fscan

POC search question

Open Zxc123456zxc opened this issue 2 years ago • 11 comments

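1. Can search match content in the response headers? I want to get the cookie from the response header, but only rule 1 executes, and rule 2 does not execute.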

This is my POC:

name: CVE-2023-27350-Paper-Cut
rules:
  - method: GET
    path: /app?service=page/SetupCompleted
    expression: |
      response.status == 200
    search: |
      Set-Cookie: (?P[^;]+)
  - method: GET
    path: /app?service=page/Dashboard
    headers:
      Cookie: "{{var}}"
    expression: |
      response.status == 200

Only rule 1 was executed; rule 2 was not executed.

Zxc123456zxc avatar Apr 25 '23 03:04 Zxc123456zxc

The search format is wrong, I think. It should be something like search: r'Set-Cookie:(?P<cookie>.*?)'

shadow1ng avatar Apr 25 '23 03:04 shadow1ng

OK, thanks.

Zxc123456zxc avatar Apr 25 '23 05:04 Zxc123456zxc

Still only rule 1 executes; rule 2 does not execute.

Zxc123456zxc avatar Apr 25 '23 06:04 Zxc123456zxc

With the search syntax "code_uid":"(?P.+?)", content in the body can be captured, but content in the header cannot. Adding .bmatches(response.headers) does not capture it either.

Zxc123456zxc avatar May 05 '23 04:05 Zxc123456zxc

https://github.com/shadow1ng/fscan/blob/ecb0cd9e5fbebc8d466c3480d908869b8d77d2df/WebScan/lib/check.go#L151

By default it is set to match header + body.

shadow1ng avatar May 05 '23 04:05 shadow1ng

OK, I'll take another look, thanks.

Zxc123456zxc avatar May 05 '23 04:05 Zxc123456zxc

I debugged it afterwards and found that the strings.TrimSpace(rule.Search) call affects the result. It is fixed now. Test POC:

name: test
rules:
  - method: GET
    path: /
    search: |
      Set-Cookie:(?P<cookie>.*?)
  - method: GET
    path: '/cookie'
    headers:
      Cookie: "{{cookie}}"
    expression: |
      response.status == 404

go run .\main.go -u https://www.baidu.com -proxy 8080

Checking in Burp, the cookie is captured correctly.

shadow1ng avatar May 05 '23 10:05 shadow1ng
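An added example (not fscan's code) for the strings.TrimSpace remark above: a YAML `|` block scalar keeps one trailing newline, so the compiled pattern differs from its trimmed form, and Go's regexp package shows what each version of a named group captures. The response text, the second pattern and the helper names `capture` and `render` are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed response: status line, headers and body as one string.
const sampleResponse = "HTTP/1.1 200 OK\r\n" +
	"Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly\r\n" +
	"Content-Type: text/html\r\n\r\n<html></html>"

// capture returns the named groups of the first match; ok is false on no match.
func capture(pattern, text string) (vars map[string]string, ok bool) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return nil, false
	}
	m := re.FindStringSubmatch(text)
	if m == nil {
		return nil, false
	}
	vars = map[string]string{}
	for i, name := range re.SubexpNames() {
		if name != "" {
			vars[name] = m[i]
		}
	}
	return vars, true
}

// render substitutes {{name}} placeholders (hypothetical helper for this example).
func render(tmpl string, vars map[string]string) string {
	for k, v := range vars {
		tmpl = strings.ReplaceAll(tmpl, "{{"+k+"}}", v)
	}
	return tmpl
}

func main() {
	lazy := "Set-Cookie:(?P<cookie>.*?)\n"      // pattern from the test POC, as `|` yields it
	strict := "Set-Cookie: (?P<cookie>[^;]+)\n" // constructed variant that stops at ';'
	for _, p := range []string{lazy, strings.TrimSpace(lazy), strict, strings.TrimSpace(strict)} {
		vars, ok := capture(p, sampleResponse)
		fmt.Printf("%q matched=%v Cookie=%q\n", p, ok, render("{{cookie}}", vars))
	}
}
```

With the trailing newline the lazy group runs to the end of the header line (attributes and `\r` included); trimmed, it matches the empty string. The `[^;]+` variant behaves the opposite way: it only matches once the newline is trimmed.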

Also added an optimizeCookies function to filter out useless cookie information.

shadow1ng avatar May 05 '23 10:05 shadow1ng

OK, thanks, sorry for the trouble.

Zxc123456zxc avatar May 05 '23 11:05 Zxc123456zxc

The reverse-connection platform, -dns, reports an error.

Zxc123456zxc avatar May 05 '23 11:05 Zxc123456zxc

Fixed.

shadow1ng avatar May 05 '23 15:05 shadow1ng