From 312a5de977a25bd6edee1f325507290d5e60bacd Mon Sep 17 00:00:00 2001
From: AJ ONeal
Date: Sat, 25 Aug 2018 00:37:46 -0600
Subject: [PATCH] v1.2.0 support --servername option for pentesting
---
 README.md | 11 +++++++++++
 cmd/sclient/main.go | 11 +++++++----
 sclient.go | 11 +++++++++--
 3 files changed, 27 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index 4da6c22..d23b949 100644
--- a/README.md
+++ b/README.md
@@ -69,6 +69,7 @@ sclient [flags]
 * flags
 * -k, --insecure ignore invalid TLS (SSL/HTTPS) certificates
+ * --servername spoof SNI (to disable use IP as <remote> and do not use this option)
 * remote
 * must have servername (i.e. example.com)
 * port is optional (default is 443)
@@ -112,3 +113,13 @@ Piping
 ```bash
 printf "GET / HTTP/1.1\r\nHost: telebit.cloud\r\n\r\n" | sclient telebit.cloud:443
 ```
+
+Testing for security vulnerabilities on the remote:
+
+```bash
+sclient -servername "Robert'); DROP TABLE Students;" example.com localhost:3000
+```
+
+```bash
+sclient -servername "../../../.hidden/private.txt" example.com localhost:3000
+```
diff --git a/cmd/sclient/main.go b/cmd/sclient/main.go
index ce58ce2..80ed00f 100644
--- a/cmd/sclient/main.go
+++ b/cmd/sclient/main.go
@@ -25,6 +25,7 @@ func usage() {
 func main() {
 flag.Usage = usage
 insecure := flag.Bool("k", false, "ignore bad TLS/SSL/HTTPS certificates")
+ servername := flag.String("servername", "", "specify a servername different from (to disable SNI use an IP as and do use this option)")
 flag.BoolVar(insecure, "insecure", false, "ignore bad TLS/SSL/HTTPS certificates")
 flag.Parse()
 remotestr := flag.Arg(0)
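Review bot: The help string of the new `servername` flag contradicts the README entry for the same option: it ends "and do use this option" where the README bullet says "do not use this option", and the two gaps in "different from (" and "as and" (presumably where a `<remote>` placeholder was lost) leave the `-h` output unreadable. Suggested: `servername := flag.String("servername", "", "SNI name to send instead of the remote host (to disable SNI, use an IP as the remote and leave this unset)")`. Keeping the empty default is what preserves the old behaviour, since tls.Dial only derives ServerName from the dial address when the field is empty; that is worth a word in the help text so users do not pass the remote host again. Go's flag package accepts both `-servername` and `--servername`, so the README's double-dash spelling needs no second registration like the `-k`/`--insecure` pair. The body of main continues outside this hunk.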
@@ -41,10 +42,12 @@ func main() {
 }
 }
- opts := &sclient.PipeOpts{}
- opts.RemotePort = 443
- opts.LocalAddress = "localhost"
- opts.InsecureSkipVerify = *insecure
+ opts := &sclient.PipeOpts{
+ RemotePort: 443,
+ LocalAddress: "localhost",
+ InsecureSkipVerify: *insecure,
+ ServerName: *servername,
+ }
 remote := strings.Split(remotestr, ":")
 //remoteAddr, remotePort, err := net.SplitHostPort(remotestr)
diff --git a/sclient.go b/sclient.go
index 49ed4cf..96303d1 100644
--- a/sclient.go
+++ b/sclient.go
@@ -46,6 +46,7 @@ type PipeOpts struct {
 LocalAddress string
 LocalPort int
 InsecureSkipVerify bool
+ ServerName string
 }
 type Tun struct{}
@@ -88,7 +89,10 @@ func pipe(r Rwc, w Rwc, t string) {
 func handleConnection(remote string, conn Rwc, opts *PipeOpts) {
 sclient, err := tls.Dial("tcp", remote,
- &tls.Config{InsecureSkipVerify: opts.InsecureSkipVerify})
+ &tls.Config{
+ ServerName: opts.ServerName,
+ InsecureSkipVerify: opts.InsecureSkipVerify,
+ })
 if err != nil {
 fmt.Fprintf(os.Stderr, "[error] (remote) %s\n", err)
@@ -111,7 +115,10 @@ func handleConnection(remote string, conn Rwc, opts *PipeOpts) {
 func (*Tun) DialAndListen(opts *PipeOpts) error {
 remote := opts.RemoteAddress + ":" + strconv.Itoa(opts.RemotePort)
 conn, err := tls.Dial("tcp", remote,
- &tls.Config{InsecureSkipVerify: opts.InsecureSkipVerify})
+ &tls.Config{
+ ServerName: opts.ServerName,
+ InsecureSkipVerify: opts.InsecureSkipVerify,
+ })
 if err != nil {
 fmt.Fprintf(os.Stderr, "[warn] '%s' may not be accepting connections: %s\n", remote, err)
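Review bot: `ServerName` is added as an exported field of the exported `PipeOpts` without a doc comment, and its interaction with `InsecureSkipVerify` is the part a caller is most likely to get wrong: unless verification is skipped, crypto/tls checks the server certificate against this name, so a spoofed value makes the handshake fail unless the certificate also covers it. Suggested comment above the field: `// ServerName is the SNI name sent in the TLS handshake; empty lets tls.Dial derive it from the remote address. Unless InsecureSkipVerify is set, the server certificate is verified against this name.` The neighbouring fields are undocumented as well, but this one carries the behaviour the commit introduces.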
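Review bot: The `&tls.Config{ServerName: …, InsecureSkipVerify: …}` literal is now built twice, here in handleConnection and again in the DialAndListen hunk that follows, so any further TLS setting (MinVersion, RootCAs, …) has to be added in two places and the two dial paths can quietly drift apart. A small method on `PipeOpts` removes the duplication and gives the SNI semantics a single documented home; both call sites then reduce to `tls.Dial("tcp", remote, opts.tlsConfig())`. The bodies of handleConnection and DialAndListen continue outside their hunks.
```go
// tlsConfig returns the client TLS configuration shared by both dial paths.
// An empty ServerName is left to tls.Dial, which derives it from the dial
// address and omits SNI when that address is an IP literal.
func (o *PipeOpts) tlsConfig() *tls.Config {
	return &tls.Config{
		ServerName:         o.ServerName,
		InsecureSkipVerify: o.InsecureSkipVerify,
	}
}

func handleConnection(remote string, conn Rwc, opts *PipeOpts) {
	sclient, err := tls.Dial("tcp", remote, opts.tlsConfig())
	// … unchanged: error reporting and piping …
```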