-
Notifications
You must be signed in to change notification settings - Fork 144
/
hostScan.go
48 lines (43 loc) · 1.14 KB
/
hostScan.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
package plugin
import (
"github.com/chainreactors/fingers/common"
"net/http"
"strconv"
"strings"
. "github.com/chainreactors/gogo/v2/pkg"
"github.com/chainreactors/logs"
"github.com/chainreactors/parsers"
)
func hostScan(result *Result) {
url := result.GetBaseURL()
conn := result.GetHttpConn(RunOpt.Delay)
if len(result.HttpHosts) > 5 {
//经验公式: 绑定超过2个host可以认为是cdn, 5个留点冗余
return
}
req, _ := http.NewRequest("GET", url, nil)
vuln := &common.Vuln{Name: "host", Detail: map[string][]string{}, SeverityLevel: common.SeverityINFO}
for _, host := range result.HttpHosts {
req.Host = host
resp, err := conn.Do(req)
if err != nil {
continue
}
logs.Log.Debugf("request host %s, %d for %s", url, resp.StatusCode, host)
if strings.HasPrefix(strconv.Itoa(resp.StatusCode), "40") {
continue
}
raw := parsers.ReadRaw(resp)
title := parsers.MatchTitle(raw)
if result.HasTitle && result.Title != title {
if result.CurrentHost == "" {
result.CurrentHost = host
}
result.Host = host
vuln.Detail[host] = []string{title}
}
}
if len(vuln.Detail) > 0 {
result.AddVuln(vuln)
}
}