
Fix time-based matcher #575

Merged
merged 3 commits into from Feb 2, 2023

denandz (Contributor) commented Aug 1, 2022

The time-based matcher was being processed as a filter. This PR makes the time-matcher work as expected. The issue was that the `-mt` flag was being sunk into `AddFilter` instead of `AddMatcher`.

Here is a simple test setup. Run a test vuln webapp with `docker run -d -p 1234:8000 -it appsecco/dsvw` (there's a blind sqlite injection bug in here).

```
$ wget https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/SQL%20Injection/Intruder/Generic_TimeBased.txt
...yoink...

2022-08-01 19:55:30 (15.3 MB/s) - ‘Generic_TimeBased.txt’ saved [2351/2351]
$ while read -r i; do echo -n "$i" | ~/go/bin/pencode urlencode; echo; done < Generic_TimeBased.txt > urlencoded.txt
$ ~/go/src/github.com/ffuf/ffuf/ffuf -t 1 -u "http://127.0.0.1:1234/?id=§2§"  -mode sniper -w urlencoded.txt -mt ">1000"

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.5.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://127.0.0.1:1234/?id=§2§
 :: Wordlist         : FUZZ: urlencoded.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 1
 :: Matcher          : Response time: >1000
________________________________________________

RANDOMBLOB%28500000000%2F2%29 [Status: 200, Size: 1338, Words: 115, Lines: 11, Duration: 2125ms]
RANDOMBLOB%281000000000%2F2%29 [Status: 200, Size: 1338, Words: 115, Lines: 11, Duration: 4239ms]
:: Progress: [95/95] :: Job [1/1] :: 1295 req/sec :: Duration: [0:00:06] :: Errors: 0 ::
```

Fixes: #558

denandz (Contributor, Author) commented Aug 1, 2022

And an example using the filter instead, for completeness. This is working as expected and hasn't been modified by this PR.

```
$ ~/go/src/github.com/ffuf/ffuf/ffuf -t 1 -u "http://127.0.0.1:1234/?id=§2§" -mode sniper -w urlencoded.txt -mc all -ft "<1000"

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.5.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://127.0.0.1:1234/?id=§2§
 :: Wordlist         : FUZZ: urlencoded.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 1
 :: Matcher          : Response status: all
 :: Filter           : Response time: <1000
________________________________________________

RANDOMBLOB%28500000000%2F2%29 [Status: 200, Size: 1338, Words: 115, Lines: 11, Duration: 2122ms]
RANDOMBLOB%281000000000%2F2%29 [Status: 200, Size: 1338, Words: 115, Lines: 11, Duration: 4167ms]
:: Progress: [95/95] :: Job [1/1] :: 1182 req/sec :: Duration: [0:00:06] :: Errors: 0 ::
```
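To make the matcher-versus-filter distinction behind this PR concrete, here is an added Go example; it is not ffuf's own code and not part of the PR. It models a fuzzer that reports a response when at least one matcher accepts it and no filter rejects it (an evaluation order assumed here, not taken from ffuf), and wires the same `>1000` time condition three ways: into the filter list, as the pre-fix build did with `-mt` (with an assumed default status matcher left to select responses); into the matcher list, as `-mt ">1000"` is meant to work; and as the `-mc all -ft "<1000"` form from the comment above. The `Response`, `Condition`, `Config` and `Sample` names are constructed for the example; the two slow durations are taken from the runs above, the others are made up, and one sits exactly on the threshold.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Response is a minimal stand-in for one fuzzer result (constructed, not ffuf's type).
type Response struct {
	Payload  string
	Status   int
	Duration time.Duration
}

// Condition is a predicate on a response; matchers and filters share this shape.
type Condition func(Response) bool

// ParseTimeCondition turns ">1000" or "<1000" (milliseconds) into a predicate.
func ParseTimeCondition(spec string) (Condition, error) {
	spec = strings.TrimSpace(spec)
	if len(spec) < 2 || (spec[0] != '>' && spec[0] != '<') {
		return nil, fmt.Errorf("time condition %q: expected \">N\" or \"<N\"", spec)
	}
	ms, err := strconv.Atoi(strings.TrimSpace(spec[1:]))
	if err != nil || ms < 0 {
		return nil, fmt.Errorf("time condition %q: bad millisecond value", spec)
	}
	limit := time.Duration(ms) * time.Millisecond
	if spec[0] == '>' {
		return func(r Response) bool { return r.Duration > limit }, nil
	}
	return func(r Response) bool { return r.Duration < limit }, nil
}
// AllStatus accepts every response (-mc all); Status accepts one status code.
func AllStatus() Condition      { return func(Response) bool { return true } }
func Status(code int) Condition { return func(r Response) bool { return r.Status == code } }
// Config keeps the two lists apart; the PR's bug was that -mt landed in Filters.
type Config struct{ Matchers, Filters []Condition }
func anyOf(conds []Condition, r Response) bool {
	for _, cond := range conds {
		if cond(r) {
			return true
		}
	}
	return false
}
// IsMatch reports a response when some matcher accepts it and no filter rejects it
// (assumed evaluation order: matchers select, filters then discard).
func (c *Config) IsMatch(r Response) bool { return anyOf(c.Matchers, r) && !anyOf(c.Filters, r) }
// Reported returns the payloads of the responses that would be printed.
func Reported(c *Config, rs []Response) (out []string) {
	for _, r := range rs {
		if c.IsMatch(r) {
			out = append(out, r.Payload)
		}
	}
	return out
}

// Sample is constructed: two slow entries with the PR's durations, two fast ones, one at the threshold.
var Sample = []Response{
	{"fast-1", 200, 12 * time.Millisecond},
	{"fast-2", 200, 38 * time.Millisecond},
	{"boundary", 200, 1000 * time.Millisecond},
	{"RANDOMBLOB%28500000000%2F2%29", 200, 2125 * time.Millisecond},
	{"RANDOMBLOB%281000000000%2F2%29", 200, 4239 * time.Millisecond},
}

func mustTime(spec string) Condition {
	cond, err := ParseTimeCondition(spec)
	if err != nil {
		panic(err)
	}
	return cond
}

// BuggyConfig: -mt ">1000" sunk into Filters; an (assumed) default status matcher selects instead.
func BuggyConfig() *Config {
	return &Config{Matchers: []Condition{Status(200)}, Filters: []Condition{mustTime(">1000")}}
}

// FixedConfig: -mt ">1000" registered as a matcher, as the PR intends.
func FixedConfig() *Config {
	return &Config{Matchers: []Condition{mustTime(">1000")}}
}

// FilterConfig: the -mc all -ft "<1000" form from the follow-up comment.
func FilterConfig() *Config {
	return &Config{Matchers: []Condition{AllStatus()}, Filters: []Condition{mustTime("<1000")}}
}

func main() {
	fmt.Println("buggy :", Reported(BuggyConfig(), Sample))
	fmt.Println("fixed :", Reported(FixedConfig(), Sample))
	fmt.Println("filter:", Reported(FilterConfig(), Sample))
}
```

Run it with `go run`. The pre-fix wiring reports exactly the responses it should have dropped (the fast ones) and hides the slow ones, which is the inversion the PR describes. The matcher form and the filter form agree on the slow responses but not at the boundary: a response of exactly 1000 ms is neither `>1000` nor `<1000`, so `-mt ">1000"` drops it while `-mc all -ft "<1000"` keeps it. When the baseline response time of the target sits near the threshold, that boundary rule decides whether the two invocations produce the same findings.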

D3vil0p3r commented

> And an example using the filter instead, for completeness. This is working as expected and hasn't been modified by this PR.


Hello @denandz, when will this PR be merged?

denandz (Contributor, Author) commented Oct 22, 2022

> Hello @denandz, when will this PR be merged?

No idea, sorry. Question for @joohoi

joohoi merged commit 7bff9e7 into ffuf:master Feb 2, 2023

joohoi (Member) commented Feb 2, 2023

Sorry for the delay; I fixed the merge conflict I caused while this was in the PR queue. It's merged now :)

joohoi added a commit that referenced this pull request Feb 3, 2023
* Fix time-based matcher

* add time filter/matcher double quotes in readme

---------

Co-authored-by: Joona Hoikkala <joohoi@users.noreply.github.com>
Linked issue closed by this pull request: FFUF v1.5.0 Kali Exclusive - Bug on time-based matcher and not correct working on output