403增加 http/1.0 协议绕过

yhy0 · May 22, 2023 · fda360c · fda360c
1 parent 8d9eaf6
commit fda360c
Show file tree

Hide file tree

Showing 8 changed files with 93 additions and 9 deletions.
diff --git a/README-en.md b/README-en.md
@@ -65,7 +65,7 @@ Automatic 403 bypass for the Swagger features.
 
 https://github.com/devploit/dontgo403
 
-Not implemented: https://infosecwriteups.com/403-bypass-lyncdiscover-microsoft-com-db2778458c33
+https://infosecwriteups.com/403-bypass-lyncdiscover-microsoft-com-db2778458c33
 
 ### JWT
 

diff --git a/README.md b/README.md
@@ -62,7 +62,7 @@ Swagger 会自动进行 403 bypass
 
 https://github.com/devploit/dontgo403
 
-未实现https://infosecwriteups.com/403-bypass-lyncdiscover-microsoft-com-db2778458c33
+https://infosecwriteups.com/403-bypass-lyncdiscover-microsoft-com-db2778458c33
 
 ### JWT
 

diff --git a/frontend/package-lock.json b/frontend/package-lock.json
diff --git a/frontend/package.json.md5 b/frontend/package.json.md5
@@ -1 +1 @@
-070b7eaf99af1c1c8627eb5e1cd307ca
+bfe8b93da5c003bedd08ff0a7b4755c0
diff --git a/frontend/src/components/Twj.vue b/frontend/src/components/Twj.vue
@@ -37,7 +37,7 @@ function verify() {
       return
     }
     message.success("Signature Verified")
-    twj.signature = result.msg
+    twj.signature = JSON.stringify(JSON.parse(result.msg),null, 2);
   })
 }
 

diff --git a/pkg/httpx/request.go b/pkg/httpx/request.go
@@ -1,14 +1,17 @@
 package httpx
 
 import (
+	"bufio"
 	"bytes"
 	"crypto/tls"
+	"fmt"
 	"github.com/corpix/uarand"
 	"github.com/yhy0/ChYing/conf"
 	"github.com/yhy0/logging"
 	"go.uber.org/ratelimit"
 	"io/ioutil"
 	"mime/multipart"
+	"net"
 	"net/http"
 	"net/http/cookiejar"
 	"net/http/httptrace"
@@ -283,3 +286,42 @@ func RequestRaw(target string, method string, postdata string, isredirect bool,
 
 	return &Response{resp.Status, resp.StatusCode, respbody, string(requestDump), responseDump, resp.Header, contentLength, resp.Request.URL.String(), location, float64(time.Since(start).Milliseconds())}, nil
 }
+
+// Request10 发送 http/1.0
+func Request10(host, raw string) (*Response, error) {
+	conn, err := net.Dial("tcp", host)
+	if err != nil {
+		logging.Logger.Errorln("Error connecting:", err)
+		return nil, err
+	}
+	defer conn.Close()
+	// 发送请求
+	_, err = fmt.Fprint(conn, raw)
+	if err != nil {
+		logging.Logger.Errorln("Error sending request:", err)
+		return nil, err
+	}
+
+	// 读取响应
+	reader := bufio.NewReader(conn)
+	resp, err := http.ReadResponse(reader, nil)
+	if err != nil {
+		logging.Logger.Errorln("Error reading response:", err)
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	// 读取响应内容
+	responseDump, _ := httputil.DumpResponse(resp, true)
+	var location string
+	var respbody string
+	defer resp.Body.Close()
+	if bodytmp, err := ioutil.ReadAll(resp.Body); err == nil {
+		respbody = string(bodytmp)
+	}
+	if resplocation, err := resp.Location(); err == nil {
+		location = resplocation.String()
+	}
+
+	return &Response{resp.Status, resp.StatusCode, string(respbody), raw, string(responseDump), resp.Header, int(resp.ContentLength), resp.Request.URL.String(), location, 0}, nil
+}
diff --git a/tools/burpSuite/burpAddon.go b/tools/burpSuite/burpAddon.go
@@ -223,12 +223,9 @@ func (b *Burp) Request(f *proxy.Flow) {
 }
 
 func (b *Burp) Responseheaders(f *proxy.Flow) {
-	fmt.Println("Responseheaders")
-
 }
 
 func (b *Burp) Response(f *proxy.Flow) {
-	fmt.Println("Response ========================)))))))))))))))))")
 	if Intercept {
 		for {
 			if Sum != 0 {

diff --git a/tools/fuzz/403bypass.go b/tools/fuzz/403bypass.go
@@ -1,10 +1,12 @@
 package fuzz
 
 import (
+	"fmt"
 	"github.com/yhy0/ChYing/pkg/file"
 	"github.com/yhy0/ChYing/pkg/httpx"
 	"github.com/yhy0/ChYing/tools"
 	"github.com/yhy0/logging"
+	"net/url"
 	"strings"
 	"unicode"
 )
@@ -13,6 +15,7 @@ import (
 	@author: yhy
 	@since: 2023/5/6
 	@desc: bypass 403 	https://github.com/devploit/dontgo403
+	todo 应该考虑一下带参数的，现在不能处理带参数的，直接拼接了，不好
 **/
 
 func Bypass403(uri, m string) {
@@ -91,6 +94,19 @@ func Bypass403(uri, m string) {
 		return
 	}
 
+	result = http10(uri, m)
+	if result != nil {
+		FuzzChan <- tools.Result{
+			Url:           result.Url,
+			Method:        m,
+			StatusCode:    result.StatusCode,
+			ContentLength: result.ContentLength,
+			Request:       result.Request,
+			Response:      result.Response,
+		}
+		return
+	}
+
 	return
 }
 
@@ -375,3 +391,32 @@ func capital(uri, m string) *tools.Result {
 	}
 	return nil
 }
+
+func http10(uri, m string) *tools.Result {
+	u, err := url.Parse(uri)
+	if err != nil {
+		logging.Logger.Errorln("Error url.Parse:", err)
+		return nil
+	}
+	// 设置请求行和请求头
+	raw := fmt.Sprintf("GET %s HTTP/1.0\r\n"+
+		"\r\n"+
+		"\r\n", u.Path+"?"+u.RawQuery)
+
+	resp, err := httpx.Request10(u.Host, raw)
+	if err != nil {
+		return nil
+	}
+	if resp != nil && resp.StatusCode == 200 {
+		return &tools.Result{
+			Url:           uri,
+			Method:        "GET",
+			StatusCode:    resp.StatusCode,
+			ContentLength: resp.ContentLength,
+			Request:       resp.RequestDump,
+			Response:      resp.ResponseDump,
+		}
+	}
+
+	return nil
+}