
add some new features #36

Open: wants to merge 1 commit into master

Conversation

physics-sec

@physics-sec physics-sec commented Jul 12, 2021

Hey there!
I have been using pwndrop for a while and it is really, really great.
I added some new features that I think are useful in some scenarios.

added:

  • Black and White list of IPs and IP ranges for dis-/allowing access to the payloads (this affects all hosted files)
  • You can decide to put pwndrop behind a redirector and the client IP will be obtained from the X-Forwarded-For/Host headers
  • An option to host all payloads on a particular folder (I use this with redirectors)
  • Now you can decide how many times a payload can be downloaded (1 by default, this option is specific for each file)
  • You can specify a file to write all the logs (useful for reporting)
  • The debug logs now include the User-Agent header
  • Pwndrop cookies now have SameSite: Lax (just to remove a Firefox warning)

Note:
I only update how many times a file has been downloaded while using HTTP.

The new configuration file options are:

[pwndrop]
downloads_dir = "/my/payload/folder"        # directory path where files will be hosted by default, leave empty for random
logfile = "/home/user/pwndrop.log"          # file where logs will be written, leave empty to only use stdout
trust_x_forwarded_for = true                # decides if pwndrop uses the X-Forwarded-For/X-Forwarded-Host HTTP headers to determine the remote address of a request. Use this option if pwndrop is behind an HTTP redirector.

I have also updated the GUI to include the Black/White listed IPs or IP ranges and how many times a payload can be downloaded.

Hope you will consider including these changes.
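
The two settings above that matter most from a security standpoint are the IP lists and trust_x_forwarded_for: X-Forwarded-For is a plain request header, so honouring it when pwndrop is reachable directly lets any client pick the address that gets checked against the allow/deny lists. The following Go program is an added example, not code from this PR or from pwndrop; the type and function names (AccessPolicy, Payload, parseIPList, ClientIP, Allowed, TryDownload) are hypothetical, the deny-before-allow precedence and the choice of the right-most X-Forwarded-For entry are this example's own decisions (the PR does not say which it uses), and the addresses are constructed documentation ranges. It shows an allow/deny check over single IPs and CIDRs, a client-address lookup that only consults the forwarded header when trusted, and a race-safe per-file download budget of the kind the PR adds.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
	"sync"
)

// AccessPolicy is a hypothetical stand-in for the PR's global settings:
// allow/deny lists of single IPs or CIDR ranges plus the
// trust_x_forwarded_for switch. Not pwndrop's own type.
type AccessPolicy struct {
	Allow              []*net.IPNet
	Deny               []*net.IPNet
	TrustXForwardedFor bool
}

// parseIPList accepts the mix the GUI allows, "203.0.113.7" or "10.0.0.0/8".
// A bare address becomes a /32 (or /128) so everything is matched the same way.
func parseIPList(entries []string) ([]*net.IPNet, error) {
	var nets []*net.IPNet
	for _, e := range entries {
		e = strings.TrimSpace(e)
		if !strings.Contains(e, "/") {
			ip := net.ParseIP(e)
			if ip == nil {
				return nil, fmt.Errorf("invalid IP %q", e)
			}
			bits := 32
			if ip.To4() == nil {
				bits = 128
			}
			e = fmt.Sprintf("%s/%d", ip, bits)
		}
		_, n, err := net.ParseCIDR(e)
		if err != nil {
			return nil, err
		}
		nets = append(nets, n)
	}
	return nets, nil
}

// ClientIP picks the address the lists are checked against. RemoteAddr is the
// TCP peer and cannot be forged; X-Forwarded-For is client-supplied, so it is
// consulted only when trust_x_forwarded_for is set, i.e. when the only thing
// able to reach pwndrop is your own redirector. A proxy appends the address
// that connected to it, so the right-most entry is the one it vouches for;
// anything a client wrote into the header itself lands further left.
func (p AccessPolicy) ClientIP(r *http.Request) net.IP {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	peer := net.ParseIP(host)
	if !p.TrustXForwardedFor {
		return peer
	}
	parts := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	if ip := net.ParseIP(strings.TrimSpace(parts[len(parts)-1])); ip != nil {
		return ip
	}
	return peer // header absent or malformed: fall back to the peer
}

func containsAny(nets []*net.IPNet, ip net.IP) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Allowed applies the lists. Precedence is this example's assumption, not
// something the PR states: a deny match always refuses, and when an allow
// list exists the client must be on it.
func (p AccessPolicy) Allowed(ip net.IP) bool {
	if ip == nil || containsAny(p.Deny, ip) {
		return false
	}
	return len(p.Allow) == 0 || containsAny(p.Allow, ip)
}

// Payload carries the PR's per-file download budget (1 by default). The mutex
// is the point: two concurrent requests for a one-shot payload must not both
// be served.
type Payload struct {
	mu            sync.Mutex
	DownloadsLeft int
}

// TryDownload consumes one download and reports whether to serve the file.
// At 0 the file stays disabled, matching the "downloads left" view in the GUI.
func (f *Payload) TryDownload() bool {
	f.mu.Lock()
	defer f.mu.Unlock()
	if f.DownloadsLeft <= 0 {
		return false
	}
	f.DownloadsLeft--
	return true
}

func main() {
	// Constructed scenario: pwndrop behind a redirector on localhost, only the
	// target's public IP allowed, payload good for a single download.
	allow, _ := parseIPList([]string{"203.0.113.7"})
	p := AccessPolicy{Allow: allow, TrustXForwardedFor: true}
	r := &http.Request{RemoteAddr: "127.0.0.1:5000", Header: http.Header{}}
	r.Header.Set("X-Forwarded-For", "203.0.113.7")
	ip := p.ClientIP(r)
	file := &Payload{DownloadsLeft: 1}
	fmt.Printf("client=%s allowed=%v served=%v served_again=%v\n",
		ip, p.Allowed(ip), file.TryDownload(), file.TryDownload())
}
```

The practical check before enabling trust_x_forwarded_for is that pwndrop's listener is bound so that only the redirector can reach it (firewall or loopback); with that in place the header value a client sends is replaced or pushed left by the proxy and the right-most entry is the real peer. The example reads only X-Forwarded-For; the PR also mentions X-Forwarded-Host, which identifies the requested host, not the client, and is not useful for the IP check.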

@physics-sec
Author

Adding some screenshots to show the GUI:
Global settings, here you can define individual IPs or ranges. A common use is to only allow the public IP of the company you are pentesting.
[Screenshot from 2021-07-12 20-18-26]

File config, here you can define how many times this payload can be downloaded.
[Screenshot from 2021-07-12 20-18-50]

The file view, showing the downloads left; once they reach 0, the file is disabled.
[Screenshot from 2021-07-12 20-18-54]

@B1t0n

B1t0n commented Aug 10, 2021

Great stuff!
Do you think that it can get merged with this commit as well? I want to use these features as well
#28

@physics-sec
Author

Saw your PR, the ability to add files programmatically is super powerful, great work!
Take into account that you can just use a custom build and have both changes included.
Whether this gets merged or not depends on @kgretzky 😄

@lucawen

lucawen commented Nov 30, 2022

Maybe we can keep working on it in this fork: https://github.com/SygniaLabs/pwndrop. What do you think?
