01
—
工具介绍
httpx 是一个go语言开发的快速且多用途的 HTTP 工具包,允许使用 retryablehttp 库运行多个探测器。可以获取url的状态,title,jarm等信息,也可以对网站截图。
02
—
下载安装
https://github.com/projectdiscovery/httpx
在releases中找到最新版本,选择对应的操作系统,我是安装在kali上,选择了linux_amd_64
安装包解压缩
unzip httpx_1.3.5_linux_amd64.zip
httpx -h
将httpx设置为系统命令
cp httpx /usr/local/bin/
03
—
使用
httpx -h
帮助信息如下
Usage:
./httpx [flags]
Flags:
INPUT:
-l, -list string input file containing list of hosts to process
-rr, -request string file containing raw request
-u, -target string[] input target host(s) to probe
PROBES:
-sc, -status-code display response status-code
-cl, -content-length display response content-length
-ct, -content-type display response content-type
-location display response redirect location
-favicon display mmh3 hash for '/favicon.ico' file
-hash string display response body hash (supported: md5,mmh3,simhash,sha1,sha256,sha512)
-jarm display jarm fingerprint hash
-rt, -response-time display response time
-lc, -line-count display response body line count
-wc, -word-count display response body word count
-title display page title
-bp, -body-preview display first N characters of response body (default 100)
-server, -web-server display server name
-td, -tech-detect display technology in use based on wappalyzer dataset
-method display http request method
-websocket display server using websocket
-ip display host ip
-cname display host cname
-asn display host asn information
-cdn display cdn/waf in use
-probe display probe status
HEADLESS:
-ss, -screenshot enable saving screenshot of the page using headless browser
-system-chrome enable using local installed chrome for screenshot
-esb, -exclude-screenshot-bytes enable excluding screenshot bytes from json output
-ehb, -exclude-headless-body enable excluding headless header from json output
MATCHERS:
-mc, -match-code string match response with specified status code (-mc 200,302)
-ml, -match-length string match response with specified content length (-ml 100,102)
-mlc, -match-line-count string match response body with specified line count (-mlc 423,532)
-mwc, -match-word-count string match response body with specified word count (-mwc 43,55)
-mfc, -match-favicon string[] match response with specified favicon hash (-mfc 1494302000)
-ms, -match-string string match response with specified string (-ms admin)
-mr, -match-regex string match response with specified regex (-mr admin)
-mcdn, -match-cdn string[] match host with specified cdn provider (cloudfront, fastly, google, leaseweb, stackpath)
-mrt, -match-response-time string match response with specified response time in seconds (-mrt '< 1')
-mdc, -match-condition string match response with dsl expression condition
EXTRACTOR:
-er, -extract-regex string[] display response content with matched regex
-ep, -extract-preset string[] display response content matched by a pre-defined regex (ipv4,mail,url)
FILTERS:
-fc, -filter-code string filter response with specified status code (-fc 403,401)
-fep, -filter-error-page filter response with ML based error page detection
-fl, -filter-length string filter response with specified content length (-fl 23,33)
-flc, -filter-line-count string filter response body with specified line count (-flc 423,532)
-fwc, -filter-word-count string filter response body with specified word count (-fwc 423,532)
-ffc, -filter-favicon string[] filter response with specified favicon hash (-ffc 1494302000)
-fs, -filter-string string filter response with specified string (-fs admin)
-fe, -filter-regex string filter response with specified regex (-fe admin)
-fcdn, -filter-cdn string[] filter host with specified cdn provider (cloudfront, fastly, google, leaseweb, stackpath)
-frt, -filter-response-time string filter response with specified response time in seconds (-frt '> 1')
-fdc, -filter-condition string filter response with dsl expression condition
-strip strips all tags in response. supported formats: html,xml (default html)
RATE-LIMIT:
-t, -threads int number of threads to use (default 50)
-rl, -rate-limit int maximum requests to send per second (default 150)
-rlm, -rate-limit-minute int maximum number of requests to send per minute
MISCELLANEOUS:
-pa, -probe-all-ips probe all the ips associated with same host
-p, -ports string[] ports to probe (nmap syntax: eg http:1,2-10,11,https:80)
-path string path or list of paths to probe (comma-separated, file)
-tls-probe send http probes on the extracted TLS domains (dns_name)
-csp-probe send http probes on the extracted CSP domains
-tls-grab perform TLS(SSL) data grabbing
-pipeline probe and display server supporting HTTP1.1 pipeline
-http2 probe and display server supporting HTTP2
-vhost probe and display server supporting VHOST
-ldv, -list-dsl-variables list json output field keys name that support dsl matcher/filter
UPDATE:
-up, -update update httpx to latest version
-duc, -disable-update-check disable automatic httpx update check
OUTPUT:
-o, -output string file to write output results
-oa, -output-all filename to write output results in all formats
-sr, -store-response store http response to output directory
-srd, -store-response-dir string store http response to custom directory
-csv store output in csv format
-csvo, -csv-output-encoding string define output encoding
-j, -json store output in JSONL(ines) format
-irh, -include-response-header include http response (headers) in JSON output (-json only)
-irr, -include-response include http request/response (headers + body) in JSON output (-json only)
-irrb, -include-response-base64 include base64 encoded http request/response in JSON output (-json only)
-include-chain include redirect http chain in JSON output (-json only)
-store-chain include http redirect chain in responses (-sr only)
CONFIGURATIONS:
-config string path to the httpx configuration file (default $HOME/.config/httpx/config.yaml)
-r, -resolvers string[] list of custom resolver (file or comma separated)
-allow string[] allowed list of IP/CIDR's to process (file or comma separated)
-deny string[] denied list of IP/CIDR's to process (file or comma separated)
-sni, -sni-name string custom TLS SNI name
-random-agent enable Random User-Agent to use (default true)
-H, -header string[] custom http headers to send with request
-http-proxy, -proxy string http proxy to use (eg http://127.0.0.1:8080)
-unsafe send raw requests skipping golang normalization
-resume resume scan using resume.cfg
-fr, -follow-redirects follow http redirects
-maxr, -max-redirects int max number of redirects to follow per host (default 10)
