vladko312 / SSTImap

Automatic SSTI detection tool with interactive interface
GNU General Public License v3.0

Parameter support issues. #14

Open sectroyer opened 1 year ago

sectroyer commented 1 year ago

SSTImap lacks a '-p' (or equivalent) switch for specifying the injection parameter.

Also it would be nice to have some improvement in case of multiple parameters like here:

[*] Javascript plugin is testing rendering with tag '*'
[*] Javascript plugin is testing ;*// code context escape with 6 variations
[*] Javascript plugin is testing blind injection
[*] Javascript plugin is testing ;*// code context escape with 6 variations
[*] Testing if POST parameter 'csrf' is injectable
[*] Ejs plugin is testing rendering with tag '*'
[*] Ejs plugin is testing %>*<%# code context escape with 6 variations
[*] Ejs plugin is testing blind injection
[*] Ejs plugin is testing %>*<%# code context escape with 6 variations
[*] Freemarker plugin is testing rendering with tag '*'
[*] Freemarker plugin is testing }* code context escape with 6 va

It's hard to find the line where it switches to a new parameter. Even a change to something like this would help a lot:

[*] Javascript plugin is testing rendering with tag '*'
[*] Javascript plugin is testing ;*// code context escape with 6 variations
[*] Javascript plugin is testing blind injection
[*] Javascript plugin is testing ;*// code context escape with 6 variations

[*] Testing if POST parameter 'csrf' is injectable
[*] Ejs plugin is testing rendering with tag '*'
[*] Ejs plugin is testing %>*<%# code context escape with 6 variations
[*] Ejs plugin is testing blind injection
[*] Ejs plugin is testing %>*<%# code context escape with 6 variations
[*] Freemarker plugin is testing rendering with tag '*'
[*] Freemarker plugin is testing }* code context escape with 6 va

Maybe even a different color of the "Testing..." line...

vladko312 commented 1 year ago

I will probably change the color. Also, have you set an injection marker (*) as a parameter you need?

sectroyer commented 1 year ago

Nope, I didn't. It wasn't clear to me if it works or not :)

vladko312 commented 1 year ago

I made URL/form and parameter changing stand out a bit more.

Can you verify?

As for marker usage, it requires some documentation, so the issue will remain open for now.

sectroyer commented 1 year ago

Yes this green color looks much better 👍

vladko312 commented 1 year ago

Thank you for your feedback! I will close this issue after creating some documentation.

sectroyer commented 1 year ago

After some more testing I have noticed one issue with current logging:

[*] Testing if POST parameter 'TEST' is injectable

Since it's in green and ends with "parameter XYZ is injectable" it often confuses me. Though I know the tool and notice it after a second. Still I think something like this:

[*] Testing injection on POST parameter 'TEST'

Especially since sqlmap logs "... is injectable" so that's probably why it confuses me 😄

vladko312 commented 1 year ago

Maybe, I will change the colour to yellow and change the text as well

vladko312 commented 10 months ago

Should be more clear in 1.2.0.

Can you verify?