Fix XML inject + example 4

2024-06-08 23:29:47 +02:00 · 2024-06-08 23:29:47 +02:00 · 92146f2bcd
parent febd5df763
commit 92146f2bcd
3 changed files with 24 additions and 21 deletions
--- a/core/requester.py
+++ b/core/requester.py
@ -103,20 +103,8 @@ class Requester(object):
                            proxies=self.proxies
                        )

-                    # Handle FORM data
-                    else:
-                        if param == '': data_injected = value
-                        r = requests.post(
-                            self.protocol + "://" + self.host + self.action, 
-                            headers=header_injected, 
-                            data=data_injected,
-                            timeout=timeout,
-                            stream=stream,
-                            verify=False,
-                            proxies=self.proxies
-                        )
-                else:
-                    if self.headers['Content-Type'] and "application/xml" in self.headers['Content-Type']:
+                    # Handle XML data
+                    elif self.headers['Content-Type'] and "application/xml" in self.headers['Content-Type']:
                        if "*FUZZ*" in data_injected['__xml__']:

                            # replace the injection point with the payload
@ -136,9 +124,23 @@ class Requester(object):
                        else:
                            logging.error("No injection point found ! (use -p)")
                            exit(1)  
+
+                    # Handle FORM data
                    else:
-                        logging.error("No injection point found ! (use -p)")
-                        exit(1)  
+                        if param == '': data_injected = value
+                        r = requests.post(
+                            self.protocol + "://" + self.host + self.action, 
+                            headers=header_injected, 
+                            data=data_injected,
+                            timeout=timeout,
+                            stream=stream,
+                            verify=False,
+                            proxies=self.proxies
+                        )
+
+                else:
+                    logging.error("No injection point found ! (use -p)")
+                    exit(1)  
            else:
                # String is immutable, we don't have to do a "forced" copy
                regex = re.compile(param+"=([^&]+)")
--- a/examples/example.py
+++ b/examples/example.py
@ -5,6 +5,7 @@
 from flask import Flask, request 
 import re
 import subprocess
+import urllib.parse

 app = Flask(__name__)

@ -39,15 +40,16 @@ def ssrf3():
@app.route("/ssrf4", methods=['POST'])
 def ssrf4():
    data = request.data
-    print(data.decode())
    regex = re.compile("url>(.*?)</url")
    try:
-        url = regex.findall(data.decode())[0]
+        data = urllib.parse.unquote(data)
+        url = regex.findall(data)[0]
+        print(url)
        content = command(f"curl {url}")
        return content
+    
    except Exception as e:
-        return e
-
+        print(e)

 # curl -v "http://127.0.0.1:5000/ssrf5" -H 'X-Custom-Header: http://example.com'
@app.route("/ssrf5", methods=['GET'])
--- a/modules/readfiles.py
+++ b/modules/readfiles.py
@ -1,7 +1,6 @@
 from core.utils import *
 import logging
 import os
-from argparse import ArgumentParser

 name          = "readfiles"
 description   = "Read files from the target"