vhost_scan - work in progress

aristosMiliaressis · Dec 2, 2023 · 231bccf · 231bccf
1 parent bc1b9a7
commit 231bccf
Show file tree

Hide file tree

Showing 6 changed files with 14 additions and 8 deletions.
diff --git a/src/core/pwnctl.app/Scope/Entities/ScopeDefinition.cs b/src/core/pwnctl.app/Scope/Entities/ScopeDefinition.cs
@@ -65,7 +65,7 @@ private bool UrlMatchingChecks(Asset? asset)
     {
         return asset switch
         {
-            HttpEndpoint ep => new Regex(Pattern).Matches(ep.Url).Count > 0,
+            HttpEndpoint ep => new Regex(Pattern).Matches(ep.ToString()).Count > 0,
             HttpParameter param => Matches(param.Endpoint),
             _ => false
         };

diff --git a/src/core/pwnctl.domain/Entities/HttpEndpoint.cs b/src/core/pwnctl.domain/Entities/HttpEndpoint.cs
@@ -4,6 +4,7 @@
 using pwnctl.kernel.BaseClasses;
 using pwnctl.domain.BaseClasses;
 using pwnctl.domain.Enums;
+using System.Text.RegularExpressions;
 
 public sealed class HttpEndpoint : Asset
 {
@@ -15,6 +16,8 @@ public sealed class HttpEndpoint : Asset
     public Guid? ParentEndpointId { get; private init; }
     public HttpEndpoint? ParentEndpoint { get; private set; }
     public List<HttpParameter> HttpParameters { get; private set; }
+
+    public bool IsIpBased => new Regex(@"^https?://[\d]{1,3}(\.[\d]{1,3}){3}").Match(Url).Success;
 
     public string Scheme { get; init; }
     public string Path { get; init; }

diff --git a/src/core/pwnctl.domain/Entities/HttpParameter.cs b/src/core/pwnctl.domain/Entities/HttpParameter.cs
@@ -24,7 +24,7 @@ public HttpParameter() {}
     public HttpParameter(HttpEndpoint endpoint, string name, ParamType type, string? value)
     {
         Endpoint = endpoint;
-        Url = endpoint.Url;
+        Url = endpoint.ToString();
         Name = name;
         Type = type;
         Value = value;

diff --git a/src/core/pwnctl.exec/scripts/webcrawl.sh b/src/core/pwnctl.exec/scripts/webcrawl.sh
@@ -13,7 +13,7 @@ timeout -v -k 30s 150m katana --silent --no-sandbox -hl -d 10 -silent -nc -or -o
 cat $katana_tmp | jq -r .request.endpoint | sort -u 2>/dev/null
 
 cat $katana_tmp \
-    | jq -c 'select( .response.forms != null ) | .response.forms[] as $form | select( $form.parameters != null) | $form.parameters[] | { asset:($form.action+"?"+.), tags:{form:true,enctype:$form.enctype,method:$form.method} }' \
+    | jq -c 'select( .response.forms != null ) | .response.forms[] as $form | select( $form.parameters != null) | $form.parameters[] | { asset:($form.action+"?"+.), tags:{form:"true",enctype:$form.enctype|tostring,method:$form.method} }' \
     | jq -c 'if .tags.method != "GET" then .tags.Type="Body" else . end' 2>/dev/null >> $temp
 
 cat $temp | grep "form\":true" | while read url; do param=$(echo $url | jq -r .asset | cut -d '?' -f2); tags=$(echo $url | jq -c .tags); echo $url | jq -r .asset | sed 's/%/\\\\x/g' | xargs -I {} printf "{}\n" | unfurl format "{\"asset\":\"%s://%a%p?$param\",\"tags\":$tags}"; done | sort -u 2>/dev/null

diff --git a/src/core/pwnctl.infra/Persistence/seed/post-web-recon.yaml b/src/core/pwnctl.infra/Persistence/seed/post-web-recon.yaml
@@ -0,0 +1,8 @@
+Profile: "post_web_recon"
+
+TaskDefinitions:
+  - Name: vhost_scan
+    Subject: HttpEndpoint
+    Filter: HttpEndpoint.Path == "/" && HttpEndpoint.IsIpBased
+    CommandTemplate: vhost-scan.sh {{Url}}
+    StdinQuery: SELECT "TextNotation" FROM "asset_records" WHERE "InScope" = true AND "DomainNameId" != null
diff --git a/src/core/pwnctl.infra/Persistence/seed/web-recon.td.yml b/src/core/pwnctl.infra/Persistence/seed/web-recon.td.yml
@@ -153,8 +153,3 @@ TaskDefinitions:
     CommandTemplate: mdwfuzzer.sh {{Url}}
     Filter: HttpEndpoint.Path=="/"
     Subject: HttpEndpoint
-
-  - Name: vhost_scan
-    CommandTemplate: vhost-scan.sh {{Url}}
-    Subject: HttpEndpoint
-    Filter: false && HttpEndpoint.Path=="/"