2020-12-21 14:31:32 +05:30
|
|
|
package http
|
2020-12-22 04:11:07 +05:30
|
|
|
|
2020-12-26 14:55:15 +05:30
|
|
|
import (
|
2021-01-12 02:44:51 +05:30
|
|
|
"strings"
|
|
|
|
|
|
2020-12-28 01:33:50 +05:30
|
|
|
"github.com/pkg/errors"
|
|
|
|
|
"github.com/projectdiscovery/nuclei/v2/pkg/operators"
|
2020-12-26 14:55:15 +05:30
|
|
|
"github.com/projectdiscovery/nuclei/v2/pkg/protocols"
|
|
|
|
|
"github.com/projectdiscovery/nuclei/v2/pkg/protocols/common/generators"
|
2020-12-28 01:33:50 +05:30
|
|
|
"github.com/projectdiscovery/nuclei/v2/pkg/protocols/http/httpclientpool"
|
|
|
|
|
"github.com/projectdiscovery/rawhttp"
|
|
|
|
|
"github.com/projectdiscovery/retryablehttp-go"
|
2020-12-26 14:55:15 +05:30
|
|
|
)
|
2020-12-22 04:11:07 +05:30
|
|
|
|
|
|
|
|
// Request contains a http request to be made from a template
|
|
|
|
|
type Request struct {
|
2021-03-09 15:00:22 +05:30
|
|
|
// Operators for the current request go here.
|
|
|
|
|
operators.Operators `yaml:",inline"`
|
2021-07-27 16:03:56 +05:30
|
|
|
// description: |
|
|
|
|
|
// Path contains the path/s for the HTTP requests. It supports variables
|
|
|
|
|
// as placeholders.
|
|
|
|
|
// examples:
|
|
|
|
|
// - name: Some example path values
|
|
|
|
|
// value: >
|
|
|
|
|
// []string{"{{BaseURL}}", "{{BaseURL}}/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions"}
|
2021-08-04 14:20:48 +05:30
|
|
|
Path []string `yaml:"path,omitempty"`
|
2021-07-27 16:03:56 +05:30
|
|
|
// description: |
|
|
|
|
|
// Raw contains HTTP Requests in Raw format.
|
|
|
|
|
// examples:
|
|
|
|
|
// - name: Some example raw requests
|
|
|
|
|
// value: |
|
|
|
|
|
// []string{"GET /etc/passwd HTTP/1.1\nHost:\nContent-Length: 4", "POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.1\nHost: {{Hostname}}\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0\nContent-Length: 1\nConnection: close\n\necho\necho\ncat /etc/passwd 2>&1"}
|
2021-08-04 14:20:48 +05:30
|
|
|
Raw []string `yaml:"raw,omitempty"`
|
2021-08-03 22:33:50 +05:30
|
|
|
// ID is the ID of the request
|
2021-08-04 14:20:48 +05:30
|
|
|
ID string `yaml:"id,omitempty"`
|
2021-07-27 16:03:56 +05:30
|
|
|
// description: |
|
|
|
|
|
// Name is the optional name of the request.
|
|
|
|
|
//
|
|
|
|
|
// If a name is specified, all the named request in a template can be matched upon
|
|
|
|
|
// in a combined manner allowing multirequest based matchers.
|
2021-08-04 14:20:48 +05:30
|
|
|
Name string `yaml:"name,omitempty"`
|
2021-07-27 16:03:56 +05:30
|
|
|
// description: |
|
|
|
|
|
// Attack is the type of payload combinations to perform.
|
|
|
|
|
//
|
|
|
|
|
// Sniper is each payload once, pitchfork combines multiple payload sets and clusterbomb generates
|
|
|
|
|
// permutations and combinations for all payloads.
|
|
|
|
|
// values:
|
|
|
|
|
// - "sniper"
|
|
|
|
|
// - "pitchfork"
|
|
|
|
|
// - "clusterbomb"
|
2021-08-04 14:20:48 +05:30
|
|
|
AttackType string `yaml:"attack,omitempty"`
|
2021-07-27 16:03:56 +05:30
|
|
|
// description: |
|
|
|
|
|
// Method is the HTTP Request Method.
|
|
|
|
|
// values:
|
|
|
|
|
// - "GET"
|
|
|
|
|
// - "POST"
|
|
|
|
|
// - "PUT"
|
|
|
|
|
// - "DELETE"
|
2021-08-04 14:20:48 +05:30
|
|
|
Method string `yaml:"method,omitempty"`
|
2021-07-27 16:03:56 +05:30
|
|
|
// description: |
|
|
|
|
|
// Body is an optional parameter which contains HTTP Request body.
