mirror of
https://github.com/epi052/feroxbuster.git
synced 2026-06-02 22:21:13 -03:00
Compare commits
15 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
4c39944557 | ||
|
|
2be2da470f | ||
|
|
5d74b2bb2d | ||
|
|
9233bfc548 | ||
|
|
287120832d | ||
|
|
dc02f3bb9a | ||
|
|
2cb05ba17f | ||
|
|
6bb263462b | ||
|
|
563da57545 | ||
|
|
d43142575f | ||
|
|
f6d5739eea | ||
|
|
d10c7f0937 | ||
|
|
dc4cf6e5bf | ||
|
|
7e229a047f | ||
|
|
5845e7f286 |
@@ -1,6 +1,6 @@
|
||||
[package]
|
||||
name = "feroxbuster"
|
||||
version = "1.6.3"
|
||||
version = "1.7.0"
|
||||
authors = ["Ben 'epi' Risher <epibar052@gmail.com>"]
|
||||
license = "MIT"
|
||||
edition = "2018"
|
||||
|
||||
11
README.md
11
README.md
@@ -321,15 +321,17 @@ A pre-made configuration file with examples of all available settings can be fou
|
||||
# wordlist = "/wordlists/jhaddix/all.txt"
|
||||
# status_codes = [200, 500]
|
||||
# filter_status = [301]
|
||||
# replay_codes = [301]
|
||||
# threads = 1
|
||||
# timeout = 5
|
||||
# proxy = "http://127.0.0.1:8080"
|
||||
# replay_proxy = "http://127.0.0.1:8081"
|
||||
# replay_codes = [200, 302]
|
||||
# verbosity = 1
|
||||
# scan_limit = 6
|
||||
# quiet = true
|
||||
# json = true
|
||||
# output = "/targets/ellingson_mineral_company/gibson.txt"
|
||||
# debug_log = "/var/log/find-the-derp.log"
|
||||
# user_agent = "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0"
|
||||
# redirects = true
|
||||
# insecure = true
|
||||
@@ -373,14 +375,17 @@ FLAGS:
|
||||
findings (default: false)
|
||||
-h, --help Prints help information
|
||||
-k, --insecure Disables TLS certificate validation
|
||||
--json Emit JSON logs to --output and --debug-log instead of normal text
|
||||
-n, --no-recursion Do not scan recursively
|
||||
-q, --quiet Only print URLs; Don't print status codes, response size, running config, etc...
|
||||
-r, --redirects Follow redirects
|
||||
--stdin Read url(s) from STDIN
|
||||
-V, --version Prints version information
|
||||
-v, --verbosity Increase verbosity level (use -vv or more for greater effect)
|
||||
-v, --verbosity Increase verbosity level (use -vv or more for greater effect. [CAUTION] 4 -v's is probably
|
||||
too much)
|
||||
|
||||
OPTIONS:
|
||||
--debug-log <FILE> Output file to write log entries (use w/ --json for JSON entries)
|
||||
-d, --depth <RECURSION_DEPTH> Maximum recursion depth, a depth of 0 is infinite recursion (default: 4)
|
||||
-x, --extensions <FILE_EXTENSION>... File extension(s) to search for (ex: -x php -x pdf js)
|
||||
-N, --filter-lines <LINES>... Filter out messages of a particular line count (ex: -N 20 -N 31,30)
|
||||
@@ -388,7 +393,7 @@ OPTIONS:
|
||||
-C, --filter-status <STATUS_CODE>... Filter out status codes (deny list) (ex: -C 200 -C 401)
|
||||
-W, --filter-words <WORDS>... Filter out messages of a particular word count (ex: -W 312 -W 91,82)
|
||||
-H, --headers <HEADER>... Specify HTTP headers (ex: -H Header:val 'stuff: things')
|
||||
-o, --output <FILE> Output file to write results to (default: stdout)
|
||||
-o, --output <FILE> Output file to write results to (use w/ --json for JSON entries)
|
||||
-p, --proxy <PROXY> Proxy to use for requests (ex: http(s)://host:port, socks5://host:port)
|
||||
-Q, --query <QUERY>... Specify URL query parameters (ex: -Q token=stuff -Q secret=key)
|
||||
-R, --replay-codes <REPLAY_CODE>... Status Codes to send through a Replay Proxy when found (default: --status
|
||||
|
||||
@@ -18,7 +18,9 @@
|
||||
# verbosity = 1
|
||||
# scan_limit = 6
|
||||
# quiet = true
|
||||
# json = true
|
||||
# output = "/targets/ellingson_mineral_company/gibson.txt"
|
||||
# debug_log = "/var/log/find-the-derp.log"
|
||||
# user_agent = "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0"
|
||||
# redirects = true
|
||||
# insecure = true
|
||||
|
||||
@@ -324,6 +324,15 @@ by Ben "epi" Risher {} ver: {}"#,
|
||||
.unwrap_or_default(); // 🔎
|
||||
}
|
||||
|
||||
if config.json {
|
||||
writeln!(
|
||||
&mut writer,
|
||||
"{}",
|
||||
format_banner_entry!("\u{1F9d4}", "JSON Output", config.json)
|
||||
)
|
||||
.unwrap_or_default(); // 🧔
|
||||
}
|
||||
|
||||
if !config.queries.is_empty() {
|
||||
for query in &config.queries {
|
||||
writeln!(
|
||||
@@ -348,6 +357,15 @@ by Ben "epi" Risher {} ver: {}"#,
|
||||
.unwrap_or_default(); // 💾
|
||||
}
|
||||
|
||||
if !config.debug_log.is_empty() {
|
||||
writeln!(
|
||||
&mut writer,
|
||||
"{}",
|
||||
format_banner_entry!("\u{1fab2}", "Debugging Log", config.debug_log)
|
||||
)
|
||||
.unwrap_or_default(); // 🪲
|
||||
}
|
||||
|
||||
if !config.extensions.is_empty() {
|
||||
writeln!(
|
||||
&mut writer,
|
||||
|
||||
126
src/config.rs
126
src/config.rs
@@ -1,11 +1,11 @@
|
||||
use crate::utils::{module_colorizer, status_colorizer};
|
||||
use crate::{client, parser, progress};
|
||||
use crate::{DEFAULT_CONFIG_NAME, DEFAULT_STATUS_CODES, DEFAULT_WORDLIST, VERSION};
|
||||
use crate::{FeroxSerialize, DEFAULT_CONFIG_NAME, DEFAULT_STATUS_CODES, DEFAULT_WORDLIST, VERSION};
|
||||
use clap::value_t;
|
||||
use indicatif::{MultiProgress, ProgressBar, ProgressDrawTarget};
|
||||
use lazy_static::lazy_static;
|
||||
use reqwest::{Client, StatusCode};
|
||||
use serde::Deserialize;
|
||||
use serde::{Deserialize, Serialize};
|
||||
use std::collections::HashMap;
|
||||
use std::env::{current_dir, current_exe};
|
||||
use std::fs::read_to_string;
|
||||
@@ -49,8 +49,12 @@ fn report_and_exit(err: &str) -> ! {
|
||||
/// In that order.
