Merge pull request #495 from hahwul/main

Sync

.github/workflows/codecov.yml

@@ -11,8 +11,8 @@ jobs:
           fetch-depth: 2
       - uses: actions/setup-go@v2
         with:
-          go-version: '1.16'
+          go-version: '1.17'
       - name: Run coverage
-        run: go test -race -coverprofile=coverage.out -covermode=atomic ./...
+        run: go test -coverprofile=coverage.out -covermode=atomic ./...
       - name: Upload coverage to Codecov
         run: bash <(curl -s https://codecov.io/bash)

.github/workflows/docker-publish.yml

@@ -0,0 +1,76 @@
+name: Docker
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+on:
+  push:
+    branches: [ main ]
+    # Publish semver tags as releases.
+    tags: [ 'v*.*.*' ]
+
+env:
+  # Use docker.io for Docker Hub if empty
+  REGISTRY: ghcr.io
+  # github.repository as <account>/<repo>
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      # This is used to complete the identity challenge
+      # with sigstore/fulcio when running outside of PRs.
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      # Install the cosign tool except on PR
+      # https://github.com/sigstore/cosign-installer
+      - name: Install cosign
+        if: github.event_name != 'pull_request'
+        uses: sigstore/cosign-installer@d6a3abf1bdea83574e28d40543793018b6035605
+        with:
+          cosign-release: 'v1.7.1'
+
+
+      # Workaround: https://github.com/docker/build-push-action/issues/461
+      - name: Setup Docker buildx
+        uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf
+
+      # Login against a Docker registry except on PR
+      # https://github.com/docker/login-action
+      - name: Log into registry ${{ env.REGISTRY }}
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Extract metadata (tags, labels) for Docker
+      # https://github.com/docker/metadata-action
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      # Build and push Docker image with Buildx (don't push on PR)
+      # https://github.com/docker/build-push-action
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

.github/workflows/go.yml

@@ -6,16 +6,16 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        go: ["1.13", "1.14", "1.15"]
+        go: ["1.17", "1.18", "1.19", "1.20"]
     steps:
       - name: Set up Go ${{ matrix.go }}
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v4
         with:
           go-version: ${{ matrix.go }}
         id: go
 
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Get dependencies
         run: |

.goreleaser.yml

@@ -29,8 +29,6 @@ builds:
         goarch: 386
       - goos: windows
         goarch: arm
-      - goos: windows
-        goarch: arm64
 
 checksum:
   name_template: "{{ .ProjectName }}_checksums.txt"

cmd/file.go

@@ -1,8 +1,9 @@
 package cmd
 
 import (
-	"bufio"
+	"encoding/json"
 	"fmt"
+	"io/ioutil"
 	"os"
 	"strconv"
 	"strings"
@@ -13,6 +14,9 @@ import (
 	model "github.com/hahwul/dalfox/v2/pkg/model"
 	"github.com/hahwul/dalfox/v2/pkg/printing"
 	"github.com/hahwul/dalfox/v2/pkg/scanning"
+	voltFile "github.com/hahwul/volt/file"
+	voltHar "github.com/hahwul/volt/format/har"
+	voltUtils "github.com/hahwul/volt/util"
 	"github.com/spf13/cobra"
 )
 
@@ -26,15 +30,24 @@ var fileCmd = &cobra.Command{
 			options.Silence = sf
 		}
 		printing.Banner(options)
+		tMethod := options.Method
+		options.Method = "FILE Mode"
+		if len(args) == 0 {
+			printing.DalLog("ERROR", "Input file path", options)
+			printing.DalLog("ERROR", "e.g dalfox file ./targets.txt or ./rawdata.raw", options)
+			return
+		}
 		printing.Summary(options, args[0])
+		options.Method = tMethod
 		var targets []string
 		mutex := &sync.Mutex{}
 		options.Mutex = mutex
 		if len(args) >= 1 {
 			rawdata, _ := cmd.Flags().GetBool("rawdata")
+			har, _ := cmd.Flags().GetBool("har")
 			if rawdata {
 				printing.DalLog("SYSTEM", "Using file mode(rawdata)", options)
-				ff, err := readLinesOrLiteral(args[0])
+				ff, err := voltFile.ReadLinesOrLiteral(args[0])
 				_ = err
 				var path, body, host, target string
 				bodyswitch := false
@@ -82,19 +95,65 @@ var fileCmd = &cobra.Command{
 				}
 				_, _ = scanning.Scan(target, options, "single")
 
