Add new checksum feature for more detection case

jaeles-project · Feb 2, 2021 · cf58a71 · cf58a71
1 parent 6c165df
commit cf58a71
Show file tree

Hide file tree

Showing 15 changed files with 322 additions and 87 deletions.
diff --git a/cmd/scan.go b/cmd/scan.go
@@ -117,7 +117,6 @@ func runScan(cmd *cobra.Command, _ []string) error {
 	defer p.Release()
 
 	for _, url := range urls {
-
 		// calculate filtering result first if enabled from cli
 		baseJob := libs.Job{URL: url}
 		if options.EnableFiltering {
@@ -157,6 +156,11 @@ func CreateRunner(j interface{}) {
 	var jobs []libs.Job
 	job := j.(libs.Job)
 
+	if job.Sign.Type == "dns" {
+		CreateDnsRunner(job)
+		return
+	}
+
 	// auto append http and https prefix if not present
 	if !strings.HasPrefix(job.URL, "http://") && !strings.HasPrefix(job.URL, "https://") {
 		withPrefixJob := job
@@ -204,6 +208,15 @@ func CreateRunner(j interface{}) {
 	}
 }
 
+// CreateDnsRunner create runner for dns
+func CreateDnsRunner(job libs.Job) {
+	runner, err := core.InitDNSRunner(job.URL, job.Sign, options)
+	if err != nil {
+		utils.ErrorF("Error create new dns runner: %v", err)
+	}
+	runner.Resolving()
+}
+
 /////////////////////// Chunk options (very experimental)
 
 func genChunkFiles(urlFile string, options libs.Options) []string {

diff --git a/core/dns.go b/core/dns.go
@@ -0,0 +1,142 @@
+package core
+
+import (
+	"fmt"
+	"github.com/jaeles-project/jaeles/dns"
+	"github.com/jaeles-project/jaeles/libs"
+	"github.com/jaeles-project/jaeles/utils"
+	"github.com/robertkrimen/otto"
+	"strings"
+)
+
+// InitDNSRunner init task
+func InitDNSRunner(url string, sign libs.Signature, opt libs.Options) (Runner, error) {
+	var runner Runner
+	runner.Input = url
+	runner.Opt = opt
+	runner.Sign = sign
+	runner.RunnerType = "dns"
+	runner.PrepareTarget()
+
+	return runner, nil
+}
+
+// GetDns get dns ready to resolve
+func (r *Runner) Resolving() {
+	if len(r.Sign.Dns) == 0 {
+		return
+	}
+	for _, dnsRecord := range r.Sign.Dns {
+		dnsRecord.Domain = ResolveVariable(dnsRecord.Domain, r.Target)
+		dnsRecord.RecordType = ResolveVariable(dnsRecord.RecordType, r.Target)
+		dnsRecord.Detections = ResolveDetection(dnsRecord.Detections, r.Target)
+		dnsRecord.PostRun = ResolveDetection(dnsRecord.PostRun, r.Target)
+
+		dns.QueryDNS(&dnsRecord, r.Opt)
+		if len(dnsRecord.Results) == 0 {
+			return
+		}
+
+		var rec Record
+		// set somethings in record
+		rec.Dns = dnsRecord
+		rec.Sign = r.Sign
+		rec.Opt = r.Opt
+		r.Records = append(r.Records, rec)
+	}
+
+	r.DnsDetection()
+}
+
+// DnsDetection get requests ready to send
+func (r *Runner) DnsDetection() {
+	for _, rec := range r.Records {
+		rec.DnsDetector()
+	}
+}
+
+func (r *Record) DnsDetector() bool {
+	record := *r
+	var extra string
+	vm := otto.New()
+
+	// Only for dns detection
+	vm.Set("DnsString", func(call otto.FunctionCall) otto.Value {
+		args := call.ArgumentList
+		recordName := "ANY"
+		searchString := args[0].String()
+		if len(args) > 1 {
+			searchString = args[1].String()
+			recordName = args[0].String()
+		}
+		content := GetDnsComponent(record, recordName)
+		record.Response.Beautify = content
+		result, _ := vm.ToValue(StringSearch(content, searchString))
+		return result
+	})
+
+	vm.Set("DnsRegex", func(call otto.FunctionCall) otto.Value {
+		args := call.ArgumentList
+		recordName := "ANY"
+		searchString := args[0].String()
+		if len(args) > 1 {
+			searchString = args[1].String()
+			recordName = args[0].String()
+		}
+		content := GetDnsComponent(record, recordName)
+		record.Response.Beautify = content
+
+		matches, validate := RegexSearch(content, searchString)
+		result, err := vm.ToValue(validate)
+		if err != nil {
+			utils.ErrorF("Error Regex: %v", searchString)
+			result, _ = vm.ToValue(false)
+		}
+		if matches != "" {
+			extra = matches
+		}
+		return result
+	})
+
+	// really run detection here
+	for _, analyze := range record.Dns.Detections {
+		// pass detection here
+		result, _ := vm.Run(analyze)
+		analyzeResult, err := result.Export()
+		// in case vm panic
+		if err != nil || analyzeResult == nil {
+			r.DetectString = analyze
+			r.IsVulnerable = false
+			r.DetectResult = ""
+			r.ExtraOutput = ""
+			continue
+		}
+		r.DetectString = analyze
+		r.IsVulnerable = analyzeResult.(bool)
+		r.DetectResult = extra
+		r.ExtraOutput = extra
+
+		// add extra things for standard output
+		r.Request.URL = r.Dns.Domain
+		r.Request.Beautify = fmt.Sprintf("dig %s %s", r.Dns.RecordType, r.Dns.Domain)
+		r.Response.Beautify = record.Response.Beautify
+
+		utils.DebugF("[Detection] %v -- %v", analyze, r.IsVulnerable)
+		// deal with vulnerable one here
+		next := r.Output()
+		if next == "stop" {
+			return true
+		}
+	}
+
+	return false
+}
+
+func GetDnsComponent(record Record, componentName string) string {
+	for _, dnsResult := range record.Dns.Results {
+		if dnsResult.RecordType == strings.TrimSpace(componentName) {
+			return dnsResult.Data
+		}
+	}
+	return ""
+}
diff --git a/core/filter.go b/core/filter.go
@@ -9,11 +9,12 @@ import (
 )
 
