mirror of https://github.com/daffainfo/nuclei.git
420 lines
17 KiB
Go
420 lines
17 KiB
Go
package ssl
|
|
|
|
import (
|
|
"fmt"
|
|
"net"
|
|
"time"
|
|
|
|
"github.com/fatih/structs"
|
|
jsoniter "github.com/json-iterator/go"
|
|
"github.com/pkg/errors"
|
|
|
|
"github.com/projectdiscovery/fastdialer/fastdialer"
|
|
"github.com/projectdiscovery/gologger"
|
|
"github.com/projectdiscovery/nuclei/v3/pkg/model"
|
|
"github.com/projectdiscovery/nuclei/v3/pkg/operators"
|
|
"github.com/projectdiscovery/nuclei/v3/pkg/operators/extractors"
|
|
"github.com/projectdiscovery/nuclei/v3/pkg/operators/matchers"
|
|
"github.com/projectdiscovery/nuclei/v3/pkg/output"
|
|
"github.com/projectdiscovery/nuclei/v3/pkg/protocols"
|
|
"github.com/projectdiscovery/nuclei/v3/pkg/protocols/common/contextargs"
|
|
"github.com/projectdiscovery/nuclei/v3/pkg/protocols/common/expressions"
|
|
"github.com/projectdiscovery/nuclei/v3/pkg/protocols/common/generators"
|
|
"github.com/projectdiscovery/nuclei/v3/pkg/protocols/common/helpers/eventcreator"
|
|
"github.com/projectdiscovery/nuclei/v3/pkg/protocols/common/helpers/responsehighlighter"
|
|
"github.com/projectdiscovery/nuclei/v3/pkg/protocols/common/utils/vardump"
|
|
"github.com/projectdiscovery/nuclei/v3/pkg/protocols/network/networkclientpool"
|
|
protocolutils "github.com/projectdiscovery/nuclei/v3/pkg/protocols/utils"
|
|
templateTypes "github.com/projectdiscovery/nuclei/v3/pkg/templates/types"
|
|
"github.com/projectdiscovery/nuclei/v3/pkg/types"
|
|
"github.com/projectdiscovery/tlsx/pkg/tlsx"
|
|
"github.com/projectdiscovery/tlsx/pkg/tlsx/clients"
|
|
"github.com/projectdiscovery/tlsx/pkg/tlsx/openssl"
|
|
errorutil "github.com/projectdiscovery/utils/errors"
|
|
stringsutil "github.com/projectdiscovery/utils/strings"
|
|
urlutil "github.com/projectdiscovery/utils/url"
|
|
)
|
|
|
|
// Request is a request for the SSL protocol
|
|
type Request struct {
|
|
// Operators for the current request go here.
|
|
operators.Operators `yaml:",inline,omitempty" json:",inline,omitempty"`
|
|
CompiledOperators *operators.Operators `yaml:"-" json:"-"`
|
|
|
|
// ID is the optional id of the request
|
|
ID string `yaml:"id,omitempty" json:"id,omitempty" jsonschema:"title=id of the request,description=ID of the request"`
|
|
|
|
// description: |
|
|
// Address contains address for the request
|
|
Address string `yaml:"address,omitempty" json:"address,omitempty" jsonschema:"title=address for the ssl request,description=Address contains address for the request"`
|
|
// description: |
|
|
// Minimum tls version - auto if not specified.
|
|
// values:
|
|
// - "sslv3"
|
|
// - "tls10"
|
|
// - "tls11"
|
|
// - "tls12"
|
|
// - "tls13"
|
|
MinVersion string `yaml:"min_version,omitempty" json:"min_version,omitempty" jsonschema:"title=Min. TLS version,description=Minimum tls version - automatic if not specified.,enum=sslv3,enum=tls10,enum=tls11,enum=tls12,enum=tls13"`
|
|
// description: |
|
|
// Max tls version - auto if not specified.
|
|
// values:
|
|
// - "sslv3"
|
|
// - "tls10"
|
|
// - "tls11"
|
|
// - "tls12"
|
|
// - "tls13"
|
|
MaxVersion string `yaml:"max_version,omitempty" json:"max_version,omitempty" jsonschema:"title=Max. TLS version,description=Max tls version - automatic if not specified.,enum=sslv3,enum=tls10,enum=tls11,enum=tls12,enum=tls13"`
|
|
// description: |
|
|
// Client Cipher Suites - auto if not specified.
