replaced ppfuzz with ppmap and nuclei checks fuzzing results
six2dez committed Feb 14, 2024
1 parent f9d31ad commit dcc71df
Showing 4 changed files with 13 additions and 37 deletions.
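--- a/README.md
+++ b/README.md
@@ -536,7 +536,7 @@ reset='\033[0m'
 - SSTI ([ffuf](https://github.com/ffuf/ffuf))
 - SSL tests ([testssl](https://github.com/drwetter/testssl.sh))
 - Broken Links Checker ([katana](https://github.com/projectdiscovery/katana))
-- Prototype Pollution ([ppfuzz](https://github.com/dwisiswant0/ppfuzz))
+- Prototype Pollution ([ppmap](https://github.com/kleiton0x00/ppmap))
 - Web Cache Vulnerabilities ([Web-Cache-Vulnerability-Scanner](https://github.com/Hackmanit/Web-Cache-Vulnerability-Scanner))
 - 4XX Bypasser ([dontgo403](https://github.com/devploit/dontgo403))
 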
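--- a/install.sh
+++ b/install.sh
@@ -73,6 +73,7 @@ gotools["s3scanner"]="go install -v github.com/sa7mon/s3scanner@latest"
 gotools["nmapurls"]="go install -v github.com/sdcampbell/nmapurls@latest"
 gotools["shortscan"]="go install -v github.com/bitquark/shortscan/cmd/shortscan@latest"
 gotools["sns"]="go install github.com/sw33tLie/sns@latest"
+gotools["ppmap"]="go install -v github.com/kleiton0x00/ppmap@latest"
 
 # Declaring repositories and their paths
 declare -A repos
@@ -124,15 +125,6 @@ function banner() {
 printf " ${reconftw_version} by @six2dez\n"
 }
 
-function install_ppfuzz() {
-local url=$1
-local tar_file=$2
-
-eval wget -N -c "$url" $DEBUG_STD
-eval $SUDO tar -C /usr/local/bin/ -xzf "$tar_file" $DEBUG_STD
-eval $SUDO rm -rf "$tar_file" $DEBUG_STD
-}
-
 # This function installs various tools and repositories as per the configuration.
 function install_tools() {
 
@@ -228,23 +220,6 @@ function install_tools() {
 }
 done
 
-if [[ "True" == "$IS_ARM" ]]; then
-if [[ "True" == "$RPI_3" ]]; then
-install_ppfuzz "https://github.com/dwisiswant0/ppfuzz/releases/download/v1.0.1/ppfuzz-v1.0.1-armv7-unknown-linux-gnueabihf.tar.gz" "ppfuzz-v1.0.1-armv7-unknown-linux-gnueabihf.tar.gz"
-elif [[ "True" == "$RPI_4" ]]; then
-install_ppfuzz "https://github.com/dwisiswant0/ppfuzz/releases/download/v1.0.1/ppfuzz-v1.0.1-aarch64-unknown-linux-gnueabihf.tar.gz" "ppfuzz-v1.0.1-aarch64-unknown-linux-gnueabihf.tar.gz"
-fi
-elif [[ "True" == "$IS_MAC" ]]; then
-if [[ "True" == "$IS_ARM" ]]; then
-install_ppfuzz "https://github.com/dwisiswant0/ppfuzz/releases/download/v1.0.1/ppfuzz-v1.0.1-armv7-unknown-linux-gnueabihf.tar.gz" "ppfuzz-v1.0.1-armv7-unknown-linux-gnueabihf.tar.gz"
-else
-install_ppfuzz "https://github.com/dwisiswant0/ppfuzz/releases/download/v1.0.1/ppfuzz-v1.0.1-x86_64-apple-darwin.tar.gz" "ppfuzz-v1.0.1-x86_64-apple-darwin.tar.gz"
-fi
-else
-install_ppfuzz "https://github.com/dwisiswant0/ppfuzz/releases/download/v1.0.1/ppfuzz-v1.0.1-x86_64-unknown-linux-musl.tar.gz" "ppfuzz-v1.0.1-x86_64-unknown-linux-musl.tar.gz"
-fi
-eval $SUDO chmod 755 /usr/local/bin/ppfuzz
-eval $SUDO strip -s /usr/local/bin/ppfuzz $DEBUG_STD
 eval notify $DEBUG_STD
 eval subfinder $DEBUG_STD
 eval subfinder $DEBUG_STD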
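Review bot: The new `gotools["ppmap"]` entry installs from `@latest`, so the binary that ends up in the toolchain can change between two runs of the installer, whereas the removed ppfuzz path at least pinned a fixed release (v1.0.1, though it never verified the tarball it downloaded). Pinning the module to a release tag or commit, e.g. `gotools["ppmap"]="go install -v github.com/kleiton0x00/ppmap@<release-tag>"`, keeps installs reproducible for a tool that is run against third-party targets; the neighbouring gotools entries have the same `@latest` pattern, so this is a file-wide concern rather than something this commit introduces. Separately, existing installs keep a stale `/usr/local/bin/ppfuzz` because the installer is removed but nothing retires the old binary; one line such as `eval $SUDO rm -f /usr/local/bin/ppfuzz $DEBUG_STD` next to the `eval notify` call would clean it up. `install_tools` starts and ends outside the hunk.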
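--- a/reconftw.cfg
+++ b/reconftw.cfg
@@ -173,7 +173,6 @@ PUREDNS_TRUSTED_LIMIT=400
 PUREDNS_WILDCARDTEST_LIMIT=30
 PUREDNS_WILDCARDBATCH_LIMIT=1500000
 RESOLVE_DOMAINS_THREADS=150
-PPFUZZ_THREADS=30
 DNSVALIDATOR_THREADS=200
 INTERLACE_THREADS=10
 TLSX_THREADS=1000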
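--- a/reconftw.sh
+++ b/reconftw.sh
@@ -299,8 +299,8 @@ function tools_installed() {
 printf "${bred} [*] mapcidr [NO]${reset}\n"
 allinstalled=false
 }
-command -v ppfuzz &>/dev/null || {
-printf "${bred} [*] ppfuzz [NO]${reset}\n"
+command -v ppmap &>/dev/null || {
+printf "${bred} [*] ppmap [NO]${reset}\n"
 allinstalled=false
 }
 command -v cdncheck &>/dev/null || {
@@ -1631,19 +1631,21 @@ function nuclei_check() {
 mkdir -p nuclei_output
 [ ! -s "webs/webs_all.txt" ] && cat webs/webs.txt webs/webs_uncommon_ports.txt 2>/dev/null | anew -q webs/webs_all.txt
 [ ! -s ".tmp/webs_subs.txt" ] && cat subdomains/subdomains.txt webs/webs_all.txt 2>>"$LOGFILE" | anew -q .tmp/webs_subs.txt
+[ -s "$dir/fuzzing/fuzzing_full.txt" ] && cat $dir/fuzzing/fuzzing_full.txt | grep -e "^200" | cut -d " " -f3 | anew -q .tmp/webs_fuzz.txt
+cat .tmp/webs_subs.txt .tmp/webs_fuzz.txt 2>>"$LOGFILE" | anew -q .tmp/webs_nuclei.txt
 if [[ $AXIOM != true ]]; then # avoid globbing (expansion of *).
 IFS=',' read -ra severity_array <<<"$NUCLEI_SEVERITY"
 for crit in "${severity_array[@]}"; do
 printf "${yellow}\n Running : Nuclei $crit ${reset}\n\n"
-cat .tmp/webs_subs.txt 2>/dev/null | nuclei $NUCLEI_FLAGS -severity $crit -nh -rl $NUCLEI_RATELIMIT -o nuclei_output/${crit}.txt
+cat .tmp/webs_nuclei.txt 2>/dev/null | nuclei $NUCLEI_FLAGS -severity $crit -nh -rl $NUCLEI_RATELIMIT -o nuclei_output/${crit}.txt
 done
 printf "\n\n"
 else
-if [[ -s ".tmp/webs_subs.txt" ]]; then
+if [[ -s ".tmp/webs_nuclei.txt" ]]; then
 IFS=',' read -ra severity_array <<<"$NUCLEI_SEVERITY"
 for crit in "${severity_array[@]}"; do
 printf "${yellow}\n Running : Nuclei $crit, check results on nuclei_output folder${reset}\n\n"
-axiom-scan .tmp/webs_subs.txt -m nuclei --nuclei-templates ${NUCLEI_TEMPLATES_PATH} -severity ${crit} -nh -rl $NUCLEI_RATELIMIT -o nuclei_output/${crit}.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" >/dev/null
+axiom-scan .tmp/webs_nuclei.txt -m nuclei --nuclei-templates ${NUCLEI_TEMPLATES_PATH} -severity ${crit} -nh -rl $NUCLEI_RATELIMIT -o nuclei_output/${crit}.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" >/dev/null
 [ -s "nuclei_output/${crit}.txt" ] && cat nuclei_output/${crit}.txt
 done
 printf "\n\n"
@@ -2398,8 +2400,8 @@ function prototype_pollution() {
 if { [[ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ]] || [[ $DIFF == true ]]; } && [[ $PROTO_POLLUTION == true ]]; then
 start_func ${FUNCNAME[0]} "Prototype Pollution checks"
 if [[ $DEEP == true ]] || [[ $(cat webs/url_extract.txt | wc -l) -le $DEEP_LIMIT ]]; then
-[ -s "webs/url_extract.txt" ] && ppfuzz -l webs/url_extract.txt -c $PPFUZZ_THREADS 2>/dev/null | anew -q .tmp/prototype_pollution.txt
-[ -s ".tmp/prototype_pollution.txt" ] && cat .tmp/prototype_pollution.txt | sed -e '1,8d' | sed '/^\[ERR/d' | anew -q vulns/prototype_pollution.txt
+[ -s "webs/url_extract.txt" ] && cat webs/url_extract.txt | ppmap &> .tmp/prototype_pollution.txt
+[ -s ".tmp/prototype_pollution.txt" ] && cat .tmp/prototype_pollution.txt | grep "EXPL" | anew -q vulns/prototype_pollution.txt
 end_func "Results are saved in vulns/prototype_pollution.txt" ${FUNCNAME[0]}
 else
 end_func "Skipping Prototype Pollution: Too many URLs to test, try with --deep flag" ${FUNCNAME[0]}
@@ -3102,8 +3104,8 @@ function recon() {
 portscan
 geo_info
 waf_checks
-nuclei_check
 fuzz
+nuclei_check
 iishortname
 urlchecks
 jschecks
@@ -3360,9 +3362,9 @@ function webs_menu() {
 screenshot
 # virtualhosts
 waf_checks
+fuzz
 nuclei_check
 cms_scanner
-fuzz
 iishortname
 urlchecks
 jschecks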
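Review bot: In the nuclei_check hunk the new line that harvests fuzzing hits leaves `$dir` unquoted in `cat $dir/fuzzing/fuzzing_full.txt`, while the `-s` test on the same line quotes it, so a workspace path containing whitespace or glob characters passes the test and then feeds the wrong file (or nothing) into the pipeline; `[ -s "$dir/fuzzing/fuzzing_full.txt" ] && grep -e "^200" "$dir/fuzzing/fuzzing_full.txt" | cut -d " " -f3 | anew -q .tmp/webs_fuzz.txt` quotes it and drops the useless cat. The `^200` / third-field extraction presumes fuzzing_full.txt is written as space-separated "status size url" records; fuzz is not in this hunk, so that layout should be confirmed and noted with a comment such as `# fuzzing_full.txt lines are "<status> <size> <url>"; only 200s are forwarded to nuclei`. Because `.tmp/webs_fuzz.txt` and `.tmp/webs_nuclei.txt` are only ever appended to with `anew -q`, targets from an earlier run in the same workspace would persist into this scan unless they are truncated somewhere outside the hunk. nuclei_check starts and ends outside the hunk.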
