Penetration Testing mailing list archives

Re: HTTP Manipulation

From: Rogan Dawes <lists@NO_dawes.SPAM_za.net>
Date: Wed, 21 Apr 2004 18:19:37 +0200

Jeremy Junginger wrote:

Hey guys,

I'm putting together a perl script to do some HTTP manipulation (Methods,
versions, overflow strings, etc), and am having some trouble reading from the
socket.  From tcpdump, I can see that it is completing the TCP three way
handshake, and successfully GETting the default page with a 200 OK response,
but I'm not sure how to capture this data from the socket prior to closing
it.  Could any of you PERL gurus see if I've missed something important here?
Thanks,

#!c:\Perl\bin\Perl.exe

use CGI qw(:standard);
#use strict;
use Socket;

#Initialize the host, port, and protocols
$host = shift||'ip.address.of.remote.host';
$port = shift||80;
$proto = getprotobyname('tcp');

#Get the port address
$remoteip = inet_aton($host);
$remoteport = sockaddr_in($port,$remoteip);

#$localhost   = pack('S n a4 x8', AF_INET, 0, "\0\0\0\0");
#$remotehost   = pack('S n a4 x8', AF_INET, $port, $host);

#Create the socket and connect to the port
socket(SOCKET,PF_INET,SOCK_STREAM,$proto) or die "socket:$!";
connect(SOCKET,$remoteport) or die "connect:$!";

print SOCKET "GET / HTTP/1.0\n\n";


while (<SOCKET>) {
  print $_;
}

You should also rather be doing
print SOCKET "GET / HTTP/1.0\r\n\r\n";

according to the RFC's

For something like this, libwhisker is probably a good starting point,or just use LWP, rather.


Regards

Rogan
--
Rogan Dawes
email: lists AT dawes DOT za DOT net

"Using encryption on the Internet is the equivalent of arranging an
armored car to deliver credit card information from someone living
in a cardboard box to someone living on a park bench."
- Gene Spafford

------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------

Current thread:

HTTP Manipulation Jeremy Junginger (Apr 21)
- Re: HTTP Manipulation Kenneth Peiruza (Apr 21)
- Re: HTTP Manipulation cdowns (Apr 21)
- Re: HTTP Manipulation Rogan Dawes (Apr 21)
- <Possible follow-ups>
- HTTP Manipulation Arthur Clune (Apr 21)