|
|
CipherSuites []string `yaml:"cipher_suites,omitempty" json:"cipher_suites,omitempty"`
|
|
// description: |
|
|
// Tls Scan Mode - auto if not specified
|
|
// values:
|
|
// - "ctls"
|
|
// - "ztls"
|
|
// - "auto"
|
|
// - "openssl" # reverts to "auto" is openssl is not installed
|
|
ScanMode string `yaml:"scan_mode,omitempty" json:"scan_mode,omitempty" jsonschema:"title=Scan Mode,description=Scan Mode - auto if not specified.,enum=ctls,enum=ztls,enum=auto"`
|
|
// description: |
|
|
// TLS Versions Enum - false if not specified
|
|
// Enumerates supported TLS versions
|
|
TLSVersionsEnum bool `yaml:"tls_version_enum,omitempty" json:"tls_version_enum,omitempty" jsonschema:"title=Enumerate Versions,description=Enumerate Version - false if not specified"`
|
|
// description: |
|
|
// TLS Ciphers Enum - false if not specified
|
|
// Enumerates supported TLS ciphers
|
|
TLSCiphersEnum bool `yaml:"tls_cipher_enum,omitempty" json:"tls_cipher_enum,omitempty" jsonschema:"title=Enumerate Ciphers,description=Enumerate Ciphers - false if not specified"`
|
|
// description: |
|
|
// TLS Cipher types to enumerate
|
|
// values:
|
|
// - "insecure" (default)
|
|
// - "weak"
|
|
// - "secure"
|
|
// - "all"
|
|
TLSCipherTypes []string `yaml:"tls_cipher_types,omitempty" json:"tls_cipher_types,omitempty" jsonschema:"title=TLS Cipher Types,description=TLS Cipher Types to enumerate,enum=weak,enum=secure,enum=insecure,enum=all"`
|
|
|
|
// cache any variables that may be needed for operation.
|
|
dialer *fastdialer.Dialer
|
|
tlsx *tlsx.Service
|
|
options *protocols.ExecutorOptions
|
|
}
|
|
|
|
// CanCluster returns true if the request can be clustered.
|
|
func (request *Request) CanCluster(other *Request) bool {
|
|
if len(request.CipherSuites) > 0 || request.MinVersion != "" || request.MaxVersion != "" {
|
|
return false
|
|
}
|
|
if request.Address != other.Address || request.ScanMode != other.ScanMode {
|
|
return false
|
|
}
|
|
return true
|
|
}
|
|
|
|
// Compile compiles the request generators preparing any requests possible.
|
|
func (request *Request) Compile(options *protocols.ExecutorOptions) error {
|
|
request.options = options
|
|
|
|
client, err := networkclientpool.Get(options.Options, &networkclientpool.Configuration{})
|
|
if err != nil {
|
|
return errorutil.NewWithTag("ssl", "could not get network client").Wrap(err)
|
|
}
|
|
request.dialer = client
|
|
switch {
|
|
//validate scanmode
|
|
case request.ScanMode == "":
|
|
request.ScanMode = "auto"
|
|
|
|
case !stringsutil.EqualFoldAny(request.ScanMode, "auto", "openssl", "ztls", "ctls"):
|
|
return errorutil.NewWithTag(request.TemplateID, "template %v does not contain valid scan-mode", request.TemplateID)
|
|
|
|
case request.ScanMode == "openssl" && !openssl.IsAvailable():
|
|
// if openssl is not installed instead of failing "auto" scanmode is used
|
|
request.ScanMode = "auto"
|
|
}
|
|
if request.TLSCiphersEnum {
|
|
// cipher enumeration requires tls version enumeration first
|
|
request.TLSVersionsEnum = true
|
|
}
|
|
if request.TLSCiphersEnum && len(request.TLSCipherTypes) == 0 {
|
|
// by default only look for insecure ciphers
|
|
request.TLSCipherTypes = []string{"insecure"}
|
|
}
|
|
|
|
tlsxOptions := &clients.Options{
|
|
AllCiphers: true,
|
|
ScanMode: request.ScanMode,
|
|
Expired: true,
|
|
SelfSigned: true,
|
|
Revoked: true,
|
|
MisMatched: true,
|
|
MinVersion: request.MinVersion,
|
|
MaxVersion: request.MaxVersion,
|
|
Ciphers: request.CipherSuites,
|
|
WildcardCertCheck: true,
|
|
Retries: request.options.Options.Retries,
|
|
Timeout: request.options.Options.Timeout,
|
|
Fastdialer: client,
|
|
ClientHello: true,
|
|
ServerHello: true,
|
|
DisplayDns: true,
|
|
TlsVersionsEnum: request.TLSVersionsEnum,
|
|
TlsCiphersEnum: request.TLSCiphersEnum,