 var baseFiltering = []string{
+	"/",
 	"hopetoget404" + RandomString(6),
 	fmt.Sprintf("%s", RandomString(16)+"/"+RandomString(5)),
 	fmt.Sprintf("%s.html", RandomString(16)),
 	fmt.Sprintf("%s.php~", RandomString(16)),
-	fmt.Sprintf("%s.%00", RandomString(16)),
+	fmt.Sprintf("%%00%s", RandomString(16)),
 	fmt.Sprintf("%s.json", RandomString(16)),
 }
 

diff --git a/core/output.go b/core/output.go
@@ -81,6 +81,13 @@ func (r *Record) Output() string {
 		Execution(r.Opt.FoundCmd)
 	}
 
+	if len(r.Request.PostRun) > 0 {
+		r.Request.PostRun = ResolveDetection(r.Request.PostRun, r.Request.Target)
+		for _, postrun := range r.Request.PostRun {
+			Execution(postrun)
+		}
+	}
+
 	//// do passive analyze if got called from detector
 	//if strings.Contains(strings.ToLower(r.DetectString), "invokesign") {
 	//	r.InvokeSign()

diff --git a/core/parser.go b/core/parser.go
@@ -338,6 +338,7 @@ func ParseRequest(req libs.Request, sign libs.Signature, options libs.Options) [
 	req.Middlewares = ResolveDetection(req.Middlewares, target)
 	req.Conditions = ResolveDetection(req.Conditions, target)
 	req.Conclusions = ResolveDetection(req.Conclusions, target)
+	req.PostRun = ResolveDetection(req.PostRun, target)
 
 	if sign.Type != "fuzz" {
 		if req.Res != "" {

diff --git a/core/runner.go b/core/runner.go
@@ -12,6 +12,7 @@ import (
 type Runner struct {
 	Input       string
 	SendingType string
+	RunnerType  string
 	Opt         libs.Options
 	Sign        libs.Signature
 	Origin      Record
@@ -31,6 +32,9 @@ type Record struct {
 	Response libs.Response
 	Sign     libs.Signature
 
