yogeshojha / rengine

reNgine is an automated reconnaissance framework for web applications with a focus on highly configurable streamlined recon process via Engines, recon data correlation and organization, continuous monitoring, backed by a database, and simple yet intuitive User Interface. reNgine makes it easy for penetration testers to gather reconnaissance with minimal configuration and with the help of reNgine's correlation, it just makes recon effortless.
https://yogeshojha.github.io/rengine/
GNU General Public License v3.0

Bug - Scan Doesn't Properly Run w/o Subdomain Discovery & No Optional Domains #568

Closed quantumburnz closed 11 months ago

quantumburnz commented 2 years ago

Issue Summary

I'm using SpiderFoot for subdomain enumeration, and I want to feed these results into reNgine. In my use-case, I provided one target sub-domain to reNgine with a custom Scan Engine: NO "Subdomain Discovery" but I am performing Screenshot, Port Scan, Fetch URLs, and Vulnerability Scan. Upon running this on the subdomain with NO optional subdomains provided, I noticed the scan would quickly jump through HTTP Crawler, Visual Recon, and Port Scanning without giving me any results, but I knew this particular subdomain should have had some results, so I dug into the code and found the following:

initiate_scan is called with a default parameter imported_subdomains=None . Early in the function, there's a check to see whether the subdomain_discovery task is enabled or not: https://github.com/yogeshojha/rengine/blob/27d6ec5827a51fd74e3ab97a5cef38fc7f5d9168/web/reNgine/tasks.py#L147 ... some extra code here that doesn't pertain to this use-case ... https://github.com/yogeshojha/rengine/blob/27d6ec5827a51fd74e3ab97a5cef38fc7f5d9168/web/reNgine/tasks.py#L157-L158

In skip_subdomain_scan, the target is written into target_domain.txt which is then cat'd into subdomain_collection.txt. However, from_imported.txt is also cat'd into subdomain_collection.txt, overwriting the value that came from target_domain.txt as you can see below. https://github.com/yogeshojha/rengine/blob/27d6ec5827a51fd74e3ab97a5cef38fc7f5d9168/web/reNgine/tasks.py#L294-L298

Simply appending from_imported.txt to subdomain_collection.txt instead of overwriting it as shown below will fix the issue. 'cat {0}/from_imported.txt >> {0}/subdomain_collection.txt'.format(results_dir))

Steps to Reproduce

  1. Provide one target sub-domain to reNgine
  2. Create a custom Scan Engine to perform: Screenshot, Port Scan, Fetch URLs, and Vulnerability Scan
  3. Run a scan against the subdomain with NO optional subdomains provided

Any other relevant information. For example, why do you consider this a bug and what did you expect to happen instead? I expect the scan to perform the desired functions on the target domain.

I have confirmed that this issue can be reproduced as described on a latest version/pull of reNgine: yes, I'm using a pull from 30Dec21.

Technical details

Ubuntu 20.04.3 LTS
Docker version 20.10.12, build e91ed57
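The overwrite described in this report, reproduced as an added shell example that is not reNgine's own code: it recreates the three files named above in a temporary results_dir and compares the reported `>` collection step with the `>>` fix. The helper names and the temporary directory are assumptions for this example.

```shell
#!/bin/sh
# Added example, not code from reNgine. Recreates the files the report describes
# for a scan with subdomain discovery disabled and shows why the target is lost.

# Build a throwaway results_dir: target_domain.txt holds the single target,
# from_imported.txt holds any optional/imported subdomains (empty when none given).
setup_results_dir() {
    results_dir=$(mktemp -d)
    printf '%s\n' "$1" > "$results_dir/target_domain.txt"
    shift
    : > "$results_dir/from_imported.txt"
    for sub in "$@"; do
        printf '%s\n' "$sub" >> "$results_dir/from_imported.txt"
    done
    printf '%s' "$results_dir"
}

# Reported behaviour: the second cat truncates subdomain_collection.txt, so the
# target copied in by the first cat is discarded. Returns the resulting line count.
collect_buggy() {
    cat "$1/target_domain.txt" > "$1/subdomain_collection.txt"
    cat "$1/from_imported.txt" > "$1/subdomain_collection.txt"
    wc -l < "$1/subdomain_collection.txt" | tr -d ' '
}

# Proposed fix: append the imported subdomains so the target survives.
collect_fixed() {
    cat "$1/target_domain.txt" > "$1/subdomain_collection.txt"
    cat "$1/from_imported.txt" >> "$1/subdomain_collection.txt"
    wc -l < "$1/subdomain_collection.txt" | tr -d ' '
}

# Demo with no optional subdomains (the case in the report): buggy yields an
# empty collection, fixed keeps the one target.
d=$(setup_results_dir target.example.com)
echo "no imports -> buggy: $(collect_buggy "$d") line(s), fixed: $(collect_fixed "$d") line(s)"
```

With imported subdomains present the buggy version still drops the target itself, which is why only the appended form gives the full collection.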

github-actions[bot] commented 2 years ago

👋 Hi @quantumburnz, Issues is only for reporting a bug/feature request. Please read the documentation before raising an issue: https://rengine.wiki
For very limited support, questions, and discussions, please join the reNgine Discord channel: https://discord.gg/azv6fzhNCE
Please include all the requested and relevant information when opening a bug report. Improper reports will be closed without any response.

quantumburnz commented 2 years ago

This is somewhat of a duplicate issue already raised in issue #516, granted, with a little more detail.

psyray commented 11 months ago

Fixed in version 2.0 by @ocervell's PR https://github.com/yogeshojha/rengine/pull/742 (https://rengine.wiki/changelog/#200).