search

modzero / mod0BurpUploadScanner

HTTP file upload scanner for Burp Proxy
Other
483 stars 138 forks source link

Bug #77

Open naveenenushan opened 4 years ago

naveenenushan commented 4 years ago 
Traceback (most recent call last):
  File "/Users/naveen/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 981, in doActiveScan
    self.do_checks(injector)
  File "/Users/naveen/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 1088, in do_checks
    self._php_rce(injector)
  File "/Users/naveen/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 1088, in do_checks
    self._php_rce(injector)
  File "/Users/naveen/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 1725, in _php_rce
    self._servercode_rce_backdoored_file(injector, self._php_gen_payload,
  File "/Users/naveen/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 1968, in _servercode_rce_backdoored_file
    self._send_simple(injector, types, basename, content, redownload=True)
  File "/Users/naveen/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 4225, in _send_simple
    urrs.append(self._make_http_request(injector, req, redownload_filename=x))
  File "/Users/naveen/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 4380, in _make_http_request
    attack = self._callbacks.makeHttpRequest(service, req)
RuntimeException: java.lang.RuntimeException: supplier.viator.com

Upload Scanner Version: 1.0.8

Extension code location: doActiveScan
Jython version: 2.7.2 (v2.7.2:925a3cc3b49d, Mar 21 2020, 10:03:58)
[OpenJDK 64-Bit Server VM (Oracle Corporation)]
Java version: 14
Burp version: Burp Suite Professional 2020 9.2
Command line arguments: 
Was loaded from BApp: True
Request: 'POST /signup/media/avatar/289203/updateSingleMediaGallery?galleryRef=GAL-
dd389dc4-d418-4706-b828-a80bce9de470&x=0&y=0&width=300&height=300&aspectRatio=1_1 HTTP/1.1\r\nHost:
supplier.viator.com\r\nConnection: close\r\nContent-Length: 10191\r\nUser-Agent: Mozilla/5.0
(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121
Safari/537.36\r\nX-CSRF-TOKEN: 196e5330-1b18-4ec5-85cc-eade976387a4\r\nContent-Type: multipart/form-
data; boundary=----WebKitFormBoundary7bQFFYrzoXcYtxAa\r\nAccept: */*\r\nOrigin:
https://supplier.viator.com\r\nSec-Fetch-Site: same-origin\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-
Dest: empty\r\nReferer: https://supplier.viator.com/signup/public/profilePhoto\r\nAccept-Encoding:
gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\nCookie: x-viator-
tapersistentcookie=6693d095-24f0-4773-adec-a8123d13abac;
nspmarket=%7B%22m%22%3A%220%22%2C%22nid%22%3Anull%7D; _ga=GA1.2.108270628.1604412707;
_gid=GA1.2.1468974745.1604412707; SCSI=VM303503|X6Fp...