement:
reqObjects.headers['Connection'] = 'close'
else:
reqObjects.headers['Connection'] = 'keep-alive'
lastElement = False
result = reqObjects.rawRequest() + CRLF + result
result = result + CRLF
#result = result + "GET /IDontExist HTTP/1.1" + CRLF + "Host: " + mainTarget + ":" + str(mainPort) +\
#CRLF + "connection: close" + CRLF + CRLF
return result
def HTTPPipelineTest():
result = False
testReq1 = RequestObject('OPTIONS', 'https://0me.me/calc.php?a=2222&b=2','',
{'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0',
'Referer': 'https://www.google.com/',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language': 'en-GB,en;q=0.5',
'Max-Forwards': '0',
'Connection': 'close'})
testReq2 = RequestObject('OPTIONS', 'https://0me.me/calc.php?a=3333&b=3','',
{'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0',
'Max-Forwards': '0','connection':'close'})
testRequests = [testReq1,testReq2]
pipelineResult = RequestObjectsToHTTPPipeline(testRequests)
#print pipelineResult
try:
reqResult = SendHTTPRequestBySocket(pipelineResult, testReq1.targetName, testReq1.targetPort, testReq1.isSSL, 20)
#reqResult = SendHTTPRequestBySocket(pipelineResult, 'localhost', 8081, False, 5)
except:
reqResult = ''
#print reqResult
if reqResult.find('4444') > 0 and reqResult.find('9999') > 0:
result = True
return result
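Review bot: RequestObjectsToHTTPPipeline raises a TypeError for any request built with headers=None, because the `!= None` check only guards the header loop while the assignments `reqObjects.headers['Connection'] = ...` run unconditionally (as far as the flattened rendering shows); adding `if reqObjects.headers is None: reqObjects.headers = {}` before the IsConnectionSet test fixes it, and the regex branch also forces an existing Connection header to 'keep-alive' even on the last request, which looks unintended given the else branch. In SendHTTPRequestBySocket the TLS wrap is pinned to PROTOCOL_TLSv1 and sends no SNI, so current hosts refuse the handshake or serve the wrong certificate; `ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)` followed by `s = ctx.wrap_socket(s, server_hostname=targetName)` negotiates the version and passes the hostname, and the fact that certificate verification stays off should be stated in a comment next to it. The ValueError text 'less_than_two_elements_received_by_RequestObjectsToHTTPPipeline()' does not match its `<= 0` condition, and the guard `sendBodyCharRate <= 0 or sendBodyCharRate <= 0` repeats the same operand, presumably one side was meant to be sendInitialChars. HTTPPipelineTest's bare `except:` should narrow to `except socket.error:` so that unrelated failures are not reported as an empty response.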
@@ -0,0 +1,46 @@
Test Page (at least vulnerable to xss - don't use on live)<br/>
<%
On Error Resume Next
Response.write("<br/>GET input0:<br/>")
Response.write("<br/>input0="&(Request.querystring("input0"))&"<br/>")
Response.write("Len(input0)="&Len(Request.querystring("input0"))&"<br/>")
Response.write("LenB(input0)="&LenB(Request.querystring("input0"))&"<br/><br/>")
Response.write("<br/>POST input1:<br/>")
Response.write("<br/>input1="&(Request.form("input1"))&"<br/>")
Response.write("Len(input1)="&Len(Request.form("input1"))&"<br/>")
Response.write("LenB(input1)="&LenB(Request.form("input1"))&"<br/><br/>")
Response.write("<br/>COOKIE input2:<br/>")
Response.write("<br/>input2="&(Request.Cookies("input2"))&"<br/>")
Response.write("Len(input2)="&Len(Request.Cookies("input2"))&"<br/>")
Response.write("LenB(input2)="&LenB(Request.Cookies("input2"))&"<br/><br/>")
Response.write("<br/>All GET:<br/><br/>")
For each item in request.querystring
Response.write("<br/>" & item & "="&request.querystring(item)&"<br/>")
Response.write("<br/>")
Next
Response.write("<br/>All POST:<br/>")
For each item in request.form
Response.write("<br/>" & item & "="&request.form(item)&"<br/>")
Next
Response.write("<br/>All COOKIES:<br/><br/>")
For each item in request.Cookies
Response.write("<br/>" & item & "="&request.Cookies(item)&"<br/>")
Response.write("<br/>")
Next
Response.write("<br/>Server Variables:<br/><br/>")
For each item in Request.ServerVariables
Response.write("<br/>" & item & "="&Request.ServerVariables(item)&"<br/>")
Response.write("<br/>")
Next
Response.write("<br/>generic parameter ( REQUEST(""input"") ) input:<br/>")
Response.write("<br/>input="&(Request("input"))&"<br/>")
Response.write("Len(input)="&Len(Request("input"))&"<br/>")
Response.write("LenB(input)="&LenB(Request("input"))&"<br/><br/>")
%>
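Review bot: `On Error Resume Next` at the top of the script swallows every runtime error with no `Err.Number` check afterwards, so a failing `Len`/`LenB` or collection lookup silently yields a truncated page that reads like a valid measurement; for a probe page whose purpose is to report lengths, drop the line or test `Err.Number` after each block. Each input is read from the collection three times; reading it once, `Dim input0: input0 = Request.querystring("input0")`, and echoing the local is cheaper and makes the deliberate raw echo visible in one place. A one-line comment above the first Response.write saying that the value is intentionally written without `Server.HTMLEncode` and that the Len/LenB pair reports characters versus bytes of VBScript's 2-byte internal string representation would keep the next reader from "fixing" it.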
@@ -0,0 +1,46 @@
Test Page (at least vulnerable to xss - don't use on live)<br/>
<%
On Error Resume Next
Response.write("<br/>GET input0:<br/>")
Response.write("<br/>input0="&(Request.querystring("input0"))&"<br/>")
Response.write("Len(input0)="&Len(Request.querystring("input0"))&"<br/>")
Response.write("System.Text.Encoding.Unicode.GetByteCount(input0)="&System.Text.Encoding.Unicode.GetByteCount(Request.querystring("input0"))&"<br/><br/>")
Response.write("<br/>POST input1:<br/>")
Response.write("<br/>input1="&(Request.form("input1"))&"<br/>")
Response.write("Len(input1)="&Len(Request.form("input1"))&"<br/>")
Response.write("System.Text.Encoding.Unicode.GetByteCount(input1)="&System.Text.Encoding.Unicode.GetByteCount(Request.form("input1"))&"<br/><br/>")
Response.write("<br/>COOKIE input2:<br/>")
Response.write("<br/>input2="&(Request.Cookies("input2").Value)&"<br/>")
Response.write("Len(input2)="&Len(Request.Cookies("input2").Value)&"<br/>")
Response.write("System.Text.Encoding.Unicode.GetByteCount(input2)="&System.Text.Encoding.Unicode.GetByteCount(Request.Cookies("input2").Value)&"<br/><br/>")
Response.write("<br/>All GET:<br/><br/>")
For each item in request.querystring
Response.write("<br/>" & item & "="&request.querystring(item)&"<br/>")
Response.write("<br/>")
Next
Response.write("<br/>All POST:<br/>")
For each item in request.form
Response.write("<br/>" & item & "="&request.form(item)&"<br/>")
Next
Response.write("<br/>All COOKIES:<br/><br/>")
For each item in request.Cookies
Response.write("<br/>" & item & "="&request.Cookies(item)&"<br/>")
Response.write("<br/>")
Next
Response.write("<br/>Server Variables:<br/><br/>")
For each item in Request.ServerVariables
Response.write("<br/>" & item & "="&Request.ServerVariables(item)&"<br/>")
Response.write("<br/>")
Next
Response.write("<br/>generic parameter ( REQUEST(""input"") ) input:<br/>")
Response.write("<br/>input="&(Request("input"))&"<br/>")
Response.write("Len(input)="&Len(Request("input"))&"<br/>")
Response.write("System.Text.Encoding.Unicode.GetByteCount(input)="&System.Text.Encoding.Unicode.GetByteCount(Request("input"))&"<br/><br/>")
%>
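Review bot: `Request.Cookies("input2").Value` in the COOKIE block dereferences a cookie that is Nothing when the client sends none, which throws NullReferenceException; `On Error Resume Next` then hides it, so the three input2 lines vanish and the page looks as if the cookie were empty rather than absent. Wrap that block in `If Request.Cookies("input2") IsNot Nothing Then ... End If`, or read the cookie once into a local and test it for Nothing. `System.Text.Encoding.Unicode.GetByteCount` reports UTF-16 byte counts; if the intent is the byte length the request carried on the wire, `System.Text.Encoding.UTF8.GetByteCount` (or `Request.ContentEncoding.GetByteCount`) is the comparable figure, and whichever is meant deserves a comment. As on the classic ASP page, a comment stating that the echo intentionally bypasses `Server.HtmlEncode` would help.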
@@ -0,0 +1,71 @@
<%@page pageEncoding="utf-8"%>
<%@page import="java.util.*"%>
Test Page (at least vulnerable to xss - don't use on live)<br/>
<%
out.println("<br/>Parameters:<br/><br/>");
Enumeration parameterList = request.getParameterNames();
while( parameterList.hasMoreElements())
{
String sName = parameterList.nextElement().toString();
String[] sMultiple = request.getParameterValues( sName );
if( 1 >= sMultiple.length ){
// parameter has a single value. print it.
out.println("<br/>" + sName + "=" + request.getParameter( sName ) + "<br/>");
out.println("-> Value Length: " + request.getParameter( sName ).length() +"<br/>" );
out.println("-> Byte Value Length: " + request.getParameter( sName ).getBytes("UTF-8").length +"<br/>" );
}else{
for( int i=0; i<sMultiple.length; i++ ){
// if a paramater contains multiple values, print all of them
out.println("<br/>" + sName + "[" + i + "]=" + sMultiple[i] + "<br/>" );
out.println("-> Value Length: " + sMultiple[i].length() +"<br/>" );
out.println("-> Byte Value Length: " + sMultiple[i].getBytes("UTF-8").length +"<br/>" );
}
}
}
out.println("<br/>COOKIE input2:<br/><br/>");
Cookie cookie = null;
Cookie[] cookies = null;
cookies = request.getCookies();
if( cookies != null)
{
for (int i = 0; i < cookies.length; i++){
cookie = cookies[i];
if (cookie.getName().equals("input2"))
out.println("<br/>input2="+cookie.getValue()+"<br/>");
}
}
out.println("<br/>");
out.println("<br/>Headers:<br/><br/>");
java.util.Enumeration names=request.getHeaderNames();
while (names.hasMoreElements()) {
String name = (String) names.nextElement();
String value = request.getHeader(name);
out.println("<br/>"+name + "=" + value+"<br/>");
}
out.println("<br/>");
out.println("<br/>Servlet Equivalent of Standard CGI Variables:<br/><br/>");
%>
<pre>
AUTH_TYPE: <%= request.getAuthType() %>
CONTENT_LENGTH: <%= request.getContentLength() %>
CONTENT_TYPE: <%= request.getContentType() %>
PATH_INFO: <%= request.getPathInfo() %>
PATH_TRANSLATED: <%= request.getPathTranslated() %>
QUERY_STRING: <%= request.getQueryString() %>
REMOTE_ADDR: <%= request.getRemoteAddr() %>
REMOTE_HOST: <%= request.getRemoteHost() %>
REMOTE_USER: <%= request.getRemoteUser() %>
REQUEST_METHOD: <%= request.getMethod() %>
SCRIPT_NAME: <%= request.getServletPath() %>
SERVER_NAME: <%= request.getServerName() %>
SERVER_PORT: <%= request.getServerPort() %>
SERVER_PROTOCOL: <%= request.getProtocol() %>
SERVER_SOFTWARE: <%= getServletContext().getServerInfo() %>
Request URI: <%= request.getRequestURI() %>
Request URL: <%= request.getRequestURL() %>
Request Context Path: <%= request.getContextPath() %>
Real Path: <%= getServletContext().getRealPath("/") %>
</pre>
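Review bot: The byte lengths printed at the `getBytes("UTF-8")` lines are taken after the container has already decoded the parameters, and nothing calls `request.setCharacterEncoding("UTF-8")` before the first `getParameterNames()`; servlet containers of this vintage default to ISO-8859-1 for the body, so non-ASCII POST input is mis-decoded and the reported byte count does not match what was sent (`pageEncoding` governs only the output). Add `request.setCharacterEncoding("UTF-8");` as the first statement of the scriptlet, with a comment that the query string is decoded by the connector's URI encoding setting (Tomcat's URIEncoding), which this call does not affect. The raw `Enumeration` types could be `Enumeration<String>` to drop the `toString()` and the cast, and the cookie loop could use the for-each form. `getRealPath("/")` and `getPathTranslated()` print the deployment directory, which is worth a comment so it is understood as part of what this probe page deliberately reveals.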
@@ -0,0 +1,30 @@
Test Page (at least vulnerable to xss - don't use on live)<br/>
<?php
echo "<br/>GET input0:<br/>";
echo "<br/>input0=".($_GET["input0"])."<br/>";
echo "strlen(input0)=".strlen($_GET["input0"])."<br/>";
echo "mb_strlen(input0)=".mb_strlen($_GET["input0"], '8bit')."<br/><br/>";
echo "<br/>POST input1:<br/>";
echo "<br/>input1=".($_POST["input1"])."<br/>";
echo "strlen(input1)=".strlen($_POST["input1"])."<br/>";
echo "mb_strlen(input1)=".mb_strlen($_POST["input1"], '8bit')."<br/><br/>";
echo "<br/>COOKIE input2:<br/>";
echo "<br/>input2=".($_COOKIE["input2"])."<br/>";
echo "strlen(input2)=".strlen($_COOKIE["input2"])."<br/>";
echo "mb_strlen(input2)=".mb_strlen($_COOKIE["input2"], '8bit')."<br/><br/>";
?>
<?php
parse_str(file_get_contents("php://input"), $_POST_RAW);
$req_dump=str_repeat("-=", 20)."\r\n\$_SERVER:\r\n".print_r($_SERVER,true)."\r\n\$_POST:\r\n".print_r($_POST,true)."\r\n\$_GET:\r\n".print_r($_GET,true)."\r\n\$_FILES:\r\n".print_r($_FILES,true)."\r\n\$_POST_RAW:\r\n".print_r($_POST_RAW,true)."\r\n\$_COOKIE:\r\n".print_r($_COOKIE,true)."\r\n";
echo "<pre>".$req_dump."</pre>";
echo "<br/>generic parameter ( \$_REQUEST[\"input\"] ) input:<br/>";
echo "<br/>input=".($_REQUEST["input"])."<br/>";
echo "strlen(input)=".strlen($_REQUEST["input"])."<br/>";
echo "mb_strlen(input)=".mb_strlen($_REQUEST["input"], '8bit')."<br/><br/>";
?>
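Review bot: Every `$_GET["input0"]`, `$_POST["input1"]`, `$_COOKIE["input2"]` and `$_REQUEST["input"]` read is unguarded, so a request that omits the parameter emits an "Undefined index" notice into the page body when display_errors is on, and that notice is mixed into the output a client of this probe page is measuring; read each value once, `$input0 = isset($_GET["input0"]) ? $_GET["input0"] : '';`, and echo the local. `mb_strlen($x, '8bit')` returns the byte length, so it prints the same number as `strlen` unless mbstring.func_overload has replaced strlen; if that is the reason for the pair, a comment saying so would explain it, otherwise dropping the `'8bit'` argument gives the character count the name suggests. The `$_SERVER` dump includes every request header and environment variable the SAPI exposes, and the echoes are deliberately left without `htmlspecialchars`; both points deserve a comment at the top of the file.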
