Exploitation
After finding a vulnerability, smugglex can attempt exploitation to demonstrate impact.
Five exploit types are available via -e, --exploit (comma-separated):
localhost-access, path-fuzz, smuggle, capture, and reveal.
localhost-access and path-fuzz reuse the detected vulnerability, while
smuggle, capture, and reveal fire their own desync directly and need no
prior detection.
Localhost Access
Test for SSRF-like access to internal services through smuggled requests.
smugglex -e localhost-access https://target.com
Custom ports:
smugglex -e localhost-access --exploit-ports 80,8080,9090,3000 https://target.com
Path Fuzzing
Discover internal paths by smuggling requests with a wordlist.
smugglex -e path-fuzz --exploit-wordlist /path/to/wordlist.txt https://target.com
Smuggle
Smuggle an attacker-chosen request to the back-end so the next request it
processes is the smuggled one. Tries both CL.TE and TE.CL wrappers across a
range of Transfer-Encoding obfuscations; divergent responses across rounds are
the evidence the smuggle landed. Defaults to making the back-end process a
GPOST request (the classic lab objective).
smugglex -e smuggle https://target.com
smugglex -e smuggle --smuggle-request "GET /admin HTTP/1.1\r\nHost: target\r\n\r\n" https://target.com
Capture
Recover a smuggled request's response via response-queue desync: a follow-up
request on the poisoned connection receives the queued response (e.g. an admin
panel reached past a front-end control). Defaults to smuggling GET /admin.
smugglex -e capture https://target.com
Reveal Front-End Rewriting
Reveal the headers a front-end proxy injects before forwarding (e.g.
X-Forwarded-For, a rewritten Host, internal auth/routing headers) — the
recon step that unlocks header-spoofing attacks. smugglex smuggles a POST to a
reflecting endpoint (a page that echoes a submitted form field) whose
Content-Length overshoots its body, so the back-end swallows the next,
front-end-rewritten request into the reflected value and echoes it back.
# Point at the reflecting endpoint and the parameter it echoes
smugglex -e reveal --reveal-endpoint /search --reveal-param q https://target.com
The endpoint defaults to the scanned path and the parameter defaults to q.
This exploit needs an endpoint that reflects the parameter in its response; on a
target without one the marker simply won't come back.
Combined
smugglex -e localhost-access,path-fuzz \
--exploit-ports 80,8080 \
--exploit-wordlist paths.txt \
https://target.com
Detection
The exploit module analyzes responses for:
- Status code changes
- Service-specific signatures
- Timing differences
- Error messages indicating internal access