+			} else if har {
+				printing.DalLog("SYSTEM", "Using file mode(targets list from HAR)", options)
+				if (!options.NoSpinner || !options.Silence) && !sf {
+					options.SpinnerObject = spinner.New(spinner.CharSets[14], 100*time.Millisecond, spinner.WithWriter(os.Stderr)) // Build our new spinner
+				}
+				var harObject voltHar.HARObject
+				harFile, err := ioutil.ReadFile(args[0])
+				if err == nil {
+					err = json.Unmarshal(harFile, &harObject)
+					if options.Format == "json" {
+						printing.DalLog("PRINT", "[", options)
+					}
+					for i, entry := range harObject.Log.Entries {
+						var turl string
+						options.NowURL = i + 1
+						if len(entry.Request.QueryString) > 0 {
+							var tquery string
+							for _, query := range entry.Request.QueryString {
+								tquery = tquery + query.Name + "=" + query.Value + "&"
+							}
+							turl = entry.Request.URL + "?" + tquery
+						} else {
+							turl = entry.Request.URL
+						}
+						if entry.Request.PostData.Text != "" {
+							options.Data = entry.Request.PostData.Text
+						}
+						options.Method = entry.Request.Method
+						_, _ = scanning.Scan(turl, options, strconv.Itoa(i))
+						if (!options.NoSpinner || !options.Silence) && !sf {
+							mutex.Lock()
+							options.NowURL = options.NowURL + 1
+							percent := fmt.Sprintf("%0.2f%%", float64(options.NowURL)/float64(options.AllURLS)*100)
+							options.SpinnerObject.Suffix = "  [" + strconv.Itoa(options.NowURL) + "/" + strconv.Itoa(options.AllURLS) + " Tasks][" + percent + "] Multiple scanning from file"
+							mutex.Unlock()
+						}
+					}
+					if options.Format == "json" {
+						printing.DalLog("PRINT", "{}]", options)
+					}
+					if (!options.NoSpinner || !options.Silence) && !sf {
+						options.SpinnerObject.Stop()
+					}
+				}
+
 			} else {
 				printing.DalLog("SYSTEM", "Using file mode(targets list)", options)
 				if (!options.NoSpinner || !options.Silence) && !sf {
 					options.SpinnerObject = spinner.New(spinner.CharSets[14], 100*time.Millisecond, spinner.WithWriter(os.Stderr)) // Build our new spinner
 				}
-				ff, err := readLinesOrLiteral(args[0])
+
+				ff, err := voltFile.ReadLinesOrLiteral(args[0])
 				_ = err
 				for _, target := range ff {
 					targets = append(targets, target)
 				}
 