|
|
TLsCipherLevel: request.TLSCipherTypes,
|
|
}
|
|
|
|
tlsxService, err := tlsx.New(tlsxOptions)
|
|
if err != nil {
|
|
return errorutil.NewWithTag(request.TemplateID, "could not create tlsx service")
|
|
}
|
|
request.tlsx = tlsxService
|
|
|
|
if len(request.Matchers) > 0 || len(request.Extractors) > 0 {
|
|
compiled := &request.Operators
|
|
compiled.ExcludeMatchers = options.ExcludeMatchers
|
|
compiled.TemplateID = options.TemplateID
|
|
if err := compiled.Compile(); err != nil {
|
|
return errorutil.NewWithTag(request.TemplateID, "could not compile operators got %v", err)
|
|
}
|
|
request.CompiledOperators = compiled
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// Options returns executer options for http request
|
|
func (r *Request) Options() *protocols.ExecutorOptions {
|
|
return r.options
|
|
}
|
|
|
|
// Requests returns the total number of requests the rule will perform
|
|
func (request *Request) Requests() int {
|
|
return 1
|
|
}
|
|
|
|
// GetID returns the ID for the request if any.
|
|
func (request *Request) GetID() string {
|
|
return ""
|
|
}
|
|
|
|
// ExecuteWithResults executes the protocol requests and returns results instead of writing them.
|
|
func (request *Request) ExecuteWithResults(input *contextargs.Context, dynamicValues, previous output.InternalEvent, callback protocols.OutputEventCallback) error {
|
|
hostPort, err := getAddress(input.MetaInput.Input)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
hostname, port, _ := net.SplitHostPort(hostPort)
|
|
|
|
requestOptions := request.options
|
|
payloadValues := generators.BuildPayloadFromOptions(request.options.Options)
|
|
for k, v := range dynamicValues {
|
|
payloadValues[k] = v
|
|
}
|
|
|
|
payloadValues["Hostname"] = hostPort
|
|
payloadValues["Host"] = hostname
|
|
payloadValues["Port"] = port
|
|
|
|
hostnameVariables := protocolutils.GenerateDNSVariables(hostname)
|
|
// add template context variables to varMap
|
|
values := generators.MergeMaps(payloadValues, hostnameVariables, request.options.GetTemplateCtx(input.MetaInput).GetAll())
|
|
variablesMap := request.options.Variables.Evaluate(values)
|
|
payloadValues = generators.MergeMaps(variablesMap, payloadValues, request.options.Constants)
|
|
|
|
if vardump.EnableVarDump {
|
|
gologger.Debug().Msgf("SSL Protocol request variables: \n%s\n", vardump.DumpVariables(payloadValues))
|
|
}
|
|
|
|
finalAddress, dataErr := expressions.EvaluateByte([]byte(request.Address), payloadValues)
|
|
if dataErr != nil {
|
|
requestOptions.Output.Request(requestOptions.TemplateID, input.MetaInput.Input, request.Type().String(), dataErr)
|
|
requestOptions.Progress.IncrementFailedRequestsBy(1)
|
|
return errors.Wrap(dataErr, "could not evaluate template expressions")
|
|
}
|
|
addressToDial := string(finalAddress)
|
|
host, port, err := net.SplitHostPort(addressToDial)
|
|
if err != nil {
|
|
return errorutil.NewWithErr(err).Msgf("could not split input host port")
|
|
}
|
|
|
|
var hostIp string
|
|
if input.MetaInput.CustomIP != "" {
|
|
hostIp = input.MetaInput.CustomIP
|
|
} else {
|
|
hostIp = host
|
|
}
|
|
|
|
response, err := request.tlsx.Connect(host, hostIp, port)
|
|
if err != nil {
|
|
requestOptions.Output.Request(requestOptions.TemplateID, input.MetaInput.Input, request.Type().String(), err)
|
|
requestOptions.Progress.IncrementFailedRequestsBy(1)
|
|
return errorutil.NewWithTag(request.TemplateID, "could not connect to server").Wrap(err)
|
|
}
|
|
|
|
requestOptions.Output.Request(requestOptions.TemplateID, hostPort, request.Type().String(), err)
|
|
gologger.Verbose().Msgf("[%s] Sent SSL request to %s", request.options.TemplateID, hostPort)
|
|
|
|
if requestOptions.Options.Debug || requestOptions.Options.DebugRequests || requestOptions.Options.StoreResponse {
