Support sending the payload in the body by using the --body flag.

orf · Jul 19, 2017 · 17ae46d · 17ae46d
1 parent 0c7cd71
commit 17ae46d
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 34 deletions.
diff --git a/README.rst b/README.rst
@@ -26,33 +26,42 @@ Install:
 
 .. code:: console
 
-    pip3 install xcat
+   pip3 install xcat
 
 **Note:** This requires Python 3.5 and above to run.
 
 
 .. code-block:: console
 
-    > xcat --help
-    XCat.
+   > xcat --help
 
-    Usage:
-        xcat <url> <target_parameter> [<parameters>]... (--true-string=<string> | --true-code=<code>) [--method=<method>]
-             [--fast] [--oob-ip=<ip> (--oob-port=<port>)] [--stats] [--concurrency=<val>]
-             [--features] [--body=<body>] [--cookie=<cookie>] [(--shell | --shellcmd=<cmd>)]
-        xcat detectip
+   XCat.
+
+   Usage:
+       xcat <url> <target_parameter> [<parameters>]... (--true-string=<string> | --true-code=<code>) [--method=<method>]
+            [--fast] [--oob-ip=<ip> (--oob-port=<port>)] [--stats] [--concurrency=<val>]
+            [--features] [--body] [--cookie=<cookie>] [(--shell | --shellcmd=<cmd>)]
+       xcat detectip
+
+   Options:
+       -s, --shell                 Open the psudo-shell for exploring injections
+       -S, --shellcmd=<cmd>        Execute a single shell command.
+       -m, --method=<method>       HTTP method to use for requests [default: GET]
+       -o, --oob-ip=<ip>           Use this IP for OOB injection attacks
+       -p, --oob-port=<port>       Use this port for injection attacks
+       -x, --concurrency=<val>     Make this many connections to the target server [default: 10]
+       -b, --body                  Send the parameters in the request body as form data. Used with POST requests.
+       -c, --cookie=<cookie>       A string that will be sent as the Cookie header
+       -f, --fast                  Only fetch the first 15 characters of string values
+       -t, --true-string=<string>  Interpret this string in the response body as being a truthful request. Negate with '!'
+       -tc, --true-code=<code>     Interpret this status code as being truthful. Negate with '!'
+       --stats                     Print statistics at the end of the session
 
-    Options:
-        -s, --shell                 Open the psudo-shell for exploring injections
-        -S, --shellcmd=<cmd>        Execute a single shell command.
-        -m, --method=<method>       HTTP method to use for requests [default: GET]
-        -o, --oob-ip=<ip>           Use this IP for OOB injection attacks
-        -p, --oob-port=<port>       Use this port for injection attacks
-        --stats                     Print statistics at the end of the session
-        -x, --concurrency=<val>     Make this many connections to the target server [default: 10]
-        -b, --body=<body>           A string that will be sent in the request body
-        -c, --cookie=<cookie>       A string that will be sent as the Cookie header
-        -f, --fast                  Only fetch the first 15 characters of string values
 
 
 More examples and documentation can be found at http://xcat.readthedocs.org/
+
+Example Application
+-------------------
+
+There is a vulnerable Java web application for testing/demoing available here: https://github.com/orf/xcat_app
diff --git a/xcat/cli.py b/xcat/cli.py
@@ -4,7 +4,7 @@
 Usage:
     xcat <url> <target_parameter> [<parameters>]... (--true-string=<string> | --true-code=<code>) [--method=<method>]
          [--fast] [--oob-ip=<ip> (--oob-port=<port>)] [--stats] [--concurrency=<val>]
-         [--features] [--body=<body>] [--cookie=<cookie>] [(--shell | --shellcmd=<cmd>)]
+         [--features] [--body] [--cookie=<cookie>] [(--shell | --shellcmd=<cmd>)]
     xcat detectip
 
 Options:
@@ -13,11 +13,13 @@
     -m, --method=<method>       HTTP method to use for requests [default: GET]
     -o, --oob-ip=<ip>           Use this IP for OOB injection attacks
     -p, --oob-port=<port>       Use this port for injection attacks
-    --stats                     Print statistics at the end of the session
     -x, --concurrency=<val>     Make this many connections to the target server [default: 10]
-    -b, --body=<body>           A string that will be sent in the request body
+    -b, --body                  Send the parameters in the request body as form data. Used with POST requests.
     -c, --cookie=<cookie>       A string that will be sent as the Cookie header
     -f, --fast                  Only fetch the first 15 characters of string values
+    -t, --true-string=<string>  Interpret this string in the response body as being a truthful request. Negate with '!'
+    -tc, --true-code=<code>     Interpret this status code as being truthful. Negate with '!'
+    --stats                     Print statistics at the end of the session
 """
 import asyncio
 import operator
@@ -157,6 +159,9 @@ def make_match_function(arguments) -> Callable[[Response, str], bool]:
         true_code_invert = True
         true_code = true_code[1:]
 
+    if true_code:
+        true_code = int(true_code)
+
     true_string, true_string_invert = arguments['--true-string'] or '', False
 
     if true_string.startswith('!'):

diff --git a/xcat/requester.py b/xcat/requester.py
@@ -26,7 +26,7 @@ def __init__(self, url: str, target_parameter: str, parameters: List[str],
                  session: aiohttp.ClientSession, concurrency=None, method="get",
                  injector: Callable[[str, str], str] = None,
                  external_ip=None, external_port=0,
-                 fast=False, cookie='', body='', structure_only=False):
+                 fast=False, cookie='', body=False, structure_only=False):
         self.url = url
         self.parameters = process_parameters(parameters)
 
@@ -96,25 +96,18 @@ def payload_to_parameters(self, payload: str):
     async def check(self, payload) -> bool:
         async with self.semaphore:
             params = self.payload_to_parameters(payload)
-            paramsAsString = "";
-            for k,v in params.items():
-                paramsAsString = paramsAsString + "&"+k+"="+v;
 
             headers = {}
             if self.cookie:
                 headers['Cookie'] = self.cookie
 
             start = time.time()
-            if self.method.upper() == "POST":
+
+            if self.body:
                 headers['Content-Type'] = "application/x-www-form-urlencoded"
-                body = self.body
-                if self.body:
-                    body = body + paramsAsString
-                else:
-                    body = paramsAsString[1:]
-                response = await self.session.request(self.method, self.url, data=body, headers=headers)
+                response = await self.session.request(self.method, self.url, data=params, headers=headers)
             else:
-                response = await self.session.request(self.method, self.url, params=params, data=self.body, headers=headers)
+                response = await self.session.request(self.method, self.url, params=params, headers=headers)
 
             body = await response.text()
             request_time = time.time() - start