 				// Remove Deplicated value
-				targets = unique(targets)
+				targets = voltUtils.UniqueStringSlice(targets)
 				printing.DalLog("SYSTEM", "Loaded "+strconv.Itoa(len(targets))+" target urls", options)
 				multi, _ := cmd.Flags().GetBool("multicast")
 				mass, _ := cmd.Flags().GetBool("mass")
@@ -146,6 +205,9 @@ var fileCmd = &cobra.Command{
 							}
 						}()
 					}
+					if options.Format == "json" {
+						printing.DalLog("PRINT", "[", options)
+					}
 					for k, v := range t {
 						temp := model.MassJob{
 							Name: k,
@@ -155,6 +217,9 @@ var fileCmd = &cobra.Command{
 					}
 					close(tasks)
 					wg.Wait()
+					if options.Format == "json" {
+						printing.DalLog("PRINT", "{}]", options)
+					}
 					if (!options.NoSpinner || !options.Silence) && !sf {
 						options.SpinnerObject.Stop()
 					}
@@ -171,6 +236,9 @@ var fileCmd = &cobra.Command{
 						}
 						options.SpinnerObject.Start()
 					}
+					if options.Format == "json" {
+						printing.DalLog("PRINT", "[", options)
+					}
 					for i := range targets {
 						options.NowURL = i + 1
 						_, _ = scanning.Scan(targets[i], options, strconv.Itoa(i))
@@ -182,6 +250,9 @@ var fileCmd = &cobra.Command{
 							mutex.Unlock()
 						}
 					}
+					if options.Format == "json" {
+						printing.DalLog("PRINT", "{}]", options)
+					}
 					if (!options.NoSpinner || !options.Silence) && !sf {
 						options.SpinnerObject.Stop()
 					}
@@ -196,60 +267,11 @@ var fileCmd = &cobra.Command{
 
 func init() {
 	rootCmd.AddCommand(fileCmd)
-	fileCmd.Flags().Bool("rawdata", false, "Using req rawdata from Burp/ZAP")
+	fileCmd.Flags().Bool("rawdata", false, "[FORMAT] Using req rawdata from Burp/ZAP")
+	fileCmd.Flags().Bool("har", false, "[FORMAT] Using HAR format")
 	fileCmd.Flags().Bool("http", false, "Using force http on rawdata mode")
 	fileCmd.Flags().Bool("multicast", false, "Parallel scanning N*Host mode (show only poc code)")
 	fileCmd.Flags().Bool("mass", false, "Parallel scanning N*Host mode (show only poc code)")
 	fileCmd.Flags().Bool("silence-force", false, "Only print PoC (not print progress)")
 	fileCmd.Flags().Int("mass-worker", 10, "Parallel worker of --mass and --multicast option")
 }
-
-// a slice of strings, returning the slice and any error
-func readLines(filename string) ([]string, error) {
-	f, err := os.Open(filename)
-	if err != nil {
-		return []string{}, err
-	}
-	defer f.Close()
-
-	lines := make([]string, 0)
-	sc := bufio.NewScanner(f)
-	for sc.Scan() {
-		lines = append(lines, sc.Text())
-	}
-
-	return lines, sc.Err()
-}
-
-// readLinesOrLiteral tries to read lines from a file, returning
-// the arg in a string slice if the file doesn't exist, unless
-// the arg matches its default value
-func readLinesOrLiteral(arg string) ([]string, error) {
-	if isFile(arg) {
-		return readLines(arg)
-	}
-
-	// if the argument isn't a file, but it is the default, don't
-	// treat it as a literal value
-
-	return []string{arg}, nil
-}
-
-// isFile returns true if its argument is a regular file
-func isFile(path string) bool {
-	f, err := os.Stat(path)
-	return err == nil && f.Mode().IsRegular()
-}
-
-// unique is ..
-func unique(intSlice []string) []string {
-	keys := make(map[string]bool)
-	list := []string{}
-	for _, entry := range intSlice {
-		if _, value := keys[entry]; !value {
-			keys[entry] = true
-			list = append(list, entry)
-		}
-	}
-	return list
-}

cmd/payload.go

@@ -3,10 +3,10 @@ package cmd
 import (
 	"strconv"
 
+	"github.com/hahwul/dalfox/v2/pkg/generating"
 	"github.com/hahwul/dalfox/v2/pkg/optimization"
 	"github.com/hahwul/dalfox/v2/pkg/printing"
 	"github.com/hahwul/dalfox/v2/pkg/scanning"
-	"github.com/hahwul/dalfox/v2/pkg/generating"
 	"github.com/spf13/cobra"
 )
 
@@ -16,6 +16,7 @@ var remotePayloadbox, remotePortswigger bool
 var entityGF, entityEventHandler, entityUsefulTags, entitySpecialChars bool
 var urlEncode bool
 
+// Object is Type of PayloadObject
 type Object struct {
 	Use      bool
 	Name     string