2019-03-27 03:17:20 +00:00
|
|
|
package api
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"bytes"
|
|
|
|
|
"crypto/tls"
|
|
|
|
|
"encoding/json"
|
|
|
|
|
"errors"
|
|
|
|
|
"fmt"
|
|
|
|
|
"net/http"
|
|
|
|
|
"strings"
|
|
|
|
|
|
|
|
|
|
"github.com/PuerkitoBio/goquery"
|
Implement SSRF Mitigations (#1940)
Initial commit of SSRF mitigations.
This fixes #1908 by creating a *net.Dialer which restricts outbound connections to only allowed IP ranges. This implementation is based on the blog post at https://www.agwa.name/blog/post/preventing_server_side_request_forgery_in_golang
To keep things backwards compatible, by default we'll only block connections to 169.254.169.254, the link-local IP address commonly used in cloud environments to retrieve metadata about the running instance. For other internal addresses (e.g. localhost or RFC 1918 addresses), it's assumed that those are available to Gophish.
To support more secure environments, we introduce the `allowed_internal_hosts` configuration option where an admin can set one or more IP ranges in CIDR format. If addresses are specified here, then all internal connections will be blocked except to these hosts.
There are various bits about this approach I don't really like. For example, since various packages all need this functionality, I had to make the RestrictedDialer a global singleton rather than a dependency off of, say, the admin server. Additionally, since webhooks are implemented via a singleton, I had to introduce a new function, `SetTransport`.
Finally, I had to make an update in the gomail package to support a custom net.Dialer.
2020-08-20 14:36:18 +00:00
|
|
|
"github.com/gophish/gophish/dialer"
|
2019-03-27 03:17:20 +00:00
|
|
|
log "github.com/gophish/gophish/logger"
|
|
|
|
|
"github.com/gophish/gophish/models"
|
|
|
|
|
"github.com/gophish/gophish/util"
|
|
|
|
|
"github.com/jordan-wright/email"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
type cloneRequest struct {
|
|
|
|
|
URL string `json:"url"`
|
|
|
|
|
IncludeResources bool `json:"include_resources"`
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (cr *cloneRequest) validate() error {
|
|
|
|
|
if cr.URL == "" {
|
|
|
|
|
return errors.New("No URL Specified")
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type cloneResponse struct {
|
|
|
|
|
HTML string `json:"html"`
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type emailResponse struct {
|
|
|
|
|
Text string `json:"text"`
|
|
|
|
|
HTML string `json:"html"`
|
|
|
|
|
Subject string `json:"subject"`
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// ImportGroup imports a CSV of group members
|
|
|
|
|
func (as *Server) ImportGroup(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
ts, err := util.ParseCSV(r)
|
|
|
|
|
if err != nil {
|
|
|
|
|
JSONResponse(w, models.Response{Success: false, Message: "Error parsing CSV"}, http.StatusInternalServerError)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
JSONResponse(w, ts, http.StatusOK)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// ImportEmail allows for the importing of email.
|
|
|
|
|
// Returns a Message object
|
|
|
|
|
func (as *Server) ImportEmail(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
if r.Method != "POST" {
|
|
|
|
|
JSONResponse(w, models.Response{Success: false, Message: "Method not allowed"}, http.StatusBadRequest)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
ir := struct {
|
|
|
|
|
Content string `json:"content"`
|
|
|
|
|
ConvertLinks bool `json:"convert_links"`
|
|
|
|
|
}{}
|
|
|
|
|
err := json.NewDecoder(r.Body).Decode(&ir)
|
|
|
|
|
if err != nil {
|
|
|
|
|
JSONResponse(w, models.Response{Success: false, Message: "Error decoding JSON Request"}, http.StatusBadRequest)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
e, err := email.NewEmailFromReader(strings.NewReader(ir.Content))
|
|
|
|
|
if err != nil {
|
|
|
|
|
log.Error(err)
|
|
|
|
|
}
|
|
|
|
|
// If the user wants to convert links to point to
|
|
|
|
|
// the landing page, let's make it happen by changing up
|
|
|
|
|
// e.HTML
|
|
|
|
|
if ir.ConvertLinks {
|
|
|
|
|
d, err := goquery.NewDocumentFromReader(bytes.NewReader(e.HTML))
|
|
|
|
|
if err != nil {
|
|
|
|
|
JSONResponse(w, models.Response{Success: false, Message: err.Error()}, http.StatusBadRequest)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
d.Find("a").Each(func(i int, a *goquery.Selection) {
|
|
|
|
|
a.SetAttr("href", "{{.URL}}")
|
|
|
|
|
})
|
|
|
|
|
h, err := d.Html()
|
|
|
|
|
if err != nil {
|
|
|
|
|
JSONResponse(w, models.Response{Success: false, Message: err.Error()}, http.StatusInternalServerError)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
e.HTML = []byte(h)
|
|
|
|
|
}
|
|
|
|
|
er := emailResponse{
|
|
|
|
|
Subject: e.Subject,
|
|
|
|
|
Text: string(e.Text),
|
|
|
|
|
HTML: string(e.HTML),
|
|
|
|
|
}
|
|
|
|
|
JSONResponse(w, er, http.StatusOK)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// ImportSite allows for the importing of HTML from a website
|
|
|
|
|
// Without "include_resources" set, it will merely place a "base" tag
|
|
|
|
|
// so that all resources can be loaded relative to the given URL.
