
fix url re-encoding issues #3294

Merged
merged 4 commits into from
Feb 10, 2023

Conversation


@tarunKoyalwar tarunKoyalwar commented Feb 9, 2023

Proposed changes

  • fix url re-encoding issue in non-unsafe templates

closes #3292

Checklist

  • Pull request is created against the dev branch
  • All checks passed (lint, unit/integration/regression tests etc.) with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

@tarunKoyalwar

$ ./nuclei -u scanme.sh -t ~/test/url-encode.yaml -debug

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v2.8.8

		projectdiscovery.io

[INF] Using Nuclei Engine 2.8.8 (latest)
[INF] Using Nuclei Templates 9.3.6 (latest)
[INF] Templates added in last update: 30
[INF] Templates loaded for scan: 1
[INF] Targets loaded for scan: 1
[INF] Running httpx on input host
[INF] Found 1 URL from httpx
[INF] [basic-raw-example] Dumped HTTP request for https://scanme.sh/


GET /%0D%0A HTTP/1.1
Host: scanme.sh
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

[DBG] [basic-raw-example] Dumped HTTP response https://scanme.sh/


HTTP/1.1 200 OK
Connection: close
Content-Length: 2
Content-Type: text/plain; charset=utf-8
Date: Thu, 09 Feb 2023 13:19:07 GMT

ok
[INF] [basic-raw-example] Dumped HTTP request for https://scanme.sh/
Set-Cookie:crlfinjection=crlfinjection

GET /%0D%0ASet-Cookie:crlfinjection=crlfinjection HTTP/1.1
Host: scanme.sh
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept-Encoding: gzip

[DBG] [basic-raw-example] Dumped HTTP response https://scanme.sh/
Set-Cookie:crlfinjection=crlfinjection

HTTP/1.1 200 OK
Connection: close
Content-Length: 2
Content-Type: text/plain; charset=utf-8
Date: Thu, 09 Feb 2023 13:19:07 GMT

ok
[INF] No results found. Better luck next time!

@tarunKoyalwar

Example Template

id: basic-raw-example

info:
  name: Test RAW Template
  author: pdteam
  severity: info

requests:
  - method: GET
    path:
      - "{{BaseURL}}/%0D%0A"

  - raw:
    - |+
        GET %0D%0ASet-Cookie:crlfinjection=crlfinjection HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
        Connection: close

    stop-at-first-match: true
    matchers:
      - type: regex
        regex:
          - '(?m)^(?:Set-Cookie\s*?:(?:\s*?|.*?;\s*?))(crlfinjection=crlfinjection)(?:\s*?)(?:$|;)'

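The bug this PR closes (#3292, double URL encoding in non-unsafe templates) comes from treating an already percent-encoded template path such as /%0D%0A as raw bytes and letting the URL library encode it a second time. The following is an added example, not nuclei's own code, showing the symptom next to an encoder that preserves well-formed %XX escapes while still encoding a bare '%' or a space; the function names are hypothetical.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// isHex reports whether c is an ASCII hexadecimal digit.
func isHex(c byte) bool {
	return ('0' <= c && c <= '9') || ('a' <= c && c <= 'f') || ('A' <= c && c <= 'F')
}

// shouldEscape reports whether a byte must be percent-encoded in a URL path.
// RFC 3986 unreserved characters and the path sub-delimiters stay literal.
func shouldEscape(c byte) bool {
	if 'a' <= c && c <= 'z' || 'A' <= c && c <= 'Z' || '0' <= c && c <= '9' {
		return false
	}
	switch c {
	case '-', '_', '.', '~', '/', '!', '$', '&', '\'', '(', ')', '*', '+', ',', ';', '=', ':', '@':
		return false
	}
	return true
}

// NaiveEncode reproduces the double-encoding symptom: net/url sees the '%'
// in Path as a literal byte and emits /%250D%250A for /%0D%0A.
func NaiveEncode(p string) string {
	return (&url.URL{Path: p}).String()
}

// EscapePathKeepEncoded percent-encodes a path but copies existing,
// well-formed %XX escapes through verbatim, so /%0D%0A is sent as written.
// A '%' that is not followed by two hex digits is still encoded as %25.
func EscapePathKeepEncoded(p string) string {
	var b strings.Builder
	for i := 0; i < len(p); i++ {
		c := p[i]
		if c == '%' && i+2 < len(p) && isHex(p[i+1]) && isHex(p[i+2]) {
			b.WriteString(p[i : i+3]) // already an escape sequence: keep it
			i += 2
			continue
		}
		if shouldEscape(c) {
			fmt.Fprintf(&b, "%%%02X", c)
			continue
		}
		b.WriteByte(c)
	}
	return b.String()
}

func main() {
	p := "/%0D%0ASet-Cookie:crlfinjection=crlfinjection" // path from the template above
	fmt.Println("re-encoded:", NaiveEncode(p))
	fmt.Println("preserved: ", EscapePathKeepEncoded(p))
}
```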

@ehsandeep ehsandeep left a comment


Line break in verbose / debug mode.

[INF] [basic-raw-example] Dumped HTTP request for https://scanme.sh/
Set-Cookie:crlfinjection=crlfinjection

@tarunKoyalwar

$ ./nuclei -u scanme.sh -t ~/test/url-encode.yaml -v

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v2.8.8

		projectdiscovery.io

[INF] Using Nuclei Engine 2.8.8 (latest)
[INF] Using Nuclei Templates 9.3.6 (latest)
[INF] Templates added in last update: 30
[INF] Templates loaded for scan: 1
[INF] Targets loaded for scan: 1
[INF] Running httpx on input host
[INF] Found 1 URL from httpx
[VER] [basic-raw-example] Sent HTTP request to https://scanme.sh/%0D%0A
[VER] [basic-raw-example] Sent HTTP request to https://scanme.sh/%0D%0ASet-Cookie:crlfinjection=crlfinjection
[INF] No results found. Better luck next time!

@ehsandeep ehsandeep merged commit e622b98 into dev Feb 10, 2023
@ehsandeep ehsandeep deleted the issue-3292-url-reencoding branch February 10, 2023 12:58
Successfully merging this pull request may close these issues.

double url encoding issue in non-unsafe templates