L-codes / Neo-reGeorg

Neo-reGeorg is a project that seeks to aggressively refactor reGeorg
GNU General Public License v3.0
2.92k stars 448 forks source link

PHP built-in web server not working (php -S) #62

Open jotunel opened 2 years ago

jotunel commented 2 years ago

When I use sudo proxychains nmap -sT -p443,80 -Pn 192.168.37.238 I get

sudo proxychains nmap -sT -p443,80 -Pn 192.168.37.238 
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.15
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-06 14:13 EDT
[proxychains] Dynamic chain  ...  127.0.0.1:1080  ...  192.168.37.238:443 <--socket error or timeout!
[proxychains] Dynamic chain  ...  127.0.0.1:1080  ...  192.168.37.238:80 <--socket error or timeout!
Nmap scan report for 192.168.37.238
Host is up (0.0038s latency).

PORT    STATE  SERVICE
80/tcp  closed http
443/tcp closed https  (<--This is supposed to be **open**, it is an **open** port in my **VM**'s)

Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
/etc/proxychains: 

dynamic_chain
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks5 127.0.0.1 1080

On the other window, I have this:

$ python neoreg.py -k pivotpassword -u http://192.168.37.238:8080/tunnel.php --cut-left 5528 --cut-right 23 --skip
+------------------------------------------------------------------------+
  Log Level set to [ERROR]
  Starting SOCKS5 server [127.0.0.1:1080]
  Tunnel at:
    http://192.168.37.238:8080/tunnel.php
+------------------------------------------------------------------------+
[CRITICAL]  Bad KEY or non-neoreg server
[CRITICAL]  Bad KEY or non-neoreg server
L-codes commented 2 years ago

Can you provide the following information?

  1. neoreg version used
  2. 192.168.37.238 is the system windows?
  3. The content returned by curl http://192.168.37.238:8080/tunnel.php
L-codes commented 2 years ago

If you use windows to run php and use it for scanning, you should manually adjust the --php-connect-timeout parameter

jotunel commented 2 years ago
  1. neoreg version 3.8.0
  2. Every machine is a Linux VM machine(attacking is kali, the one i am trying to nmap into is kali, .238 is ubuntu and its hosting the tunnel.php. 192.168.37.238 is the Ubuntu VM that I hosted the tunnel.php into.
  3. curl http://192.168.37.238:8080/tunnel.php returns nothing.
  4. I am not using Windows at all
jotunel commented 2 years ago

Into .238 (root directory), I run: php -S 192.168.37.238:8080 [Wed Apr 6 14:57:54 2022] PHP 7.4.3 Development Server (http://192.168.37.238:8080) started

and I hosted the tunnel.php I produced with the code pivotpassword in my attacking machine.

L-codes commented 2 years ago

I tested php -S and it does not work. The reason is that php's built-in web server is single-threaded blocking.

L-codes commented 2 years ago

For PHP built-in web server, neoreg currently does not support :(

jotunel commented 2 years ago

Thanks, so what should I do for it to work? If I set up a simpleHTTPserver, it still does not work and the same errors pop up (<--socket error or timeout!)

Basically, I can't get it to work via the chain.

L-codes commented 2 years ago

run a php web server started by apache.