ESC

Exploitation

After finding a vulnerability, smugglex can attempt exploitation to demonstrate impact.

Five exploit types are available via -e, --exploit (comma-separated): localhost-access, path-fuzz, smuggle, capture, and reveal. localhost-access and path-fuzz reuse the detected vulnerability, while smuggle, capture, and reveal fire their own desync directly and need no prior detection.

Localhost Access

Test for SSRF-like access to internal services through smuggled requests.

smugglex -e localhost-access https://target.com

Custom ports:

smugglex -e localhost-access --exploit-ports 80,8080,9090,3000 https://target.com

Path Fuzzing

Discover internal paths by smuggling requests with a wordlist.

smugglex -e path-fuzz --exploit-wordlist /path/to/wordlist.txt https://target.com

Smuggle

Smuggle an attacker-chosen request to the back-end so the next request it processes is the smuggled one. Tries both CL.TE and TE.CL wrappers across a range of Transfer-Encoding obfuscations; divergent responses across rounds are the evidence the smuggle landed. Defaults to making the back-end process a GPOST request (the classic lab objective).

smugglex -e smuggle https://target.com
smugglex -e smuggle --smuggle-request "GET /admin HTTP/1.1\r\nHost: target\r\n\r\n" https://target.com

Capture

Recover a smuggled request's response via response-queue desync: a follow-up request on the poisoned connection receives the queued response (e.g. an admin panel reached past a front-end control). Defaults to smuggling GET /admin.

smugglex -e capture https://target.com

Reveal Front-End Rewriting

Reveal the headers a front-end proxy injects before forwarding (e.g. X-Forwarded-For, a rewritten Host, internal auth/routing headers) — the recon step that unlocks header-spoofing attacks. smugglex smuggles a POST to a reflecting endpoint (a page that echoes a submitted form field) whose Content-Length overshoots its body, so the back-end swallows the next, front-end-rewritten request into the reflected value and echoes it back.

# Point at the reflecting endpoint and the parameter it echoes
smugglex -e reveal --reveal-endpoint /search --reveal-param q https://target.com

The endpoint defaults to the scanned path and the parameter defaults to q. This exploit needs an endpoint that reflects the parameter in its response; on a target without one the marker simply won't come back.

Combined

smugglex -e localhost-access,path-fuzz \
  --exploit-ports 80,8080 \
  --exploit-wordlist paths.txt \
  https://target.com

Detection

The exploit module analyzes responses for:

  • Status code changes
  • Service-specific signatures
  • Timing differences
  • Error messages indicating internal access