@@ -169,6 +169,10 @@ function tools_installed() {
169169 printf " ${bred} [*] regulator [NO]${reset} \n"
170170 allinstalled=false
171171 }
172+ [ -f " ${tools} /dontgo403/dontgo403" ] || {
173+ printf " ${bred} [*] dontgo403 [NO]${reset} \n"
174+ allinstalled=false
175+ }
172176 command -v github-endpoints & > /dev/null || {
173177 printf " ${bred} [*] github-endpoints [NO]${reset} \n"
174178 allinstalled=false
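Review bot: The new dontgo403 check tests only existence with `-f`, but the tool is later run directly as `./dontgo403` from `${tools}/dontgo403`, so a clone that contains the file without the execute bit passes the install check and then fails at scan time. Use `[ -x "${tools}/dontgo403/dontgo403" ] || {` so the check matches the way the binary is invoked. The enclosing tools_installed function starts and ends outside the hunk.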
@@ -341,10 +345,6 @@ function tools_installed() {
341345 printf " ${bred} [*] subfinder [NO]${reset} \n${reset} "
342346 allinstalled=false
343347 }
344- command -v byp4xx & > /dev/null || {
345- printf " ${bred} [*] byp4xx [NO]${reset} \n${reset} "
346- allinstalled=false
347- }
348348 command -v ghauri & > /dev/null || {
349349 printf " ${bred} [*] ghauri [NO]${reset} \n${reset} "
350350 allinstalled=false
@@ -503,24 +503,37 @@ function metadata() {
503503 spinny::stop
504504}
505505
506- function postleaks () {
506+ function apileaks () {
507507 spinny::start
508- if { [[ ! -f " $called_fn_dir /.${FUNCNAME[0]} " ]] || [[ $DIFF == true ]]; } && [[ $POSTMAN_LEAKS == true ]] && [[ $OSINT == true ]] && ! [[ $domain =~ ^[0-9]+\. [0-9]+\. [0-9]+\. [0-9] ]]; then
509- start_func ${FUNCNAME[0]} " Scanning for leaks in postman public directory "
508+ if { [[ ! -f " $called_fn_dir /.${FUNCNAME[0]} " ]] || [[ $DIFF == true ]]; } && [[ $API_LEAKS == true ]] && [[ $OSINT == true ]] && ! [[ $domain =~ ^[0-9]+\. [0-9]+\. [0-9]+\. [0-9] ]]; then
509+ start_func ${FUNCNAME[0]} " Scanning for leaks in APIs public directories "
510510
511511 porch-pirate -s " $domain " --dump > osint/postman_leaks.txt || {
512512 echo " porch-pirate command failed"
513513 exit 1
514514 }
515515
516+ pushd " ${tools} /SwaggerSpy" > /dev/null || {
517+ echo " Failed to pushd to ${tools} /SwaggerSpy in ${FUNCNAME[0]} @ line ${LINENO} "
518+ exit 1
519+ }
520+ python swaggerspy.py -d $domain -o ../osint/swagger_leaks.txt 2>> " $LOGFILE " || {
521+ echo " swaggerspy command failed"
522+ exit 1
523+ }
524+ popd > /dev/null || {
525+ echo " Failed to popd in ${FUNCNAME[0]} @ line ${LINENO} "
526+ exit 1
527+ }
528+
516529 end_func " Results are saved in $domain /osint/[software/authors/metadata_results].txt" ${FUNCNAME[0]}
517530 else
518- if [[ $POSTMAN_LEAKS == false ]] || [[ $OSINT == false ]]; then
531+ if [[ $API_LEAKS == false ]] || [[ $OSINT == false ]]; then
519532 printf " \n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset} \n"
520533 elif [[ $domain =~ ^[0-9]+\. [0-9]+\. [0-9]+\. [0-9] ]]; then
521534 return
522535 else
523- if [[ $POSTMAN_LEAKS == false ]] || [[ $OSINT == false ]]; then
536+ if [[ $API_LEAKS == false ]] || [[ $OSINT == false ]]; then
524537 printf " \n${yellow} ${FUNCNAME[0]} skipped in this mode or defined in reconftw.cfg ${reset} \n"
525538 else
526539 printf " ${yellow} ${FUNCNAME[0]} is already processed, to force executing ${FUNCNAME[0]} delete\n $called_fn_dir /.${FUNCNAME[0]} ${reset} \n\n"
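Review bot: The output path on the `python swaggerspy.py -d $domain -o ../osint/swagger_leaks.txt` line is resolved relative to `${tools}/SwaggerSpy` after the pushd, so the report lands in `${tools}/osint/` rather than next to the `osint/postman_leaks.txt` written a few lines earlier; the other pushd'd stages in this diff pass absolute `$dir/...` paths, so this should be `python3 swaggerspy.py -d "$domain" -o "$dir/osint/swagger_leaks.txt" 2>> "$LOGFILE" || {` (assuming `$dir` is the target working directory here as elsewhere in the file, and `python3` to match the other stages). The `end_func` message still names `[software/authors/metadata_results].txt`, which appears copied from metadata(); it should name the postman and swagger leak files this function actually writes. The `POSTMAN_LEAKS` to `API_LEAKS` rename only takes effect if reconftw.cfg is updated alongside it, otherwise `$API_LEAKS` is unset and the stage silently takes the "skipped" branch. The function body continues past the end of the hunk.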
@@ -996,13 +1009,16 @@ function sub_regex_permut() {
9961009 spinny::start
9971010 if { [[ ! -f " $called_fn_dir /.${FUNCNAME[0]} " ]] || [[ $DIFF == true ]]; } && [[ $SUBREGEXPERMUTE == true ]]; then
9981011 start_subfunc ${FUNCNAME[0]} " Running : Permutations by regex analysis"
999- cd " ${tools} /regulator" || {
1012+
1013+ pushd " ${tools} /regulator" > /dev/null || {
10001014 echo " Failed to cd directory in ${FUNCNAME[0]} @ line ${LINENO} "
10011015 exit 1
10021016 }
1017+
10031018 python3 main.py -t $domain -f ${dir} /subdomains/subdomains.txt -o ${dir} /.tmp/${domain} .brute
1004- cd " $dir " || {
1005- echo " Failed to cd to $dir in ${FUNCNAME[0]} @ line ${LINENO} "
1019+
1020+ popd > /dev/null || {
1021+ echo " Failed to popd in ${FUNCNAME[0]} @ line ${LINENO} "
10061022 exit 1
10071023 }
10081024
@@ -1423,10 +1439,11 @@ function favicon() {
14231439 spinny::start
14241440 if { [[ ! -f " $called_fn_dir /.${FUNCNAME[0]} " ]] || [[ $DIFF == true ]]; } && [[ $FAVICON == true ]] && ! [[ $domain =~ ^[0-9]+\. [0-9]+\. [0-9]+\. [0-9] ]]; then
14251441 start_func ${FUNCNAME[0]} " Favicon Ip Lookup"
1426- cd " ${tools} /fav-up" || {
1442+ pushd " ${tools} /fav-up" > /dev/null || {
14271443 echo " Failed to cd to $dir in ${FUNCNAME[0]} @ line ${LINENO} "
14281444 exit 1
14291445 }
1446+
14301447 python3 favUp.py -w " $domain " -sc -o favicontest.json 2>> " $LOGFILE " > /dev/null
14311448 if [[ -s " favicontest.json" ]]; then
14321449 cat favicontest.json | jq -r ' try .found_ips' 2>> " $LOGFILE " | grep -v " not-found" > favicontest.txt
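Review bot: The error handler directly under the new `pushd "${tools}/fav-up"` line still reports `Failed to cd to $dir`, which names the wrong directory when the pushd fails. Since the line above it is being rewritten, `echo "Failed to pushd to ${tools}/fav-up in ${FUNCNAME[0]} @ line ${LINENO}"` (the wording the apileaks hunk uses) would make the diagnostic accurate. favicon()'s body continues past the hunk.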
@@ -1435,8 +1452,9 @@ function favicon() {
14351452 mv favicontest.txt $dir /hosts/favicontest.txt 2>> " $LOGFILE "
14361453 rm -f favicontest.json 2>> " $LOGFILE "
14371454 fi
1438- cd " $dir " || {
1439- echo " Failed to cd to $dir in ${FUNCNAME[0]} @ line ${LINENO} "
1455+
1456+ popd > /dev/null || {
1457+ echo " Failed to popd in ${FUNCNAME[0]} @ line ${LINENO} "
14401458 exit 1
14411459 }
14421460 end_func " Results are saved in hosts/favicontest.txt" ${FUNCNAME[0]}
@@ -2239,13 +2257,15 @@ function spraying() {
22392257 spinny::start
22402258 if { [[ ! -f " $called_fn_dir /.${FUNCNAME[0]} " ]] || [[ $DIFF == true ]]; } && [[ $SPRAY == true ]]; then
22412259 start_func ${FUNCNAME[0]} " Password spraying"
2242- cd " ${tools} /brutespray" || {
2260+
2261+ pushd " ${tools} /brutespray" > /dev/null || {
22432262 echo " Failed to cd directory in ${FUNCNAME[0]} @ line ${LINENO} "
22442263 exit 1
22452264 }
2265+
22462266 python3 brutespray.py --file $dir /hosts/portscan_active.gnmap --threads $BRUTESPRAY_THREADS --hosts $BRUTESPRAY_CONCURRENCE -o $dir /vulns/brutespray 2>> " $LOGFILE " > /dev/null
2247- cd " $dir " || {
2248- echo " Failed to cd directory in ${FUNCNAME[0]} @ line ${LINENO} "
2267+ popd > /dev/null || {
2268+ echo " Failed to popd in ${FUNCNAME[0]} @ line ${LINENO} "
22492269 exit 1
22502270 }
22512271 end_func " Results are saved in vulns/brutespray folder" ${FUNCNAME[0]}
@@ -2288,17 +2308,19 @@ function 4xxbypass() {
22882308 if [[ $( cat fuzzing/fuzzing_full.txt 2> /dev/null | grep -E ' ^4' | grep -Ev ' ^404' | cut -d ' ' -f3 | wc -l) -le 1000 ]] || [[ $DEEP == true ]]; then
22892309 start_func " 403 bypass"
22902310 cat $dir /fuzzing/fuzzing_full.txt 2> /dev/null | grep -E ' ^4' | grep -Ev ' ^404' | cut -d ' ' -f3 > $dir /.tmp/403test.txt
2291- cd " ${tools} /byp4xx" || {
2311+
2312+ pushd " ${tools} /dontgo403" > /dev/null || {
22922313 echo " Failed to cd directory in ${FUNCNAME[0]} @ line ${LINENO} "
22932314 exit 1
22942315 }
2295- byp4xx -threads $BYP4XX_THREADS $dir /.tmp/403test.txt > $dir /.tmp/byp4xx.txt
2296- cd " $dir " || {
2297- echo " Failed to cd directory in ${FUNCNAME[0]} @ line ${LINENO} "
2316+
2317+ cat $dir /.tmp/403test.txt | ./dontgo403 > $dir /.tmp/4xxbypass.txt
2318+ popd > /dev/null || {
2319+ echo " Failed to popd in ${FUNCNAME[0]} @ line ${LINENO} "
22982320 exit 1
22992321 }
2300- [ -s " .tmp/byp4xx .txt" ] && cat .tmp/byp4xx .txt | anew -q vulns/byp4xx .txt
2301- end_func " Results are saved in vulns/byp4xx .txt" ${FUNCNAME[0]}
2322+ [ -s " .tmp/4xxbypass .txt" ] && cat .tmp/4xxbypass .txt | anew -q vulns/4xxbypass .txt
2323+ end_func " Results are saved in vulns/4xxbypass .txt" ${FUNCNAME[0]}
23022324 else
23032325 notification " Too many urls to bypass, skipping" warn
23042326 fi
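Review bot: The exit status of `./dontgo403` on the `cat $dir/.tmp/403test.txt | ./dontgo403 > $dir/.tmp/4xxbypass.txt` line is never checked (only the later popd is), so a failing binary leaves an empty result file and the stage still reports success; the byp4xx call it replaces also carried a `-threads $BYP4XX_THREADS` cap that has no counterpart here, leaving `BYP4XX_THREADS` dangling in the config and this stage without a concurrency bound unless dontgo403 offers an equivalent option (its flags are not visible from here). Piping through `cat` also assumes dontgo403 reads targets from stdin; if it takes a file argument, passing `"$dir/.tmp/403test.txt"` directly would be clearer, and `$dir` should be quoted on both sides of the pipeline. The function starts outside the hunk.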
@@ -2339,19 +2361,21 @@ function smuggling() {
23392361 start_func ${FUNCNAME[0]} " HTTP Request Smuggling checks"
23402362 [ ! -s " .tmp/webs_all.txt" ] && cat webs/webs.txt webs/webs_uncommon_ports.txt 2> /dev/null | anew -q .tmp/webs_all.txt
23412363 if [[ $DEEP == true ]] || [[ $( cat .tmp/webs_all.txt | wc -l) -le $DEEP_LIMIT ]]; then
2342- cd " ${tools} /smuggler" || {
2364+ pushd " ${tools} /smuggler" > /dev/null || {
23432365 echo " Failed to cd directory in ${FUNCNAME[0]} @ line ${LINENO} "
23442366 exit 1
23452367 }
23462368 cat $dir /.tmp/webs_all.txt | python3 smuggler.py -q --no-color 2> /dev/null | anew -q $dir /.tmp/smuggling.txt
2347- cd " $dir " || {
2348- echo " Failed to cd to $dir in ${FUNCNAME[0]} @ line ${LINENO} "
2369+ mkdir -p $dir /vulns/smuggling/
2370+ find payloads -type f ! -name " README*" -exec mv {} $dir /vulns/smuggling/ \;
2371+ popd > /dev/null || {
2372+ echo " Failed to popd in ${FUNCNAME[0]} @ line ${LINENO} "
23492373 exit 1
2350- }
2351- [ -s " .tmp/smuggling.txt" ] && cat .tmp/smuggling.txt | anew -q vulns/smuggling .txt
2352- end_func " Results are saved in vulns/smuggling .txt" ${FUNCNAME[0]}
2374+ }
2375+ [ -s " .tmp/smuggling.txt" ] && cat .tmp/smuggling.txt | anew -q vulns/smuggling_log .txt
2376+ end_func " Results are saved in vulns/smuggling_log .txt and findings in vulns/smuggling/ " ${FUNCNAME[0]}
23532377 else
2354- end_func " Skipping Prototype Pollution : Too many webs to test, try with --deep flag" ${FUNCNAME[0]}
2378+ end_func " Skipping Request Smuggling : Too many webs to test, try with --deep flag" ${FUNCNAME[0]}
23552379 fi
23562380 else
23572381 if [[ $SMUGGLING == false ]]; then
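Review bot: `find payloads -type f ! -name "README*" -exec mv {} $dir/vulns/smuggling/ \;` runs inside the shared `${tools}/smuggler` checkout and moves every file in its `payloads` directory, so anything left there by earlier runs against other targets is moved into this target's `vulns/smuggling/` and reported as a finding for it. Restrict the move to files produced during this run, e.g. `touch "$dir/.tmp/smuggling.start"` before the `smuggler.py` call and `find payloads -type f ! -name "README*" -newer "$dir/.tmp/smuggling.start" -exec mv {} "$dir/vulns/smuggling/" \;` afterwards, and quote `$dir` in the `mkdir -p` line as well. The function's header and tail lie outside the hunk.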
@@ -2369,13 +2393,14 @@ function webcache() {
23692393 start_func ${FUNCNAME[0]} " Web Cache Poisoning checks"
23702394 [ ! -s " .tmp/webs_all.txt" ] && cat webs/webs.txt webs/webs_uncommon_ports.txt 2> /dev/null | anew -q .tmp/webs_all.txt
23712395 if [[ $DEEP == true ]] || [[ $( cat .tmp/webs_all.txt | wc -l) -le $DEEP_LIMIT ]]; then
2372- cd " ${tools} /Web-Cache-Vulnerability-Scanner" || {
2396+ pushd " ${tools} /Web-Cache-Vulnerability-Scanner" > /dev/null || {
23732397 echo " Failed to cd directory in ${FUNCNAME[0]} @ line ${LINENO} "
23742398 exit 1
23752399 }
2400+
23762401 Web-Cache-Vulnerability-Scanner -u file:$dir /.tmp/webs_all.txt -v 0 2> /dev/null | anew -q $dir /.tmp/webcache.txt
2377- cd " $dir " || {
2378- echo " Failed to cd to $dir in ${FUNCNAME[0]} @ line ${LINENO} "
2402+ popd > /dev/null || {
2403+ echo " Failed to popd in ${FUNCNAME[0]} @ line ${LINENO} "
23792404 exit 1
23802405 }
23812406 [ -s " .tmp/webcache.txt" ] && cat .tmp/webcache.txt | anew -q vulns/webcache.txt
@@ -2851,6 +2876,7 @@ function passive() {
28512876 github_dorks
28522877 github_repos
28532878 metadata
2879+ apileaks
28542880 SUBNOERROR=false
28552881 SUBANALYTICS=false
28562882 SUBBRUTE=false
@@ -2893,6 +2919,7 @@ function osint() {
28932919 github_dorks
28942920 github_repos
28952921 metadata
2922+ apileaks
28962923 zonetransfer
28972924 favicon
28982925}
@@ -2977,6 +3004,7 @@ function multi_osint() {
29773004 github_dorks
29783005 github_repos
29793006 metadata
3007+ apileaks
29803008 zonetransfer
29813009 favicon
29823010 done
@@ -2997,6 +3025,7 @@ function recon() {
29973025 github_dorks
29983026 github_repos
29993027 metadata
3028+ apileaks
30003029 zonetransfer
30013030 favicon
30023031
@@ -3095,6 +3124,7 @@ function multi_recon() {
30953124 github_dorks
30963125 github_repos
30973126 metadata
3127+ apileaks
30983128 zonetransfer
30993129 favicon
31003130 currently=$( date +" %H:%M:%S" )