转发Bug get请求变成post请求

[notwhy]

复现xray ssrf的时候发现的问题 具体步骤如下
1.搭建ssrf漏洞页面
https://github.com/virusdefender/ssrf-app
2.运行xray 运行passive scan client
147.28是我本机机器
71.247是公网机器

3.大致请求如下
本机访问ssrf漏洞页面
http://..71.247:8000/?url=http://www.baidu.com
如下
147.138 - - [15/Oct/2019 09:13:39] "GET /?url=http://www.baidu.com HTTP/1.1" 200 -
到xray变成
71.247 - - [15/Oct/2019 09:13:40] "POST /?url=http://www.baidu.com HTTP/1.1" 405 -
get请求变成post请求 导致发现不了该ssrf漏洞。

[0xWi11]

同样遇到一样的问题，在插件里面显示是GET请求，然后服务器返回405 Methon Not Allow，然后在xray里面观察了一下，原本的GET请求到Xray里面成了POST请求

[0xWi11]

GET /images/?format=png&w=990&h=990&image=http://oc4ft409b132slzyh7f4pqccf3l09p.burpcollaborator.net&sign=7a027419953ff8ca8f98ec6bbacd55faff8b064a HTTP/1.1
Host: example
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36
Sec-Fetch-Dest: document
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,zh-TW;q=0.7

原GET请求

[0xWi11]

插件转发出的请求

POST /images/?format=png&w=990&h=990&image=http://oc4ft409b132slzyh7f4pqccf3l09p.burpcollaborator.net&sign=7a027419953ff8ca8f98ec6bbacd55faff8b064a HTTP/1.1
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,zh-TW;q=0.7
Host: example.com
Content-type: application/x-www-form-urlencoded
Content-Length: 0

[Toy-godlike]

同样遇到一样的问题，在插件里面显示是GET请求，然后服务器返回405 Methon Not Allow，然后在xray里面观察了一下，原本的GET请求到Xray里面成了POST请求

试试这个吧https://xray.cool/xray/#/scenario/burp，用burp原生的上游代理，passive-scan-client确实有时候有bug。