Parsing error in "-mode sniper"; "&" character is getting replaced by letter "Z" #579

@mchlstr

Description

Hi team,

When running the latest (v1.5.0) ffuf, I encountered the following issue.

I am not used to the Go language, but I think that an issue lies in the parser.
Explicitly, while the code is trying to execute this feature as mentioned in PR #469:

An array of requests is returned by SniperRequests, with one location specified by the user replaced by FUZZ in each request.

What is happening is that when substituting any but the last parameter, the & character is getting replaced by Z.

To showcase, I prepared a simple payload file as a word list:

$ cat payloads.txt
payload1
payload2
payload3
$ ffuf -w ./payloads.txt -u "http://127.0.0.1:8000/file?id=§a§&sort=§b§&test=§c§" -mode sniper

The following are the logs from my local web server.

::ffff:127.0.0.1 - - [13/Aug/2022 15:01:34] "GET /file?id=payload2Zsort=b&test=c HTTP/1.1" 200 -
::ffff:127.0.0.1 - - [13/Aug/2022 15:01:34] "GET /file?id=payload3Zsort=b&test=c HTTP/1.1" 200 -
::ffff:127.0.0.1 - - [13/Aug/2022 15:01:34] "GET /file?id=payload1Zsort=b&test=c HTTP/1.1" 200 -

::ffff:127.0.0.1 - - [13/Aug/2022 15:01:34] "GET /file?id=a&sort=payload3Ztest=c HTTP/1.1" 200 -
::ffff:127.0.0.1 - - [13/Aug/2022 15:01:34] "GET /file?id=a&sort=payload2Ztest=c HTTP/1.1" 200 -
::ffff:127.0.0.1 - - [13/Aug/2022 15:01:34] "GET /file?id=a&sort=payload1Ztest=c HTTP/1.1" 200 -

::ffff:127.0.0.1 - - [13/Aug/2022 15:01:34] "GET /file?id=a&sort=b&test=payload1 HTTP/1.1" 200 -
::ffff:127.0.0.1 - - [13/Aug/2022 15:01:34] "GET /file?id=a&sort=b&test=payload3 HTTP/1.1" 200 -
::ffff:127.0.0.1 - - [13/Aug/2022 15:01:34] "GET /file?id=a&sort=b&test=payload2 HTTP/1.1" 200 -

As you can see, file?id=§a§&sort=§b§&test=§c§ got replaced by file?id=payload2Zsort=b&test=c, making the request invalid.

I also tried an example mentioned by @denandz in Add Sniper Mode #469; however, the result remains the same.
It worked better, but the replace mechanism replaced the ] character with Z.

$ ffuf -w payloads.txt -u "http://127.0.0.1:8000/file?feature=§aaa§&thingie=§bbb§&array[§0§]=§baz§" --mode sniper

::ffff:127.0.0.1 - - [13/Aug/2022 15:02:33] "GET /file?feature=payload1&thingie=bbb&array[0]=baz HTTP/1.1" 200 -
::ffff:127.0.0.1 - - [13/Aug/2022 15:02:33] "GET /file?feature=payload3&thingie=bbb&array[0]=baz HTTP/1.1" 200 -
::ffff:127.0.0.1 - - [13/Aug/2022 15:02:33] "GET /file?feature=payload2&thingie=bbb&array[0]=baz HTTP/1.1" 200 -
::ffff:127.0.0.1 - - [13/Aug/2022 15:02:33] "GET /file?feature=aaa&thingie=payload1&array[0]=baz HTTP/1.1" 200 -
::ffff:127.0.0.1 - - [13/Aug/2022 15:02:33] "GET /file?feature=aaa&thingie=payload3&array[0]=baz HTTP/1.1" 200 -
::ffff:127.0.0.1 - - [13/Aug/2022 15:02:33] "GET /file?feature=aaa&thingie=payload2&array[0]=baz HTTP/1.1" 200 -

::ffff:127.0.0.1 - - [13/Aug/2022 15:02:33] "GET /file?feature=aaa&thingie=bbb&array[payload1Z=baz HTTP/1.1" 200 -
::ffff:127.0.0.1 - - [13/Aug/2022 15:02:33] "GET /file?feature=aaa&thingie=bbb&array[payload2Z=baz HTTP/1.1" 200 -
::ffff:127.0.0.1 - - [13/Aug/2022 15:02:33] "GET /file?feature=aaa&thingie=bbb&array[payload3Z=baz HTTP/1.1" 200 -

::ffff:127.0.0.1 - - [13/Aug/2022 15:02:33] "GET /file?feature=aaa&thingie=bbb&array[0]=payload1 HTTP/1.1" 200 -
::ffff:127.0.0.1 - - [13/Aug/2022 15:02:33] "GET /file?feature=aaa&thingie=bbb&array[0]=payload2 HTTP/1.1" 200 -
::ffff:127.0.0.1 - - [13/Aug/2022 15:02:33] "GET /file?feature=aaa&thingie=bbb&array[0]=payload3 HTTP/1.1" 200 -

I hope it will be fixed because I use ffuf regularly and find sniper integration an ingenious idea.

Thanks and good work!!
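As an added reference example (not ffuf's own code), here is a minimal Go implementation of the sniper-mode substitution described in the PR text quoted above, plus a regression check that the literal text around each §...§ location comes through unchanged, so a clobbered separator such as "payload2Zsort=b" is caught. The § marker and the template URLs are taken from this issue; the function names `splitTemplate`, `SniperRequests` and `SurroundingsIntact` are invented here.

```go
package main

import "fmt"
import "strings"

const marker = "§" // delimits a sniper-mode injection point, e.g. "§a§"

// splitTemplate splits input on §: even pieces are literal text (including the
// "&" and "]" separators), odd pieces are location defaults; nil if unbalanced.
func splitTemplate(input string) []string {
	if parts := strings.Split(input, marker); len(parts)%2 == 1 {
		return parts
	}
	return nil
}

// SniperRequests returns one request per location, with that location replaced
// by keyword and all others by their defaults. Literal pieces are joined back
// verbatim, so the byte after a closing § is never touched.
func SniperRequests(input, keyword string) []string {
	parts := splitTemplate(input)
	out := make([]string, 0, len(parts)/2)
	for fuzzed := 0; fuzzed < len(parts)/2; fuzzed++ {
		req := append([]string(nil), parts...) // copy, then swap in the keyword
		req[2*fuzzed+1] = keyword
		out = append(out, strings.Join(req, ""))
	}
	return out
}

// SurroundingsIntact is a regression check for this issue: putting each default
// back in place of keyword must give the template with all markers stripped.
func SurroundingsIntact(input, keyword string, reqs []string) bool {
	parts := splitTemplate(input)
	if len(reqs) != len(parts)/2 {
		return false
	}
	for i, r := range reqs {
		if strings.Replace(r, keyword, parts[2*i+1], 1) != strings.Join(parts, "") {
			return false
		}
	}
	return true
}

func main() {
	for _, r := range SniperRequests("/file?id=§a§&sort=§b§&test=§c§", "FUZZ") {
		fmt.Println(r)
	}
}
```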
