Merge pull request #834 from six2dez/dev

Dev

README.md

@@ -536,7 +536,7 @@ reset='\033[0m'
 - SSTI ([ffuf](https://github.com/ffuf/ffuf))
 - SSL tests ([testssl](https://github.com/drwetter/testssl.sh))
 - Broken Links Checker ([katana](https://github.com/projectdiscovery/katana))
-- Prototype Pollution ([ppfuzz](https://github.com/dwisiswant0/ppfuzz))
+- Prototype Pollution ([ppmap](https://github.com/kleiton0x00/ppmap))
 - Web Cache Vulnerabilities ([Web-Cache-Vulnerability-Scanner](https://github.com/Hackmanit/Web-Cache-Vulnerability-Scanner))
 - 4XX Bypasser ([dontgo403](https://github.com/devploit/dontgo403))
 

install.sh

@@ -73,6 +73,7 @@ gotools["s3scanner"]="go install -v github.com/sa7mon/s3scanner@latest"
 gotools["nmapurls"]="go install -v github.com/sdcampbell/nmapurls@latest"
 gotools["shortscan"]="go install -v github.com/bitquark/shortscan/cmd/shortscan@latest"
 gotools["sns"]="go install github.com/sw33tLie/sns@latest"
+gotools["ppmap"]="go install -v github.com/kleiton0x00/ppmap@latest"
 
 # Declaring repositories and their paths
 declare -A repos
@@ -124,15 +125,6 @@ function banner() {
 	printf " ${reconftw_version}                                         by @six2dez\n"
 }
 
-function install_ppfuzz() {
-	local url=$1
-	local tar_file=$2
-
-	eval wget -N -c "$url" $DEBUG_STD
-	eval $SUDO tar -C /usr/local/bin/ -xzf "$tar_file" $DEBUG_STD
-	eval $SUDO rm -rf "$tar_file" $DEBUG_STD
-}
-
 # This function installs various tools and repositories as per the configuration.
 function install_tools() {
 
@@ -228,23 +220,6 @@ function install_tools() {
 		}
 	done
 
-	if [[ "True" == "$IS_ARM" ]]; then
-        if [[ "True" == "$RPI_3" ]]; then
-            install_ppfuzz "https://github.com/dwisiswant0/ppfuzz/releases/download/v1.0.1/ppfuzz-v1.0.1-armv7-unknown-linux-gnueabihf.tar.gz" "ppfuzz-v1.0.1-armv7-unknown-linux-gnueabihf.tar.gz"
-        elif [[ "True" == "$RPI_4" ]]; then
-            install_ppfuzz "https://github.com/dwisiswant0/ppfuzz/releases/download/v1.0.1/ppfuzz-v1.0.1-aarch64-unknown-linux-gnueabihf.tar.gz" "ppfuzz-v1.0.1-aarch64-unknown-linux-gnueabihf.tar.gz"
-        fi
-    elif [[ "True" == "$IS_MAC" ]]; then
-        if [[ "True" == "$IS_ARM" ]]; then
-			install_ppfuzz "https://github.com/dwisiswant0/ppfuzz/releases/download/v1.0.1/ppfuzz-v1.0.1-armv7-unknown-linux-gnueabihf.tar.gz" "ppfuzz-v1.0.1-armv7-unknown-linux-gnueabihf.tar.gz"
-		else
-			install_ppfuzz "https://github.com/dwisiswant0/ppfuzz/releases/download/v1.0.1/ppfuzz-v1.0.1-x86_64-apple-darwin.tar.gz" "ppfuzz-v1.0.1-x86_64-apple-darwin.tar.gz"
-		fi
-	else
-		install_ppfuzz "https://github.com/dwisiswant0/ppfuzz/releases/download/v1.0.1/ppfuzz-v1.0.1-x86_64-unknown-linux-musl.tar.gz" "ppfuzz-v1.0.1-x86_64-unknown-linux-musl.tar.gz"
-	fi
-	eval $SUDO chmod 755 /usr/local/bin/ppfuzz
-	eval $SUDO strip -s /usr/local/bin/ppfuzz $DEBUG_STD
 	eval notify $DEBUG_STD
 	eval subfinder $DEBUG_STD
 	eval subfinder $DEBUG_STD

reconftw.cfg

@@ -152,7 +152,7 @@ REMOVELOG=false # Delete logs after execution
 PROXY=false # Send to proxy the websites found
 SENDZIPNOTIFY=false # Send to zip the results (over notify)
 PRESERVE=true      # set to true to avoid deleting the .called_fn files on really large scans
-FFUF_FLAGS=" -mc all -fc 404 -ach -sf -of json" # Ffuf flags
+FFUF_FLAGS=" -mc all -fc 404 -ach -sf -noninteractive -of json" # Ffuf flags
 HTTPX_FLAGS=" -follow-redirects -random-agent -status-code -silent -title -web-server -tech-detect -location -content-length" # Httpx flags for simple web probing
 
