-
-
Notifications
You must be signed in to change notification settings - Fork 2.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
about disable ssl cert check / accept low strength certificate encryption #676
Comments
I think dirsearch disabled certificate check by default |
or... how do i force the use of tls v1.0? |
Well, it's not important, we can request without cert check, so tls v1.0 or no cert has no impact |
firefox: |
curl:
|
curl with
|
I don't know what are you tesing? |
@shelld3v I need something like
|
|
And I think |
I can't start the test, if I don't get |
I can't understand what you tried to say. If you select a low strength encryption certificate website and try brute-forcing it with dirsearch, you will see that it works fluently!! |
Of course I tried before submitting here... |
It needed to be |
And I can't scan that old website with |
What is the error traceback? |
|
Were you able to visit https://xx.xx.xx.xx:443/ from your browser? |
I told u before bro.... ^^'' it's ok, but you need to click the ~ |
It needs |
I have no idea why should I do this! People haven't seen any problem with SSL in dirsearch for years, so I don't know why you are facing this. I even don't know is it an SSL problem or not, and how to fix this (I disabled cert check, what else to do?)! I maybe need to investigate more!! |
With and without with |
Hi, sorry for being so late! I am trying to find a way to fix this. |
Hi, can you give me any website that has a low strength certificate? So I can do more tests for my fix!! |
send me ur email addr then~ thx ^^ |
Is the problem solved, and how?I have the same problem here, macos big sur, version 0.4.1, example: |. _ _ _ _ _ | v0.4.1 Extensions: php, asp, aspx, jsp, html, htm, js | HTTP method: GET | Threads: 20 | Wordlist size: 11793 Error Log: XXX/dirsearch-0.4.1-alpha/logs/errors-21-01-21_15-30-04.log Target: https://xx.xx.xx.xx:8081/ There was a problem in the request to: https://xx.xx.xx.xx:8081 Task Completed |
Hey @oldlazycat, I don't think port 8081 is served for HTTPS service! Try |
It doesn't have to be port 443, you can specify any port, and it is https://xx.xx.xx.xx:8081 |
Try opening https://xx.xx.xx.xx:8081 in your browser and you will know it is HTTP or HTTPS |
bruh.... |
Hi, sorry, but I haven't found a fix that can fit all the requirements yet (this may need a lot of updates), and I am in my break, so I can't fix it now. I hope I can get back soon!! Meanwhile, you can hack other things, right ;) Happy Lunar New Year! (not yet, but will be soon) |
it's fine~ thx ^^ |
Hello folks, If you can give me at least one host with the same issue, I'd probably be able to fix it. You can write me via email or twitter. Regards, |
Can I get your email address? THX |
ping? @maurosoria |
You should be able to see it in my profile
|
From that link, you can fix this with |
I'll take a look later, THX! |
🤔 |
Hi @c2xusnpq6, sorry for the late response. Look at this: https://stackoverflow.com/a/38502727/12238982 I'm suspecting that the issue you facing does not relate to SSL/TLS. @c2xusnpq6 @oldlazycat If one of u can give me the target, I will be happy and try my best to solve your problems. Thanks |
Hi @c2xusnpq6, I have delayed for so long, so made a fix locally. But I need to test this fix first, can you give a target that uses TLSv1? |
I'm sorry, I forgot the target IP... maybe next time... you can close this issue😅thx |
No problem, I will keep this issue open until you find that IP |
I ran into this issue against an older iis server; you can replicate the issue locally by setting up a tls1 server:
Verify
Example of the dirsearch error when scanning the tls1 server:
Work around patch I applied locally to make it work (on a slightly older dirsearch version): diff --git a/lib/connection/Requester.py b/lib/connection/Requester.py
index c3b2068..de08517 100755
--- a/lib/connection/Requester.py
+++ b/lib/connection/Requester.py
@@ -26,9 +26,21 @@ import urllib.parse
import urllib.request
import thirdparty.requests as requests
+from requests.adapters import HTTPAdapter
+from requests.packages.urllib3.poolmanager import PoolManager
from .RequestException import *
from .Response import *
+import ssl
+import urllib3
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+class MyAdapter(HTTPAdapter):
+ def init_poolmanager(self, connections, maxsize, block=False):
+ self.poolmanager = PoolManager(num_pools=connections,
+ maxsize=maxsize,
+ block=block,
+ ssl_version=ssl.PROTOCOL_TLSv1)
class Requester(object):
headers = {
@@ -111,6 +123,7 @@ class Requester(object):
self.randomAgents = None
self.requestByHostname = requestByHostname
self.session = requests.Session()
+ self.session.mount('https://', MyAdapter())
def setHeader(self, header, content):
self.headers[header] = content |
@adfoster-r7 Thanks for your effort, I have actually made the same fix locally already but haven't pushed it to the code yet because I didn't have any target to test, now I can:) |
@adfoster-r7 Do you know how to host a TLSv1.2-only server? |
Should be the same as the steps above but just with the
Verifying:
Or with sslscan:
|
@adfoster-r7 Can you check if the issue is still reproducible with dirsearch v0.4.3? |
@adfoster-r7 I can't reproduce the issue now, can you check if the issue is still there in the latest version of dirsearch (v0.4.3)? |
tsl1.0
--tlsv1.0
or-1
?The text was updated successfully, but these errors were encountered: