-
Notifications
You must be signed in to change notification settings - Fork 92
/
TODO
40 lines (35 loc) · 3.03 KB
/
TODO
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
### TODO
- there a minor issue with the directory checker - when payloads are removed from the relative dirs (the list coming from the "Propagate to psychoPATH" option), they are still used in the attack, prolly cause the intruder payload generator is operating on a copy instead of the list object directly
- consider replacing /etc/passwd -> root: detection pattern with /etc/resolv.conf -> nameserver or /etc/hosts -> localhost pattern (dockerized apps usually don't have passwd in the container)
- redirect support in scanner would also be nice, although seems a bit pain in the ass with the current API
- introduce best effort payloads
Add output encoding setting to the byte generator.
- UTF:
Directory Traversal Checklist:
16 bit Unicode encoding:
. = %u002e, / = %u2215, \ = %u2216
Double URL encoding:
. = %252e, / = %252f, \ = %255c
UTF-8 Unicode encoding:
. = %c0%2e, %e0%40%ae, %c0ae, / = %c0%af, %e0%80%af, %c0%2f, \ = %c0%5c, %c0%80%5c
- I don't think we ever generate payloads with the base value as suffix... https://t.co/tbI4Zfun7u ouch!
- mixed-encoding payloads ARE a good idea: https://hackerone.com/reports/307666
- Scanner integration for the LFI mode
- Scanner integration/full automation of the upload mode is also worth implementing - as an addition to semi-automated Intruder
- for foo.bar.com domains, add foobar, barfoo webroot targets
- consider /.. and ./ non-recursive filters
- add the ability to prefix the absolute path with the file:https:/// protocol handler
- add $ and > as default breakup sequences (works nice with python - these are automatically removed and not replaced with anything)
- add more configuration options:
- windows evasive techniques (the ones mentioned here https://soroush.secproject.com/blog/2014/07/file-upload-and-php-on-iis-wildcards/)
- any evasive techniques being a mix of \ and /? e.g. ....\/ -> rm ..\ -> ../
- add the ability to append the filename with arbitrary characters (manageable just like the break-up strings - useful for LFI mode, but could as well be used to bypass extension controls - which will be implemented as another mode -> another payload generator to use, once we're already able to upload legitimate files to the webroot) + configurable list of benign extensions (jpg, jpeg, png, gif, whatever)
- replace the lengthy screenshots with videos presenting different operation modes or a separate PDF
#### Nice-to-haves:
- test on different resolution, make sure the project is easily runnable/importable
- separate apache-like suffixes from the main list, they are there by default and do not go away once other than all/apache webroot set is picked
- more examples of test cases
- add a "Copy to clipboard" button for generated payloads, so the output payloads can be used with other tools
- add support for ZIP traversals
- extend the tool with extension control mode (defeating the filters in order to upload an executable - different tricks depending on the platform)??
- in case of a positive result, automatically track back the payload that did the trick (instead of the dir check mode?)