|
|
|
|
|
// examples:
|
|
|
|
|
// - name: Same Body for a Login POST request
|
|
|
|
|
// value: "\"username=test&password=test\""
|
2021-08-04 14:20:48 +05:30
|
|
|
Body string `yaml:"body,omitempty"`
|
2021-07-27 16:03:56 +05:30
|
|
|
// description: |
|
|
|
|
|
// Payloads contains any payloads for the current request.
|
|
|
|
|
//
|
|
|
|
|
// Payloads support both key-values combinations where a list
|
|
|
|
|
// of payloads is provided, or optionally a single file can also
|
|
|
|
|
// be provided as payload which will be read on run-time.
|
2021-08-04 14:20:48 +05:30
|
|
|
Payloads map[string]interface{} `yaml:"payloads,omitempty"`
|
2021-07-27 16:03:56 +05:30
|
|
|
// description: |
|
|
|
|
|
// Headers contains HTTP Headers to send with the request.
|
|
|
|
|
// examples:
|
|
|
|
|
// - value: |
|
|
|
|
|
// map[string]string{"Content-Type": "application/x-www-form-urlencoded", "Content-Length": "1", "Any-Header": "Any-Value"}
|
2021-08-04 14:20:48 +05:30
|
|
|
Headers map[string]string `yaml:"headers,omitempty"`
|
2021-07-27 16:03:56 +05:30
|
|
|
// description: |
|
|
|
|
|
// RaceCount is the number of times to send a request in Race Condition Attack.
|
|
|
|
|
// examples:
|
|
|
|
|
// - name: Send a request 5 times
|
|
|
|
|
// value: "5"
|
2021-08-04 14:20:48 +05:30
|
|
|
RaceNumberRequests int `yaml:"race_count,omitempty"`
|
2021-07-27 16:03:56 +05:30
|
|
|
// description: |
|
|
|
|
|
// MaxRedirects is the maximum number of redirects that should be followed.
|
|
|
|
|
// examples:
|
|
|
|
|
// - name: Follow upto 5 redirects
|
|
|
|
|
// value: "5"
|
2021-08-04 14:20:48 +05:30
|
|
|
MaxRedirects int `yaml:"max-redirects,omitempty"`
|
2021-07-27 16:03:56 +05:30
|
|
|
// description: |
|
|
|
|
|
// PipelineConcurrentConnections is number of connections to create during pipelining.
|
|
|
|
|
// examples:
|
|
|
|
|
// - name: Create 40 concurrent connections
|
|
|
|
|
// value: 40
|
2021-08-04 14:20:48 +05:30
|
|
|
PipelineConcurrentConnections int `yaml:"pipeline-concurrent-connections,omitempty"`
|
2021-07-27 16:03:56 +05:30
|
|
|
// description: |
|
|
|
|
|
// PipelineRequestsPerConnection is number of requests to send per connection when pipelining.
|
|
|
|
|
// examples:
|
|
|
|
|
// - name: Send 100 requests per pipeline connection
|
|
|
|
|
// value: 100
|
2021-08-04 14:20:48 +05:30
|
|
|
PipelineRequestsPerConnection int `yaml:"pipeline-requests-per-connection,omitempty"`
|
2021-07-27 16:03:56 +05:30
|
|
|
// description: |
|
|
|
|
|
// Threads specifies number of threads to use sending requests. This enables Connection Pooling.
|
|
|
|
|
//
|
|
|
|
|
// Connection: Close attribute must not be used in request while using threads flag, otherwise
|
|
|
|
|
// pooling will fail and engine will continue to close connections after requests.
|
|
|
|
|
// examples:
|
|
|
|
|
// - name: Send requests using 10 concurrent threads
|
|
|
|
|
// value: 10
|
2021-08-04 14:20:48 +05:30
|
|
|
Threads int `yaml:"threads,omitempty"`
|
2021-03-09 15:00:22 +05:30
|
|
|
|
2021-07-27 16:03:56 +05:30
|
|
|
// description: |
|
|
|
|
|
// MaxSize is the maximum size of http response body to read in bytes.
|
|
|
|
|
// examples:
|
|
|
|
|
// - name: Read max 2048 bytes of the response
|
|
|
|
|
// value: 2048
|
2021-08-04 14:20:48 +05:30
|
|
|
MaxSize int `yaml:"max-size,omitempty"`
|
2021-03-09 15:00:22 +05:30
|
|
|
|
2021-08-04 14:20:48 +05:30
|
|
|
CompiledOperators *operators.Operators `yaml:"-"`
|
2021-03-09 15:00:22 +05:30
|
|
|
|
|
|
|
|
options *protocols.ExecuterOptions
|
|
|
|
|
attackType generators.Type
|
|
|
|
|
totalRequests int
|
|
|
|
|
customHeaders map[string]string
|
|
|
|
|
generator *generators.Generator // optional, only enabled when using payloads
|
|
|
|
|
httpClient *retryablehttp.Client
|
|
|
|
|
rawhttpClient *rawhttp.Client
|
2021-07-27 16:03:56 +05:30
|
|
|
|
|
|
|
|
// description: |
|
|
|
|
|
// CookieReuse is an optional setting that enables cookie reuse for
|
|
|
|
|
// all requests defined in raw section.
