def _get_ip(res: HTTPResponse) -> Union[str, None]:
    """Return the private IP address exposed by a redirect, if any.

    Reads the ``Location`` header of *res*. When the redirect target's host
    is an IP literal (``utils.is_ip``) that ``utils.is_private_ip`` accepts,
    that host is returned. Every other case (no ``Location`` header, a host
    name, or an address that is not private) yields ``None``.
    """
    location = res.getheader("Location")
    if location is None:
        # Not a redirect, so there is nothing to inspect.
        return None

    host = utils.get_domain(urlparse(location).netloc)

    # Only an IP literal that is also private counts as an internal-address
    # disclosure; host names and public addresses are ignored.
    if utils.is_ip(host) and utils.is_private_ip(host):
        return host

    return None
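def _decode_big_ip_cookie(value: str) -> Union[str, None]:
    """Decode an F5 BIG-IP persistence cookie value into ``host:port``.

    Four encodings are recognised (examples show the full cookie; *value* is
    the part after ``=``):

    * ``2263487148.3013.0000`` - IPv4, address and port byte-swapped decimals
    * ``rd5o00000000000000000000ffffc0000201o80`` - IPv4 in a route domain
    * ``vi20010112000000000000000000000030.20480`` - IPv6, port byte-swapped
    * ``rd3o20010112000000000000000000000030o80`` - IPv6 in a route domain

    The cookie value is chosen by the remote server, so it is treated as
    untrusted: fields are taken from anchored regex captures rather than by
    splitting the whole string (trailing ``;``/``,`` attributes used to reach
    ``int()`` and raise ``ValueError``), and numbers that cannot fit the
    32-bit address or 16-bit port being byte-swapped are rejected instead of
    raising ``struct.error``.

    Args:
        value: The cookie value to decode.

    Returns:
        ``"host:port"`` when the value decodes to an address that
        ``utils.is_private_ip`` accepts, otherwise ``None`` (including for
        malformed or undecodable values).
    """

    def _swap_endianness(val, bits: int = 32):
        # Reverse the byte order of an unsigned 32- or 16-bit integer.
        code = {32: "I", 16: "H"}[bits]
        return struct.unpack("<" + code, struct.pack(">" + code, val))[0]

    # regex copied from: https://github.com/rapid7/metasploit-framework
    # /blob/6300758c46464ff5488bc49bc326ebbb1df46321
    # /modules/auxiliary/gather/f5_bigip_cookie_disclosure.rb
    # License: BSD
    # Copyright: 2006-2018, Rapid7, Inc.
    value_pattern = (
        r"(((?:\d+\.){2}\d+)|(rd\d+o0{20}f{4}\w+o\d{1,5})|"
        r"(vi([a-f0-9]{32})\.(\d{1,5}))|"
        r"(rd\d+o([a-f0-9]{32})o(\d{1,5})))(?:$|,|;|\s)"
    )

    if not re.match(value_pattern, value):
        return None

    # All four format checks are anchored at the start of the value, like the
    # gate above, so the decoded fields are exactly the ones that were
    # validated. The IPv4-mapped route-domain form is tested before the
    # generic 32-hex-digit form because it is a special case of it.
    ipv4_encoded = re.match(r"(\d{8,10})\.(\d{1,5})\.", value)
    ipv4_rd = re.match(r"rd\d+o0{20}f{4}([a-f0-9]{8})o(\d{1,5})", value)
    ipv6_vi = re.match(r"vi([a-f0-9]{32})\.(\d{1,5})", value)
    ipv6_rd = re.match(r"rd\d+o([a-f0-9]{32})o(\d{1,5})", value)

    if ipv4_encoded:
        # BIGipServerWEB=2263487148.3013.0000 - IPv4
        raw_addr = int(ipv4_encoded.group(1))
        raw_port = int(ipv4_encoded.group(2))
        # Up to 10 / 5 decimal digits can exceed 32 / 16 bits.
        if raw_addr > 0xFFFFFFFF or raw_port > 0xFFFF:
            return None
        host = socket.inet_ntop(
            socket.AF_INET,
            _swap_endianness(raw_addr).to_bytes(4, byteorder="big"),
        )
        port = _swap_endianness(raw_port, 16)
    elif ipv4_rd:
        # BIGipServerWEB=rd5o00000000000000000000ffffc0000201o80 - IPv4
        host = socket.inet_ntop(socket.AF_INET, bytes.fromhex(ipv4_rd.group(1)))
        port = int(ipv4_rd.group(2))
    elif ipv6_vi:
        # BIGipServerWEB=vi20010112000000000000000000000030.20480 - IPv6
        raw_port = int(ipv6_vi.group(2))
        if raw_port > 0xFFFF:
            return None
        host = socket.inet_ntop(socket.AF_INET6, bytes.fromhex(ipv6_vi.group(1)))
        port = _swap_endianness(raw_port, 16)
    elif ipv6_rd:
        # BIGipServerWEB=rd3o20010112000000000000000000000030o80 - IPv6
        host = socket.inet_ntop(socket.AF_INET6, bytes.fromhex(ipv6_rd.group(1)))
        port = int(ipv6_rd.group(2))
    else:
        # Passed the loose gate but matches none of the decodable layouts.
        return None

    # Only an internal address is a disclosure worth reporting.
    if utils.is_private_ip(host):
        return f"{host}:{port}"

    return None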