search

wapiti-scanner / wapiti

Web vulnerability scanner written in Python3
https://github.com/wapiti-scanner/wapiti
GNU General Public License v2.0
1.2k stars 180 forks source link

crawl exclude not working #595

Closed e2002e closed 4 months ago

e2002e commented 4 months ago

Hello, I'm trying to fuzz a website which requires session cookie, so using -x option. But it doesn't skip the url, still fuzzing logout, I have given the complete url: https://www2.website/members/login_proc.php

I also got this error when using exclude, I don't find out when it appears or not.

Traceback (most recent call last):
  File "/usr/bin/wapiti", line 33, in <module>
    sys.exit(load_entry_point('wapiti3==3.0.4', 'console_scripts', 'wapiti')())
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/wapitiCore/main/wapiti.py", line 1206, in wapiti_main
    wap.browse()
  File "/usr/lib/python3/dist-packages/wapitiCore/main/wapiti.py", line 328, in browse
    for resource in explorer.explore(self._start_urls, self._excluded_urls):
  File "/usr/lib/python3/dist-packages/wapitiCore/net/crawler.py", line 659, in explore
    regexes.append(wildcard_translate(excluded_url))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/wapitiCore/net/crawler.py", line 95, in wildcard_translate
    return re.compile(res + r'\Z(?ms)')
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/re/__init__.py", line 227, in compile
    return _compile(pattern, flags)
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/re/__init__.py", line 294, in _compile
    p = _compiler.compile(pattern, flags)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/re/_compiler.py", line 743, in compile
    p = _parser.parse(p, flags)
        ^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/re/_parser.py", line 980, in parse
    p = _parse_sub(source, state, flags & SRE_FLAG_VERBOSE, 0)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/re/_parser.py", line 455, in _parse_sub
    itemsappend(_parse(source, state, verbose, nested + 1,
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/re/_parser.py", line 841, in _parse
    raise source.error('global flags not at the start '
re.error: global flags not at the start of the expression at position 63

The argument is of the form: --exclude 'http://www2.website.com/chatville/members/login_proc.php'

I must specify that it's a POST form, maybe I need to exclude all parameters instead of the URL ?

Wapiti-3.0.4 (wapiti.sourceforge.io) Debian 12