nuclei/v2/cmd/tools/fuzzplayground/main.go

package main

import (
	"fmt"
	"io"
	"os/exec"
	"strconv"
	"strings"

	"github.com/labstack/echo/v4"
	"github.com/labstack/echo/v4/middleware"
	"github.com/projectdiscovery/retryablehttp-go"
)

func main() {
	e := echo.New()
	e.Use(middleware.Recover())
	e.Use(middleware.Logger())

	e.GET("/", indexHandler)
	e.GET("/info", infoHandler)
	e.GET("/redirect", redirectHandler)
	e.GET("/request", requestHandler)
	e.GET("/email", emailHandler)
	e.GET("/permissions", permissionsHandler)
	if err := e.Start("localhost:8082"); err != nil {
		panic(err)
	}
}

var bodyTemplate = `<html>
<head>
<title>Fuzz Playground</title>
</head>
<body>
%s
</body>
</html>`

func indexHandler(ctx echo.Context) error {
	return ctx.HTML(200, fmt.Sprintf(bodyTemplate, `<h1>Fuzzing Playground</h1><hr>
<ul>
<li><a href="/info?name=test&another=value&random=data">Info Page XSS</a></li>
<li><a href="/redirect?redirect_url=/info?name=redirected_from_url">Redirect Page OpenRedirect</a></li>
<li><a href="/request?url=https://example.com">Request Page SSRF</a></li>
<li><a href="/email?text=important_user">Email Page SSTI</a></li>
<li><a href="/permissions?cmd=whoami">Permissions Page CMDI</a></li>
</ul>
`))
}

func infoHandler(ctx echo.Context) error {
	return ctx.HTML(200, fmt.Sprintf(bodyTemplate, fmt.Sprintf("Name of user: %s%s%s", ctx.QueryParam("name"), ctx.QueryParam("another"), ctx.QueryParam("random"))))
}

func redirectHandler(ctx echo.Context) error {
	url := ctx.QueryParam("redirect_url")
	return ctx.Redirect(302, url)
}

func requestHandler(ctx echo.Context) error {
	url := ctx.QueryParam("url")
	data, err := retryablehttp.DefaultClient().Get(url)
	if err != nil {
		return ctx.HTML(500, err.Error())
	}
	defer data.Body.Close()

	body, _ := io.ReadAll(data.Body)
	return ctx.HTML(200, fmt.Sprintf(bodyTemplate, string(body)))
}

func emailHandler(ctx echo.Context) error {
	text := ctx.QueryParam("text")
	if strings.Contains(text, "{{") {
		trimmed := strings.SplitN(strings.Trim(text[strings.Index(text, "{"):], "{}"), "*", 2)
		if len(trimmed) < 2 {
			return ctx.HTML(500, "invalid template")
		}
		first, _ := strconv.Atoi(trimmed[0])
		second, _ := strconv.Atoi(trimmed[1])
		text = strconv.Itoa(first * second)
	}
	return ctx.HTML(200, fmt.Sprintf(bodyTemplate, fmt.Sprintf("Text: %s", text)))
}

func permissionsHandler(ctx echo.Context) error {
	command := ctx.QueryParam("cmd")
	fields := strings.Fields(command)
	cmd := exec.Command(fields[0], fields[1:]...)
	data, _ := cmd.CombinedOutput()

	return ctx.HTML(200, fmt.Sprintf(bodyTemplate, string(data)))
}
Added fuzzing support for query params + var dump feature (#2679) * Added fuzzing support for query params + var dump feature * Added query-fuzz integration test * Fixed payloads + added keys-regex fuzz parameter * Fixed interactsh not working + misc * Fixed evaluation + added global variables/dsl support to payloads * Misc fixes related to variables evaluations * Added http variables support to fuzz * misc * Misc * Added testing playground + misc renaming * Added support for path and raw request to fuzzing * Fixed fuzz integration test * Fixed variable unresolved issue * Add multiple parameter support with same name * Added parameter value as 'value' dsl variable for parts Co-authored-by: Sandeep Singh <sandeep@projectdiscovery.io> 2022-11-01 14:58:50 +00:00			`package main`

