3、file fuzz针对

hktalent · hktalent · commit 2f5289eed8f2 · 2022-10-11T22:31:05.000+08:00
aac、abw、arc...
的Content-Type:  进行类型识别，跳过无用的fuzz 2022-10-11
diff --git a/brute/filefuzz.go b/brute/filefuzz.go
@@ -9,7 +9,9 @@ import (
 	"github.com/hktalent/goSqlite_gorm/lib/scan/Const"
 	"github.com/hktalent/goSqlite_gorm/pkg/models"
 	"log"
+	"mime"
 	"net/url"
+	"path/filepath"
 	"regexp"
 	"strings"
 	"sync"
@@ -158,6 +160,8 @@ type FuzzData struct {
 	Req  *util.Page
 }
 
+var r001 = regexp.MustCompile(`\.(aac)|(abw)|(arc)|(avif)|(avi)|(azw)|(bin)|(bmp)|(bz)|(bz2)|(cda)|(csh)|(css)|(csv)|(doc)|(docx)|(eot)|(epub)|(gz)|(gif)|(ico)|(ics)|(jar)|(jpeg)|(jpg)|(js)|(json)|(jsonld)|(mid)|(midi)|(mjs)|(mp3)|(mp4)|(mpeg)|(mpkg)|(odp)|(ods)|(odt)|(oga)|(ogv)|(ogx)|(opus)|(otf)|(png)|(pdf)|(php)|(ppt)|(pptx)|(rar)|(rtf)|(sh)|(svg)|(tar)|(tif)|(tiff)|(ts)|(ttf)|(txt)|(vsd)|(wav)|(weba)|(webm)|(webp)|(woff)|(woff2)|(xhtml)|(xls)|(xlsx)|(xml)|(xul)|(zip)|(3gp)|(3g2)|(7z)$`)
+
 // 重写了fuzz：优化流程、优化算法、修复线程安全bug、增加智能功能
 //  两次  ioutil.ReadAll(resp.Body)，第二次就会 Read返回EOF error
 func FileFuzz(u string, indexStatusCode int, indexContentLength int, indexbody string) ([]string, []string) {
@@ -213,6 +217,9 @@ func FileFuzz(u string, indexStatusCode int, indexContentLength int, indexbody s
 	if strings.HasPrefix(url404req.Protocol, "HTTP/2") || strings.HasPrefix(url404req.Protocol, "HTTP/3") {
 		MaxErrorTimes = int32(len(filedic))
 	}
+	if c1 := util.GetClient(u, map[string]interface{}{"Timeout": 15 * time.Second, "ErrLimit": MaxErrorTimes}); nil != c1 {
+		util.PutClientCc(u, c1)
+	}
 	//defer func() {
 	//	close(ch)
 	//	close(async_data)
@@ -304,6 +311,18 @@ func FileFuzz(u string, indexStatusCode int, indexContentLength int, indexbody s
 							} else if lst200.Body == req.Body { // 无意义的 200
 								continue
 							}
+							if oU1, err := url.Parse(szUrl); nil == err {
+								a50 := r001.FindStringSubmatch(oU1.Path)
+								if 0 < len(a50) {
+									s2 := mime.TypeByExtension(filepath.Ext(a50[0]))
+									ct := (*req).Header.Get("Content-Type")
+									if "" != ct && "" != s2 && strings.Contains(ct, s2) {
+										continue
+									}
+								}
+							}
+
+							mime.TypeByExtension(".jpg")
 							//log.Printf("%d : %s \n", req.StatusCode, szUrl)
 						}
 						go util.CheckHeader(req.Header, u)
diff --git a/lib/test/test.go b/lib/test/test.go
@@ -1,13 +1,12 @@
 package main
 
 import (
-	"fmt"
-	"github.com/hktalent/ProScan4all/lib/util"
 	"log"
-	"sync"
+	"mime"
 )
 
 func main() {
+	log.Println(mime.TypeByExtension(".jsp"))
 	//
 	//data, err := ioutil.ReadFile("/Users/51pwn/MyWork/TestPoc/JRMPListener.ser")
 	//if nil == err {
@@ -24,22 +23,22 @@ func main() {
 	//		log.Println(resp.StatusCode)
 	//	}
 	//})
-	var Wg = sync.WaitGroup{}
-	// 单独测试没有问题
-	for i := 33; i < 8082; i++ {
-		Wg.Add(1)
-		go func(n int) {
-			defer Wg.Done()
-			s1 := fmt.Sprintf("http://127.0.0.1:%d/scan4all", n)
-			if resp, err := util.HttpRequset(s1, "GET", "", false, nil); nil == err {
-				log.Println(resp.StatusCode, s1)
-			} else {
-				if n == 8081 {
-					log.Println(err)
-				}
-			}
-		}(i)
-
-	}
-	Wg.Wait()
+	//var Wg = sync.WaitGroup{}
+	//// 单独测试没有问题
+	//for i := 33; i < 8082; i++ {
+	//	Wg.Add(1)
+	//	go func(n int) {
+	//		defer Wg.Done()
+	//		s1 := fmt.Sprintf("http://127.0.0.1:%d/scan4all", n)
+	//		if resp, err := util.HttpRequset(s1, "GET", "", false, nil); nil == err {
+	//			log.Println(resp.StatusCode, s1)
+	//		} else {
+	//			if n == 8081 {
+	//				log.Println(err)
+	//			}
+	//		}
+	//	}(i)
+	//
+	//}
+	//Wg.Wait()
 }
diff --git a/lib/util/checkerImp.go b/lib/util/checkerImp.go
@@ -37,6 +37,11 @@ func RegResponsCheckFunc(cbk ...func(*CheckerTools, ...interface{})) {
 	GetInstance(RespBody).RegCheckFunc(cbk...)
 }
 
