modzero / mod0BurpUploadScanner

HTTP file upload scanner for Burp Proxy

Evaluation of start and end marker #43

Closed luh2 closed 5 years ago

luh2 commented 5 years ago

Not sure this qualifies as a bug. I get a situation where the output contains the uploaded files like this:

<tr>
                    <td class="textdata">
                        <a href="attachment.do?reportId=3760&amp;attachmentId=1337&amp;action=1">
                            1${IFS}-write${IFS}|sleep${IFS}6.0|a0Xkd.pdf
                        </a>
                    </td>
                    <td class="textdata">
                        <input type="button" value="Delete" id="deleteAttachment" onclick="deleteAttachmentFile(1337)"/>
                    </td>
                </tr>

                <tr>
                    <td class="textdata">
                        <a href="attachment.do?reportId=3760&amp;attachmentId=1338&amp;action=1">
                            |ping -n 12.0 localhost|a0LAR.pdf
                        </a>
                    </td>
                    <td class="textdata">
                        <input type="button" value="Delete" id="deleteAttachment" onclick="deleteAttachmentFile(1338)"/>
                    </td>
                </tr>

So it is clear that the part that is interesting is the attachmentId. It is also obvious that it can be identified by the name that is right below it.

So it makes sense to set start marker to:

attachment.do?reportId=3760&amp;attachmentId=

end marker to:

${PYTHONSTR:'&amp;action=1">\n                          ${FILENAME}'}

What currently happens is that it will not select 1338 if the filename was |ping -n 12.0 localhost|a0LAR.pdf but rather

1337&amp;action=1">
                            1${IFS}-write${IFS}|sleep${IFS}6.0|a0Xkd.pdf
                        </a>
                    </td>
                    <td class="textdata">
                        <input type="button" value="Delete" id="deleteAttachment" onclick="deleteAttachmentFile(1337)"/>
                    </td>
                </tr>

                <tr>
                    <td class="textdata">
                        <a href="attachment.do?reportId=3760&amp;attachmentId=1338

So it matches the first occurrence of both statements. Since there is only one identifying data point, I was wondering if it would make sense to select the first occurrence of the one with the file marker (if there is one) and choose the other one as the closest preceding or following one (depending on whether the filename marker was in the end or start marker).

floyd-fuh commented 5 years ago

Yeah I see where that could be an issue. However, I think if you just set the end marker to &amp;action=1"> this should work just fine. I know this might still be an issue if that part is not there, but that's very much a corner case.

I recommend using a unique start marker. But the end marker can be whatever fits and doesn't need to be too unique. Also I recommend making them both as short as possible. And especially I recommend not using the $FILENAME if not absolutely necessary.
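To make the two matching strategies discussed in this thread concrete, here is an added example (not code from the issue or from mod0BurpUploadScanner itself) that runs both over the two table rows quoted above. It assumes that the current behaviour is "first occurrence of the start marker, then first occurrence of the end marker after it", as luh2 describes, and implements the proposed alternative of locating the `${FILENAME}`-bearing marker first and then taking the closest start marker before it (or the first end marker after it, when the filename sits in the start marker instead). The sample response is constructed from the rows in the issue with fixed indentation; `extract_first_occurrence`, `extract_anchored` and `PING_NAME`/`SLEEP_NAME` are names chosen for this example, and the extension's real marker code is not reproduced.

```python
# Constructed sample: the two rows quoted in the issue, with a fixed 12-space
# indent in front of the filename so the end-marker template below matches.
SAMPLE_RESPONSE = (
    '<tr>\n'
    '    <td class="textdata">\n'
    '        <a href="attachment.do?reportId=3760&amp;attachmentId=1337&amp;action=1">\n'
    '            1${IFS}-write${IFS}|sleep${IFS}6.0|a0Xkd.pdf\n'
    '        </a>\n'
    '    </td>\n'
    '</tr>\n'
    '<tr>\n'
    '    <td class="textdata">\n'
    '        <a href="attachment.do?reportId=3760&amp;attachmentId=1338&amp;action=1">\n'
    '            |ping -n 12.0 localhost|a0LAR.pdf\n'
    '        </a>\n'
    '    </td>\n'
    '</tr>\n'
)

SLEEP_NAME = '1${IFS}-write${IFS}|sleep${IFS}6.0|a0Xkd.pdf'   # first row's filename
PING_NAME = '|ping -n 12.0 localhost|a0LAR.pdf'                # second row's filename

# Markers as proposed in the issue: a non-unique start marker and an end marker
# that carries the filename placeholder (whitespace matched to the sample).
START_MARKER = 'attachment.do?reportId=3760&amp;attachmentId='
END_MARKER_TEMPLATE = '&amp;action=1">\n' + ' ' * 12 + '${FILENAME}'
SHORT_END_MARKER = '&amp;action=1">'   # the shorter end marker from the reply

PLACEHOLDER = '${FILENAME}'


def render(template, filename):
    """Substitute the filename placeholder; other '${...}' text (e.g. ${IFS}) is untouched."""
    return template.replace(PLACEHOLDER, filename)


def extract_first_occurrence(response, start, end):
    """Assumed current behaviour: first start marker, then first end marker after it."""
    s = response.find(start)
    if s == -1:
        return None
    s += len(start)
    e = response.find(end, s)
    if e == -1:
        return None
    return response[s:e]


def extract_anchored(response, start_tpl, end_tpl, filename):
    """Proposed behaviour: anchor on whichever marker carries ${FILENAME}.

    If the filename is in the end marker, find that end marker first and take the
    closest start marker before it. If it is in the start marker, find that start
    marker first and take the first end marker after it. With no placeholder at
    all, fall back to plain first-occurrence matching.
    """
    start = render(start_tpl, filename)
    end = render(end_tpl, filename)
    if PLACEHOLDER in end_tpl:
        e = response.find(end)
        if e == -1:
            return None
        s = response.rfind(start, 0, e)     # closest preceding start marker
        if s == -1:
            return None
        return response[s + len(start):e]
    if PLACEHOLDER in start_tpl:
        s = response.find(start)
        if s == -1:
            return None
        s += len(start)
        e = response.find(end, s)           # closest following end marker
        if e == -1:
            return None
        return response[s:e]
    return extract_first_occurrence(response, start, end)


if __name__ == '__main__':
    naive = extract_first_occurrence(SAMPLE_RESPONSE, START_MARKER, render(END_MARKER_TEMPLATE, PING_NAME))
    print('first-occurrence, filename in end marker:', repr(naive))
    print('anchored on filename (ping row):', extract_anchored(SAMPLE_RESPONSE, START_MARKER, END_MARKER_TEMPLATE, PING_NAME))
    print('anchored on filename (sleep row):', extract_anchored(SAMPLE_RESPONSE, START_MARKER, END_MARKER_TEMPLATE, SLEEP_NAME))
    print('first-occurrence, short end marker:', extract_first_occurrence(SAMPLE_RESPONSE, START_MARKER, SHORT_END_MARKER))
```

Running it reproduces the issue: the first-occurrence strategy returns a span that begins at `1337&amp;action=1">` and runs all the way to `attachmentId=1338`, exactly the garbage luh2 pasted, while the anchored strategy returns `1338` for the ping filename and `1337` for the sleep filename. The last line shows the trade-off behind the reply: with the short end marker the result is a clean id, but which row it comes from is decided entirely by the start marker, which is why the reply stresses making the start marker unique.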