forked from ewilded/psychoPATH
-
Notifications
You must be signed in to change notification settings - Fork 0
/
TODO
34 lines (30 loc) · 2.29 KB
/
TODO
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
### TODO
- UTF:
Directory Traversal Checklist:
16 bit Unicode encoding:
. = %u002e, / = %u2215, \ = %u2216
Double URL encoding:
. = %252e, / = %252f, \ = %255c
UTF-8 Unicode encoding:
. = %c0%2e, %e0%40%ae, %c0ae, / = %c0%af, %e0%80%af, %c0%2f, \ = %c0%5c, %c0%80%5c
2 replies 42 retweets 129 likes
- mixed-encoding payloads ARE a good idea: https://hackerone.com/reports/307666
- Scanner integration for the LFI mode
- Scanner integration/full automation of the upload mode is also worth implementing - as an addition to semi-automated Intruder
- for foo.bar.com domains, add foobar, barfoo webroot targets
- consider /.. and ./ non-recursive filters
- add the ability to prefix the absolute path with the file:/// protocol handler
- add $ and > as default breakup sequences (works nice with python - these are automatically removed and not replaced with anything)
- add more configuration options:
- windows evasive techniques (the ones mentioned here https://soroush.secproject.com/blog/2014/07/file-upload-and-php-on-iis-wildcards/)
- any evasive techniques being a mix of \ and /? e.g. ....\/ -> rm ..\ -> ../
- add the ability to append the filename with arbitrary characters (manageable just like the break-up strings - useful for LFI mode, but could as well be used to bypass extension controls - which will be implemented as another mode -> another payload generator to use, once we're already able to upload legitimate files to the webroot) + configurable list of benign extensions (jpg, jpeg, png, gif, whatever)
- replace the lengthy screenshots with videos presenting different operation modes or a separate PDF
#### Nice-to-haves:
- test on different resolution, make sure the project is easily runnable/importable
- separate apache-like suffixes from the main list, they are there by default and do not go away once other than all/apache webroot set is picked
- more examples of test cases
- add a "Copy to clipboard" button for generated payloads, so the output payloads can be used with other tools
- add support for ZIP traversals
- extend the tool with extension control mode (defeating the filters in order to upload an executable - different tricks depending on the platform)??
- in case of a positive result, automatically track back the payload that did the trick (instead of the dir check mode?)