			`import (`
			`"fmt"`
Adding support to scan all v4/v6 IPs (#2709) * Adding support to scan all v4/v6 IPs * adding tests * metainput prototype * using new signature * fixing nil pointer * adding request context with metadata * removing log instruction * fixing merge conflicts * adding clone helpers * attempting to fix ipv6 square parenthesis wrap * fixing dialed ip info * fixing syntax * fixing output ip selection * adding integration tests * disabling test due to gh ipv6 issue * using ipv4 only due to GH limited networking * extending metainput marshaling * fixing hmap key * adding test for httpx integration * fixing lint error * reworking marshaling/id-calculation * adding ip version validation * improving handling non url targets * fixing condition check 2022-11-09 13:18:56 +00:00			`"io"`
Added fuzzing support for query params + var dump feature (#2679) * Added fuzzing support for query params + var dump feature * Added query-fuzz integration test * Fixed payloads + added keys-regex fuzz parameter * Fixed interactsh not working + misc * Fixed evaluation + added global variables/dsl support to payloads * Misc fixes related to variables evaluations * Added http variables support to fuzz * misc * Misc * Added testing playground + misc renaming * Added support for path and raw request to fuzzing * Fixed fuzz integration test * Fixed variable unresolved issue * Add multiple parameter support with same name * Added parameter value as 'value' dsl variable for parts Co-authored-by: Sandeep Singh <sandeep@projectdiscovery.io> 2022-11-01 14:58:50 +00:00			`"os/exec"`
			`"strconv"`
			`"strings"`

			`"github.com/labstack/echo/v4"`
			`"github.com/labstack/echo/v4/middleware"`
started move to retryablehttp 2023-03-02 13:54:01 +00:00			`"github.com/projectdiscovery/retryablehttp-go"`
Added fuzzing support for query params + var dump feature (#2679) * Added fuzzing support for query params + var dump feature * Added query-fuzz integration test * Fixed payloads + added keys-regex fuzz parameter * Fixed interactsh not working + misc * Fixed evaluation + added global variables/dsl support to payloads * Misc fixes related to variables evaluations * Added http variables support to fuzz * misc * Misc * Added testing playground + misc renaming * Added support for path and raw request to fuzzing * Fixed fuzz integration test * Fixed variable unresolved issue * Add multiple parameter support with same name * Added parameter value as 'value' dsl variable for parts Co-authored-by: Sandeep Singh <sandeep@projectdiscovery.io> 2022-11-01 14:58:50 +00:00			`)`

			`func main() {`
			`e := echo.New()`
			`e.Use(middleware.Recover())`
			`e.Use(middleware.Logger())`

			`e.GET("/", indexHandler)`
			`e.GET("/info", infoHandler)`
			`e.GET("/redirect", redirectHandler)`
			`e.GET("/request", requestHandler)`
			`e.GET("/email", emailHandler)`
			`e.GET("/permissions", permissionsHandler)`
			`if err := e.Start("localhost:8082"); err != nil {`
			`panic(err)`
			`}`
			`}`

			var bodyTemplate = `<html>
			`<head>`
			`<title>Fuzz Playground</title>`
			`</head>`
			`<body>`
			`%s`
			`</body>`
			</html>`

			`func indexHandler(ctx echo.Context) error {`
			return ctx.HTML(200, fmt.Sprintf(bodyTemplate, `<h1>Fuzzing Playground</h1><hr>
			`<ul>`
			`<li><a href="/info?name=test&another=value&random=data">Info Page XSS</a></li>`
			`<li><a href="/redirect?redirect_url=/info?name=redirected_from_url">Redirect Page OpenRedirect</a></li>`
			`<li><a href="/request?url=https://example.com">Request Page SSRF</a></li>`
			`<li><a href="/email?text=important_user">Email Page SSTI</a></li>`
			`<li><a href="/permissions?cmd=whoami">Permissions Page CMDI</a></li>`
			`</ul>`
			`))
			`}`

