raghavd3v / crlfsuite Goto Github PK
View Code? Open in Web Editor NEWThe most powerful CRLF injection (HTTP Response Splitting) scanner.
License: MIT License
The most powerful CRLF injection (HTTP Response Splitting) scanner.
License: MIT License
Traceback (most recent call last):
File "/usr/bin/crlfsuite", line 33, in
sys.exit(load_entry_point('CRLFsuite==2.0', 'console_scripts', 'crlfsuite')())
File "/usr/bin/crlfsuite", line 22, in importlib_load_entry_point
for entry_point in distribution(dist_name).entry_points
File "/usr/lib/python3.9/importlib/metadata.py", line 542, in distribution
return Distribution.from_name(distribution_name)
File "/usr/lib/python3.9/importlib/metadata.py", line 196, in from_name
raise PackageNotFoundError(name)
importlib.metadata.PackageNotFoundError: CRLFsuite
Please see the readme of this project: https://github.com/ItsIgnacioPortal/Improper-Quotes-Monitor
TL;DR: CRLFsuite is vulnerable to privilege escalation because it tries to access a file without quotation marks. More specifically, when I run crlfsuite --help
, python tries to run:
C:\Program Files\Python39\python.exe C:\Program Files\Python39\Scripts\crlfsuite-script.py --help
but because the path was not quoted properly, it actually runs:
C:\Program.exe Files\Python39\python.exe C:\Program Files\Python39\Scripts\crlfsuite-script.py --help
This vulnerability isn't super serious because crlfsuite doesn't need to be ran as Administrator at any point, and no "default" Windows configuration makes this exploitable. Old Windows versions (such as Windows 8.1) are still vulnerable though.
Traceback (most recent call last):
File "/usr/local/bin/crlfsuite", line 33, in
sys.exit(load_entry_point('CRLFsuite==2.0', 'console_scripts', 'crlfsuite')())
File "/usr/local/bin/crlfsuite", line 25, in importlib_load_entry_point
return next(matches).load()
File "/usr/lib/python3.10/importlib/metadata/init.py", line 171, in load
module = import_module(match.group('module'))
File "/usr/lib/python3.10/importlib/init.py", line 126, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/usr/local/lib/python3.10/dist-packages/CRLFsuite-2.0-py3.10.egg/crlfsuite/main.py", line 4, in
from crlfsuite.core.cli import url, threads, verbose, urls, silent, method, std, cookies, data, user_agent, timeout, verify, read_urls, output_file, s_payloads
ImportError: cannot import name 'verbose' from 'crlfsuite.core.cli' (/usr/local/lib/python3.10/dist-packages/CRLFsuite-2.0-py3.10.egg/crlfsuite/core/cli.py)
Is there any way to use both method GET/POST at same time?
I've installed CRLFsuite under Kali latest version with all updates.
$ git clone https://github.com/Nefcore/CRLFsuite.git
$ cd CRLFsuite
$ sudo python3 setup.py install
When I tried to run for the very first time got the error below.
$ crlfsuite -h
Traceback (most recent call last):
File "/usr/local/bin/crlfsuite", line 33, in <module>
sys.exit(load_entry_point('CRLFsuite==2.1.1', 'console_scripts', 'crlfsuite')())
File "/usr/local/bin/crlfsuite", line 25, in importlib_load_entry_point
return next(matches).load()
StopIteration
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.