-fhr, -follow-host-redirects follow redirects on the same host
-rhsts, -respect-hsts respect HSTS response headers for redirect requests
-vhost-input get a list of vhosts as input
-x string request methods to probe, use 'all' to probe all HTTP methods
-body string post body to include in http request
-s, -stream stream mode - start elaborating input targets without sorting
-sd, -skip-dedupe disable dedupe input items (only used with stream mode)
-ldp, -leave-default-ports leave default http/https ports in host header (eg. http://host:80 - https://host:443
-ztls use ztls library with autofallback to standard one for tls13
-no-decode avoid decoding body
-tlsi, -tls-impersonate enable experimental client hello (ja3) tls randomization
-no-stdin Disable Stdin processing
DEBUG:
-health-check, -hc run diagnostic check up
-debug display request/response content in cli
-debug-req display request content in cli
-debug-resp display response content in cli
-version display httpx version
-stats display scan statistic
-profile-mem string optional httpx memory profile dump file
-silent silent mode
-v, -verbose verbose mode
-si, -stats-interval int number of seconds to wait between showing a statistics update (default: 5)
-nc, -no-color disable colors in cli output
OPTIMIZATIONS:
-nf, -no-fallback display both probed protocol (HTTPS and HTTP)
-nfs, -no-fallback-scheme probe with protocol scheme specified in input
-maxhr, -max-host-error int max error count per host before skipping remaining path/s (default 30)
-ec, -exclude-cdn skip full port scans for CDN/WAF (only checks for 80,443)
-retries int number of retries
-timeout int timeout in seconds (default 10)
-delay value duration between each http request (eg: 200ms, 1s) (default -1ns)
-rsts, -response-size-to-save int max response size to save in bytes (default 2147483647)
-rstr, -response-size-to-read int max response size to read in bytes (default 2147483647)
描述信息使用机器翻译成中文
Usage:
./httpx [flags]
Flags:
INPUT:
-l, -list string 包含要处理的主机列表的输入文件
-rr, -request string 包含原始请求的文件
-u, -target string[] 输入要探测的目标主机
PROBES:
-sc, -status-code 显示响应状态代码
-cl, -content-length 显示响应内容长度
-ct, -content-type 显示响应内容类型
-location 显示响应重定向位置
-favicon 显示'/faveicon.ico'文件的mmh3哈希
-hash string 显示响应主体哈希(supported: md5,mmh3,simhash,sha1,sha256,sha512)
-jarm 显示jarm指纹散列
-rt, -response-time 显示响应时间
-lc, -line-count 显示响应正文行计数
-wc, -word-count 显示响应正文字数
-title 显示页面标题
-bp, -body-preview 显示响应主体的前N个字符(默认值为100)
-server, -web-server 显示服务器名称
-td, -tech-detect 基于wappalyzer数据集的显示技术
-method 显示http请求方法
-websocket 使用websocket显示服务器
-ip 显示主机ip
-cname 显示主机cname
-asn 显示主机asn信息
-cdn 显示使用中的cdn/waf
-probe 显示探头状态
HEADLESS:
-ss, -screenshot 启用使用无头浏览器保存页面的屏幕截图
-system-chrome 启用使用本地安装的chrome进行屏幕截图
-esb, -exclude-screenshot-bytes 启用从json输出中排除屏幕截图字节
-ehb, -exclude-headless-body 启用从json输出中排除headless头
MATCHERS:
-mc, -match-code string 将响应与指定的状态代码匹配 (-mc 200,302)
-ml, -match-length string 将响应与指定的内容长度匹配 (-ml 100,102)
-mlc, -match-line-count string 将响应正文与指定的行数匹配 (-mlc 423,532)
-mwc, -match-word-count string 将响应正文与指定的字数匹配 (-mwc 43,55)
-mfc, -match-favicon string[] 将响应与指定的收藏夹哈希匹配 (-mfc 1494302000)
-ms, -match-string string 将响应与指定字符串匹配 (-ms admin)
-mr, -match-regex string 将响应与指定的正则表达式匹配 (-mr admin)