|
||||
///
|
||||
/// Inspired by and derived from https://github.com/PhilipDaniels/rust-config-example
|
||||
#[derive(Debug, Clone, Deserialize)]
|
||||
#[derive(Debug, Clone, Deserialize, Serialize)]
|
||||
pub struct Configuration {
|
||||
#[serde(rename = "type", default = "serialized_type")]
|
||||
/// Name of this type of struct, used for serialization, i.e. `{"type":"configuration"}`
|
||||
kind: String,
|
||||
|
||||
/// Path to the wordlist
|
||||
#[serde(default = "wordlist")]
|
||||
pub wordlist: String,
|
||||
@@ -107,10 +111,19 @@ pub struct Configuration {
|
||||
#[serde(default)]
|
||||
pub quiet: bool,
|
||||
|
||||
/// Store log output as NDJSON
|
||||
#[serde(default)]
|
||||
pub json: bool,
|
||||
|
||||
/// Output file to write results to (default: stdout)
|
||||
#[serde(default)]
|
||||
pub output: String,
|
||||
|
||||
/// File in which to store debug output, used in conjunction with verbosity to dictate which
|
||||
/// logs are written
|
||||
#[serde(default)]
|
||||
pub debug_log: String,
|
||||
|
||||
/// Sets the User-Agent (default: feroxbuster/VERSION)
|
||||
#[serde(default = "user_agent")]
|
||||
pub user_agent: String,
|
||||
@@ -180,6 +193,11 @@ pub struct Configuration {
|
||||
// defaults in the event that a ferox-config.toml is found but one or more of the values below
|
||||
// aren't listed in the config. This way, we get the correct defaults upon Deserialization
|
||||
|
||||
/// default Configuration type for use in json output
|
||||
fn serialized_type() -> String {
|
||||
String::from("configuration")
|
||||
}
|
||||
|
||||
/// default timeout value
|
||||
fn timeout() -> u64 {
|
||||
7
|
||||
@@ -222,8 +240,10 @@ impl Default for Configuration {
|
||||
let replay_client = None;
|
||||
let status_codes = status_codes();
|
||||
let replay_codes = status_codes.clone();
|
||||
let kind = serialized_type();
|
||||
|
||||
Configuration {
|
||||
kind,
|
||||
client,
|
||||
timeout,
|
||||
user_agent,
|
||||
@@ -233,6 +253,7 @@ impl Default for Configuration {
|
||||
dont_filter: false,
|
||||
quiet: false,
|
||||
stdin: false,
|
||||
json: false,
|
||||
verbosity: 0,
|
||||
scan_limit: 0,
|
||||
add_slash: false,
|
||||
@@ -243,6 +264,7 @@ impl Default for Configuration {
|
||||
proxy: String::new(),
|
||||
config: String::new(),
|
||||
output: String::new(),
|
||||
debug_log: String::new(),
|
||||
target_url: String::new(),
|
||||
replay_proxy: String::new(),
|
||||
queries: Vec::new(),
|
||||
@@ -275,8 +297,9 @@ impl Configuration {
|
||||
/// - **status_codes**: [`DEFAULT_RESPONSE_CODES`](constant.DEFAULT_RESPONSE_CODES.html)
|
||||
/// - **filter_status**: `None`
|
||||
/// - **output**: `None` (print to stdout)
|
||||
/// - **debug_log**: `None`
|
||||
/// - **quiet**: `false`
|
||||
/// - **user_agent**: `feroxer/VERSION`
|
||||
/// - **user_agent**: `feroxbuster/VERSION`
|
||||
/// - **insecure**: `false` (don't be insecure, i.e. don't allow invalid certs)
|
||||
/// - **extensions**: `None`
|
||||
/// - **filter_size**: `None`
|
||||
@@ -287,6 +310,7 @@ impl Configuration {
|
||||
/// - **no_recursion**: `false` (recursively scan enumerated sub-directories)
|
||||
/// - **add_slash**: `false`
|
||||
/// - **stdin**: `false`
|
||||
/// - **json**: `false`
|
||||
/// - **dont_filter**: `false` (auto filter wildcard responses)
|
||||
/// - **depth**: `4` (maximum recursion depth)
|
||||
/// - **scan_limit**: `0` (no limit on concurrent scans imposed)
|
||||
@@ -385,6 +409,7 @@ impl Configuration {
|
||||
update_config_if_present!(&mut config.scan_limit, args, "scan_limit", usize);
|
||||
update_config_if_present!(&mut config.wordlist, args, "wordlist", String);
|
||||
update_config_if_present!(&mut config.output, args, "output", String);
|
||||
update_config_if_present!(&mut config.debug_log, args, "debug_log", String);
|
||||
|
||||
if let Some(arg) = args.values_of("status_codes") {
|
||||
config.status_codes = arg
|
||||
@@ -481,6 +506,10 @@ impl Configuration {
|
||||
config.extract_links = true;
|
||||
}
|
||||
|
||||
if args.is_present("json") {
|
||||
config.json = true;
|
||||
}
|
||||
|
||||
if args.is_present("stdin") {
|
||||
config.stdin = true;
|
||||
} else {
|
||||
@@ -625,6 +654,8 @@ impl Configuration {
|
||||
settings.scan_limit = settings_to_merge.scan_limit;
|
||||
settings.replay_proxy = settings_to_merge.replay_proxy;
|
||||
settings.replay_codes = settings_to_merge.replay_codes;
|
||||
settings.debug_log = settings_to_merge.debug_log;
|
||||
settings.json = settings_to_merge.json;
|
||||
}
|
||||
|
||||
/// If present, read in `DEFAULT_CONFIG_NAME` and deserialize the specified values
|
||||
@@ -650,6 +681,47 @@ impl Configuration {
|
||||
}
|
||||
}
|
||||
|
||||
/// Implementation of FeroxMessage
|
||||
impl FeroxSerialize for Configuration {
|
||||
/// Simple wrapper around create_report_string
|
||||
fn as_str(&self) -> String {
|
||||
format!("{:#?}\n", *self)
|
||||
}
|
||||
|
||||
/// Create an NDJSON representation of the current scan's Configuration
|
||||
///
|
||||
/// (expanded for clarity)
|
||||
/// ex:
|
||||
/// {
|
||||
/// "type":"configuration",
|
||||
/// "wordlist":"test",
|
||||
/// "config":"/home/epi/.config/feroxbuster/ferox-config.toml",
|
||||
/// "proxy":"",
|
||||
/// "replay_proxy":"",
|
||||
/// "target_url":"https://localhost.com",
|
||||
/// "status_codes":[
|
||||
/// 200,
|
||||
/// 204,
|
||||
/// 301,
|
||||
/// 302,
|
||||
/// 307,
|
||||
/// 308,
|
||||
/// 401,
|
||||
/// 403,
|
||||
/// 405
|
||||
/// ],
|
||||
/// ...
|
||||
/// }\n
|
||||
fn as_json(&self) -> String {
|
||||
if let Ok(mut json) = serde_json::to_string(&self) {
|
||||
json.push('\n');
|
||||
json
|
||||
} else {
|
||||
String::from("{\"error\":\"could not Configuration convert to json\"}")
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use super::*;
|
||||
@@ -670,6 +742,7 @@ mod tests {
|
||||
verbosity = 1
|
||||
scan_limit = 6
|
||||
output = "/some/otherpath"
|
||||
debug_log = "/yet/anotherpath"
|
||||
redirects = true
|
||||
insecure = true
|
||||
extensions = ["html", "php", "js"]
|
||||
@@ -680,6 +753,7 @@ mod tests {
|
||||
stdin = true
|
||||
dont_filter = true
|
||||
extract_links = true
|
||||
json = true
|
||||
depth = 1
|
||||
filter_size = [4120]
|
||||
filter_word_count = [994, 992]
|
||||
@@ -699,6 +773,7 @@ mod tests {
|
||||
assert_eq!(config.wordlist, wordlist());
|
||||
assert_eq!(config.proxy, String::new());
|
||||
assert_eq!(config.target_url, String::new());
|
||||
assert_eq!(config.debug_log, String::new());
|
||||
assert_eq!(config.config, String::new());
|
||||
assert_eq!(config.replay_proxy, String::new());
|
||||
assert_eq!(config.status_codes, status_codes());
|
||||
@@ -712,6 +787,7 @@ mod tests {
|
||||
assert_eq!(config.quiet, false);
|
||||
assert_eq!(config.dont_filter, false);
|
||||
assert_eq!(config.no_recursion, false);
|
||||
assert_eq!(config.json, false);
|
||||
assert_eq!(config.stdin, false);
|
||||
assert_eq!(config.add_slash, false);
|
||||
assert_eq!(config.redirects, false);
|
||||
@@ -733,6 +809,13 @@ mod tests {
|
||||
assert_eq!(config.wordlist, "/some/path");
|
||||
}
|
||||
|
||||
#[test]
|
||||
/// parse the test config and see that the value parsed is correct
|
||||
fn config_reads_debug_log() {
|
||||
let config = setup_config_test();
|
||||
assert_eq!(config.debug_log, "/yet/anotherpath");
|
||||
}
|
||||
|
||||
#[test]
|
||||
/// parse the test config and see that the value parsed is correct
|
||||
fn config_reads_status_codes() {
|
||||
@@ -796,6 +879,13 @@ mod tests {
|
||||
assert_eq!(config.quiet, true);
|
||||
}
|
||||
|
||||
#[test]
|
||||
/// parse the test config and see that the value parsed is correct
|
||||
fn config_reads_json() {
|
||||
let config = setup_config_test();
|
||||
assert_eq!(config.json, true);
|
||||
}
|
||||
|
||||
#[test]
|
||||
/// parse the test config and see that the value parsed is correct
|
||||
fn config_reads_verbosity() {
|
||||
@@ -920,4 +1010,32 @@ mod tests {
|
||||
fn config_report_and_exit_works() {
