Closed mchlstr closed 1 year ago
Good catch, I think we may be hitting a rune parsing issue in injectKeyword. Thanks for providing test cases, have replicated locally. Will take a look
Got it, the issue was with any single-character payload location between the section signs and the silly string slice logic. Have moved to a dedicated output slice, added in some tests, and opened the PR for the fix.
With the fix:
./ffuf -w ./payloads.txt -u "http://127.0.0.1:8000/file?id=§a§&sort=§b§&test=§c§" -mode sniper
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
127.0.0.1 - - [14/Aug/2022 11:55:43] code 404, message File not found
127.0.0.1 - - [14/Aug/2022 11:55:43] "GET /file?id=payload3&sort=b&test=c HTTP/1.1" 404 -
127.0.0.1 - - [14/Aug/2022 11:55:43] code 404, message File not found
127.0.0.1 - - [14/Aug/2022 11:55:43] "GET /file?id=payload1&sort=b&test=c HTTP/1.1" 404 -
127.0.0.1 - - [14/Aug/2022 11:55:43] code 404, message File not found
127.0.0.1 - - [14/Aug/2022 11:55:43] "GET /file?id=payload2&sort=b&test=c HTTP/1.1" 404 -
127.0.0.1 - - [14/Aug/2022 11:55:43] code 404, message File not found
127.0.0.1 - - [14/Aug/2022 11:55:43] "GET /file?id=a&sort=payload1&test=c HTTP/1.1" 404 -
127.0.0.1 - - [14/Aug/2022 11:55:43] code 404, message File not found
127.0.0.1 - - [14/Aug/2022 11:55:43] "GET /file?id=a&sort=payload2&test=c HTTP/1.1" 404 -
127.0.0.1 - - [14/Aug/2022 11:55:43] code 404, message File not found
127.0.0.1 - - [14/Aug/2022 11:55:43] "GET /file?id=a&sort=payload3&test=c HTTP/1.1" 404 -
127.0.0.1 - - [14/Aug/2022 11:55:43] code 404, message File not found
127.0.0.1 - - [14/Aug/2022 11:55:43] code 404, message File not found
127.0.0.1 - - [14/Aug/2022 11:55:43] "GET /file?id=a&sort=b&test=payload3 HTTP/1.1" 404 -
127.0.0.1 - - [14/Aug/2022 11:55:43] "GET /file?id=a&sort=b&test=payload2 HTTP/1.1" 404 -
127.0.0.1 - - [14/Aug/2022 11:55:43] code 404, message File not found
127.0.0.1 - - [14/Aug/2022 11:55:43] "GET /file?id=a&sort=b&test=payload1 HTTP/1.1" 404 -
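The Go example below is added here and is not ffuf's code or the fix from the PR. It shows one way to expand §-delimited sniper positions by splitting on the marker and writing into a separate output buffer, so a single-character position next to the two-byte § marker cannot overwrite the neighbouring & or ]. The function name sniperTemplates and the sample inputs are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// delim is the sniper-mode position marker seen in the thread. It is a
// two-byte UTF-8 sequence, so byte offsets and rune offsets differ.
const delim = "§"

// sniperTemplates is a hypothetical helper (not ffuf's injectKeyword). For
// each §...§ position it returns the template with that position replaced by
// keyword and every other position left at its default value.
func sniperTemplates(template, keyword string) ([]string, error) {
	parts := strings.Split(template, delim)
	// n balanced pairs give 2n markers, hence an odd number of parts.
	if len(parts)%2 == 0 {
		return nil, fmt.Errorf("unbalanced %s markers in %q", delim, template)
	}
	var out []string
	// Odd indexes are the values that sat between a pair of markers.
	for target := 1; target < len(parts); target += 2 {
		var b strings.Builder // dedicated output buffer; input is never re-sliced
		for i, p := range parts {
			if i == target {
				b.WriteString(keyword)
			} else {
				b.WriteString(p)
			}
		}
		out = append(out, b.String())
	}
	return out, nil
}

func main() {
	// Constructed input mirroring the URL used in the thread.
	ts, err := sniperTemplates("file?id=§a§&sort=§b§&test=§c§", "FUZZ")
	if err != nil {
		panic(err)
	}
	for _, t := range ts {
		fmt.Println(t)
	}
}
```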
Hey Dol!
Thank you for reacting so fast and for working on the issue. Glad that it was such an easy fix. And looking forward to testing this super handy sniper mode!
Best,
Hi team,
When running the latest (v1.5.0) ffuf, I encountered the following issue. I am not used to the Go language, but I think that an issue lies in the parser. Explicitly while the code is trying to execute this feature as mentioned in PR #469:
What is happening is that when substituting any but the last parameter, the & character is getting replaced by Z.
To showcase, I prepared a simple payload file as a word list:
And following are the logs from my local web server.
As you can see, file?id=§a§&sort=§b§&test=§c§ got replaced by file?id=payload2Zsort=b&test=c, making the request invalid.
I also tried an example mentioned by @denandz in Add Sniper Mode #469; however, the result remains the same. It worked better, but the replace mechanism replaced the ] character with Z.
I hope it will be fixed because I use ffuf regularly and find sniper integration an ingenious idea.
Thanks and good work!!