2020-12-28 20:00:07 +00:00
|
|
|
package http
|
|
|
|
|
|
|
|
import (
|
|
|
|
"bytes"
|
|
|
|
"compress/gzip"
|
2021-06-09 05:45:21 +00:00
|
|
|
"compress/zlib"
|
|
|
|
"io"
|
2020-12-28 20:00:07 +00:00
|
|
|
"io/ioutil"
|
|
|
|
"net/http"
|
|
|
|
"net/http/httputil"
|
|
|
|
"strings"
|
|
|
|
|
2021-11-09 00:30:30 +00:00
|
|
|
"github.com/pkg/errors"
|
2020-12-28 20:00:07 +00:00
|
|
|
"github.com/projectdiscovery/nuclei/v2/pkg/protocols/common/generators"
|
|
|
|
"github.com/projectdiscovery/rawhttp"
|
2021-10-15 16:17:00 +00:00
|
|
|
"github.com/projectdiscovery/stringsutil"
|
2021-09-10 15:41:13 +00:00
|
|
|
"golang.org/x/text/encoding/simplifiedchinese"
|
|
|
|
"golang.org/x/text/transform"
|
2020-12-28 20:00:07 +00:00
|
|
|
)
|
|
|
|
|
2021-11-09 00:30:30 +00:00
|
|
|
type redirectedResponse struct {
|
|
|
|
headers []byte
|
|
|
|
body []byte
|
|
|
|
fullResponse []byte
|
2021-11-09 12:25:42 +00:00
|
|
|
resp *http.Response
|
2021-11-09 00:30:30 +00:00
|
|
|
}
|
|
|
|
|
2021-02-06 22:04:07 +00:00
|
|
|
// dumpResponseWithRedirectChain dumps a http response with the
|
|
|
|
// complete http redirect chain.
|
|
|
|
//
|
|
|
|
// It preserves the order in which responses were given to requests
|
|
|
|
// and returns the data to the user for matching and viewing in that order.
|
2021-02-06 22:06:08 +00:00
|
|
|
//
|
|
|
|
// Inspired from - https://github.com/ffuf/ffuf/issues/324#issuecomment-719858923
|
2021-11-09 00:30:30 +00:00
|
|
|
func dumpResponseWithRedirectChain(resp *http.Response, body []byte) ([]redirectedResponse, error) {
|
|
|
|
var response []redirectedResponse
|
|
|
|
|
2021-02-06 22:04:07 +00:00
|
|
|
respData, err := httputil.DumpResponse(resp, false)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2021-11-09 00:30:30 +00:00
|
|
|
respObj := redirectedResponse{
|
|
|
|
headers: respData,
|
|
|
|
body: body,
|
2021-11-09 12:25:42 +00:00
|
|
|
resp: resp,
|
2021-11-09 00:30:30 +00:00
|
|
|
fullResponse: bytes.Join([][]byte{respData, body}, []byte{}),
|
|
|
|
}
|
2021-11-09 00:50:10 +00:00
|
|
|
if err := normalizeResponseBody(resp, &respObj); err != nil {
|
2021-11-09 00:30:30 +00:00
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
response = append(response, respObj)
|
2021-02-06 22:04:07 +00:00
|
|
|
|
2021-02-07 18:14:19 +00:00
|
|
|
var redirectResp *http.Response
|
2021-02-08 10:37:16 +00:00
|
|
|
if resp != nil && resp.Request != nil {
|
2021-02-07 18:14:19 +00:00
|
|
|
redirectResp = resp.Request.Response
|
|
|
|
}
|
2021-02-06 22:04:07 +00:00
|
|
|
for redirectResp != nil {
|
|
|
|
var body []byte
|
|
|
|
|
|
|
|
respData, err := httputil.DumpResponse(redirectResp, false)
|
|
|
|
if err != nil {
|
|
|
|
break
|
|
|
|
}
|
|
|
|
if redirectResp.Body != nil {
|
|
|
|
body, _ = ioutil.ReadAll(redirectResp.Body)
|
|
|
|
}
|
2021-11-09 00:30:30 +00:00
|
|
|
respObj := redirectedResponse{
|
|
|
|
headers: respData,
|
|
|
|
body: body,
|
2021-11-09 12:25:42 +00:00
|
|
|
resp: redirectResp,
|
2021-11-09 00:30:30 +00:00
|
|
|
fullResponse: bytes.Join([][]byte{respData, body}, []byte{}),
|
|
|
|
}
|
2021-11-09 00:50:10 +00:00
|
|
|
if err := normalizeResponseBody(redirectResp, &respObj); err != nil {
|
2021-11-09 00:30:30 +00:00
|
|
|
return nil, err
|
2021-02-06 22:04:07 +00:00
|
|
|
}
|
2021-11-09 00:30:30 +00:00
|
|
|
response = append(response, respObj)
|
2021-02-06 22:04:07 +00:00
|
|
|
redirectResp = redirectResp.Request.Response
|
|
|
|
}
|
2021-11-09 00:30:30 +00:00
|
|
|
return response, nil
|
2021-02-06 22:04:07 +00:00
|
|
|
}
|
|
|
|
|
2021-11-09 00:30:30 +00:00
|
|
|
// normalizeResponseBody performs normalization on the http response object.
|
2021-11-09 00:50:10 +00:00
|
|
|
func normalizeResponseBody(resp *http.Response, response *redirectedResponse) error {
|
2021-11-09 00:30:30 +00:00
|
|
|
var err error
|
|
|
|
// net/http doesn't automatically decompress the response body if an
|
|
|
|
// encoding has been specified by the user in the request so in case we have to
|
|
|
|
// manually do it.
