@ndavison
ndavison / hbh-header-abuse-test.py
Last active April 16, 2024 09:36
Attempts to find hop-by-hop header abuse potential against the provided URL.
# github.com/ndavison
import requests
import random
import string
from argparse import ArgumentParser
parser = ArgumentParser(description="Attempts to find hop-by-hop header abuse potential against the provided URL.")
parser.add_argument("-u", "--url", help="URL to target (without query string)")
@ndavison
ndavison / haproxy-smuggling.md
Last active February 22, 2024 00:47
HAProxy HTTP request smuggling

The following describes a technique to achieve HTTP request smuggling against infrastructure behind an HAProxy server when specific configuration around backend connection reuse is in use. This was tested against HAProxy versions 1.7.9, 1.7.11, 1.8.19, 1.8.21, 1.9.10, and 2.0.5. Of these, only 2.0.5 was not vulnerable out of the box, although it is vulnerable when the no option http-use-htx configuration is set, which reverts to the legacy HTTP decoder. 2.1 removed the legacy decoder, so it is not affected.

To actually exploit HTTP smuggling using the issue described in this writeup, the backend server(s) behind HAProxy would also need to be vulnerable: they would need a bug of their own, one that parses and accepts a malformed Transfer-Encoding header (almost certainly violating RFC 7230), and they would need to allow HTTP keep-alive.

The HAProxy bug - sending both Transfer-Encoding and Content-Length

This is how HAProxy handles a request when Transfer-Encoding and Content-Length is p

@ndavison
ndavison / github-vulnerable-workflows.py
Last active February 13, 2024 10:43
Detect potentially vulnerable github actions workflows for orgs
import requests
import yaml
import re
import json
import time
import logging
import sys
from argparse import ArgumentParser
@ndavison
ndavison / logstash.conf
Last active January 22, 2024 07:28
Cloud.gov.au web log config for logstash
input {
tcp {
port => 5000
}
}
filter {
json {
source => "message"
}
}
@ndavison
ndavison / socket-https-client.py
Created November 19, 2014 10:03
Python socket HTTPS client connection example
#!/usr/bin/env python
"""
A simple example of using Python sockets for a client HTTPS connection.
"""
import ssl
import socket

# Plain TCP connection to the HTTPS port.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('github.com', 443))

# Wrap the connected socket in TLS; the default context verifies the server
# certificate against the system trust store and checks the hostname.
context = ssl.create_default_context()
ss = context.wrap_socket(s, server_hostname='github.com')
@ndavison
ndavison / url-cors-check.py
Last active July 23, 2023 16:32
Checks a URL for CORS header security posture
import requests
from urllib.parse import urlparse
from argparse import ArgumentParser
parser = ArgumentParser(description="Checks a URL for CORS header security posture")
parser.add_argument("-u", "--url", help="the URL to check")
parser.add_argument("-o", "--origin", help="the origin to supply (defaults to the origin in the URL)")
parser.add_argument("-H", "--header", action="append", help="add a request header")
parser.add_argument("-v", "--verbose", action="store_true", help="More output")
@ndavison
ndavison / travisci.py
Last active September 24, 2022 05:54
Downloads build logs from travisci for a particular project.
import requests
import json
import os
import urllib.parse
from argparse import ArgumentParser
parser = ArgumentParser(description="Downloads build logs from travisci for a particular project.")
parser.add_argument("-p", "--project", help="project to request travisci build logs for")
parser.add_argument("-r", "--repo", default=None, help="repo to request travisci build logs for")
alias rcupdate='BRANCH=$(git rev-parse --abbrev-ref HEAD) && git checkout rc && git pull origin rc && git pull origin "$BRANCH" && git push origin rc && git checkout "$BRANCH"'
alias alphaupdate='BRANCH=$(git rev-parse --abbrev-ref HEAD) && git checkout alpha && git pull origin alpha && git pull origin "$BRANCH" && git push origin alpha && git checkout "$BRANCH"'
@ndavison
ndavison / circleci.py
Last active February 5, 2020 01:10
Downloads build logs from circleci for a particular project and repo
import requests
import json
import os
from argparse import ArgumentParser
parser = ArgumentParser(description="Downloads build logs from circleci for a particular project and repo.")
parser.add_argument("-p", "--project", help="project and repo to request circleci build logs for, in the format of project/repo")
parser.add_argument("-t", "--token", default=None, help="API token for non public readable builds")
@ndavison
ndavison / wp-visualizer-ssrf.md
Last active November 21, 2019 23:14
WordPress Visualizer blind SSRF

WordPress Visualizer plugin blind SSRF CVE-2019-16932

The Visualizer plugin for WordPress suffers from an unauthenticated blind SSRF vulnerability. This was tested against v3.3.0.

PoC setup

Set up a Docker environment using this compose config: https://docs.docker.com/compose/wordpress/

However, rather than running docker-compose up -d, run docker-compose up in the foreground, so the MySQL server's output is visible; that output is what confirms the SSRF.