|
|
|
|
|
func (as *Server) ImportSite(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
cr := cloneRequest{}
|
|
|
|
|
if r.Method != "POST" {
|
|
|
|
|
JSONResponse(w, models.Response{Success: false, Message: "Method not allowed"}, http.StatusBadRequest)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
err := json.NewDecoder(r.Body).Decode(&cr)
|
|
|
|
|
if err != nil {
|
|
|
|
|
JSONResponse(w, models.Response{Success: false, Message: "Error decoding JSON Request"}, http.StatusBadRequest)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
if err = cr.validate(); err != nil {
|
|
|
|
|
JSONResponse(w, models.Response{Success: false, Message: err.Error()}, http.StatusBadRequest)
|
|
|
|
|
return
|
|
|
|
|
}
|
Implement SSRF Mitigations (#1940)
Initial commit of SSRF mitigations.
This fixes #1908 by creating a *net.Dialer which restricts outbound connections to only allowed IP ranges. This implementation is based on the blog post at https://www.agwa.name/blog/post/preventing_server_side_request_forgery_in_golang
To keep things backwards compatible, by default we'll only block connections to 169.254.169.254, the link-local IP address commonly used in cloud environments to retrieve metadata about the running instance. For other internal addresses (e.g. localhost or RFC 1918 addresses), it's assumed that those are available to Gophish.
To support more secure environments, we introduce the `allowed_internal_hosts` configuration option where an admin can set one or more IP ranges in CIDR format. If addresses are specified here, then all internal connections will be blocked except to these hosts.
There are various bits about this approach I don't really like. For example, since various packages all need this functionality, I had to make the RestrictedDialer a global singleton rather than a dependency off of, say, the admin server. Additionally, since webhooks are implemented via a singleton, I had to introduce a new function, `SetTransport`.
Finally, I had to make an update in the gomail package to support a custom net.Dialer.
2020-08-20 14:36:18 +00:00
|
|
|
restrictedDialer := dialer.Dialer()
|
2019-03-27 03:17:20 +00:00
|
|
|
tr := &http.Transport{
|
Implement SSRF Mitigations (#1940)
Initial commit of SSRF mitigations.
This fixes #1908 by creating a *net.Dialer which restricts outbound connections to only allowed IP ranges. This implementation is based on the blog post at https://www.agwa.name/blog/post/preventing_server_side_request_forgery_in_golang
To keep things backwards compatible, by default we'll only block connections to 169.254.169.254, the link-local IP address commonly used in cloud environments to retrieve metadata about the running instance. For other internal addresses (e.g. localhost or RFC 1918 addresses), it's assumed that those are available to Gophish.
To support more secure environments, we introduce the `allowed_internal_hosts` configuration option where an admin can set one or more IP ranges in CIDR format. If addresses are specified here, then all internal connections will be blocked except to these hosts.
There are various bits about this approach I don't really like. For example, since various packages all need this functionality, I had to make the RestrictedDialer a global singleton rather than a dependency off of, say, the admin server. Additionally, since webhooks are implemented via a singleton, I had to introduce a new function, `SetTransport`.
Finally, I had to make an update in the gomail package to support a custom net.Dialer.
2020-08-20 14:36:18 +00:00
|
|
|
DialContext: restrictedDialer.DialContext,
|
2019-03-27 03:17:20 +00:00
|
|
|
TLSClientConfig: &tls.Config{
|
|
|
|
|
InsecureSkipVerify: true,
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
client := &http.Client{Transport: tr}
|
|
|
|
|
resp, err := client.Get(cr.URL)
|
|
|
|
|
if err != nil {
|
|
|
|
|
JSONResponse(w, models.Response{Success: false, Message: err.Error()}, http.StatusBadRequest)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
// Insert the base href tag to better handle relative resources
|
|
|
|
|
d, err := goquery.NewDocumentFromResponse(resp)
|
|
|
|
|
if err != nil {
|
|
|
|
|
JSONResponse(w, models.Response{Success: false, Message: err.Error()}, http.StatusBadRequest)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
// Assuming we don't want to include resources, we'll need a base href
|
|
|
|
|
if d.Find("head base").Length() == 0 {
|
|
|
|
|
d.Find("head").PrependHtml(fmt.Sprintf("<base href=\"%s\">", cr.URL))
|
|
|
|
|
}
|
|
|
|
|
forms := d.Find("form")
|
|
|
|
|
forms.Each(func(i int, f *goquery.Selection) {
|
|
|
|
|
// We'll want to store where we got the form from
|
|
|
|
|
// (the current URL)
|
|
|
|
|
url := f.AttrOr("action", cr.URL)
|
|
|
|
|
if !strings.HasPrefix(url, "http") {
|
|
|
|
|
url = fmt.Sprintf("%s%s", cr.URL, url)
|
|
|
|
|
}
|
|
|
|
|
f.PrependHtml(fmt.Sprintf("<input type=\"hidden\" name=\"__original_url\" value=\"%s\"/>", url))
|
|
|
|
|
})
|
|
|
|
|
h, err := d.Html()
|
|
|
|
|
if err != nil {
|
|
|
|
|
JSONResponse(w, models.Response{Success: false, Message: err.Error()}, http.StatusInternalServerError)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
cs := cloneResponse{HTML: h}
|
|
|
|
|
JSONResponse(w, cs, http.StatusOK)
|
|
|
|
|
}
|