|
|
|
|
dataOrig := response.body
|
|
|
|
response.body, err = handleDecompression(resp, response.body)
|
|
|
|
// in case of error use original data
|
|
|
|
if err != nil {
|
|
|
|
response.body = dataOrig
|
|
|
|
}
|
|
|
|
response.fullResponse = bytes.ReplaceAll(response.fullResponse, dataOrig, response.body)
|
2020-12-28 20:00:07 +00:00
|
|
|
|
2021-11-09 00:30:30 +00:00
|
|
|
// Decode gbk response content-types
|
|
|
|
// gb18030 supersedes gb2312
|
|
|
|
responseContentType := resp.Header.Get("Content-Type")
|
|
|
|
if isContentTypeGbk(responseContentType) {
|
|
|
|
response.fullResponse, err = decodegbk(response.fullResponse)
|
|
|
|
if err != nil {
|
|
|
|
return errors.Wrap(err, "could not gbk decode")
|
|
|
|
}
|
2020-12-28 20:00:07 +00:00
|
|
|
|
2021-11-09 00:30:30 +00:00
|
|
|
// the uncompressed body needs to be decoded to standard utf8
|
|
|
|
response.body, err = decodegbk(response.body)
|
|
|
|
if err != nil {
|
|
|
|
return errors.Wrap(err, "could not gbk decode")
|
2020-12-28 20:00:07 +00:00
|
|
|
}
|
|
|
|
}
|
2021-11-09 00:30:30 +00:00
|
|
|
return nil
|
2020-12-28 20:00:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// dump creates a dump of the http request in form of a byte slice
|
|
|
|
func dump(req *generatedRequest, reqURL string) ([]byte, error) {
|
|
|
|
if req.request != nil {
|
|
|
|
// Create a copy on the fly of the request body - ignore errors
|
|
|
|
bodyBytes, _ := req.request.BodyBytes()
|
|
|
|
req.request.Request.Body = ioutil.NopCloser(bytes.NewReader(bodyBytes))
|
2021-01-16 19:21:43 +00:00
|
|
|
return httputil.DumpRequestOut(req.request.Request, true)
|
2020-12-28 20:00:07 +00:00
|
|
|
}
|
2021-02-23 21:03:46 +00:00
|
|
|
return rawhttp.DumpRequestRaw(req.rawRequest.Method, reqURL, req.rawRequest.Path, generators.ExpandMapValues(req.rawRequest.Headers), ioutil.NopCloser(strings.NewReader(req.rawRequest.Data)), rawhttp.Options{CustomHeaders: req.rawRequest.UnsafeHeaders, CustomRawBytes: req.rawRequest.UnsafeRawBytes})
|
2020-12-28 20:00:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// handleDecompression if the user specified a custom encoding (as golang transport doesn't do this automatically)
|
2021-02-07 20:25:53 +00:00
|
|
|
func handleDecompression(resp *http.Response, bodyOrig []byte) (bodyDec []byte, err error) {
|
|
|
|
if resp == nil {
|
2020-12-28 20:00:07 +00:00
|
|
|
return bodyOrig, nil
|
|
|
|
}
|
|
|
|
|
2021-06-09 05:45:21 +00:00
|
|
|
var reader io.ReadCloser
|
|
|
|
switch resp.Header.Get("Content-Encoding") {
|
|
|
|
case "gzip":
|
2021-06-15 06:16:02 +00:00
|
|
|
reader, err = gzip.NewReader(bytes.NewReader(bodyOrig))
|
2021-06-09 05:45:21 +00:00
|
|
|
case "deflate":
|
2021-06-15 06:16:02 +00:00
|
|
|
reader, err = zlib.NewReader(bytes.NewReader(bodyOrig))
|
2021-06-09 05:45:21 +00:00
|
|
|
default:
|
2021-06-15 06:16:02 +00:00
|
|
|
return bodyOrig, nil
|
2021-06-09 05:45:21 +00:00
|
|
|
}
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
defer reader.Close()
|
2020-12-28 20:00:07 +00:00
|
|
|
|
2021-06-09 05:45:21 +00:00
|
|
|
bodyDec, err = ioutil.ReadAll(reader)
|
|
|
|
if err != nil {
|
|
|
|
return bodyOrig, err
|
2020-12-28 20:00:07 +00:00
|
|
|
}
|
2021-06-09 05:45:21 +00:00
|
|
|
return bodyDec, nil
|
2020-12-28 20:00:07 +00:00
|
|
|
}
|
2021-09-10 15:41:13 +00:00
|
|
|
|
|
|
|
// decodegbk converts GBK to UTF-8
|
|
|
|
func decodegbk(s []byte) ([]byte, error) {
|
|
|
|
I := bytes.NewReader(s)
|
|
|
|
O := transform.NewReader(I, simplifiedchinese.GBK.NewDecoder())
|
|
|
|
d, e := ioutil.ReadAll(O)
|
|
|
|
if e != nil {
|
|
|
|
return nil, e
|
|
|
|
}
|
|
|
|
return d, nil
|
|
|
|
}
|
2021-10-15 16:17:00 +00:00
|
|
|
|
|
|
|
// isContentTypeGbk checks if the content-type header is gbk
|
|
|
|
func isContentTypeGbk(contentType string) bool {
|
|
|
|
contentType = strings.ToLower(contentType)
|
|
|
|
return stringsutil.ContainsAny(contentType, "gbk", "gb2312", "gb18030")
|
|
|
|
}
|