|
|
msg := fmt.Sprintf("[%s] Dumped SSL request for %s", requestOptions.TemplateID, input.MetaInput.Input)
|
|
if requestOptions.Options.Debug || requestOptions.Options.DebugRequests {
|
|
gologger.Debug().Str("address", input.MetaInput.Input).Msg(msg)
|
|
}
|
|
if requestOptions.Options.StoreResponse {
|
|
request.options.Output.WriteStoreDebugData(input.MetaInput.Input, request.options.TemplateID, request.Type().String(), msg)
|
|
}
|
|
}
|
|
|
|
jsonData, _ := jsoniter.Marshal(response)
|
|
jsonDataString := string(jsonData)
|
|
|
|
data := make(map[string]interface{})
|
|
for k, v := range payloadValues {
|
|
data[k] = v
|
|
}
|
|
data["type"] = request.Type().String()
|
|
data["response"] = jsonDataString
|
|
data["host"] = input.MetaInput.Input
|
|
data["matched"] = addressToDial
|
|
if input.MetaInput.CustomIP != "" {
|
|
data["ip"] = hostIp
|
|
} else {
|
|
data["ip"] = request.dialer.GetDialedIP(hostname)
|
|
}
|
|
data["template-path"] = requestOptions.TemplatePath
|
|
data["template-id"] = requestOptions.TemplateID
|
|
data["template-info"] = requestOptions.TemplateInfo
|
|
|
|
// if response is not struct compatible, error out
|
|
if !structs.IsStruct(response) {
|
|
return errorutil.NewWithTag("ssl", "response cannot be parsed into a struct: %v", response)
|
|
}
|
|
|
|
// Convert response to key value pairs and first cert chain item as well
|
|
responseParsed := structs.New(response)
|
|
for _, f := range responseParsed.Fields() {
|
|
if !f.IsExported() {
|
|
// if field is not exported f.IsZero() , f.Value() will panic
|
|
continue
|
|
}
|
|
tag := protocolutils.CleanStructFieldJSONTag(f.Tag("json"))
|
|
if tag == "" || f.IsZero() {
|
|
continue
|
|
}
|
|
request.options.AddTemplateVar(input.MetaInput, request.Type(), request.ID, tag, f.Value())
|
|
data[tag] = f.Value()
|
|
}
|
|
|
|
// if certificate response is not struct compatible, error out
|
|
if !structs.IsStruct(response.CertificateResponse) {
|
|
return errorutil.NewWithTag("ssl", "certificate response cannot be parsed into a struct: %v", response.CertificateResponse)
|
|
}
|
|
|
|
responseParsed = structs.New(response.CertificateResponse)
|
|
for _, f := range responseParsed.Fields() {
|
|
if !f.IsExported() {
|
|
// if field is not exported f.IsZero() , f.Value() will panic
|
|
continue
|
|
}
|
|
tag := protocolutils.CleanStructFieldJSONTag(f.Tag("json"))
|
|
if tag == "" || f.IsZero() {
|
|
continue
|
|
}
|
|
request.options.AddTemplateVar(input.MetaInput, request.Type(), request.ID, tag, f.Value())
|
|
data[tag] = f.Value()
|
|
}
|
|
|
|
// add response fields ^ to template context and merge templatectx variables to output event
|
|
data = generators.MergeMaps(data, request.options.GetTemplateCtx(input.MetaInput).GetAll())
|
|
event := eventcreator.CreateEvent(request, data, requestOptions.Options.Debug || requestOptions.Options.DebugResponse)
|
|
if requestOptions.Options.Debug || requestOptions.Options.DebugResponse || requestOptions.Options.StoreResponse {
|
|
msg := fmt.Sprintf("[%s] Dumped SSL response for %s", requestOptions.TemplateID, input.MetaInput.Input)
|
|
if requestOptions.Options.Debug || requestOptions.Options.DebugResponse {
|
|
gologger.Debug().Msg(msg)
|
|
gologger.Print().Msgf("%s", responsehighlighter.Highlight(event.OperatorsResult, jsonDataString, requestOptions.Options.NoColor, false))
|
|
}
|
|
if requestOptions.Options.StoreResponse {
|
|
request.options.Output.WriteStoreDebugData(input.MetaInput.Input, request.options.TemplateID, request.Type().String(), fmt.Sprintf("%s\n%s", msg, jsonDataString))
|
|
}
|
|
}
|
|
callback(event)
|
|
return nil
|
|
}
|
|
|
|
// RequestPartDefinitions contains a mapping of request part definitions and their
|
|
// description. Multiple definitions are separated by commas.
