url_encode does not encode properly for query parameters or form fields #979

Closed
xstevens opened this issue Aug 26, 2021 · 1 comment · Fixed by #980
Labels
Status: Completed Nothing further to be done with this issue. Awaiting to be closed.
Comments

@xstevens
Contributor

Describe the bug
The DSL functions url_encode and url_decode are backed by Go's url.PathEscape. As a result special characters such as & that might be included in attack payloads (e.g. command injection) won't be properly encoded for query parameters or form fields.

Nuclei version
2.4.3

Screenshot of the error or bug
Using a payload such as && cat /etc/passwd inside a command injection template, you might use something like this:

requests:
  - payloads:
      cmdexe: payloads/cmdexe/one.txt
      
    attack: sniper

    raw:
      - |
        GET /get?p={{url_encode(cmdexe)}} HTTP/1.1
        Host: {{Hostname}}
        Connection: close

      - |
        POST /post HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Connection: close

        p={{url_encode(cmdexe)}}

With the debug request option on, it sends the request:

GET /get?p=&&%20cat%20%2Fetc%2Fpasswd HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Accept: */*
Connection: close
Accept-Encoding: gzip

...

POST /post HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Length: 27
Accept: */*
Connection: close
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

p=&&%20cat%20%2Fetc%2Fpasswd

The payload is not correctly encoded.
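To make the difference concrete, here is an added example (not code from the issue or from the Nuclei project) that encodes the same payload with url.PathEscape and url.QueryEscape, then parses the resulting p=... pair the way a server would and reports what value the server sees for p. The payload string is the one from the issue; the function names are assumed for this example.

```go
package main

import (
	"fmt"
	"net/url"
)

// Sample payload from the issue text (constructed input for this example).
const payload = "&& cat /etc/passwd"

// encodeForPath mirrors what the DSL url_encode did: url.PathEscape leaves
// '&' untouched because '&' is legal inside a path segment, and encodes
// spaces as %20.
func encodeForPath(s string) string { return url.PathEscape(s) }

// encodeForQuery is the right choice for a query parameter or an
// application/x-www-form-urlencoded body: url.QueryEscape percent-encodes
// '&', '=' and '+' and turns spaces into '+'.
func encodeForQuery(s string) string { return url.QueryEscape(s) }

// roundTrip builds "p=<encoded>" and parses it with url.ParseQuery, which
// splits on '&' exactly as a server-side form parser would. It returns the
// value the server ends up seeing for parameter p.
func roundTrip(encoded string) (string, error) {
	values, err := url.ParseQuery("p=" + encoded)
	if err != nil {
		return "", err
	}
	return values.Get("p"), nil
}

func main() {
	encoders := []struct {
		name string
		fn   func(string) string
	}{{"PathEscape", encodeForPath}, {"QueryEscape", encodeForQuery}}
	for _, enc := range encoders {
		e := enc.fn(payload)
		got, err := roundTrip(e)
		// With PathEscape the unescaped '&' splits the pair, so p is empty;
		// with QueryEscape the server receives the payload intact.
		fmt.Printf("%-11s p=%s\n  server sees %q (err=%v, intact=%t)\n",
			enc.name, e, got, err, got == payload)
	}
}
```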

@Ice3man543 Ice3man543 linked a pull request Aug 26, 2021 that will close this issue
@Ice3man543
Member

@xstevens thank you for reporting this. This has been fixed in the dev branch by #980. This will be available in the next release.

@Ice3man543 Ice3man543 added the Status: Completed Nothing further to be done with this issue. Awaiting to be closed. label Aug 26, 2021
@ehsandeep ehsandeep added this to Done in v2.5.0 Aug 31, 2021