| 1 | + | package main |
| 2 | + | |
| 3 | + | import ( |
| 4 | + | "fmt" |
| 5 | + | "net/http" |
| 6 | + | "sync" |
| 7 | + | "io/ioutil" |
| 8 | + | "time" |
| 9 | + | "net" |
| 10 | + | "crypto/tls" |
| 11 | + | "github.com/fatih/color" |
| 12 | + | "flag" |
| 13 | + | "bufio" |
| 14 | + | "os" |
| 15 | + | "log" |
| 16 | + | "strings" |
| 17 | + | |
| 18 | + | ) |
| 19 | + | |
| 20 | + | var Threads int |
| 21 | + | var recheck_url string |
| 22 | + | var method string |
| 23 | + | var body string |
| 24 | + | var payload string |
| 25 | + | var base_size int |
| 26 | + | var matcher string |
| 27 | + | var payloads []string |
| 28 | + | var confirm []string |
| 29 | + | var verify bool |
| 30 | + | var grep string |
| 31 | + | var greps []string |
| 32 | + | |
| 33 | + | func getClient() *http.Client { |
| 34 | + | tr := &http.Transport{ |
| 35 | + | MaxIdleConns: 30, |
| 36 | + | IdleConnTimeout: time.Second, |
| 37 | + | TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, |
| 38 | + | DialContext: (&net.Dialer{ |
| 39 | + | Timeout: time.Second * 10, |
| 40 | + | KeepAlive: time.Second, |
| 41 | + | }).DialContext, |
| 42 | + | } |
| 43 | + | |
| 44 | + | re := func(req *http.Request, via []*http.Request) error { |
| 45 | + | return http.ErrUseLastResponse |
| 46 | + | } |
| 47 | + | |
| 48 | + | return &http.Client{ |
| 49 | + | Transport: tr, |
| 50 | + | CheckRedirect: re, |
| 51 | + | Timeout: time.Second * 10, |
| 52 | + | } |
| 53 | + | } |
| 54 | + | |
| 55 | + | func base_request(c *http.Client, u string, method string, matcher string) (int, string) { |
| 56 | + | req, _ := http.NewRequest(method, u, nil) |
| 57 | + | if req != nil { |
| 58 | + | resp, _ := c.Do(req) |
| 59 | + | if resp != nil { |
| 60 | + | contents, _ := ioutil.ReadAll(resp.Body) |
| 61 | + | if matcher == "check" { |
| 62 | + | body = string(contents) |
| 63 | + | } |
| 64 | + | base_size = len(contents) |
| 65 | + | resp.Body.Close() |
| 66 | + | } |
| 67 | + | } |
| 68 | + | |
| 69 | + | return base_size, body |
| 70 | + | } |
| 71 | + | |
| 72 | + | |
| 73 | + | func requester(c *http.Client, u string, method string, list []string , verify bool, matcher string) { |
| 74 | + | req_base, _ := base_request(c, u, method, matcher) |
| 75 | + | for _, test := range list { |
| 76 | + | url := strings.Replace(u, "FUZZ", test, -1) |
| 77 | + | req_test, _ := base_request(c, url, method , matcher) |
| 78 | + | if req_test != req_base { |
| 79 | + | if verify != true { |
| 80 | + | fmt.Printf("%v %s\n", color.RedString("[!] Potential vulnerability found at:..🛠") , url) |
| 81 | + | fmt.Printf("%v\n", color.CyanString("[~] Storing for confirmation..✒")) |
| 82 | + | } |
| 83 | + | confirm = append(confirm, url) |
| 84 | + | } |
| 85 | + | } |
| 86 | + | if verify != true { |
| 87 | + | fmt.Printf("%v\n",color.YellowString("[>] Staring confirmation tests..🔍")) |
| 88 | + | } |
| 89 | + | matcher = "check" |
| 90 | + | for _, recheck_url = range confirm { |
| 91 | + | _, checkbody := base_request(c, recheck_url, method, matcher) |
| 92 | + | for _, query := range greps { |
| 93 | + | if strings.Contains(checkbody, query) { |
| 94 | + | fmt.Printf("%v %s\n", color.GreenString("[+] POC:..✨"), recheck_url) |
| 95 | + | } |
| 96 | + | } |
| 97 | + | } |
| 98 | + | } |
| 99 | + | |
| 100 | + | func grep_add(path string) []string { |
| 101 | + | if path != "" { |
| 102 | + | file, err := os.Open(path) |
| 103 | + | if err != nil { |
| 104 | + | log.Fatal(err) |
