| skipped 13 lines |
14 | 14 | | "os" |
15 | 15 | | "log" |
16 | 16 | | "strings" |
| 17 | + | "regexp" |
17 | 18 | | |
18 | 19 | | ) |
19 | 20 | | |
20 | 21 | | var Threads int |
21 | 22 | | var recheck_url string |
| 23 | + | var header string |
22 | 24 | | var method string |
23 | 25 | | var body string |
24 | 26 | | var payload string |
| skipped 4 lines |
29 | 31 | | var verify bool |
30 | 32 | | var grep string |
31 | 33 | | var greps []string |
| 34 | + | var req *http.Request |
32 | 35 | | |
33 | 36 | | func getClient() *http.Client { |
34 | 37 | | tr := &http.Transport{ |
| skipped 17 lines |
52 | 55 | | } |
53 | 56 | | } |
54 | 57 | | |
55 | | - | func base_request(c *http.Client, u string, method string, matcher string) (int, string) { |
56 | | - | req, _ := http.NewRequest(method, u, nil) |
| 58 | + | func custom_header(header string) { |
| 59 | + | parse := strings.ReplaceAll(header, "\\n", "\n") |
| 60 | + | var h_name string |
| 61 | + | var v_name string |
| 62 | + | r := regexp.MustCompile(`(.*):\s(.*)`) |
| 63 | + | matches := r.FindStringSubmatch(parse) |
| 64 | + | for i, match := range matches { |
| 65 | + | if i == 1 { |
| 66 | + | h_name = match |
| 67 | + | } |
| 68 | + | if i == 2 { |
| 69 | + | v_name = match |
| 70 | + | } |
| 71 | + | |
| 72 | + | } |
| 73 | + | req.Header.Set(h_name, v_name) |
| 74 | + | } |
| 75 | + | |
| 76 | + | func base_request(c *http.Client, u string, method string, matcher string, header string) (int, string) { |
| 77 | + | req, _ = http.NewRequest(method, u, nil) |
57 | 78 | | if req != nil { |
| 79 | + | if header != "" { |
| 80 | + | custom_header(header) |
| 81 | + | } |
58 | 82 | | resp, _ := c.Do(req) |
59 | 83 | | if resp != nil { |
60 | 84 | | contents, _ := ioutil.ReadAll(resp.Body) |
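Review bot: The package-level `req` added at line 34 and assigned in `base_request` (line 77) is shared by every worker goroutine started in the `go func()` loop near line 204 (presumably one per `Threads`), so concurrent calls race on it: one worker's `custom_header` can set its header on another worker's request, or `c.Do(req)` can send a request built by a different worker. Keep the request local and pass it explicitly — `req, _ := http.NewRequest(method, u, nil)` in `base_request`, `func custom_header(req *http.Request, header string)`, and `custom_header(req, header)` at the call site — and drop `var req *http.Request`. Separately, `custom_header` rewrites literal `\n` into newlines but then uses only the first `FindStringSubmatch` result, so at most one header is ever set, and when `(.*):\s(.*)` does not match (e.g. no whitespace after the colon) `h_name` and `v_name` stay empty and `req.Header.Set("", "")` still runs; splitting the parsed string per line on the first `: ` and skipping empty names would cover both. `regexp.MustCompile` is also re-run on every request here; if the regex stays, hoist it to package scope. `base_request`'s body continues past this hunk.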
| skipped 9 lines |
70 | 94 | | } |
71 | 95 | | |
72 | 96 | | |
73 | | - | func requester(c *http.Client, u string, method string, list []string , verify bool, matcher string) { |
74 | | - | req_base, _ := base_request(c, u, method, matcher) |
| 97 | + | func requester(c *http.Client, u string, method string, list []string , verify bool, matcher string, header string) { |
| 98 | + | req_base, _ := base_request(c, u, method, matcher, header) |
75 | 99 | | for _, test := range list { |
76 | 100 | | url := strings.Replace(u, "FUZZ", test, -1) |
77 | | - | req_test, _ := base_request(c, url, method , matcher) |
| 101 | + | req_test, _ := base_request(c, url, method , matcher, header) |
78 | 102 | | if req_test != req_base { |
79 | 103 | | if verify != true { |
80 | 104 | | fmt.Printf("%v %s\n", color.RedString("[!] Potential vulnerability found at:..🛠") , url) |
| skipped 7 lines |
88 | 112 | | } |
89 | 113 | | matcher = "check" |
90 | 114 | | for _, recheck_url = range confirm { |
91 | | - | _, checkbody := base_request(c, recheck_url, method, matcher) |
| 115 | + | _, checkbody := base_request(c, recheck_url, method, matcher, header) |
92 | 116 | | for _, query := range greps { |
93 | 117 | | if strings.Contains(checkbody, query) { |
94 | 118 | | fmt.Printf("%v %s\n", color.GreenString("[+] POC:..✨"), recheck_url) |
| skipped 19 lines |
114 | 138 | | log.Fatal(err) |
115 | 139 | | } |
116 | 140 | | } else { |
117 | | - | greps = []string{"bount64yit", "uid=", "groups=" ,"Program Files", "Windows", "[boot loader]", "[drivers]", "[Mail]", "HTTP /1.1", "HTTP /1.0", "About php.ini", "root:x:", "root:*"} |
| 141 | + | greps = []string{"bount64yit", "[boot loader]", "[drivers]", "[Mail]", "About php.ini", "root:x:", "root:*"} |
118 | 142 | | } |
119 | 143 | | |
120 | 144 | | return greps |
| skipped 34 lines |
155 | 179 | | flag.IntVar(&Threads, "t", 40, "Number of workers to use..default 40. Ex: -t 50") |
156 | 180 | | flag.StringVar(&payload, "p", "", "Feed the list of payloads to fuzz. Ex: -p ~/wordlists/lfi.txt") |
157 | 181 | | flag.StringVar(&method, "method", "GET", "Add method name if required. Ex: -method PUT. Default \"GET\"") |
| 182 | + | flag.StringVar(&header, "header", "", "Add any custom header if required. Ex: -header \"Cookie: Session=12cbcx....\"") |
158 | 183 | | flag.BoolVar(&verify, "verify", false, "Only prints confirmed results. Ex -verify ") |
159 | | - | flag.StringVar(&grep, "grep", "", "Specify custom grepping singantures. Ex -grep singantures.txt") |
| 184 | + | flag.StringVar(&grep, "grep", "", "Specify custom grepping signatures. Ex -grep signatures.txt") |
160 | 185 | | flag.Parse() |
161 | 186 | | } |
162 | 187 | | |
| skipped 16 lines |
179 | 204 | | go func() { |
180 | 205 | | defer processGroup.Done() |
181 | 206 | | for u := range urls { |
182 | | - | requester(c, u, method, list, verify, matcher) |
| 207 | + | requester(c, u, method, list, verify, matcher, header) |
183 | 208 | | } |
184 | 209 | | }() |
185 | 210 | | } |
| skipped 15 lines |