POC search 问题 - Githubissues

shadow1ng / fscan

一款内网综合扫描工具，方便一键自动化、全方位漏扫扫描。

MIT License

10.87k stars 1.62k forks source link

POC search 问题 #269

Closed Zxc123456zxc closed 2 months ago

Zxc123456zxc commented 1 year ago

1.search可以匹配响应头中的内容吗? 我想获取响应头的cookie,但是只执行规则1，然后规则2不执行

这是我的poc name: CVE-2023-27350-Paper-Cut rules:

method: GET path: /app?service=page/SetupCompleted expression: | response.status == 200 search: | Set-Cookie: (?P[^;]+)
method: GET path: /app?service=page/Dashboard headers: Cookie: "{{var}}" expression: | response.status == 200

只执行了规则1，没有执行规则2

shadow1ng commented 1 year ago

search的格式不对吧应该类似 search: r'Set-Cookie:(?P<cookie>.*?)'

Zxc123456zxc commented 1 year ago

好的，谢谢

Zxc123456zxc commented 1 year ago

还是只执行规则1，规则2不执行

Zxc123456zxc commented 1 year ago

search语法 "code_uid":"(?P.+?)"，body里面的内容可以获取到，header里面的内容获取不到加.bmatches(response.headers)，也获取不到

shadow1ng commented 1 year ago

https://github.com/shadow1ng/fscan/blob/ecb0cd9e5fbebc8d466c3480d908869b8d77d2df/WebScan/lib/check.go#L151

默认是设置匹配header+body的

Zxc123456zxc commented 1 year ago

好的，我在看看，谢谢

shadow1ng commented 1 year ago

我后面调试了一下，发现strings.TrimSpace(rule.Search)函数会影响结果。现在修复了测试poc

name: test
rules:
  - method: GET
    path: /
    search: |
      Set-Cookie:(?P<cookie>.*?)
  - method: GET
    path: '/cookie'
    headers:
      Cookie: "{{cookie}}"
    expression: |
      response.status == 404

go run .\main.go -u https://www.baidu.com -proxy 8080查看burp可以正常获取到cookie

shadow1ng commented 1 year ago

并新增了optimizeCookies函数，过滤无用的cookie信息

Zxc123456zxc commented 1 year ago

好的，谢谢，麻烦大佬了

Zxc123456zxc commented 1 year ago

大佬，反连平台，-dns ，报错

shadow1ng commented 1 year ago

已修复