Closed johndoe2293022490 closed 1 year ago
Thank you for bringing this issue up!
We're going to discuss internally.
Maybe we send both URL encoded and non-encoded payloads at the target? This would cover the two use-cases but also increase request counts in large scale scans. Thoughts?
Make it an option, so large scale scans can exclude it as needed? --skip-unencoded-requests
🐛 Summary
The URL is encoded by the Requests library. Only URL-encoded attacks on the URI are being sent to the target(s), which is leading to false negatives.
I believe this is unexpected behavior, and the payload is intended to be sent via the URL as output by the script (not encoded). However, it is possible unencoded characters would just lead to more dropped packets, so it may be best to include both.
To reproduce
Steps to reproduce the behavior:
Expected behavior
Expected behavior would be to send a request containing the exact payload printed by the script. A function such as urllib.request.urlopen() is able to deliver the payload properly in the URL.
Any helpful log output or screenshots
The following code was added to send a non-URL-encoded request.
from urllib import parse as urlparse, request
from termcolor import cprint  # assumed source of the cprint() helper the script already uses
...
print("sending a payload using a different library...")
cprint(f"[•] URL: {url} | PAYLOAD: {payload}", "cyan")
# urlopen() does not percent-encode the query string, so the payload reaches
# the wire exactly as printed above (Requests would quote characters like '{').
request.urlopen(url + "?v=" + payload)
This was added to the end of the script to compare over Wireshark.
In this instance within a lab environment, the current script was not able to successfully attack a known vulnerable version due to this. Once modified to deliver the payload as printed, the attack was successful.
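As an added example (not code from the issue or from the scanner itself), the script below reproduces the Wireshark comparison without a sniffer: a loopback HTTP server records the raw request-target it receives, and the same constructed payload is sent once raw with urllib.request.urlopen(), as in the issue, and once percent-encoded. The parameter name v matches the snippet above; the payload, the server and the helper names are assumptions for this demo, and the payload is deliberately not an attack string.

```python
"""Added example: show the exact request-target a payload produces when sent
raw (urllib.request.urlopen, as in the issue) versus percent-encoded, using a
loopback HTTP server instead of Wireshark to capture what hits the wire.
Payload, parameter name and server are constructed for this demo."""
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import parse as urlparse, request

# http.client refuses request targets that contain spaces or control characters
# (InvalidURL), so such a payload never leaves the host. That is the
# "dropped" failure mode the issue worries about, and it shows up before any
# network I/O happens.
_DISALLOWED = re.compile(r"[\x00-\x20\x7f]")

# Constructed payload (not taken from any scanner) with characters that
# generic URL-encoding libraries percent-encode: '$', '{', '}', ':' and '/'.
SAMPLE_PAYLOAD = "${test:a/b}"


def request_target(path, param, payload, encode):
    """Build the request-target (path + query) exactly as it will be sent.

    encode=True mimics a library that percent-encodes the query value;
    encode=False sends the payload byte-for-byte as printed.
    """
    value = urlparse.quote(payload, safe="") if encode else payload
    return f"{path}?{param}={value}"


def is_sendable(target):
    """True if http.client will accept this request-target without raising."""
    return _DISALLOWED.search(target) is None


class _CaptureHandler(BaseHTTPRequestHandler):
    """Records the raw request-target of every GET it receives."""
    seen = []

    def do_GET(self):
        self.seen.append(self.path)      # exactly what arrived on the wire
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args):        # keep the demo output quiet
        pass


def send_and_capture(payload, encode):
    """Send the payload to a loopback server and return the request-target it saw."""
    target = request_target("/", "v", payload, encode)
    if not is_sendable(target):
        raise ValueError(f"http.client would reject this target: {target!r}")
    server = HTTPServer(("127.0.0.1", 0), _CaptureHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        url = f"http://127.0.0.1:{server.server_port}{target}"
        request.urlopen(url, timeout=5).close()   # same call as in the issue
        return _CaptureHandler.seen[-1]
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for encode in (False, True):
        label = "encoded" if encode else "raw    "
        print(label, "->", send_and_capture(SAMPLE_PAYLOAD, encode))
```

Two caveats matter when sending the raw form: http.client raises InvalidURL for any request-target containing a space or control character (is_sendable() flags those before the send), and urllib.request treats everything after a `#` as a fragment and never transmits it, so a payload containing `#` is silently truncated. Non-ASCII bytes in the request line also fail, since http.client encodes it as ASCII. Those are the cases where "send it unencoded" cannot work and only the encoded variant will reach the target, which is the argument for sending both.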