HTTP to HTTPS Proxy Tunnel using Python

06:41:00 , 0 Comments

From title you might think that its a useless piece of code.But let me tell you its not.I dint write this to timepass.A a pretty much good automated SQLi tool called Havij(Hope you guys are already familiar with) forced me to write this. Not exactly but its a kind of an external plugin for the tool Havij(Free Version).


 Havij is an automated SQL Injection tool.No doubt its a great tool for doing automated SQL injection.But one problem with this tool is its not fully free! :(
The free version also has many great features but one problem I have faced while using this free version that is,it does not allows users to scan/run database enumeration on sites which uses SSL (https://) :(

 So to overcome this limitation I have decided to write a proxy for it. But this proxy is not like most common http proxies. This proxy can be used to scan a ssl enabled site using Free Version of Havij.
Suppose you wanna try SQLi on "https://www.target.com/search.php?name=debasish" using Havij.So when you try to fire a scan using Havij you get an error like 
"Havij Free does not allow https://".blah blah ....

So to overcome this limitation what you have to do is :

   1. Configure your Havij Free to use a http proxy 127.0.0.1:8080 while scanning.
  2. Run this python script.(It will start a proxy server on port 127.0.0.1:8080)
  3. In the target field of Havij instead of entering "https://www.target.com.search.php?name=debasish" you need to add "http://www.target.com/search.php?name=debasish".So when you start scanning through havij the proxy script will do following:

        3.1. Take plain http request(SQLi request) from Havij.2
       3.2. Create a SSL connection to target.3
       3.3. Forward the same request received from Havij to target server.
       3.4. After receiving the response from server through secure shell it will feed the response to Havij.

 This proxy is not suitable for web browsing. You will face some problems. Normal request/response generally used for SQLi it can handle. But one bad thing about this script is,it will make the speed of you SQLi process bit slower. It has the ability to handle gzip compressed response.

 So here is the code: Enjoy SQLi on SSL sites using Havij Free!I dint test it much, so let me know if it is not working properly. 
#This is a tiny http proxy server which accept requests in plain http and tunnel the traffic through SSL(HTTPS)
#Author : Debasish Mandal.
#Authors Blog : http://www.debasish.in/
import SocketServer,urllib,httplib,gzip,StringIO

def decode_gzip(compresseddata):
    	compressedstream = StringIO.StringIO(compresseddata)
    	gzipper = gzip.GzipFile(fileobj = compressedstream)
    	return gzipper.read()	
def craft_res(code,reason,ver,res_head,res_body):
	if ver == 10:
		http_ver = "HTTP/1.0"
	if ver == 11:
		http_ver = "HTTP/1.1"
	head_buff = ''
	for i in range(0,len(res_head)):
        	e1 =  res_head[i]
		if e1[1] == "gzip":
			res_body = decode_gzip(res_body)
        	head_buff += e1[0]+": "+e1[1]+"\r\n"
	head_buff = head_buff.replace('\r\ncontent-encoding: gzip','')
	final_res = http_ver+" "+str(code)+" "+reason+"\r\n"+head_buff+"\r\n\r\n"+res_body
	return final_res

def fire_request(HOST,method,path,headers,params):
	print method,HOST,path,params
	conn = httplib.HTTPSConnection(HOST)
    	conn.request(method, path, params, headers)
    	response = conn.getresponse()
    	return craft_res(response.status,response.reason,response.version,response.getheaders(),response.read())

def parsebody(bdy):				
	bodypart = bdy.split('&',bdy.count('&'))
	encode_body = {}			
	for i in range(0, bdy.count('&')+1):				
		encode_body[bodypart[i].split('=',1)[0]] = bodypart[i].split('=',1)[1]
	return encode_body
def parseheader(head,body):
	c1 = head.split('\n',head.count('\n'))
	method = c1[0].split(' ',2)[0]				
	path = c1[0].split(' ',2)[1]
	headers = {}
	for i in range(1, head.count('\n')+1):
		c1[i] = c1[i].replace('\r','')
		slice1 = c1[i].split(': ',1)
		headers[slice1[0]] = slice1[1]
	if body != "":
		body = parsebody(body)
		body = urllib.urlencode(body)
	HOST = headers['Host']
	return HOST,method,path,headers,body
def send(r_header,r_body):
	info = parseheader(r_header,r_body)
	return fire_request(info[0],info[1],info[2],info[3],info[4])

class MyTCPHandler(SocketServer.BaseRequestHandler):
	def handle(self):
        	self.data = self.request.recv(1024).strip()	
        	rcvd = self.data
		if rcvd[:3] == "POS":
			post = rcvd.split('\r\n\r\n',1)
			all = send(post[0],post[1])
		else:
			all = send(rcvd,"")
		self.request.sendall(all)
if __name__ == "__main__":
	HOST, PORT = '', 8080
    	server = SocketServer.TCPServer((HOST, PORT), MyTCPHandler)
	print "[*] Proxy Server Started(Tunneling HTTP to HTTPS).Listening on",PORT
	server.serve_forever()

0 comments :

Subscribe to: Post Comments ( Atom )