
Detection of url(target)=https://example:port/a/b/c #1793

Open
q1258089344 opened this issue Apr 30, 2024 · 16 comments

Comments

@q1258089344

With a multi-level path like this, does xray not run detection at all? If the target is https://example:port/a, detection runs normally.

@q1258089344
Author

@yywing

@Jarcis-cy
Collaborator

  1. It does run detection.
  2. Can you post the command you ran?

@q1258089344
Author

.\xray_windows_386.exe --log-level debug ws --poc "D:\working\document\内容风险\xray\workspace/pocs/*" --url-file D:\working\document\内容风险\xray\workspace\2024-04-29\16-33-42-domain.txt --html-output D:\working\document\内容风险\xray\workspace\2024-04-29\16-33-42-other.html

@q1258089344
Author

name: poc-yaml-js-report
manual: false
transport: http
set:
    # /test/test
    inputPath: request.url.path
rules:
    r1:
        request:
            cache: true
            method: GET
            # target: http://example.com:8080/test/test/b
            # If it starts with ^, path is used as the request path
            path: '^{{inputPath}}/release/visualizer/reporter.html'
        expression: "true"
expression: r1()
detail:
    author: yywing

@q1258089344
Author

POC Loaded:
poc-yaml-js-report

[DBUG] 2024-05-11 14:52:47 [controller:dispatcher.go:230] fingers count: 2
[DBUG] 2024-05-11 14:52:47 [controller:dispatcher.go:231] building finger tree
[DBUG] 2024-05-11 14:52:47 [controller:dispatcher.go:239] start to trim the invocation tree
[DBUG] 2024-05-11 14:52:47 [controller:dispatcher.go:291] init the event bus
[DBUG] 2024-05-11 14:52:47 [controller:dispatcher.go:364] service finger count: 1, flow finger count: 2
[DBUG] 2024-05-11 14:52:47 [collector:url-list.go:36] processing https://lppadweb.paas.cmbchina.com/asdfasdfa/sdfsadf/fdsfg/asdfasdf/dfgsdf/dsfgsdh/fdgh/dfghdfgh/dfgh
[DBUG] 2024-05-11 14:52:47 [default:client.go:188] GET https://lppadweb.paas.cmbchina.com/asdfasdfa/sdfsadf/fdsfg/asdfasdf/dfgsdf/dsfgsdh/fdgh/dfghdfgh/dfgh
[DBUG] 2024-05-11 14:52:47 [collector:url-list.go:36] processing https://lppadweb.paas.cmbchina.com/a
[DBUG] 2024-05-11 14:52:47 [default:client.go:188] GET https://lppadweb.paas.cmbchina.com/a
[DBUG] 2024-05-11 14:52:47 [default:client.go:188] GET https://lppadweb.paas.cmbchina.com/index.php
[INFO] 2024-05-11 14:52:47 [collector:url-list.go:66] waiting requests in queue
[INFO] 2024-05-11 14:52:47 [default:dispatcher.go:444] processing GET https://lppadweb.paas.cmbchina.com/a
[INFO] 2024-05-11 14:52:47 [default:dispatcher.go:444] processing GET https://lppadweb.paas.cmbchina.com/asdfasdfa/sdfsadf/fdsfg/asdfasdf/dfgsdf/dsfgsdh/fdgh/dfghdfgh/dfgh
[DBUG] 2024-05-11 14:52:47 [runner client:http.go:54] req:
GET /a/release/visualizer/reporter.html HTTP/1.1
Host: lppadweb.paas.cmbchina.com

[DBUG] 2024-05-11 14:52:47 [default:client.go:188] GET https://lppadweb.paas.cmbchina.com/a/release/visualizer/reporter.html
[DBUG] 2024-05-11 14:52:47 [runner client:http.go:69] resp:
HTTP/1.1 404 Not Found
Content-Length: 146
Content-Type: text/html
Date: Sat, 11 May 2024 06:52:47 GMT
Server: nginx

<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>

[Vuln: phantasm]
Target "https://lppadweb.paas.cmbchina.com/a"
VulnType "poc-yaml-js-report/default"
Author "yywing"

[DBUG] 2024-05-11 14:52:48 [controller:dispatcher.go:502] sending last stat
[INFO] 2024-05-11 14:52:48 [controller:dispatcher.go:573] controller released, task done

@q1258089344
Author

@Jarcis-cy

Above are the launch command, the contents of domain.txt, the POC, and the log from the run.

You can see that the /a URL successfully hit the POC, while the multi-level path appears not to have been checked at all.


@yywing
Collaborator

yywing commented May 11, 2024

Whoa, bro, anything involving IP addresses, please redact it; that's a bit scary.

@q1258089344
Author

Whoa, bro, anything involving IP addresses, please redact it; that's a bit scary.

Not a big deal, they're all 404 addresses.

@q1258089344
Author

Whoa, bro, anything involving IP addresses, please redact it; that's a bit scary.

Could you take a look when you have a moment: why does a single-level path meet the POC's expectation, while a multi-level path gives no result?

@yywing
Collaborator

yywing commented May 11, 2024

Your script and usage look fine to me. I suspect it's caused by the detection depth (I recall there being a sub-path detection depth). I've forgotten whether it can be set in the config.

I'd suggest using xpoc; xpoc shouldn't have this problem.

@q1258089344
Author

Your script and usage look fine to me. I suspect it's caused by the detection depth (I recall there being a sub-path detection depth). I've forgotten whether it can be set in the config.

I'd suggest using xpoc; xpoc shouldn't have this problem.

I looked through the config and couldn't find it. Switching tools feels hard to bear; the change is too big, and when deploying on Linux, libpcap is missing and has to be compiled and installed with gcc. Stepping into pitfalls is so painful~~

@yywing
Collaborator

yywing commented May 11, 2024

@Jarcis-cy
Collaborator

OK~ will the new version expose this config? thx

xpoc has no such restriction; whatever you give it, it sends.

@q1258089344
Author

https://docs.xray.cool/tools/xray/Configuration#phantasm

Try depth.

It works now, many thanks!
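The two pieces the thread pins down are the POC's path template (`^{{inputPath}}/release/visualizer/reporter.html`, rendered against request.url.path, as the earlier POC and log comments show) and the phantasm plugin's depth setting, which decides whether a deeper target is ever handed to a POC at all (the setting the thread ends on). The following is an added example, not xray's own code: a small Python model that renders the probe URL for each target, counts path segments, applies a depth gate, and reads `depth` out of the phantasm block of a constructed config.yaml fragment, so the "why did /a hit but /a/b/c produce nothing" question can be answered from a URL list before launching a scan. Everything beyond the page is an assumption and is marked as such in the code: that depth counts non-empty path segments and targets deeper than the configured value are skipped, that 0 means unlimited, that the shipped default is 1, the config text, and the host `example` and targets. Note also that the thread's POC uses `expression: "true"`, so it reports a hit on any response, including the 404 in the log; it tells you only whether the request was sent, not whether reporter.html exists.

```python
"""Model of the phantasm `depth` gate versus the POC's `^{{inputPath}}` path.

Added example, not xray's code. Assumed rules: depth counts non-empty path
segments, targets deeper than `depth` are skipped, 0 means unlimited, and a
`^`-prefixed path template is used verbatim as the absolute request path.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Path template taken from the thread's poc-yaml-js-report
POC_PATH = "^{{inputPath}}/release/visualizer/reporter.html"

# Constructed config.yaml fragment (assumed shape; assumed default depth of 1)
CONFIG_BEFORE = """\
plugins:
  phantasm:
    enabled: true
    depth: 1            # assumed default: only single-segment targets reach POCs
    auto_load_poc: true
  xss:
    enabled: true
"""
# The same fragment with depth raised, as the end of the thread suggests
CONFIG_AFTER = re.sub(r"depth: \d+", "depth: 10", CONFIG_BEFORE)


def url_path_depth(target: str) -> int:
    """Number of non-empty path segments: '/a' -> 1, '/a/b/c' -> 3, '/' -> 0."""
    return sum(1 for seg in urlsplit(target).path.split("/") if seg)


def render_poc_path(target: str, template: str = POC_PATH) -> str:
    """Substitute request.url.path for {{inputPath}} and honour the ^ prefix."""
    if not template.startswith("^"):
        # The thread documents only the ^ form; relative joining is not modelled.
        raise ValueError("only ^-prefixed (absolute) path templates are modelled")
    input_path = urlsplit(target).path.rstrip("/")  # assumption: trailing slash dropped
    return template[1:].replace("{{inputPath}}", input_path)


def probe_url(target: str, template: str = POC_PATH) -> str:
    """Full URL the POC would request for this target."""
    parts = urlsplit(target)
    return urlunsplit((parts.scheme, parts.netloc, render_poc_path(target, template), "", ""))


def phantasm_would_scan(target: str, depth: int) -> bool:
    """Assumed gate: depth 0 = unlimited, otherwise skip targets deeper than `depth`."""
    return depth == 0 or url_path_depth(target) <= depth


def phantasm_depth_from_config(config_text: str) -> int:
    """Read `depth:` from the phantasm block of a config.yaml (indent scan, no PyYAML)."""
    block_indent = None
    for line in config_text.splitlines():
        body = line.split("#", 1)[0].rstrip()   # drop comments
        if not body.strip():
            continue
        indent = len(body) - len(body.lstrip())
        if block_indent is None:
            if body.strip() == "phantasm:":
                block_indent = indent
            continue
        if indent <= block_indent:              # left the phantasm block
            break
        m = re.match(r"\s*depth:\s*(\d+)\s*$", body)
        if m:
            return int(m.group(1))
    raise KeyError("plugins.phantasm.depth not found")


def triage(targets, config_text):
    """Per target: (path depth, whether the POC would run, URL it would probe)."""
    depth = phantasm_depth_from_config(config_text)
    return {t: (url_path_depth(t), phantasm_would_scan(t, depth), probe_url(t)) for t in targets}


if __name__ == "__main__":
    # Constructed targets mirroring the thread: a one-level and a multi-level path
    TARGETS = ["https://example:8443/a", "https://example:8443/a/b/c"]
    for label, cfg in (("depth: 1", CONFIG_BEFORE), ("depth: 10", CONFIG_AFTER)):
        print(f"-- {label}")
        for t, (d, scanned, url) in triage(TARGETS, cfg).items():
            print(f"{t:30s} depth={d} scanned={scanned} probe={url}")
```

Run against a URL list with the depth read from the config you actually ship, the model flags every target that will never be handed to the POC, which is exactly the silent drop seen in the thread's debug log (the nine-segment target is fetched by the collector but never appears in a `runner client` request). The segment-counting rule and the 0 = unlimited case are assumptions of this model; confirm the exact semantics in the phantasm section of the configuration page linked above before relying on a particular value.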


3 participants