
fix --slice when using fuzzres payload
xmendez committed Nov 2, 2020
1 parent 2b547b9 commit 7d52087
Showing 3 changed files with 45 additions and 5 deletions.
31 changes: 31 additions & 0 deletions docs/user/advanced.rst
Expand Up @@ -633,6 +633,37 @@ The specified expression must return a boolean value, an example, using the uniq
It is worth noting that, the type of payload dictates the available language symbols. For example, a dictionary payload such as in the example
above does not have a full FuzzResult object context and therefore object fields cannot be used.

When slicing a FuzzResult payload, you are accessing the FuzzResult directly, therefore given a previous session such as::

$ wfuzz -z range --zD 0-0 -u http://www.google.com/FUZZ --oF /tmp/test1
...
000000001: 404 11 L 72 W 1558 Ch "0"
...

this can be used to filter the payload::

$ wfpayload -z wfuzzp --zD /tmp/test1 --slice "c=404"
...
000000001: 404 11 L 72 W 1558 Ch "0"
...

$ wfpayload -z wfuzzp --zD /tmp/test1 --slice "c!=404"
...
wfuzz.py:168: UserWarning:Fatal exception: Empty dictionary! Please check payload or filter.
...

In fact, in this situation, FUZZ refers to the previous result (if any)::

$ wfuzz -z wfuzzp --zD /tmp/test1 -u FUZZ --oF /tmp/test2
...
000000001: 404 11 L 72 W 1558 Ch "http://www.google.com/0"
...

$ wfpayload -z wfuzzp --zD /tmp/test2 --efield r.headers.response.date --efield FUZZ[r.headers.response.date]
...
000000001: 404 11 L 72 W 1558 Ch "http://www.google.com/0 | Mon, 02 Nov 2020 19:29:03 GMT | Mon, 02 Nov 2020 19:27:27 GMT"
...

Re-writing a payload
"""""""

17 changes: 13 additions & 4 deletions src/wfuzz/dictionaries.py
@@ -1,6 +1,6 @@
from .exception import FuzzExceptNoPluginError, FuzzExceptBadOptions
from .facade import Facade
from .filters.ppfilter import FuzzResFilterSlice
from .filters.ppfilter import FuzzResFilterSlice, FuzzResFilter
from .fuzzobjects import FuzzWord, FuzzWordType


Expand Down Expand Up @@ -119,7 +119,8 @@ def next_word(self):

class SliceIt(BaseDictionary):
def __init__(self, payload, slicestr):
self.ffilter = FuzzResFilterSlice(filter_string=slicestr)
self.ffilter = FuzzResFilter(filter_string=slicestr)
self.ffilter_slice = FuzzResFilterSlice(filter_string=slicestr)
self.payload = payload

def count(self):
Expand All @@ -128,10 +129,18 @@ def count(self):
def get_type(self):
return self.payload.get_type()

def _get_filtered_value(self, item):
if item.type == FuzzWordType.FUZZRES:
filter_ret = self.ffilter.is_visible(item.content)
else:
filter_ret = self.ffilter_slice.is_visible(item.content)

return filter_ret

def next_word(self):
# can be refactored using the walrus operator in python 3.8
item = next(self.payload)
filter_ret = self.ffilter.is_visible(item.content)
filter_ret = self._get_filtered_value(item)

if not isinstance(filter_ret, bool) and item.type == FuzzWordType.FUZZRES:
raise FuzzExceptBadOptions(
Expand All @@ -140,7 +149,7 @@ def next_word(self):

while isinstance(filter_ret, bool) and not filter_ret:
item = next(self.payload)
filter_ret = self.ffilter.is_visible(item.content)
filter_ret = self._get_filtered_value(item)

if not isinstance(filter_ret, bool):
return FuzzWord(filter_ret, item.type)
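Review bot: `_get_filtered_value` in the `def count` hunk has no docstring, so a reader of `next_word` cannot tell why `SliceIt` now holds two filters built from the same `slicestr` or which one applies to which payload; suggested docstring: `"""Evaluate the slice expression against item: the full FuzzResFilter when the payload yields FuzzResult objects, the restricted FuzzResFilterSlice for plain words."""`. Since the payload's type is already exposed through `self.payload.get_type()`, the filter could presumably be chosen once in `__init__` instead of being re-dispatched per item, and it is worth confirming whether both filter classes parse the expression at construction, because then every `SliceIt` also parses an expression meant for one grammar under the other. Separately, the non-bool check right after the first `_get_filtered_value` call raises for `FuzzWordType.FUZZRES`, but the `while` loop in the last hunk exits on a non-bool result for a later item and falls through to `return FuzzWord(filter_ret, item.type)` without that check; this looks pre-existing rather than introduced here, and `next_word` continues past the end of the hunk.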
2 changes: 1 addition & 1 deletion tests/test_acceptance.py
Expand Up @@ -178,7 +178,7 @@
(
"test_desc_assign_fuzz_symbol_op",
"-z range,1-1 {}/FUZZ".format(HTTPBIN_URL),
"-z wfuzzp,$$PREVFILE$$ --slice FUZZ[r.url]:=FUZZ[r.url]|replace('1','2') FUZZ[url]",
"-z wfuzzp,$$PREVFILE$$ --slice r.url:=r.url|replace('1','2') FUZZ[url]",
["http://localhost:9000/2"],
None,
),