+	// for dns part
+	Dns libs.Dns
+
 	// passive check
 	NoOutput            bool
 	DoPassive           bool
@@ -55,10 +59,6 @@ type Record struct {
 	ScanID        string
 }
 
-//
-//func InitRunnerWithDefaultOpt(url string, sign string) {
-//}
-
 // InitRunner init task
 func InitRunner(url string, sign libs.Signature, opt libs.Options) (Runner, error) {
 	var runner Runner

diff --git a/dns/query.go b/dns/query.go
@@ -0,0 +1,66 @@
+package dns
+
+import (
+	"github.com/jaeles-project/jaeles/libs"
+	"github.com/jaeles-project/jaeles/utils"
+	"github.com/lixiangzhong/dnsutil"
+	"github.com/thoas/go-funk"
+)
+
+var recordMap = map[string]uint16{
+	"A":     1,
+	"AAAA":  28,
+	"NS":    2,
+	"CNAME": 5,
+	"SOA":   6,
+	"PTR":   12,
+	"MX":    15,
+	"TXT":   16,
+}
+
+var CommonResolvers = []string{
+	"1.1.1.1", // Cloudflare
+	"8.8.8.8", // Google
+	"8.8.4.4", // Google
+}
+
+func QueryDNS(dnsRecord *libs.Dns, options libs.Options) {
+	resolver := options.Resolver
+	if resolver == "" {
+		index := funk.RandomInt(0, len(CommonResolvers))
+		resolver = CommonResolvers[index]
+	}
+	domain := dnsRecord.Domain
+	queryType := dnsRecord.RecordType
+
+	var dig dnsutil.Dig
+	dig.Retry = options.Retry
+	dig.SetDNS(resolver)
+	utils.InforF("[resolved] %v -- %v", domain, queryType)
+
+	if queryType == "ANY" || queryType == "" {
+		for k, v := range recordMap {
+			var dnsResult libs.DnsResult
+			msg, err := dig.GetMsg(v, domain)
+			if err != nil {
+				utils.DebugF("err to resolved: %v -- %v", domain, err)
+				return
+			}
+			dnsResult.Data = msg.String()
+			dnsResult.RecordType = k
+			dnsRecord.Results = append(dnsRecord.Results, dnsResult)
+		}
+	} else {
+		var dnsResult libs.DnsResult
+		msg, err := dig.GetMsg(recordMap[queryType], domain)
+		if err != nil {
+			utils.DebugF("err to resolved: %v -- %v", domain, err)
+			return
+		}
+		dnsResult.Data = msg.String()
+		dnsResult.RecordType = queryType
+		dnsRecord.Results = append(dnsRecord.Results, dnsResult)
+	}
+
+	return
+}
diff --git a/dns/query_test.go b/dns/query_test.go
@@ -0,0 +1,23 @@
+package dns
+
+import (
+	"fmt"
+	"github.com/jaeles-project/jaeles/libs"
+	"testing"
+)
+
+func TestQueryDNS(t *testing.T) {
+	opt := libs.Options{
+		Concurrency: 3,
+		Threads:     5,
+		Verbose:     true,
+		NoDB:        true,
+		NoOutput:    true,
+	}
+
+	dnsRcord := libs.Dns{
+		Domain: "github.com",
+	}
+	QueryDNS(&dnsRcord, opt)
+	fmt.Println(dnsRcord)
+}
diff --git a/go.mod b/go.mod
@@ -20,11 +20,10 @@ require (
 	github.com/jinzhu/copier v0.2.3
 	github.com/jinzhu/gorm v1.9.16
 	github.com/json-iterator/go v1.1.10
+	github.com/lixiangzhong/dnsutil v0.0.0-20191203032812-75ad39d2945a
 	github.com/logrusorgru/aurora/v3 v3.0.0
 	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
 	github.com/mitchellh/go-homedir v1.1.0
-	github.com/onsi/ginkgo v1.14.2 // indirect
-	github.com/onsi/gomega v1.10.4 // indirect
 	github.com/panjf2000/ants v1.3.0
 	github.com/robertkrimen/otto v0.0.0-20200922221731-ef014fd054ac
 	github.com/sirupsen/logrus v1.7.0