|
2021-08-04 14:20:48 +05:30
|
|
|
CookieReuse bool `yaml:"cookie-reuse,omitempty"`
|
2021-07-27 16:03:56 +05:30
|
|
|
// description: |
|
|
|
|
|
// Redirects specifies whether redirects should be followed by the HTTP Client.
|
|
|
|
|
//
|
|
|
|
|
// This can be used in conjunction with `max-redirects` to control the HTTP request redirects.
|
2021-08-04 14:20:48 +05:30
|
|
|
Redirects bool `yaml:"redirects,omitempty"`
|
2021-07-27 16:03:56 +05:30
|
|
|
// description: |
|
|
|
|
|
// Pipeline defines if the attack should be performed with HTTP 1.1 Pipelining
|
|
|
|
|
//
|
|
|
|
|
// All requests must be indempotent (GET/POST). This can be used for race conditions/billions requests.
|
2021-08-04 14:20:48 +05:30
|
|
|
Pipeline bool `yaml:"pipeline,omitempty"`
|
2021-07-27 16:03:56 +05:30
|
|
|
// description: |
|
|
|
|
|
// Unsafe specifies whether to use rawhttp engine for sending Non RFC-Compliant requests.
|
|
|
|
|
//
|
|
|
|
|
// This uses the [rawhttp](https://github.com/projectdiscovery/rawhttp) engine to achieve complete
|
|
|
|
|
// control over the request, with no normalization performed by the client.
|
2021-08-04 14:20:48 +05:30
|
|
|
Unsafe bool `yaml:"unsafe,omitempty"`
|
2021-07-27 16:03:56 +05:30
|
|
|
// description: |
|
|
|
|
|
// Race determines if all the request have to be attempted at the same time (Race Condition)
|
|
|
|
|
//
|
|
|
|
|
// The actual number of requests that will be sent is determined by the `race_count` field.
|
2021-08-04 14:20:48 +05:30
|
|
|
Race bool `yaml:"race,omitempty"`
|
2021-07-27 16:03:56 +05:30
|
|
|
// description: |
|
|
|
|
|
// ReqCondition automatically assigns numbers to requests and preserves their history.
|
|
|
|
|
//
|
|
|
|
|
// This allows matching on them later for multi-request conditions.
|
2021-08-04 14:20:48 +05:30
|
|
|
ReqCondition bool `yaml:"req-condition,omitempty"`
|
2020-12-28 01:33:50 +05:30
|
|
|
}
|
|
|
|
|
|
2021-01-16 14:10:24 +05:30
|
|
|
// GetID returns the unique ID of the request if any.
|
|
|
|
|
func (r *Request) GetID() string {
|
|
|
|
|
return r.ID
|
|
|
|
|
}
|
|
|
|
|
|
2020-12-28 01:33:50 +05:30
|
|
|
// Compile compiles the protocol request for further execution.
|
|
|
|
|
func (r *Request) Compile(options *protocols.ExecuterOptions) error {
|
2021-08-08 21:52:01 +02:00
|
|
|
connectionConfiguration := &httpclientpool.Configuration{
|
2020-12-28 01:33:50 +05:30
|
|
|
Threads: r.Threads,
|
|
|
|
|
MaxRedirects: r.MaxRedirects,
|
|
|
|
|
FollowRedirects: r.Redirects,
|
2021-01-15 14:17:34 +05:30
|
|
|
CookieReuse: r.CookieReuse,
|
2021-08-08 21:52:01 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// if the headers contain "Connection" we need to disable the automatic keep alive of the standard library
|
|
|
|
|
if _, hasConnectionHeader := r.Headers["Connection"]; hasConnectionHeader {
|
|
|
|
|
connectionConfiguration.Connection = &httpclientpool.ConnectionConfiguration{DisableKeepAlive: false}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
client, err := httpclientpool.Get(options.Options, connectionConfiguration)
|
2020-12-28 01:33:50 +05:30
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrap(err, "could not get dns client")
|
|
|
|
|
}
|
2021-02-01 16:21:49 +05:30
|
|
|
r.customHeaders = make(map[string]string)
|
2020-12-28 01:33:50 +05:30
|
|
|
r.httpClient = client
|
2020-12-29 19:46:52 +05:30
|
|
|
r.options = options
|
2021-01-15 14:22:05 +05:30
|
|
|
