GithubHelp home page GithubHelp logo

Not working verify about dalfox HOT 5 CLOSED

hahwul avatar hahwul commented on August 10, 2024
Not working verify

from dalfox.

Comments (5)

hahwul avatar hahwul commented on August 10, 2024 
[W] Reflected Payload: cat='><iFrAme/src=jaVascRipt:alert(45) id=dalfox></iFramE>
    48 line:  syntax to use near ''><iFrAme/src=jaVascRipt:alert(45) id=dalfox></iFramE>' at l
 -  http://testphp.vulnweb.com/listproducts.php?cat=%27%3E%3CiFrAme%2Fsrc%3DjaVascRipt%3Aalert%2845%29+id%3Ddalfox%3E%3C%2FiFramE%3E

from dalfox.

hahwul avatar hahwul commented on August 10, 2024

코드에 io reader closer을 바이트로 변환해서 찍어보니..

[*] Start parameter analysis.. 🔍



◑ Waiting routines..

결국 값이 제대로 들어오지 않아 발생한 문제

from dalfox.

hahwul avatar hahwul commented on August 10, 2024 
bytes, _ := ioutil.ReadAll(resp.Body)
str := string(bytes)

vds := VerifyDOM(resp.Body)

느낌적인 느낌이 resp.Body 즉 웹 요청 이후의 ioReader가 강제로 closing되서 데이터가 없는 것 같음.
만들때도 이 문제 인지했었고, 일부러 defer 뺐었는데..

from dalfox.

hahwul avatar hahwul commented on August 10, 2024

https://golang.org/pkg/strings/#NewReader 참고

	r := ioutil.NopCloser(strings.NewReader("hello world")) // r type is io.ReadCloser
	
	// example to test r
	buf := new(bytes.Buffer)
	buf.ReadFrom(r)
	r.Close()
	s := buf.String()
	fmt.Println(s)

from dalfox.

hahwul avatar hahwul commented on August 10, 2024

VerifyDOM의 인자를 string으로 바꾸고, 내부에서 ReadCloser로 바꿈.

 21 func VerifyDOM(s string) bool { //(body io.ReadCloser) bool {
 22
 23         body := ioutil.NopCloser(strings.NewReader(s)) // r type is io.ReadCloser
 24         defer body.Close()

잘됨

[W] Reflected Payload: cat='><iFrAme/src=jaVascRipt:alert(45) class=dalfox></iFramE>
    48 line:  syntax to use near ''><iFrAme/src=jaVascRipt:alert(45) class=dalfox></iFramE>' a
[V] Injected Object from Payload: cat='><iFrAme/src=jaVascRipt:alert(45) class=dalfox></iFramE>

from dalfox.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.