-mcdn, -match-cdn string[] 将主机与指定的cdn提供程序匹配 (cloudfront, fastly, google, leaseweb, stackpath)
-mrt, -match-response-time string 将响应与指定的响应时间匹配 (-mrt '< 1')
-mdc, -match-condition string 将响应与dsl表达式条件匹配
EXTRACTOR:
-er, -extract-regex string[] 使用匹配的正则表达式显示响应内容
-ep, -extract-preset string[] 显示与预定义regex匹配的响应内容 (ipv4,mail,url)
FILTERS:
-fc, -filter-code string 筛选具有指定状态代码的响应 (-fc 403,401)
-fep, -filter-error-page 基于ML的错误页面检测的过滤器响应
-fl, -filter-length string 筛选具有指定内容长度的响应 (-fl 23,33)
-flc, -filter-line-count string 具有指定行计数的筛选器响应正文 (-flc 423,532)
-fwc, -filter-word-count string 具有指定字数的筛选器响应正文 (-fwc 423,532)
-ffc, -filter-favicon string[] 使用指定的收藏夹哈希筛选响应 (-ffc 1494302000)
-fs, -filter-string string 使用指定字符串筛选响应 (-fs admin)
-fe, -filter-regex string 使用指定的正则表达式筛选响应 (-fe admin)
-fcdn, -filter-cdn string[] 使用指定的cdn提供程序筛选主机 (cloudfront, fastly, google, leaseweb, stackpath)
-frt, -filter-response-time string 筛选具有指定响应时间(秒)的响应 (-frt '> 1')
-fdc, -filter-condition string 具有dsl表达式条件的滤波器响应
-strip 剥离所有标签作为响应。支持的格式: html,xml (default html)
RATE-LIMIT:
-t, -threads int 要使用的线程数 (default 50)
-rl, -rate-limit int 每秒发送的最大请求数 (default 150)
-rlm, -rate-limit-minute int 每分钟发送的最大请求数
MISCELLANEOUS:
-pa, -probe-all-ips 探测与同一主机相关的所有ip
-p, -ports string[] 要探测的端口 (nmap syntax: eg http:1,2-10,11,https:80)
-path string 要探测的路径或路径列表 (comma-separated, file)
-tls-probe 在提取的TLS域上发送http探测 (dns_name)
-csp-probe 在提取的CSP域上发送http探测
-tls-grab 执行TLS(SSL)数据抓取
-pipeline 支持HTTP1.1管道的探测和显示服务器
-http2 支持HTTP2的探测和显示服务器
-vhost 支持VHOST的探测和显示服务器
-ldv, -list-dsl-variables 列出支持dsl matcher/filter的json输出字段密钥名称
UPDATE:
-up, -update 将httpx更新到最新版本
-duc, -disable-update-check 禁用httpx自动更新检查
OUTPUT:
-o, -output string 用于写入输出结果的文件
-oa, -output-all 以所有格式写入输出结果的filename
-sr, -store-response 将http响应存储到输出目录
-srd, -store-response-dir string 将http响应存储到自定义目录
-csv 以csv格式存储输出
-csvo, -csv-output-encoding string 定义输出编码
-j, -json 以JSONL(ines)格式存储输出
-irh, -include-response-header 在JSON输出中包含http响应(标头)(仅限-JSON)
-irr, -include-response 在JSON输出中包含http请求/响应(头+正文)(仅限-JSON)
-irrb, -include-response-base64 在JSON输出中包含base64编码的http请求/响应(仅限-JSON)
-include-chain 在JSON输出中包含重定向http链(仅限-JSON)
-store-chain 在响应中包括http重定向链(仅限-sr)
CONFIGURATIONS:
-config string httpx配置文件的路径 (default $HOME/.config/httpx/config.yaml)
-r, -resolvers string[] 自定义冲突解决程序列表(以文件或逗号分隔)
-allow string[] 允许处理的IP/CIDR列表(文件或逗号分隔)
-deny string[] 要处理的IP/CIDR的拒绝列表(文件或逗号分隔)
-sni, -sni-name string 自定义TLS SNI名称
-random-agent 允许随机用户代理使用(默认为true)
-H, -header string[] 要随请求一起发送的自定义http标头
-http-proxy, -proxy string 要使用的http代理(例如http://127.0.0.1:8080)
-unsafe 跳过golang规范化发送原始请求
-resume 使用resume.cfg恢复扫描
-fr, -follow-redirects 遵循http重定向
-maxr, -max-redirects int 每个主机要遵循的最大重定向数(默认为10)
-fhr, -follow-host-redirects 在同一主机上跟踪重定向
-rhsts, -respect-hsts 重定向请求的HSTS响应标头
-vhost-input 获取vhosts列表作为输入
-x string 请求要探测的方法,使用“all”探测所有HTTP方法
-body string 要包含在http请求中的帖子正文
-s, -stream 流模式-开始详细说明输入目标而不进行排序
-sd, -skip-dedupe 禁用重复数据消除输入项目(仅用于流模式)
-ldp, -leave-default-ports 在主机标头中保留默认的http/https端口 (eg. http://host:80 - https://host:443
-ztls 使用ztls库并自动回调到tls13的标准库
-no-decode 避免解码主体
-tlsi, -tls-impersonate 启用实验客户端hello(ja3)tls随机化
-no-stdin 禁用Stdin处理
DEBUG:
-health-check, -hc 运行诊断检查
-debug 在cli中显示请求/响应内容
-debug-req 在cli中显示请求内容
-debug-resp 在cli中显示响应内容
-version 显示httpx版本
-stats 显示扫描统计
