gobuster icon indicating copy to clipboard operation
gobuster copied to clipboard

Published 20 hours ago verified publisher icon OJ

[ERROR] Invalid control character in URL

Open duraki opened this issue 4 years ago • 3 comments

Firs time experiencing this issue via gobuster so any help is appreciated. Just scanning webcontent via raft-dir wordlist (from SecList) on a target (ie example.com). Running MacOS Catalina and latest gobuster version.

$  gobuster dir -w $HOME/util/other/SecLists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -u example.com/admin/ --wildcard -s 200
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://example.com/admin/
[+] Threads:        10
[+] Wordlist:       /Users/zz/util/other/SecLists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
[+] Status codes:   200
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/05/01 14:42:43 Starting gobuster
===============================================================
[ERROR] 2020/05/01 14:45:21 [!] parse http://example.com/admin/error_log: net/url: invalid control character in URL
===============================================================
2020/05/01 14:46:05 Finished
===============================================================

I suspect this is due to 503 response from the target (w/ verbose (-v) option). Would be nice if latest response (status) code is given in the stderr. WDYT?

duraki avatar May 01 '20 12:05 duraki

I am getting the same errors.

jdonsec avatar May 11 '20 02:05 jdonsec

I can't reproduct this on the latest version of gobuter. Can you please have a look at the wordlist on the error_log line with hexdump if there are any control characters included in the wordlist? You can also try it with the latest version of gobuster over here: https://github.com/OJ/gobuster/tree/v3.1-cleaned

firefart avatar May 11 '20 07:05 firefart

Forget my last comment, could reproduce it. The error_log value contains an invalid control character: error\x1f_log

Gobuster sends the wordlist as is so you can modify the input based on your needs. You can pipe the wordlist to gobuster and remove the control character with sed

firefart avatar May 11 '20 07:05 firefart

this error is now ignored on the dev branch and the bruteforce continues

firefart avatar Nov 25 '23 13:11 firefart

Much appreciated @firefart. Looking forward for merge w/in next releases

duraki avatar Nov 27 '23 12:11 duraki