import socket | |
import random | |
import argparse | |
import ssl | |
import time | |
import sys | |
# Some customizations on a fuzzer from SANS660
# Original SANS script is here - https://gist.github.com/joenorton8014/f6ac55d7f26023b8d5169edae6e8218a
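def main():
    """Command-line entry point: parse options, open the log file and dispatch.

    With ``-i`` the interactive questionnaire runs; otherwise target, port,
    verb and max string length are all required and a missing one prints a
    message and exits.  The log file is opened in a ``with`` block so it is
    closed and flushed even when the (endless) send loop is interrupted.
    """
    args = buildargparser()
    log_name = "httpfuzz-log-" + str(Get_File_Timestamp()) + ".txt"
    with open(log_name, "w") as f:
        if args.i:
            print("Starting interactive mode:")
            Send_Interactive(f)
            return
        # The original printed this message but did not exit, so a missing
        # target surfaced later as an unbound-name error.
        if not args.t:
            print("Please provide a fuzzing target")
            sys.exit()
        target = args.t
        if not args.p:
            print("Please provide a port for the HTTP web app")
            sys.exit()
        port = args.p
        if not args.v:
            print("Please define a verb to use during the fuzzing - GET, HEAD, DELETE, PUT, TRACE, POST, OPTIONS, CONNECT or ALL")
            sys.exit()
        if args.v == "ALL":
            http_verbs = ["GET", "HEAD", "DELETE", "PUT", "TRACE", "POST", "OPTIONS", "CONNECT"]
        else:
            http_verbs = [args.v]
        if not args.m:
            print("Please provide a numeric value for the max string length")
            sys.exit()
        string_length = args.m
        print("Sending junk to the local webserver")
        # -s selects TLS; both senders take the same arguments.
        if args.s:
            Send_HTTPS_Packets(http_verbs, target, port, string_length, f)
        else:
            Send_HTTP_Packets(http_verbs, target, port, string_length, f)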
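def buildargparser(argv=None):
    """Build the command-line parser and parse *argv*.

    Args:
        argv: optional list of argument strings.  ``None`` (the default and
            the original behaviour) parses ``sys.argv[1:]``; passing a list
            makes the function callable from tests.

    Returns:
        argparse.Namespace with attributes ``i``, ``t``, ``p``, ``v``, ``m``
        and ``s``.  ``p`` and ``m`` are converted to int by argparse, so a
        non-numeric port or length is rejected with a usage error at parse
        time instead of raising ValueError inside the send loop.
    """
    parser = argparse.ArgumentParser(prog='http-fuzz.py', description='A Simple HTTP/s Fuzzer')
    parser.add_argument('-i', help='Interactive questions to define fuzzing techniques.', required=False, action='store_true')
    parser.add_argument('-t', help='Fuzzing target', required=False)
    parser.add_argument('-p', help='Port the web app is running on', required=False, type=int)
    parser.add_argument('-v', help='HTTP verb to fuzz. Options are - GET, HEAD, DELETE, PUT, TRACE, POST, OPTIONS, CONNECT or ALL', required=False)
    parser.add_argument('-m', help='Max string length to fuzz', required=False, type=int)
    parser.add_argument('-s', help='Is the site https? If so add the -s argument', required=False, action='store_true')
    return parser.parse_args(argv)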
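def Get_File_Timestamp():
    """Return a local-time stamp for the log filename, e.g. ``2018-08-15_123705``.

    Uses the 24-hour clock (``%H``).  The original used ``%I`` with no AM/PM
    marker, so two runs twelve hours apart produced the same filename and the
    later ``open(..., "w")`` silently overwrote the earlier log.

    Returns:
        ``YYYY-MM-DD_HHMMSS`` as a 17-character string.
    """
    return time.strftime("%Y-%m-%d_%H%M%S")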
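def randstring(string_length):
    """Return a random string of 1..string_length characters.

    Args:
        string_length: upper bound on the length; accepts str or int because
            argparse and input() hand over strings.

    Returns:
        A string whose characters are drawn uniformly from code points 0x30
        ('0') through 0x7a ('z'), which also covers ``:;<=>?@[\\]^_``` and
        the upper-case letters.

    Raises:
        ValueError: if string_length converts to a value below 1
            (``random.randint(1, 0)`` is an empty range).
    """
    length = random.randint(1, int(string_length))
    # One join instead of repeated += ; same randint call sequence as before.
    return "".join(chr(random.randint(0x30, 0x7a)) for _ in range(length))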
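def Send_HTTP_Packets(http_verbs, target, port, string_length, f, max_sets=None):
    """Send one randomised request per verb to target:port over plain TCP.

    Every request is written to the log *f* (and flushed) before it is sent,
    so the log records what was attempted even if the send fails or the
    process is killed.

    Args:
        http_verbs: list of HTTP method names to cycle through.
        target: hostname or IP address of the server.
        port: TCP port, str or int.
        string_length: max length of each random token (see randstring).
        f: open, writable text file used as the log.
        max_sets: number of verb sets to send; ``None`` (the default and the
            original behaviour) loops until interrupted.
    """
    port = int(port)  # converted once instead of on every connect
    x = 0
    while max_sets is None or x < max_sets:
        print("Fuzzing verbs set " + str(x))
        f.write("Fuzzing verbs set " + str(x) + "\n")
        for verb in http_verbs:
            junkA = randstring(string_length)
            junkB = randstring(string_length)
            junkC = randstring(string_length)
            junkD = randstring(string_length)
            junkE = randstring(string_length)
            pckt = verb + " /" + junkA + " HTTP/1.1\r\nReferer: http://" + junkB + "\r\nHost: http://" + junkC + "\r\n" + junkD + ": " + junkE + "\r\n\r\n"
            f.write(pckt)
            f.flush()
            # `with` closes the socket even when connect() or sendall() raises;
            # the original leaked the descriptor on any exception.
            with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
                s.connect((target, port))
                # sendall() retries until the whole buffer is written; send()
                # may return after a partial write.
                s.sendall(pckt.encode('utf-8'))
        x += 1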
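def Send_HTTPS_Packets(http_verbs, target, port, string_length, f, max_sets=None):
    """Send one randomised request per verb to target:port over TLS.

    Every request is written to the log *f* (and flushed) before it is sent,
    so the log records what was attempted even if the send fails or the
    process is killed.

    Args:
        http_verbs: list of HTTP method names to cycle through.
        target: hostname or IP address of the server.
        port: TCP port, str or int.
        string_length: max length of each random token (see randstring).
        f: open, writable text file used as the log.
        max_sets: number of verb sets to send; ``None`` (the default and the
            original behaviour) loops until interrupted.
    """
    port = int(port)  # converted once instead of on every connect
    # ssl.wrap_socket() was deprecated in Python 3.7 and removed in 3.12.
    # This context reproduces what the original call did: a TLS client with
    # no certificate or hostname verification (wrap_socket defaulted to
    # CERT_NONE), built once rather than per connection.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    x = 0
    while max_sets is None or x < max_sets:
        print("Fuzzing verbs set " + str(x))
        f.write("Fuzzing verbs set " + str(x) + "\n")
        for verb in http_verbs:
            junkA = randstring(string_length)
            junkB = randstring(string_length)
            junkC = randstring(string_length)
            junkD = randstring(string_length)
            junkE = randstring(string_length)
            pckt = verb + " /" + junkA + " HTTP/1.1\r\nReferer: http://" + junkB + "\r\nHost: http://" + junkC + "\r\n" + junkD + ": " + junkE + "\r\n\r\n"
            f.write(pckt)
            f.flush()
            # Both sockets are closed by `with` even if connect/handshake or
            # sendall raises; the original leaked them on any exception.
            with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as raw:
                # server_hostname supplies SNI, which the old wrap_socket
                # call never sent; it is not verified (check_hostname=False).
                with ctx.wrap_socket(raw, server_hostname=target) as s_secure:
                    s_secure.connect((target, port))
                    s_secure.sendall(pckt.encode('utf-8'))
        x += 1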
# Still working on this one:
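def Send_Interactive(f):
    """Ask the user what to fuzz, then send randomised requests until interrupted.

    Each yes/no answer is compared with the literal string ``'yes'``; any
    other answer keeps the fixed default for that field.  Every request is
    written to the log *f* (and flushed) before it is sent.

    Args:
        f: open, writable text file used as the log.
    """
    target = input('Fuzzing target? ')
    port = input('Port to fuzz? ')
    tls = input('Is the target web app TLS? ')
    string_length = input('What is the max size of the fuzzing string? ')
    verb = input('Which verb do you want to use? - GET, HEAD, DELETE, PUT, TRACE, POST, OPTIONS, or CONNECT ? ')
    # The answers are turned into booleans once.  The original reused the
    # answer variables for the generated values and then tested
    # `fuzz_data in stuff_to_fuzz` (the value, not the string "fuzz_data"),
    # so the data field was never fuzzed whatever the user answered.
    do_verb = input('Do you want to fuzz the value sent in the verb? ') == 'yes'
    do_referer = input('Fuzz the referer field in the header? ') == 'yes'
    do_host = input('Fuzz the host field in the header? ') == 'yes'
    do_useragent = input('Fuzz the user agent field in the header? ') == 'yes'
    do_data = input('Fuzz the data field in the packet? ') == 'yes'
    print("Sending junk to the local webserver")
    port = int(port)  # fail on a non-numeric port before the loop starts
    use_tls = tls == 'yes'
    if use_tls:
        # Replacement for the removed ssl.wrap_socket(): same semantics, a TLS
        # client with no certificate or hostname verification.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    x = 0
    while 1:
        print("Fuzzing verbs set " + str(x))
        f.write("Fuzzing verbs set " + str(x) + "\n")
        fuzz_verb = randstring(string_length) if do_verb else 'index.html'
        fuzz_referer = randstring(string_length) if do_referer else '127.0.0.1'
        fuzz_host = randstring(string_length) if do_host else target
        fuzz_useragent = randstring(string_length) if do_useragent else 'Mozilla5.0/just_kidding_im_fuzzing'
        fuzz_data = randstring(string_length) if do_data else 'This is a fuzzing test :)'
        # NOTE: the header name is spelled "UserAgent" (not "User-Agent") and
        # the data field is sent as a header line with an empty value; both
        # are kept exactly as in the original so the log format is unchanged.
        pckt = verb + " /" + fuzz_verb + " HTTP/1.1\r\nUserAgent: " + fuzz_useragent + "\r\nReferer: http://" + fuzz_referer + "\r\nHost: http://" + fuzz_host + "\r\n" + fuzz_data + ": " + "\r\n\r\n"
        f.write(pckt)
        f.flush()
        payload = pckt.encode('utf-8')
        # `with` closes the socket(s) even when connect or sendall raises.
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as raw:
            if use_tls:
                with ctx.wrap_socket(raw, server_hostname=target) as s_secure:
                    s_secure.connect((target, port))
                    s_secure.sendall(payload)
            else:
                raw.connect((target, port))
                raw.sendall(payload)
        x += 1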
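# Guard the entry point so importing this module (e.g. to reuse randstring
# or buildargparser) does not start a fuzzing run.
if __name__ == "__main__":
    main()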