HostHeaderInjection/ImprovedHostHeaderInj.sh at main · SecurityBong/HostHeaderInjection · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
#!/bin/bash

RED='\033[0;31m'
GREEN='\033[0;32m'
NC='\033[0m' # No Color

# Display author name
echo -e "Author: ${RED}Security Bong${NC}"
echo ""

if [ -z "$1" ]; then
  echo "Please provide a URL or a file containing URLs."
  exit 1
fi

if [ -f "$1" ]; then
  # Read URLs from a file
  urls=$(cat "$1")
else
  # Use single URL provided as argument
  urls="$1"
fi

payloads=(
  "example.com"
  "127.0.0.1"
  "localhost"
  "malicious.com"
  "evil.com"
)

headers=(
  "X-Forwarded-Host: malicious.com"
  "Referer: malicious.com"
  "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537"
)

for url in $urls; do
  echo "Testing: $url"

  # Check if the URL is alive
  if ! curl -s --head --connect-timeout 5 "$url" > /dev/null; then
    echo -e "${RED}The URL is not alive${NC}"
    echo ""
    if [ -f "$1" ]; then
      continue
    else
      exit 1
    fi
  fi

  vulnerable=false

  # Test host header injection
  for payload in "${payloads[@]}"; do
    response=$(curl -s -I -H "Host: $payload" "$url")

    if [[ "$response" =~ "$payload" ]]; then
      echo -e "${RED}Host Header: Host: $payload - Vulnerable${NC}"
      vulnerable=true
      break
    fi
  done

  # Test additional headers injection
  for header in "${headers[@]}"; do
    response=$(curl -s -I -H "$header" "$url")

    if [[ "$response" =~ "malicious.com" ]]; then
      echo -e "${RED}Additional Header: $header - Vulnerable${NC}"
      vulnerable=true
      break
    fi
  done

  if [ "$vulnerable" = false ]; then
    echo -e "${GREEN}Not Vulnerable${NC}"
  fi

  echo ""
done