gobusterfuzz: preserve percent-encoded sequences in wordlist words#647
Open
ChrisJr404 wants to merge 1 commit into OJ:master from
Conversation
When the user provides a wordlist that contains percent-encoded payloads (e.g. %2e%2e/etc/passwd for path-traversal fuzzing), gobuster fuzz currently double-encodes them on the wire because the FUZZ substitution writes raw bytes into url.Path which is treated as the decoded form by net/url. The % sign in the substituted Path then gets re-escaped to %25 by url.String(), producing requests like /cgi-bin/%252e%252e/etc/passwd that the target sees as the literal string "%2e%2e", not "..". Substitute FUZZ in url.EscapedPath() (which preserves an already-set RawPath) and re-assign through a small helper that puts the encoded form in RawPath and the decoded form in Path. url.String() then uses RawPath verbatim, matching what the user wrote and what curl --path-as-is or wfuzz would send. Adds a SetURLPathPreservingEncoding helper in libgobuster with table-driven tests covering percent-encoded inputs, plain paths, paths with a pre-existing encoded segment in the user URL, and inputs with an invalid percent sequence (which falls back to the previous behavior). Fixes OJ#618
When a wordlist contains percent-encoded payloads (e.g. `%2e%2e/etc/passwd` for path-traversal fuzzing), `gobuster fuzz` currently double-encodes them on the wire. The substitution writes raw bytes into `url.Path` (which `net/url` treats as the decoded form), so the `%` characters get re-escaped to `%25` by `url.String()` — producing requests like `/cgi-bin/%252e%252e/etc/passwd` that the target sees as the literal string `%2e%2e`, not `..`.

End-to-end repro before this PR (with the wordlist from #618):

After this PR:

The fix substitutes `FUZZ` in `url.EscapedPath()` instead of `url.Path` and re-assigns through a small helper (`libgobuster.SetURLPathPreservingEncoding`) that puts the encoded form in `RawPath` and the decoded form in `Path`. `url.String()` then emits `RawPath` verbatim, since it's a valid encoding of `Path`.

Plain wordlists (no `%`) are unaffected — `EscapedPath()` already returns the encoded form for plain paths, and the helper just round-trips it. Tests cover four cases: percent-encoded word, plain word, pre-existing `%20` in the user URL, and invalid percent sequence (falls back to previous behavior).

The same fix could be applied to `gobuster dir` and `gobuster vhost` (which also concatenate raw bytes into `url.Path`), but the original issue only describes `fuzz` mode and I wanted to keep this PR minimal. Happy to extend in a follow-up if you'd like.

Fixes #618
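The `net/url` behaviour the PR description relies on, shown as an added Go example that is not the PR's diff or gobuster's own code: a naive builder that writes the word into `url.Path` (reproducing the double-encoding), a helper that stores the encoded form in `RawPath` and the decoded form in `Path` as the PR describes, and a builder that substitutes `FUZZ` in `EscapedPath()` and falls back to the naive behaviour on an invalid percent sequence. The helper signature, the `BuildFuzzURL*` function names and the `target.example` host are assumptions; the four cases in `main` mirror the four test cases the PR lists.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// SetURLPathPreservingEncoding stores an already percent-encoded path in
// u.RawPath and its decoded form in u.Path. url.String() then emits RawPath
// verbatim because it is a valid encoding of Path, so '%' is not re-escaped.
// On an invalid percent sequence it returns the error and leaves u untouched.
// (Assumed signature, modelled on the PR description; not gobuster's code.)
func SetURLPathPreservingEncoding(u *url.URL, escaped string) error {
	decoded, err := url.PathUnescape(escaped)
	if err != nil {
		return err
	}
	u.Path = decoded
	u.RawPath = escaped
	return nil
}

// BuildFuzzURLNaive models the pre-fix behaviour: FUZZ is replaced inside
// u.Path, which net/url treats as *decoded*, so any '%' in the word becomes
// "%25" when the URL is serialised.
func BuildFuzzURLNaive(base, word string) (string, error) {
	u, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	u.Path = strings.ReplaceAll(u.Path, "FUZZ", word)
	u.RawPath = "" // force default encoding of Path
	return u.String(), nil
}

// BuildFuzzURL substitutes FUZZ in the encoded path (EscapedPath keeps a
// pre-existing RawPath and otherwise encodes Path) and re-assigns it through
// the helper. If the word yields an invalid percent sequence, it falls back
// to the naive substitution, matching the fallback the PR describes.
func BuildFuzzURL(base, word string) (string, error) {
	u, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	escaped := strings.ReplaceAll(u.EscapedPath(), "FUZZ", word)
	if err := SetURLPathPreservingEncoding(u, escaped); err != nil {
		u.Path = strings.ReplaceAll(u.Path, "FUZZ", word)
		u.RawPath = ""
	}
	return u.String(), nil
}

func main() {
	// Constructed inputs covering the PR's four test cases.
	cases := []struct{ base, word string }{
		{"http://target.example/cgi-bin/FUZZ", "%2e%2e/etc/passwd"}, // percent-encoded word
		{"http://target.example/cgi-bin/FUZZ", "admin"},             // plain word
		{"http://target.example/my%20dir/FUZZ", "%2e%2e"},           // encoded segment already in the user URL
		{"http://target.example/cgi-bin/FUZZ", "%zz"},               // invalid percent sequence -> fallback
	}
	for _, c := range cases {
		before, _ := BuildFuzzURLNaive(c.base, c.word)
		after, _ := BuildFuzzURL(c.base, c.word)
		fmt.Printf("word=%q\n  before: %s\n  after:  %s\n", c.word, before, after)
	}
}
```

Running it shows the first case going from `/cgi-bin/%252e%252e/etc/passwd` to `/cgi-bin/%2e%2e/etc/passwd`, the plain word and the `%20` segment unchanged apart from the word itself, and the `%zz` word serialised as `%25zz` in both builders. The fallback keeps the old behaviour rather than sending malformed bytes, which is the safer default: a word that is not valid percent-encoding is still sent as a well-formed request.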