|
||||
report_and_exit("some message");
|
||||
}
|
||||
|
||||
#[test]
|
||||
/// test as_str method of Configuration
|
||||
fn as_str_returns_string_with_newline() {
|
||||
let config = Configuration::new();
|
||||
let config_str = config.as_str();
|
||||
println!("{}", config_str);
|
||||
assert!(config_str.starts_with("Configuration {"));
|
||||
assert!(config_str.ends_with("}\n"));
|
||||
assert!(config_str.contains("replay_codes:"));
|
||||
assert!(config_str.contains("client: Client {"));
|
||||
assert!(config_str.contains("user_agent: \"feroxbuster"));
|
||||
}
|
||||
|
||||
#[test]
|
||||
/// test as_json method of Configuration
|
||||
fn as_json_returns_json_representation_of_configuration_with_newline() {
|
||||
let mut config = Configuration::new();
|
||||
config.timeout = 12;
|
||||
config.depth = 2;
|
||||
let config_str = config.as_json();
|
||||
let json: Configuration = serde_json::from_str(&config_str).unwrap();
|
||||
assert_eq!(json.config, config.config);
|
||||
assert_eq!(json.wordlist, config.wordlist);
|
||||
assert_eq!(json.replay_codes, config.replay_codes);
|
||||
assert_eq!(json.timeout, config.timeout);
|
||||
assert_eq!(json.depth, config.depth);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -2,10 +2,7 @@ use crate::{
|
||||
config::{CONFIGURATION, PROGRESS_PRINTER},
|
||||
filters::WildcardFilter,
|
||||
scanner::should_filter_response,
|
||||
utils::{
|
||||
ferox_print, format_url, get_url_path_length, make_request, module_colorizer,
|
||||
status_colorizer,
|
||||
},
|
||||
utils::{ferox_print, format_url, get_url_path_length, make_request, status_colorizer},
|
||||
FeroxResponse,
|
||||
};
|
||||
use console::style;
|
||||
@@ -42,13 +39,13 @@ fn unique_string(length: usize) -> String {
|
||||
pub async fn wildcard_test(
|
||||
target_url: &str,
|
||||
bar: ProgressBar,
|
||||
tx_file: UnboundedSender<String>,
|
||||
tx_term: UnboundedSender<FeroxResponse>,
|
||||
) -> Option<WildcardFilter> {
|
||||
log::trace!(
|
||||
"enter: wildcard_test({:?}, {:?}, {:?})",
|
||||
target_url,
|
||||
bar,
|
||||
tx_file
|
||||
tx_term
|
||||
);
|
||||
|
||||
if CONFIGURATION.dont_filter {
|
||||
@@ -57,10 +54,10 @@ pub async fn wildcard_test(
|
||||
return None;
|
||||
}
|
||||
|
||||
let clone_req_one = tx_file.clone();
|
||||
let clone_req_two = tx_file.clone();
|
||||
let tx_clone_one = tx_term.clone();
|
||||
let tx_clone_two = tx_term.clone();
|
||||
|
||||
if let Some(ferox_response) = make_wildcard_request(&target_url, 1, clone_req_one).await {
|
||||
if let Some(ferox_response) = make_wildcard_request(&target_url, 1, tx_clone_one).await {
|
||||
bar.inc(1);
|
||||
|
||||
// found a wildcard response
|
||||
@@ -75,7 +72,7 @@ pub async fn wildcard_test(
|
||||
|
||||
// content length of wildcard is non-zero, perform additional tests:
|
||||
// make a second request, with a known-sized (64) longer request
|
||||
if let Some(resp_two) = make_wildcard_request(&target_url, 3, clone_req_two).await {
|
||||
if let Some(resp_two) = make_wildcard_request(&target_url, 3, tx_clone_two).await {
|
||||
bar.inc(1);
|
||||
|
||||
let wc2_length = resp_two.content_length();
|
||||
@@ -89,46 +86,34 @@ pub async fn wildcard_test(
|
||||
|
||||
if !CONFIGURATION.quiet {
|
||||
let msg = format!(
|
||||
"{} {:>8}l {:>8}w {:>8}c Wildcard response is dynamic; {} ({} + url length) responses; toggle this behavior by using {}\n",
|
||||
"{} {:>9} {:>9} {:>9} Wildcard response is dynamic; {} ({} + url length) responses; toggle this behavior by using {}\n",
|
||||
status_colorizer("WLD"),
|
||||
ferox_response.line_count(),
|
||||
ferox_response.word_count(),
|
||||
wildcard.dynamic,
|
||||
"-",
|
||||
"-",
|
||||
"-",
|
||||
style("auto-filtering").yellow(),
|
||||
style(wc_length - url_len).cyan(),
|
||||
style("--dont-filter").yellow()
|
||||
);
|
||||
);
|
||||
|
||||
ferox_print(&msg, &PROGRESS_PRINTER);
|
||||
|
||||
try_send_message_to_file(
|
||||
&msg,
|
||||
tx_file.clone(),
|
||||
!CONFIGURATION.output.is_empty(),
|
||||
);
|
||||
}
|
||||
} else if wc_length == wc2_length {
|
||||
wildcard.size = wc_length;
|
||||
|
||||
if !CONFIGURATION.quiet {
|
||||
let msg = format!(
|
||||
"{} {:>8}l {:>8}w {:>8}c Wildcard response is static; {} {} responses; toggle this behavior by using {}\n",
|
||||
"{} {:>9} {:>9} {:>9} Wildcard response is static; {} {} responses; toggle this behavior by using {}\n",
|
||||
status_colorizer("WLD"),
|
||||
ferox_response.line_count(),
|
||||
ferox_response.word_count(),
|
||||
wc_length,
|
||||
"-",
|
||||
"-",
|
||||
"-",
|
||||
style("auto-filtering").yellow(),
|
||||
style(wc_length).cyan(),
|
||||
style("--dont-filter").yellow()
|
||||
);
|
||||
|
||||
ferox_print(&msg, &PROGRESS_PRINTER);
|
||||
|
||||
try_send_message_to_file(
|
||||
&msg,
|
||||
tx_file.clone(),
|
||||
!CONFIGURATION.output.is_empty(),
|
||||
);
|
||||
}
|
||||
}
|
||||
} else {
|
||||
@@ -152,7 +137,7 @@ pub async fn wildcard_test(
|
||||
async fn make_wildcard_request(
|
||||
target_url: &str,
|
||||
length: usize,
|
||||
tx_file: UnboundedSender<String>,
|
||||
tx_file: UnboundedSender<FeroxResponse>,
|
||||
) -> Option<FeroxResponse> {
|
||||
log::trace!(
|
||||
"enter: make_wildcard_request({}, {}, {:?})",
|
||||
@@ -178,8 +163,6 @@ async fn make_wildcard_request(
|
||||
}
|
||||
};
|
||||
|
||||
let wildcard = status_colorizer("WLD");
|
||||
|
||||
match make_request(&CONFIGURATION.client, &nonexistent.to_owned()).await {
|
||||
Ok(response) => {
|
||||
if CONFIGURATION
|
||||
@@ -187,58 +170,16 @@ async fn make_wildcard_request(
|
||||
.contains(&response.status().as_u16())
|
||||
{
|
||||
// found a wildcard response
|
||||
let ferox_response = FeroxResponse::from(response, true).await;
|
||||
let url_len = get_url_path_length(&ferox_response.url());
|
||||
let content_len = ferox_response.content_length();
|
||||
let content_words = ferox_response.word_count();
|
||||
let content_lines = ferox_response.line_count();
|
||||
let mut ferox_response = FeroxResponse::from(response, true).await;
|
||||
ferox_response.wildcard = true;
|
||||
|
||||
if !CONFIGURATION.quiet && !should_filter_response(&ferox_response) {
|
||||
let msg = format!(
|
||||
"{} {:>8}l {:>8}w {:>8}c Got {} for {} (url length: {})\n",
|
||||
wildcard,
|
||||
content_lines,
|
||||
content_words,
|
||||
content_len,
|
||||
status_colorizer(&ferox_response.status().as_str()),
|
||||
ferox_response.url(),
|
||||
url_len
|
||||
);
|
||||
|
||||
ferox_print(&msg, &PROGRESS_PRINTER);
|
||||
|
||||
try_send_message_to_file(
|
||||
&msg,
|
||||
tx_file.clone(),
|
||||
!CONFIGURATION.output.is_empty(),
|
||||
);
|
||||
if !CONFIGURATION.quiet
|
||||
&& !should_filter_response(&ferox_response)
|
||||
&& tx_file.send(ferox_response.clone()).is_err()
|
||||
{
|
||||
return None;
|
||||
}
|
||||
|
||||
if ferox_response.status().is_redirection() {
|
||||
// show where it goes, if possible
|
||||
if let Some(next_loc) = ferox_response.headers().get("Location") {
|
||||
let next_loc_str = next_loc.to_str().unwrap_or("Unknown");
|
||||
if !CONFIGURATION.quiet && !should_filter_response(&ferox_response) {
|
||||
let msg = format!(
|
||||
"{} {:>8}l {:>8}w {:>8}c {} redirects to => {}\n",
|
||||
wildcard,
|
||||
content_lines,
|
||||
content_words,
|
||||
content_len,
|
||||
ferox_response.url(),
|
||||
next_loc_str
|
||||
);
|
||||
|
||||
ferox_print(&msg, &PROGRESS_PRINTER);
|
||||
|
||||
try_send_message_to_file(
|
||||
&msg,
|
||||
tx_file.clone(),
|
||||
!CONFIGURATION.output.is_empty(),
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
log::trace!("exit: make_wildcard_request -> {}", ferox_response);
|
||||
return Some(ferox_response);
|
||||
}
|
||||
@@ -303,35 +244,9 @@ pub async fn connectivity_test(target_urls: &[String]) -> Vec<String> {
|
||||
good_urls
|
||||
}
|
||||
|
||||
/// simple helper to keep DRY; sends a message using the transmitter side of the given mpsc channel
|
||||
/// the receiver is expected to be the side that saves the message to CONFIGURATION.output.