+// 注册body处理
+func RegHeaderCheckFunc(cbk ...func(*CheckerTools, ...interface{})) {
+	GetInstance(ReqHeader).RegCheckFunc(cbk...)
+}
+
 // 构建一个检查器
 func New(name string) *CheckerTools {
 	ct := GetObjFromNoRpt[*CheckerTools](name)
diff --git a/lib/util/util.go b/lib/util/util.go
@@ -89,6 +89,12 @@ func GetClient4Cc(szUrl string) *PipelineHttp.PipelineHttp {
 	}
 	return nil
 }
+func PutClientCc(szUrl string, c *PipelineHttp.PipelineHttp) {
+	CloseHttpClient(szUrl)
+	oU, _ := url.Parse(szUrl)
+	clientHttpCc.Delete(oU.Scheme + oU.Host)
+	clientHttpCc.Set(oU.Scheme+oU.Host, c, defaultInteractionDuration)
+}
 
 //var G_hc *http.Client
 
diff --git a/new.txt b/new.txt
@@ -1,2 +1,5 @@
 1、fuzz、及所有请求输出限制为800k，避免被反制、进行内存攻击导致程序崩溃
 2、修复naabu、nmap扫描后使用ip继续走后续流程，导致无法正确访问目标的bug，https通常是限定只能域名访问的
+3、file fuzz针对
+aac、abw、arc、avif、avi、azw、bin、bmp、bz、bz2、cda、csh、css、csv、doc、docx、eot、epub、gz、gif、ico、ics、jar、jpeg、jpg、js、json、jsonld、mid、midi、mjs、mp3、mp4、mpeg、mpkg、odp、ods、odt、oga、ogv、ogx、opus、otf、png、pdf、php、ppt、pptx、rar、rtf、sh、svg、tar、tif、tiff、ts、ttf、txt、vsd、wav、weba、webm、webp、woff、woff2、xhtml、xls、xlsx、xml、xul、zip、3gp、3g2、7z
+的Content-Type:  进行类型识别，跳过无用的fuzz
diff --git a/pkg/checker/fuzz/fuzzBody.go b/pkg/checker/fuzz/fuzzBody.go
@@ -30,5 +30,8 @@ func init() {
 				util.SendLog(fmt.Sprintf("%v", i), "leak", strings.Join(a, "\n"), "")
 			}
 		})
+		//util.RegHeaderCheckFunc(func(r *util.CheckerTools, i ...interface{}) {
+		//
+		//})
 	})
 }
diff --git a/pocs_go/shiro/CVE_2016_4437.go b/pocs_go/shiro/CVE_2016_4437.go
@@ -96,7 +96,8 @@ func init() {
 		// 检查 cookie
 		// Shiro CVE_2016_4437 cookie
 		// 其他POC cookie同一检查入口
-		util.GetInstance(util.ReqHeader).RegCheckFunc(func(r *util.CheckerTools, args ...interface{}) {
+		// 第一个参数header，第二个为 url
+		util.RegHeaderCheckFunc(func(r *util.CheckerTools, args ...interface{}) {
 			a := r.GetHead(args[0], "Set-Cookie")
 			if nil != a && 0 < len(a) {
 				//return len(DeleteMe.FindAllStringIndex(SetCookieAll, -1))

Original file line number	Diff line number	Diff line change
`@@ -89,6 +89,12 @@ func GetClient4Cc(szUrl string) *PipelineHttp.PipelineHttp {`
`89`	`89`	`}`
`90`	`90`	`return nil`
`91`	`91`	`}`
	`92`	`+func PutClientCc(szUrl string, c *PipelineHttp.PipelineHttp) {`
	`93`	`+ CloseHttpClient(szUrl)`
	`94`	`+ oU, _ := url.Parse(szUrl)`
	`95`	`+ clientHttpCc.Delete(oU.Scheme + oU.Host)`
	`96`	`+ clientHttpCc.Set(oU.Scheme+oU.Host, c, defaultInteractionDuration)`
	`97`	`+}`
`92`	`98`
`93`	`99`	`//var G_hc *http.Client`
`94`	`100`
Original file line number	Diff line number	Diff line change
`@@ -30,5 +30,8 @@ func init() {`
`30`	`30`	`util.SendLog(fmt.Sprintf("%v", i), "leak", strings.Join(a, "\n"), "")`
`31`	`31`	`}`
`32`	`32`	`})`
	`33`	`+ //util.RegHeaderCheckFunc(func(r *util.CheckerTools, i ...interface{}) {`
	`34`	`+ //`
	`35`	`+ //})`
`33`	`36`	`})`
`34`	`37`	`}`