 # HTTP options
@@ -173,7 +173,6 @@ PUREDNS_TRUSTED_LIMIT=400
 PUREDNS_WILDCARDTEST_LIMIT=30
 PUREDNS_WILDCARDBATCH_LIMIT=1500000
 RESOLVE_DOMAINS_THREADS=150
-PPFUZZ_THREADS=30
 DNSVALIDATOR_THREADS=200
 INTERLACE_THREADS=10
 TLSX_THREADS=1000

reconftw.sh

@@ -299,8 +299,8 @@ function tools_installed() {
 		printf "${bred} [*] mapcidr			[NO]${reset}\n"
 		allinstalled=false
 	}
-	command -v ppfuzz &>/dev/null || {
-		printf "${bred} [*] ppfuzz			[NO]${reset}\n"
+	command -v ppmap &>/dev/null || {
+		printf "${bred} [*] ppmap			[NO]${reset}\n"
 		allinstalled=false
 	}
 	command -v cdncheck &>/dev/null || {
@@ -917,7 +917,7 @@ function sub_scraping() {
 						[ -s ".tmp/probed_tmp_scrap.txt" ] && axiom-scan .tmp/probed_tmp_scrap.txt -m katana -jc -kf all -d 2 -fs rdn -o .tmp/katana.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" >/dev/null
 					fi
 				fi
-				sed -i '/^.\{2048\}./d' .tmp/katana.txt
+				[ -s ".tmp/katana.txt" ] && sed -i '/^.\{2048\}./d' .tmp/katana.txt
 				[ -s ".tmp/katana.txt" ] && cat .tmp/katana.txt | unfurl -u domains 2>>"$LOGFILE" | grep ".$domain$" | grep -E '^((http|https):\/\/)?([a-zA-Z0-9]([a-zA-Z0-9\-]*[a-zA-Z0-9])?\.)+[a-zA-Z]{1,}(\/.*)?$' | anew -q .tmp/scrap_subs.txt
 				[ -s ".tmp/scrap_subs.txt" ] && puredns resolve .tmp/scrap_subs.txt -w .tmp/scrap_subs_resolved.txt -r $resolvers --resolvers-trusted $resolvers_trusted -l $PUREDNS_PUBLIC_LIMIT --rate-limit-trusted $PUREDNS_TRUSTED_LIMIT --wildcard-tests $PUREDNS_WILDCARDTEST_LIMIT --wildcard-batch $PUREDNS_WILDCARDBATCH_LIMIT 2>>"$LOGFILE" >/dev/null
 				if [[ $INSCOPE == true ]]; then
@@ -1631,19 +1631,21 @@ function nuclei_check() {
 		mkdir -p nuclei_output
 		[ ! -s "webs/webs_all.txt" ] && cat webs/webs.txt webs/webs_uncommon_ports.txt 2>/dev/null | anew -q webs/webs_all.txt
 		[ ! -s ".tmp/webs_subs.txt" ] && cat subdomains/subdomains.txt webs/webs_all.txt 2>>"$LOGFILE" | anew -q .tmp/webs_subs.txt
+		[ -s "$dir/fuzzing/fuzzing_full.txt" ] && cat $dir/fuzzing/fuzzing_full.txt | grep -e "^200" | cut -d " " -f3 | anew -q .tmp/webs_fuzz.txt
+		cat .tmp/webs_subs.txt .tmp/webs_fuzz.txt 2>>"$LOGFILE" | anew -q .tmp/webs_nuclei.txt
 		if [[ $AXIOM != true ]]; then # avoid globbing (expansion of *).
 			IFS=',' read -ra severity_array <<<"$NUCLEI_SEVERITY"
 			for crit in "${severity_array[@]}"; do
 				printf "${yellow}\n Running : Nuclei $crit ${reset}\n\n"
-				cat .tmp/webs_subs.txt 2>/dev/null | nuclei $NUCLEI_FLAGS -severity $crit -nh -rl $NUCLEI_RATELIMIT -o nuclei_output/${crit}.txt
+				cat .tmp/webs_nuclei.txt 2>/dev/null | nuclei $NUCLEI_FLAGS -severity $crit -nh -rl $NUCLEI_RATELIMIT -o nuclei_output/${crit}.txt
 			done
 			printf "\n\n"
 		else
-			if [[ -s ".tmp/webs_subs.txt" ]]; then
+			if [[ -s ".tmp/webs_nuclei.txt" ]]; then
 				IFS=',' read -ra severity_array <<<"$NUCLEI_SEVERITY"
 				for crit in "${severity_array[@]}"; do
