From dcc71dfbce509f8fc62e626c749449e2a876da09 Mon Sep 17 00:00:00 2001
From: six2dez
Date: Wed, 14 Feb 2024 13:48:24 +0100
Subject: [PATCH] replaced ppfuzz with ppmap and nuclei checks fuzzing results

---
 README.md | 2 +-
 install.sh | 27 +--------------------------
 reconftw.cfg | 1 -
 reconftw.sh | 20 +++++++++++---------
 4 files changed, 13 insertions(+), 37 deletions(-)

diff --git a/README.md b/README.md
index bd779647..01c92748 100644
--- a/README.md
+++ b/README.md
@@ -536,7 +536,7 @@ reset='\033[0m'
 - SSTI ([ffuf](https://github.com/ffuf/ffuf))
 - SSL tests ([testssl](https://github.com/drwetter/testssl.sh))
 - Broken Links Checker ([katana](https://github.com/projectdiscovery/katana))
-- Prototype Pollution ([ppfuzz](https://github.com/dwisiswant0/ppfuzz))
+- Prototype Pollution ([ppmap](https://github.com/kleiton0x00/ppmap))
 - Web Cache Vulnerabilities ([Web-Cache-Vulnerability-Scanner](https://github.com/Hackmanit/Web-Cache-Vulnerability-Scanner))
 - 4XX Bypasser ([dontgo403](https://github.com/devploit/dontgo403))
diff --git a/install.sh b/install.sh
index d8817220..7e0ce135 100755
--- a/install.sh
+++ b/install.sh
@@ -73,6 +73,7 @@ gotools["s3scanner"]="go install -v github.com/sa7mon/s3scanner@latest"
 gotools["nmapurls"]="go install -v github.com/sdcampbell/nmapurls@latest"
 gotools["shortscan"]="go install -v github.com/bitquark/shortscan/cmd/shortscan@latest"
 gotools["sns"]="go install github.com/sw33tLie/sns@latest"
+gotools["ppmap"]="go install -v github.com/kleiton0x00/ppmap@latest"
 
 # Declaring repositories and their paths
 declare -A repos
@@ -124,15 +125,6 @@ function banner() {
 printf " ${reconftw_version} by @six2dez\n"
 }
 
-function install_ppfuzz() {
- local url=$1
- local tar_file=$2
-
- eval wget -N -c "$url" $DEBUG_STD
- eval $SUDO tar -C /usr/local/bin/ -xzf "$tar_file" $DEBUG_STD
- eval $SUDO rm -rf "$tar_file" $DEBUG_STD
-}
-
 # This function installs various tools and repositories as per the configuration.
 function install_tools() {
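Review bot: The new `gotools["ppmap"]` entry in the `@@ -73,6 +73,7 @@` hunk installs from `@latest`, so each fresh install resolves to whatever the upstream module currently publishes, with no version pinned for a binary that the scanner then runs against every extracted URL. The neighbouring gotools entries use the same pattern, so this is consistent with the file, but a new dependency is the natural place to start pinning: `gotools["ppmap"]="go install -v github.com/kleiton0x00/ppmap@<tag-or-commit>"` with a tag you have reviewed. Go's module checksum database still verifies the download either way; pinning only turns it into a reproducible, auditable version instead of a moving target. The `@@ -124,15 +125,6 @@` hunk appears to be cut off after `function install_tools() {`, so it is not reviewed here.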
@@ -228,23 +220,6 @@ function install_tools() {
 }
 done
 
- if [[ "True" == "$IS_ARM" ]]; then
- if [[ "True" == "$RPI_3" ]]; then
- install_ppfuzz "https://github.com/dwisiswant0/ppfuzz/releases/download/v1.0.1/ppfuzz-v1.0.1-armv7-unknown-linux-gnueabihf.tar.gz" "ppfuzz-v1.0.1-armv7-unknown-linux-gnueabihf.tar.gz"
- elif [[ "True" == "$RPI_4" ]]; then
- install_ppfuzz "https://github.com/dwisiswant0/ppfuzz/releases/download/v1.0.1/ppfuzz-v1.0.1-aarch64-unknown-linux-gnueabihf.tar.gz" "ppfuzz-v1.0.1-aarch64-unknown-linux-gnueabihf.tar.gz"
- fi
- elif [[ "True" == "$IS_MAC" ]]; then
- if [[ "True" == "$IS_ARM" ]]; then
- install_ppfuzz "https://github.com/dwisiswant0/ppfuzz/releases/download/v1.0.1/ppfuzz-v1.0.1-armv7-unknown-linux-gnueabihf.tar.gz" "ppfuzz-v1.0.1-armv7-unknown-linux-gnueabihf.tar.gz"
- else
- install_ppfuzz "https://github.com/dwisiswant0/ppfuzz/releases/download/v1.0.1/ppfuzz-v1.0.1-x86_64-apple-darwin.tar.gz" "ppfuzz-v1.0.1-x86_64-apple-darwin.tar.gz"
- fi
- else
- install_ppfuzz "https://github.com/dwisiswant0/ppfuzz/releases/download/v1.0.1/ppfuzz-v1.0.1-x86_64-unknown-linux-musl.tar.gz" "ppfuzz-v1.0.1-x86_64-unknown-linux-musl.tar.gz"
- fi
- eval $SUDO chmod 755 /usr/local/bin/ppfuzz
- eval $SUDO strip -s /usr/local/bin/ppfuzz $DEBUG_STD
 eval notify $DEBUG_STD
 eval subfinder $DEBUG_STD
 eval subfinder $DEBUG_STD
diff --git a/reconftw.cfg b/reconftw.cfg
index 6479220d..64570195 100644
--- a/reconftw.cfg
+++ b/reconftw.cfg
@@ -173,7 +173,6 @@ PUREDNS_TRUSTED_LIMIT=400
 PUREDNS_WILDCARDTEST_LIMIT=30
 PUREDNS_WILDCARDBATCH_LIMIT=1500000
 RESOLVE_DOMAINS_THREADS=150
-PPFUZZ_THREADS=30
 DNSVALIDATOR_THREADS=200
 INTERLACE_THREADS=10
 TLSX_THREADS=1000
diff --git a/reconftw.sh b/reconftw.sh
index 16476485..a2831d39 100755
--- a/reconftw.sh
+++ b/reconftw.sh
@@ -299,8 +299,8 @@ function tools_installed() {
 printf "${bred} [*] mapcidr [NO]${reset}\n"
 allinstalled=false
 }
- command -v ppfuzz &>/dev/null || {
- printf "${bred} [*] ppfuzz [NO]${reset}\n"
+ command -v ppmap &>/dev/null || {
+ printf "${bred} [*] ppmap [NO]${reset}\n"
 allinstalled=false
 }
 command -v cdncheck &>/dev/null || {
@@ -1631,19 +1631,21 @@ function nuclei_check() {
 mkdir -p nuclei_output
 [ ! -s "webs/webs_all.txt" ] && cat webs/webs.txt webs/webs_uncommon_ports.txt 2>/dev/null | anew -q webs/webs_all.txt
 [ ! -s ".tmp/webs_subs.txt" ] && cat subdomains/subdomains.txt webs/webs_all.txt 2>>"$LOGFILE" | anew -q .tmp/webs_subs.txt
+ [ -s "$dir/fuzzing/fuzzing_full.txt" ] && cat $dir/fuzzing/fuzzing_full.txt | grep -e "^200" | cut -d " " -f3 | anew -q .tmp/webs_fuzz.txt
+ cat .tmp/webs_subs.txt .tmp/webs_fuzz.txt 2>>"$LOGFILE" | anew -q .tmp/webs_nuclei.txt
 if [[ $AXIOM != true ]]; then
 # avoid globbing (expansion of *).
 IFS=',' read -ra severity_array <<<"$NUCLEI_SEVERITY"
 for crit in "${severity_array[@]}"; do
 printf "${yellow}\n Running : Nuclei $crit ${reset}\n\n"
- cat .tmp/webs_subs.txt 2>/dev/null | nuclei $NUCLEI_FLAGS -severity $crit -nh -rl $NUCLEI_RATELIMIT -o nuclei_output/${crit}.txt
+ cat .tmp/webs_nuclei.txt 2>/dev/null | nuclei $NUCLEI_FLAGS -severity $crit -nh -rl $NUCLEI_RATELIMIT -o nuclei_output/${crit}.txt
 done
 printf "\n\n"
 else
- if [[ -s ".tmp/webs_subs.txt" ]]; then
+ if [[ -s ".tmp/webs_nuclei.txt" ]]; then
 IFS=',' read -ra severity_array <<<"$NUCLEI_SEVERITY"
 for crit in "${severity_array[@]}"; do
 printf "${yellow}\n Running : Nuclei $crit, check results on nuclei_output folder${reset}\n\n"
- axiom-scan .tmp/webs_subs.txt -m nuclei --nuclei-templates ${NUCLEI_TEMPLATES_PATH} -severity ${crit} -nh -rl $NUCLEI_RATELIMIT -o nuclei_output/${crit}.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" >/dev/null
+ axiom-scan .tmp/webs_nuclei.txt -m nuclei --nuclei-templates ${NUCLEI_TEMPLATES_PATH} -severity ${crit} -nh -rl $NUCLEI_RATELIMIT -o nuclei_output/${crit}.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" >/dev/null
 [ -s "nuclei_output/${crit}.txt" ] && cat nuclei_output/${crit}.txt
 done
 printf "\n\n"
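Review bot: The first added line expands `$dir` unquoted in `cat $dir/fuzzing/fuzzing_full.txt` even though the same path is quoted in the `-s` test just before it, so a target directory containing whitespace or glob characters makes cat fail, leaves `.tmp/webs_fuzz.txt` empty, and the unconditional merge on the next line never notices. The cat is also redundant; `[ -s "$dir/fuzzing/fuzzing_full.txt" ] && grep -e "^200" "$dir/fuzzing/fuzzing_full.txt" | cut -d " " -f3 | anew -q .tmp/webs_fuzz.txt` fixes both. The `^200` / field-3 parsing presumably assumes fuzzing_full.txt lines look like `<status> <size> <url>`, but the writer of that file is outside this hunk, so a comment such as `# fuzzing_full.txt: "<status> ... <url>" per line; keep HTTP 200 hits only` would pin the contract that nuclei_check now depends on. nuclei_check starts before and ends after this hunk.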
@@ -2398,8 +2400,8 @@ function prototype_pollution() {
 if { [[ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ]] || [[ $DIFF == true ]]; } && [[ $PROTO_POLLUTION == true ]]; then
 start_func ${FUNCNAME[0]} "Prototype Pollution checks"
 if [[ $DEEP == true ]] || [[ $(cat webs/url_extract.txt | wc -l) -le $DEEP_LIMIT ]]; then
- [ -s "webs/url_extract.txt" ] && ppfuzz -l webs/url_extract.txt -c $PPFUZZ_THREADS 2>/dev/null | anew -q .tmp/prototype_pollution.txt
- [ -s ".tmp/prototype_pollution.txt" ] && cat .tmp/prototype_pollution.txt | sed -e '1,8d' | sed '/^\[ERR/d' | anew -q vulns/prototype_pollution.txt
+ [ -s "webs/url_extract.txt" ] && cat webs/url_extract.txt | ppmap &> .tmp/prototype_pollution.txt
+ [ -s ".tmp/prototype_pollution.txt" ] && cat .tmp/prototype_pollution.txt | grep "EXPL" | anew -q vulns/prototype_pollution.txt
 end_func "Results are saved in vulns/prototype_pollution.txt" ${FUNCNAME[0]}
 else
 end_func "Skipping Prototype Pollution: Too many URLs to test, try with --deep flag" ${FUNCNAME[0]}
@@ -3102,8 +3104,8 @@ function recon() {
 portscan
 geo_info
 waf_checks
- nuclei_check
 fuzz
+ nuclei_check
 iishortname
 urlchecks
 jschecks
@@ -3360,9 +3362,9 @@ function webs_menu() {
 screenshot
 # virtualhosts
 waf_checks
+ fuzz
 nuclei_check
 cms_scanner
- fuzz
 iishortname
 urlchecks
 jschecks
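Review bot: `ppmap &> .tmp/prototype_pollution.txt` on the first added line of the prototype_pollution hunk writes ppmap's stderr into the results file, so any banner, progress or error text the tool emits is later passed through `grep "EXPL"` and can be recorded in vulns/prototype_pollution.txt as a finding; the line it replaces discarded stderr with `2>/dev/null`, and the rest of reconftw.sh sends diagnostics to `2>>"$LOGFILE"`. Suggest `[ -s "webs/url_extract.txt" ] && ppmap < webs/url_extract.txt > .tmp/prototype_pollution.txt 2>>"$LOGFILE"`, which also drops the redundant cat. The `grep "EXPL"` filter is a substring match on an output format not visible here; if ppmap marks confirmed hits with a fixed token, a short comment naming it, e.g. `# ppmap tags exploitable gadgets with "EXPL"; only those become findings`, would make the filter intentional rather than incidental. The function's closing lines are outside the hunk.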