| skipped 13 lines |
| 14 | 14 | | "os" |
| 15 | 15 | | "log" |
| 16 | 16 | | "strings" |
| | 17 | + | "regexp" |
| 17 | 18 | | |
| 18 | 19 | | ) |
| 19 | 20 | | |
| 20 | 21 | | var Threads int |
| 21 | 22 | | var recheck_url string |
| | 23 | + | var header string |
| 22 | 24 | | var method string |
| 23 | 25 | | var body string |
| 24 | 26 | | var payload string |
| skipped 4 lines |
| 29 | 31 | | var verify bool |
| 30 | 32 | | var grep string |
| 31 | 33 | | var greps []string |
| | 34 | + | var req *http.Request |
| 32 | 35 | | |
| 33 | 36 | | func getClient() *http.Client { |
| 34 | 37 | | tr := &http.Transport{ |
| skipped 17 lines |
| 52 | 55 | | } |
| 53 | 56 | | } |
| 54 | 57 | | |
| 55 | | - | func base_request(c *http.Client, u string, method string, matcher string) (int, string) { |
| 56 | | - | req, _ := http.NewRequest(method, u, nil) |
| | 58 | + | func custom_header(header string) { |
| | 59 | + | parse := strings.ReplaceAll(header, "\\n", "\n") |
| | 60 | + | var h_name string |
| | 61 | + | var v_name string |
| | 62 | + | r := regexp.MustCompile(`(.*):\s(.*)`) |
| | 63 | + | matches := r.FindStringSubmatch(parse) |
| | 64 | + | for i, match := range matches { |
| | 65 | + | if i == 1 { |
| | 66 | + | h_name = match |
| | 67 | + | } |
| | 68 | + | if i == 2 { |
| | 69 | + | v_name = match |
| | 70 | + | } |
| | 71 | + | |
| | 72 | + | } |
| | 73 | + | req.Header.Set(h_name, v_name) |
| | 74 | + | } |
| | 75 | + | |
| | 76 | + | func base_request(c *http.Client, u string, method string, matcher string, header string) (int, string) { |
| | 77 | + | req, _ = http.NewRequest(method, u, nil) |
| 57 | 78 | | if req != nil { |
| | 79 | + | if header != "" { |
| | 80 | + | custom_header(header) |
| | 81 | + | } |
| 58 | 82 | | resp, _ := c.Do(req) |
| 59 | 83 | | if resp != nil { |
| 60 | 84 | | contents, _ := ioutil.ReadAll(resp.Body) |
| skipped 9 lines |
| 70 | 94 | | } |
| 71 | 95 | | |
| 72 | 96 | | |
| 73 | | - | func requester(c *http.Client, u string, method string, list []string , verify bool, matcher string) { |
| 74 | | - | req_base, _ := base_request(c, u, method, matcher) |
| | 97 | + | func requester(c *http.Client, u string, method string, list []string , verify bool, matcher string, header string) { |
| | 98 | + | req_base, _ := base_request(c, u, method, matcher, header) |
| 75 | 99 | | for _, test := range list { |
| 76 | 100 | | url := strings.Replace(u, "FUZZ", test, -1) |
| 77 | | - | req_test, _ := base_request(c, url, method , matcher) |
| | 101 | + | req_test, _ := base_request(c, url, method , matcher, header) |
| 78 | 102 | | if req_test != req_base { |
| 79 | 103 | | if verify != true { |
| 80 | 104 | | fmt.Printf("%v %s\n", color.RedString("[!] Potential vulnerability found at:..🛠") , url) |
| skipped 7 lines |
| 88 | 112 | | } |
| 89 | 113 | | matcher = "check" |
| 90 | 114 | | for _, recheck_url = range confirm { |
| 91 | | - | _, checkbody := base_request(c, recheck_url, method, matcher) |
| | 115 | + | _, checkbody := base_request(c, recheck_url, method, matcher, header) |
| 92 | 116 | | for _, query := range greps { |
| 93 | 117 | | if strings.Contains(checkbody, query) { |
| 94 | 118 | | fmt.Printf("%v %s\n", color.GreenString("[+] POC:..✨"), recheck_url) |
| skipped 19 lines |
| 114 | 138 | | log.Fatal(err) |
| 115 | 139 | | } |
| 116 | 140 | | } else { |
| 117 | | - | greps = []string{"bount64yit", "uid=", "groups=" ,"Program Files", "Windows", "[boot loader]", "[drivers]", "[Mail]", "HTTP /1.1", "HTTP /1.0", "About php.ini", "root:x:", "root:*"} |
| | 141 | + | greps = []string{"bount64yit", "[boot loader]", "[drivers]", "[Mail]", "About php.ini", "root:x:", "root:*"} |
| 118 | 142 | | } |
| 119 | 143 | | |
| 120 | 144 | | return greps |
| skipped 34 lines |
| 155 | 179 | | flag.IntVar(&Threads, "t", 40, "Number of workers to use..default 40. Ex: -t 50") |
| 156 | 180 | | flag.StringVar(&payload, "p", "", "Feed the list of payloads to fuzz. Ex: -p ~/wordlists/lfi.txt") |
| 157 | 181 | | flag.StringVar(&method, "method", "GET", "Add method name if required. Ex: -method PUT. Default \"GET\"") |
| | 182 | + | flag.StringVar(&header, "header", "", "Add any custom header if required. Ex: -header \"Cookie: Session=12cbcx....\"") |
| 158 | 183 | | flag.BoolVar(&verify, "verify", false, "Only prints confirmed results. Ex -verify ") |
| 159 | | - | flag.StringVar(&grep, "grep", "", "Specify custom grepping singantures. Ex -grep singantures.txt") |
| | 184 | + | flag.StringVar(&grep, "grep", "", "Specify custom grepping signatures. Ex -grep signatures.txt") |
| 160 | 185 | | flag.Parse() |
| 161 | 186 | | } |
| 162 | 187 | | |
| skipped 16 lines |
| 179 | 204 | | go func() { |
| 180 | 205 | | defer processGroup.Done() |
| 181 | 206 | | for u := range urls { |
| 182 | | - | requester(c, u, method, list, verify, matcher) |
| | 207 | + | requester(c, u, method, list, verify, matcher, header) |
| 183 | 208 | | } |
| 184 | 209 | | }() |
| 185 | 210 | | } |
| skipped 15 lines |
Shivangx01b
committed
with
GitHub
3 years ago
1 parent 2a0aadc7