Skip to content

Commit a552f3d

Browse files
rootphantomerrootphantomer
committed
jetty tools
jetty tools
1 parent 8dcbc7c commit a552f3d

File tree

2 files changed

+67
-0
lines changed

2 files changed

+67
-0
lines changed

Jetleak-Testing-Script-master/README.txt

+24
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,24 @@
1+
# Jetleak Testing Script
2+
3+
This tool is intended to provide a quick-and-dirty way for organizations to test whether their Jetty web server versions are vulnerable to JetLeak. Currently, this script does not handle sites with invalid SSL certs. This will be fixed in a future iteration.
4+
5+
For additional details on the Jetleak vulnerability refer to our blog post:
6+
http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html
7+
8+
Sample Usage: python jetleak_tester.py [url] [port]
9+
10+
Sample Output for a server that is not vulnerable:
11+
12+
```
13+
$ python jetleak_tester.py http://[ENTER HOSTNAME] 80
14+
15+
This version of Jetty is NOT vulnerable to JetLeak.
16+
```
17+
18+
Sample Output for a server that is vulnerable:
19+
20+
```
21+
$ python jetleak_tester.py http://[ENTER HOSTNAME] 80
22+
23+
This version of Jetty is VULNERABLE to JetLeak!
24+
```

Jetleak-Testing-Script-master/jetleak_tester.py

+43
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,43 @@
1+
import httplib, urllib, ssl, string, sys, getopt
2+
from urlparse import urlparse
3+
4+
'''
5+
6+
Author: Gotham Digital Science
7+
8+
Purpose: This tool is intended to provide a quick-and-dirty way for organizations to test whether
9+
their Jetty web server versions are vulnerable to JetLeak. Currently, this script does
10+
not handle sites with invalid SSL certs. This will be fixed in a future iteration.
11+
12+
'''
13+
14+
if len(sys.argv) < 3:
15+
print("Usage: jetleak.py [url] [port]")
16+
sys.exit(1)
17+
18+
url = urlparse(sys.argv[1])
19+
if url.scheme == '' and url.netloc == '':
20+
print("Error: Invalid URL Entered.")
21+
sys.exit(1)
22+
23+
port = sys.argv[2]
24+
25+
conn = None
26+
27+
if url.scheme == "https":
28+
conn = httplib.HTTPSConnection(url.netloc + ":" + port)
29+
elif url.scheme == "http":
30+
conn = httplib.HTTPConnection(url.netloc + ":" + port)
31+
else:
32+
print("Error: Only 'http' or 'https' URL Schemes Supported")
33+
sys.exit(1)
34+
35+
x = "\x00"
36+
headers = {"Referer": x}
37+
conn.request("POST", "/", "", headers)
38+
r1 = conn.getresponse()
39+
40+
if (r1.status == 400 and ("Illegal character 0x0 in state" in r1.reason)):
41+
print("\r\nThis version of Jetty is VULNERABLE to JetLeak!")
42+
else:
43+
print("\r\nThis version of Jetty is NOT vulnerable to JetLeak.")

0 commit comments

Comments
 (0)