From f6513f8f230b1be05cd9c5bbe831a6811205161e Mon Sep 17 00:00:00 2001
From: hktalent <18223385+hktalent@users.noreply.github.com>
Date: Mon, 27 Nov 2023 16:47:47 +0800
Subject: [PATCH] optimization 2023-11-27
---
 geCurIp_test.go | 3 ++-
 lib/Smuggling/CheckSmuggling.go | 43 ++++++++++++++++---------------
 lib/socket/ConnTarget.go | 45 ++++++++++----------------------
 3 files changed, 38 insertions(+), 53 deletions(-)
diff --git a/geCurIp_test.go b/geCurIp_test.go
index e3ac4cd30..87b365df0 100644
--- a/geCurIp_test.go
+++ b/geCurIp_test.go
@@ -9,6 +9,7 @@ import (
 func TestGetIp(t *testing.T) {
 os.Setenv("CacheName", "TmpXx1")
+ os.Setenv("HTTPS_PROXY", "socks5://127.0.0.1:7890")
 util.DoInit(nil)
 //t.Run("获取当前用户的ip", func(t *testing.T) {
 // if got := util.GetIp(); !reflect.DeepEqual(got, "") {
@@ -16,7 +17,7 @@ func TestGetIp(t *testing.T) {
 // }
 //})
- Smuggling.DoCheckSmuggling("http://127.0.0.1/", "")
+ Smuggling.DoCheckSmuggling("https://ttblaze.iifl.com:4021/", "")
 util.Wg.Wait()
 util.CloseAll()
 }
diff --git a/lib/Smuggling/CheckSmuggling.go b/lib/Smuggling/CheckSmuggling.go
index 9ab8859a8..74b797de8 100644
--- a/lib/Smuggling/CheckSmuggling.go
+++ b/lib/Smuggling/CheckSmuggling.go
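Review bot: `os.Setenv("HTTPS_PROXY", "socks5://127.0.0.1:7890")` in TestGetIp is never unset, so the proxy setting leaks into every other test in the package for the rest of the process, and it hard-wires a proxy that only exists on one developer's machine. Use `t.Setenv("HTTPS_PROXY", ...)` (Go 1.17+), which restores the previous value when the test ends, and take the proxy address from an opt-in environment variable with the test skipped via `t.Skip` when it is absent. The same applies to the existing `os.Setenv("CacheName", ...)` on the line above.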
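Review bot: The second hunk points `Smuggling.DoCheckSmuggling` at `https://ttblaze.iifl.com:4021/`, an external host the project does not control, so every `go test` run sends request-smuggling probes to a third party's endpoint and the outcome depends on that host being reachable. A unit test should target a server it owns — an `httptest.NewTLSServer` stood up inside the test, or the loopback address the line used before — with any real target read from an opt-in variable and the test skipped otherwise, e.g. `target := os.Getenv("SMUGGLING_TEST_TARGET"); if target == "" { t.Skip("SMUGGLING_TEST_TARGET not set") }` (variable name is a constructed placeholder). As written the test also has no assertion, so a regression in DoCheckSmuggling would still pass.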
@@ -43,22 +43,22 @@ func checkSmuggling4Poc(ClTePayload *[]string, nTimes int, r1 *Smuggling, r *soc
 }
 /*
- check HTTP Request Smuggling
- 可以利用走私尝试访问,被常规手段屏蔽的路径,例如 weblogic 的页面
- https://portswigger.net/web-security/request-smuggling/finding
- https://hackerone.com/reports/1630668
- https://github.com/nodejs/llhttp/blob/master/src/llhttp/http.ts#L483
- 1、每个目标的登陆页面只做一次检测,也就是发现你登陆页面的路径可以做一次检测
- 2、每个目标相同上下文的页面只做一次检测,爬虫发现的不同上下文各做一次检测
- szBody 是为了 相同url 相同payload 的情况下,只发一次请求,进行多次判断而设计,Smuggling 的场景通常不存在
+ check HTTP Request Smuggling
+ 可以利用走私尝试访问,被常规手段屏蔽的路径,例如 weblogic 的页面
+ https://portswigger.net/web-security/request-smuggling/finding
+ https://hackerone.com/reports/1630668
+ https://github.com/nodejs/llhttp/blob/master/src/llhttp/http.ts#L483
+ 1、每个目标的登陆页面只做一次检测,也就是发现你登陆页面的路径可以做一次检测
+ 2、每个目标相同上下文的页面只做一次检测,爬虫发现的不同上下文各做一次检测
+ szBody 是为了 相同url 相同payload 的情况下,只发一次请求,进行多次判断而设计,Smuggling 的场景通常不存在
- 做一次 http
- util.PocCheck_pipe <- &util.PocCheck{
- Wappalyzertechnologies: &[]string{"httpCheckSmuggling"},
- URL: finalURL,
- FinalURL: finalURL,
- Checklog4j: false,
- }
+ 做一次 http
+ util.PocCheck_pipe <- &util.PocCheck{
+ Wappalyzertechnologies: &[]string{"httpCheckSmuggling"},
+ URL: finalURL,
+ FinalURL: finalURL,
+ Checklog4j: false,
+ }
 */
 func DoCheckSmuggling(szUrl string, szBody string) {
 for _, x := range payload {
@@ -66,7 +66,7 @@ func DoCheckSmuggling(szUrl string, szBody string) {
 go func(j Smuggling, szUrl string) {
 defer util.Wg.Done()
 if "" == szBody {
- x1 := socket.NewCheckTarget(szUrl, "tcp", 3)
+ x1 := socket.NewCheckTarget(szUrl, "tcp", 30)
 defer x1.Close()
 checkSmuggling4Poc(j.GetPayloads(x1), j.GetTimes(), &j, x1)
 } else {
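Review bot: The timeout in `x1 := socket.NewCheckTarget(szUrl, "tcp", 30)` is a bare number that just went from 3 to 30 with no explanation, and since every entry of `payload` runs in its own goroutine here, each one can now hold a connection ten times longer than before. Give the value a name at package scope, `const smugglingProbeTimeoutSec = 30 // read/write deadline per probe; TODO state why 30 s is the right bound`, and pass that here; the reason is presumably that a server that stalls on a smuggled body must not be mistaken for a connection failure, but the commit does not say so. The goroutine body and DoCheckSmuggling continue past the end of the hunk.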
@@ -77,11 +77,12 @@ func DoCheckSmuggling(szUrl string, szBody string) {
 }
 // 构造走私,用来访问被屏蔽的页面
-// 确认存在走私漏洞后,可以继续基于走私 走以便filefuzz
-// 1、首先 szUrl必须是可访问的 200,否则可能会导致误判
-// @szUrl 设施走私的目标
-// @smugglinUrlPath 希望走私能访问到到页面,例如 /console
-// @secHost 第二段头的host
+//
+// 确认存在走私漏洞后,可以继续基于走私 走以便filefuzz
+// 1、首先 szUrl必须是可访问的 200,否则可能会导致误判
+// @szUrl 设施走私的目标
+// @smugglinUrlPath 希望走私能访问到到页面,例如 /console
+// @secHost 第二段头的host
 func GenerateHttpSmugglingPay(szUrl, smugglinUrlPath, secHost string) string {
 a := []string{`POST %s HTTP/1.1
 Host: %s
diff --git a/lib/socket/ConnTarget.go b/lib/socket/ConnTarget.go
index b0f3307b5..68f1c46a1 100644
--- a/lib/socket/ConnTarget.go
+++ b/lib/socket/ConnTarget.go
@@ -8,6 +8,7 @@ import (
 "github.com/hktalent/scan4all/lib/util"
 "net"
 "net/url"
+ "regexp"
 "strconv"
 "strings"
 "time"
@@ -49,15 +50,10 @@ func NewCheckTarget(szUrl, SzType string, readWriteTimeout int) *CheckTarget {
 r11.Port = 80
 // https://eli.thegreenplace.net/2021/go-socket-servers-with-tls/
 r11.IsTLS = strings.HasPrefix(strings.ToLower(u.Scheme), "https")
- if "" == u.Port() {
- if r11.IsTLS {
- r11.Port = 443
- }
- } else {
- n, err := strconv.Atoi(u.Port())
- if nil == err {
- r11.Port = n
- }
+ if "" == u.Port() && r11.IsTLS {
+ r11.Port = 443
+ } else if n, err := strconv.Atoi(u.Port()); nil == err {
+ r11.Port = n
 }
 if "" != u.Path {
 r11.UrlPath = u.Path
@@ -180,6 +176,8 @@ func (r *CheckTarget) Log(s string) {
 //log.Println(s)
 }
+var ipReg = regexp.MustCompile(`^(\d{1,3}\.){3}\d{1,3}$`)
+
 // 连接目标
 // sysctl -w net.ipv4.tcp_keepalive_time=300
 // sysctl -w net.ipv4.tcp_keepalive_intvl=30
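Review bot: In the rewritten port selection, `else if n, err := strconv.Atoi(u.Port()); nil == err` accepts any integer that parses, so a URL such as `https://host:0/` or `https://host:99999/` produces a CheckTarget whose `%s:%d` dial address can never succeed instead of keeping the 80/443 default; if `u` comes from `url.Parse`, only the digits-only check has been done, not the range. Bounding it, `} else if n, err := strconv.Atoi(u.Port()); nil == err && n > 0 && n <= 65535 {`, keeps the fallback for malformed input. NewCheckTarget continues outside the hunk.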
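Review bot: `ipReg` in the last hunk only recognizes dotted-quad IPv4 text, so an IPv6 literal such as `::1` does not match and, where ConnTarget consults it, ends up assigned as the TLS `ServerName`, which is not a valid SNI host name for any IP literal; the pattern also accepts octets above 255 (`999.1.1.1`). `net.ParseIP(ServerName) == nil` makes the same decision for both address families, rejects the out-of-range case, and removes the need for the `regexp` import added in the first hunk of this file, since `net` is already imported. A short doc comment on the variable, `// ipReg reports whether a host string is a bare IPv4 address (no SNI should be sent for IP literals).`, would record its purpose if the regexp is kept.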
@@ -191,38 +189,23 @@ func (r *CheckTarget) ConnTarget() (*CheckTarget, error) {
 conf := &tls.Config{
 InsecureSkipVerify: true,
 }
- r.Conn, err = tls.Dial(r.ConnType, fmt.Sprintf("%s:%d", r.Target, r.Port), conf)
- if err == nil {
- //r.Conn.SetKeepAlive(true)
- // 设置读取超时
- err = r.Conn.SetReadDeadline(time.Now().Add(time.Duration(r.ReadTimeout) * time.Second))
- if err != nil {
- defer r.Close()
- r.Log(szErr)
- return r, err
- }
- r.ConnState = true
+ ServerName := strings.Split(r.Target, ":")[0]
+ if !ipReg.Match([]byte(ServerName)) {
+ conf.ServerName = ServerName
 }
+ r.Conn, err = tls.Dial(r.ConnType, fmt.Sprintf("%s:%d", r.Target, r.Port), conf)
 } else {
 r.Conn, err = net.DialTimeout(r.ConnType, fmt.Sprintf("%s:%d", r.Target, r.Port), time.Duration(r.ReadTimeout)*time.Second)
- if err != nil {
- r.Log(szErr)
- return r, err
- }
+ }
+ if err == nil {
+ //defer r.Close()
 //r.Conn.SetKeepAlive(true)
 // 设置读取超时
 err = r.Conn.SetReadDeadline(time.Now().Add(time.Duration(r.ReadTimeout) * time.Second))
 if err != nil {
- defer r.Close()
 r.Log(szErr)
 return r, err
 }
- // 设置写超时
- //conn1.SetWriteDeadline(time.Now().Add(time.Duration(r.ReadTimeout) * time.Second))
- //if err != nil {
- // return r, err
- //}
- //log.Printf("connect ok: %s", r.UrlRaw)
 r.ConnState = true
 }
 return r, nil
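Review bot: With the merged `if err == nil {` block, a failed `tls.Dial` or `net.DialTimeout` now falls through to `return r, nil`, so the caller receives a CheckTarget with a nil Conn, ConnState false and no error; before this change the non-TLS branch returned the dial error (the TLS branch already had that gap, so the refactor spreads it rather than fixing it). The `defer r.Close()` on the SetReadDeadline failure path was also dropped and only a commented `//defer r.Close()` remains, so that path now returns without releasing the socket. Separately, `strings.Split(r.Target, ":")[0]` truncates an IPv6 literal at its first colon, so the SNI decision is wrong for such targets; `net.SplitHostPort` or `net.ParseIP` on the whole string would be safer. The `if r.IsTLS {` opening and the `err` declaration are outside the hunk, so the rewrite below starts at the else branch.
```go
	} else {
		r.Conn, err = net.DialTimeout(r.ConnType, fmt.Sprintf("%s:%d", r.Target, r.Port), time.Duration(r.ReadTimeout)*time.Second)
	}
	// A dial failure must reach the caller; a nil Conn with a nil error is unusable.
	if err != nil {
		r.Log(szErr)
		return r, err
	}
	// 设置读取超时
	if err = r.Conn.SetReadDeadline(time.Now().Add(time.Duration(r.ReadTimeout) * time.Second)); err != nil {
		r.Close() // release the socket we just opened
		r.Log(szErr)
		return r, err
	}
	r.ConnState = true
	return r, nil
```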