|
|
// Definitions not having a name (generated on runtime) are prefixed & suffixed by <>.
|
|
var RequestPartDefinitions = map[string]string{
|
|
"type": "Type is the type of request made",
|
|
"response": "JSON SSL protocol handshake details",
|
|
"not_after": "Timestamp after which the remote cert expires",
|
|
"host": "Host is the input to the template",
|
|
"matched": "Matched is the input which was matched upon",
|
|
}
|
|
|
|
// getAddress returns the address of the host to make request to
|
|
func getAddress(toTest string) (string, error) {
|
|
urlx, err := urlutil.Parse(toTest)
|
|
if err != nil {
|
|
// use given input instead of url parsing failure
|
|
return toTest, nil
|
|
}
|
|
if urlx.Port() == "" {
|
|
urlx.UpdatePort("443")
|
|
}
|
|
return urlx.Host, nil
|
|
}
|
|
|
|
// Match performs matching operation for a matcher on model and returns:
|
|
// true and a list of matched snippets if the matcher type is supports it
|
|
// otherwise false and an empty string slice
|
|
func (request *Request) Match(data map[string]interface{}, matcher *matchers.Matcher) (bool, []string) {
|
|
return protocols.MakeDefaultMatchFunc(data, matcher)
|
|
}
|
|
|
|
// Extract performs extracting operation for an extractor on model and returns true or false.
|
|
func (request *Request) Extract(data map[string]interface{}, matcher *extractors.Extractor) map[string]struct{} {
|
|
return protocols.MakeDefaultExtractFunc(data, matcher)
|
|
}
|
|
|
|
// MakeResultEvent creates a result event from internal wrapped event
|
|
func (request *Request) MakeResultEvent(wrapped *output.InternalWrappedEvent) []*output.ResultEvent {
|
|
return protocols.MakeDefaultResultEvent(request, wrapped)
|
|
}
|
|
|
|
// GetCompiledOperators returns a list of the compiled operators
|
|
func (request *Request) GetCompiledOperators() []*operators.Operators {
|
|
return []*operators.Operators{request.CompiledOperators}
|
|
}
|
|
|
|
// Type returns the type of the protocol request
|
|
func (request *Request) Type() templateTypes.ProtocolType {
|
|
return templateTypes.SSLProtocol
|
|
}
|
|
|
|
func (request *Request) MakeResultEventItem(wrapped *output.InternalWrappedEvent) *output.ResultEvent {
|
|
fields := protocolutils.GetJsonFieldsFromURL(types.ToString(wrapped.InternalEvent["host"]))
|
|
if types.ToString(wrapped.InternalEvent["ip"]) != "" {
|
|
fields.Ip = types.ToString(wrapped.InternalEvent["ip"])
|
|
}
|
|
// in case scheme is not specified , we only connect to port 443 unless custom https port was specified
|
|
// like 8443 etc
|
|
if fields.Port == "80" {
|
|
fields.Port = "443"
|
|
}
|
|
data := &output.ResultEvent{
|
|
TemplateID: types.ToString(wrapped.InternalEvent["template-id"]),
|
|
TemplatePath: types.ToString(wrapped.InternalEvent["template-path"]),
|
|
Info: wrapped.InternalEvent["template-info"].(model.Info),
|
|
Type: types.ToString(wrapped.InternalEvent["type"]),
|
|
Host: fields.Host,
|
|
Port: fields.Port,
|
|
Matched: types.ToString(wrapped.InternalEvent["matched"]),
|
|
Metadata: wrapped.OperatorsResult.PayloadValues,
|
|
ExtractedResults: wrapped.OperatorsResult.OutputExtracts,
|
|
Timestamp: time.Now(),
|
|
MatcherStatus: true,
|
|
IP: fields.Ip,
|
|
TemplateEncoded: request.options.EncodeTemplate(),
|
|
Error: types.ToString(wrapped.InternalEvent["error"]),
|
|
}
|
|
return data
|
|
}
|