From 187fc6acd2a91e3debdab2519725d62cfab5b020 Mon Sep 17 00:00:00 2001 From: AndresFelipeGualdron Date: Fri, 3 Jan 2025 12:01:42 -0500 Subject: [PATCH 1/5] fix to import overwrite c2Profile to url_parameters --- client/command/c2profiles/c2profiles.go | 9 +++++++++ server/db/helpers.go | 17 +++++++++++++++++ 2 files changed, 26 insertions(+) diff --git a/client/command/c2profiles/c2profiles.go b/client/command/c2profiles/c2profiles.go index ac9d4b689..dffd9d787 100644 --- a/client/command/c2profiles/c2profiles.go +++ b/client/command/c2profiles/c2profiles.go @@ -464,6 +464,15 @@ func C2ConfigToProtobuf(profileName string, config *assets.HTTPC2Config) *client }) } + for _, urlParameter := range config.ImplantConfig.URLParameters { + httpC2UrlParameters = append(httpC2UrlParameters, &clientpb.HTTPC2URLParameter{ + Method: urlParameter.Method, + Name: urlParameter.Name, + Value: urlParameter.Value, + Probability: int32(urlParameter.Probability), + }) + } + implantConfig := &clientpb.HTTPC2ImplantConfig{ UserAgent: config.ImplantConfig.UserAgent, ChromeBaseVersion: int32(config.ImplantConfig.ChromeBaseVersion), diff --git a/server/db/helpers.go b/server/db/helpers.go index 7a40edd5a..ac5b16ef5 100644 --- a/server/db/helpers.go +++ b/server/db/helpers.go @@ -477,6 +477,13 @@ func HTTPC2ConfigUpdate(newConf *clientpb.HTTPC2Config, oldConf *clientpb.HTTPC2 return err.Error } + err = Session().Where(&models.HttpC2URLParameter{ + HttpC2ImplantConfigID: clientID, + }).Delete(&models.HttpC2URLParameter{}) + if err.Error != nil { + return err.Error + } + err = Session().Where(&models.ImplantConfig{ ID: clientID, }).Updates(c2Config.ImplantConfig) @@ -504,6 +511,16 @@ func HTTPC2ConfigUpdate(newConf *clientpb.HTTPC2Config, oldConf *clientpb.HTTPC2 } } + for _, urlParameter := range c2Config.ImplantConfig.ExtraURLParameters { + urlParameter.HttpC2ImplantConfigID = clientID + err = Session().Clauses(clause.OnConflict{ + UpdateAll: true, + }).Create(&urlParameter) + if err.Error != nil { + return err.Error + } + } + serverID, _ := uuid.FromString(oldConf.ServerConfig.ID) err = Session().Where(&models.HttpC2Cookie{ From 26efc776c7c30beb202d85d3ee8e95f0923947d6 Mon Sep 17 00:00:00 2001 From: AndresFelipeGualdron Date: Fri, 3 Jan 2025 22:32:53 -0500 Subject: [PATCH 2/5] fix to import no overwrite c2Profile --- server/rpc/rpc-c2profile.go | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/server/rpc/rpc-c2profile.go b/server/rpc/rpc-c2profile.go index b2be3e5b5..d03d19b1d 100644 --- a/server/rpc/rpc-c2profile.go +++ b/server/rpc/rpc-c2profile.go @@ -80,11 +80,10 @@ func (rpc *Server) SaveHTTPC2Profile(ctx context.Context, req *clientpb.HTTPC2Co return nil, configs.ErrDuplicateC2ProfileName } - if httpC2Config.Name == "" { - return nil, configs.ErrC2ProfileNotFound - } - if req.Overwrite { + if httpC2Config.Name == "" { + return nil, configs.ErrC2ProfileNotFound + } err = db.HTTPC2ConfigUpdate(req.C2Config, httpC2Config) if err != nil { log.Printf("Error:\n%s", err) From 674df112a4bcd6548d5bcc72c10524be4c534d55 Mon Sep 17 00:00:00 2001 From: AndresFelipeGualdron Date: Sat, 4 Jan 2025 20:12:10 -0500 Subject: [PATCH 3/5] adding method of url parameter in template --- implant/sliver/transports/httpclient/httpclient.go | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/implant/sliver/transports/httpclient/httpclient.go b/implant/sliver/transports/httpclient/httpclient.go index 8eee99b7f..29a6a8093 100644 --- a/implant/sliver/transports/httpclient/httpclient.go +++ b/implant/sliver/transports/httpclient/httpclient.go @@ -273,7 +273,12 @@ func (s *SliverHTTPClient) newHTTPRequest(method string, uri *url.URL, body io.R extraURLParams := []nameValueProbability{ // {{range $param := .HTTPC2ImplantConfig.ExtraURLParameters}} - {Name: "{{$param.Name}}", Value: "{{$param.Value}}", Probability: "{{$param.Probability}}"}, + { + Name: "{{$param.Name}}", + Value: "{{$param.Value}}", + Probability: "{{$param.Probability}}", + Method: "{{$param.Method}}", + }, // {{end}} } queryParams := req.URL.Query() From daeb463f77950e72f3cdcffcd1db6dbc9b5de31e Mon Sep 17 00:00:00 2001 From: Timothy Makram Ghatas <47985652+TimBF@users.noreply.github.com> Date: Tue, 7 Jan 2025 14:46:32 +0100 Subject: [PATCH 4/5] Update httpclient.go add check for method in implant httpclient Signed-off-by: Timothy Makram Ghatas <47985652+TimBF@users.noreply.github.com> --- implant/sliver/transports/httpclient/httpclient.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/implant/sliver/transports/httpclient/httpclient.go b/implant/sliver/transports/httpclient/httpclient.go index 29a6a8093..d16c169d7 100644 --- a/implant/sliver/transports/httpclient/httpclient.go +++ b/implant/sliver/transports/httpclient/httpclient.go @@ -283,6 +283,9 @@ func (s *SliverHTTPClient) newHTTPRequest(method string, uri *url.URL, body io.R } queryParams := req.URL.Query() for _, param := range extraURLParams { + if len(param.Method)>0 && param.Method != method { + continue + } probability, _ := strconv.Atoi(param.Probability) if 0 < probability { roll := insecureRand.Intn(99) + 1 From 3d70247f8b74adc8035dad0e70bf5b4d510e261d Mon Sep 17 00:00:00 2001 From: Timothy Makram Ghatas <47985652+TimBF@users.noreply.github.com> Date: Tue, 7 Jan 2025 15:33:29 +0100 Subject: [PATCH 5/5] Update httpclient.go - use updated uri for debug logs Signed-off-by: Timothy Makram Ghatas <47985652+TimBF@users.noreply.github.com> --- implant/sliver/transports/httpclient/httpclient.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/implant/sliver/transports/httpclient/httpclient.go b/implant/sliver/transports/httpclient/httpclient.go index d16c169d7..6652b97a9 100644 --- a/implant/sliver/transports/httpclient/httpclient.go +++ b/implant/sliver/transports/httpclient/httpclient.go @@ -434,7 +434,7 @@ func (s *SliverHTTPClient) ReadEnvelope() (*pb.Envelope, error) { s.NonceQueryArgument(uri, nonce) req := s.newHTTPRequest(http.MethodGet, uri, nil) // {{if .Config.Debug}} - log.Printf("[http] GET -> %s", uri) + log.Printf("[http] GET -> %s", req.URL) // {{end}} resp, rawRespData, err := s.DoPoll(req) if err != nil {