| 105 | + | } |
| 106 | + | defer file.Close() |
| 107 | + | |
| 108 | + | scanner := bufio.NewScanner(file) |
| 109 | + | for scanner.Scan() { |
| 110 | + | greps = append(greps, scanner.Text()) |
| 111 | + | } |
| 112 | + | |
| 113 | + | if err := scanner.Err(); err != nil { |
| 114 | + | log.Fatal(err) |
| 115 | + | } |
| 116 | + | } else { |
| 117 | + | greps = []string{"bount64yit", "uid=", "groups=" ,"Program Files", "Windows", "[boot loader]", "[drivers]", "[Mail]", "HTTP /1.1", "HTTP /1.0", "About php.ini", "root:x:", "root:*"} |
| 118 | + | } |
| 119 | + | |
| 120 | + | return greps |
| 121 | + | } |
| 122 | + | |
| 123 | + | func payloadlist(path string) []string { |
| 124 | + | file, err := os.Open(path) |
| 125 | + | if err != nil { |
| 126 | + | log.Fatal(err) |
| 127 | + | } |
| 128 | + | defer file.Close() |
| 129 | + | |
| 130 | + | scanner := bufio.NewScanner(file) |
| 131 | + | for scanner.Scan() { |
| 132 | + | payloads = append(payloads, scanner.Text()) |
| 133 | + | } |
| 134 | + | |
| 135 | + | if err := scanner.Err(); err != nil { |
| 136 | + | log.Fatal(err) |
| 137 | + | } |
| 138 | + | return payloads |
| 139 | + | } |
| 140 | + | |
| 141 | + | func Banner() { |
| 142 | + | color.HiGreen(` |
| 143 | + | __________ __ .___ __ |
| 144 | + | \______ \ ____ __ __ _____/ |_ ___.__. | |/ |_ |
| 145 | + | | | _// _ \| | \/ \ __< | | | \ __\ |
| 146 | + | | | ( <_> ) | / | \ | \___ | | || | |
| 147 | + | |______ /\____/|____/|___| /__| / ____| |___||__| |
| 148 | + | \/ \/ \/ v1.0 |
| 149 | + | `) |
| 150 | + | color.HiRed(" " + "Made with <3 by @shivangx01b") |
| 151 | + | |
| 152 | + | } |
| 153 | + | |
| 154 | + | func ParseArguments() { |
| 155 | + | flag.IntVar(&Threads, "t", 40, "Number of workers to use..default 40. Ex: -t 50") |
| 156 | + | flag.StringVar(&payload, "p", "", "Feed the list of payloads to fuzz. Ex: -p ~/wordlists/lfi.txt") |
| 157 | + | flag.StringVar(&method, "method", "GET", "Add method name if required. Ex: -method PUT. Default \"GET\"") |
| 158 | + | flag.BoolVar(&verify, "verify", false, "Only prints confirmed results. Ex -verify ") |
| 159 | + | flag.StringVar(&grep, "grep", "", "Specify custom grepping singantures. Ex -grep singantures.txt") |
| 160 | + | flag.Parse() |
| 161 | + | } |
| 162 | + | |
| 163 | + | |
| 164 | + | func main() { |
| 165 | + | ParseArguments() |
| 166 | + | Banner() |
| 167 | + | checkin, _ := os.Stdin.Stat() |
| 168 | + | if checkin.Mode() & os.ModeNamedPipe > 0 { |
| 169 | + | if payload != "" { |
| 170 | + | list := payloadlist(payload) |
| 171 | + | grep_add(grep) |
| 172 | + | matcher = "nocheck" |
| 173 | + | urls := make(chan string, Threads) |
| 174 | + | processGroup := new(sync.WaitGroup) |
| 175 | + | processGroup.Add(Threads) |
| 176 | + | |
| 177 | + | for i := 0; i < Threads; i++ { |
| 178 | + | c := getClient() |
| 179 | + | go func() { |
| 180 | + | defer processGroup.Done() |
| 181 | + | for u := range urls { |
| 182 | + | requester(c, u, method, list, verify, matcher) |
| 183 | + | } |
| 184 | + | }() |
| 185 | + | } |
| 186 | + | |
| 187 | + | sc := bufio.NewScanner(os.Stdin) |
| 188 | + | |
| 189 | + | for sc.Scan() { |
| 190 | + | urls <- sc.Text() |
| 191 | + | } |
| 192 | + | close(urls) |
| 193 | + | processGroup.Wait() |
| 194 | + | } else { |
| 195 | + | color.HiRed("\n[!] Must give payload list") |
| 196 | + | } |
| 197 | + | } else { |
| 198 | + | color.HiRed("\n[!] Check: BountyIt -h for arguments") |
| 199 | + | } |
| 200 | + | } |