w13scan
paramsCombination has a copy problem when generating payloads
Taking the command injection plugin as an example, `new_data = copy.deepcopy(data)` should be placed inside the for loop. In the source code it is outside the for loop, so after one set of payloads is appended to result, the next iteration of the for loop modifies the previous new_data, and in the end all payloads are the same; the payloads are never actually iterated over.

```python
def paramsCombination(self, data: dict, place=PLACE.GET, url_flag={}, hint=POST_HINT.NORMAL, urlsafe='/\\'):
    result = []
    payloads = url_flag.keys()
    for spli in ['', ';', "&&", "|"]:
        if place == PLACE.POST:
            if hint == POST_HINT.NORMAL:
                for key, value in data.items():
                    for payload in payloads:
                        # Fresh copy per payload, so tuples already in result are not overwritten
                        new_data = copy.deepcopy(data)
                        print("payload : ", payload)
                        new_data[key] = spli + payload #...
                        print("new_data : ", new_data)
                        print((key, value, payload, new_data, url_flag[payload]))
                        result.append((key, value, payload, new_data, url_flag[payload]))
```
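The aliasing described in this report, reduced to a stand-alone check that counts how many distinct request bodies the generator really produces. This is an added example, not code from w13scan or from the issue author: `params_combination`, `audit`, the sample data, and the assumed original placement of the copy (once per key, outside the payload loop) are all hypothetical.

```python
import copy

# Constructed sample input; payload strings are inert placeholders.
DATA = {"host": "127.0.0.1", "count": "1"}
URL_FLAG = {"PAYLOAD_A": "flag_a", "PAYLOAD_B": "flag_b", "PAYLOAD_C": "flag_c"}
SEPARATORS = ['', ';', "&&", "|"]  # same separators as the snippet in the report


def params_combination(data, url_flag, copy_per_payload):
    """Simplified stand-in for the POST/NORMAL branch (hypothetical helper)."""
    result = []
    for spli in SEPARATORS:
        for key, value in data.items():
            # Assumed original placement: one copy per key, shared by all payloads.
            new_data = copy.deepcopy(data)
            for payload in url_flag:
                if copy_per_payload:
                    new_data = copy.deepcopy(data)  # placement proposed in the report
                new_data[key] = spli + payload
                result.append((key, value, payload, new_data, url_flag[payload]))
    return result


def audit(result):
    """Return (distinct dict objects, tuples whose dict lost its own payload)."""
    distinct = len({id(t[3]) for t in result})
    stale = sum(1 for key, _, payload, new_data, _ in result
                if not new_data[key].endswith(payload))
    return distinct, stale


if __name__ == "__main__":
    for label, flag in (("shared copy", False), ("copy per payload", True)):
        res = params_combination(DATA, URL_FLAG, flag)
        print(label, len(res), audit(res))
```

With the shared copy, 24 tuples collapse onto 8 dict objects and 16 of them no longer carry the payload they are labelled with, so a scanner built on this list silently tests far fewer inputs than it reports.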
Feel free to submit a PR.