Feature request: auto leak information

vladko312 / SSTImap

Automatic SSTI detection tool with interactive interface

GNU General Public License v3.0

755 stars 89 forks source link

Feature request: auto leak information #23

Open ImJoke opened 1 year ago

ImJoke commented 1 year ago

This feature will work like {{config|attr(request.args.a)}}&a=__init__ that leaking information like token, etc. Btw don't forget for the obfuscator

In my case if the web only be injectable with POST data, I need to change from {{config|attr(request.args.a)}}&a=__init__ to {{config|attr(request.args.a)}} and change the url path to http://<IP>/?a=__init__

vladko312 commented 1 year ago

Information disclosure is planned, but WAF bypasses are really hard to automate, as there are just too many things that can be blocked.