#!/usr/bin/python3
from flask import Flask, request, jsonify, send_from_directory
import json
import argparse
import ssl
import os
import uuid
from werkzeug.utils import secure_filename
from datetime import datetime as date
############# Flask Routes #################
# Directory that /e/upload writes into; created eagerly so the first upload
# cannot fail on a missing directory.
UploadPath = "received"
# static_url_path='' serves Flask's static folder from the URL root.
app = Flask(__name__, static_url_path='')
os.makedirs(UploadPath, exist_ok=True)
#------------------------------------------
@app.route('/info', methods=['GET', 'POST'])  # Print info
def info():
    """Return the version banner; answers both GET and POST."""
    banner = "<h3>Gamal v1.0.5 | Milad Fadavvi</h3>"
    return banner
#------------------------------------------
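def _write_request_log(log, *, form_args=False, json_body=False):
    """Append one request record to the open log handle *log*.

    Every record starts with a separator line and carries the time, URL,
    client address, method, path, folded headers and any query-string
    arguments.  With form_args the form fields are added as JSON; with
    json_body a parsed JSON body is added when one is present.  Logging
    is best-effort: a field that cannot be serialised is skipped rather
    than failing the request.

    NOTE(review): request.remote_addr is the TCP peer as Flask sees it;
    behind a reverse proxy that is the proxy's address unless a proxy fix
    middleware is configured.
    """
    log.write("-" * 33 + '\n')
    log.write("Time: {} \n".format(date.now()))
    log.write("URL: {} \n".format(request.url))
    log.write("Requester: {} \n".format(request.remote_addr))
    log.write("Method: {} \n".format(request.method))
    if request.path != '':
        log.write("Path: {} \n".format(request.path))
    # The headers repr is multi-line; fold it onto one line so each record
    # stays grep-able.
    log.write("Headers: {}\n".format(request.headers).replace('\r\n', ' | ').replace(' | |', ''))
    if request.args:
        log.write("Get Args: {} \n".format(request.args.to_dict()))
    if form_args:
        try:
            log.write("Post Args: {} \n".format(json.dumps(request.form.to_dict())))
        except (TypeError, ValueError):
            # Unserialisable form content: skip the field, keep the record.
            pass
    if json_body:
        # silent=True yields None instead of raising when the body is not JSON.
        body = request.get_json(silent=True)
        if body is not None:
            log.write("JSON Data: {}\n".format(body))


@app.route('/f/<path:path>')  # Serves files
def send_js(path):
    """Log the request and serve *path* from the local 'f' directory.

    send_from_directory confines *path* to that directory, so no extra
    traversal check is done here.  The log handle is closed by the
    context manager even if a write fails.
    """
    with open(Arguments.log, "a+") as log:
        _write_request_log(log)
    return send_from_directory('f', path)


@app.route("/e/upload", methods=["POST"])
def upload_file():
    """Accept a multipart upload (field 'file') and store it under UploadPath.

    Optional query args 'host' and 'user' select a per-host sub-directory
    and a name prefix; both go through secure_filename before use.
    Returns a JSON message with status 400 when no file is supplied or when
    the destination would resolve outside UploadPath, else 200.
    """
    if "file" not in request.files:
        return jsonify({"error": "No file part in request"}), 400
    upload = request.files["file"]
    if upload.filename == "":
        return jsonify({"error": "No file selected"}), 400
    # Flat fallback destination, used only if the per-host layout below fails.
    file_path = os.path.join(UploadPath, request.remote_addr + '-' + str(uuid.uuid1()) + '-' + upload.filename)
    with open(Arguments.log, "a+") as log:
        _write_request_log(log, form_args=True)
        try:
            host_name = secure_filename(request.args.get('host', ''))
            user = secure_filename(request.args.get('user', ''))
            file_name = secure_filename(upload.filename)
            # NOTE: no unique component here, so a repeat upload with the same
            # user, address and filename overwrites the earlier file.
            unique_name = f"{user}--{request.remote_addr}-{file_name}"
            os.makedirs(name=UploadPath + '/' + host_name, exist_ok=True)
            file_path = os.path.join(UploadPath, host_name + '/' + unique_name)
            log.write("File: {} will save in {} \n".format(file_name, file_path))
        except OSError:
            # Directory creation failed; keep the flat fallback path.
            pass
        # Reject any destination outside the upload root (the fallback path
        # still contains the raw client-supplied filename).
        if not os.path.abspath(file_path).startswith(os.path.abspath(UploadPath) + os.sep):
            return jsonify({"error": "Go Hack Yourself!"}), 400
    upload.save(file_path)
    return jsonify({"message": "File uploaded successfully!"}), 200


@app.errorhandler(404)
@app.errorhandler(400)
@app.route('/<path:path>', methods=['GET', 'POST'])  # Logs info
def SaveData(e='', path=''):
    """Catch-all handler: log the full request and answer with the canary.

    Registered both as the fallback route and as the 400/404 error handler,
    so it receives *e* (the error) in one case and *path* in the other;
    neither influences the response.  Always answers 200, even when invoked
    as an error handler.
    """
    with open(Arguments.log, "a+") as log:
        _write_request_log(log, form_args=True, json_body=True)
    return '<html><b>{}</b></html>'.format(Arguments.canary), 200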
#------------------------------------------
############# Payloads list ########################
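def PrirntFileURLs(path: str, hostname: str):
    """Print one https URL per file under *path*, as exposed by the /f/ route.

    Args:
        path: local directory backing the /f/ route (normally './f').
        hostname: host (optionally with port) embedded in every URL.

    Prints a notice and returns when *path* does not exist.  Directories
    and files are visited in sorted order so repeated runs give the same
    listing.
    """
    if not os.path.exists(path):
        # Report the directory actually requested rather than a hard-coded name.
        print(f"The path [{path}] does not exist.")
        return
    print('-=' * 13)
    for root, dirs, files in os.walk(path):
        dirs.sort()  # in-place sort steers os.walk's traversal order
        for name in sorted(files):
            rel_path = os.path.relpath(os.path.join(root, name), start=path)
            # Normalise OS separators so the path forms a valid URL segment.
            print(f"https://{hostname}/f/{rel_path.replace(os.sep, '/')}")
    print('-=' * 13)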
############# Main Function ########################
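if __name__ == "__main__":
    # Arguments is read by the request handlers above.  Assigning it here, at
    # module scope, already makes it a module global; a 'global' statement at
    # module level is a no-op and has been dropped.
    parser = argparse.ArgumentParser(description='Gamal v1.0.5:\nA tiny flask app for helping red-teamers, purple teamers, and pentesters in delivery, data exfiltration, and some attacks (SSRF, XXE, XSS, Session Hijacking, Session Riding).\n\n')
    parser.add_argument('--log', default='gamal.log', help='Path to the log file')
    # type=int lets argparse reject a non-numeric port instead of failing later in app.run.
    parser.add_argument('--port', default=1337, type=int, help='Port / HTTPs')
    parser.add_argument('--ip', default='0.0.0.0', help='IP e.g. : 0.0.0.0 or 127.0.0.1')
    parser.add_argument('--canary', default='booqbooqGamal', help='Canary token')
    parser.add_argument('--cert', help='Your fullchain.pem file')
    parser.add_argument('--key', help='Your ssl private key file')
    parser.add_argument('--host', help='Your hostname or external IP add, Format: <FQDN>:<PORT>')
    parser.add_argument('--delivery', help='Shows available files in the ./f path for delivery. Use it in combination with --host', action='store_true')
    Arguments = parser.parse_args()
    # ------------------------------------------
    # The delivery listing is independent of the TLS mode, so it runs once here.
    if Arguments.delivery:
        PrirntFileURLs('./f', Arguments.host or Arguments.ip)
    # Only one of --cert/--key given used to fall back to ad-hoc silently; say so.
    if bool(Arguments.cert) != bool(Arguments.key):
        print("Warning: --cert and --key must be given together; falling back to an ad-hoc certificate.")
    if Arguments.cert and Arguments.key:
        # Server-side context with the stdlib's hardened defaults (current TLS
        # versions and cipher suites) instead of the deprecated PROTOCOL_TLS.
        context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
        context.load_cert_chain(certfile=Arguments.cert, keyfile=Arguments.key)
    else:
        # Flask generates a throwaway self-signed certificate for 'adhoc'.
        context = 'adhoc'
    try:
        app.run(host=Arguments.ip, port=Arguments.port, threaded=True, ssl_context=context)
    except Exception as exc:
        # Surface the cause (typically a missing dependency for 'adhoc' or a bad
        # bind address) before the usage text instead of hiding it behind it.
        print(f"Error: {exc}")
        parser.print_help()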