
I am working on the auto-routing functionality of Codeigniter 4 and I'd like to test it by sending some nasty exploit-type HTTPS requests to make sure it properly resists mischief. E.g., request a URI with `..` in the path to see if we might execute some arbitrary PHP file on the server. I've tried a URL like `https://example.com/subdir/../nested-directory`, but the double-period segments get immediately evaluated prior to the request being sent by whatever client I use. Both Firefox and curl evaluated this prior to the server request being sent, and in the Apache log I just see a request for `GET /nested-directory HTTP/1.1`.

I also tried telnet:

```
telnet example.com 443
GET /subdir/nested-directory HTTP/1.1 Host:example.com
```

But this yields a 400 error and this response:

> Your browser sent a request that this server could not understand. Reason: You're speaking plain HTTP to an SSL-enabled server port. Instead use the HTTPS scheme to access this URL, please.

Can anyone suggest a tool or approach where I can formulate a list of URIs to test and rip through them all, writing the resulting output to somewhere where I can inspect it?

S. Imp
  • The request you sent is wrong in many aspects. It is not a valid HTTP request in the first place. You also sent it to port 443 which is for HTTPS, but don't use TLS. None of these is actually a security related problem, it is simply not understanding how HTTP and HTTPS work. Therefore I consider this question off-topic. I recommend that you use a client which is actually capable of HTTPS already to do your tests. Or get the necessary understanding of the protocols first before trying to create custom exploits using these protocols. – Steffen Ullrich Feb 20 '21 at 05:26
  • Steffen, you are clearly an expert around here; I hope you will reconsider. I think you are mistaken in two respects. Firstly, my post is about exploitation and penetration testing. I should not be constrained to valid HTTP requests because attackers will not be constrained. Second, my question is primarily about testing tools. I first tried tools which implement the necessary SSL/TLS protocols, but they perform cleanup on the supplied URI. I showed my telnet experiment to indicate that it's not practical to type in all the protocol steps. I clearly request a tool in my final paragraph. – S. Imp Feb 20 '21 at 16:53
  • If you want to have something like telnet but with TLS you can use `openssl s_client`, for example. You still need to know how to properly construct an HTTP request. If you want to do it with a program, a few lines of Python will do - see the ssl module in Python. – Steffen Ullrich Feb 20 '21 at 19:09
  • @SteffenUllrich thank you for that suggestion. I had seen it suggested elsewhere and had, in fact, tried it some yesterday without success. I tried again because of your suggestion and have discovered the `crlf` option and it's working. I just need to concoct a script of some kind to avoid copying and pasting all the various lines of the command and request into a single command. – S. Imp Feb 20 '21 at 22:44
  • If you want to script something have a look at Python. Again, it is only a few lines of code there. – Steffen Ullrich Feb 21 '21 at 06:15
  • You can get curl to not interpret your `../` using `--path-as-is` – multithr3at3d Feb 21 '21 at 22:58
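A small Python script in the spirit of the "few lines of Python" suggested above, added here as an example (it is not code from the thread or from CodeIgniter). It opens the TLS connection itself and writes the request-target byte-for-byte, so a `..` segment reaches the server you are testing without client-side normalisation, and it logs every raw response to a file for inspection; the script name, the input/output file names and the `verify=False` knob are assumptions.

```python
import socket
import ssl
import sys

def build_request(path: str, host: str) -> bytes:
    """Build a raw HTTP/1.1 GET; the request-target is used exactly as given."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "Connection: close",
        "",
        "",
    ]
    # latin-1 so any byte value can be placed in the path without a codec error
    return "\r\n".join(lines).encode("latin-1")

def status_code(response: bytes) -> int:
    """Return the numeric status from the status line, or 0 if it is missing."""
    first = response.split(b"\r\n", 1)[0].split(b" ")
    if len(first) < 2 or not first[0].startswith(b"HTTP/"):
        return 0
    try:
        return int(first[1])
    except ValueError:
        return 0

def send_raw(host: str, path: str, port: int = 443, verify: bool = True) -> bytes:
    """Open a TLS connection, send the raw request and return the whole response."""
    ctx = ssl.create_default_context()
    if not verify:  # only for a lab host with a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_request(path, host))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)

if __name__ == "__main__":
    # usage: python rawreq.py example.com uris.txt out.log  (names are assumed)
    target, uri_file, out_file = sys.argv[1:4]
    with open(uri_file) as f, open(out_file, "wb") as out:
        for uri in (line.rstrip("\r\n") for line in f if line.strip()):
            resp = send_raw(target, uri)
            out.write(f"=== {uri} -> {status_code(resp)}\n".encode() + resp + b"\n")
```

Each line of `uris.txt` is one request-target, e.g. `/subdir/../nested-directory`; a `400` from Apache versus a `404` or `200` from the router tells you which layer handled the segment.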

1 Answer


For Linux systems, gnutls-cli is available. For example:

```
gnutls-cli qnap --no-ca-verification
GET index.html
```

gets the index.html from my Qnap-NAS via port 443. You can of course easily make invalid HTTP requests like your example this way.

If you just want to exploit all sorts of possible URLs with valid requests, then perhaps curl is the better tool.

Ljm Dullaart
  • Thank you for your suggestion! I have a fair amount of experience with curl and, as I state in my original post, do not want to be constrained to valid requests. In your short code example, you refer to `qnap`, which is not an FQDN. Is this an entry in your hosts file? You also don't specify the port. I presume 443 is the default? It's not clarified in the [docs](https://www.gnutls.org/manual/html_node/) – S. Imp Feb 20 '21 at 17:07
  • Qnap's full name here is `qnap.home`, which is resolved by my own name server. In my `/etc/resolv.conf` I have `search home`, so that is how that works. Default is indeed 443, though I could not find it in any docs either; otherwise, specify `-p 443` to be on the safe side. – Ljm Dullaart Feb 20 '21 at 17:39