From f7f9ad16285ee7c73f607798a54b1b7c43ae1b0d Mon Sep 17 00:00:00 2001
From: Roman Hergenreder
Date: Sun, 29 Oct 2023 17:22:24 +0100
Subject: [PATCH] bugfix, sni fuzzing preparation

---
 fileserver.py | 2 ++
 subdomainFuzz.sh | 22 +++++++++++++++++++---
 util.py | 9 +++++++++
 3 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/fileserver.py b/fileserver.py
index 27e1808..edd9cdc 100755
--- a/fileserver.py
+++ b/fileserver.py
@@ -254,6 +254,8 @@ class HttpFileServer(HTTPServer):
 protocol = "https" if type(self.socket) == ssl.SSLSocket else "http"
 if (int(port) == 80 and protocol == "http") or (int(port) == 443 and protocol == "https"):
 port = ""
+ else:
+ port = f":{port}"
 
 return f"{protocol}://{addr}{port}"
 
diff --git a/subdomainFuzz.sh b/subdomainFuzz.sh
index 10d500d..223579c 100755
--- a/subdomainFuzz.sh
+++ b/subdomainFuzz.sh
@@ -14,6 +14,7 @@ fi
 
 DOMAIN=$(echo $DOMAIN | sed -e 's|^[^/]*//||' -e 's|/.*$||')
 
+
 echo "[ ] Resolving IP-Address…"
 output=$(resolveip $DOMAIN 2>&1)
 status=$(echo $?)
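Review bot: The new `else` branch interpolates `port` exactly as it was passed, while the condition two lines above compares `int(port)`, so the URL carries whatever representation the caller supplied (e.g. a string with surrounding whitespace still satisfies `int()` but is embedded verbatim) and `int()` is evaluated twice. Normalize once before the check and branch on the int: `port = int(port)` followed by `port = "" if (port == 80 and protocol == "http") or (port == 443 and protocol == "https") else f":{port}"`. On the adjacent context line, `type(self.socket) == ssl.SSLSocket` is the E721 form; `isinstance(self.socket, ssl.SSLSocket)` is the idiom and also covers subclasses. The enclosing method begins outside the hunk, so its signature and the type of `port` cannot be confirmed from here.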
@@ -22,16 +23,31 @@ if ! [[ $status == 0 ]] ; then
 exit
 fi
 
+function sni () {
+ protocol=$1
+ sni=$2
+ if ! [[ "$sni" =~ ".*:[0-9]+" ]]; then
+ if [[ $protocol == "https" ]]; then
+ sni="$sni:443"
+ else
+ sni="$sni:80"
+ fi
+ fi
+
+ echo $sni
+}
+
 IP_ADDRESS=$(echo $output | head -n 1 | awk '{print $NF}')
 echo "[+] IP-Address: ${IP_ADDRESS}"
-
 echo "[ ] Retrieving default site…"
+rnd=$(uuidgen)
+sni=$(sni ${PROTOCOL} ${rnd}.${DOMAIN})
 charcountDomain=$(curl -s "${PROTOCOL}://${DOMAIN}" -k -m 5 | wc -m)
 charcountIpAddress=$(curl -s "${PROTOCOL}://${IP_ADDRESS}" -k -m 5 | wc -m)
-charcountNonExistent=$(curl -s "${PROTOCOL}://$(uuidgen).${DOMAIN}" -k -m 5 | wc -m)
+charcountNonExistent=$(curl -s "${PROTOCOL}://${rnd}.${DOMAIN}" --resolve "${sni}:${IP_ADDRESS}" -k -m 5 | wc -m)
 echo "[+] Chars: ${charcountDomain}, ${charcountIpAddress}, ${charcountNonExistent}"
 
 echo "[ ] Fuzzing…"
 (set -x; ffuf --fs ${charcountDomain},${charcountIpAddress},${charcountNonExistent} --fc 400 --mc all \
 -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt \
- -u "${PROTOCOL}://${IP_ADDRESS}" -H "Host: FUZZ.${DOMAIN}" "${@:2}")
+ -u "${PROTOCOL}://${DOMAIN}" -H "Host: FUZZ.${DOMAIN}" "${@:2}")
\ No newline at end of file
diff --git a/util.py b/util.py
index 80b137f..1db387c 100755
--- a/util.py
+++ b/util.py
@@ -266,8 +266,17 @@ def xor(a, b):
 return b"".join([bytes([c1 ^ c2]) for (c1,c2) in zip(a, b) ])
 
 def base64urldecode(data):
+ if isinstance(data, str):
+ data = data.encode()
+
 return base64.urlsafe_b64decode(data + b'=' * (4 - len(data) % 4))
 
+def base64urlencode(data):
+ if isinstance(data, str):
+ data = data.encode()
+
+ return base64.urlsafe_b64encode(data)
+
 def set_exif_data(payload="", _in=None, _out=None, exif_tag=None, _format=None):
 import exif
 from PIL import Image
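Review bot: The right-hand side of `=~` in the new `sni` function is quoted, so bash matches the literal string `.*:[0-9]+` instead of a regex; the test never succeeds and a port is appended unconditionally. `DOMAIN` keeps any `:port` after the scheme/path strip in the earlier hunk, so `${rnd}.${DOMAIN}` can already carry one and the `--resolve` argument would then become `host:port:443:ip`, which curl rejects. Use an unquoted, anchored pattern: `if ! [[ "$sni" =~ :[0-9]+$ ]]; then`. The two assignments also create globals named `protocol` and `sni`, the latter sharing its name with the function; `local protocol=$1` and `local sni=$2` keep them scoped, and the result should be printed as `echo "$sni"`. The baseline for the non-existent host is now measured against `${IP_ADDRESS}` via `--resolve` while the ffuf target on the last line switched to `${DOMAIN}` through ordinary DNS, so the filtered sizes may not correspond if the two resolve differently; if this split is deliberate preparation, a one-line comment saying so would help.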
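Review bot: `base64urlencode` returns the padded output of `urlsafe_b64encode`, while `base64urldecode` directly above re-adds `=` padding before decoding, which suggests the values exchanged are the unpadded base64url form; if that is the convention, the encoder should strip it, `return base64.urlsafe_b64encode(data).rstrip(b"=")`, otherwise the pair implements two different conventions. Both helpers silently `.encode()` a `str` as UTF-8, which is reasonable but deserves a one-line docstring on each, e.g. `"""Encode bytes (or a UTF-8 str) as URL-safe base64."""` and `"""Decode URL-safe base64 (bytes or str), tolerating missing padding."""`. On the adjacent unchanged line, `(4 - len(data) % 4)` appends four `=` when the length is already a multiple of four; the default non-strict decoder accepts that, but `(-len(data) % 4)` yields the exact amount and avoids relying on it.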