Scanner & path preparation fix. Magic concatenation support (#11)

Zigrin-Security · Jun 28, 2023 · b7f2546 · b7f2546
1 parent 6e95147
commit b7f2546
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 15 deletions.
diff --git a/cakefuzzer/phpfiles/AppInstrument.php b/cakefuzzer/phpfiles/AppInstrument.php
@@ -290,6 +290,8 @@ private function __get_http_path($path, $payloads, $payload_guid_phrase=null) {
         $fuzz_const = "_CAKE_FUZZER_";
         $pattern = "/${fuzz_const}[a-zA-Z0-9_]+/i";
         $inject = null;
+        $defaults = range(0,100);
+        $defaults = array_merge($defaults, array_fill(0, 200, null));
 
         preg_match_all($pattern, $path, $dynamic_parts);
 
@@ -304,7 +306,7 @@ private function __get_http_path($path, $payloads, $payload_guid_phrase=null) {
         $path = str_replace($inject, $selected_payload, $path);
         foreach($dynamic_parts[0] as $dyn_part) {
             if($inject !== $dyn_part) {
-                $path = str_replace($dyn_part, rand(0,100), $path); # TODO: Take this from config maybe?
+                $path = str_replace($dyn_part, $defaults[array_rand($defaults)], $path); # TODO: Take this from config maybe?
             }
         }
 

diff --git a/cakefuzzer/phpfiles/MagicObjects.php b/cakefuzzer/phpfiles/MagicObjects.php
@@ -128,17 +128,12 @@ public function getAndSaveForFurtherGets($key) {
         // This is not supported and lacks saving payload first probably
         if(is_string($is_injectable)) return $is_injectable;
 
-        // Draw payload
-        if(is_null($this->_payloads)) {
-            $details = array(
-                'superglobal'=> $this->_superglobal_name,
-                'original' => $this->original,
-                'parameters' => $this->parameters
-            );
-            warning(array(array('error'=>'Superglobal does not have any payloads. This should not happen.', 'details'=>$details)));
-            die;
-        }
+        $payload = $this->_drawPayload();
+        $this->parameters[$key] = $payload;
+        return $payload;
+    }
 
+    protected function _drawPayload() {
         // Draw payload type
         $r = rand() % 5;
         if($this->_prefix !== '') $r = 5; // Assume prefix is only in _SERVER. No arrays there.
@@ -157,7 +152,6 @@ public function getAndSaveForFurtherGets($key) {
             $payload = $this->_replaceDynamic($this->_payloads[array_rand($this->_payloads)]);
         }
 
-        $this->parameters[$key] = $payload;
         return $payload;
     }
 
@@ -253,7 +247,8 @@ protected function _replaceDynamic($payload) {
     }
 
     public function __toString() {
-        return $this->_superglobal_name.'_magic';
+        // return $this->_superglobal_name.'_magic';
+        return $this->_drawPayload();
     }
 }
 

diff --git a/cakefuzzer/scanners/utils.py b/cakefuzzer/scanners/utils.py
@@ -67,12 +67,13 @@ def get_vulnerability_objects(
                 if "CAKEFUZZER_PAYLOAD_GUID" in match.groupdict().keys()
                 else None
             )
+            detection_location = []
             if context_location is not None:
                 locations = find_html_location(self.string, detection_result)
                 detection_location = fnmatch.filter(locations, context_location)
 
             # If the context location is not where it should be, skip it
-            if detection_location is None or detection_location == []:
+            if detection_location == []:
                 continue
 
             vulnerabilities.append(
@@ -100,7 +101,7 @@ def get_vulnerability_objects(
 def find_html_location(
     contents: str,
     phrase: str,
-) -> None:
+) -> List[str]:
     soup = BeautifulSoup(contents, "html.parser")
     tags = []
     for tag in soup.find_all():