 					printf "${yellow}\n Running : Nuclei $crit, check results on nuclei_output folder${reset}\n\n"
-					axiom-scan .tmp/webs_subs.txt -m nuclei --nuclei-templates ${NUCLEI_TEMPLATES_PATH} -severity ${crit} -nh -rl $NUCLEI_RATELIMIT -o nuclei_output/${crit}.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" >/dev/null
+					axiom-scan .tmp/webs_nuclei.txt -m nuclei --nuclei-templates ${NUCLEI_TEMPLATES_PATH} -severity ${crit} -nh -rl $NUCLEI_RATELIMIT -o nuclei_output/${crit}.txt $AXIOM_EXTRA_ARGS 2>>"$LOGFILE" >/dev/null
 					[ -s "nuclei_output/${crit}.txt" ] && cat nuclei_output/${crit}.txt
 				done
 				printf "\n\n"
@@ -2252,7 +2254,7 @@ function ssti() {
 		if [[ -s "gf/ssti.txt" ]]; then
 			cat gf/ssti.txt | qsreplace FUZZ | sed '/FUZZ/!d' | anew -q .tmp/tmp_ssti.txt
 			if [[ $DEEP == true ]] || [[ $(cat .tmp/tmp_ssti.txt | wc -l) -le $DEEP_LIMIT ]]; then
-				#TInjA url -u "file://.tmp/tmp_ssti.txt" --csti --reportpath "vulns/"
+				#TInjA url -u "file:./Recon/eazybi.com/gf/ssti.txt" --csti --reportpath "vulns/"
 				interlace -tL .tmp/tmp_ssti.txt -threads ${INTERLACE_THREADS} -c "ffuf -v -r -t ${FFUF_THREADS} -rate ${FFUF_RATELIMIT} -H \"${HEADER}\" -w ${ssti_wordlist} -u \"_target_\" -mr \"ssti49\" " 2>/dev/null | grep "URL" | sed 's/| URL | //' | anew -q vulns/ssti.txt
 				end_func "Results are saved in vulns/ssti.txt" ${FUNCNAME[0]}
 			else
@@ -2398,8 +2400,8 @@ function prototype_pollution() {
 	if { [[ ! -f "$called_fn_dir/.${FUNCNAME[0]}" ]] || [[ $DIFF == true ]]; } && [[ $PROTO_POLLUTION == true ]]; then
 		start_func ${FUNCNAME[0]} "Prototype Pollution checks"
 		if [[ $DEEP == true ]] || [[ $(cat webs/url_extract.txt | wc -l) -le $DEEP_LIMIT ]]; then
-			[ -s "webs/url_extract.txt" ] && ppfuzz -l webs/url_extract.txt -c $PPFUZZ_THREADS 2>/dev/null | anew -q .tmp/prototype_pollution.txt
-			[ -s ".tmp/prototype_pollution.txt" ] && cat .tmp/prototype_pollution.txt | sed -e '1,8d' | sed '/^\[ERR/d' | anew -q vulns/prototype_pollution.txt
+			[ -s "webs/url_extract.txt" ] && cat webs/url_extract.txt | ppmap &> .tmp/prototype_pollution.txt
+			[ -s ".tmp/prototype_pollution.txt" ] && cat .tmp/prototype_pollution.txt | grep "EXPL" | anew -q vulns/prototype_pollution.txt
 			end_func "Results are saved in vulns/prototype_pollution.txt" ${FUNCNAME[0]}
 		else
 			end_func "Skipping Prototype Pollution: Too many URLs to test, try with --deep flag" ${FUNCNAME[0]}
@@ -3102,8 +3104,8 @@ function recon() {
 	portscan
 	geo_info
 	waf_checks
-	nuclei_check
 	fuzz
+	nuclei_check
 	iishortname
 	urlchecks
 	jschecks
@@ -3360,9 +3362,9 @@ function webs_menu() {
 	screenshot
 	#	virtualhosts
 	waf_checks
+	fuzz
 	nuclei_check
 	cms_scanner
-	fuzz
 	iishortname
 	urlchecks
 	jschecks
@@ -3472,7 +3474,6 @@ while true; do
 		shift 2
 		continue
 		;;
-
 	# modes
 	'-r' | '--recon')
 		opt_mode='r'