|
||||
fn try_send_message_to_file(msg: &str, tx_file: UnboundedSender<String>, save_output: bool) {
|
||||
log::trace!("enter: try_send_message_to_file({}, {:?})", msg, tx_file);
|
||||
|
||||
if save_output {
|
||||
match tx_file.send(msg.to_string()) {
|
||||
Ok(_) => {
|
||||
log::trace!(
|
||||
"sent message from heuristics::try_send_message_to_file to file handler"
|
||||
);
|
||||
}
|
||||
Err(e) => {
|
||||
log::error!(
|
||||
"{} {}",
|
||||
module_colorizer("heuristics::try_send_message_to_file"),
|
||||
e
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
log::trace!("exit: try_send_message_to_file");
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use super::*;
|
||||
use crate::FeroxChannel;
|
||||
use tokio::sync::mpsc;
|
||||
|
||||
#[test]
|
||||
/// request a unique string of 32bytes * a value returns correct result
|
||||
@@ -348,41 +263,4 @@ mod tests {
|
||||
assert_eq!(wcf.size, 0);
|
||||
assert_eq!(wcf.dynamic, 0);
|
||||
}
|
||||
|
||||
#[tokio::test(core_threads = 1)]
|
||||
/// tests that given a message and transmitter, the function sends the message across the
|
||||
/// channel
|
||||
async fn heuristics_try_send_message_to_file_sends_when_true() {
|
||||
let (tx, mut rx): FeroxChannel<String> = mpsc::unbounded_channel();
|
||||
let msg = "It really tied the room together.";
|
||||
let should_save = true;
|
||||
try_send_message_to_file(&msg, tx, should_save);
|
||||
|
||||
assert_eq!(rx.recv().await.unwrap(), msg);
|
||||
}
|
||||
|
||||
#[tokio::test(core_threads = 1)]
|
||||
#[should_panic]
|
||||
/// tests that when save_output is false, nothing is sent to the receiver
|
||||
async fn heuristics_try_send_message_to_file_sends_when_false() {
|
||||
let (tx, mut rx): FeroxChannel<String> = mpsc::unbounded_channel();
|
||||
let msg = "I'm the Dude, so that's what you call me.";
|
||||
let should_save = false;
|
||||
try_send_message_to_file(&msg, tx, should_save);
|
||||
|
||||
assert_ne!(rx.recv().await.unwrap(), msg);
|
||||
}
|
||||
|
||||
#[tokio::test(core_threads = 1)]
|
||||
/// tests that when save_output is true, but the receiver is closed, nothing is sent to the receiver
|
||||
/// this test doesn't assert anything, but reaches the error block of the given function and
|
||||
/// can be verified with --nocapture and RUST_LOG being set
|
||||
async fn heuristics_try_send_message_to_file_sends_with_closed_receiver() {
|
||||
env_logger::init();
|
||||
let (tx, mut rx): FeroxChannel<String> = mpsc::unbounded_channel();
|
||||
let msg = "Hey, nice marmot.";
|
||||
let should_save = true;
|
||||
rx.close();
|
||||
try_send_message_to_file(&msg, tx, should_save);
|
||||
}
|
||||
}
|
||||
|
||||
256
src/lib.rs
256
src/lib.rs
@@ -12,7 +12,11 @@ pub mod scan_manager;
|
||||
pub mod scanner;
|
||||
pub mod utils;
|
||||
|
||||
use crate::utils::{get_url_path_length, status_colorizer};
|
||||
use console::{style, Color};
|
||||
use reqwest::{header::HeaderMap, Response, StatusCode, Url};
|
||||
use serde::{ser::SerializeStruct, Deserialize, Serialize, Serializer};
|
||||
use std::collections::HashMap;
|
||||
use std::{error, fmt};
|
||||
use tokio::sync::mpsc::{UnboundedReceiver, UnboundedSender};
|
||||
|
||||
@@ -82,6 +86,17 @@ pub const DEFAULT_STATUS_CODES: [StatusCode; 9] = [
|
||||
/// Expected location is in the same directory as the feroxbuster binary.
|
||||
pub const DEFAULT_CONFIG_NAME: &str = "ferox-config.toml";
|
||||
|
||||
/// FeroxSerialize trait; represents different types that are Serialize and also implement
|
||||
/// as_str / as_json methods
|
||||
pub trait FeroxSerialize: Serialize {
|
||||
/// Return a String representation of the object, generally the human readable version of the
|
||||
/// implementor
|
||||
fn as_str(&self) -> String;
|
||||
|
||||
/// Return an NDJSON representation of the object
|
||||
fn as_json(&self) -> String;
|
||||
}
|
||||
|
||||
/// A `FeroxResponse`, derived from a `Response` to a submitted `Request`
|
||||
#[derive(Debug, Clone)]
|
||||
pub struct FeroxResponse {
|
||||
@@ -99,6 +114,9 @@ pub struct FeroxResponse {
|
||||
|
||||
/// The `Headers` of this `FeroxResponse`
|
||||
headers: HeaderMap,
|
||||
|
||||
/// Wildcard response status
|
||||
wildcard: bool,
|
||||
}
|
||||
|
||||
/// Implement Display for FeroxResponse
|
||||
@@ -216,10 +234,206 @@ impl FeroxResponse {
|
||||
content_length,
|
||||
text,
|
||||
headers,
|
||||
wildcard: false,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/// Implement FeroxSerialize for FeroxResponse
|
||||
impl FeroxSerialize for FeroxResponse {
|
||||
/// Simple wrapper around create_report_string
|
||||
fn as_str(&self) -> String {
|
||||
let lines = self.line_count().to_string();
|
||||
let words = self.word_count().to_string();
|
||||
let chars = self.content_length().to_string();
|
||||
let status = self.status().as_str();
|
||||
let wild_status = status_colorizer("WLD");
|
||||
|
||||
if self.wildcard {
|
||||
// response is a wildcard, special messages abound when this is the case...
|
||||
|
||||
// create the base message
|
||||
let mut message = format!(
|
||||
"{} {:>8}l {:>8}w {:>8}c Got {} for {} (url length: {})\n",
|
||||
wild_status,
|
||||
lines,
|
||||
words,
|
||||
chars,
|
||||
status_colorizer(&status),
|
||||
self.url(),
|
||||
get_url_path_length(&self.url())
|
||||
);
|
||||
|
||||
if self.status().is_redirection() {
|
||||
// when it's a redirect, show where it goes, if possible
|
||||
if let Some(next_loc) = self.headers().get("Location") {
|
||||
let next_loc_str = next_loc.to_str().unwrap_or("Unknown");
|
||||
|
||||
let redirect_msg = format!(
|
||||
"{} {:>9} {:>9} {:>9} {} redirects to => {}\n",
|
||||
wild_status,
|
||||
"-",
|
||||
"-",
|
||||
"-",
|
||||
self.url(),
|
||||
next_loc_str
|
||||
);
|
||||
|
||||
message.push_str(&redirect_msg);
|
||||
}
|
||||
}
|
||||
|
||||
// base message + redirection message (if appropriate)
|
||||
message
|
||||
} else {
|
||||
// not a wildcard, just create a normal entry
|
||||
utils::create_report_string(
|
||||
self.status.as_str(),
|
||||
&lines,
|
||||
&words,
|
||||
&chars,
|
||||
self.url().as_str(),
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
/// Create an NDJSON representation of the FeroxResponse
|
||||
///
|
||||
/// (expanded for clarity)
|
||||
/// ex:
|
||||
/// {
|
||||
/// "type":"response",
|
||||
/// "url":"https://localhost.com/images",
|
||||
/// "path":"/images",
|
||||
/// "status":301,
|
||||
/// "content_length":179,
|
||||
/// "line_count":10,
|
||||
/// "word_count":16,
|
||||
/// "headers":{
|
||||
/// "x-content-type-options":"nosniff",
|
||||
/// "strict-transport-security":"max-age=31536000; includeSubDomains",
|
||||
/// "x-frame-options":"SAMEORIGIN",
|
||||
/// "connection":"keep-alive",
|
||||
/// "server":"nginx/1.16.1",
|
||||
/// "content-type":"text/html; charset=UTF-8",
|
||||
/// "referrer-policy":"origin-when-cross-origin",
|
||||
/// "content-security-policy":"default-src 'none'",
|
||||
/// "access-control-allow-headers":"X-Requested-With",
|
||||
/// "x-xss-protection":"1; mode=block",
|
||||
/// "content-length":"179",
|
||||
/// "date":"Mon, 23 Nov 2020 15:33:24 GMT",
|
||||
/// "location":"/images/",
|
||||
/// "access-control-allow-origin":"https://localhost.com"
|
||||
/// }
|
||||
/// }\n
|
||||
fn as_json(&self) -> String {
|
||||
if let Ok(mut json) = serde_json::to_string(&self) {
|
||||
json.push('\n');
|
||||
json
|
||||
} else {
|
||||
format!("{{\"error\":\"could not convert {} to json\"}}", self.url())
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/// Serialize implementation for FeroxResponse
|
||||
impl Serialize for FeroxResponse {
|
||||
/// Function that handles serialization of a FeroxResponse to NDJSON
|
||||
fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
|
||||
where
|
||||
S: Serializer,
|
||||
{
|
||||
let mut headers = HashMap::new();
|
||||
let mut state = serializer.serialize_struct("FeroxResponse", 7)?;
|
||||
|
||||
// need to convert the HeaderMap to a HashMap in order to pass it to the serializer
|
||||
for (key, value) in &self.headers {
|
||||
let k = key.as_str().to_owned();
|
||||
let v = String::from_utf8_lossy(value.as_bytes());
|
||||
headers.insert(k, v);
|
||||
}
|
||||
|
||||
state.serialize_field("type", "response")?;
|
||||
state.serialize_field("url", self.url.as_str())?;
|
||||
state.serialize_field("path", self.url.path())?;
|
||||
state.serialize_field("wildcard", &self.wildcard)?;
|
||||
state.serialize_field("status", &self.status.as_u16())?;
|
||||