for _, option := range r.options.Options.CustomHeaders {
|
2021-02-04 14:58:34 +05:30
|
|
|
parts := strings.SplitN(option, ":", 2)
|
2021-02-01 16:21:49 +05:30
|
|
|
if len(parts) != 2 {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
r.customHeaders[parts[0]] = strings.TrimSpace(parts[1])
|
2021-01-15 14:22:05 +05:30
|
|
|
}
|
2020-12-28 01:33:50 +05:30
|
|
|
|
2021-02-04 22:29:36 +05:30
|
|
|
if r.Body != "" && !strings.Contains(r.Body, "\r\n") {
|
|
|
|
|
r.Body = strings.ReplaceAll(r.Body, "\n", "\r\n")
|
|
|
|
|
}
|
2020-12-28 01:33:50 +05:30
|
|
|
if len(r.Raw) > 0 {
|
2021-02-04 22:27:47 +05:30
|
|
|
for i, raw := range r.Raw {
|
|
|
|
|
if !strings.Contains(raw, "\r\n") {
|
|
|
|
|
r.Raw[i] = strings.ReplaceAll(raw, "\n", "\r\n")
|
|
|
|
|
}
|
|
|
|
|
}
|
2021-06-25 08:16:54 +02:00
|
|
|
r.rawhttpClient = httpclientpool.GetRawHTTP(options.Options)
|
2020-12-28 01:33:50 +05:30
|
|
|
}
|
2020-12-30 13:26:55 +05:30
|
|
|
if len(r.Matchers) > 0 || len(r.Extractors) > 0 {
|
|
|
|
|
compiled := &r.Operators
|
2021-02-26 13:13:11 +05:30
|
|
|
if compileErr := compiled.Compile(); compileErr != nil {
|
|
|
|
|
return errors.Wrap(compileErr, "could not compile operators")
|
2020-12-28 01:33:50 +05:30
|
|
|
}
|
2020-12-30 13:26:55 +05:30
|
|
|
r.CompiledOperators = compiled
|
2020-12-28 01:33:50 +05:30
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if len(r.Payloads) > 0 {
|
2020-12-29 12:08:46 +05:30
|
|
|
attackType := r.AttackType
|
|
|
|
|
if attackType == "" {
|
|
|
|
|
attackType = "sniper"
|
|
|
|
|
}
|
|
|
|
|
r.attackType = generators.StringToType[attackType]
|
|
|
|
|
|
2021-01-12 02:44:51 +05:30
|
|
|
// Resolve payload paths if they are files.
|
|
|
|
|
for name, payload := range r.Payloads {
|
2021-02-26 13:13:11 +05:30
|
|
|
payloadStr, ok := payload.(string)
|
|
|
|
|
if ok {
|
|
|
|
|
final, resolveErr := options.Catalog.ResolvePath(payloadStr, options.TemplatePath)
|
|
|
|
|
if resolveErr != nil {
|
|
|
|
|
return errors.Wrap(resolveErr, "could not read payload file")
|
2021-01-12 02:44:51 +05:30
|
|
|
}
|
2021-02-04 14:58:34 +05:30
|
|
|
r.Payloads[name] = final
|
2021-01-12 02:44:51 +05:30
|
|
|
}
|
|
|
|
|
}
|
2020-12-29 12:08:46 +05:30
|
|
|
r.generator, err = generators.New(r.Payloads, r.attackType, r.options.TemplatePath)
|
2020-12-28 01:33:50 +05:30
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrap(err, "could not parse payloads")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
r.options = options
|
2020-12-28 20:02:26 +05:30
|
|
|
r.totalRequests = r.Requests()
|
2020-12-28 01:33:50 +05:30
|
|
|
return nil
|
2020-12-22 04:11:07 +05:30
|
|
|
}
|
2020-12-28 20:02:26 +05:30
|
|
|
|
|
|
|
|
// Requests returns the total number of requests the YAML rule will perform
|
|
|
|
|
func (r *Request) Requests() int {
|
2020-12-29 19:35:16 +05:30
|
|
|
if r.generator != nil {
|
2021-01-12 02:00:11 +05:30
|
|
|
payloadRequests := r.generator.NewIterator().Total() * len(r.Raw)
|
|
|
|
|
return payloadRequests
|
2020-12-28 20:02:26 +05:30
|
|
|
}
|
2020-12-29 19:35:16 +05:30
|
|
|
if len(r.Raw) > 0 {
|
2021-01-12 02:00:11 +05:30
|
|
|
requests := len(r.Raw)
|
2021-01-13 13:03:07 +05:30
|
|
|
if requests == 1 && r.RaceNumberRequests != 0 {
|
2021-02-26 13:13:11 +05:30
|
|
|
requests *= r.RaceNumberRequests
|
2021-01-12 02:00:11 +05:30
|
|
|
}
|
|
|
|
|
return requests
|
|
|
|
|
}
|
2021-01-13 13:03:07 +05:30
|
|
|
return len(r.Path)
|
2020-12-28 20:02:26 +05:30
|
|
|
}
|