-profile-mem string 可选httpx内存配置文件转储文件
-silent 静音模式
-v, -verbose 详细模式
-si, -stats-interval int 显示统计信息更新之间等待的秒数 (default: 5)
-nc, -no-color 禁用cli输出中的颜色
OPTIMIZATIONS:
-nf, -no-fallback 显示两个探测的协议 (HTTPS and HTTP)
-nfs, -no-fallback-scheme 使用输入中指定的协议方案进行探测
-maxhr, -max-host-error int 跳过剩余路径之前每个主机的最大错误计数 (default 30)
-ec, -exclude-cdn 跳过CDN/WAF的完整端口扫描 (only checks for 80,443)
-retries int 重试次数
-timeout int 超时时间 (default 10)
-delay value 每个http请求之间的持续时间 (eg: 200ms, 1s) (default -1ns)
-rsts, -response-size-to-save int 要保存的最大响应大小(字节) (default 2147483647)
-rstr, -response-size-to-read int 要读取的最大响应大小(字节) (default 2147483647)
使用案例:
-
从大量url中过滤出能正常访问的,将结果存入url_ok.txt文件
httpx -l url.txt -fep -o url_ok.txt
2. 获取有价值的指纹信息,并截图,将结果以json格式存入文件
httpx -l url.txt -sc -ct -location -favicon -jarm -rt -title -server -probe -asn -fep -irr -include-chain -ss -j -o jjjj
会在本地生成一个output目录,下面有两个目录
response存储请求响应数据包
screnshot存储截图数据
3.URL Probe
cat hosts.txt | httpx
__ __ __ _ __
/ /_ / /_/ /_____ | |/ /
/ __ / __/ __/ __ | /
/ / / / /_/ /_/ /_/ / |
/_/ /_/__/__/ .___/_/|_| v1.1.1
/_/
projectdiscovery.io
[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
https://mta-sts.managed.hackerone.com
https://mta-sts.hackerone.com
https://mta-sts.forwarding.hackerone.com
https://docs.hackerone.com
https://www.hackerone.com
https://resources.hackerone.com
https://api.hackerone.com
https://support.hackerone.com
4. 输入文件
httpx -list hosts.txt -silent -probe
http://ns.hackerone.com [FAILED]
https://docs.hackerone.com [SUCCESS]
https://mta-sts.hackerone.com [SUCCESS]
https://mta-sts.managed.hackerone.com [SUCCESS]
http://email.hackerone.com [FAILED]
https://mta-sts.forwarding.hackerone.com [SUCCESS]
http://links.hackerone.com [FAILED]
https://api.hackerone.com [SUCCESS]
https://www.hackerone.com [SUCCESS]
http://events.hackerone.com [FAILED]
https://support.hackerone.com [SUCCESS]
https://gslink.hackerone.com [SUCCESS]
http://o1.email.hackerone.com [FAILED]
http://info.hackerone.com [FAILED]
https://resources.hackerone.com [SUCCESS]
http://o2.email.hackerone.com [FAILED]
http://o3.email.hackerone.com [FAILED]
http://go.hackerone.com [FAILED]
http://a.ns.hackerone.com [FAILED]
http://b.ns.hackerone.com [FAILED]
5. 输入CIDR
echo 173.0.84.0/24 | httpx -silent
https://173.0.84.29
https://173.0.84.43
https://173.0.84.31
https://173.0.84.44
https://173.0.84.12
https://173.0.84.4
https://173.0.84.36
https://173.0.84.45
https://173.0.84.14
https://173.0.84.25
https://173.0.84.46
https://173.0.84.24
https://173.0.84.32
https://173.0.84.9
https://173.0.84.13
https://173.0.84.6
https://173.0.84.16
https://173.0.84.34
6. 输入AS号
echo AS14421 | httpx -silent
https://216.101.17.248
https://216.101.17.249
https://216.101.17.250
https://216.101.17.251
https://216.101.17.252
7. 过滤错误请求
httpx -l urls.txt -path /v1/api -fep
__ __ __ _ __
/ /_ / /_/ /_____ | |/ /
/ __ / __/ __/ __ | /
/ / / / /_/ /_/ /_/ / |
/_/ /_/__/__/ .___/_/|_|
/_/
projectdiscovery.io
[INF] Current httpx version v1.3.3 (latest)
https://scanme.sh/v1/api
8. 获取favicon指纹
subfinder -d hackerone.com -silent | httpx -favicon
__ __ __ _ __
/ /_ / /_/ /_____ | |/ /
/ __ / __/ __/ __ | /
/ / / / /_/ /_/ /_/ / |
/_/ /_/__/__/ .___/_/|_|
/_/ v1.1.5
projectdiscovery.io
Use with caution. You are responsible for your actions.
