p0wnpr0xy.py is a simple Python script that acts as an http/https proxy and launches commands such as sqlmap against targets that are in-scope. It relies on httpservers.py from gnucitizen to do the heavy lifting. You can download his module from here and save it to the same directory as p0wnpr0xy. When you launch p0wnpr0xy you supply it with two arguments: 1) Part of the domain name for the in-scope hosts 2) The full command line for the tool you want to use against the target URL. p0wnpr0xy will start a proxy listener on port 8080. You modify your browser's proxy settings to browse through the proxy. The proxy will collect in-scope URLs and the cookies associated with each URL. It then walks you through all of the URLs that have been collected and gives you the option to launch the specified command on each URL. If you choose to attack the URL it will launch the command specified on the command line, replacing the string "{url}" with the URL collected and the string "{cookies}" with the cookies it has collected. Pretty simple, but it can make repetitive tasks easier. Here is a demonstration of how you can use p0wnpr0xy along with sqlmap.
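# Demo video: http://vimeo.com/14667308
# p0wnpr0xy.py by Mark Baggett
# Download from www.pauldotcom.com
# create a self signed certificate and modify /path/to/cert/file string to avoid HTTPS socket errors
# download httpservers.py from http://code.google.com/p/gnucitizen/source/browse/trunk/httpservers.py and place it in the same directory
"""Interactive in-scope proxy that hands collected URLs to an external tool.

Usage:
    p0wnpr0xy.py -t targetdomain.com -c "./sqlmap -u {url} --cookie: {cookies}"

The proxy listens on localhost:8080. Every GET whose ``Host`` header is the
in-scope domain (or a sub-domain of it) is queued; the console then asks, one
URL at a time, whether to run the command template with ``{url}`` and
``{cookies}`` substituted. Everything after ``-c`` is taken as the template,
so ``-c`` must be the last option.

Python 2 script: the gnucitizen ``httpservers`` module is Python 2 only.
"""
from __future__ import print_function

import httpservers
import SocketServer
from Queue import Queue, Empty
from threading import Thread
import os
import re
import sys
from pipes import quote  # shell-quotes the values spliced into the os.system() command

PROXY_ADDRESS = ('localhost', 8080)
CERT_FILE = '/path/to/cert/file'  # point at a self-signed cert to avoid HTTPS socket errors
QUEUE_POLL_SECONDS = 5

# Queued requests are stored as repr(data): the raw request collapses to one
# line in which every CRLF appears as the two characters "\r" "\n". None of the
# character classes below contain a backslash, so each match stops at the end
# of its own header field.
#
# Request path/query characters are the RFC 3986 pchar/query set (unreserved,
# sub-delims, ":" "@" "/" "?" and "%" for percent-encoding) so encoded URLs are
# not truncated at the first "%".
REQUEST_LINE_RE = re.compile(
    r"GET (/[\w\-._~!$&'()*+,;=:@/?%]+).*Host:\s([\w.-]+(?::\d+)?)", re.I)
COOKIE_RE = re.compile(r"cookie:\s([\w+;= ]+)", re.I)

# Shared between the proxy thread (producer) and the console loop (consumer).
inscopeurls = Queue()


def scope_pattern(target_domain):
    """Compile the in-scope test applied to each proxied request.

    The ``Host`` header must be *target_domain* itself or a sub-domain of it.
    The match is anchored at a label boundary on both sides, so with
    ``-t example.com`` neither ``notexample.com`` nor ``example.com.evil.net``
    counts as in scope, and the domain is escaped so its dots are literal
    instead of regex wildcards.
    """
    return re.compile(
        r"Host:\s(?:[\w-]+\.)*" + re.escape(target_domain) + r"(?![\w.-])",
        re.I,
    )


class Handler(httpservers.SimpleObservableProxyHTTPRequestHandler):
    """Proxy request handler that queues in-scope requests for review."""

    # Compiled scope test; assigned from the command line before the server
    # starts. While it is None nothing is queued.
    scope_re = None

    def observe_request(self, data):
        """Queue the raw request when its Host is in scope; pass it through unchanged."""
        if self.scope_re is not None and self.scope_re.search(data):
            inscopeurls.put(repr(data))
        return data

    def observe_response(self, data):
        """Responses are passed through untouched."""
        return data

    def log_request(self, code='-', size='-'):
        """Suppress the per-request access log so the console only shows prompts."""
        pass


class Server(SocketServer.ThreadingMixIn, httpservers.SimpleObservableProxyHTTPServer):
    """Threaded proxy server; one thread per client connection."""
    pass


def proxyserver():
    """Run the proxy on PROXY_ADDRESS until the process exits (runs in a daemon thread)."""
    print('Starting server on %s:%d...' % PROXY_ADDRESS)
    srv = Server(PROXY_ADDRESS, Handler, CERT_FILE)
    srv.serve_forever()


def printhelp():
    """Print the usage example."""
    print("""Here is your help. sample p0wnpr0xy.py -t targetdomain.com -c "./sqlmap -u {url} --cookie: {cookies}" """)


def parse_args(argv):
    """Return ``(target_domain, command_template)`` parsed from an argv list.

    ``-t`` takes the next token. ``-c`` takes every remaining token joined by
    spaces, so it must come last; a ``-t`` appearing inside the command is
    left alone. Prints the help text and exits with status 2 when either
    option is missing or ``-t`` has no value.
    """
    target_domain = None
    cmd = None
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg == '-t':
            if i + 1 >= len(argv):
                break  # "-t" given without a domain
            target_domain = argv[i + 1]
            i += 2
            continue
        if arg == '-c':
            # Everything after -c belongs to the tool's command line.
            cmd = " ".join(argv[i + 1:])
            break
        i += 1
    if target_domain is None or cmd is None:
        printhelp()
        sys.exit(2)
    return target_domain, cmd


def build_command(template, url, cookies):
    """Fill the ``{url}`` and ``{cookies}`` placeholders with shell-quoted values.

    Both values are taken from traffic the browser exchanged with the target,
    so they are not trusted: quoting keeps characters such as ``&`` or ``;``
    in a URL or cookie from being interpreted by the shell that os.system()
    starts. Write the placeholders bare in the template; do not add quotes of
    your own around them.
    """
    return template.replace("{cookies}", quote(cookies)).replace("{url}", quote(url))


def main():
    """Parse options, start the proxy thread and run the console review loop."""
    target_domain, cmd = parse_args(sys.argv)
    Handler.scope_re = scope_pattern(target_domain)

    proxythread = Thread(target=proxyserver)
    proxythread.setDaemon(True)  # let Ctrl-C / sys.exit end the process
    proxythread.start()

    while True:
        try:
            queueitem = inscopeurls.get(timeout=QUEUE_POLL_SECONDS)
        except Empty:
            continue  # nothing collected yet; keep waiting
        matches = REQUEST_LINE_RE.findall(queueitem)
        if not matches:
            continue  # not a GET, or a request line this parser does not understand
        matchuri, matchdomain = matches[0]
        # The proxy also sees HTTPS traffic, but the URL is always rebuilt as http://.
        url = "http://" + matchdomain + matchuri
        checkit = raw_input(":" + str(inscopeurls.qsize()) + ":P0wn " + url + "? [Y/N/Q]")
        if checkit in ("q", "Q"):
            sys.exit(2)
        if checkit in ("y", "Y"):
            cookies = "".join(COOKIE_RE.findall(queueitem))
            command = build_command(cmd, url, cookies)
            print("Launching " + command)
            os.system(command)


if __name__ == "__main__":
    main()

# Source: PaulDotCom: Archives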