├── README.md ├── bountyit.go ├── static ├── .gitkeep ├── logo.png └── run.PNG └── wordlist ├── .gitkeep ├── singnatures.txt └── vul_fuzz.txt /README.md: -------------------------------------------------------------------------------- 1 |


## What is BountyIt ?
A fuzzer written in Go for finding issues such as XSS, LFI, RCE and SSTI. It detects candidate issues through changes in response content length and verifies them using signatures.

## Help
```
-grep string
Specify custom grepping signatures. Ex -grep signatures.txt
-header string
Add any custom header if required. Ex: -header "Cookie: Session=12cbcx...."
-method string
Add method name if required. Ex: -method PUT. Default "GET" (default "GET")
-p string
Feed the list of payloads to fuzz. Ex: -p ~/wordlists/lfi.txt
-t int
Number of workers to use..default 40. Ex: -t 50 (default 40)
-verify
Only prints confirmed results. Ex -verify

```

## How to Install

```
$ go get -u -v github.com/shivangx01b/BountyIt
```
## Usage

- Note:
URLs must contain the keyword "FUZZ", for example
```
https://example.com/FUZZ
or
https://example.com/?query=FUZZ
```

Single URL
```plain
echo "https://example.com/FUZZ" | BountyIt
```
Multiple URLs
```plain
cat http_https.txt | BountyIt -t 70 -p payloads.txt -verify
```
Add another method if required
```plain
cat http_https.txt | BountyIt -t 70 -method "POST" -p payloads.txt -grep signatures.txt
```
Add header if required
```plain
cat http_https.txt | BountyIt -t 70 -header "Cookie: session=311x1211sx4..." -p payloads.txt -grep signatures.txt
```

- Note:
See the wordlist directory for signatures.txt and a basic fuzzing list for SSTI, RCE and LFI.
Make sure to add -verify, as potential issues produce false positives.
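## Screenshot
![1414](https://github.com/Shivangx01b/LfiMe/blob/main/static/run.PNG)

--------------------------------------------------------------------------------
/bountyit.go:
--------------------------------------------------------------------------------
package main

import (
	"bufio"
	"crypto/tls"
	"flag"
	"fmt"
	"io"
	"io/ioutil"
	"log"
	"net"
	"net/http"
	"os"
	"strings"
	"sync"
	"time"

	"github.com/fatih/color"
)

// Command-line options. They are written once by ParseArguments (or main)
// before any worker goroutine starts and are only read afterwards, so no
// locking is needed.
var (
	Threads int
	header  string
	method  string
	payload string
	verify  bool
	grep    string
	matcher string
)

// Signature and payload lists, filled once in main before the workers start.
var (
	payloads []string
	greps    []string
)

// maxBody caps how much of a response is read. Size comparison and signature
// matching only ever look at this prefix, so an unusually large response
// cannot exhaust the fuzzer's memory.
const maxBody = 10 << 20 // 10 MiB

// getClient builds the HTTP client used by one worker. Redirects are not
// followed so that the compared response is the one the payload itself
// produced. Certificate verification is disabled on purpose: test targets
// frequently use self-signed certificates; the trade-off is that the fuzzer's
// own traffic (including any -header credentials) can be intercepted without
// warning.
func getClient() *http.Client {
	tr := &http.Transport{
		MaxIdleConns:    30,
		IdleConnTimeout: time.Second,
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
		DialContext: (&net.Dialer{
			Timeout:   10 * time.Second,
			KeepAlive: time.Second,
		}).DialContext,
	}

	return &http.Client{
		Transport: tr,
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
		Timeout: 10 * time.Second,
	}
}

// parseHeaders splits the -header value into name/value pairs. Several
// headers may be given separated by a literal "\n" (backslash, n), e.g.
// "Cookie: a=b\nX-Api-Key: k". Entries without a colon or with an empty name
// are skipped; surrounding whitespace is trimmed from both parts.
func parseHeaders(header string) [][2]string {
	var out [][2]string
	for _, line := range strings.Split(strings.ReplaceAll(header, "\\n", "\n"), "\n") {
		// Header names cannot contain ':', so the first colon is the separator.
		parts := strings.SplitN(line, ":", 2)
		if len(parts) != 2 {
			continue
		}
		name := strings.TrimSpace(parts[0])
		if name == "" {
			continue
		}
		out = append(out, [2]string{name, strings.TrimSpace(parts[1])})
	}
	return out
}

// custom_header applies every header from the -header option to req. The
// Host header is special-cased because net/http sends req.Host, not a
// "Host" entry in req.Header.
func custom_header(req *http.Request, header string) {
	for _, kv := range parseHeaders(header) {
		if strings.EqualFold(kv[0], "Host") {
			req.Host = kv[1]
			continue
		}
		req.Header.Set(kv[0], kv[1])
	}
}

// base_request sends one request and returns the response size in bytes. The
// body text is returned only when matcher is "check" (the confirmation
// phase); otherwise it is "" to avoid a string copy per fuzz request. A
// non-nil error means the request could not be built, sent or read, and the
// size must not be used for comparison.
func base_request(c *http.Client, u string, method string, matcher string, header string) (int, string, error) {
	req, err := http.NewRequest(method, u, nil)
	if err != nil {
		return 0, "", fmt.Errorf("building request for %q: %v", u, err)
	}
	if header != "" {
		custom_header(req, header)
	}

	resp, err := c.Do(req)
	if err != nil {
		return 0, "", fmt.Errorf("requesting %q: %v", u, err)
	}
	defer resp.Body.Close()

	contents, err := ioutil.ReadAll(io.LimitReader(resp.Body, maxBody))
	if err != nil {
		return 0, "", fmt.Errorf("reading response from %q: %v", u, err)
	}
	if matcher == "check" {
		return len(contents), string(contents), nil
	}
	return len(contents), "", nil
}

// requester fuzzes one URL: it fetches the baseline (FUZZ left in place),
// then every payload, and records each URL whose response size differs from
// the baseline. Those candidates are fetched again and checked against the
// signature list; only a signature match is reported as a POC. A failed
// request is logged to stderr and skipped so that it can never masquerade as
// a size change. All state is local to the call, so workers do not share it.
func requester(c *http.Client, u string, method string, list []string, verify bool, matcher string, header string) {
	if !strings.Contains(u, "FUZZ") {
		log.Printf("[x] skipping %s: no FUZZ keyword in URL", u)
		return
	}

	baseSize, _, err := base_request(c, u, method, matcher, header)
	if err != nil {
		log.Printf("[x] baseline request skipped: %v", err)
		return
	}

	var confirm []string
	for _, test := range list {
		target := strings.Replace(u, "FUZZ", test, -1)
		size, _, err := base_request(c, target, method, matcher, header)
		if err != nil {
			log.Printf("[x] skipping %s: %v", target, err)
			continue
		}
		if size == baseSize {
			continue
		}
		if !verify {
			fmt.Printf("%v %s\n", color.RedString("[!] Potential vulnerability found at:..🛠"), target)
			fmt.Printf("%v\n", color.CyanString("[~] Storing for confirmation..✒"))
		}
		confirm = append(confirm, target)
	}

	if !verify {
		fmt.Printf("%v\n", color.YellowString("[>] Starting confirmation tests..🔍"))
	}
	for _, recheck := range confirm {
		_, checkbody, err := base_request(c, recheck, method, "check", header)
		if err != nil {
			log.Printf("[x] confirmation of %s failed: %v", recheck, err)
			continue
		}
		for _, query := range greps {
			if strings.Contains(checkbody, query) {
				fmt.Printf("%v %s\n", color.GreenString("[+] POC:..✨"), recheck)
				break // one POC line per URL is enough
			}
		}
	}
}

// readLines returns the non-empty lines of the file at path. Blank lines are
// dropped: an empty signature would match every response and an empty
// payload only repeats the baseline request.
func readLines(path string) ([]string, error) {
	file, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer file.Close()

	var lines []string
	scanner := bufio.NewScanner(file)
	for scanner.Scan() {
		if line := scanner.Text(); line != "" {
			lines = append(lines, line)
		}
	}
	if err := scanner.Err(); err != nil {
		return nil, fmt.Errorf("reading %q: %v", path, err)
	}
	return lines, nil
}

// grep_add loads the signature list from path into the package-level greps
// slice and returns it. With an empty path a small built-in set is used. An
// unreadable file is fatal because every later result depends on it.
func grep_add(path string) []string {
	if path == "" {
		greps = []string{"bount64yit", "[boot loader]", "[drivers]", "[Mail]", "About php.ini", "root:x:", "root:*"}
		return greps
	}
	lines, err := readLines(path)
	if err != nil {
		log.Fatal(err)
	}
	greps = lines
	return greps
}

// payloadlist loads the payload list from path into the package-level
// payloads slice and returns it. An unreadable file is fatal.
func payloadlist(path string) []string {
	lines, err := readLines(path)
	if err != nil {
		log.Fatal(err)
	}
	payloads = lines
	return payloads
}

// Banner prints the tool banner and version.
func Banner() {
	color.HiGreen(`
__________ __ .___ __
\______ \ ____ __ __ _____/ |_ ___.__. | |/ |_
| | _// _ \| | \/ \ __< | | | \ __\
| | ( <_> ) | / | \ | \___ | | || |
|______ /\____/|____/|___| /__| / ____| |___||__|
\/ \/ \/ v1.0
`)
	color.HiRed(" " + "Made with <3 by @shivangx01b")
}

// ParseArguments registers the command-line flags and parses os.Args.
func ParseArguments() {
	flag.IntVar(&Threads, "t", 40, "Number of workers to use..default 40. Ex: -t 50")
	flag.StringVar(&payload, "p", "", "Feed the list of payloads to fuzz. Ex: -p ~/wordlists/lfi.txt")
	flag.StringVar(&method, "method", "GET", "Add method name if required. Ex: -method PUT. Default \"GET\"")
	flag.StringVar(&header, "header", "", "Add any custom header if required. Ex: -header \"Cookie: Session=12cbcx....\"")
	flag.BoolVar(&verify, "verify", false, "Only prints confirmed results. Ex -verify ")
	flag.StringVar(&grep, "grep", "", "Specify custom grepping signatures. Ex -grep signatures.txt")
	flag.Parse()
}

// main reads target URLs from stdin (a pipe or a redirected file), starts
// Threads workers each with its own HTTP client, and waits for them to drain
// the queue.
func main() {
	ParseArguments()
	Banner()

	checkin, err := os.Stdin.Stat()
	if err != nil {
		log.Fatalf("stat stdin: %v", err)
	}
	// Accept both `cmd | BountyIt` and `BountyIt < urls.txt`; only an
	// interactive terminal is rejected.
	if checkin.Mode()&os.ModeCharDevice != 0 {
		color.HiRed("\n[!] Check: BountyIt -h for arguments")
		return
	}
	if payload == "" {
		color.HiRed("\n[!] Must give payload list")
		return
	}
	if Threads < 1 {
		// Zero workers would block forever on the first send; a negative
		// count would panic in WaitGroup.Add.
		Threads = 1
	}

	list := payloadlist(payload)
	grep_add(grep)
	matcher = "nocheck"

	urls := make(chan string, Threads)
	var wg sync.WaitGroup
	for i := 0; i < Threads; i++ {
		wg.Add(1)
		c := getClient()
		go func() {
			defer wg.Done()
			for u := range urls {
				requester(c, u, method, list, verify, matcher, header)
			}
		}()
	}

	sc := bufio.NewScanner(os.Stdin)
	for sc.Scan() {
		u := strings.TrimSpace(sc.Text())
		if u == "" {
			continue
		}
		urls <- u
	}
	close(urls)
	wg.Wait()
	if err := sc.Err(); err != nil {
		log.Printf("reading stdin: %v", err)
	}
}
--------------------------------------------------------------------------------
/static/.gitkeep:
--------------------------------------------------------------------------------


--------------------------------------------------------------------------------
/static/logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Shivangx01b/BountyIt/b765c17fd6314aa3f6a5145bb0d638e1d497c081/static/logo.png
--------------------------------------------------------------------------------
/static/run.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Shivangx01b/BountyIt/b765c17fd6314aa3f6a5145bb0d638e1d497c081/static/run.PNG
--------------------------------------------------------------------------------
/wordlist/.gitkeep:
--------------------------------------------------------------------------------
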
-------------------------------------------------------------------------------- /wordlist/singnatures.txt: -------------------------------------------------------------------------------- 1 | bount64yit 2 | uid= 3 | groups= 4 | Program Files 5 | Windows 6 | [boot loader] 7 | [drivers] 8 | [Mail] 9 | HTTP /1.1 10 | HTTP /1.0 11 | About php.ini 12 | root:x: 13 | root:* --------------------------------------------------------------------------------