From 7335c312275df41c9a1294fd2ef3bb280a6b9ee4 Mon Sep 17 00:00:00 2001
From: Christian Mehlmauer <105281+firefart@users.noreply.github.com>
Date: Sat, 9 Mar 2024 17:25:23 +0100
Subject: [PATCH] add warning for #317
---
 cli/vhost/vhost.go | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/cli/vhost/vhost.go b/cli/vhost/vhost.go
index f6341bf..3b0940a 100644
--- a/cli/vhost/vhost.go
+++ b/cli/vhost/vhost.go
@@ -2,6 +2,7 @@ package vhost
 import (
 "fmt"
+ "strings"
 internalcli "github.com/OJ/gobuster/v3/cli"
 "github.com/OJ/gobuster/v3/gobustervhost"
@@ -28,6 +29,7 @@ func getFlags() []cli.Flag {
 &cli.StringFlag{Name: "exclude-length", Aliases: []string{"xl"}, Usage: "exclude the following content lengths. You can separate multiple lengths by comma and it also supports ranges like 203-206"},
 &cli.StringFlag{Name: "exclude-status", Aliases: []string{"xs"}, Usage: "exclude the following status codes. Can also handle ranges like 200,300-400,404.", Value: ""},
 &cli.StringFlag{Name: "domain", Aliases: []string{"do"}, Usage: "the domain to append when using an IP address as URL. If left empty and you specify a domain based URL the hostname from the URL is extracted"},
+ &cli.BoolFlag{Name: "force", Value: false, Usage: "Force execution even when result is not guaranteed."},
 }...)
 return flags
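Review bot: The usage text of the new `force` flag in getFlags does not say which check it overrides, so a user reading `--help` cannot tell when it is needed or what they give up by setting it. It also starts with a capital letter while the neighbouring usage strings start lower-case. Something like `Usage: "continue even when an http proxy is combined with a plain http url and the results may be unreliable"` would name the condition. getFlags begins outside this hunk, so other flags were not checked for the same wording.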
@@ -64,6 +66,13 @@ func run(c *cli.Context) error {
 return err
 }
+ force := c.Bool("force")
+ if !force &&
+ (strings.HasPrefix(pluginOpts.Proxy, "http://") || strings.HasPrefix(pluginOpts.Proxy, "https://")) &&
+ strings.HasPrefix(pluginOpts.URL, "http://") {
+ return fmt.Errorf("VHOST mode does not work with a http proxy when using plain text http urls as golang strictly adheres to the http standard. This results in always sending the requests to the IP of the VHOST domain instead of the specified target. See https://github.com/golang/go/issues/30775 for example. You need to either disable the proxy, use a https based url or use the --force switch to continue. When using --force you may need to do some rewrites in your proxy to get the expected result.")
+ }
+
 log := libgobuster.NewLogger(globalOpts.Debug)
 plugin, err := gobustervhost.New(&globalOpts, pluginOpts, log)
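Review bot: The guard in run compares schemes with case-sensitive `strings.HasPrefix`, but URL schemes are case-insensitive, so a value such as `HTTP://...` for the proxy or the target would skip the check and the scan would report results for the wrong host without any warning. This holds unless both values are normalised before this point, which the hunk does not show. Comparing lower-cased copies would close the gap, e.g. `proxy, target := strings.ToLower(pluginOpts.Proxy), strings.ToLower(pluginOpts.URL)` and then testing `proxy` and `target` in the condition. When `--force` is set the run continues silently; logging a short warning after the logger is created would keep the caveat visible in the output. run starts and ends outside this hunk.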