state.serialize_field("content_length", &self.content_length)?;
|
||||
state.serialize_field("line_count", &self.line_count())?;
|
||||
state.serialize_field("word_count", &self.word_count())?;
|
||||
state.serialize_field("headers", &headers)?;
|
||||
|
||||
state.end()
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Serialize, Deserialize, Default)]
|
||||
/// Representation of a log entry, can be represented as a human readable string or JSON
|
||||
pub struct FeroxMessage {
|
||||
// todo probably move to lib
|
||||
#[serde(rename = "type")]
|
||||
/// Name of this type of struct, used for serialization, i.e. `{"type":"log"}`
|
||||
kind: String,
|
||||
|
||||
/// The log message
|
||||
pub message: String,
|
||||
|
||||
/// The log level
|
||||
pub level: String,
|
||||
|
||||
/// The number of seconds elapsed since the scan started
|
||||
pub time_offset: f32,
|
||||
|
||||
/// The module from which log::* was called
|
||||
pub module: String,
|
||||
}
|
||||
|
||||
/// Implementation of FeroxMessage
|
||||
impl FeroxSerialize for FeroxMessage {
|
||||
/// Create an NDJSON representation of the log message
|
||||
///
|
||||
/// (expanded for clarity)
|
||||
/// ex:
|
||||
/// {
|
||||
/// "type": "log",
|
||||
/// "message": "Sent https://localhost/api to file handler",
|
||||
/// "level": "DEBUG",
|
||||
/// "time_offset": 0.86333454,
|
||||
/// "module": "feroxbuster::reporter"
|
||||
/// }\n
|
||||
fn as_json(&self) -> String {
|
||||
if let Ok(mut json) = serde_json::to_string(&self) {
|
||||
json.push('\n');
|
||||
json
|
||||
} else {
|
||||
String::from("{\"error\":\"could not convert to json\"}")
|
||||
}
|
||||
}
|
||||
|
||||
/// Create a string representation of the log message
|
||||
///
|
||||
/// ex: 301 10l 16w 173c https://localhost/api
|
||||
fn as_str(&self) -> String {
|
||||
let (level_name, level_color) = match self.level.as_str() {
|
||||
"ERROR" => ("ERR", Color::Red),
|
||||
"WARN" => ("WRN", Color::Red),
|
||||
"INFO" => ("INF", Color::Cyan),
|
||||
"DEBUG" => ("DBG", Color::Yellow),
|
||||
"TRACE" => ("TRC", Color::Magenta),
|
||||
"WILDCARD" => ("WLD", Color::Cyan),
|
||||
_ => ("UNK", Color::White),
|
||||
};
|
||||
|
||||
format!(
|
||||
"{} {:10.03} {} {}\n",
|
||||
style(level_name).bg(level_color).black(),
|
||||
style(self.time_offset).dim(),
|
||||
self.module,
|
||||
style(&self.message).dim(),
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use super::*;
|
||||
@@ -244,4 +458,46 @@ mod tests {
|
||||
fn default_version() {
|
||||
assert_eq!(VERSION, env!("CARGO_PKG_VERSION"));
|
||||
}
|
||||
|
||||
#[test]
|
||||
/// test as_str method of FeroxMessage
|
||||
fn ferox_message_as_str_returns_string_with_newline() {
|
||||
let message = FeroxMessage {
|
||||
message: "message".to_string(),
|
||||
module: "utils".to_string(),
|
||||
time_offset: 1.0,
|
||||
level: "INFO".to_string(),
|
||||
kind: "log".to_string(),
|
||||
};
|
||||
let message_str = message.as_str();
|
||||
|
||||
assert!(message_str.contains("INF"));
|
||||
assert!(message_str.contains("1.000"));
|
||||
assert!(message_str.contains("utils"));
|
||||
assert!(message_str.contains("message"));
|
||||
assert!(message_str.ends_with('\n'));
|
||||
}
|
||||
|
||||
#[test]
|
||||
/// test as_json method of FeroxMessage
|
||||
fn ferox_message_as_json_returns_json_representation_of_ferox_message_with_newline() {
|
||||
let message = FeroxMessage {
|
||||
message: "message".to_string(),
|
||||
module: "utils".to_string(),
|
||||
time_offset: 1.0,
|
||||
level: "INFO".to_string(),
|
||||
kind: "log".to_string(),
|
||||
};
|
||||
|
||||
let message_str = message.as_json();
|
||||
|
||||
let error_margin = f32::EPSILON;
|
||||
|
||||
let json: FeroxMessage = serde_json::from_str(&message_str).unwrap();
|
||||
assert_eq!(json.module, message.module);
|
||||
assert_eq!(json.message, message.message);
|
||||
assert!((json.time_offset - message.time_offset).abs() < error_margin);
|
||||
assert_eq!(json.level, message.level);
|
||||
assert_eq!(json.kind, message.kind);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,6 +1,9 @@
|
||||
use crate::config::{CONFIGURATION, PROGRESS_PRINTER};
|
||||
use crate::reporter::{get_cached_file_handle, safe_file_write};
|
||||
use console::{style, Color};
|
||||
use crate::{
|
||||
config::{CONFIGURATION, PROGRESS_PRINTER},
|
||||
reporter::safe_file_write,
|
||||
utils::open_file,
|
||||
FeroxMessage, FeroxSerialize,
|
||||
};
|
||||
use env_logger::Builder;
|
||||
use std::env;
|
||||
use std::time::Instant;
|
||||
@@ -28,44 +31,27 @@ pub fn initialize(verbosity: u8) {
|
||||
let start = Instant::now();
|
||||
let mut builder = Builder::from_default_env();
|
||||
|
||||
// I REALLY wanted the logger to also use the reporting channels found in the `reporter`
|
||||
// module. However, in order to properly clean up the channels, all references to the
|
||||
// transmitter side of a channel need to go out of scope, then you can await the future into
|
||||
// which the receiver was moved.
|
||||
//
|
||||
// The problem was that putting a transmitter reference in this closure, which gets initialized
|
||||
// as part of the global logger, made it so that I couldn't destroy/leak/take/swap the last
|
||||
// reference to allow the channels to gracefully close.
|
||||
//
|
||||
// The workaround was to have a RwLock around the file and allow both the logger and the
|
||||
// file handler to both write independent of each other.
|
||||
let locked_file = get_cached_file_handle(&CONFIGURATION.output);
|
||||
let debug_file = open_file(&CONFIGURATION.debug_log);
|
||||
|
||||
if let Some(buffered_file) = debug_file.clone() {
|
||||
// write out the configuration to the debug file if it exists
|
||||
safe_file_write(&*CONFIGURATION, buffered_file, CONFIGURATION.json);
|
||||
}
|
||||
|
||||
builder
|
||||
.format(move |_, record| {
|
||||
let t = start.elapsed().as_secs_f32();
|
||||
let level = record.level();
|
||||
|
||||
let (level_name, level_color) = match level {
|
||||
log::Level::Error => ("ERR", Color::Red),
|
||||
log::Level::Warn => ("WRN", Color::Red),
|
||||
log::Level::Info => ("INF", Color::Cyan),
|
||||
log::Level::Debug => ("DBG", Color::Yellow),
|
||||
log::Level::Trace => ("TRC", Color::Magenta),
|
||||
let log_entry = FeroxMessage {
|
||||
message: record.args().to_string(),
|
||||
level: record.level().to_string(),
|
||||
time_offset: start.elapsed().as_secs_f32(),
|
||||
module: record.target().to_string(),
|
||||
kind: "log".to_string(),
|
||||
};
|
||||
|
||||
let msg = format!(
|
||||
"{} {:10.03} {} {}\n",
|
||||
style(level_name).bg(level_color).black(),
|
||||
style(t).dim(),
|
||||
record.target(),
|
||||
style(record.args()).dim(),
|
||||
);
|
||||
PROGRESS_PRINTER.println(&log_entry.as_str());
|
||||
|
||||
PROGRESS_PRINTER.println(&msg);
|
||||
|
||||
if let Some(buffered_file) = locked_file.clone() {
|
||||
safe_file_write(&msg, buffered_file);
|
||||
if let Some(buffered_file) = debug_file.clone() {
|
||||
safe_file_write(&log_entry, buffered_file, CONFIGURATION.json);
|
||||
}
|
||||
|
||||
Ok(())
|
||||
|
||||
@@ -97,7 +97,7 @@ fn get_unique_words_from_wordlist(path: &str) -> FeroxResult<Arc<HashSet<String>
|
||||
async fn scan(
|
||||
targets: Vec<String>,
|
||||
tx_term: UnboundedSender<FeroxResponse>,
|
||||
tx_file: UnboundedSender<String>,
|
||||
tx_file: UnboundedSender<FeroxResponse>,
|
||||
) -> FeroxResult<()> {
|
||||
log::trace!("enter: scan({:?}, {:?}, {:?})", targets, tx_term, tx_file);
|
||||
// cloning an Arc is cheap (it's basically a pointer into the heap)
|
||||
@@ -187,7 +187,6 @@ async fn wrapped_main() {
|
||||
|
||||
// can't trace main until after logger is initialized and the above task is started
|
||||
log::trace!("enter: main");
|
||||
log::debug!("{:#?}", *CONFIGURATION);
|
||||
|
||||
// spawn a thread that listens for keyboard input on stdin, when a user presses enter
|
||||
// the input handler will toggle PAUSE_SCAN, which in turn is used to pause and resume
|
||||
@@ -249,7 +248,7 @@ async fn wrapped_main() {
|
||||
async fn clean_up(
|
||||
tx_term: UnboundedSender<FeroxResponse>,
|
||||
term_handle: JoinHandle<()>,
|
||||
tx_file: UnboundedSender<String>,
|
||||
tx_file: UnboundedSender<FeroxResponse>,
|
||||
file_handle: Option<JoinHandle<()>>,
|
||||
save_output: bool,
|
||||
) {
|
||||
|
||||
@@ -109,6 +109,12 @@ pub fn initialize() -> App<'static, 'static> {
|
||||
.takes_value(false)
|
||||
.help("Only print URLs; Don't print status codes, response size, running config, etc...")