Developers assume no liability and are not responsible for any misuse or damage.
https://docs.hackerone.com/favicon.ico [595148549]
https://hackerone.com/favicon.ico [595148549]
https://mta-sts.managed.hackerone.com/favicon.ico [-1700323260]
https://mta-sts.forwarding.hackerone.com/favicon.ico [-1700323260]
https://support.hackerone.com/favicon.ico [-1279294674]
https://gslink.hackerone.com/favicon.ico [1506877856]
https://resources.hackerone.com/favicon.ico [-1840324437]
https://api.hackerone.com/favicon.ico [566218143]
https://mta-sts.hackerone.com/favicon.ico [-1700323260]
https://www.hackerone.com/favicon.ico [778073381]
9. 获取JARM指纹
subfinder -d hackerone.com -silent | httpx -jarm
__ __ __ _ __
/ /_ / /_/ /_____ | |/ /
/ __ / __/ __/ __ | /
/ / / / /_/ /_/ /_/ / |
/_/ /_/__/__/ .___/_/|_|
/_/ v1.2.1
projectdiscovery.io
Use with caution. You are responsible for your actions.
Developers assume no liability and are not responsible for any misuse or damage.
https://www.hackerone.com [29d3dd00029d29d00042d43d00041d5de67cc9954cc85372523050f20b5007]
https://mta-sts.hackerone.com [29d29d00029d29d00042d43d00041d2aa5ce6a70de7ba95aef77a77b00a0af]
https://mta-sts.managed.hackerone.com [29d29d00029d29d00042d43d00041d2aa5ce6a70de7ba95aef77a77b00a0af]
https://docs.hackerone.com [29d29d00029d29d00042d43d00041d2aa5ce6a70de7ba95aef77a77b00a0af]
https://support.hackerone.com [29d3dd00029d29d00029d3dd29d29d5a74e95248e58a6162e37847a24849f7]
https://api.hackerone.com [29d3dd00029d29d00042d43d00041d5de67cc9954cc85372523050f20b5007]
https://mta-sts.forwarding.hackerone.com [29d29d00029d29d00042d43d00041d2aa5ce6a70de7ba95aef77a77b00a0af]
https://resources.hackerone.com [2ad2ad0002ad2ad0002ad2ad2ad2ad043bfbd87c13813505a1b60adf4f6ff5]
10. ASN指纹
subfinder -d hackerone.com -silent | httpx -asn
__ __ __ _ __
/ /_ / /_/ /_____ | |/ /
/ __ / __/ __/ __ | /
/ / / / /_/ /_/ /_/ / |
/_/ /_/__/__/ .___/_/|_|
/_/ v1.2.1
projectdiscovery.io
Use with caution. You are responsible for your actions.
Developers assume no liability and are not responsible for any misuse or damage.
https://mta-sts.managed.hackerone.com [AS54113, FASTLY, US]
https://gslink.hackerone.com [AS16509, AMAZON-02, US]
https://www.hackerone.com [AS13335, CLOUDFLARENET, US]
https://mta-sts.forwarding.hackerone.com [AS54113, FASTLY, US]
https://resources.hackerone.com [AS16509, AMAZON-02, US]
https://support.hackerone.com [AS13335, CLOUDFLARENET, US]
https://mta-sts.hackerone.com [AS54113, FASTLY, US]
https://docs.hackerone.com [AS54113, FASTLY, US]
https://api.hackerone.com [AS13335, CLOUDFLARENET, US]
原文始发于微信公众号(AI与网安):【工具分享】httpx的安装使用
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论