Inject GET parameter in POST request #42

Closed
Tompazi opened this issue Sep 18, 2016 · 7 comments

Tompazi commented Sep 18, 2016

Hi, I like your tool a lot, but I have a problem.

Here is a simplified version of what I want to do:

commix -u http://10.0.0.1/index.pl?INJECT_HERE --data=$POST_DATA

I want to inject into the URL (yes directly after the '?' there is no parameter name), but commix sees it's a POST request and happily starts to inject POST parameters, completely ignoring the INJECT_HERE tag in the URL. Even with a parameter name and the '-p' option it only looks for the parameter in the post data.
ONLY POST PARAMETERS ARE TESTED.

Is there currently a way to do this? If not, I really think this should be possible to do with commix without having to write an HTTP proxy that adds the post data afterwards...

Also, I miss the possibility to skip parameters/tests during tests; please tell me if this is possible.

Using version 1.3.16 as delivered in Kali Linux.

Cheers


stasinopoulos commented Sep 19, 2016

Hey @Tompazi, try to use the "*" wildcard in order to specify where to inject (in the URI) i.e. commix -u http://10.0.0.1/index.pl?*


Tompazi commented Sep 19, 2016

Same result, keep in mind there is also POST data.

Also:

$ grep INJECT_TAG /usr/share/commix/src/utils/settings.py
INJECT_TAG = "INJECT_HERE"
$ grep VERSION_NUM /usr/share/commix/src/utils/settings.py -m 1
VERSION_NUM = "1.3.16"

Am I using the wrong version?

@stasinopoulos

Try to use commix -u http://10.0.0.1/index.pl?* and then enter your post data.


Tompazi commented Sep 19, 2016

I'm sorry, but what do you mean? How should I enter my post data? I do it like this:

commix -u http://10.0.0.1/index.pl?* --data=$POST_DATA

It's still only injecting the post parameters.

@stasinopoulos

You should be entering it like this: commix -u http://10.0.0.1/index.pl/* --data="POST_DATA" (without the $ symbol). For example, if there are two POST A and B parameters and you want to test the URL itself, you should write: commix -u http://10.0.0.1/index.pl/* --data="A=whatever&B=whatever". (The "INJECT_HERE" is replaced by "*".) For more info, please check Commix Wiki Page at https://github.com/stasinopoulos/commix/wiki/Usage-Examples.


Tompazi commented Sep 19, 2016

I think we are not communicating correctly. Look at this, is this intended behavior? I do not want to test the post parameters.
[Screenshots: commix1, commix2]


github-actions bot commented Feb 1, 2022

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related issues.
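
The request shape discussed in this thread, a POST request whose URL also carries a query string with no parameter name, as an added example (not commix code and not written by either participant): a small Python helper that lists every client-controlled field of such a request and reports which ones a test run or validation layer left uncovered. The function names and sample values are assumptions made for illustration.

```python
from urllib.parse import urlsplit, unquote_plus


def input_surfaces(url, body=""):
    """List every client-controlled field as (location, name, value).

    The query string is parsed whether or not a body is present, and a
    query with no '=' (for example index.pl?value) is kept with name None.
    """
    surfaces = []
    for location, raw in (("query", urlsplit(url).query), ("body", body)):
        for chunk in filter(None, raw.split("&")):
            name, sep, value = chunk.partition("=")
            if sep:
                surfaces.append((location, unquote_plus(name), unquote_plus(value)))
            else:
                # Nameless token: the whole chunk is the value.
                surfaces.append((location, None, unquote_plus(chunk)))
    return surfaces


def untested(surfaces, tested_locations):
    """Return the surfaces whose location was not covered by a test run."""
    return [s for s in surfaces if s[0] not in tested_locations]


# Constructed sample mirroring the request shape in this thread.
SAMPLE_URL = "http://10.0.0.1/index.pl?report%202016"
SAMPLE_BODY = "A=whatever&B=whatever"

if __name__ == "__main__":
    found = input_surfaces(SAMPLE_URL, SAMPLE_BODY)
    for location, name, value in found:
        print(f"{location:5} name={name!r} value={value!r}")
    # A run that only exercised the POST body leaves the URL input unchecked.
    print("untested:", untested(found, {"body"}))
```
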