|
||||
)
|
||||
.arg(
|
||||
Arg::with_name("json")
|
||||
.long("json")
|
||||
.takes_value(false)
|
||||
.help("Emit JSON logs to --output and --debug-log instead of normal text")
|
||||
)
|
||||
.arg(
|
||||
Arg::with_name("dont_filter")
|
||||
.short("D")
|
||||
@@ -121,7 +127,14 @@ pub fn initialize() -> App<'static, 'static> {
|
||||
.short("o")
|
||||
.long("output")
|
||||
.value_name("FILE")
|
||||
.help("Output file to write results to (default: stdout)")
|
||||
.help("Output file to write results to (use w/ --json for JSON entries)")
|
||||
.takes_value(true),
|
||||
)
|
||||
.arg(
|
||||
Arg::with_name("debug_log")
|
||||
.long("debug-log")
|
||||
.value_name("FILE")
|
||||
.help("Output file to write log entries (use w/ --json for JSON entries)")
|
||||
.takes_value(true),
|
||||
)
|
||||
.arg(
|
||||
|
||||
@@ -1,6 +1,8 @@
|
||||
use crate::config::{CONFIGURATION, PROGRESS_PRINTER};
|
||||
use crate::utils::{create_report_string, ferox_print, make_request};
|
||||
use crate::{FeroxChannel, FeroxResponse};
|
||||
use crate::{
|
||||
config::{CONFIGURATION, PROGRESS_PRINTER},
|
||||
utils::{ferox_print, make_request, open_file},
|
||||
FeroxChannel, FeroxResponse, FeroxSerialize,
|
||||
};
|
||||
use console::strip_ansi_codes;
|
||||
use std::io::Write;
|
||||
use std::sync::{Arc, Once, RwLock};
|
||||
@@ -41,14 +43,14 @@ pub fn initialize(
|
||||
save_output: bool,
|
||||
) -> (
|
||||
UnboundedSender<FeroxResponse>,
|
||||
UnboundedSender<String>,
|
||||
UnboundedSender<FeroxResponse>,
|
||||
JoinHandle<()>,
|
||||
Option<JoinHandle<()>>,
|
||||
) {
|
||||
log::trace!("enter: initialize({}, {})", output_file, save_output);
|
||||
|
||||
let (tx_rpt, rx_rpt): FeroxChannel<FeroxResponse> = mpsc::unbounded_channel();
|
||||
let (tx_file, rx_file): FeroxChannel<String> = mpsc::unbounded_channel();
|
||||
let (tx_file, rx_file): FeroxChannel<FeroxResponse> = mpsc::unbounded_channel();
|
||||
|
||||
let file_clone = tx_file.clone();
|
||||
|
||||
@@ -81,7 +83,7 @@ pub fn initialize(
|
||||
/// reporting criteria
|
||||
async fn spawn_terminal_reporter(
|
||||
mut resp_chan: UnboundedReceiver<FeroxResponse>,
|
||||
file_chan: UnboundedSender<String>,
|
||||
file_chan: UnboundedSender<FeroxResponse>,
|
||||
save_output: bool,
|
||||
) {
|
||||
log::trace!(
|
||||
@@ -95,20 +97,12 @@ async fn spawn_terminal_reporter(
|
||||
log::trace!("received {} on reporting channel", resp.url());
|
||||
|
||||
if CONFIGURATION.status_codes.contains(&resp.status().as_u16()) {
|
||||
let report = create_report_string(
|
||||
resp.status().as_str(),
|
||||
&resp.line_count().to_string(),
|
||||
&resp.word_count().to_string(),
|
||||
&resp.content_length().to_string(),
|
||||
&resp.url().to_string(),
|
||||
);
|
||||
|
||||
// print to stdout
|
||||
ferox_print(&report, &PROGRESS_PRINTER);
|
||||
ferox_print(&resp.as_str(), &PROGRESS_PRINTER);
|
||||
|
||||
if save_output {
|
||||
// -o used, need to send the report to be written out to disk
|
||||
match file_chan.send(report.to_string()) {
|
||||
match file_chan.send(resp.clone()) {
|
||||
Ok(_) => {
|
||||
log::debug!("Sent {} to file handler", resp.url());
|
||||
}
|
||||
@@ -140,7 +134,10 @@ async fn spawn_terminal_reporter(
|
||||
///
|
||||
/// The consumer simply receives responses and writes them to the given output file if they meet
|
||||
/// the given reporting criteria
|
||||
async fn spawn_file_reporter(mut report_channel: UnboundedReceiver<String>, output_file: &str) {
|
||||
async fn spawn_file_reporter(
|
||||
mut report_channel: UnboundedReceiver<FeroxResponse>,
|
||||
output_file: &str,
|
||||
) {
|
||||
let buffered_file = match get_cached_file_handle(&CONFIGURATION.output) {
|
||||
Some(file) => file,
|
||||
None => {
|
||||
@@ -157,47 +154,33 @@ async fn spawn_file_reporter(mut report_channel: UnboundedReceiver<String>, outp
|
||||
|
||||
log::info!("Writing scan results to {}", output_file);
|
||||
|
||||
while let Some(report) = report_channel.recv().await {
|
||||
safe_file_write(&report, buffered_file.clone());
|
||||
while let Some(response) = report_channel.recv().await {
|
||||
safe_file_write(&response, buffered_file.clone(), CONFIGURATION.json);
|
||||
}
|
||||
|
||||
log::trace!("exit: spawn_file_reporter");
|
||||
}
|
||||
|
||||
/// Given the path to a file, open the file in append mode (create it if it doesn't exist) and
|
||||
/// return a reference to the file that is buffered and locked
|
||||
fn open_file(filename: &str) -> Option<Arc<RwLock<io::BufWriter<fs::File>>>> {
|
||||
log::trace!("enter: open_file({})", filename);
|
||||
|
||||
match fs::OpenOptions::new() // std fs
|
||||
.create(true)
|
||||
.append(true)
|
||||
.open(filename)
|
||||
{
|
||||
Ok(file) => {
|
||||
let writer = io::BufWriter::new(file); // std io
|
||||
|
||||
let locked_file = Some(Arc::new(RwLock::new(writer)));
|
||||
|
||||
log::trace!("exit: open_file -> {:?}", locked_file);
|
||||
locked_file
|
||||
}
|
||||
Err(e) => {
|
||||
log::error!("{}", e);
|
||||
log::trace!("exit: open_file -> None");
|
||||
None
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/// Given a string and a reference to a locked buffered file, write the contents and flush
|
||||
/// the buffer to disk.
|
||||
pub fn safe_file_write(contents: &str, locked_file: Arc<RwLock<io::BufWriter<fs::File>>>) {
|
||||
pub fn safe_file_write<T>(
|
||||
value: &T,
|
||||
locked_file: Arc<RwLock<io::BufWriter<fs::File>>>,
|
||||
convert_to_json: bool,
|
||||
) where
|
||||
T: FeroxSerialize,
|
||||
{
|
||||
// note to future self: adding logging of anything other than error to this function
|
||||
// is a bad idea. we call this function while processing records generated by the logger.
|
||||
// If we then call log::... while already processing some logging output, it results in
|
||||
// the second log entry being injected into the first.
