Affected by GO-2022-0372 and 1 other vulnerabilities

GO-2022-0372: Subdomain Takeover in Interactsh server in github.com/projectdiscovery/interactsh

GO-2024-2907: Files or Directories Accessible to External Parties in ProjectDiscovery in github.com/projectdiscovery/interactsh

interactsh

module

v0.0.4 Latest Latest Go to latest Published: Aug 9, 2021 License: MIT

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/projectdiscovery/interactsh

Links

Open Source Insights

README ¶

Interactsh

An OOB interaction gathering server and client library

Features • Installation • Usage • Run Interactsh • Self-Hosting • Join Discord

Interactsh is an Open-Source Solution for Out of band Data Extraction, A tool designed to detect bugs that cause external interactions, For example - Blind SQLi, Blind CMDi, SSRF, etc.

Features

DNS/HTTP/SMTP Interaction support
CLI Client / Web Dashboard support
AES encryption with zero logging
Automatic ACME based Wildcard TLS w/ Auto Renewal
SELF Hosting version support

A hosted instance of the service with WEB UI is available at https://interact.projectdiscovery.io.

Note: As hosted version doesn't store anything locally, restarting server for maintenance / unexpected server crash / updates will result into loss of previous data.

Installing Interactsh Client

Interactsh Client requires go1.15+ to install successfully. Run the following command to get the repo -

▶ GO111MODULE=on go get -v github.com/projectdiscovery/interactsh/cmd/interactsh-client

Usage

interactsh-client -h

This will display help for the tool. Here are all the switches it supports.

Flag	Description	Example
n	Number of interactable URLs to generate (default 1)	interactsh-client -n 2
persistent	Enables persistent interactsh sessions	interactsh-client persistent
poll-interval	Number of seconds between each poll request (default 5)	interactsh-client -poll-interval 1
url	URL of the interactsh server (default "hxxps://interact.sh")	interactsh-client -url hxxps://example.com
json	Show JSON output	interactsh-client -json
o	Store interaction logs to file	interactsh-client -o logs.txt
v	Show verbose interaction	interactsh-client -v

Running Interactsh Client

This will generate single URL that can be used for interaction.

▶ interactsh-client

    _       __                       __       __  
   (_)___  / /____  _________ ______/ /______/ /_ 
  / / __ \/ __/ _ \/ ___/ __ '/ ___/ __/ ___/ __ \
 / / / / / /_/  __/ /  / /_/ / /__/ /_(__  ) / / /
/_/_/ /_/\__/\___/_/   \__,_/\___/\__/____/_/ /_/ v0.0.1

		projectdiscovery.io

[INF] Listing 1 URL for OOB Testing
[INF] c23b2la0kl1krjcrdj10cndmnioyyyyyn.interact.sh

[c23b2la0kl1krjcrdj10cndmnioyyyyyn] Received DNS interaction (A) from 172.253.226.100 at 2021-26-26 12:26
[c23b2la0kl1krjcrdj10cndmnioyyyyyn] Received DNS interaction (AAAA) from 32.3.34.129 at 2021-26-26 12:26
[c23b2la0kl1krjcrdj10cndmnioyyyyyn] Received HTTP interaction from 43.22.22.50 at 2021-26-26 12:26
[c23b2la0kl1krjcrdj10cndmnioyyyyyn] Received DNS interaction (MX) from 43.3.192.3 at 2021-26-26 12:26
[c23b2la0kl1krjcrdj10cndmnioyyyyyn] Received DNS interaction (TXT) from 74.32.183.135 at 2021-26-26 12:26
[c23b2la0kl1krjcrdj10cndmnioyyyyyn] Received SMTP interaction from 32.85.166.50 at 2021-26-26 12:26

Sending Interaction to Discord,Slack,Telegram with Notify

▶ interactsh-client | notify

Setting up self-hosted instance

Click here for details

Start with setting up Debian box, Debian is required as you need to setup your own Name servers.
Navigate to https://dcc.godaddy.com/manage/{{domain}}/dns/hosts > Advanced Features > Host names, add ns1 and ns2 as hostnames with the IP of your server.
Navigate to https://dns.godaddy.com/{{domain}}/nameservers > Enter my own nameservers (advanced) > Add ns1.{{domain}} and ns2.{{domain}} as name servers.
Installing interactsh-server on your server.

GO111MODULE=on go get -v github.com/projectdiscovery/interactsh/cmd/interactsh-server

Starting interactsh-server, to ensure server is always running in the background, make sure to start the server in the screen session.

interactsh-server -domain {{Domain}} -hostmaster admin@{{Domain}} -ip {{Server_IP}}

interactsh-server -domain example.com -hostmaster admin@example.com -ip XX.XX.XX.XX

Server setup should be completed with this, now client can be used to generate your own payloads.

Installing interactsh-client for using interactsh service.

GO111MODULE=on go get -v github.com/projectdiscovery/interactsh/cmd/interactsh-client

Running interactsh-client with self-hosted domain.

interactsh-client -url https://example.com

Acknowledgement

Interactsh is inspired from Burp Collaborator.

License

Interactsh is distributed under MIT License and made with 🖤 by the projectdiscovery team.

Directories ¶

Path	Synopsis
cmd
interactsh-client
interactsh-server
pkg
client
server
server/acme Package acme implements an automatically renewing acme wildcard certificate generation implementation that performs rolling updates on the http.Server.	Package acme implements an automatically renewing acme wildcard certificate generation implementation that performs rolling updates on the http.Server.
storage Package storage implements a encrypted storage mechanism for interactsh external interaction data.	Package storage implements a encrypted storage mechanism for interactsh external interaction data.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL