chaitin / xray

A complete security assessment tool that supports scanning for common web security issues and custom POCs | Be sure to read the documentation before use
https://docs.xray.cool

Scanning URL (target)=https://example:port/a/b/c #1793

Closed. q1258089344 closed this 5 months ago

q1258089344 commented 7 months ago

With a multi-level path like this, doesn't xray scan it? If it's https://example:port/a, it scans normally.

q1258089344 commented 7 months ago

@yywing

Jarcis-cy commented 7 months ago
  1. It will be scanned.
  2. Can you post the command you ran?
q1258089344 commented 6 months ago

```
.\xray_windows_386.exe --log-level debug ws --poc "D:\working\document\内容风险\xray\workspace/pocs/*" --url-file D:\working\document\内容风险\xray\workspace\2024-04-29\16-33-42-domain.txt --html-output D:\working\document\内容风险\xray\workspace\2024-04-29\16-33-42-other.html
```

q1258089344 commented 6 months ago

```
https://lppadweb.paas.cmbchina.com/asdfasdfa/sdfsadf/fdsfg/asdfasdf/dfgsdf/dsfgsdh/fdgh/dfghdfgh/dfgh
https://lppadweb.paas.cmbchina.com/a
```

q1258089344 commented 6 months ago

```yaml
name: poc-yaml-js-report
manual: false
transport: http
set:
    # /test/test
    inputPath: request.url.path
rules:
    r1:
        request:
            cache: true
            method: GET
            # target: http://example.com:8080/test/test/b
            # If it starts with ^, use path as the request path
            path: '^{{inputPath}}/release/visualizer/reporter.html'
        expression: "true"
expression: r1()
detail:
    author: yywing
```

q1258089344 commented 6 months ago

```
POC Loaded: poc-yaml-js-report

[DBUG] 2024-05-11 14:52:47 [controller:dispatcher.go:230] fingers count: 2
[DBUG] 2024-05-11 14:52:47 [controller:dispatcher.go:231] building finger tree
[DBUG] 2024-05-11 14:52:47 [controller:dispatcher.go:239] start to trim the invocation tree
[DBUG] 2024-05-11 14:52:47 [controller:dispatcher.go:291] init the event bus
[DBUG] 2024-05-11 14:52:47 [controller:dispatcher.go:364] service finger count: 1, flow finger count: 2
[DBUG] 2024-05-11 14:52:47 [collector:url-list.go:36] processing https://lppadweb.paas.cmbchina.com/asdfasdfa/sdfsadf/fdsfg/asdfasdf/dfgsdf/dsfgsdh/fdgh/dfghdfgh/dfgh
[DBUG] 2024-05-11 14:52:47 [default:client.go:188] GET https://lppadweb.paas.cmbchina.com/asdfasdfa/sdfsadf/fdsfg/asdfasdf/dfgsdf/dsfgsdh/fdgh/dfghdfgh/dfgh
[DBUG] 2024-05-11 14:52:47 [collector:url-list.go:36] processing https://lppadweb.paas.cmbchina.com/a
[DBUG] 2024-05-11 14:52:47 [default:client.go:188] GET https://lppadweb.paas.cmbchina.com/a
[DBUG] 2024-05-11 14:52:47 [default:client.go:188] GET https://lppadweb.paas.cmbchina.com/index.php
[INFO] 2024-05-11 14:52:47 [collector:url-list.go:66] waiting requests in queue
[INFO] 2024-05-11 14:52:47 [default:dispatcher.go:444] processing GET https://lppadweb.paas.cmbchina.com/a
[INFO] 2024-05-11 14:52:47 [default:dispatcher.go:444] processing GET https://lppadweb.paas.cmbchina.com/asdfasdfa/sdfsadf/fdsfg/asdfasdf/dfgsdf/dsfgsdh/fdgh/dfghdfgh/dfgh
[DBUG] 2024-05-11 14:52:47 [runner client:http.go:54] req: GET /a/release/visualizer/reporter.html HTTP/1.1
Host: lppadweb.paas.cmbchina.com

[DBUG] 2024-05-11 14:52:47 [default:client.go:188] GET https://lppadweb.paas.cmbchina.com/a/release/visualizer/reporter.html
[DBUG] 2024-05-11 14:52:47 [runner client:http.go:69] resp: HTTP/1.1 404 Not Found
Content-Length: 146
Content-Type: text/html
Date: Sat, 11 May 2024 06:52:47 GMT
Server: nginx

404 Not Found
404 Not Found
nginx

[Vuln: phantasm] Target "https://lppadweb.paas.cmbchina.com/a" VulnType "poc-yaml-js-report/default" Author "yywing"

[DBUG] 2024-05-11 14:52:48 [controller:dispatcher.go:502] sending last stat
[INFO] 2024-05-11 14:52:48 [controller:dispatcher.go:573] controller released, task done
```

q1258089344 commented 6 months ago

@Jarcis-cy

Above are, in order, the launch command, the contents of domain.txt, the POC, and the log after running.

You can see that the /a URL successfully hit the POC, while the multi-level path appears not to have been scanned at all.

q1258089344 commented 6 months ago

```yaml
name: poc-yaml-js-report
manual: false
transport: http
set:
    # /test/test
    inputPath: request.url.path
rules:
    r1:
        request:
            cache: true
            method: GET
            # target: http://example.com:8080/test/test/b
            # If it starts with ^, use path as the request path
            path: '^{{inputPath}}/release/visualizer/reporter.html'
        expression: "true"
expression:  r1()
detail:
    author: yywing
```

yywing commented 6 months ago

Whoa, bro, please redact anything involving IP addresses. That's a bit scary.

q1258089344 commented 6 months ago

> Whoa, bro, please redact anything involving IP addresses. That's a bit scary.

Not a big deal, they are all 404 addresses.

q1258089344 commented 6 months ago

> Whoa, bro, please redact anything involving IP addresses. That's a bit scary.

Boss, when you have a moment could you take a look at why a single-level path matches the POC as expected but a multi-level path gives no result?

yywing commented 6 months ago

Your script and usage look fine to me. I suspect it's the detection depth (I recall there is a sub-path detection depth limit) causing this. I've also forgotten whether it can be set in the config.

I suggest using xpoc; xpoc shouldn't have this problem.

q1258089344 commented 6 months ago

> Your script and usage look fine to me. I suspect it's the detection depth (I recall there is a sub-path detection depth limit) causing this. I've also forgotten whether it can be set in the config.
>
> I suggest using xpoc; xpoc shouldn't have this problem.

I looked in the config and couldn't find it. Switching tools feels pretty hard to bear; the changes are too big, and when deploying on Linux libpcap was missing and had to be compiled and installed with gcc. Stepping on pitfalls is painful~~

yywing commented 6 months ago

https://docs.xray.cool/tools/xray/Configuration#phantasm

Try depth.

Jarcis-cy commented 6 months ago

OK~ will the new version expose this config~ thx

xpoc has no such limit; it sends whatever you give it.

q1258089344 commented 6 months ago

> https://docs.xray.cool/tools/xray/Configuration#phantasm
>
> Try depth.

It works now, thanks a lot, boss~
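As an added illustration (not xray's own code, and not code from anyone in this thread), the Python below models the interaction the thread arrives at: a sub-path depth limit in the phantasm stage that drops deep targets before any POC runs, and the POC's `^`-prefixed `path` template that turns `request.url.path` into the probe request. The pruning rule (skip a target whose path has more segments than the configured depth) and the default value `1` are assumptions made to reproduce the symptom in the debug log; check the phantasm section of your own config.yaml for the real setting. The two URLs are constructed stand-ins for the domain.txt in the thread.

```python
"""Model of how a phantasm depth limit and a '^'-prefixed POC path interact.

Added illustration, not xray's implementation. The pruning rule and the
default depth are assumptions chosen to reproduce the behaviour in the thread.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for domain.txt: one nine-segment path and one
# single-segment path, mirroring the two targets posted in the issue.
DOMAIN_TXT = """\
https://example.com:8080/a/b/c/d/e/f/g/h/i
https://example.com:8080/a
"""

# Path template from rule r1 of the POC. The leading '^' means the rendered
# value becomes the request path outright instead of being appended.
POC_PATH = "^{{inputPath}}/release/visualizer/reporter.html"

# Assumed default for phantasm.depth (assumption: verify in your config.yaml).
DEFAULT_DEPTH = 1


def load_targets(text: str) -> list[str]:
    """Parse a url-file: one URL per line, blank lines ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def path_depth(url: str) -> int:
    """Count non-empty path segments: '/a' -> 1, '/a/b/c' -> 3, '/' -> 0."""
    return sum(1 for seg in urlsplit(url).path.split("/") if seg)


def select_targets(urls: list[str], depth: int) -> list[str]:
    """Assumed pruning rule: a target survives only if path_depth <= depth."""
    return [u for u in urls if path_depth(u) <= depth]


def render_poc_path(template: str, target_url: str) -> str:
    """Bind {{inputPath}} to request.url.path and apply the '^' replace semantics."""
    input_path = urlsplit(target_url).path
    rendered = template.replace("{{inputPath}}", input_path)
    if not rendered.startswith("^"):
        # Only the '^' form used by this POC is modelled here.
        raise ValueError("only '^'-prefixed path templates are modelled")
    return rendered[1:]


def probe_urls(urls: list[str], depth: int = DEFAULT_DEPTH) -> dict[str, str]:
    """Map each target that survives the depth limit to the URL the POC's GET hits."""
    out = {}
    for target in select_targets(urls, depth):
        parts = urlsplit(target)
        probe = urlunsplit((parts.scheme, parts.netloc,
                            render_poc_path(POC_PATH, target), "", ""))
        out[target] = probe
    return out


if __name__ == "__main__":
    targets = load_targets(DOMAIN_TXT)
    for depth in (DEFAULT_DEPTH, 10):
        print(f"phantasm.depth = {depth}")
        for target, probe in probe_urls(targets, depth).items():
            print(f"  {target}  ->  GET {probe}")
```

With the assumed default depth only the `/a` target survives and its probe is `/a/release/visualizer/reporter.html`, the same request the debug log above shows; raising the depth lets the nine-segment target through as well, which is the effect the reporter saw after changing `depth`.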