Yakit Tools: Sequence Operation of WebFuzzer Module

Introduction

A Web Fuzzer sequence chains several Web Fuzzer nodes together so that the result of one request can feed the next, which makes more complex logic possible. A typical case is having to log in before doing anything else; another is a penetration-test check that needs several steps before a vulnerability can be confirmed.
Multi-step flows like these are awkward to set up in Burp, but comparatively easy in Yakit. Below we use a sequence to upload a file and then verify that the upload worked.

Prerequisite knowledge

Before using sequences, we need to understand three advanced configuration items: matchers, data extractors, and variables.

Matcher

Let's start with the three matching modes: drop, retain, and match only. They are easy to understand:

  1. Drop: when a matcher matches, the matching response is dropped.
  2. Retain: when a matcher matches, the matching response is kept and every other response is discarded.
  3. Match only: when a matcher matches, the matching response is only highlighted (colour-tagged); nothing else happens.
    The red circle next to the mode selector is the colour button, which sets the highlight colour used in match-only mode.

Further to the right are two toggle buttons, AND and OR, which set how multiple matchers are combined: AND requires every matcher to match, OR requires at least one of them to match.

To add a matcher, click the add button at the bottom of the panel or the add/debug button in its upper right corner.

The matcher provides us with a variety of matching types and matching positions, making it easier for us to write complex matchers.

First, the matching types:

  1. Keyword: matches when the text at the matching position contains the entered keyword.
  2. Regular expression: matches when the entered regular expression matches the text at the matching position.
  3. Status code: (ignores the matching position) matches the response status code; just enter the status code you want to match.
  4. Hexadecimal: for matching bytes that are not printable ASCII, enter the hex encoding of the bytes (for example, the string "302" corresponds to the hex string "333032").
  5. Expression: (ignores the matching position) lets you write matching rules more flexibly and can reference the variables covered later under advanced configuration. The expression syntax is compatible with nuclei-dsl, so anyone familiar with nuclei can write complex matching rules here.

Now the matching positions. Take the following response packet as an example:

HTTP/1.1 302 Found
Connection: keep-alive
Content-Type: text/html; charset=utf-8
Location: https://www.baidu.com/
Content-Length: 154

<html><body>302 Found</body></html>

  1. Status code: only the status code (302) is searched.
  2. Response headers: the first line of the response (HTTP/1.1 302 Found here) plus the response headers are searched.
  3. Response body: only the response body is searched (<html><body>302 Found</body></html> here).
  4. All responses: the entire response packet is searched.

Data Extractor

The data extractor pulls specific data out of the response packet.

The data extractor likewise offers several extraction types and extraction positions, which makes writing complex extractors easier. Next to the extractor's name in the upper left corner (data_0 by default) there is an edit button for renaming the extractor; this name is what you reference later from variables and from other nodes of a Web Fuzzer sequence.
First, the extraction types:

  1. Regular expression: extracts the text matched by the entered regular expression at the extraction position. Parentheses create groups in a regular expression, and you can choose which group to extract, so only the part you want is captured. (Group 0 is the whole match.)
  2. XPath: (the extraction position can only be the response body) extracts the content selected by the entered XPath. XPath is a language for selecting nodes in XML/HTML documents, and browser developer tools can copy a node's full XPath for you.
  3. Key-value pairs: the rules here are a little more involved. The extractor tries to pull out the values of every plausible JSON key, as well as every value of the form key=value. If the extraction scope includes the response headers (headers or Raw), header values are extracted too. Two special keys, proto and status_code, hold the response's HTTP protocol version and status code respectively.
  4. JQ(*): (the extraction position can only be the response body) jq is a tool for selecting nodes in JSON documents; refer to the jq documentation for its syntax.
  5. Expression: (ignores the extraction position) the same expression syntax as in the matcher above, so it is not repeated here.
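Matchers and extractors are easier to reason about when you can watch them run over a raw response. The Python script below is an added example written for this article, not Yakit's own code. It parses the sample 302 response above into the four matching positions, implements the keyword, regular-expression, status-code and hexadecimal matcher types with AND/OR combination and the three modes, and adds a regular-expression extractor with group selection plus an approximation of the key-value extractor. The exact set of JSON and key=value forms Yakit recognises, and the way proto and status_code are attached, are assumptions; the JSON response, the function names and the position names are constructed for the example.

```python
import re

# Constructed sample responses; the first is the article's own example packet.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Connection: keep-alive\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Location: https://www.baidu.com/\r\n"
    "Content-Length: 154\r\n"
    "\r\n"
    "<html><body>302 Found</body></html>"
)
SAMPLE_JSON_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"code":0,"data":{"token":"abc123","uid":42}}'
)


def parse_response(raw):
    """Split a raw HTTP response into the pieces the matching positions refer to."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    proto, status_code = lines[0].split(" ", 2)[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "proto": proto,
        "status_code": status_code,
        "header_block": head,  # first line plus headers: the "response headers" scope
        "headers": headers,
        "body": body,
        "raw": raw,
    }


def scope_text(resp, position):
    """Text covered by a matching/extraction position."""
    return {
        "status_code": resp["status_code"],
        "headers": resp["header_block"],
        "body": resp["body"],
        "all": resp["raw"],
    }[position]


def run_matcher(resp, mtype, value, position="all"):
    """Evaluate one matcher; the status_code type ignores the position."""
    if mtype == "status_code":
        return resp["status_code"] == str(value)
    text = scope_text(resp, position)
    if mtype == "keyword":
        return value in text
    if mtype == "regex":
        return re.search(value, text) is not None
    if mtype == "hex":  # e.g. "333032" is the hex encoding of "302"
        return bytes.fromhex(value) in text.encode()
    raise ValueError("unknown matcher type: %s" % mtype)


def evaluate(resp, matchers, logic="AND", mode="match_only"):
    """Combine (type, value, position) matchers with AND/OR, then apply the mode.
    Returns what happens to the response: drop, keep, tagged or untagged."""
    results = [run_matcher(resp, *m) for m in matchers]
    matched = all(results) if logic == "AND" else any(results)
    if mode == "drop":
        return "drop" if matched else "keep"
    if mode == "retain":
        return "keep" if matched else "drop"
    return "tagged" if matched else "untagged"


def extract_regex(resp, pattern, group=0, position="all"):
    """Regular-expression extractor; group 0 is the whole match."""
    m = re.search(pattern, scope_text(resp, position))
    return m.group(group) if m else None


def extract_kv(resp, position="all"):
    """Approximation (assumed, not Yakit's exact rules) of the key-value extractor:
    JSON "key":value pairs, key=value pairs, header values when the scope includes
    the headers, plus the special proto and status_code keys."""
    text = scope_text(resp, position)
    kv = {}
    for k, v in re.findall(r'"([A-Za-z_][\w-]*)"\s*:\s*"?([^",{}\s]+)"?', text):
        kv.setdefault(k, v)
    for k, v in re.findall(r"\b([A-Za-z_][\w-]*)=([^&\s\"'<>]+)", text):
        kv.setdefault(k, v)
    if position in ("headers", "all"):
        kv.update(resp["headers"])
    kv["proto"] = resp["proto"]
    kv["status_code"] = resp["status_code"]
    return kv
```

The useful thing to notice when running it is the position scope: the keyword "302 Found" matches at the body and headers positions but not at the status-code position, which only contains "302", so a matcher that silently fails is usually one pointed at the wrong scope.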

Variables

As mentioned, the name of a data extractor can be referenced from variables, which amounts to assigning a variable. You can also define variables directly in the variables panel.
There you set a variable name and value; the variable can then be used by later variables, by later nodes in a Web Fuzzer sequence, and by the current Web Fuzzer. Reference a variable with the fuzztag {{params(variable name)}} or its short form {{p(variable name)}}.

Variables have three modes: nuclei, fuzztag, and raw.

  1. nuclei: in nuclei mode the value is a nuclei expression, and most functions of nuclei-dsl can be called. Note that other variables referenced inside the expression are strings, so you may need to convert types yourself, for example {{int(a) + 3}}.
  2. fuzztag: in fuzztag mode the value is a fuzztag; a fuzztag that expands to several values makes Web Fuzzer send several requests, for example {{int(1-2)}} sends one request with 1 and one with 2.
  3. raw: in raw mode the value is used verbatim as the string you typed and is not parsed.

Upload and verification sequence operations of file upload vulnerability

The demonstration uses the first level of upload-labs.
That level relies on front-end validation only, so we capture the upload request in the proxy and change the file extension there.

Send the captured upload request to Web Fuzzer (this node is WF-[1]) and add a data extractor named path:

Then send the request that checks whether the upload succeeded to Web Fuzzer (WF-[3]) and set its variables:

Pay special attention here:

WF-[1] has a data extractor named path, which ends up holding the image path. That path starts with ../
We need to strip this ../
So in WF-[3] set a variable fixpath with the value {{trim_left(path, '../')}}
trim_left: a built-in nuclei-dsl function
path: the name of the data extractor in WF-[1]; once the sequence is set up it is inherited automatically.

Then set the sequence:

A node in a sequence inherits the cookies and variables of the node before it by default:

Click to start execution:

You will see that step 0 runs first and then step 1.
The final result, 123, appears as well; 123 is the output of shell.php.
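To make the flow of the sequence concrete, here is an added Python simulation (written for this article, not Yakit's code) of the two steps above and of the variable handling described under Variables: step 0 extracts path from the WF-[1] response with a regex extractor and carries the variables and cookie over, step 1 computes fixpath with a nuclei-style trim_left and expands the {{p(...)}} / {{params(...)}} fuzztags in the WF-[3] request, and a keyword check looks for the 123 that shell.php prints. The requests, responses, session cookie, host and the fake_send function are constructed stand-ins, not real upload-labs traffic, and trim_left is assumed to behave like Go's strings.TrimLeft, stripping every leading character in the cutset rather than the literal prefix.

```python
import re

# Constructed stand-ins for the two exchanges of the sequence; not real upload-labs traffic.
WF1_REQUEST = (
    "POST /upload.php HTTP/1.1\r\nHost: {{p(host)}}\r\n\r\n"
    "(multipart body carrying shell.php)"
)
WF1_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: PHPSESSID=constructed0sessionid; path=/\r\n"
    "\r\n"
    '<div><img src="../upload/shell.php" width="250px" /></div>'
)
# WF-[3] as the user types it; fixpath is supplied by the sequence's variables.
WF3_REQUEST_TEMPLATE = (
    "GET /{{p(fixpath)}} HTTP/1.1\r\nHost: {{params(host)}}\r\n"
    "Cookie: {{p(cookie)}}\r\n\r\n"
)
WF3_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n123"

_PARAM_TAG = re.compile(r"\{\{(?:p|params)\(([^)]+)\)\}\}")


def trim_left(value, cutset):
    """nuclei-dsl trim_left, assumed to follow Go's strings.TrimLeft: every leading
    character found in cutset is removed, so '../' strips any run of '.' and '/'."""
    return value.lstrip(cutset)


def extract_regex(raw_response, pattern, group=0):
    """Regular-expression data extractor over the whole response; None if no match."""
    m = re.search(pattern, raw_response)
    return m.group(group) if m else None


def render(template, variables):
    """Expand {{p(name)}} / {{params(name)}} fuzztags; an undefined name is an error."""
    def sub(m):
        name = m.group(1).strip()
        if name not in variables:
            raise KeyError("variable %r is not defined in this sequence" % name)
        return variables[name]
    return _PARAM_TAG.sub(sub, template)


def fake_send(request):
    """Stand-in for the network: answers the two constructed requests, 404 for anything else."""
    if request.startswith("POST /upload.php "):
        return WF1_RESPONSE
    if request.startswith("GET /upload/shell.php "):
        return WF3_RESPONSE
    return "HTTP/1.1 404 Not Found\r\n\r\n"


def run_sequence(send, host="127.0.0.1"):
    """Step 0 (WF-[1]) uploads and extracts `path`; step 1 (WF-[3]) inherits the
    variables and cookie, derives fixpath with trim_left and checks for the shell output."""
    variables = {"host": host}

    # step 0: WF-[1] with a data extractor named path
    r1 = send(render(WF1_REQUEST, variables))
    path = extract_regex(r1, r'<img src="([^"]+)"', 1)
    if path is None:
        raise RuntimeError("upload response carried no image path")
    variables["path"] = path
    cookie = extract_regex(r1, r"Set-Cookie: ([^;\r\n]+)", 1)
    if cookie:
        variables["cookie"] = cookie  # the sequence passes cookies on by default

    # step 1: WF-[3] with the nuclei-mode variable fixpath = {{trim_left(path, '../')}}
    variables["fixpath"] = trim_left(variables["path"], "../")
    request3 = render(WF3_REQUEST_TEMPLATE, variables)
    r3 = send(request3)
    body = r3.partition("\r\n\r\n")[2]
    return {
        "path": variables["path"],
        "fixpath": variables["fixpath"],
        "request": request3,
        "verified": "123" in body,  # keyword matcher on the response body
    }
```

Because trim_left works on a character set, a path such as ..//upload/shell.php is trimmed to upload/shell.php as well; if the server could return paths that legitimately begin with a dot or a slash, a regex extractor group that captures only the part after ../ is the safer choice.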
That concludes the introduction to sequence operations. If anything is unclear, refer to the official documentation.