search

vladko312 / SSTImap

Automatic SSTI detection tool with interactive interface
GNU General Public License v3.0
861 stars 103 forks source link

How to tell SSTImap test form a form WebKit? #29

Open alasalamont opened 11 months ago

alasalamont commented 11 months ago

Hi, assume I have this POST request 

POST / HTTP/1.1]
Host: example.com
Content-Length: 1092
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzZgoVbc9kBDZDmAs
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close

------WebKitFormBoundaryzZgoVbc9kBDZDmAs
Content-Disposition: form-data; name="CSRF_TOKEN"

ns0h_eslIv0RNFTCJLEK4puKCu-QaMVmWFJCVG8ZWnP0LhReRUtGI_j6DJ-TQGelTkYFgGzYcInK-W6p4Ru9IxIWchcidxNekB9xFhR6FHw=
-----WebKitFormBoundaryzZgoVbc9kBDZDmAs
Content-Disposition: form-data; name="action"

sprout-forms/entries/save-entry
------WebKitFormBoundaryzZgoVbc9kBDZDmAs
Content-Disposition: form-data; name="handle"

contact
------WebKitFormBoundaryzZgoVbc9kBDZDmAs
Content-Disposition: form-data; name="fields[email]"

test@gmail.com
------WebKitFormBoundaryzZgoVbc9kBDZDmAs
Content-Disposition: form-data; name="fields[phone][country]"

US
------WebKitFormBoundaryzZgoVbc9kBDZDmAs
Content-Disposition: form-data; name="fields[phone][phone]"

(201) 555-0123
------WebKitFormBoundaryzZgoVbc9kBDZDmAs
Content-Disposition: form-data; name="fields[message]"

test
------WebKitFormBoundaryzZgoVbc9kBDZDmAs
Content-Disposition: form-data; name="alojs01dca85956cc7cf638dda2c9642df2fd"

alojs01dca85956cc7cf638dda2c9642df2fd
------WebKitFormBoundaryzZgoVbc9kBDZDmAs--

How I can tell SSTImap test in from the input of field of Webkit form? I did try to use flag --load-form but it does not work

Regards!

vladko312 commented 11 months ago

Currently, SSTImap is not supporting multipart/form-data content type. I am working on it, so hopefully I would be able to release an update soon enough.

vladko312 commented 11 months ago

In 1.2.0 it should be possible through text and fromhex data types. Can you verify?

Proper multipart/form-data support would be added later

alasalamont commented 11 months ago

Can you instruc me the command line? I did try

python3 sstimap.py -u http://example.com -m POST --load-forms ./form --data-type fromhex
python3 sstimap.py -u http://example.com -m POST --load-forms ./form --data-type fromhex
python3 sstimap.py -u http://example.com -m POST --load-forms ./form

Where form is the form that I saved from Burpsuite

And here is the output

[*] Version: 1.2.0
[*] Author: @vladko312
[*] Based on Tplmap
[!] LEGAL DISCLAIMER: Usage of SSTImap for attacking targets without prior mutual consent is illegal.
It is the end user's responsibility to obey all applicable local, state and federal laws.
Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] Loaded plugins by categories: languages: 5; legacy_engines: 2; engines: 17
[*] Loaded request body types: 4

[-] Error occurred while loading forms from file:
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
[*] Scanning url: http://example.com
[-] Tested parameters appear to be not injectable.
vladko312 commented 11 months ago

--load-forms is used to load forms saved by --save-forms.

For now, SSTImap lacks the ability to load requests or request bodies from files. I will work on this feature.

--data-type fromhex requires you to hex-encode data before adding injection markers. For example: 536f6d6509*1b62797465730d0a00 This can be done to preserve line endings (0d0a, \r\n) or other unusual bytes

alasalamont commented 11 months ago

--load-forms is used to load forms saved by --save-forms.

For now, SSTImap lacks the ability to load requests or request bodies from files. I will work on this feature.

--data-type fromhex requires you to hex-encode data before adding injection markers. For example: 536f6d6509*1b62797465730d0a00 This can be done to preserve line endings (0d0a, \r\n) or other unusual bytes

If am I not understanding wrong, for this WebKit form, I have to use --data-type fromhex,

Based on the example above, assume I want to test on fields[message] at word test. I have to hex encode data 2 part

------WebKitFormBoundaryzZgoVbc9kBDZDmAs Content-Disposition: form-data; name="fields[message]" test ``` Then concatenate with Marker `*`, and concatenate with Part 2 + Part 2: Everything behind the `test` at part 1, which are ``` ------WebKitFormBoundaryzZgoVbc9kBDZDmAs Content-Disposition: form-data; name="alojs01dca85956cc7cf638dda2c9642df2fd" alojs01dca85956cc7cf638dda2c9642df2fd ------WebKitFormBoundaryzZgoVbc9kBDZDmAs-- ``` will be also `hex-encoded` too So the final command will be ``` python3 sstimap.py -u http://example.com -m POST -d "*" --data-type fromhex ``` Am I right?
vladko312 commented 11 months ago

Yes, fromhex would be better as you would be able to preserve \r\n line endings as 0d0a