			`func infoHandler(ctx echo.Context) error {`
			`return ctx.HTML(200, fmt.Sprintf(bodyTemplate, fmt.Sprintf("Name of user: %s%s%s", ctx.QueryParam("name"), ctx.QueryParam("another"), ctx.QueryParam("random"))))`
			`}`

			`func redirectHandler(ctx echo.Context) error {`
			`url := ctx.QueryParam("redirect_url")`
			`return ctx.Redirect(302, url)`
			`}`

			`func requestHandler(ctx echo.Context) error {`
			`url := ctx.QueryParam("url")`
started move to retryablehttp 2023-03-02 13:54:01 +00:00			`data, err := retryablehttp.DefaultClient().Get(url)`
Added fuzzing support for query params + var dump feature (#2679) * Added fuzzing support for query params + var dump feature * Added query-fuzz integration test * Fixed payloads + added keys-regex fuzz parameter * Fixed interactsh not working + misc * Fixed evaluation + added global variables/dsl support to payloads * Misc fixes related to variables evaluations * Added http variables support to fuzz * misc * Misc * Added testing playground + misc renaming * Added support for path and raw request to fuzzing * Fixed fuzz integration test * Fixed variable unresolved issue * Add multiple parameter support with same name * Added parameter value as 'value' dsl variable for parts Co-authored-by: Sandeep Singh <sandeep@projectdiscovery.io> 2022-11-01 14:58:50 +00:00			`if err != nil {`
			`return ctx.HTML(500, err.Error())`
			`}`
			`defer data.Body.Close()`

Adding support to scan all v4/v6 IPs (#2709) * Adding support to scan all v4/v6 IPs * adding tests * metainput prototype * using new signature * fixing nil pointer * adding request context with metadata * removing log instruction * fixing merge conflicts * adding clone helpers * attempting to fix ipv6 square parenthesis wrap * fixing dialed ip info * fixing syntax * fixing output ip selection * adding integration tests * disabling test due to gh ipv6 issue * using ipv4 only due to GH limited networking * extending metainput marshaling * fixing hmap key * adding test for httpx integration * fixing lint error * reworking marshaling/id-calculation * adding ip version validation * improving handling non url targets * fixing condition check 2022-11-09 13:18:56 +00:00			`body, _ := io.ReadAll(data.Body)`
Added fuzzing support for query params + var dump feature (#2679) * Added fuzzing support for query params + var dump feature * Added query-fuzz integration test * Fixed payloads + added keys-regex fuzz parameter * Fixed interactsh not working + misc * Fixed evaluation + added global variables/dsl support to payloads * Misc fixes related to variables evaluations * Added http variables support to fuzz * misc * Misc * Added testing playground + misc renaming * Added support for path and raw request to fuzzing * Fixed fuzz integration test * Fixed variable unresolved issue * Add multiple parameter support with same name * Added parameter value as 'value' dsl variable for parts Co-authored-by: Sandeep Singh <sandeep@projectdiscovery.io> 2022-11-01 14:58:50 +00:00			`return ctx.HTML(200, fmt.Sprintf(bodyTemplate, string(body)))`
			`}`

			`func emailHandler(ctx echo.Context) error {`
			`text := ctx.QueryParam("text")`
			`if strings.Contains(text, "{{") {`
			`trimmed := strings.SplitN(strings.Trim(text[strings.Index(text, "{"):], "{}"), "*", 2)`
			`if len(trimmed) < 2 {`
			`return ctx.HTML(500, "invalid template")`
			`}`
			`first, _ := strconv.Atoi(trimmed[0])`
			`second, _ := strconv.Atoi(trimmed[1])`
			`text = strconv.Itoa(first * second)`
			`}`
			`return ctx.HTML(200, fmt.Sprintf(bodyTemplate, fmt.Sprintf("Text: %s", text)))`
			`}`

			`func permissionsHandler(ctx echo.Context) error {`
			`command := ctx.QueryParam("cmd")`
			`fields := strings.Fields(command)`
			`cmd := exec.Command(fields[0], fields[1:]...)`
			`data, _ := cmd.CombinedOutput()`

			`return ctx.HTML(200, fmt.Sprintf(bodyTemplate, string(data)))`
			`}`