diff --git a/README.md b/README.md index 593cd50..5ff5455 100644 --- a/README.md +++ b/README.md @@ -13,22 +13,20 @@ So, be like me, use `curl as a backend`, it's gonna be just fine. Also, this tool can be used as a library, see [lib_sample_usage.py](lib_sample_usage.py) - ## Usage ``` Bypass Url Parser, made with love by @TheLaluka -Improvements & Refactoring with the help of @jtop_fap A tool that tests MANY url bypasses to reach a 40X protected page. Usage: - ./bypass_url_parser.py -u [(-m )...] [-o ] [-S ] [(-H
)...] [-r ] + ./bypass_url_parser.py -u [-m ] [-o ] [-S ] [(-H
)...] [-r ] [-s ] [--spoofip-replace] [-p ] [--spoofport-replace] [--dump-payloads] [-t ] [-T ] [-x ] [-v | -d | -dd] Program options: -H, --header
Header(s) to use, format: "Cookie: can_i_haz=fire" - -m, --mode Bypass modes. See 'Bypasser.bypass_modes' in code [Default: all] + -m, --mode Bypass modes. See 'Bypasser.BYPASS_MODES' in code [Default: all] -o, --outdir Output directory for results -x, --proxy Set a proxy in the format http://proxy_ip:port. -S, --save-level Save results level. From 0 (DISABLE) to 3 (FULL) [Default: 1] @@ -49,18 +47,17 @@ General options: Misc options: --spoofip-replace Disable list of default internal IPs in 'http_headers_ip' bypass mode --spoofport-replace Disable list of default internal ports in 'http_headers_port' bypass mode - --dump-payloads Dumps all payloads (curls) to /tmp/bup-payloads.lst. + --dump-payloads Print all payloads (curls) generated by this tool. Examples: ./bypass_url_parser.py -u "http://127.0.0.1/juicy_403_endpoint/" -s 8.8.8.8 -d ./bypass_url_parser.py -u /path/urls -t 30 -T 5 -H "Cookie: me_iz=admin" -H "User-agent: test" ``` - ## Expected result -``` -python bypass_url_parser.py -u "http://127.0.0.1:8000/foo/bar" 130 ↵ +```bash +python bypass_url_parser.py -u "http://127.0.0.1:8000/foo/bar" 2022-08-09 14:52:40 lalu-perso bup[361559] WARNING Trying to bypass 'http://127.0.0.1:8000/foo/bar' url (1625 payloads)... 2022-08-09 14:52:40 lalu-perso bup[361559] INFO Doing: 50 / 1625 [...] @@ -84,7 +81,6 @@ python bypass_url_parser.py -u "http://127.0.0.1:8000/foo/bar" [GROUP (2)] [mid_paths] [http://127.0.0.1:8000//#?foo/bar] => [301] [] [] [0] [0] [] [SimpleHTTP/0.6 Python/3.8.10] [/] ``` - ## Setup ### LINUX 
@@ -110,19 +106,20 @@ docker run --rm -it --net=host -v "$PWD:/host" thelaluka/bypass-url-parser:lates # docker push thelaluka/bypass-url-parser:latest ``` - ## More about supported arguments ### Arguments parsing -Bypass-url-parser allows to define some arguments in many ways: +Bypass_url_parser allows to define some arguments in many ways: + +- `-m, --mode`, `-s, --spoofip` and `-p, --spoofport` arguments can be a filename, a string, a comma-separated string list or a list (when `Bypasser` is used as a library); +- `-u, --url` argument can be a filename, a string or a list (when `Bypasser` is used as a library); +- `stdin` (with `-`) is supported for all these arguments. - - `-u, --url`, `-m, --mode`, `-s, --spoofip` and `-p, --spoofport` arguments can be a filename, a string, or a list (when `Bypasser` is used as a library); - - `stdin` support for these three arguments (with `-`). - For example, if you want to define several target urls (`-u, --url`), all the following commands produce the same result: ```bash +./bypass_url_parser.py -u 'http://thinkloveshare.com/test' ./bypass_url_parser.py -u /path/urls cat /path/urls | ./bypass_url_parser.py -u - echo 'http://thinkloveshare.com/test' | ./bypass_url_parser.py -u - 
@@ -141,43 +138,42 @@ all, mid_paths, case_substitution, char_encode, http_methods, http_headers_schem Example: ```bash -./bypass_url_parser.py -u /path/urls -m case_substitution -m char_encode -m http_headers_scheme +./bypass_url_parser.py -u /path/urls -m "case_substitution, char_encode, http_headers_scheme" ``` ### Spoofip / Spoofport In order to customize the ip addresses and ports used in bypass attempts, the tool supports the following options: - - With `-s, --spoofip` you can set some IP(s) to inject into `ip-specific` headers (`X-Forwarded-For`, `X-Real-Ip`, etc.) - - With `-p, --spoofport` you can set some ports to inject into `port-specific` headers (`X-Forwarded-Port`) - +- With `-s, --spoofip` you can set some IP(s) to inject into `ip-specific` headers (`X-Forwarded-For`, `X-Real-Ip`, etc.) +- With `-p, --spoofport` you can set some ports to inject into `port-specific` headers (`X-Forwarded-Port`) + By default, these custom entries are added to the internal IP/port lists. If you want to use only your IP(s)/port(s), you can use `--spoofip-replace` and/or `--spoofport-replace` arguments. -Example: +Example: ```bash ./bypass_url_parser.py -u /path/urls -s /path/custom_ip --spoofip-replace -./bypass_url_parser.py -u /path/urls -p 3000 -p 9443 -p 10443 +./bypass_url_parser.py -u /path/urls -p "3000, 9443, 10443" ``` ### Results saving -By default, if target url is unique, the tool saves a copy of the results in `/tmp/tmpXXX-bypass-url-parser/triaged-bypass.log` log file. +By default, if target url is unique, the tool saves a copy of the results in `/tmp/tmpXXX-bypass-url-parser/triaged-bypass.log` log file. 
***Notes:** If multiple target urls are passed to `-u`, results are prefixed with the url as directory (`/tmp/tmpXXX-bypass-url-parser/http-target-com-8080-api-users/`).* There are two arguments to customize this behavior: - - `-o, --outdir` to set a custome output directory - - `-S, --save-level` to choose a saving level - -The saving levels are: +- `-o, --outdir` to set a custome output directory +- `-S, --save-level` to choose a saving level +The saving levels are: - - `0` (NONE): Disable output saving and output directory creation; - - `1` (MINIMAL): Only save the program log file which contains the results (Default); - - `2` (PERTINENT): Save the program log file and pertinent (results) curl responses in separate html files; - - `3` (FULL): Save the program log file and all curl responses in separate html files. +- `0` (NONE): Disable output saving and output directory creation; +- `1` (MINIMAL): Only save the program log file which contains the results (Default); +- `2` (PERTINENT): Save the program log file and pertinent (results) curl responses in separate html files; +- `3` (FULL): Save the program log file and all curl responses in separate html files. Example: @@ -186,18 +182,15 @@ Example: ./bypass_url_parser.py -o /tmp/bypass-res ./bypass_url_parser.py -o /tmp/bypass-res2 -S 2 -u "http://thinkloveshare.com/juicy_403_endpoint/" tree /tmp/bypass-res2/ -/tmp/bypass-res2/ -├── bypass-3d9d56e24d0284ea2c78ebf031f3f755.html -├── bypass-405eafe576175042d3615b2ad83eab38.html -├── bypass-4664f26a295212981877122fae274dc3.html -├── bypass-770e5322396930f5e6e6166c8d76ef48.html -├── bypass-aff8205929cbf18f7356020c1f85dd21.html +├── bypass-14193b8d2e14ec60d52405f46c5d35f3.html +├── bypass-782550777a661b7bef046b5d899b403a.html +├── bypass-e06268bcef8506053feed2646af4e773.html +├── bypass-ebdf6466c5ef82ab08a7b97324662bf0.html └── triaged-bypass.log -0 directories, 6 files +0 directories, 5 files ``` - ## Non-Regression tests & Code Cleanup ```bash 
@@ -205,8 +198,8 @@ tree /tmp/bypass-res2/ isort --py 37 *.py autopep8 -a --max-line-length 120 -i *.py # Ensure no regression is pushed -python bypass_url_parser.py -u "http://127.0.0.1:8000/foo/bar" -dd --dump-payloads > "tests-history/bup-payloads-$(date +'%Y-%m-%d').lst" -# Compare /tmp/bup-payloads.lst and the latest tests-history/bup-payloads-YYYY-MM-DD.lst +./bypass_url_parser.py -u "http://127.0.0.1:8000/foo/bar" --dump-payloads > "tests-history/bup-payloads-$(date +'%Y-%m-%d').lst" +# Compare /tmp/bup-payloads-YYYY-MM-DD.lst and the latest tests-history/bup-payloads-YYYY-MM-DD.lst # TODO create ls/sort/diff bash command for maintainers git commit -m "My cool feature or bugfix" git tag -a vX.Y.Z "$COMMIT_HASH" -m "New release: vX.Y.Z" @@ -214,7 +207,6 @@ git push --tags # If X or Y is bumped, create new release on github ``` - ## Contributors - Initial release by [@TheLaluka](https://twitter.com/TheLaluka)
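Review bot: in the `@@ -13,22 +13,20 @@` hunk, the synopsis changes `-m` from repeatable `[(-m )...]` to a single `[-m ]`, but the option's help line still only says "See 'Bypasser.BYPASS_MODES' in code [Default: all]" and never mentions that the value may now be a comma-separated list; since this help text is the first place a user sees the option, add the comma-separated form there. The banner line `Improvements & Refactoring with the help of @jtop_fap` is also dropped in this hunk; if that is intentional, make sure the Contributors section at the end of the README still carries that credit.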
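Review bot: in the `@@ -49,18 +47,17 @@` hunk, the new help text `--dump-payloads Print all payloads (curls) generated by this tool.` no longer says where the payloads go or whether the tool still sends requests afterwards; since the non-regression instructions later in this patch redirect that output into a file, state explicitly that the list is written to stdout and whether the run stops after dumping. Removing the `130 ↵` prompt remnant from the captured command and tagging the fence as `bash` is a good cleanup.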
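Review bot: in the `@@ -110,19 +106,20 @@` hunk, the new bullets grant the "comma-separated string list" form to `-m`, `-s` and `-p` but not to `-u, --url`; if the reason is that URLs may legitimately contain commas, say so, otherwise readers will try `-u "url1,url2"` and get one mangled target. The project name is also changed from `Bypass-url-parser` to `Bypass_url_parser` here while the help banner in the first hunk still reads `Bypass Url Parser`; pick one spelling. While this line is being rewritten, `allows to define some arguments` should read `lets you define some arguments`.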
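Review bot: in the `@@ -141,43 +138,42 @@` hunk, both new examples put a space after each comma (`-m "case_substitution, char_encode, http_headers_scheme"` and `-p "3000, 9443, 10443"`), but the Arguments parsing section only promises a "comma-separated string list" and never states that surrounding whitespace is stripped; either document the trimming or remove the spaces from the examples so they work under the strictest reading. The typo `custome output directory` sits on a line this hunk rewrites, so fix it to `custom` here, and `if target url is unique` would be clearer as `if a single target url is given`.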
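Review bot: in the `@@ -186,18 +182,15 @@` hunk, the removed `/tmp/bypass-res2/` line is the root entry that `tree` prints first, so the captured output no longer matches what the `tree /tmp/bypass-res2/` command directly above it produces; keep that line and only refresh the file list and the `0 directories, 5 files` summary.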
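Review bot: in the `@@ -205,8 +198,8 @@` hunk, the rewritten comment `# Compare /tmp/bup-payloads-YYYY-MM-DD.lst and the latest tests-history/bup-payloads-YYYY-MM-DD.lst` names a file that nothing writes any more: this same patch changes `--dump-payloads` from writing `/tmp/bup-payloads.lst` to printing the payloads, and the command above redirects that output into `tests-history/bup-payloads-$(date +'%Y-%m-%d').lst`. The comment should say to diff the freshly generated `tests-history` file against the previous dated one in that directory. Dropping `-dd` from the command is also only safe if all log lines go to stderr; if any logging reaches stdout, the redirected payload list will contain log lines and every regression diff will be noisy, so confirm that before merging.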