Closed chesskuo closed 2 days ago
First of all, thank you for your PR. This --cookie is for initialization settings, which will be used in the first request. If you have fixed cookie settings, do you think it would be better to use the --header parameter?
Hi, thanks for your reply.
In this situation, setting the cookie in the header parameter is a good way to avoid triggering the 2nd bug.
But the first bug still exists.
Because the web server would not return any `Set-Cookie` header back.
In my opinion, if the `--cookie` option exists, it should behave correctly too, and this should not only work with the `--header` option.
The `--cookie` parameter here is used to deal with load balancing scenarios that return `Set-Cookie` based on specific cookies.
In your scenario, you should use tools such as `burpsuite` to capture packets to obtain fixed cookies and use `--header` to solve it. :)
Hello sir, I understand what you mean about the `--cookie` option, and I know I can get the fixed cookie with Burp.
Maybe we can focus on the "If the response didn't include a Set-Cookie header, the program will exit." (This is the first bug I mentioned in my previous comment.)
I used `--header` to set my fixed cookie (this cookie is called `PHPSESSID`; it is the default PHP env cookie name).
In this situation, it would break on `neoreg.py#634` (this is the line number in my commit).
`log.error('[Ask NeoGeorg] There is no valid cookie return')`
Because Neo-reGeorg didn't receive any `Set-Cookie` header in the response.
And the server would not send another cookie again, because I already set a fixed cookie called `PHPSESSID`.
This situation will make Neo-reGeorg exit.
I think this is a bug, because I need to set a login session cookie to get some web page containing the Neo-reGeorg page.
But if I set the cookie, the server would not send a `Set-Cookie` header, which triggers the program exit.
Maybe we can have a mechanism to make sure Neo-reGeorg works in the "no `Set-Cookie` header returned" situation, right?
What do you think about this issue?
Thanks
Oh, there is indeed this problem. I just added the --php-skip-cookie parameter to skip the cookie validity verification. You can test it.
I noticed that the custom cookie parameter is not working in some situations.
For example, I use an LFI vulnerability on DVWA to test this bug.
It needs a login to get the vulnerable web page, so I need to log in and get the `PHPSESSID` first. And then, I need to pass the cookie to the Neo-reGeorg custom cookie field.
But it will exit on `neoreg.py#631`, because it would not get any `Set-Cookie` header from the response. (I already set the `PHPSESSID` cookie, so it would never get that.) Here is the first bug.
And then I commented out `neoreg.py#632` to make this program go ahead for testing. When I proxied some traffic, it would get the second bug. It shows me "[HTTP] Response Format Error:" (`neoreg.py#438`). This is because the value `rinfo` is `None`.
When I checked what is causing this, I noticed that `response.content` always shows me a DVWA login page, so I confirmed this issue is that the `--cookie` parameter would not send my custom cookie to the remote correctly.
I corrected these two bugs in this PR, please review it ~ If you have any problems, please let me know. Thank you for developing such a wonderful tool.