#!/usr/bin/python3
import argparse
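parser = argparse.ArgumentParser(add_help=True)
parser.add_argument("request", type=str, help="request template to fuzz")
parser.add_argument("-f", "--filename", default="LetsGetFuzzing.py", type=str, nargs="?",
                    help="select name of fuzzing script (default is LetsGetFuzzing.py)",
                    metavar='filename')
parser.add_argument("-g", "--get", help="for GET request", action="store_true")
parser.add_argument("-p", "--post", help="for POST request", action="store_true")
args = parser.parse_args()
request = args.request
filename = args.filename

# Read the request template and swap every double quote for a single one:
# header and parameter values are pasted into double-quoted string literals
# of the generated script, and an unescaped '"' would end those literals
# early. (A backslash in a value would still break the generated file; the
# template is expected to be a plain captured request.)
with open(request, "rt") as template:
    contents = template.read().replace('"', "'")

lines = contents.splitlines()
if len(lines) < 2:
    raise SystemExit("{}: expected a request line followed by a Host header".format(request))

# Request line: "<method> <uri> HTTP/1.1". Only the URI is reused; the method
# comes from the --get/--post flag.
request_line = lines[0].split(" ")
if len(request_line) < 2:
    raise SystemExit("{}: first line is not a request line".format(request))
URI = request_line[1]

# Second line: "Host: <name>[:<port>]". Spaces are dropped rather than
# stripped so "Host : name" still parses. The generated client always speaks
# TLS, so the port defaults to 443 when the header carries none.
host_fields = lines[1].replace(" ", "").split(":")
if len(host_fields) < 2:
    raise SystemExit("{}: second line is not a Host header".format(request))
host = host_fields[1]
port = host_fields[2] if len(host_fields) > 2 and host_fields[2] else "443"

# Split at the first blank line the way HTTP does: what precedes it (minus
# the request line) are the headers, what follows is the urlencoded body.
# Empty lines and empty "name=value" pairs are dropped so a trailing newline
# in the template neither loses a header nor yields an empty parameter.
contents = contents.replace('\r', '')
head, _, body = contents.partition("\n\n")
list1 = [line for line in head.split("\n")[1:] if line]
list2 = [pair for pair in body.strip("\n").split("&") if pair]

# Starting indices for the generated return-N / space-N primitive names;
# the request line already uses return-1, space-1 and space-2.
Return = 2
space = 3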
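# Prologue of the generated harness: imports, TLS session and request line.
# The TLS context it builds disables hostname checking and certificate
# verification, so the generated client accepts whatever certificate the
# target presents; nothing about the peer is authenticated.
# server_hostname is handed to the TLS layer as the SNI name, so it must be
# the bare host name rather than a "https://host:port" URL.
_PROLOGUE = '''#!/usr/bin/env python
from boofuzz import *
#import multiprocessing
import ssl

def main():
    context = ssl.create_default_context()
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    session = Session(
        target=Target(
            connection=SocketConnection("{host}", {port}, proto='ssl', server=False, sslcontext=context, server_hostname="{host}")
        ),
    )

    s_initialize(name="Request")
    with s_block("Request-Line"):
        s_group("Method", ["{method}"])
        s_delim(" ", name='space-1', fuzzable = False)
        s_string("{uri}", name='Request-URI', fuzzable = False)
        s_delim(" ", name='space-2', fuzzable = False)
        s_string("HTTP/1.1", name='HTTP-Version', fuzzable = False)
        s_delim("\\r\\n", name='return-1', fuzzable = False)
'''

# One header: "Name:" <space> value CRLF. {raw} keeps the colon, {name} does not.
_HEADER = '''        s_string("{raw}", name="{name}", fuzzable = False)
        s_delim(" ", name="space-{space}", fuzzable = False)
        s_string("{value}", name="{name}-Value", fuzzable = False)
        s_delim("\\r\\n", name="return-{ret}", fuzzable = False)
'''

# The empty line that separates headers from the body.
_BLANK_LINE = '''        s_delim("\\r\\n", name="return-{ret}", fuzzable = False)
'''

# One "name=value&" pair of the form body.
_PARAM = '''        s_string("{name}", name="{name}-Param", fuzzable = False)
        s_delim("=", name="Equal-{index}", fuzzable = False)
        s_string("{value}", name="{name}-Value", fuzzable = False)
        s_delim("&", name="Ampersand-{index}", fuzzable = False)
'''

# Terminating CRLFs of a GET request (no body).
_GET_TAIL = '''        s_static("\\r\\n", name="Request-Line-CRLF")
    s_static("\\r\\n", "Request-CRLF")
'''

# Epilogue shared by both harnesses: connect and start fuzzing.
_EPILOGUE = '''
    session.connect(s_get("Request"))
    session.fuzz()

if __name__ == "__main__":
    main()
'''


def _write_request_head(out, method):
    """Write the prologue for *method* plus one primitive group per header.

    Headers come from the module-level ``list1`` as "Name: value" lines; the
    primitive is named after the header without its colon. Returns the index
    the next ``return-N`` delimiter should use, so the caller continues the
    numbering where the headers stopped.
    """
    out.write(_PROLOGUE.format(host=host, port=port, uri=URI, method=method))
    for offset, line in enumerate(list1):
        # partition() rather than split() so a header without a value does
        # not abort the generation with an IndexError.
        raw, _, value = line.partition(" ")
        out.write(_HEADER.format(raw=raw, name=raw.strip(":"), value=value,
                                 space=3 + offset, ret=2 + offset))
    return 2 + len(list1)


def post():
    """Generate a POST harness: request line, headers, blank line, form body.

    Overwrites the module-level ``filename``. Each ``name=value`` pair of
    ``list2`` becomes a string/delimiter group; an ``&`` delimiter follows
    every pair, including the last one -- NOTE(review): confirm the target
    tolerates the trailing '&'.
    """
    with open(filename, "w") as out:
        next_return = _write_request_head(out, "POST")
        out.write(_BLANK_LINE.format(ret=next_return))
        for index, pair in enumerate(list2, start=1):
            name, _, value = pair.partition("=")
            out.write(_PARAM.format(name=name, value=value, index=index))
        out.write(_EPILOGUE)


def get():
    """Generate a GET harness: request line and headers, closed by CRLFs.

    Overwrites the module-level ``filename``; ``list2`` (the body) is unused.
    Every header already ends in its own CRLF, so the two static CRLFs of the
    tail leave one empty line more than the blank line -- NOTE(review):
    confirm the target tolerates it.
    """
    with open(filename, "w") as out:
        _write_request_head(out, "GET")
        out.write(_GET_TAIL)
        out.write(_EPILOGUE)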
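# Dispatch on the request type; --post takes precedence when both are given.
if args.post:
    post()
elif args.get:
    get()
else:
    # Reported through argparse so the message carries the usage line, goes
    # to stderr and exits non-zero instead of printing to stdout and exiting 0.
    parser.error("Specify the type of HTTP request with the --post or --get flags!")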