|
||||
|
||||
let contents = if convert_to_json {
|
||||
value.as_json()
|
||||
} else {
|
||||
value.as_str()
|
||||
};
|
||||
|
||||
let contents = strip_ansi_codes(&contents);
|
||||
|
||||
if let Ok(mut handle) = locked_file.write() {
|
||||
|
||||
@@ -66,7 +66,7 @@ impl FeroxScan {
|
||||
self.stop_progress_bar();
|
||||
|
||||
if let Some(_task) = &self.task {
|
||||
// task.abort(); todo uncomment once upgraded to tokio 0.3
|
||||
// task.abort(); todo uncomment once upgraded to tokio 0.3 (issue #107)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -271,8 +271,8 @@ impl FeroxScans {
|
||||
|
||||
let mut user_input = String::new();
|
||||
std::io::stdin().read_line(&mut user_input).unwrap();
|
||||
// todo actual logic for parsing user input in a way that allows for
|
||||
// calling .abort on the scan retrieved based on the input (issue #107)
|
||||
// todo (issue #107) actual logic for parsing user input in a way that allows for
|
||||
// calling .abort on the scan retrieved based on the input
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -91,7 +91,7 @@ fn spawn_recursion_handler(
|
||||
wordlist: Arc<HashSet<String>>,
|
||||
base_depth: usize,
|
||||
tx_term: UnboundedSender<FeroxResponse>,
|
||||
tx_file: UnboundedSender<String>,
|
||||
tx_file: UnboundedSender<FeroxResponse>,
|
||||
) -> BoxFuture<'static, Vec<JoinHandle<()>>> {
|
||||
log::trace!(
|
||||
"enter: spawn_recursion_handler({:?}, wordlist[{} words...], {}, {:?}, {:?})",
|
||||
@@ -466,7 +466,7 @@ pub async fn scan_url(
|
||||
wordlist: Arc<HashSet<String>>,
|
||||
base_depth: usize,
|
||||
tx_term: UnboundedSender<FeroxResponse>,
|
||||
tx_file: UnboundedSender<String>,
|
||||
tx_file: UnboundedSender<FeroxResponse>,
|
||||
) {
|
||||
log::trace!(
|
||||
"enter: scan_url({:?}, wordlist[{} words...], {}, {:?}, {:?})",
|
||||
@@ -516,7 +516,7 @@ pub async fn scan_url(
|
||||
|
||||
// Arc clones to be passed around to the various scans
|
||||
let wildcard_bar = progress_bar.clone();
|
||||
let heuristics_file_clone = tx_file.clone();
|
||||
let heuristics_term_clone = tx_term.clone();
|
||||
let recurser_term_clone = tx_term.clone();
|
||||
let recurser_file_clone = tx_file.clone();
|
||||
let recurser_words = wordlist.clone();
|
||||
@@ -535,7 +535,7 @@ pub async fn scan_url(
|
||||
|
||||
// add any wildcard filters to `FILTERS`
|
||||
let filter =
|
||||
match heuristics::wildcard_test(&target_url, wildcard_bar, heuristics_file_clone).await {
|
||||
match heuristics::wildcard_test(&target_url, wildcard_bar, heuristics_term_clone).await {
|
||||
Some(f) => Box::new(f),
|
||||
None => Box::new(WildcardFilter::default()),
|
||||
};
|
||||
|
||||
28
src/utils.rs
28
src/utils.rs
@@ -8,6 +8,34 @@ use reqwest::{Client, Response, Url};
|
||||
#[cfg(not(target_os = "windows"))]
|
||||
use rlimit::{getrlimit, setrlimit, Resource, Rlim};
|
||||
use std::convert::TryInto;
|
||||
use std::sync::{Arc, RwLock};
|
||||
use std::{fs, io};
|
||||
|
||||
/// Given the path to a file, open the file in append mode (create it if it doesn't exist) and
|
||||
/// return a reference to the file that is buffered and locked
|
||||
pub fn open_file(filename: &str) -> Option<Arc<RwLock<io::BufWriter<fs::File>>>> {
|
||||
log::trace!("enter: open_file({})", filename);
|
||||
|
||||
match fs::OpenOptions::new() // std fs
|
||||
.create(true)
|
||||
.append(true)
|
||||
.open(filename)
|
||||
{
|
||||
Ok(file) => {
|
||||
let writer = io::BufWriter::new(file); // std io
|
||||
|
||||
let locked_file = Some(Arc::new(RwLock::new(writer)));
|
||||
|
||||
log::trace!("exit: open_file -> {:?}", locked_file);
|
||||
locked_file
|
||||
}
|
||||
Err(e) => {
|
||||
log::error!("{}", e);
|
||||
log::trace!("exit: open_file -> None");
|
||||
None
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/// Helper function that determines the current depth of a given url
|
||||
///
|
||||
|
||||
@@ -701,3 +701,56 @@ fn banner_prints_filter_status() -> Result<(), Box<dyn std::error::Error>> {
|
||||
);
|
||||
Ok(())
|
||||
}
|
||||
|
||||
#[test]
|
||||
/// test allows non-existent wordlist to trigger the banner printing to stderr
|
||||
/// expect to see all mandatory prints + json
|
||||
fn banner_prints_json() {
|
||||
Command::cargo_bin("feroxbuster")
|
||||
.unwrap()
|
||||
.arg("--url")
|
||||
.arg("http://localhost")
|
||||
.arg("--json")
|
||||
.assert()
|
||||
.success()
|
||||
.stderr(
|
||||
predicate::str::contains("─┬─")
|
||||
.and(predicate::str::contains("Target Url"))
|
||||
.and(predicate::str::contains("http://localhost"))
|
||||
.and(predicate::str::contains("Threads"))
|
||||
.and(predicate::str::contains("Wordlist"))
|
||||
.and(predicate::str::contains("Status Codes"))
|
||||
.and(predicate::str::contains("Timeout (secs)"))
|
||||
.and(predicate::str::contains("User-Agent"))
|
||||
.and(predicate::str::contains("JSON Output"))
|
||||
.and(predicate::str::contains("│ true"))
|
||||
.and(predicate::str::contains("─┴─")),
|
||||
);
|
||||
}
|
||||
|
||||
#[test]
|
||||
/// test allows non-existent wordlist to trigger the banner printing to stderr
|
||||
/// expect to see all mandatory prints + json
|
||||
fn banner_prints_debug_log() {
|
||||
Command::cargo_bin("feroxbuster")
|
||||
.unwrap()
|
||||
.arg("--url")
|
||||
.arg("http://localhost")
|
||||
.arg("--debug-log")
|
||||
.arg("im-a-debug-log.hurr-durr")
|
||||
.assert()
|
||||
.success()
|
||||
.stderr(
|
||||
predicate::str::contains("─┬─")
|
||||
.and(predicate::str::contains("Target Url"))
|
||||
.and(predicate::str::contains("http://localhost"))
|
||||
.and(predicate::str::contains("Threads"))
|
||||
.and(predicate::str::contains("Wordlist"))
|
||||
.and(predicate::str::contains("Status Codes"))
|
||||
.and(predicate::str::contains("Timeout (secs)"))
|
||||
.and(predicate::str::contains("User-Agent"))
|
||||
.and(predicate::str::contains("Debugging Log"))
|
||||
.and(predicate::str::contains("│ im-a-debug-log.hurr-durr"))
|
||||
.and(predicate::str::contains("─┴─")),
|
||||
);
|
||||
}
|
||||
|
||||
@@ -131,10 +131,10 @@ fn extractor_finds_relative_url() -> Result<(), Box<dyn std::error::Error>> {
|
||||
#[test]
|
||||
/// send a request to a page that contains an relative link, follow it, and find the same link again
|
||||
/// should follow then filter
|
||||
fn extractor_finds_same_relative_url_twice() -> Result<(), Box<dyn std::error::Error>> {
|
||||
fn extractor_finds_same_relative_url_twice() {
|
||||
let srv = MockServer::start();
|
||||
let (tmp_dir, file) =
|
||||
setup_tmp_directory(&["LICENSE".to_string(), "README".to_string()], "wordlist")?;
|
||||
setup_tmp_directory(&["LICENSE".to_string(), "README".to_string()], "wordlist").unwrap();
|
||||
|
||||
let mock = Mock::new()
|
||||
.expect_method(GET)
|
||||
@@ -177,7 +177,6 @@ fn extractor_finds_same_relative_url_twice() -> Result<(), Box<dyn std::error::E
|
||||
assert_eq!(mock_two.times_called(), 1);
|
||||
assert_eq!(mock_three.times_called(), 1);
|
||||
teardown_tmp_directory(tmp_dir);
|
||||
Ok(())
|
||||
}
|
||||
|
||||
#[test]
|
||||
|
||||
@@ -44,11 +44,11 @@ fn filters_status_code_should_filter_response() {
|
||||
.not()
|
||||
.and(predicate::str::contains("302"))
|
||||
.not()
|
||||
.and(predicate::str::contains("14"))
|
||||
.and(predicate::str::contains("14c"))
|
||||
.not()
|
||||
.and(predicate::str::contains("/file.js"))
|
||||
.and(predicate::str::contains("200"))
|
||||
.and(predicate::str::contains("34")),
|
||||
.and(predicate::str::contains("34c")),
|
||||
);
|
||||
|
||||
assert_eq!(mock.times_called(), 1);
|
||||
|
||||
