One of the checks for /proc/self/exe returns a binary directly to
terminal, which could print a several MB file out and also can cause
pain within a terminal due to a variety of escape sequences requiring a
"reset" to be performed.
This commit adds a check for ELF magic bytes to determine whether the
output is an ELF binary and if so it avoid writing it to stdout but
still writes it a local file.
Sample output:
```
[INFO]:Reading file : /proc/self/exe
ELF binary found - not printing to stdout
[INFO]:Writing file : /proc/self/exe to 127.0.0.1/_proc_self_exe
```
The specified "param" value should be entirely replaced by the payload.
This seems to work as expected when using POST values as it is entirely
reset. However, the GET value is replaced using regex, which was not
matching the entire value causing the original value to be appended to
the payload. For example, assuming the following value request:
```
GET /?url=https%3A%2F%2Fgoogle.com
```
A sample payload from the readfile module would become:
```
file:///etc/passwd://google.com
```
This is mostly due to the existing regex using a word (\w) match, which
prevents it from parsing "://" (%3A%2F%2F). Generally, query string
params should be properly urlencoded so we should be able to replace
anything after `param=` up until the default delimeter (&).
This is less of an issue if you just set the starting param to a string
(the example in data/request3.txt uses SSRF. However, based on the
provided example within the README, this may not be obvious to new users
and having consistency between starting payloads could be helpful.
This commit switches the regex from a word match (\w) to a negated
character class, matching everything up to the next ampersand (&).
- Swapped instances of format() to use fstrings for readability, as some of the format calls were convoluted:
- "".join("%{0:0>2}".format(format(ord(char), "x")) for char in string) => "".join([f"%{ord(char):0>2x}" for char in string])
- logging.info("Original file length: {}".format('{0:0{1}X}'.format(len(webshell_data),8))) => logging.info(f"Original file length: {len(webshell_data):08X}")
- Added missing 'module launched' message for SMTP
Swissky
Seng Kyaut
dependabot[bot]
Konstantinos Xynos
Daniel Corbett
MBharanya
Mili-NT
Mateus Pimentel
Mashaz
xyzkab
Maki