From 42806da5125d0774c700e9c0cc84b85726daed14 Mon Sep 17 00:00:00 2001
From: six2dez
Date: Tue, 25 May 2021 09:08:43 +0200
Subject: [PATCH 01/15] Fix web mode requires target list

---
 reconftw.sh | 17 ++++++++++-------
 reconftw_axiom.sh | 19 +++++++++++--------
 2 files changed, 21 insertions(+), 15 deletions(-)

diff --git a/reconftw.sh b/reconftw.sh
index 0dd20fda..b615e911 100755
--- a/reconftw.sh
+++ b/reconftw.sh
@@ -446,9 +446,9 @@ function sub_permut(){ start_subfunc "Running : Permutations Subdomain Enumeration" [ "$DEEP" = true ] && [ -s "subdomains/subdomains.txt" ] && DNScewl --tL subdomains/subdomains.txt -p $tools/permutations_list.txt --level=0 --subs --no-color 2>>"$LOGFILE" | tail -n +14 | grep ".$domain$" > .tmp/DNScewl1.txt - [ "$DEEP" = false ] && [ $(cat .tmp/subs_no_resolved.txt | wc -l) -le 100 ] && DNScewl --tL .tmp/subs_no_resolved.txt -p $tools/permutations_list.txt --level=0 --subs --no-color 2>>"$LOGFILE" | tail -n +14 | grep ".$domain$" > .tmp/DNScewl1.txt - [ "$DEEP" = false ] && [ $(cat .tmp/subs_no_resolved.txt | wc -l) -gt 100 ] && [ $(cat .tmp/subs_no_resolved.txt | wc -l) -le 200 ] && DNScewl --tL .tmp/subs_no_resolved.txt -p $tools/permutations_list.txt --level=0 --subs --no-color 2>>"$LOGFILE" | tail -n +14 | grep ".$domain$" > .tmp/DNScewl1.txt - [ "$DEEP" = false ] && [ $(cat .tmp/subs_no_resolved.txt | wc -l) -gt 200 ] && [ $(cat subdomains/subdomains.txt | wc -l) -le 100 ] && DNScewl --tL subdomains/subdomains.txt -p $tools/permutations_list.txt --level=0 --subs --no-color 2>>"$LOGFILE" | tail -n +14 | grep ".$domain$" > .tmp/DNScewl1.txt + [ "$DEEP" = false ] && [ "$(cat .tmp/subs_no_resolved.txt | wc -l)" -le 100 ] && DNScewl --tL .tmp/subs_no_resolved.txt -p $tools/permutations_list.txt --level=0 --subs --no-color 2>>"$LOGFILE" | tail -n +14 | grep ".$domain$" > .tmp/DNScewl1.txt + [ "$DEEP" = false ] && [ "$(cat .tmp/subs_no_resolved.txt | wc -l)" -gt 100 ] && [ "$(cat .tmp/subs_no_resolved.txt | wc -l)" -le 200 ] && DNScewl --tL .tmp/subs_no_resolved.txt -p $tools/permutations_list.txt --level=0 --subs --no-color 2>>"$LOGFILE" | tail -n +14 | grep ".$domain$" > .tmp/DNScewl1.txt + [ "$DEEP" = false ] && [ "$(cat .tmp/subs_no_resolved.txt | wc -l)" -gt 200 ] && [ "$(cat subdomains/subdomains.txt | wc -l)" -le 100 ] && DNScewl --tL subdomains/subdomains.txt -p $tools/permutations_list.txt --level=0 --subs --no-color 2>>"$LOGFILE" | tail 
-n +14 | grep ".$domain$" > .tmp/DNScewl1.txt [ -s ".tmp/DNScewl1.txt" ] && puredns resolve .tmp/DNScewl1.txt -w .tmp/permute1_tmp.txt -r $resolvers --resolvers-trusted $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT --rate-limit-trusted $PUREDNS_TRUSTED_LIMIT 2>>"$LOGFILE" &>/dev/null [ -s ".tmp/permute1_tmp.txt" ] && cat .tmp/permute1_tmp.txt | anew -q .tmp/permute1.txt [ -s ".tmp/permute1.txt" ] && DNScewl --tL .tmp/permute1.txt -p $tools/permutations_list.txt --level=0 --subs --no-color 2>>"$LOGFILE" | tail -n +14 | grep ".$domain$" > .tmp/DNScewl2.txt @@ -1135,7 +1135,7 @@ function ssrf_checks(){ echo $COLLAB_SERVER_FIX | anew -q .tmp/ssrf_server.txt echo $COLLAB_SERVER | anew -q .tmp/ssrf_server.txt for url in $(cat .tmp/tmp_ssrf.txt); do - ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/ssrf_server.txt -u $url &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf.txt + ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/ssrf_server.txt -u $url 2>>"$LOGFILE" | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf.txt done python3 $tools/ssrf.py $dir/gf/ssrf.txt $COLLAB_SERVER_FIX 2>>"$LOGFILE" | anew -q vulns/ssrf.txt fi @@ -1147,7 +1147,7 @@ function ssrf_checks(){ echo $COLLAB_SERVER_FIX | anew -q .tmp/ssrf_server.txt echo $COLLAB_SERVER | anew -q .tmp/ssrf_server.txt for url in $(cat .tmp/tmp_ssrf.txt); do - ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/ssrf_server.txt -u $url &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf.txt + ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/ssrf_server.txt -u $url 2>>"$LOGFILE" | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf.txt done python3 $tools/ssrf.py $dir/gf/ssrf.txt $COLLAB_SERVER_FIX 2>>"$LOGFILE" | anew -q vulns/ssrf.txt end_func "Results are saved in vulns/ssrf.txt" ${FUNCNAME[0]} 
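Review bot: `"$(cat .tmp/subs_no_resolved.txt | wc -l)"` is evaluated up to four times across the three rewritten lines, each spawning a `cat | wc` pipeline, so the size tiers are hard to read and easy to get out of step. Computing it once before the chain, `subs_count=$(cat .tmp/subs_no_resolved.txt 2>/dev/null | wc -l)`, and testing `[ "$subs_count" -le 100 ]` keeps the current behaviour (a missing file still counts as 0) with two processes instead of eight. The `subdomains/subdomains.txt` count on the third line and the matching reconftw_axiom.sh hunk at `@@ -458,9 +458,9 @@` benefit from the same treatment. sub_permut starts and ends outside the hunk.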
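Review bot: The changed `ffuf … -u $url` lines still take `url` from `for url in $(cat .tmp/tmp_ssrf.txt)` on the context line above, and both the loop and the unquoted `-u $url` word-split and glob-expand each URL, so an entry containing `?`, `*` or `[` is matched against files in the working directory before ffuf sees it. Reading the file with `while IFS= read -r url; do … -u "$url" …; done < .tmp/tmp_ssrf.txt` avoids both. The same loop shape surrounds the second ssrf_checks hunk at `@@ -1147`, the ssti hunk at `@@ -1212` (`.tmp/tmp_ssti.txt`), and the three matching reconftw_axiom.sh hunks in this patch. ssrf_checks starts and ends outside the hunk.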
@@ -1212,7 +1212,7 @@ function ssti(){ if [ -s "gf/ssti.txt" ]; then cat gf/ssti.txt | qsreplace FUZZ | anew -q .tmp/tmp_ssti.txt for url in $(cat .tmp/tmp_ssti.txt); do - ffuf -v -t $FFUF_THREADS -H "${HEADER}" -w $ssti_wordlist -u $url -mr "ssti49" &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssti.txt + ffuf -v -t $FFUF_THREADS -H "${HEADER}" -w $ssti_wordlist -u $url -mr "ssti49" 2>>"$LOGFILE" | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssti.txt done fi end_func "Results are saved in vulns/ssti.txt" ${FUNCNAME[0]} @@ -2148,13 +2148,16 @@ case $opt_mode in fi ;; 'w') - start if [ -n "$list" ]; then + start if [[ "$list" = /* ]]; then cp $list $dir/webs/webs.txt else cp $SCRIPTPATH/$list $dir/webs/webs.txt fi + else + printf "\n\n${bred} Web mode needs a website list file as target (./reconftw.sh -l target.txt -w) ${reset}\n\n" + exit fi webs_menu exit diff --git a/reconftw_axiom.sh b/reconftw_axiom.sh index e074d864..bad21249 100755 --- a/reconftw_axiom.sh +++ b/reconftw_axiom.sh 
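Review bot: The new usage-error branch ends in a bare `exit`, which returns the status of the preceding `printf` (0), so running web mode without `-l` exits successfully and a wrapper or CI job cannot tell the misuse from a completed run; use `exit 1`. The `${bred}`/`${reset}` expansions also sit inside the printf format string; `printf '\n\n%s Web mode needs a website list file as target (./reconftw.sh -l target.txt -w) %s\n\n' "${bred}" "${reset}"` keeps the format fixed and the colour codes as arguments. The `cp $list $dir/webs/webs.txt` and `cp $SCRIPTPATH/$list …` lines in the same arm take a user-supplied path unquoted; `cp -- "$list" "$dir/webs/webs.txt"` is the safe form. The same three points apply to the reconftw_axiom.sh hunk at `@@ -2270,13 +2270,16 @@`.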
@@ -458,9 +458,9 @@ function sub_permut(){ start_subfunc "Running : Permutations Subdomain Enumeration" [ "$DEEP" = true ] && [ -s "subdomains/subdomains.txt" ] && axiom-scan subdomains/subdomains.txt -m dnscewl -o .tmp/DNScewl1_.txt 2>>"$LOGFILE" &>/dev/null - [ "$DEEP" = false ] && [ $(cat .tmp/subs_no_resolved.txt | wc -l) -le 100 ] && axiom-scan .tmp/subs_no_resolved.txt -m dnscewl -o .tmp/DNScewl1_.txt 2>>"$LOGFILE" &>/dev/null - [ "$DEEP" = false ] && [ $(cat .tmp/subs_no_resolved.txt | wc -l) -gt 100 ] && [ $(cat .tmp/subs_no_resolved.txt | wc -l) -le 200 ] && axiom-scan .tmp/subs_no_resolved.txt -m dnscewl -o .tmp/DNScewl1_.txt 2>>"$LOGFILE" &>/dev/null - [ "$DEEP" = false ] && [ $(cat .tmp/subs_no_resolved.txt | wc -l) -gt 200 ] && [ $(cat subdomains/subdomains.txt | wc -l) -le 100 ] && axiom-scan subdomains/subdomains.txt -m dnscewl -o .tmp/DNScewl1_.txt 2>>"$LOGFILE" &>/dev/null + [ "$DEEP" = false ] && [ "$(cat .tmp/subs_no_resolved.txt | wc -l)" -le 100 ] && axiom-scan .tmp/subs_no_resolved.txt -m dnscewl -o .tmp/DNScewl1_.txt 2>>"$LOGFILE" &>/dev/null + [ "$DEEP" = false ] && [ "$(cat .tmp/subs_no_resolved.txt | wc -l)" -gt 100 ] && [ "$(cat .tmp/subs_no_resolved.txt | wc -l)" -le 200 ] && axiom-scan .tmp/subs_no_resolved.txt -m dnscewl -o .tmp/DNScewl1_.txt 2>>"$LOGFILE" &>/dev/null + [ "$DEEP" = false ] && [ "$(cat .tmp/subs_no_resolved.txt | wc -l)" -gt 200 ] && [ "$(cat subdomains/subdomains.txt | wc -l)" -le 100 ] && axiom-scan subdomains/subdomains.txt -m dnscewl -o .tmp/DNScewl1_.txt 2>>"$LOGFILE" &>/dev/null [ -s ".tmp/DNScewl1_.txt" ] && cat .tmp/DNScewl1_.txt | grep ".$domain$" > .tmp/DNScewl1.txt [ -s ".tmp/DNScewl1.txt" ] && axiom-scan .tmp/DNScewl1.txt -m puredns-resolve -r /home/op/lists/resolvers.txt -o .tmp/permute1_tmp.txt 2>>"$LOGFILE" &>/dev/null [ -s ".tmp/permute1_tmp.txt" ] && cat .tmp/permute1_tmp.txt | anew -q .tmp/permute1.txt 
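Review bot: On the three new `axiom-scan` lines, `2>>"$LOGFILE" &>/dev/null` never writes anything to the log: bash applies redirections left to right, and `&>/dev/null` reopens both stdout and stderr onto /dev/null after the append was set up, so the `2>>` is dead. Write `>/dev/null 2>>"$LOGFILE"` (stdout discarded, stderr appended) where the log is wanted. The same sequence appears on new lines in the portscan and spraying hunks of patch 02 (reconftw.sh `@@ -691` and `@@ -1264`, reconftw_axiom.sh `@@ -1289`), the urlchecks hunks of patch 04 (`@@ -896` and `@@ -926`), and both screenshot hunks of patch 08, where the reconftw_axiom.sh line replaces a working `&>>"$LOGFILE"` with it, so stderr that was logged before is now lost. sub_permut starts and ends outside this hunk.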
@@ -1160,7 +1160,7 @@ function ssrf_checks(){ echo $COLLAB_SERVER_FIX | anew -q .tmp/ssrf_server.txt echo $COLLAB_SERVER | anew -q .tmp/ssrf_server.txt for url in $(cat .tmp/tmp_ssrf.txt); do - ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/ssrf_server.txt -u $url &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf.txt + ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/ssrf_server.txt -u $url 2>>"$LOGFILE" | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf.txt done python3 $tools/ssrf.py $dir/gf/ssrf.txt $COLLAB_SERVER_FIX 2>>"$LOGFILE" | anew -q vulns/ssrf.txt fi @@ -1172,7 +1172,7 @@ function ssrf_checks(){ echo $COLLAB_SERVER_FIX | anew -q .tmp/ssrf_server.txt echo $COLLAB_SERVER | anew -q .tmp/ssrf_server.txt for url in $(cat .tmp/tmp_ssrf.txt); do - ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/ssrf_server.txt -u $url &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf.txt + ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/ssrf_server.txt -u $url 2>>"$LOGFILE" | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf.txt done python3 $tools/ssrf.py $dir/gf/ssrf.txt $COLLAB_SERVER_FIX 2>>"$LOGFILE" | anew -q vulns/ssrf.txt end_func "Results are saved in vulns/ssrf.txt" ${FUNCNAME[0]} @@ -1237,7 +1237,7 @@ function ssti(){ if [ -s "gf/ssti.txt" ]; then cat gf/ssti.txt | qsreplace FUZZ | anew -q .tmp/tmp_ssti.txt for url in $(cat .tmp/tmp_ssti.txt); do - ffuf -v -t $FFUF_THREADS -H "${HEADER}" -w $ssti_wordlist -u $url -mr "ssti49" &>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssti.txt + ffuf -v -t $FFUF_THREADS -H "${HEADER}" -w $ssti_wordlist -u $url -mr "ssti49" 2>>"$LOGFILE" | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssti.txt done fi end_func "Results are saved in vulns/ssti.txt" ${FUNCNAME[0]} 
@@ -2270,13 +2270,16 @@ case $opt_mode in fi ;; 'w') - start - if [ -n "$list" ]; then + if [ -n "$list" ]; then + start if [[ "$list" = /* ]]; then cp $list $dir/webs/webs.txt else cp $SCRIPTPATH/$list $dir/webs/webs.txt fi + else + printf "\n\n${bred} Web mode needs a website list file as target (./reconftw.sh -l target.txt -w) ${reset}\n\n" + exit fi webs_menu exit From 33e95168e2be5869d638c5f5285139126256face Mon Sep 17 00:00:00 2001 From: six2dez Date: Sun, 30 May 2021 00:57:09 +0200 Subject: [PATCH 02/15] Various fixes --- install.sh | 7 +++---- reconftw.sh | 13 +++++-------- reconftw_axiom.sh | 11 ++++++----- 3 files changed, 14 insertions(+), 17 deletions(-) diff --git a/install.sh b/install.sh index 38c0b68c..a0f042e8 100755 --- a/install.sh +++ b/install.sh @@ -138,7 +138,6 @@ fi # Installing latest Golang version #version=$(curl -s https://golang.org/VERSION?m=text) version=go1.15.10 -eval type -P go $DEBUG_STD || { golang_installed=false; } printf "${bblue} Running: Installing/Updating Golang ${reset}\n\n" if [[ $(eval type go $DEBUG_ERROR | grep -o 'go is') == "go is" ]] && [ "$version" = $(go version | cut -d " " -f3) ] then @@ -179,7 +178,7 @@ mkdir -p ~/.config/amass/ mkdir -p ~/.config/nuclei/ touch $dir/.github_tokens -eval wget https://bootstrap.pypa.io/get-pip.py $DEBUG_STD && eval python3 get-pip.py $DEBUG_STD +eval wget -N -c https://bootstrap.pypa.io/get-pip.py $DEBUG_STD && eval python3 get-pip.py $DEBUG_STD eval ln -s /usr/local/bin/pip3 /usr/bin/pip3 $DEBUG_STD eval pip3 install -U -r requirements.txt $DEBUG_STD @@ -233,7 +232,7 @@ for repo in "${!repos[@]}"; do elif [ "Gf-Patterns" = "$repo" ]; then eval mv *.json ~/.gf $DEBUG_ERROR fi - cd $dir + cd "$dir" || { echo "Failed to cd to $dir in ${FUNCNAME[0]} @ line ${LINENO}"; exit 1; } done if [ "True" = "$IS_ARM" ] 
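Review bot: `eval wget -N -c https://bootstrap.pypa.io/get-pip.py $DEBUG_STD && eval python3 get-pip.py $DEBUG_STD` executes whatever was downloaded with no integrity check, and `-c` can resume a partial `get-pip.py` left in `$dir` by an earlier run, so a truncated or altered file is run with the installer's privileges without any signal. Recording the expected digest and verifying it between the two commands, `echo "<EXPECTED_SHA256>  get-pip.py" | sha256sum -c - || exit 1`, or installing `python3-pip` from the distribution packages already handled in install_apt, closes that gap. The findomain release binary moved into `/usr/bin` in patch 06 (`@@ -245`) follows the same download-and-install pattern with no verification.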
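Review bot: The new `cd "$dir" || { echo "Failed to cd to $dir in ${FUNCNAME[0]} @ line ${LINENO}"; exit 1; }` appears to run in a top-level `for repo` loop (the hunk header shows `for repo in "${!repos[@]}"; do`, not a function), where `${FUNCNAME[0]}` expands to nothing and the message reads `in  @ line N`; drop it or use `${BASH_SOURCE[0]}`. The message is also written to stdout; `echo … >&2` keeps it out of any captured output. The same line is added at `@@ -297,7 +296,7 @@` in the next hunk.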
@@ -297,7 +296,7 @@ if [ "$double_check" = "true" ]; then elif [ "Gf-Patterns" = "$repo" ]; then eval mv *.json ~/.gf $DEBUG_ERROR fi - cd $dir + cd "$dir" || { echo "Failed to cd to $dir in ${FUNCNAME[0]} @ line ${LINENO}"; exit 1; } done fi diff --git a/reconftw.sh b/reconftw.sh index b615e911..37c6bd35 100755 --- a/reconftw.sh +++ b/reconftw.sh 
@@ -609,11 +609,8 @@ function webprobe_full(){ [ -s "subdomains/subdomains.txt" ] && sudo unimap --fast-scan -f subdomains/subdomains.txt --ports $UNCOMMON_PORTS_WEB -q -k --url-output 2>>"$LOGFILE" | anew -q .tmp/nmap_uncommonweb.txt [ -s ".tmp/nmap_uncommonweb.txt" ] && cat .tmp/nmap_uncommonweb.txt | httpx -follow-host-redirects -random-agent -status-code -threads $HTTPX_UNCOMMONPORTS_THREADS -timeout $HTTPX_UNCOMMONPORTS_TIMEOUT -silent -retries 2 -no-color 2>>"$LOGFILE" | cut -d ' ' -f1 | grep ".$domain" | anew -q .tmp/probed_uncommon_ports_tmp.txt - #timeout_secs=$(($(cat subdomains/subdomains.txt | wc -l)*5+10)) - #cat subdomains/subdomains.txt | timeout $timeout_secs naabu -p $UNCOMMON_PORTS_WEB -o .tmp/nmap_uncommonweb.txt &>>"$LOGFILE" && uncommon_ports_checked=$(cat .tmp/nmap_uncommonweb.txt | cut -d ':' -f2 | sort -u | sed -e 'H;${x;s/\n/,/g;s/^,//;p;};d') - #if [ -n "$uncommon_ports_checked" ]; then - #cat subdomains/subdomains.txt | httpx -ports $uncommon_ports_checked -follow-host-redirects -random-agent -status-code -threads $HTTPX_UNCOMMONPORTS_THREADS -timeout 10 -silent -retries 2 -no-color | cut -d ' ' -f1 | grep ".$domain" | anew -q .tmp/probed_uncommon_ports_tmp.txt - #fi + #cat subdomains/subdomains.txt | httpx -ports $UNCOMMON_PORTS_WEB -follow-host-redirects -random-agent -status-code -threads $HTTPX_UNCOMMONPORTS_THREADS -timeout $HTTPX_UNCOMMONPORTS_TIMEOUT -silent -retries 2 -no-color 2>>"$LOGFILE" | cut -d ' ' -f1 | grep ".$domain" | anew -q .tmp/probed_uncommon_ports_tmp.txt + NUMOFLINES=$(cat .tmp/probed_uncommon_ports_tmp.txt 2>>"$LOGFILE" | anew webs/webs_uncommon_ports.txt | wc -l) notification "Uncommon web ports: ${NUMOFLINES} new websites" good [ -s "webs/webs_uncommon_ports.txt" ] && cat webs/webs_uncommon_ports.txt 
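Review bot: The replacement line is still commented-out code (`#cat subdomains/subdomains.txt | httpx -ports $UNCOMMON_PORTS_WEB …`) placed next to the live unimap/httpx pipeline, so the block now carries two probing variants and no indication of which is authoritative. If it is an alternative worth keeping, a one-line comment such as `# Alternative when unimap is unavailable: probe the uncommon ports directly with httpx` above it would say so; otherwise git history already preserves the removed lines. webprobe_full starts and ends outside the hunk.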
@@ -691,7 +688,7 @@ function portscan(){ done fi if [ "$PORTSCAN_ACTIVE" = true ]; then - [ -s ".tmp/ips_nowaf.txt" ] && sudo nmap --top-ports 1000 -sV -n --max-retries 2 -Pn -iL .tmp/ips_nowaf.txt -oN hosts/portscan_active.txt -oG .tmp/nmap_grep.gnmap 2>>"$LOGFILE" &>/dev/null + [ -s ".tmp/ips_nowaf.txt" ] && sudo nmap --top-ports 1000 -sV -n --max-retries 2 -Pn -iL .tmp/ips_nowaf.txt -oN hosts/portscan_active.txt -oG .tmp/portscan_active.gnmap 2>>"$LOGFILE" &>/dev/null fi end_func "Results are saved in hosts/portscan_[passive|active].txt" ${FUNCNAME[0]} else @@ -1264,9 +1261,9 @@ function spraying(){ if { [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]; } && [ "$SPRAY" = true ]; then start_func "Password spraying" cd "$tools/brutespray" || { echo "Failed to cd directory in ${FUNCNAME[0]} @ line ${LINENO}"; exit 1; } - python3 brutespray.py --file $dir/.tmp/nmap_grep.gnmap --threads $BRUTESPRAY_THREADS --hosts $BRUTESPRAY_CONCURRENCE -o $dir/hosts/brutespray.txt 2>>"$LOGFILE" &>/dev/null + python3 brutespray.py --file $dir/.tmp/portscan_active.gnmap --threads $BRUTESPRAY_THREADS --hosts $BRUTESPRAY_CONCURRENCE -o $dir/hosts/brutespray 2>>"$LOGFILE" &>/dev/null cd "$dir" || { echo "Failed to cd directory in ${FUNCNAME[0]} @ line ${LINENO}"; exit 1; } - end_func "Results are saved in hosts/brutespray.txt" ${FUNCNAME[0]} + end_func "Results are saved in hosts/brutespray folder" ${FUNCNAME[0]} else if [ "$SPRAY" = false ]; then printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" diff --git a/reconftw_axiom.sh b/reconftw_axiom.sh index bad21249..9f4355b8 100755 --- a/reconftw_axiom.sh +++ b/reconftw_axiom.sh 
@@ -713,7 +713,8 @@ function portscan(){ done fi if [ "$PORTSCAN_ACTIVE" = true ]; then - [ -s ".tmp/ips_nowaf.txt" ] && axiom-scan .tmp/ips_nowaf.txt -m nmapx --top-ports 1000 -sV -n -Pn --max-retries 2 -o hosts/portscan_active.txt 2>>"$LOGFILE" &>/dev/null + [ -s ".tmp/ips_nowaf.txt" ] && axiom-scan .tmp/ips_nowaf.txt -m nmapx --top-ports 1000 -sV -n -Pn --max-retries 2 -o hosts/portscan_active.gnmap 2>>"$LOGFILE" &>/dev/null + [ -s "hosts/portscan_active.gnmap" ] && cat hosts/portscan_active.gnmap | egrep -v "^#|Status: Up" | cut -d' ' -f2,4- | sed -n -e 's/Ignored.*//p' | awk '{print "Host: " $1 " Ports: " NF-1; $1=""; for(i=2; i<=NF; i++) { a=a" "$i; }; split(a,s,","); for(e in s) { split(s[e],v,"/"); printf "%-8s %s/%-7s %s\n" , v[2], v[3], v[1], v[5]}; a="" }' > hosts/portscan_active.txt 2>>"$LOGFILE" &>/dev/null fi end_func "Results are saved in hosts/portscan_[passive|active].txt" ${FUNCNAME[0]} else @@ -811,7 +812,7 @@ function fuzz(){ sub_out=$(echo $sub | sed -e 's|^[^/]*//||' -e 's|/.*$||') grep "$sub" $dir/fuzzing/ffuf-content.tmp | awk '{print $2" "$3" "$1}' | sort -k1 | anew -q $dir/fuzzing/${sub_out}.txt done - rm -f $dir/fuzzing/ffuf-content.tmp + rm -f $dir/fuzzing/ffuf-content.tmp $dir/fuzzing/ffuf-content.csv end_func "Results are saved in $domain/fuzzing/*subdomain*.txt" ${FUNCNAME[0]} else end_func "No $domain/web/webs.txts file found, fuzzing skipped " ${FUNCNAME[0]} 
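Review bot: On the new gnmap-to-text line, the trailing `> hosts/portscan_active.txt 2>>"$LOGFILE" &>/dev/null` leaves `hosts/portscan_active.txt` empty: bash applies redirections left to right, so `&>/dev/null` redirects stdout again after the output file was opened and truncated, and the awk output goes to /dev/null. Drop the `&>/dev/null`, keeping `> hosts/portscan_active.txt 2>>"$LOGFILE"`. `egrep` is also deprecated in favour of `grep -E`, and `cat hosts/portscan_active.gnmap | egrep -v …` can read the file directly with `grep -Ev "^#|Status: Up" hosts/portscan_active.gnmap`. portscan's body continues outside the hunk.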
@@ -1289,9 +1290,9 @@ function spraying(){ if { [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]; } && [ "$SPRAY" = true ]; then start_func "Password spraying" cd "$tools/brutespray" || { echo "Failed to cd directory in ${FUNCNAME[0]} @ line ${LINENO}"; exit 1; } - python3 brutespray.py --file $dir/hosts/portscan_active.txt --threads $BRUTESPRAY_THREADS --hosts $BRUTESPRAY_CONCURRENCE -o $dir/hosts/brutespray.txt 2>>"$LOGFILE" &>/dev/null + python3 brutespray.py --file $dir/hosts/portscan_active.gnmap --threads $BRUTESPRAY_THREADS --hosts $BRUTESPRAY_CONCURRENCE -o $dir/hosts/brutespray 2>>"$LOGFILE" &>/dev/null cd "$dir" || { echo "Failed to cd directory in ${FUNCNAME[0]} @ line ${LINENO}"; exit 1; } - end_func "Results are saved in hosts/brutespray.txt" ${FUNCNAME[0]} + end_func "Results are saved in hosts/brutespray folder" ${FUNCNAME[0]} else if [ "$SPRAY" = false ]; then printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" @@ -1306,7 +1307,7 @@ function 4xxbypass(){ if [[ $(cat fuzzing/*.txt 2>/dev/null | grep -E '^4' | grep -Ev '^404' | cut -d ' ' -f3 | wc -l) -le 1000 ]] || [ "$DEEP" = true ]; then start_func "403 bypass" cat fuzzing/*.txt 2>>"$LOGFILE" | grep -E '^4' | grep -Ev '^404' | cut -d ' ' -f3 > .tmp/dirdar_test.txt - axiom-scan .tmp/dirdar_test.txt -m dirdar -threads $DIRDAR_THREADS -only-ok > .tmp/dirdar.txt + axiom-scan .tmp/dirdar_test.txt -m dirdar -threads $DIRDAR_THREADS -only-ok -o .tmp/dirdar.txt [ -s ".tmp/dirdar.txt" ] && cat .tmp/dirdar.txt | sed -e '1,12d' | sed '/^$/d' | anew -q vulns/4xxbypass.txt end_func "Results are saved in vulns/4xxbypass.txt" ${FUNCNAME[0]} else From 4f76b75b317ead8c648088da144321374c221015 Mon Sep 17 00:00:00 2001 From: six2dez Date: Sun, 30 May 2021 01:28:37 +0200 Subject: [PATCH 03/15] Added more templates --- install.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/install.sh b/install.sh index a0f042e8..3a280de1 100755 
--- a/install.sh +++ b/install.sh @@ -201,8 +201,10 @@ printf "${bblue}\n Running: Installing repositories (${#repos[@]})${reset}\n\n" # Repos with special configs eval git clone https://github.com/projectdiscovery/nuclei-templates ~/nuclei-templates $DEBUG_STD +eval git clone https://github.com/geeknik/the-nuclei-templates.git ~/nuclei-templates/extra_templates $DEBUG_STD eval nuclei -update-templates $DEBUG_STD -eval sed -i 's/^miscellaneous/#miscellaneous/' ~/nuclei-templates/.nuclei-ignore $DEBUG_ERROR +eval cd ~/nuclei-templates/extra_templates && git pull $DEBUG_STD +cd "$dir" || { echo "Failed to cd to $dir in ${FUNCNAME[0]} @ line ${LINENO}"; exit 1; } eval sed -i 's/^#random-agent: false/random-agent: true/' ~/.config/nuclei/config.yaml $DEBUG_ERROR eval git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git $dir/sqlmap $DEBUG_STD eval git clone --depth 1 https://github.com/drwetter/testssl.sh.git $dir/testssl.sh $DEBUG_STD From bb64be96d285cf70b305671c746b43a692ea1e38 Mon Sep 17 00:00:00 2001 From: six2dez Date: Mon, 31 May 2021 08:59:19 +0200 Subject: [PATCH 04/15] urldedupe instead uddup && axiom dirdar fix --- install.sh | 7 ++++++- reconftw.sh | 5 +++-- reconftw_axiom.sh | 5 +++-- requirements.txt | 1 - 4 files changed, 12 insertions(+), 6 deletions(-) diff --git a/install.sh b/install.sh index 3a280de1..31e40cda 100755 --- a/install.sh +++ b/install.sh @@ -60,6 +60,7 @@ repos["ip2provider"]="oldrho/ip2provider" repos["commix"]="commixproject/commix" repos["JSA"]="w9w/JSA" repos["AnalyticsRelationships"]="Josue87/AnalyticsRelationships" +repos["urldedupe"]="ameenmaali/urldedupe" dir=${tools} double_check=false 
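Review bot: `eval git clone https://github.com/geeknik/the-nuclei-templates.git ~/nuclei-templates/extra_templates $DEBUG_STD` followed by the `git pull` on the next added line takes whatever the third-party repository's default branch holds at install time, with no tag or commit pinned; templates decide what the scanner sends and what it flags, so an upstream change silently alters scan behaviour and results between two installs of the same reconftw version. Pinning a reviewed ref, `git clone --branch <REVIEWED_TAG> …` or a recorded commit checked out after the clone, and noting it in install.sh makes the template set reproducible and auditable. The `git pull` also has no error handling, so an offline install continues with whatever the clone left behind; a `|| printf '%s\n' "warning: extra templates not updated" >&2` would at least surface it.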
@@ -233,6 +234,10 @@ for repo in "${!repos[@]}"; do eval cp -r examples ~/.gf $DEBUG_ERROR elif [ "Gf-Patterns" = "$repo" ]; then eval mv *.json ~/.gf $DEBUG_ERROR + elif [ "urldedupe" = "$repo" ]; then + eval cmake CMakeLists.txt $DEBUG_STD + eval make $DEBUG_STD + eval cp ./urldedupe /usr/bin/ $DEBUG_STD fi cd "$dir" || { echo "Failed to cd to $dir in ${FUNCNAME[0]} @ line ${LINENO}"; exit 1; } done @@ -313,7 +318,7 @@ eval h8mail -g $DEBUG_STD ## Stripping all Go binaries eval strip -s $HOME/go/bin/* $DEBUG_STD -eval $SUDO cp $HOME/go/bin/* /usr/bin $DEBUG_STD +eval $SUDO cp $HOME/go/bin/* /usr/bin/ $DEBUG_STD printf "${yellow} Remember set your api keys:\n - amass (~/.config/amass/config.ini)\n - subfinder (~/.config/subfinder/config.yaml)\n - GitHub (~/Tools/.github_tokens)\n - SHODAN (SHODAN_API_KEY in reconftw.cfg)\n - SSRF Server (COLLAB_SERVER in reconftw.cfg) \n - Blind XSS Server (XSS_SERVER in reconftw.cfg) \n - notify (~/.config/notify/notify.conf) \n - theHarvester (~/Tools/theHarvester/api-keys.yml)\n - H8mail (~/Tools/h8mail_config.ini)\n\n${reset}" printf "${bgreen} Finished!${reset}\n\n" diff --git a/reconftw.sh b/reconftw.sh index 37c6bd35..d519b23e 100755 --- a/reconftw.sh +++ b/reconftw.sh @@ -102,6 +102,7 @@ function tools_installed(){ type -P gdn &>/dev/null || { printf "${bred} [*] gdn [NO]${reset}\n"; allinstalled=false;} type -P resolveDomains &>/dev/null || { printf "${bred} [*] resolveDomains [NO]${reset}\n"; allinstalled=false;} type -P emailfinder &>/dev/null || { printf "${bred} [*] emailfinder [NO]${reset}\n"; allinstalled=false;} + type -P urldedupe &>/dev/null || { printf "${bred} [*] urldedupe [NO]${reset}\n"; allinstalled=false;} if [ "${allinstalled}" = true ]; then printf "${bgreen} Good! All installed! ${reset}\n\n" 
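Review bot: The new `urldedupe` branch runs `eval cmake CMakeLists.txt $DEBUG_STD`, `eval make $DEBUG_STD` and `eval cp ./urldedupe /usr/bin/ $DEBUG_STD` as three independent statements, so a failed configure or build is not noticed and the copy either fails or installs a stale binary left from an earlier run; chaining them, `eval cmake CMakeLists.txt $DEBUG_STD && eval make $DEBUG_STD && eval cp ./urldedupe /usr/bin/ $DEBUG_STD`, stops at the first failure. Both this line and `eval $SUDO cp $HOME/go/bin/* /usr/bin/ $DEBUG_STD` in the next hunk install locally built binaries into `/usr/bin`, a path the distribution package manager owns; `/usr/local/bin` is the conventional location for locally built tools and avoids clobbering, or being clobbered by, apt-managed files. The loop body starts outside the hunk.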
@@ -610,7 +611,7 @@ function webprobe_full(){ [ -s ".tmp/nmap_uncommonweb.txt" ] && cat .tmp/nmap_uncommonweb.txt | httpx -follow-host-redirects -random-agent -status-code -threads $HTTPX_UNCOMMONPORTS_THREADS -timeout $HTTPX_UNCOMMONPORTS_TIMEOUT -silent -retries 2 -no-color 2>>"$LOGFILE" | cut -d ' ' -f1 | grep ".$domain" | anew -q .tmp/probed_uncommon_ports_tmp.txt #cat subdomains/subdomains.txt | httpx -ports $UNCOMMON_PORTS_WEB -follow-host-redirects -random-agent -status-code -threads $HTTPX_UNCOMMONPORTS_THREADS -timeout $HTTPX_UNCOMMONPORTS_TIMEOUT -silent -retries 2 -no-color 2>>"$LOGFILE" | cut -d ' ' -f1 | grep ".$domain" | anew -q .tmp/probed_uncommon_ports_tmp.txt - + NUMOFLINES=$(cat .tmp/probed_uncommon_ports_tmp.txt 2>>"$LOGFILE" | anew webs/webs_uncommon_ports.txt | wc -l) notification "Uncommon web ports: ${NUMOFLINES} new websites" good [ -s "webs/webs_uncommon_ports.txt" ] && cat webs/webs_uncommon_ports.txt @@ -896,7 +897,7 @@ function urlchecks(){ [ -s "js/url_extract_js.txt" ] && cat js/url_extract_js.txt | python3 $tools/JSA/jsa.py | anew -q .tmp/url_extract_tmp.txt fi cat .tmp/url_extract_tmp.txt webs/param.txt 2>>"$LOGFILE" | grep "${domain}" | grep "=" | qsreplace -a 2>>"$LOGFILE" | grep -Eiv "\.(eot|jpg|jpeg|gif|css|tif|tiff|png|ttf|otf|woff|woff2|ico|pdf|svg|txt|js)$" | anew -q .tmp/url_extract_tmp2.txt - [ -s ".tmp/url_extract_tmp2.txt" ] && uddup -u .tmp/url_extract_tmp2.txt -o .tmp/url_extract_uddup.txt 2>>"$LOGFILE" &>/dev/null + [ -s ".tmp/url_extract_tmp2.txt" ] && cat .tmp/url_extract_tmp2.txt | urldedupe -s -qs | anew -q .tmp/url_extract_uddup.txt 2>>"$LOGFILE" &>/dev/null NUMOFLINES=$(cat .tmp/url_extract_uddup.txt 2>>"$LOGFILE" | anew webs/url_extract.txt | wc -l) notification "${NUMOFLINES} new urls with params" info end_func "Results are saved in $domain/webs/url_extract.txt" ${FUNCNAME[0]} diff --git a/reconftw_axiom.sh b/reconftw_axiom.sh index 9f4355b8..2c7a1345 100755 --- a/reconftw_axiom.sh +++ b/reconftw_axiom.sh 
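Review bot: The new line writes urldedupe's output to `.tmp/url_extract_uddup.txt`, a name that refers to the tool this commit removes, and the `NUMOFLINES` line below reads it under the same name; renaming both to `.tmp/url_extract_dedupe.txt` keeps the intermediate files self-describing. `cat .tmp/url_extract_tmp2.txt | urldedupe -s -qs` can also read the file directly, `urldedupe -s -qs < .tmp/url_extract_tmp2.txt`. The reconftw_axiom.sh urlchecks hunk at `@@ -926` has the same two points. urlchecks starts and ends outside the hunk.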
@@ -102,6 +102,7 @@ function tools_installed(){ type -P gdn &>/dev/null || { printf "${bred} [*] gdn [NO]${reset}\n"; allinstalled=false;} type -P resolveDomains &>/dev/null || { printf "${bred} [*] resolveDomains [NO]${reset}\n"; allinstalled=false;} type -P emailfinder &>/dev/null || { printf "${bred} [*] emailfinder [NO]${reset}\n"; allinstalled=false;} + type -P urldedupe &>/dev/null || { printf "${bred} [*] urldedupe [NO]${reset}\n"; allinstalled=false;} type -P axiom-ls &>/dev/null || { printf "${bred} [*] axiom [NO]${reset}\n${reset}"; allinstalled=false;} if [ "${allinstalled}" = true ]; then @@ -926,7 +927,7 @@ function urlchecks(){ [ -s "js/url_extract_js.txt" ] && cat js/url_extract_js.txt | python3 $tools/JSA/jsa.py | anew -q .tmp/url_extract_tmp.txt fi cat .tmp/url_extract_tmp.txt webs/param.txt 2>>"$LOGFILE" | grep "${domain}" | grep "=" | qsreplace -a 2>>"$LOGFILE" | grep -Eiv "\.(eot|jpg|jpeg|gif|css|tif|tiff|png|ttf|otf|woff|woff2|ico|pdf|svg|txt|js)$" | anew -q .tmp/url_extract_tmp2.txt - uddup -u .tmp/url_extract_tmp2.txt -o .tmp/url_extract_uddup.txt 2>>"$LOGFILE" &>/dev/null + [ -s ".tmp/url_extract_tmp2.txt" ] && cat .tmp/url_extract_tmp2.txt | urldedupe -s -qs | anew -q .tmp/url_extract_uddup.txt 2>>"$LOGFILE" &>/dev/null NUMOFLINES=$(cat .tmp/url_extract_uddup.txt 2>>"$LOGFILE" | anew webs/url_extract.txt | wc -l) notification "${NUMOFLINES} new urls with params" info end_func "Results are saved in $domain/webs/url_extract.txt" ${FUNCNAME[0]} 
@@ -1307,7 +1308,7 @@ function 4xxbypass(){ if [[ $(cat fuzzing/*.txt 2>/dev/null | grep -E '^4' | grep -Ev '^404' | cut -d ' ' -f3 | wc -l) -le 1000 ]] || [ "$DEEP" = true ]; then start_func "403 bypass" cat fuzzing/*.txt 2>>"$LOGFILE" | grep -E '^4' | grep -Ev '^404' | cut -d ' ' -f3 > .tmp/dirdar_test.txt - axiom-scan .tmp/dirdar_test.txt -m dirdar -threads $DIRDAR_THREADS -only-ok -o .tmp/dirdar.txt + axiom-scan .tmp/dirdar_test.txt -m dirdar -o .tmp/dirdar.txt [ -s ".tmp/dirdar.txt" ] && cat .tmp/dirdar.txt | sed -e '1,12d' | sed '/^$/d' | anew -q vulns/4xxbypass.txt end_func "Results are saved in vulns/4xxbypass.txt" ${FUNCNAME[0]} else diff --git a/requirements.txt b/requirements.txt index c0ce4d7c..c2e1ad11 100644 --- a/requirements.txt +++ b/requirements.txt @@ -18,7 +18,6 @@ aiohttp termcolors==0.1.0 future fuzzywuzzy -uddup metafinder aiodns==2.0.0 aiomultiprocess==0.8.0 From 96700f87e1fa5d4fa64e71bcc5f69a93aedc4014 Mon Sep 17 00:00:00 2001 From: six2dez Date: Mon, 31 May 2021 09:02:39 +0200 Subject: [PATCH 05/15] Fix IP/CIDR detection --- reconftw.sh | 14 +++++++------- reconftw_axiom.sh | 14 +++++++------- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/reconftw.sh b/reconftw.sh index d519b23e..2f986eb0 100755 --- a/reconftw.sh +++ b/reconftw.sh @@ -1463,7 +1463,6 @@ function resolvers_update(){ } function ipcidr_detection(){ - if [[ $1 =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9] ]]; then if [[ $1 =~ /[0-9]+$ ]]; then prips $1 | hakrevdns prips $1 | gdn 
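Review bot: Dropping `-threads $DIRDAR_THREADS -only-ok` from the `axiom-scan … -m dirdar` call changes what ends up in vulns/4xxbypass.txt: without `-only-ok`, whatever dirdar prints for unsuccessful attempts now passes through the `sed -e '1,12d' | sed '/^$/d'` filter on the next line, which only strips a header, not failures. If the axiom module does not accept these flags (which the title's "axiom dirdar fix" suggests), a comment above the line saying so, `# axiom dirdar module does not pass -threads/-only-ok through; filter results below`, plus an explicit filter for successful results, would keep the output comparable with reconftw.sh. `DIRDAR_THREADS` also appears to be unused on this path now, so its setting in reconftw.cfg is misleading for axiom users. 4xxbypass continues outside the hunk.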
@@ -1471,15 +1470,16 @@ function ipcidr_detection(){ echo $1 | hakrevdns echo $1 | gdn fi - fi } function ipcidr_target(){ - ipcidr_detection $1 | cut -d' ' -f3 | unfurl -u domains 2>/dev/null | sed 's/\.$//' | sort -u > ./target_reconftw_ipcidr.txt - if [[ $(cat ./target_reconftw_ipcidr.txt | wc -l) -eq 1 ]]; then - domain=$(cat ./target_reconftw_ipcidr.txt) - elif [[ $(cat ./target_reconftw_ipcidr.txt | wc -l) -gt 1 ]]; then - list=${PWD}/target_reconftw_ipcidr.txt + if [[ $1 =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9] ]]; then + ipcidr_detection $1 | cut -d' ' -f3 | unfurl -u domains 2>/dev/null | sed 's/\.$//' | sort -u > ./target_reconftw_ipcidr.txt + if [[ $(cat ./target_reconftw_ipcidr.txt | wc -l) -eq 1 ]]; then + domain=$(cat ./target_reconftw_ipcidr.txt) + elif [[ $(cat ./target_reconftw_ipcidr.txt | wc -l) -gt 1 ]]; then + list=${PWD}/target_reconftw_ipcidr.txt + fi fi } diff --git a/reconftw_axiom.sh b/reconftw_axiom.sh index 2c7a1345..fb56407c 100755 --- a/reconftw_axiom.sh +++ b/reconftw_axiom.sh @@ -1497,7 +1497,6 @@ function resolvers_update(){ } function ipcidr_detection(){ - if [[ $1 =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9] ]]; then if [[ $1 =~ /[0-9]+$ ]]; then prips $1 | hakrevdns prips $1 | gdn 
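Review bot: The guard moved into ipcidr_target, `[[ $1 =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9] ]]`, is anchored only at the start, so any argument that merely begins with four dotted numbers is treated as an IP or CIDR and passed unquoted to `prips $1` and `echo $1 | hakrevdns` in ipcidr_detection, which no longer has a check of its own. Anchoring the pattern, `^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$`, and quoting `"$1"` in the three calls rejects malformed targets before a subprocess sees them. If ipcidr_detection has other callers than ipcidr_target, it now relies on each of them to validate first; a one-line comment on it, `# Caller must have validated $1 as IPv4 or CIDR (see ipcidr_target)`, records that contract. The reconftw_axiom.sh hunks at `@@ -1497` and `@@ -1505` are identical, and ipcidr_detection's body starts outside the hunk.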
@@ -1505,15 +1504,16 @@ function ipcidr_detection(){ echo $1 | hakrevdns echo $1 | gdn fi - fi } function ipcidr_target(){ - ipcidr_detection $1 | cut -d' ' -f3 | unfurl -u domains 2>/dev/null | sed 's/\.$//' | sort -u > ./target_reconftw_ipcidr.txt - if [[ $(cat ./target_reconftw_ipcidr.txt | wc -l) -eq 1 ]]; then - domain=$(cat ./target_reconftw_ipcidr.txt) - elif [[ $(cat ./target_reconftw_ipcidr.txt | wc -l) -gt 1 ]]; then - list=${PWD}/target_reconftw_ipcidr.txt + if [[ $1 =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9] ]]; then + ipcidr_detection $1 | cut -d' ' -f3 | unfurl -u domains 2>/dev/null | sed 's/\.$//' | sort -u > ./target_reconftw_ipcidr.txt + if [[ $(cat ./target_reconftw_ipcidr.txt | wc -l) -eq 1 ]]; then + domain=$(cat ./target_reconftw_ipcidr.txt) + elif [[ $(cat ./target_reconftw_ipcidr.txt | wc -l) -gt 1 ]]; then + list=${PWD}/target_reconftw_ipcidr.txt + fi fi } From 1dd309e90d1371a064646a168c96ea99c8c2214a Mon Sep 17 00:00:00 2001 From: six2dez Date: Mon, 31 May 2021 09:56:46 +0200 Subject: [PATCH 06/15] Intaller cmake added --- install.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/install.sh b/install.sh index 31e40cda..64d27c7f 100755 --- a/install.sh +++ b/install.sh 
@@ -92,7 +92,7 @@ install_apt(){ eval $SUDO apt update -y $DEBUG_STD eval $SUDO DEBIAN_FRONTEND="noninteractive" apt install chromium-browser -y $DEBUG_STD eval $SUDO DEBIAN_FRONTEND="noninteractive" apt install chromium -y $DEBUG_STD - eval $SUDO DEBIAN_FRONTEND="noninteractive" apt install python3 python3-pip gcc build-essential ruby git curl libpcap-dev wget zip python3-dev pv dnsutils libssl-dev libffi-dev libxml2-dev libxslt1-dev zlib1g-dev nmap jq apt-transport-https lynx tor medusa xvfb -y $DEBUG_STD + eval $SUDO DEBIAN_FRONTEND="noninteractive" apt install python3 python3-pip gcc build-essential cmake ruby git curl libpcap-dev wget zip python3-dev pv dnsutils libssl-dev libffi-dev libxml2-dev libxslt1-dev zlib1g-dev nmap jq apt-transport-https lynx tor medusa xvfb -y $DEBUG_STD eval $SUDO systemctl enable tor $DEBUG_STD } @@ -204,7 +204,7 @@ printf "${bblue}\n Running: Installing repositories (${#repos[@]})${reset}\n\n" eval git clone https://github.com/projectdiscovery/nuclei-templates ~/nuclei-templates $DEBUG_STD eval git clone https://github.com/geeknik/the-nuclei-templates.git ~/nuclei-templates/extra_templates $DEBUG_STD eval nuclei -update-templates $DEBUG_STD -eval cd ~/nuclei-templates/extra_templates && git pull $DEBUG_STD +cd ~/nuclei-templates/extra_templates && eval git pull $DEBUG_STD cd "$dir" || { echo "Failed to cd to $dir in ${FUNCNAME[0]} @ line ${LINENO}"; exit 1; } eval sed -i 's/^#random-agent: false/random-agent: true/' ~/.config/nuclei/config.yaml $DEBUG_ERROR eval git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git $dir/sqlmap $DEBUG_STD @@ -237,7 +237,7 @@ for repo in "${!repos[@]}"; do elif [ "urldedupe" = "$repo" ]; then eval cmake CMakeLists.txt $DEBUG_STD eval make $DEBUG_STD - eval cp ./urldedupe /usr/bin/ $DEBUG_STD + eval $SUDO cp ./urldedupe /usr/bin/ $DEBUG_STD fi cd "$dir" || { echo "Failed to cd to $dir in ${FUNCNAME[0]} @ line ${LINENO}"; exit 1; } done 
@@ -245,7 +245,7 @@ done if [ "True" = "$IS_ARM" ] then eval wget -N -c https://github.com/Findomain/Findomain/releases/latest/download/findomain-armv7 $DEBUG_STD - eval $SUDO mv findomain-armv7 /usr/local/bin/findomain + eval $SUDO mv findomain-armv7 /usr/bin/findomain else eval wget -N -c https://github.com/Findomain/Findomain/releases/latest/download/findomain-linux $DEBUG_STD eval wget -N -c https://github.com/sensepost/gowitness/releases/download/2.3.4/gowitness-2.3.4-linux-amd64 $DEBUG_STD From dc3fdf554fd33f1c803fba4982520fd177b411c3 Mon Sep 17 00:00:00 2001 From: six2dez Date: Mon, 31 May 2021 10:28:47 +0200 Subject: [PATCH 07/15] emailfinder fix && pip installer --- install.sh | 2 +- reconftw.sh | 2 +- reconftw_axiom.sh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/install.sh b/install.sh index 64d27c7f..30fb9b3e 100755 --- a/install.sh +++ b/install.sh @@ -181,7 +181,7 @@ touch $dir/.github_tokens eval wget -N -c https://bootstrap.pypa.io/get-pip.py $DEBUG_STD && eval python3 get-pip.py $DEBUG_STD eval ln -s /usr/local/bin/pip3 /usr/bin/pip3 $DEBUG_STD -eval pip3 install -U -r requirements.txt $DEBUG_STD +eval pip3 install -I -r requirements.txt $DEBUG_STD printf "${bblue} Running: Installing Golang tools (${#gotools[@]})${reset}\n\n" go_step=0 diff --git a/reconftw.sh b/reconftw.sh index 2f986eb0..18946076 100755 --- a/reconftw.sh +++ b/reconftw.sh 
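Review bot: `eval pip3 install -I -r requirements.txt $DEBUG_STD` switches to `--ignore-installed`, which reinstalls every requirement into the system site-packages even when the same version is already present from a distribution package, so files owned by apt-managed Python packages can be overwritten and what the interpreter actually loads diverges from what the package manager records. If the aim is to refresh the pinned versions, the previous `-U` already did that; if one package needs a forced reinstall, `--force-reinstall` on that package alone, or installing the tool's dependencies into a virtual environment, leaves the system interpreter intact. The `pip3 install` also runs with no status check, so a partially failed install goes unnoticed until a tool is missing at runtime.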
@@ -178,7 +178,7 @@ function metadata(){
 function emails(){
 if { [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]; } && [ "$EMAILS" = true ] && [ "$OSINT" = true ]; then
 start_func "Searching emails/users/passwords leaks"
- emailfinder -d $domain | anew -q .tmp/emailfinder.txt
+ emailfinder -d $domain 2>>"$LOGFILE" | anew -q .tmp/emailfinder.txt
 [ -s ".tmp/emailfinder.txt" ] && cat .tmp/emailfinder.txt | awk 'matched; /^-----------------$/ { matched = 1 }' | anew -q osint/emails.txt
 cd "$tools/theHarvester" || { echo "Failed to cd directory in ${FUNCNAME[0]} @ line ${LINENO}"; exit 1; }
 python3 theHarvester.py -d $domain -b all 2>>"$LOGFILE" > $dir/.tmp/harvester.txt
diff --git a/reconftw_axiom.sh b/reconftw_axiom.sh
index fb56407c..eaef1039 100755
--- a/reconftw_axiom.sh
+++ b/reconftw_axiom.sh
@@ -179,7 +179,7 @@ function metadata(){
 function emails(){
 if { [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]; } && [ "$EMAILS" = true ] && [ "$OSINT" = true ]; then
 start_func "Searching emails/users/passwords leaks"
- emailfinder -d $domain | anew -q .tmp/emailfinder.txt
+ emailfinder -d $domain 2>>"$LOGFILE" | anew -q .tmp/emailfinder.txt
 [ -s ".tmp/emailfinder.txt" ] && cat .tmp/emailfinder.txt | awk 'matched; /^-----------------$/ { matched = 1 }' | anew -q osint/emails.txt
 cd "$tools/theHarvester" || { echo "Failed to cd directory in ${FUNCNAME[0]} @ line ${LINENO}"; exit 1; }
 python3 theHarvester.py -d $domain -b all 2>>"$LOGFILE" > $dir/.tmp/harvester.txt
From 4ffc787c61ce893d455d3ff58d5b47ba7590b611 Mon Sep 17 00:00:00 2001
From: six2dez
Date: Tue, 1 Jun 2021 13:48:34 +0200
Subject: [PATCH 08/15] webscreenshot fix
---
 reconftw.sh | 2 +-
 reconftw_axiom.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/reconftw.sh b/reconftw.sh
index 18946076..84503f7d 100755
--- a/reconftw.sh
+++ b/reconftw.sh
@@ -633,7 +633,7 @@ function screenshot(){
 if { [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]; } && [ "$WEBSCREENSHOT" = true ]; then
 start_func "Web Screenshots"
 cat webs/webs.txt webs/webs_uncommon_ports.txt 2>>"$LOGFILE" | anew -q .tmp/webs_screenshots.txt
- [ -s ".tmp/webs_screenshots.txt" ] && webscreenshot --no-xserver -r chrome -i .tmp/webs_screenshots.txt -w $WEBSCREENSHOT_THREADS -o screenshots
+ [ -s ".tmp/webs_screenshots.txt" ] && webscreenshot -r chromium -i .tmp/webs_screenshots.txt -w $WEBSCREENSHOT_THREADS -o screenshots 2>>"$LOGFILE" &>/dev/null
 #gowitness file -f .tmp/webs_screenshots.txt --disable-logging 2>>"$LOGFILE"
 end_func "Results are saved in $domain/screenshots folder" ${FUNCNAME[0]}
 else
diff --git a/reconftw_axiom.sh b/reconftw_axiom.sh
index eaef1039..22151051 100755
--- a/reconftw_axiom.sh
+++ b/reconftw_axiom.sh
@@ -658,7 +658,7 @@ function screenshot(){
 start_func "Web Screenshots"
 cat webs/webs.txt webs/webs_uncommon_ports.txt 2>>"$LOGFILE" | anew -q .tmp/webs_screenshots.txt
 [ "$AXIOM_SCREENSHOT_MODULE" = "webscreenshot" ] && axiom-scan .tmp/webs_screenshots.txt -m $AXIOM_SCREENSHOT_MODULE -w $WEBSCREENSHOT_THREADS -o screenshots 2>>"$LOGFILE" &>/dev/null
- [ "$AXIOM_SCREENSHOT_MODULE" != "webscreenshot" ] && axiom-scan .tmp/webs_screenshots.txt -m $AXIOM_SCREENSHOT_MODULE -o screenshots &>>"$LOGFILE"
+ [ "$AXIOM_SCREENSHOT_MODULE" != "webscreenshot" ] && axiom-scan .tmp/webs_screenshots.txt -m $AXIOM_SCREENSHOT_MODULE -o screenshots 2>>"$LOGFILE" &>/dev/null
 end_func "Results are saved in $domain/screenshots folder" ${FUNCNAME[0]}
 else
 if [ "$WEBSCREENSHOT" = false ]; then
From 7531c052e05eeefdd5f9a7428cb50bfd67637b06 Mon Sep 17 00:00:00 2001
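Review bot: The new redirection `2>>"$LOGFILE" &>/dev/null` on the webscreenshot line never logs anything: redirections are applied left to right, so `&>/dev/null` reopens fd 2 onto /dev/null right after the append to `$LOGFILE` was set up, and any chromium or webscreenshot error is lost while `end_func` still reports success. Keep stdout quiet and stderr in the log with `webscreenshot -r chromium -i .tmp/webs_screenshots.txt -w $WEBSCREENSHOT_THREADS -o screenshots >/dev/null 2>>"$LOGFILE"`. The same ordering appears on other lines of this file, so a sweep is probably more useful than a one-off fix. The `if/else` of `screenshot()` continues past the hunk.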
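Review bot: For the non-webscreenshot axiom module this is a logging regression rather than a fix: the removed `&>>"$LOGFILE"` appended both streams to the log, while the new `2>>"$LOGFILE" &>/dev/null` ends with fd 1 and fd 2 both on /dev/null, so axiom-scan failures now disappear silently. `... -o screenshots >/dev/null 2>>"$LOGFILE"` keeps stderr in the log, which is presumably what was intended. The function's `if/else` continues outside the hunk.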
From: six2dez Date: Tue, 1 Jun 2021 16:40:49 +0200 Subject: [PATCH 09/15] New SSRF approach --- install.sh | 3 ++- reconftw.sh | 63 +++++++++++++++++++++++++---------------------- reconftw_axiom.sh | 63 +++++++++++++++++++++++++---------------------- 3 files changed, 68 insertions(+), 61 deletions(-) diff --git a/install.sh b/install.sh index 30fb9b3e..02ff5bda 100755 --- a/install.sh +++ b/install.sh @@ -32,6 +32,7 @@ gotools["puredns"]="GO111MODULE=on go get github.com/d3mondev/puredns/v2" gotools["hakrevdns"]="go get github.com/hakluke/hakrevdns" gotools["gdn"]="GO111MODULE=on go get -v github.com/kmskrishna/gdn" gotools["resolveDomains"]="go get -v github.com/Josue87/resolveDomains" +gotools["interactsh-client"]="GO111MODULE=on go get -v github.com/projectdiscovery/interactsh/cmd/interactsh-client" declare -A repos repos["degoogle_hunter"]="six2dez/degoogle_hunter" @@ -273,10 +274,10 @@ eval wget -nc -O subdomains_big.txt https://wordlists-cdn.assetnote.io/data/manu eval wget -O resolvers_trusted.txt https://gist.githubusercontent.com/six2dez/ae9ed7e5c786461868abd3f2344401b6/raw $DEBUG_STD eval wget -O subdomains.txt https://gist.github.com/six2dez/a307a04a222fab5a57466c51e1569acf/raw $DEBUG_STD eval wget -O permutations_list.txt https://gist.github.com/six2dez/ffc2b14d283e8f8eff6ac83e20a3c4b4/raw $DEBUG_STD -eval wget -nc -O ssrf.py https://gist.github.com/h4ms1k/adcc340495d418fcd72ec727a116fea2/raw $DEBUG_STD eval wget -nc -O fuzz_wordlist.txt https://raw.githubusercontent.com/six2dez/OneListForAll/main/onelistforallmicro.txt $DEBUG_STD eval wget -O lfi_wordlist.txt https://gist.githubusercontent.com/six2dez/a89a0c7861d49bb61a09822d272d5395/raw $DEBUG_STD eval wget -O ssti_wordlist.txt https://gist.githubusercontent.com/six2dez/ab5277b11da7369bf4e9db72b49ad3c1/raw $DEBUG_STD +eval wget -O headers_inject.txt https://gist.github.com/six2dez/d62ab8f8ffd28e1c206d401081d977ae/raw $DEBUG_STD ## Last check if [ "$double_check" = "true" ]; then 
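Review bot: `headers_inject.txt` is fetched from an unpinned gist `raw` URL and, per the SSRF changes in this same commit, its lines are fed straight into ffuf as a header wordlist sent to targets, so whoever controls that gist (or the account behind it) controls what the scanner emits on every run; the neighbouring wordlists share the problem, but this line is new. Pin the download to a specific gist revision in the URL path, or ship the file in the repository and verify a checksum after `wget`. Note also that `-O` without `-nc` silently overwrites a locally edited copy on every install, unlike the `ssrf.py` line it replaces.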
diff --git a/reconftw.sh b/reconftw.sh index 84503f7d..489f38bb 100755 --- a/reconftw.sh +++ b/reconftw.sh @@ -103,6 +103,7 @@ function tools_installed(){ type -P resolveDomains &>/dev/null || { printf "${bred} [*] resolveDomains [NO]${reset}\n"; allinstalled=false;} type -P emailfinder &>/dev/null || { printf "${bred} [*] emailfinder [NO]${reset}\n"; allinstalled=false;} type -P urldedupe &>/dev/null || { printf "${bred} [*] urldedupe [NO]${reset}\n"; allinstalled=false;} + type -P interactsh-client &>/dev/null || { printf "${bred} [*] interactsh-client [NO]${reset}\n"; allinstalled=false;} if [ "${allinstalled}" = true ]; then printf "${bgreen} Good! All installed! ${reset}\n\n" 
@@ -1124,39 +1125,41 @@ function open_redirect(){ function ssrf_checks(){ if { [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]; } && [ "$SSRF_CHECKS" = true ] && [ -s "gf/ssrf.txt" ]; then + start_func "SSRF checks" if [ -n "$COLLAB_SERVER" ]; then - start_func "SSRF checks" - if [ "$DEEP" = true ]; then - if [ -s "gf/ssrf.txt" ]; then - cat gf/ssrf.txt | qsreplace FUZZ | anew -q .tmp/tmp_ssrf.txt - COLLAB_SERVER_FIX=$(echo $COLLAB_SERVER | sed -r "s/https?:\/\///") - echo $COLLAB_SERVER_FIX | anew -q .tmp/ssrf_server.txt - echo $COLLAB_SERVER | anew -q .tmp/ssrf_server.txt - for url in $(cat .tmp/tmp_ssrf.txt); do - ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/ssrf_server.txt -u $url 2>>"$LOGFILE" | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf.txt - done - python3 $tools/ssrf.py $dir/gf/ssrf.txt $COLLAB_SERVER_FIX 2>>"$LOGFILE" | anew -q vulns/ssrf.txt - fi - end_func "Results are saved in vulns/ssrf.txt" ${FUNCNAME[0]} - else - if [[ $(cat gf/ssrf.txt | wc -l) -le 1000 ]]; then - cat gf/ssrf.txt | qsreplace FUZZ | anew -q .tmp/tmp_ssrf.txt - COLLAB_SERVER_FIX=$(echo $COLLAB_SERVER | sed -r "s/https?:\/\///") - echo $COLLAB_SERVER_FIX | anew -q .tmp/ssrf_server.txt - echo $COLLAB_SERVER | anew -q .tmp/ssrf_server.txt - for url in $(cat .tmp/tmp_ssrf.txt); do - ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/ssrf_server.txt -u $url 2>>"$LOGFILE" | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf.txt - done - python3 $tools/ssrf.py $dir/gf/ssrf.txt $COLLAB_SERVER_FIX 2>>"$LOGFILE" | anew -q vulns/ssrf.txt - end_func "Results are saved in vulns/ssrf.txt" ${FUNCNAME[0]} - else - end_func "Skipping SSRF: Too many URLs to test, try with --deep flag" ${FUNCNAME[0]} - fi + interactsh-client 2>.tmp/server.txt &>.tmp/ssrf_callback.txt & + INTERACT_PID=$! 
+ COLLAB_SERVER_FIX=$(cat server.txt | tail -n1 | cut -c 16-) + else + COLLAB_SERVER_FIX=$(echo ${COLLAB_SERVER} | sed -r "s/https?:\/\///") + fi + [ -s "$tools/headers_inject.txt" ] && cp $tools/headers_inject.txt .tmp/headers_inject.txt + sed -e "s/$/${COLLAB_SERVER_FIX}/" -i .tmp/headers_inject.txt + if [ "$DEEP" = true ]; then + if [ -s "gf/ssrf.txt" ]; then + cat gf/ssrf.txt | qsreplace ${COLLAB_SERVER_FIX} | anew -q .tmp/tmp_ssrf.txt + ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/tmp_ssrf.txt -u FUZZ 2>>"$LOGFILE" | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf_requests_url.txt + ffuf -v -w .tmp/tmp_ssrf.txt:W1,.tmp/headers_inject.txt:W2 -H "${HEADER}" -H "W2" -t $FFUF_THREADS -u W1 2>>"$LOGFILE" | anew -q vulns/ssrf_requests_headers.txt + [ -s ".tmp/ssrf_callback.txt" ] && cat .tmp/ssrf_callback.txt | tail -n+12 | anew -q vulns/ssrf_callback.txt fi + [ -z "$INTERACT_PID" ] && kill $INTERACT_PID + [ -z "$INTERACT_PID" ] && unset $INTERACT_PID + end_func "Results are saved in vulns/ssrf_*" ${FUNCNAME[0]} else - notification "No COLLAB_SERVER defined" error - end_func "Skipping function" ${FUNCNAME[0]} - printf "${bgreen}#######################################################################${reset}\n" + if [[ $(cat gf/ssrf.txt | wc -l) -le 1000 ]]; then + COLLAB_SERVER_FIX=$(echo $COLLAB_SERVER | sed -r "s/https?:\/\///") + cat gf/ssrf.txt | qsreplace ${COLLAB_SERVER_FIX} | anew -q .tmp/tmp_ssrf.txt + ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/tmp_ssrf.txt -u FUZZ 2>>"$LOGFILE" | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf_requests_url.txt + ffuf -v -w .tmp/tmp_ssrf.txt:W1,.tmp/headers_inject.txt:W2 -H "${HEADER}" -H "W2" -t $FFUF_THREADS -u W1 2>>"$LOGFILE" | anew -q vulns/ssrf_requests_headers.txt + [ -s ".tmp/ssrf_callback.txt" ] && cat .tmp/ssrf_callback.txt | tail -n+12 | anew -q vulns/ssrf_callback.txt + [ -z "$INTERACT_PID" ] && kill $INTERACT_PID + [ -z "$INTERACT_PID" ] && unset $INTERACT_PID + end_func "Results are saved in 
vulns/ssrf_*" ${FUNCNAME[0]} + else + [ -z "$INTERACT_PID" ] && kill $INTERACT_PID + [ -z "$INTERACT_PID" ] && unset $INTERACT_PID + end_func "Skipping SSRF: Too many URLs to test, try with --deep flag" ${FUNCNAME[0]} + fi fi else if [ "$SSRF_CHECKS" = false ]; then diff --git a/reconftw_axiom.sh b/reconftw_axiom.sh index 22151051..78ef6b8c 100755 --- a/reconftw_axiom.sh +++ b/reconftw_axiom.sh @@ -103,6 +103,7 @@ function tools_installed(){ type -P resolveDomains &>/dev/null || { printf "${bred} [*] resolveDomains [NO]${reset}\n"; allinstalled=false;} type -P emailfinder &>/dev/null || { printf "${bred} [*] emailfinder [NO]${reset}\n"; allinstalled=false;} type -P urldedupe &>/dev/null || { printf "${bred} [*] urldedupe [NO]${reset}\n"; allinstalled=false;} + type -P interactsh-client &>/dev/null || { printf "${bred} [*] interactsh-client [NO]${reset}\n"; allinstalled=false;} type -P axiom-ls &>/dev/null || { printf "${bred} [*] axiom [NO]${reset}\n${reset}"; allinstalled=false;} if [ "${allinstalled}" = true ]; then 
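Review bot: Out-of-band results are harvested the moment ffuf returns (`[ -s ".tmp/ssrf_callback.txt" ] && cat .tmp/ssrf_callback.txt | tail -n+12 | anew -q vulns/ssrf_callback.txt`) and the client is killed immediately after, so any callback that arrives after the last request — the usual case for blind SSRF where the target fetches asynchronously — never reaches `vulns/ssrf_callback.txt`. Add a grace period before the harvest, e.g. `sleep 10` (or a configurable wait), so late interactions are still recorded. `tail -n+12` also drops a fixed number of banner lines, which breaks silently when the client's banner changes between versions; filtering on the interaction lines themselves (presumably those containing `interaction`) would be more robust. `ssrf_checks()` starts on the hunk's first context line but its `else` branch runs past the hunk.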
@@ -1153,39 +1154,41 @@ function open_redirect(){ function ssrf_checks(){ if { [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]; } && [ "$SSRF_CHECKS" = true ] && [ -s "gf/ssrf.txt" ]; then + start_func "SSRF checks" if [ -n "$COLLAB_SERVER" ]; then - start_func "SSRF checks" - if [ "$DEEP" = true ]; then - if [ -s "gf/ssrf.txt" ]; then - cat gf/ssrf.txt | qsreplace FUZZ | anew -q .tmp/tmp_ssrf.txt - COLLAB_SERVER_FIX=$(echo $COLLAB_SERVER | sed -r "s/https?:\/\///") - echo $COLLAB_SERVER_FIX | anew -q .tmp/ssrf_server.txt - echo $COLLAB_SERVER | anew -q .tmp/ssrf_server.txt - for url in $(cat .tmp/tmp_ssrf.txt); do - ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/ssrf_server.txt -u $url 2>>"$LOGFILE" | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf.txt - done - python3 $tools/ssrf.py $dir/gf/ssrf.txt $COLLAB_SERVER_FIX 2>>"$LOGFILE" | anew -q vulns/ssrf.txt - fi - end_func "Results are saved in vulns/ssrf.txt" ${FUNCNAME[0]} - else - if [[ $(cat gf/ssrf.txt | wc -l) -le 1000 ]]; then - cat gf/ssrf.txt | qsreplace FUZZ | anew -q .tmp/tmp_ssrf.txt - COLLAB_SERVER_FIX=$(echo $COLLAB_SERVER | sed -r "s/https?:\/\///") - echo $COLLAB_SERVER_FIX | anew -q .tmp/ssrf_server.txt - echo $COLLAB_SERVER | anew -q .tmp/ssrf_server.txt - for url in $(cat .tmp/tmp_ssrf.txt); do - ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/ssrf_server.txt -u $url 2>>"$LOGFILE" | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf.txt - done - python3 $tools/ssrf.py $dir/gf/ssrf.txt $COLLAB_SERVER_FIX 2>>"$LOGFILE" | anew -q vulns/ssrf.txt - end_func "Results are saved in vulns/ssrf.txt" ${FUNCNAME[0]} - else - end_func "Skipping SSRF: Too many URLs to test, try with --deep flag" ${FUNCNAME[0]} - fi + interactsh-client 2>.tmp/server.txt &>.tmp/ssrf_callback.txt & + INTERACT_PID=$! 
+ COLLAB_SERVER_FIX=$(cat server.txt | tail -n1 | cut -c 16-) + else + COLLAB_SERVER_FIX=$(echo ${COLLAB_SERVER} | sed -r "s/https?:\/\///") + fi + [ -s "$tools/headers_inject.txt" ] && cp $tools/headers_inject.txt .tmp/headers_inject.txt + sed -e "s/$/${COLLAB_SERVER_FIX}/" -i .tmp/headers_inject.txt + if [ "$DEEP" = true ]; then + if [ -s "gf/ssrf.txt" ]; then + cat gf/ssrf.txt | qsreplace ${COLLAB_SERVER_FIX} | anew -q .tmp/tmp_ssrf.txt + ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/tmp_ssrf.txt -u FUZZ 2>>"$LOGFILE" | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf_requests_url.txt + ffuf -v -w .tmp/tmp_ssrf.txt:W1,.tmp/headers_inject.txt:W2 -H "${HEADER}" -H "W2" -t $FFUF_THREADS -u W1 2>>"$LOGFILE" | anew -q vulns/ssrf_requests_headers.txt + [ -s ".tmp/ssrf_callback.txt" ] && cat .tmp/ssrf_callback.txt | tail -n+12 | anew -q vulns/ssrf_callback.txt fi + [ -z "$INTERACT_PID" ] && kill $INTERACT_PID + [ -z "$INTERACT_PID" ] && unset $INTERACT_PID + end_func "Results are saved in vulns/ssrf_*" ${FUNCNAME[0]} else - notification "No COLLAB_SERVER defined" error - end_func "Skipping function" ${FUNCNAME[0]} - printf "${bgreen}#######################################################################${reset}\n" + if [[ $(cat gf/ssrf.txt | wc -l) -le 1000 ]]; then + COLLAB_SERVER_FIX=$(echo $COLLAB_SERVER | sed -r "s/https?:\/\///") + cat gf/ssrf.txt | qsreplace ${COLLAB_SERVER_FIX} | anew -q .tmp/tmp_ssrf.txt + ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/tmp_ssrf.txt -u FUZZ 2>>"$LOGFILE" | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf_requests_url.txt + ffuf -v -w .tmp/tmp_ssrf.txt:W1,.tmp/headers_inject.txt:W2 -H "${HEADER}" -H "W2" -t $FFUF_THREADS -u W1 2>>"$LOGFILE" | anew -q vulns/ssrf_requests_headers.txt + [ -s ".tmp/ssrf_callback.txt" ] && cat .tmp/ssrf_callback.txt | tail -n+12 | anew -q vulns/ssrf_callback.txt + [ -z "$INTERACT_PID" ] && kill $INTERACT_PID + [ -z "$INTERACT_PID" ] && unset $INTERACT_PID + end_func "Results are saved in 
vulns/ssrf_*" ${FUNCNAME[0]} + else + [ -z "$INTERACT_PID" ] && kill $INTERACT_PID + [ -z "$INTERACT_PID" ] && unset $INTERACT_PID + end_func "Skipping SSRF: Too many URLs to test, try with --deep flag" ${FUNCNAME[0]} + fi fi else if [ "$SSRF_CHECKS" = false ]; then From 3683f8e6443e7d83e27433256366b651b3e29e82 Mon Sep 17 00:00:00 2001 From: six2dez Date: Thu, 3 Jun 2021 09:39:43 +0200 Subject: [PATCH 10/15] Fix domain grep and stderr --- reconftw.sh | 4 ++-- reconftw_axiom.sh | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/reconftw.sh b/reconftw.sh index 489f38bb..37df77ab 100755 --- a/reconftw.sh +++ b/reconftw.sh @@ -427,7 +427,7 @@ function sub_analytics(){ start_subfunc "Running : Analytics Subdomain Enumeration" if [ -s ".tmp/probed_tmp_scrap.txt" ]; then for sub in $(cat .tmp/probed_tmp_scrap.txt); do - python3 $tools/AnalyticsRelationships/Python/analyticsrelationships.py -u $sub | anew -q .tmp/analytics_subs_tmp.txt 2>>"$LOGFILE" &>/dev/null + python3 $tools/AnalyticsRelationships/Python/analyticsrelationships.py -u $sub 2>>"$LOGFILE" | anew -q .tmp/analytics_subs_tmp.txt done [ -s ".tmp/analytics_subs_tmp.txt" ] && cat .tmp/analytics_subs_tmp.txt 2>>"$LOGFILE" | grep "\.$domain$\|^$domain$" | sed "s/|__ //" | anew -q .tmp/analytics_subs_clean.txt [ -s ".tmp/analytics_subs_clean.txt" ] && puredns resolve .tmp/analytics_subs_clean.txt -w .tmp/analytics_subs_resolved.txt -r $resolvers --resolvers-trusted $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT --rate-limit-trusted $PUREDNS_TRUSTED_LIMIT 2>>"$LOGFILE" &>/dev/null 
@@ -888,7 +888,7 @@ function urlchecks(){
 fi
 fi
 sed -i '/^.\{2048\}./d' .tmp/gospider.txt
- [ -s ".tmp/gospider.txt" ] && cat .tmp/gospider.txt | grep -Eo 'https?://[^ ]+' | sed 's/]$//' | grep ".$domain$" | anew -q .tmp/url_extract_tmp.txt
+ [ -s ".tmp/gospider.txt" ] && cat .tmp/gospider.txt | grep -Eo 'https?://[^ ]+' | sed 's/]$//' | grep ".$domain" | anew -q .tmp/url_extract_tmp.txt
 if [ -s "${GITHUB_TOKENS}" ]; then
 github-endpoints -q -k -d $domain -t ${GITHUB_TOKENS} -o .tmp/github-endpoints.txt 2>>"$LOGFILE" &>/dev/null
 [ -s ".tmp/github-endpoints.txt" ] && cat .tmp/github-endpoints.txt | anew -q .tmp/url_extract_tmp.txt
diff --git a/reconftw_axiom.sh b/reconftw_axiom.sh
index 78ef6b8c..8c60f766 100755
--- a/reconftw_axiom.sh
+++ b/reconftw_axiom.sh
@@ -439,7 +439,7 @@ function sub_analytics(){
 start_subfunc "Running : Analytics Subdomain Enumeration"
 if [ -s ".tmp/probed_tmp_scrap.txt" ]; then
 for sub in $(cat .tmp/probed_tmp_scrap.txt); do
- python3 $tools/AnalyticsRelationships/Python/analyticsrelationships.py -u $sub | anew -q .tmp/analytics_subs_tmp.txt 2>>"$LOGFILE" &>/dev/null
+ python3 $tools/AnalyticsRelationships/Python/analyticsrelationships.py -u $sub 2>>"$LOGFILE" | anew -q .tmp/analytics_subs_tmp.txt
 done
 [ -s ".tmp/analytics_subs_tmp.txt" ] && cat .tmp/analytics_subs_tmp.txt 2>>"$LOGFILE" | grep "\.$domain$\|^$domain$" | sed "s/|__ //" | anew -q .tmp/analytics_subs_clean.txt
 [ -s ".tmp/analytics_subs_clean.txt" ] && axiom-scan .tmp/analytics_subs_clean.txt -m puredns-resolve -r /home/op/lists/resolvers.txt -o .tmp/analytics_subs_resolved.txt 2>>"$LOGFILE" &>/dev/null
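Review bot: Dropping the `$` anchor turns `grep ".$domain"` into a substring match on the whole URL, so gospider output such as `https://cdn.example.net/?ref=www.$domain` or `https://$domain.attacker.tld/` now lands in `.tmp/url_extract_tmp.txt` and from there feeds the active checks, i.e. out-of-scope hosts get fuzzed; the unescaped dots were already loose, this widens it further. Anchor on the host part instead: `grep -E "^https?://([^/]*\.)?${domain}(:[0-9]+)?([/?#]|$)"`, ideally with the dots in `$domain` escaped. The reconftw_axiom.sh hunk at `@@ -918` repeats the same change and needs the same treatment. `urlchecks()` starts and ends outside the hunk.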
@@ -918,7 +918,7 @@ function urlchecks(){
 [[ -d .tmp/gospider/ ]] && cat .tmp/gospider/* 2>>"$LOGFILE" | sed '/^.\{2048\}./d' | anew -q .tmp/gospider.txt
 fi
 [[ -d .tmp/gospider/ ]] && NUMFILES=$(find .tmp/gospider/ -type f | wc -l)
- [[ $NUMFILES -gt 0 ]] && cat .tmp/gospider.txt | grep -Eo 'https?://[^ ]+' | sed 's/]$//' | grep ".$domain$" | anew -q .tmp/url_extract_tmp.txt
+ [[ $NUMFILES -gt 0 ]] && cat .tmp/gospider.txt | grep -Eo 'https?://[^ ]+' | sed 's/]$//' | grep ".$domain" | anew -q .tmp/url_extract_tmp.txt
 if [ -s "${GITHUB_TOKENS}" ]; then
 github-endpoints -q -k -d $domain -t ${GITHUB_TOKENS} -o .tmp/github-endpoints.txt 2>>"$LOGFILE" &>/dev/null
 [ -s ".tmp/github-endpoints.txt" ] && cat .tmp/github-endpoints.txt | anew -q .tmp/url_extract_tmp.txt
From 137ca9fc318c8aeb4bae3a4040cacc44a517853a Mon Sep 17 00:00:00 2001
From: six2dez
Date: Thu, 3 Jun 2021 11:40:01 +0200
Subject: [PATCH 11/15] Fix ssrf server
---
 reconftw.sh | 2 +-
 reconftw_axiom.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/reconftw.sh b/reconftw.sh
index 37df77ab..8e04c69e 100755
--- a/reconftw.sh
+++ b/reconftw.sh
@@ -1129,7 +1129,7 @@ function ssrf_checks(){
 if [ -n "$COLLAB_SERVER" ]; then
 interactsh-client 2>.tmp/server.txt &>.tmp/ssrf_callback.txt &
 INTERACT_PID=$!
- COLLAB_SERVER_FIX=$(cat server.txt | tail -n1 | cut -c 16-)
+ COLLAB_SERVER_FIX=$(cat .tmp/server.txt | tail -n1 | cut -c 16-)
 else
 COLLAB_SERVER_FIX=$(echo ${COLLAB_SERVER} | sed -r "s/https?:\/\///")
 fi
diff --git a/reconftw_axiom.sh b/reconftw_axiom.sh
index 8c60f766..05d9da78 100755
--- a/reconftw_axiom.sh
+++ b/reconftw_axiom.sh
@@ -1158,7 +1158,7 @@ function ssrf_checks(){
 if [ -n "$COLLAB_SERVER" ]; then
 interactsh-client 2>.tmp/server.txt &>.tmp/ssrf_callback.txt &
 INTERACT_PID=$!
- COLLAB_SERVER_FIX=$(cat server.txt | tail -n1 | cut -c 16-)
+ COLLAB_SERVER_FIX=$(cat .tmp/server.txt | tail -n1 | cut -c 16-)
 else
 COLLAB_SERVER_FIX=$(echo ${COLLAB_SERVER} | sed -r "s/https?:\/\///")
 fi
From 2ccecadd6994bf5959abe1f85c49e74a7d2c8cd2 Mon Sep 17 00:00:00 2001
From: six2dez
Date: Thu, 3 Jun 2021 14:23:42 +0200
Subject: [PATCH 12/15] Fix ssrf
---
 reconftw.sh | 19 ++++++++-----------
 reconftw_axiom.sh | 19 ++++++++-----------
 2 files changed, 16 insertions(+), 22 deletions(-)
diff --git a/reconftw.sh b/reconftw.sh
index 8e04c69e..838b6402 100755
--- a/reconftw.sh
+++ b/reconftw.sh
@@ -1126,10 +1126,11 @@ function open_redirect(){
 function ssrf_checks(){
 if { [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]; } && [ "$SSRF_CHECKS" = true ] && [ -s "gf/ssrf.txt" ]; then
 start_func "SSRF checks"
- if [ -n "$COLLAB_SERVER" ]; then
- interactsh-client 2>.tmp/server.txt &>.tmp/ssrf_callback.txt &
+ if [ -z "$COLLAB_SERVER" ]; then
+ interactsh-client &>.tmp/ssrf_callback.txt &
+ sleep 1
 INTERACT_PID=$!
- COLLAB_SERVER_FIX=$(cat .tmp/server.txt | tail -n1 | cut -c 16-)
+ COLLAB_SERVER_FIX=$(cat .tmp/ssrf_callback.txt | tail -n1 | cut -c 16-)
 else
 COLLAB_SERVER_FIX=$(echo ${COLLAB_SERVER} | sed -r "s/https?:\/\///")
 fi
@@ -1140,10 +1141,8 @@ function ssrf_checks(){
 cat gf/ssrf.txt | qsreplace ${COLLAB_SERVER_FIX} | anew -q .tmp/tmp_ssrf.txt
 ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/tmp_ssrf.txt -u FUZZ 2>>"$LOGFILE" | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf_requests_url.txt
 ffuf -v -w .tmp/tmp_ssrf.txt:W1,.tmp/headers_inject.txt:W2 -H "${HEADER}" -H "W2" -t $FFUF_THREADS -u W1 2>>"$LOGFILE" | anew -q vulns/ssrf_requests_headers.txt
- [ -s ".tmp/ssrf_callback.txt" ] && cat .tmp/ssrf_callback.txt | tail -n+12 | anew -q vulns/ssrf_callback.txt
+ [ -s ".tmp/ssrf_callback.txt" ] && cat .tmp/ssrf_callback.txt | tail -n+11 | anew -q vulns/ssrf_callback.txt
 fi
- [ -z "$INTERACT_PID" ] && kill $INTERACT_PID
- [ -z "$INTERACT_PID" ] && unset $INTERACT_PID
 end_func "Results are saved in vulns/ssrf_*" ${FUNCNAME[0]}
 else
 if [[ $(cat gf/ssrf.txt | wc -l) -le 1000 ]]; then
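Review bot: `COLLAB_SERVER_FIX` is read from `.tmp/ssrf_callback.txt` after a fixed `sleep 1`, but the client has to reach its server before it can print the interaction URL, so on a slow link the last line is still banner text (or the file is empty) and `cut -c 16-` yields garbage or nothing; the module then sends every request with an empty payload and reports nothing, which is indistinguishable from "no SSRF". Guard it right after the `fi`: `[ -z "$COLLAB_SERVER_FIX" ] && { [ -n "$INTERACT_PID" ] && kill $INTERACT_PID; end_func "Skipping SSRF: no collaborator URL obtained" ${FUNCNAME[0]}; return; }`, and prefer polling the file for the URL line over a fixed sleep. Also `interactsh-client` is started with no `-server`/`-token`, so it presumably uses the tool's default public instances, meaning the target's callbacks (source IPs, request bodies) transit a third party; for client engagements point it at a self-hosted server. `ssrf_checks()` continues past the hunk.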
@@ -1151,16 +1150,14 @@ function ssrf_checks(){
 cat gf/ssrf.txt | qsreplace ${COLLAB_SERVER_FIX} | anew -q .tmp/tmp_ssrf.txt
 ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/tmp_ssrf.txt -u FUZZ 2>>"$LOGFILE" | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf_requests_url.txt
 ffuf -v -w .tmp/tmp_ssrf.txt:W1,.tmp/headers_inject.txt:W2 -H "${HEADER}" -H "W2" -t $FFUF_THREADS -u W1 2>>"$LOGFILE" | anew -q vulns/ssrf_requests_headers.txt
- [ -s ".tmp/ssrf_callback.txt" ] && cat .tmp/ssrf_callback.txt | tail -n+12 | anew -q vulns/ssrf_callback.txt
- [ -z "$INTERACT_PID" ] && kill $INTERACT_PID
- [ -z "$INTERACT_PID" ] && unset $INTERACT_PID
+ [ -s ".tmp/ssrf_callback.txt" ] && cat .tmp/ssrf_callback.txt | tail -n+11 | anew -q vulns/ssrf_callback.txt
 end_func "Results are saved in vulns/ssrf_*" ${FUNCNAME[0]}
 else
- [ -z "$INTERACT_PID" ] && kill $INTERACT_PID
- [ -z "$INTERACT_PID" ] && unset $INTERACT_PID
 end_func "Skipping SSRF: Too many URLs to test, try with --deep flag" ${FUNCNAME[0]}
 fi
 fi
+ [ -z "$INTERACT_PID" ] && kill $INTERACT_PID
+ [ -z "$INTERACT_PID" ] && unset $INTERACT_PID
 else
 if [ "$SSRF_CHECKS" = false ]; then
 printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n"
diff --git a/reconftw_axiom.sh b/reconftw_axiom.sh
index 05d9da78..61131915 100755
--- a/reconftw_axiom.sh
+++ b/reconftw_axiom.sh
@@ -1155,10 +1155,11 @@ function open_redirect(){ function ssrf_checks(){ if { [ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ] || [ "$DIFF" = true ]; } && [ "$SSRF_CHECKS" = true ] && [ -s "gf/ssrf.txt" ]; then start_func "SSRF checks" - if [ -n "$COLLAB_SERVER" ]; then - interactsh-client 2>.tmp/server.txt &>.tmp/ssrf_callback.txt & + if [ -z "$COLLAB_SERVER" ]; then + interactsh-client &>.tmp/ssrf_callback.txt & + sleep 1 INTERACT_PID=$! - COLLAB_SERVER_FIX=$(cat .tmp/server.txt | tail -n1 | cut -c 16-) + COLLAB_SERVER_FIX=$(cat .tmp/ssrf_callback.txt | tail -n1 | cut -c 16-) else COLLAB_SERVER_FIX=$(echo ${COLLAB_SERVER} | sed -r "s/https?:\/\///") fi @@ -1169,10 +1170,8 @@ function ssrf_checks(){ cat gf/ssrf.txt | qsreplace ${COLLAB_SERVER_FIX} | anew -q .tmp/tmp_ssrf.txt ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/tmp_ssrf.txt -u FUZZ 2>>"$LOGFILE" | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf_requests_url.txt ffuf -v -w .tmp/tmp_ssrf.txt:W1,.tmp/headers_inject.txt:W2 -H "${HEADER}" -H "W2" -t $FFUF_THREADS -u W1 2>>"$LOGFILE" | anew -q vulns/ssrf_requests_headers.txt - [ -s ".tmp/ssrf_callback.txt" ] && cat .tmp/ssrf_callback.txt | tail -n+12 | anew -q vulns/ssrf_callback.txt + [ -s ".tmp/ssrf_callback.txt" ] && cat .tmp/ssrf_callback.txt | tail -n+11 | anew -q vulns/ssrf_callback.txt fi - [ -z "$INTERACT_PID" ] && kill $INTERACT_PID - [ -z "$INTERACT_PID" ] && unset $INTERACT_PID end_func "Results are saved in vulns/ssrf_*" ${FUNCNAME[0]} else if [[ $(cat gf/ssrf.txt | wc -l) -le 1000 ]]; then 
@@ -1180,16 +1179,14 @@ function ssrf_checks(){ cat gf/ssrf.txt | qsreplace ${COLLAB_SERVER_FIX} | anew -q .tmp/tmp_ssrf.txt ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/tmp_ssrf.txt -u FUZZ 2>>"$LOGFILE" | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf_requests_url.txt ffuf -v -w .tmp/tmp_ssrf.txt:W1,.tmp/headers_inject.txt:W2 -H "${HEADER}" -H "W2" -t $FFUF_THREADS -u W1 2>>"$LOGFILE" | anew -q vulns/ssrf_requests_headers.txt - [ -s ".tmp/ssrf_callback.txt" ] && cat .tmp/ssrf_callback.txt | tail -n+12 | anew -q vulns/ssrf_callback.txt - [ -z "$INTERACT_PID" ] && kill $INTERACT_PID - [ -z "$INTERACT_PID" ] && unset $INTERACT_PID + [ -s ".tmp/ssrf_callback.txt" ] && cat .tmp/ssrf_callback.txt | tail -n+11 | anew -q vulns/ssrf_callback.txt end_func "Results are saved in vulns/ssrf_*" ${FUNCNAME[0]} else - [ -z "$INTERACT_PID" ] && kill $INTERACT_PID - [ -z "$INTERACT_PID" ] && unset $INTERACT_PID end_func "Skipping SSRF: Too many URLs to test, try with --deep flag" ${FUNCNAME[0]} fi fi + [ -z "$INTERACT_PID" ] && kill $INTERACT_PID + [ -z "$INTERACT_PID" ] && unset $INTERACT_PID else if [ "$SSRF_CHECKS" = false ]; then printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" From 72e3585266acd0ce2a4ef789f624d967eafc7a2c Mon Sep 17 00:00:00 2001 From: six2dez Date: Thu, 3 Jun 2021 14:29:40 +0200 Subject: [PATCH 13/15] fix kill_pid --- reconftw.sh | 4 ++-- reconftw_axiom.sh | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/reconftw.sh b/reconftw.sh index 838b6402..dc37ee40 100755 --- a/reconftw.sh +++ b/reconftw.sh 
@@ -1156,8 +1156,8 @@ function ssrf_checks(){
 end_func "Skipping SSRF: Too many URLs to test, try with --deep flag" ${FUNCNAME[0]}
 fi
 fi
- [ -z "$INTERACT_PID" ] && kill $INTERACT_PID
- [ -z "$INTERACT_PID" ] && unset $INTERACT_PID
+ [ -n "$INTERACT_PID" ] && kill $INTERACT_PID
+ [ -n "$INTERACT_PID" ] && unset $INTERACT_PID
 else
 if [ "$SSRF_CHECKS" = false ]; then
 printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n"
diff --git a/reconftw_axiom.sh b/reconftw_axiom.sh
index 61131915..4efa8593 100755
--- a/reconftw_axiom.sh
+++ b/reconftw_axiom.sh
@@ -1185,8 +1185,8 @@ function ssrf_checks(){
 end_func "Skipping SSRF: Too many URLs to test, try with --deep flag" ${FUNCNAME[0]}
 fi
 fi
- [ -z "$INTERACT_PID" ] && kill $INTERACT_PID
- [ -z "$INTERACT_PID" ] && unset $INTERACT_PID
+ [ -n "$INTERACT_PID" ] && kill $INTERACT_PID
+ [ -n "$INTERACT_PID" ] && unset $INTERACT_PID
 else
 if [ "$SSRF_CHECKS" = false ]; then
 printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n"
From 885ad614d723765ee12994ad07ebf9a90f67c000 Mon Sep 17 00:00:00 2001
From: six2dez
Date: Thu, 3 Jun 2021 16:16:19 +0200
Subject: [PATCH 14/15] More SSRF fixes
---
 reconftw.sh | 22 +++++++++++-----------
 reconftw_axiom.sh | 22 +++++++++++-----------
 2 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/reconftw.sh b/reconftw.sh
index dc37ee40..2679deae 100755
--- a/reconftw.sh
+++ b/reconftw.sh
@@ -1131,25 +1131,25 @@ function ssrf_checks(){ sleep 1 INTERACT_PID=$! COLLAB_SERVER_FIX=$(cat .tmp/ssrf_callback.txt | tail -n1 | cut -c 16-) + COLLAB_SERVER_URL="http://$COLLAB_SERVER_FIX" else COLLAB_SERVER_FIX=$(echo ${COLLAB_SERVER} | sed -r "s/https?:\/\///") fi - [ -s "$tools/headers_inject.txt" ] && cp $tools/headers_inject.txt .tmp/headers_inject.txt - sed -e "s/$/${COLLAB_SERVER_FIX}/" -i .tmp/headers_inject.txt if [ "$DEEP" = true ]; then - if [ -s "gf/ssrf.txt" ]; then - cat gf/ssrf.txt | qsreplace ${COLLAB_SERVER_FIX} | anew -q .tmp/tmp_ssrf.txt - ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/tmp_ssrf.txt -u FUZZ 2>>"$LOGFILE" | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf_requests_url.txt - ffuf -v -w .tmp/tmp_ssrf.txt:W1,.tmp/headers_inject.txt:W2 -H "${HEADER}" -H "W2" -t $FFUF_THREADS -u W1 2>>"$LOGFILE" | anew -q vulns/ssrf_requests_headers.txt - [ -s ".tmp/ssrf_callback.txt" ] && cat .tmp/ssrf_callback.txt | tail -n+11 | anew -q vulns/ssrf_callback.txt - fi + cat gf/ssrf.txt | qsreplace ${COLLAB_SERVER_FIX} | anew -q .tmp/tmp_ssrf.txt + cat gf/ssrf.txt | qsreplace ${COLLAB_SERVER_URL} | anew -q .tmp/tmp_ssrf.txt + ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/tmp_ssrf.txt -u FUZZ 2>>"$LOGFILE" | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf_requests_url.txt + ffuf -v -w .tmp/tmp_ssrf.txt:W1,.tmp/headers_inject.txt:W2 -H "${HEADER}" -H "W2: ${COLLAB_SERVER_FIX}" -t $FFUF_THREADS -u W1 2>>"$LOGFILE" | anew -q vulns/ssrf_requests_headers.txt + ffuf -v -w .tmp/tmp_ssrf.txt:W1,.tmp/headers_inject.txt:W2 -H "${HEADER}" -H "W2: ${COLLAB_SERVER_URL}" -t $FFUF_THREADS -u W1 2>>"$LOGFILE" | anew -q vulns/ssrf_requests_headers.txt + [ -s ".tmp/ssrf_callback.txt" ] && cat .tmp/ssrf_callback.txt | tail -n+11 | anew -q vulns/ssrf_callback.txt end_func "Results are saved in vulns/ssrf_*" ${FUNCNAME[0]} else if [[ $(cat gf/ssrf.txt | wc -l) -le 1000 ]]; then - COLLAB_SERVER_FIX=$(echo $COLLAB_SERVER | sed -r "s/https?:\/\///") cat gf/ssrf.txt 
| qsreplace ${COLLAB_SERVER_FIX} | anew -q .tmp/tmp_ssrf.txt + cat gf/ssrf.txt | qsreplace ${COLLAB_SERVER_URL} | anew -q .tmp/tmp_ssrf.txt ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/tmp_ssrf.txt -u FUZZ 2>>"$LOGFILE" | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf_requests_url.txt - ffuf -v -w .tmp/tmp_ssrf.txt:W1,.tmp/headers_inject.txt:W2 -H "${HEADER}" -H "W2" -t $FFUF_THREADS -u W1 2>>"$LOGFILE" | anew -q vulns/ssrf_requests_headers.txt + ffuf -v -w .tmp/tmp_ssrf.txt:W1,.tmp/headers_inject.txt:W2 -H "${HEADER}" -H "W2: ${COLLAB_SERVER_FIX}" -t $FFUF_THREADS -u W1 2>>"$LOGFILE" | anew -q vulns/ssrf_requests_headers.txt + ffuf -v -w .tmp/tmp_ssrf.txt:W1,.tmp/headers_inject.txt:W2 -H "${HEADER}" -H "W2: ${COLLAB_SERVER_URL}" -t $FFUF_THREADS -u W1 2>>"$LOGFILE" | anew -q vulns/ssrf_requests_headers.txt [ -s ".tmp/ssrf_callback.txt" ] && cat .tmp/ssrf_callback.txt | tail -n+11 | anew -q vulns/ssrf_callback.txt end_func "Results are saved in vulns/ssrf_*" ${FUNCNAME[0]} else @@ -1157,7 +1157,7 @@ function ssrf_checks(){ fi fi [ -n "$INTERACT_PID" ] && kill $INTERACT_PID - [ -n "$INTERACT_PID" ] && unset $INTERACT_PID + [ -n "$INTERACT_PID" ] && unset INTERACT_PID else if [ "$SSRF_CHECKS" = false ]; then printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" diff --git a/reconftw_axiom.sh b/reconftw_axiom.sh index 4efa8593..e4a401c2 100755 --- a/reconftw_axiom.sh +++ b/reconftw_axiom.sh 
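Review bot: Two of the new lines cannot work as written. The `cp $tools/headers_inject.txt .tmp/headers_inject.txt` step is removed, yet all four header-injection ffuf calls still read `-w .tmp/tmp_ssrf.txt:W1,.tmp/headers_inject.txt:W2`, so on a fresh run the W2 wordlist does not exist and ffuf will presumably refuse to start; point them at `$tools/headers_inject.txt:W2`, which is correct now that the collaborator is supplied via `-H "W2: ..."` instead of the per-run sed. Separately, `COLLAB_SERVER_URL` is only assigned in the interactsh branch, so when `COLLAB_SERVER` is configured the second `qsreplace ${COLLAB_SERVER_URL}` runs with no replacement value and `-H "W2: ${COLLAB_SERVER_URL}"` sends empty header values; move `COLLAB_SERVER_URL="http://$COLLAB_SERVER_FIX"` below the `fi` so both branches set it. `ssrf_checks()` starts before the hunk and continues after it.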
@@ -1160,25 +1160,25 @@ function ssrf_checks(){ sleep 1 INTERACT_PID=$! COLLAB_SERVER_FIX=$(cat .tmp/ssrf_callback.txt | tail -n1 | cut -c 16-) + COLLAB_SERVER_URL="http://$COLLAB_SERVER_FIX" else COLLAB_SERVER_FIX=$(echo ${COLLAB_SERVER} | sed -r "s/https?:\/\///") fi - [ -s "$tools/headers_inject.txt" ] && cp $tools/headers_inject.txt .tmp/headers_inject.txt - sed -e "s/$/${COLLAB_SERVER_FIX}/" -i .tmp/headers_inject.txt if [ "$DEEP" = true ]; then - if [ -s "gf/ssrf.txt" ]; then - cat gf/ssrf.txt | qsreplace ${COLLAB_SERVER_FIX} | anew -q .tmp/tmp_ssrf.txt - ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/tmp_ssrf.txt -u FUZZ 2>>"$LOGFILE" | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf_requests_url.txt - ffuf -v -w .tmp/tmp_ssrf.txt:W1,.tmp/headers_inject.txt:W2 -H "${HEADER}" -H "W2" -t $FFUF_THREADS -u W1 2>>"$LOGFILE" | anew -q vulns/ssrf_requests_headers.txt - [ -s ".tmp/ssrf_callback.txt" ] && cat .tmp/ssrf_callback.txt | tail -n+11 | anew -q vulns/ssrf_callback.txt - fi + cat gf/ssrf.txt | qsreplace ${COLLAB_SERVER_FIX} | anew -q .tmp/tmp_ssrf.txt + cat gf/ssrf.txt | qsreplace ${COLLAB_SERVER_URL} | anew -q .tmp/tmp_ssrf.txt + ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/tmp_ssrf.txt -u FUZZ 2>>"$LOGFILE" | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf_requests_url.txt + ffuf -v -w .tmp/tmp_ssrf.txt:W1,.tmp/headers_inject.txt:W2 -H "${HEADER}" -H "W2: ${COLLAB_SERVER_FIX}" -t $FFUF_THREADS -u W1 2>>"$LOGFILE" | anew -q vulns/ssrf_requests_headers.txt + ffuf -v -w .tmp/tmp_ssrf.txt:W1,.tmp/headers_inject.txt:W2 -H "${HEADER}" -H "W2: ${COLLAB_SERVER_URL}" -t $FFUF_THREADS -u W1 2>>"$LOGFILE" | anew -q vulns/ssrf_requests_headers.txt + [ -s ".tmp/ssrf_callback.txt" ] && cat .tmp/ssrf_callback.txt | tail -n+11 | anew -q vulns/ssrf_callback.txt end_func "Results are saved in vulns/ssrf_*" ${FUNCNAME[0]} else if [[ $(cat gf/ssrf.txt | wc -l) -le 1000 ]]; then - COLLAB_SERVER_FIX=$(echo $COLLAB_SERVER | sed -r "s/https?:\/\///") cat gf/ssrf.txt 
| qsreplace ${COLLAB_SERVER_FIX} | anew -q .tmp/tmp_ssrf.txt + cat gf/ssrf.txt | qsreplace ${COLLAB_SERVER_URL} | anew -q .tmp/tmp_ssrf.txt ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/tmp_ssrf.txt -u FUZZ 2>>"$LOGFILE" | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf_requests_url.txt - ffuf -v -w .tmp/tmp_ssrf.txt:W1,.tmp/headers_inject.txt:W2 -H "${HEADER}" -H "W2" -t $FFUF_THREADS -u W1 2>>"$LOGFILE" | anew -q vulns/ssrf_requests_headers.txt + ffuf -v -w .tmp/tmp_ssrf.txt:W1,.tmp/headers_inject.txt:W2 -H "${HEADER}" -H "W2: ${COLLAB_SERVER_FIX}" -t $FFUF_THREADS -u W1 2>>"$LOGFILE" | anew -q vulns/ssrf_requests_headers.txt + ffuf -v -w .tmp/tmp_ssrf.txt:W1,.tmp/headers_inject.txt:W2 -H "${HEADER}" -H "W2: ${COLLAB_SERVER_URL}" -t $FFUF_THREADS -u W1 2>>"$LOGFILE" | anew -q vulns/ssrf_requests_headers.txt [ -s ".tmp/ssrf_callback.txt" ] && cat .tmp/ssrf_callback.txt | tail -n+11 | anew -q vulns/ssrf_callback.txt end_func "Results are saved in vulns/ssrf_*" ${FUNCNAME[0]} else @@ -1186,7 +1186,7 @@ function ssrf_checks(){ fi fi [ -n "$INTERACT_PID" ] && kill $INTERACT_PID - [ -n "$INTERACT_PID" ] && unset $INTERACT_PID + [ -n "$INTERACT_PID" ] && unset INTERACT_PID else if [ "$SSRF_CHECKS" = false ]; then printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" From a89da33a4330915add44bb9314d2de2a0fdfd1fe Mon Sep 17 00:00:00 2001 From: six2dez Date: Thu, 3 Jun 2021 16:34:42 +0200 Subject: [PATCH 15/15] ssrf done --- reconftw.sh | 14 ++++++++------ reconftw_axiom.sh | 14 ++++++++------ 2 files changed, 16 insertions(+), 12 deletions(-) diff --git a/reconftw.sh b/reconftw.sh index 2679deae..809cd259 100755 --- a/reconftw.sh +++ b/reconftw.sh 
@@ -1128,8 +1128,7 @@ function ssrf_checks(){ start_func "SSRF checks" if [ -z "$COLLAB_SERVER" ]; then interactsh-client &>.tmp/ssrf_callback.txt & - sleep 1 - INTERACT_PID=$! + sleep 2 COLLAB_SERVER_FIX=$(cat .tmp/ssrf_callback.txt | tail -n1 | cut -c 16-) COLLAB_SERVER_URL="http://$COLLAB_SERVER_FIX" else @@ -1141,7 +1140,9 @@ function ssrf_checks(){ ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/tmp_ssrf.txt -u FUZZ 2>>"$LOGFILE" | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf_requests_url.txt ffuf -v -w .tmp/tmp_ssrf.txt:W1,.tmp/headers_inject.txt:W2 -H "${HEADER}" -H "W2: ${COLLAB_SERVER_FIX}" -t $FFUF_THREADS -u W1 2>>"$LOGFILE" | anew -q vulns/ssrf_requests_headers.txt ffuf -v -w .tmp/tmp_ssrf.txt:W1,.tmp/headers_inject.txt:W2 -H "${HEADER}" -H "W2: ${COLLAB_SERVER_URL}" -t $FFUF_THREADS -u W1 2>>"$LOGFILE" | anew -q vulns/ssrf_requests_headers.txt - [ -s ".tmp/ssrf_callback.txt" ] && cat .tmp/ssrf_callback.txt | tail -n+11 | anew -q vulns/ssrf_callback.txt + sleep 5 + [ -s ".tmp/ssrf_callback.txt" ] && cat .tmp/ssrf_callback.txt | tail -n+11 | anew -q vulns/ssrf_callback.txt && NUMOFLINES=$(cat .tmp/ssrf_callback.txt | tail -n+12 | wc -l) + notification "SSRF: ${NUMOFLINES} callbacks received" info end_func "Results are saved in vulns/ssrf_*" ${FUNCNAME[0]} else if [[ $(cat gf/ssrf.txt | wc -l) -le 1000 ]]; then 
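Review bot: Dropping `INTERACT_PID=$!` here leaves no handle on the interactsh-client started on the line above, and the `pkill -f interactsh-client` that replaces `kill $INTERACT_PID` in the -1150,14 hunk below (and in both reconftw_axiom.sh hunks of this patch) terminates every process whose command line contains that string, including a second reconftw run or an operator's own interactsh session on the same host. Keeping `INTERACT_PID=$!` and `kill "$INTERACT_PID"` confines the cleanup to the process this function owns. The fixed `sleep 2` is also the only thing between the background start and the `tail -n1 | cut -c 16-` read of the callback host; if the client is slower to register, `COLLAB_SERVER_FIX` ends up empty and every payload below is built on an empty host. A non-empty check on `COLLAB_SERVER_FIX` after that read, or a short retry loop on `.tmp/ssrf_callback.txt`, would surface that instead of silently fuzzing with an empty host. ssrf_checks continues outside this hunk.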
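Review bot: `NUMOFLINES` is only assigned when the whole `[ -s ".tmp/ssrf_callback.txt" ] && ... && NUMOFLINES=$(...)` chain succeeds, so when the callback file is empty the `notification "SSRF: ${NUMOFLINES} callbacks received" info` line reports whatever the variable held before, since nothing in this function resets it. Initialising it with `NUMOFLINES=0` before the chain yields a correct "0 callbacks" message. The saved lines start at `tail -n+11` while the count starts at `tail -n+12`, so the reported number is one less than the lines written to vulns/ssrf_callback.txt unless line 11 is deliberately excluded; using the same offset in both keeps them consistent. A fixed `sleep 5` is also a short window for out-of-band callbacks, which can arrive well after the request that triggered them, so a configurable wait (e.g. from reconftw.cfg) would reduce missed hits. The same applies to the -1150,14 hunk and to both reconftw_axiom.sh hunks in this patch.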
@@ -1150,14 +1151,15 @@ function ssrf_checks(){ ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/tmp_ssrf.txt -u FUZZ 2>>"$LOGFILE" | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf_requests_url.txt ffuf -v -w .tmp/tmp_ssrf.txt:W1,.tmp/headers_inject.txt:W2 -H "${HEADER}" -H "W2: ${COLLAB_SERVER_FIX}" -t $FFUF_THREADS -u W1 2>>"$LOGFILE" | anew -q vulns/ssrf_requests_headers.txt ffuf -v -w .tmp/tmp_ssrf.txt:W1,.tmp/headers_inject.txt:W2 -H "${HEADER}" -H "W2: ${COLLAB_SERVER_URL}" -t $FFUF_THREADS -u W1 2>>"$LOGFILE" | anew -q vulns/ssrf_requests_headers.txt - [ -s ".tmp/ssrf_callback.txt" ] && cat .tmp/ssrf_callback.txt | tail -n+11 | anew -q vulns/ssrf_callback.txt + sleep 5 + [ -s ".tmp/ssrf_callback.txt" ] && cat .tmp/ssrf_callback.txt | tail -n+11 | anew -q vulns/ssrf_callback.txt && NUMOFLINES=$(cat .tmp/ssrf_callback.txt | tail -n+12 | wc -l) + notification "SSRF: ${NUMOFLINES} callbacks received" info end_func "Results are saved in vulns/ssrf_*" ${FUNCNAME[0]} else end_func "Skipping SSRF: Too many URLs to test, try with --deep flag" ${FUNCNAME[0]} fi fi - [ -n "$INTERACT_PID" ] && kill $INTERACT_PID - [ -n "$INTERACT_PID" ] && unset INTERACT_PID + pkill -f interactsh-client else if [ "$SSRF_CHECKS" = false ]; then printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" diff --git a/reconftw_axiom.sh b/reconftw_axiom.sh index e4a401c2..ae41ee38 100755 --- a/reconftw_axiom.sh +++ b/reconftw_axiom.sh @@ -1157,8 +1157,7 @@ function ssrf_checks(){ start_func "SSRF checks" if [ -z "$COLLAB_SERVER" ]; then interactsh-client &>.tmp/ssrf_callback.txt & - sleep 1 - INTERACT_PID=$! + sleep 2 COLLAB_SERVER_FIX=$(cat .tmp/ssrf_callback.txt | tail -n1 | cut -c 16-) COLLAB_SERVER_URL="http://$COLLAB_SERVER_FIX" else 
@@ -1170,7 +1169,9 @@ function ssrf_checks(){ ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/tmp_ssrf.txt -u FUZZ 2>>"$LOGFILE" | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf_requests_url.txt ffuf -v -w .tmp/tmp_ssrf.txt:W1,.tmp/headers_inject.txt:W2 -H "${HEADER}" -H "W2: ${COLLAB_SERVER_FIX}" -t $FFUF_THREADS -u W1 2>>"$LOGFILE" | anew -q vulns/ssrf_requests_headers.txt ffuf -v -w .tmp/tmp_ssrf.txt:W1,.tmp/headers_inject.txt:W2 -H "${HEADER}" -H "W2: ${COLLAB_SERVER_URL}" -t $FFUF_THREADS -u W1 2>>"$LOGFILE" | anew -q vulns/ssrf_requests_headers.txt - [ -s ".tmp/ssrf_callback.txt" ] && cat .tmp/ssrf_callback.txt | tail -n+11 | anew -q vulns/ssrf_callback.txt + sleep 5 + [ -s ".tmp/ssrf_callback.txt" ] && cat .tmp/ssrf_callback.txt | tail -n+11 | anew -q vulns/ssrf_callback.txt && NUMOFLINES=$(cat .tmp/ssrf_callback.txt | tail -n+12 | wc -l) + notification "SSRF: ${NUMOFLINES} callbacks received" info end_func "Results are saved in vulns/ssrf_*" ${FUNCNAME[0]} else if [[ $(cat gf/ssrf.txt | wc -l) -le 1000 ]]; then 
@@ -1179,14 +1180,15 @@ function ssrf_checks(){ ffuf -v -H "${HEADER}" -t $FFUF_THREADS -w .tmp/tmp_ssrf.txt -u FUZZ 2>>"$LOGFILE" | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssrf_requests_url.txt ffuf -v -w .tmp/tmp_ssrf.txt:W1,.tmp/headers_inject.txt:W2 -H "${HEADER}" -H "W2: ${COLLAB_SERVER_FIX}" -t $FFUF_THREADS -u W1 2>>"$LOGFILE" | anew -q vulns/ssrf_requests_headers.txt ffuf -v -w .tmp/tmp_ssrf.txt:W1,.tmp/headers_inject.txt:W2 -H "${HEADER}" -H "W2: ${COLLAB_SERVER_URL}" -t $FFUF_THREADS -u W1 2>>"$LOGFILE" | anew -q vulns/ssrf_requests_headers.txt - [ -s ".tmp/ssrf_callback.txt" ] && cat .tmp/ssrf_callback.txt | tail -n+11 | anew -q vulns/ssrf_callback.txt + sleep 5 + [ -s ".tmp/ssrf_callback.txt" ] && cat .tmp/ssrf_callback.txt | tail -n+11 | anew -q vulns/ssrf_callback.txt && NUMOFLINES=$(cat .tmp/ssrf_callback.txt | tail -n+12 | wc -l) + notification "SSRF: ${NUMOFLINES} callbacks received" info end_func "Results are saved in vulns/ssrf_*" ${FUNCNAME[0]} else end_func "Skipping SSRF: Too many URLs to test, try with --deep flag" ${FUNCNAME[0]} fi fi - [ -n "$INTERACT_PID" ] && kill $INTERACT_PID - [ -n "$INTERACT_PID" ] && unset INTERACT_PID + pkill -f interactsh-client else if [ "$SSRF_CHECKS" = false ]; then printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n"