@@ -129,9 +129,9 @@ fn test_static_wildcard_request_found() -> Result<(), Box<dyn std::error::Error>
|
||||
|
||||
#[test]
|
||||
/// test finds a dynamic wildcard and reports as much to stdout and a file
|
||||
fn test_dynamic_wildcard_request_found() -> Result<(), Box<dyn std::error::Error>> {
|
||||
fn test_dynamic_wildcard_request_found() {
|
||||
let srv = MockServer::start();
|
||||
let (tmp_dir, file) = setup_tmp_directory(&["LICENSE".to_string()], "wordlist")?;
|
||||
let (tmp_dir, file) = setup_tmp_directory(&["LICENSE".to_string()], "wordlist").unwrap();
|
||||
let outfile = tmp_dir.path().join("outfile");
|
||||
|
||||
let mock = Mock::new()
|
||||
@@ -166,31 +166,19 @@ fn test_dynamic_wildcard_request_found() -> Result<(), Box<dyn std::error::Error
|
||||
assert_eq!(contents.contains("WLD"), true);
|
||||
assert_eq!(contents.contains("Got"), true);
|
||||
assert_eq!(contents.contains("200"), true);
|
||||
assert_eq!(contents.contains("auto-filtering"), true);
|
||||
assert_eq!(contents.contains("(url length: 32)"), true);
|
||||
assert_eq!(contents.contains("(url length: 96)"), true);
|
||||
assert_eq!(contents.contains("Wildcard response is dynamic"), true);
|
||||
assert_eq!(
|
||||
contents.contains("(14 + url length) responses; toggle this behavior by using"),
|
||||
true
|
||||
);
|
||||
|
||||
cmd.assert().success().stdout(
|
||||
predicate::str::contains("WLD")
|
||||
.and(predicate::str::contains("Got"))
|
||||
.and(predicate::str::contains("200"))
|
||||
.and(predicate::str::contains("(url length: 32)"))
|
||||
.and(predicate::str::contains("(url length: 96)"))
|
||||
.and(predicate::str::contains("Wildcard response is dynamic;"))
|
||||
.and(predicate::str::contains("auto-filtering"))
|
||||
.and(predicate::str::contains(
|
||||
"(14 + url length) responses; toggle this behavior by using",
|
||||
)),
|
||||
.and(predicate::str::contains("(url length: 96)")),
|
||||
);
|
||||
|
||||
assert_eq!(mock.times_called(), 1);
|
||||
assert_eq!(mock2.times_called(), 1);
|
||||
Ok(())
|
||||
}
|
||||
|
||||
#[test]
|
||||
@@ -223,9 +211,9 @@ fn heuristics_static_wildcard_request_with_dont_filter() -> Result<(), Box<dyn s
|
||||
|
||||
#[test]
|
||||
/// test finds a static wildcard and reports as much to stdout
|
||||
fn heuristics_wildcard_test_with_two_static_wildcards() -> Result<(), Box<dyn std::error::Error>> {
|
||||
fn heuristics_wildcard_test_with_two_static_wildcards() {
|
||||
let srv = MockServer::start();
|
||||
let (tmp_dir, file) = setup_tmp_directory(&["LICENSE".to_string()], "wordlist")?;
|
||||
let (tmp_dir, file) = setup_tmp_directory(&["LICENSE".to_string()], "wordlist").unwrap();
|
||||
|
||||
let mock = Mock::new()
|
||||
.expect_method(GET)
|
||||
@@ -265,7 +253,6 @@ fn heuristics_wildcard_test_with_two_static_wildcards() -> Result<(), Box<dyn st
|
||||
|
||||
assert_eq!(mock.times_called(), 1);
|
||||
assert_eq!(mock2.times_called(), 1);
|
||||
Ok(())
|
||||
}
|
||||
|
||||
#[test]
|
||||
@@ -310,10 +297,9 @@ fn heuristics_wildcard_test_with_two_static_wildcards_with_quiet_enabled(
|
||||
|
||||
#[test]
|
||||
/// test finds a static wildcard and reports as much to stdout and a file
|
||||
fn heuristics_wildcard_test_with_two_static_wildcards_and_output_to_file(
|
||||
) -> Result<(), Box<dyn std::error::Error>> {
|
||||
fn heuristics_wildcard_test_with_two_static_wildcards_and_output_to_file() {
|
||||
let srv = MockServer::start();
|
||||
let (tmp_dir, file) = setup_tmp_directory(&["LICENSE".to_string()], "wordlist")?;
|
||||
let (tmp_dir, file) = setup_tmp_directory(&["LICENSE".to_string()], "wordlist").unwrap();
|
||||
let outfile = tmp_dir.path().join("outfile");
|
||||
|
||||
let mock = Mock::new()
|
||||
@@ -350,10 +336,6 @@ fn heuristics_wildcard_test_with_two_static_wildcards_and_output_to_file(
|
||||
assert_eq!(contents.contains("200"), true);
|
||||
assert_eq!(contents.contains("(url length: 32)"), true);
|
||||
assert_eq!(contents.contains("(url length: 96)"), true);
|
||||
assert_eq!(
|
||||
contents.contains("Wildcard response is static; auto-filtering 46"),
|
||||
true
|
||||
);
|
||||
|
||||
cmd.assert().success().stdout(
|
||||
predicate::str::contains("WLD")
|
||||
@@ -368,8 +350,6 @@ fn heuristics_wildcard_test_with_two_static_wildcards_and_output_to_file(
|
||||
|
||||
assert_eq!(mock.times_called(), 1);
|
||||
assert_eq!(mock2.times_called(), 1);
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
#[test]
|
||||
|
||||
@@ -460,3 +460,84 @@ fn scanner_single_request_replayed_to_proxy() -> Result<(), Box<dyn std::error::
|
||||
teardown_tmp_directory(tmp_dir);
|
||||
Ok(())
|
||||
}
|
||||
|
||||
#[test]
|
||||
/// send a single valid request, get a response, and write the logging messages to disk
|
||||
fn scanner_single_request_scan_with_debug_logging() {
|
||||
let srv = MockServer::start();
|
||||
let (tmp_dir, file) = setup_tmp_directory(&["LICENSE".to_string()], "wordlist").unwrap();
|
||||
|
||||
let mock = Mock::new()
|
||||
.expect_method(GET)
|
||||
.expect_path("/LICENSE")
|
||||
.return_status(200)
|
||||
.return_body("this is a test")
|
||||
.create_on(&srv);
|
||||
|
||||
let outfile = tmp_dir.path().join("debug.log");
|
||||
|
||||
Command::cargo_bin("feroxbuster")
|
||||
.unwrap()
|
||||
.arg("--url")
|
||||
.arg(srv.url("/"))
|
||||
.arg("--wordlist")
|
||||
.arg(file.as_os_str())
|
||||
.arg("-vvvv")
|
||||
.arg("--debug-log")
|
||||
.arg(outfile.as_os_str())
|
||||
.unwrap();
|
||||
|
||||
let contents = std::fs::read_to_string(outfile).unwrap();
|
||||
println!("{}", contents);
|
||||
assert!(contents.starts_with("Configuration {"));
|
||||
assert!(contents.contains("TRC"));
|
||||
assert!(contents.contains("DBG"));
|
||||
assert!(contents.contains("INF"));
|
||||
assert!(contents.contains("feroxbuster All scans complete!"));
|
||||
assert!(contents.contains("feroxbuster exit: terminal_input_handler"));
|
||||
|
||||
assert_eq!(mock.times_called(), 1);
|
||||
teardown_tmp_directory(tmp_dir);
|
||||
}
|
||||
|
||||
#[test]
|
||||
/// send a single valid request, get a response, and write the logging messages to disk as NDJSON
|
||||
fn scanner_single_request_scan_with_debug_logging_as_json() {
|
||||
let srv = MockServer::start();
|
||||
let (tmp_dir, file) = setup_tmp_directory(&["LICENSE".to_string()], "wordlist").unwrap();
|
||||
|
||||
let mock = Mock::new()
|
||||
.expect_method(GET)
|
||||
.expect_path("/LICENSE")
|
||||
.return_status(200)
|
||||
.return_body("this is a test")
|
||||
.create_on(&srv);
|
||||
|
||||
let outfile = tmp_dir.path().join("debug.log");
|
||||
|
||||
Command::cargo_bin("feroxbuster")
|
||||
.unwrap()
|
||||
.arg("--url")
|
||||
.arg(srv.url("/"))
|
||||
.arg("--wordlist")
|
||||
.arg(file.as_os_str())
|
||||
.arg("-vvvv")
|
||||
.arg("--debug-log")
|
||||
.arg(outfile.as_os_str())
|
||||
.arg("--json")
|
||||
.unwrap();
|
||||
|
||||
let contents = std::fs::read_to_string(outfile).unwrap();
|
||||
println!("{}", contents);
|
||||
assert!(contents.starts_with("{\"type\":\"configuration\""));
|
||||
assert!(contents.contains("\"level\":\"TRACE\""));
|
||||
assert!(contents.contains("\"level\":\"DEBUG\""));
|
||||
assert!(contents.contains("\"level\":\"INFO\""));
|
||||
assert!(contents.contains("time_offset"));
|
||||
assert!(contents.contains("\"module\":\"feroxbuster::scanner\""));
|
||||
assert!(contents.contains("All scans complete!"));
|
||||
assert!(contents.contains("exit: terminal_input_handler"));
|
||||
|
||||
assert_eq!(mock.times_called(), 1);
|
||||
teardown_tmp_directory(tmp_dir);
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user