From ca1829417ec0021639aee298d380eb91e8a77cbd Mon Sep 17 00:00:00 2001 From: six2dez Date: Fri, 19 Jan 2024 14:25:47 +0100 Subject: [PATCH 1/3] api leaks + pushd + dontgo403 fixes --- README.md | 7 ++- Terraform/files/reconftw.cfg | 3 +- install.sh | 1 + reconftw.cfg | 3 +- reconftw.sh | 91 +++++++++++++++++++++++------------- 5 files changed, 65 insertions(+), 40 deletions(-) diff --git a/README.md b/README.md index 5f65f3e1..4c065127 100644 --- a/README.md +++ b/README.md @@ -7,8 +7,8 @@

- - + + @@ -318,7 +318,6 @@ DNSVALIDATOR_THREADS=200 INTERLACE_THREADS=10 TLSX_THREADS=1000 XNLINKFINDER_DEPTH=3 -BYP4XX_THREADS=20 # Rate limits HTTPX_RATELIMIT=150 @@ -533,7 +532,7 @@ reset='\033[0m' - Broken Links Checker ([katana](https://github.com/projectdiscovery/katana)) - Prototype Pollution ([ppfuzz](https://github.com/dwisiswant0/ppfuzz)) - Web Cache Vulnerabilities ([Web-Cache-Vulnerability-Scanner](https://github.com/Hackmanit/Web-Cache-Vulnerability-Scanner)) -- 4XX Bypasser ([byp4xx](https://github.com/lobuhi/byp4xx)) +- 4XX Bypasser ([dontgo403](https://github.com/devploit/dontgo403)) ## Extras diff --git a/Terraform/files/reconftw.cfg b/Terraform/files/reconftw.cfg index 31152a36..6cbe2e0b 100644 --- a/Terraform/files/reconftw.cfg +++ b/Terraform/files/reconftw.cfg @@ -52,7 +52,7 @@ EMAILS=true # Fetch emails from differents sites DOMAIN_INFO=true # whois info REVERSE_WHOIS=true # amass intel reverse whois info, takes some time IP_INFO=true # Reverse IP search, geolocation and whois -POSTMAN_LEAKS=true # Check for postman leaks +API_LEAKS=true # Check for postman leaks METAFINDER_LIMIT=20 # Max 250 # Subdomains @@ -177,7 +177,6 @@ DNSVALIDATOR_THREADS=200 INTERLACE_THREADS=10 TLSX_THREADS=1000 XNLINKFINDER_DEPTH=3 -BYP4XX_THREADS=20 # Rate limits HTTPX_RATELIMIT=150 diff --git a/install.sh b/install.sh index af160799..3fbaf686 100755 --- a/install.sh +++ b/install.sh @@ -103,6 +103,7 @@ repos["ghauri"]="r0oth3x49/ghauri" repos["gitleaks"]="gitleaks/gitleaks" repos["trufflehog"]="trufflesecurity/trufflehog" repos["dontgo403"]="devploit/dontgo403" +repos["SwaggerSpy"]="UndeadSec/SwaggerSpy" function banner() { tput clear diff --git a/reconftw.cfg b/reconftw.cfg index 16886182..bddb121f 100644 --- a/reconftw.cfg +++ b/reconftw.cfg 
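Review bot: In the Terraform/files/reconftw.cfg hunk the key is renamed to `API_LEAKS` but the trailing comment still reads `# Check for postman leaks`, while the same line in reconftw.cfg (next hunk of this patch) now says `# Check for API leaks`. The two files appear to mirror each other, so the comment should follow the rename here too: `API_LEAKS=true # Check for API leaks`. As it stands, someone configuring the Terraform deployment is told the flag only covers Postman, although apileaks now also drives SwaggerSpy.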
@@ -54,7 +54,7 @@ EMAILS=true # Fetch emails from differents sites DOMAIN_INFO=true # whois info REVERSE_WHOIS=true # amass intel reverse whois info, takes some time IP_INFO=true # Reverse IP search, geolocation and whois -POSTMAN_LEAKS=true # Check for postman leaks +API_LEAKS=true # Check for API leaks METAFINDER_LIMIT=20 # Max 250 # Subdomains @@ -179,7 +179,6 @@ DNSVALIDATOR_THREADS=200 INTERLACE_THREADS=10 TLSX_THREADS=1000 XNLINKFINDER_DEPTH=3 -BYP4XX_THREADS=20 # Rate limits HTTPX_RATELIMIT=150 diff --git a/reconftw.sh b/reconftw.sh index 63b7b735..cd375fcc 100755 --- a/reconftw.sh +++ b/reconftw.sh @@ -169,6 +169,10 @@ function tools_installed() { printf "${bred} [*] regulator [NO]${reset}\n" allinstalled=false } + [ -f "${tools}/dontgo403/dontgo403" ] || { + printf "${bred} [*] dontgo403 [NO]${reset}\n" + allinstalled=false + } command -v github-endpoints &>/dev/null || { printf "${bred} [*] github-endpoints [NO]${reset}\n" allinstalled=false @@ -341,10 +345,6 @@ function tools_installed() { printf "${bred} [*] subfinder [NO]${reset}\n${reset}" allinstalled=false } - command -v byp4xx &>/dev/null || { - printf "${bred} [*] byp4xx [NO]${reset}\n${reset}" - allinstalled=false - } command -v ghauri &>/dev/null || { printf "${bred} [*] ghauri [NO]${reset}\n${reset}" allinstalled=false 
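Review bot: The tools_installed hunk adds a presence check only for dontgo403, although this same patch makes apileaks depend on `${tools}/SwaggerSpy/swaggerspy.py` (install.sh adds the repo) and that function hard-exits when its pushd fails; a parallel check belongs right after the new dontgo403 block so the missing tool is reported up front instead of mid-scan. The dontgo403 test also uses `-f`, whereas 4xxbypass runs it as `./dontgo403`, so `[ -x "${tools}/dontgo403/dontgo403" ] || {` reflects what is actually required. tools_installed continues outside the hunk on both sides.
```shell
# … unchanged: dontgo403 check …
[ -f "${tools}/SwaggerSpy/swaggerspy.py" ] || {
    printf "${bred} [*] SwaggerSpy [NO]${reset}\n"
    allinstalled=false
}
```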
@@ -503,24 +503,37 @@ function metadata() { spinny::stop } -function postleaks() { +function apileaks() { spinny::start - if { [[ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ]] || [[ $DIFF == true ]]; } && [[ $POSTMAN_LEAKS == true ]] && [[ $OSINT == true ]] && ! [[ $domain =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9] ]]; then - start_func ${FUNCNAME[0]} "Scanning for leaks in postman public directory" + if { [[ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ]] || [[ $DIFF == true ]]; } && [[ $API_LEAKS == true ]] && [[ $OSINT == true ]] && ! [[ $domain =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9] ]]; then + start_func ${FUNCNAME[0]} "Scanning for leaks in APIs public directories" porch-pirate -s "$domain" --dump >osint/postman_leaks.txt || { echo "porch-pirate command failed" exit 1 } + pushd "${tools}/SwaggerSpy" >/dev/null || { + echo "Failed to pushd to ${tools}/SwaggerSpy in ${FUNCNAME[0]} @ line ${LINENO}" + exit 1 + } + python swaggerspy.py -d $domain -o ../osint/swagger_leaks.txt 2>>"$LOGFILE" || { + echo "swaggerspy command failed" + exit 1 + } + popd >/dev/null || { + echo "Failed to popd in ${FUNCNAME[0]} @ line ${LINENO}" + exit 1 + } + end_func "Results are saved in $domain/osint/[software/authors/metadata_results].txt" ${FUNCNAME[0]} else - if [[ $POSTMAN_LEAKS == false ]] || [[ $OSINT == false ]]; then + if [[ $API_LEAKS == false ]] || [[ $OSINT == false ]]; then printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" elif [[ $domain =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9] ]]; then return else - if [[ $POSTMAN_LEAKS == false ]] || [[ $OSINT == false ]]; then + if [[ $API_LEAKS == false ]] || [[ $OSINT == false ]]; then printf "\n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset}\n" else printf "${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete\n $called_fn_dir/.${FUNCNAME[0]} ${reset}\n\n" 
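Review bot: After `pushd "${tools}/SwaggerSpy"` the output path `-o ../osint/swagger_leaks.txt` is resolved relative to `${tools}`, not to the scan directory, so SwaggerSpy's results end up under `${tools}/osint/` while porch-pirate a few lines earlier wrote to `osint/postman_leaks.txt` relative to the directory the function was called from; the other pushd hunks in this patch pass `$dir/...` absolute paths and the same applies here: `python3 swaggerspy.py -d "$domain" -o "$dir/osint/swagger_leaks.txt" 2>>"$LOGFILE" || {`. The interpreter is `python` on that line but `python3` everywhere else in this file, which may resolve to a different or absent binary on the install host. The `end_func` message that follows was carried over from metadata() and still names `[software/authors/metadata_results].txt`; with the rename it should point at `osint/postman_leaks.txt` and `osint/swagger_leaks.txt`. The closing `fi` lines of apileaks are outside the hunk.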
@@ -996,13 +1009,16 @@ function sub_regex_permut() { spinny::start if { [[ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ]] || [[ $DIFF == true ]]; } && [[ $SUBREGEXPERMUTE == true ]]; then start_subfunc ${FUNCNAME[0]} "Running : Permutations by regex analysis" - cd "${tools}/regulator" || { + + pushd "${tools}/regulator" >/dev/null || { echo "Failed to cd directory in ${FUNCNAME[0]} @ line ${LINENO}" exit 1 } + python3 main.py -t $domain -f ${dir}/subdomains/subdomains.txt -o ${dir}/.tmp/${domain}.brute - cd "$dir" || { - echo "Failed to cd to $dir in ${FUNCNAME[0]} @ line ${LINENO}" + + popd >/dev/null || { + echo "Failed to popd in ${FUNCNAME[0]} @ line ${LINENO}" exit 1 } @@ -1423,10 +1439,11 @@ function favicon() { spinny::start if { [[ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ]] || [[ $DIFF == true ]]; } && [[ $FAVICON == true ]] && ! [[ $domain =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9] ]]; then start_func ${FUNCNAME[0]} "Favicon Ip Lookup" - cd "${tools}/fav-up" || { + pushd "${tools}/fav-up" >/dev/null || { echo "Failed to cd to $dir in ${FUNCNAME[0]} @ line ${LINENO}" exit 1 } + python3 favUp.py -w "$domain" -sc -o favicontest.json 2>>"$LOGFILE" >/dev/null if [[ -s "favicontest.json" ]]; then cat favicontest.json | jq -r 'try .found_ips' 2>>"$LOGFILE" | grep -v "not-found" >favicontest.txt @@ -1435,8 +1452,9 @@ function favicon() { mv favicontest.txt $dir/hosts/favicontest.txt 2>>"$LOGFILE" rm -f favicontest.json 2>>"$LOGFILE" fi - cd "$dir" || { - echo "Failed to cd to $dir in ${FUNCNAME[0]} @ line ${LINENO}" + + popd >/dev/null || { + echo "Failed to popd in ${FUNCNAME[0]} @ line ${LINENO}" exit 1 } end_func "Results are saved in hosts/favicontest.txt" ${FUNCNAME[0]} 
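Review bot: In the favicon hunk the failure branch of `pushd "${tools}/fav-up"` still reports `Failed to cd to $dir`, naming the directory the function later returns to rather than the one it failed to enter; `echo "Failed to pushd to ${tools}/fav-up in ${FUNCNAME[0]} @ line ${LINENO}"` matches the wording the apileaks hunk of this patch already uses. The sub_regex_permut hunk above, and the spraying, 4xxbypass, smuggling and webcache hunks further down, keep the vaguer `Failed to cd directory` after switching to pushd; the same wording fix applies to each. favicon's middle section between its two hunks, and the remainder of sub_regex_permut, are outside the hunks.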
@@ -2239,13 +2257,15 @@ function spraying() { spinny::start if { [[ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ]] || [[ $DIFF == true ]]; } && [[ $SPRAY == true ]]; then start_func ${FUNCNAME[0]} "Password spraying" - cd "${tools}/brutespray" || { + + pushd "${tools}/brutespray" >/dev/null || { echo "Failed to cd directory in ${FUNCNAME[0]} @ line ${LINENO}" exit 1 } + python3 brutespray.py --file $dir/hosts/portscan_active.gnmap --threads $BRUTESPRAY_THREADS --hosts $BRUTESPRAY_CONCURRENCE -o $dir/vulns/brutespray 2>>"$LOGFILE" >/dev/null - cd "$dir" || { - echo "Failed to cd directory in ${FUNCNAME[0]} @ line ${LINENO}" + popd >/dev/null || { + echo "Failed to popd in ${FUNCNAME[0]} @ line ${LINENO}" exit 1 } end_func "Results are saved in vulns/brutespray folder" ${FUNCNAME[0]} @@ -2288,17 +2308,19 @@ function 4xxbypass() { if [[ $(cat fuzzing/fuzzing_full.txt 2>/dev/null | grep -E '^4' | grep -Ev '^404' | cut -d ' ' -f3 | wc -l) -le 1000 ]] || [[ $DEEP == true ]]; then start_func "403 bypass" cat $dir/fuzzing/fuzzing_full.txt 2>/dev/null | grep -E '^4' | grep -Ev '^404' | cut -d ' ' -f3 >$dir/.tmp/403test.txt - cd "${tools}/byp4xx" || { + + pushd "${tools}/dontgo403" >/dev/null || { echo "Failed to cd directory in ${FUNCNAME[0]} @ line ${LINENO}" exit 1 } - byp4xx -threads $BYP4XX_THREADS $dir/.tmp/403test.txt >$dir/.tmp/byp4xx.txt - cd "$dir" || { - echo "Failed to cd directory in ${FUNCNAME[0]} @ line ${LINENO}" + + cat $dir/.tmp/403test.txt | ./dontgo403 >$dir/.tmp/4xxbypass.txt + popd >/dev/null || { + echo "Failed to popd in ${FUNCNAME[0]} @ line ${LINENO}" exit 1 } - [ -s ".tmp/byp4xx.txt" ] && cat .tmp/byp4xx.txt | anew -q vulns/byp4xx.txt - end_func "Results are saved in vulns/byp4xx.txt" ${FUNCNAME[0]} + [ -s ".tmp/4xxbypass.txt" ] && cat .tmp/4xxbypass.txt | anew -q vulns/4xxbypass.txt + end_func "Results are saved in vulns/4xxbypass.txt" ${FUNCNAME[0]} else notification "Too many urls to bypass, skipping" warn fi 
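Review bot: In the 4xxbypass hunk, `cat $dir/.tmp/403test.txt | ./dontgo403 >$dir/.tmp/4xxbypass.txt` discards dontgo403's stderr and ignores its exit status, so if the binary is missing, not executable, or does not take targets on stdin, the result file is simply empty and the following `[ -s ".tmp/4xxbypass.txt" ]` guard makes the whole step vanish with nothing in the log. Several other tool invocations in this patch append stderr to `$LOGFILE`; `./dontgo403 <"$dir/.tmp/403test.txt" >"$dir/.tmp/4xxbypass.txt" 2>>"$LOGFILE" || echo "dontgo403 failed in ${FUNCNAME[0]} @ line ${LINENO}" >>"$LOGFILE"` keeps a failure visible and drops the redundant cat. Whether dontgo403 reads its URL list from stdin rather than a flag cannot be verified from the hunk and should be checked against the tool's usage. The opening lines of 4xxbypass are outside the hunk.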
@@ -2339,16 +2361,15 @@ function smuggling() { start_func ${FUNCNAME[0]} "HTTP Request Smuggling checks" [ ! -s ".tmp/webs_all.txt" ] && cat webs/webs.txt webs/webs_uncommon_ports.txt 2>/dev/null | anew -q .tmp/webs_all.txt if [[ $DEEP == true ]] || [[ $(cat .tmp/webs_all.txt | wc -l) -le $DEEP_LIMIT ]]; then - cd "${tools}/smuggler" || { + pushd "${tools}/smuggler" >/dev/null || { echo "Failed to cd directory in ${FUNCNAME[0]} @ line ${LINENO}" exit 1 } cat $dir/.tmp/webs_all.txt | python3 smuggler.py -q --no-color 2>/dev/null | anew -q $dir/.tmp/smuggling.txt - cd "$dir" || { - echo "Failed to cd to $dir in ${FUNCNAME[0]} @ line ${LINENO}" + popd >/dev/null || { + echo "Failed to popd in ${FUNCNAME[0]} @ line ${LINENO}" exit 1 - } - [ -s ".tmp/smuggling.txt" ] && cat .tmp/smuggling.txt | anew -q vulns/smuggling.txt + } [ -s ".tmp/smuggling.txt" ] && cat .tmp/smuggling.txt | anew -q vulns/smuggling.txt end_func "Results are saved in vulns/smuggling.txt" ${FUNCNAME[0]} else end_func "Skipping Prototype Pollution: Too many webs to test, try with --deep flag" ${FUNCNAME[0]} @@ -2369,13 +2390,14 @@ function webcache() { start_func ${FUNCNAME[0]} "Web Cache Poisoning checks" [ ! -s ".tmp/webs_all.txt" ] && cat webs/webs.txt webs/webs_uncommon_ports.txt 2>/dev/null | anew -q .tmp/webs_all.txt if [[ $DEEP == true ]] || [[ $(cat .tmp/webs_all.txt | wc -l) -le $DEEP_LIMIT ]]; then - cd "${tools}/Web-Cache-Vulnerability-Scanner" || { + pushd "${tools}/Web-Cache-Vulnerability-Scanner" >/dev/null || { echo "Failed to cd directory in ${FUNCNAME[0]} @ line ${LINENO}" exit 1 } + Web-Cache-Vulnerability-Scanner -u file:$dir/.tmp/webs_all.txt -v 0 2>/dev/null | anew -q $dir/.tmp/webcache.txt - cd "$dir" || { - echo "Failed to cd to $dir in ${FUNCNAME[0]} @ line ${LINENO}" + popd >/dev/null || { + echo "Failed to popd in ${FUNCNAME[0]} @ line ${LINENO}" exit 1 } [ -s ".tmp/webcache.txt" ] && cat .tmp/webcache.txt | anew -q vulns/webcache.txt 
@@ -2851,6 +2873,7 @@ function passive() { github_dorks github_repos metadata + apileaks SUBNOERROR=false SUBANALYTICS=false SUBBRUTE=false @@ -2893,6 +2916,7 @@ function osint() { github_dorks github_repos metadata + apileaks zonetransfer favicon } @@ -2977,6 +3001,7 @@ function multi_osint() { github_dorks github_repos metadata + apileaks zonetransfer favicon done @@ -2997,6 +3022,7 @@ function recon() { github_dorks github_repos metadata + apileaks zonetransfer favicon @@ -3095,6 +3121,7 @@ function multi_recon() { github_dorks github_repos metadata + apileaks zonetransfer favicon currently=$(date +"%H:%M:%S") From 1567badf5e69d228e9f7054fa53b39abefdfd58c Mon Sep 17 00:00:00 2001 From: six2dez Date: Fri, 19 Jan 2024 14:27:40 +0100 Subject: [PATCH 2/3] update readme for apis search --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 4c065127..fc3c94c9 100644 --- a/README.md +++ b/README.md @@ -473,6 +473,7 @@ reset='\033[0m' - Domain information ([whois](https://github.com/rfc1036/whois) and [amass](https://github.com/OWASP/Amass)) - Emails addresses and users ([emailfinder](https://github.com/Josue87/EmailFinder)) - Metadata finder ([MetaFinder](https://github.com/Josue87/MetaFinder)) +- API leaks search ([porch-pirate](https://github.com/MandConsultingGroup/porch-pirate) and [SwaggerSpy](https://github.com/UndeadSec/SwaggerSpy)) - Google Dorks ([dorks_hunter](https://github.com/six2dez/dorks_hunter)) - Github Dorks ([gitdorks_go](https://github.com/damit5/gitdorks_go)) - GitHub org analysis ([enumerepo](https://github.com/trickest/enumerepo), [trufflehog](https://github.com/trufflesecurity/trufflehog) and [gitleaks](https://github.com/gitleaks/gitleaks)) From e52ce398cc6df2589b1b63cf212baf2297970bb8 Mon Sep 17 00:00:00 2001 From: six2dez Date: Fri, 19 Jan 2024 14:43:47 +0100 Subject: [PATCH 3/3] smuggler fix --- reconftw.sh | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) 
diff --git a/reconftw.sh b/reconftw.sh index cd375fcc..0979808d 100755 --- a/reconftw.sh +++ b/reconftw.sh @@ -2366,13 +2366,16 @@ function smuggling() { exit 1 } cat $dir/.tmp/webs_all.txt | python3 smuggler.py -q --no-color 2>/dev/null | anew -q $dir/.tmp/smuggling.txt + mkdir -p $dir/vulns/smuggling/ + find payloads -type f ! -name "README*" -exec mv {} $dir/vulns/smuggling/ \; popd >/dev/null || { echo "Failed to popd in ${FUNCNAME[0]} @ line ${LINENO}" exit 1 - } [ -s ".tmp/smuggling.txt" ] && cat .tmp/smuggling.txt | anew -q vulns/smuggling.txt - end_func "Results are saved in vulns/smuggling.txt" ${FUNCNAME[0]} + } + [ -s ".tmp/smuggling.txt" ] && cat .tmp/smuggling.txt | anew -q vulns/smuggling_log.txt + end_func "Results are saved in vulns/smuggling_log.txt and findings in vulns/smuggling/" ${FUNCNAME[0]} else - end_func "Skipping Prototype Pollution: Too many webs to test, try with --deep flag" ${FUNCNAME[0]} + end_func "Skipping Request Smuggling: Too many webs to test, try with --deep flag" ${FUNCNAME[0]} fi else if [[ $SMUGGLING == false ]]; then
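Review bot: `find payloads -type f ! -name "README*" -exec mv {} $dir/vulns/smuggling/ \;` runs while the cwd is still `${tools}/smuggler` and moves every non-README file out of the tool's `payloads` directory on each run, with `$dir` unquoted and any find/mv error (for example a missing `payloads` directory) going to the terminal instead of `$LOGFILE`. Whether smuggler keeps files of its own under `payloads/` that would be relocated by this is not verifiable from the hunk; at minimum quote the destination and log errors: `find payloads -type f ! -name "README*" -exec mv {} "$dir/vulns/smuggling/" \; 2>>"$LOGFILE"`. The `mkdir -p $dir/vulns/smuggling/` line above it should be quoted for the same reason. The head and tail of smuggling are outside the hunk.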