BUG/MINOR: requester: fix GET param replacement

The specified "param" value should be entirely replaced by the payload.
This seems to work as expected when using POST values as it is entirely
reset. However, the GET value is replaced using regex, which was not
matching the entire value causing the original value to be appended to
the payload. For example, assuming the following value request:

```
GET /?url=https%3A%2F%2Fgoogle.com
```

A sample payload from the readfile module would become:

```
file:///etc/passwd://google.com
```

This is mostly due to the existing regex using a word (\w) match, which
prevents it from parsing "://" (%3A%2F%2F). Generally, query string
params should be properly urlencoded so we should be able to replace
anything after `param=` up until the default delimiter (&).

This is less of an issue if you just set the starting param to a string
(the example in data/request3.txt uses SSRF). However, based on the
provided example within the README, this may not be obvious to new users
and having consistency between starting payloads could be helpful.

This commit switches the regex from a word match (\w) to a negated
character class, matching everything up to the next ampersand (&).
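As an added example (not code from this commit or the project), the substitution from the hunk replayed on the request quoted in the message, first with the old `\w+` group and then with the new `[^&]+` group. The anchored variant at the end is my own assumption, not something this commit adds: it escapes the parameter name and anchors it to the start of the query or a preceding `&`, so `url` is not also rewritten inside `callback_url`.

```python
import re
import urllib.parse

# Constructed sample request target and payload, taken from the commit message.
SAMPLE_ACTION = "/?url=https%3A%2F%2Fgoogle.com"
PAYLOAD = "file:///etc/passwd"  # readfile-style payload


def inject_param(action: str, param: str, value: str, pattern: str) -> str:
    """Mirror of the committed logic: replace the value of `param` in `action`.

    `pattern` is the capture group for the old value. The committed code
    used "\\w+" before the fix and "[^&]+" after it.
    """
    regex = re.compile(param + "=(" + pattern + ")")
    # Percent-encode the payload so it is safe inside a query string.
    encoded = urllib.parse.quote(value, safe='')
    return re.sub(regex, param + '=' + encoded, action)


def inject_param_anchored(action: str, param: str, value: str) -> str:
    """Hardened variant (assumption, not the project's code).

    re.escape() protects against metacharacters in the parameter name, and
    the leading group only accepts a match at the start of the query or right
    after '&', so a longer parameter name that merely ends in `param` is left
    alone. '*' instead of '+' also lets an empty existing value be replaced.
    """
    regex = re.compile(r"(^|[?&])" + re.escape(param) + r"=[^&]*")
    encoded = urllib.parse.quote(value, safe='')
    # Re-emit the consumed delimiter via a function so nothing in the
    # parameter name or payload is interpreted as a backreference.
    return regex.sub(lambda m: m.group(1) + param + "=" + encoded, action)


if __name__ == "__main__":
    for pat in (r"\w+", r"[^&]+"):
        out = inject_param(SAMPLE_ACTION, "url", PAYLOAD, pat)
        print(pat, "->", urllib.parse.unquote(out))
```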
Daniel Corbett 2023-02-10 11:42:16 -05:00 committed by Daniel Corbett
parent c11f4efe28
commit 592af1d187
1 changed files with 1 additions and 1 deletions


@ -131,7 +131,7 @@ class Requester(object):
exit(1) exit(1)
else: else:
# String is immutable, we don't have to do a "forced" copy # String is immutable, we don't have to do a "forced" copy
regex = re.compile(param+"=(\w+)") regex = re.compile(param+"=([^&]+)")
value = urllib.parse.quote(value, safe='') value = urllib.parse.quote(value, safe='')
data_injected = re.sub(regex, param+'='+value, self.action) data_injected = re.sub(regex, param+'='+value, self.action)
r = requests.get( r = requests.get(
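Review bot: the new pattern `param+"=([^&]+)"` still interpolates `param` unescaped and without a left-hand anchor, so `re.sub` on the following line also rewrites any parameter whose name merely ends in the target name (for `param = "url"`, a `callback_url=...` pair in `self.action` is replaced too), and a name containing regex metacharacters is misparsed; this gap predates the change (`\w+` had it as well) but this is the line to close it. Suggest `re.compile(r"(^|[?&])" + re.escape(param) + "=([^&]+)")` and re-emitting the captured delimiter in the replacement.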