dwisiswant0 / crlfuzz Goto Github PK

Can you make a way to add to the payloads? Like a payloads.txt file?

I would like to incorporate this tool into my automated suite for bug hunting, but it ends up breaking my internet connection due to producing too many request,

It would be great if an option to specify requests per second or to specify the delay between requests was added, something like the --delay option on sqlmap.

Thanks!

Describe the bug

A clear and concise description of what the bug is.

To Reproduce

1. install crlfuzz

2. run crlfuzz -l

3. not giving any output just showing this

crlfuzz -l ~/Desktop/recon/urls.txt

| | __ | | | | _ ___ ___
| --| -| || | | |- _|- _|
|||||| |||__|

  v1.4.0 - @dwisiswant0

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.

4.while you run the crlfuzz -u "http://test.com"

working fine

5. while subfinder target.com | crlfuzz

working fine

Steps to reproduce the behavior:

** it is expected to run tool while giving input as file**

A clear and concise description of what you expected to happen.

[****](url

)

If applicable, add screenshots to help explain your problem.

Environment (please complete the following information):

• OS: [linux]
• OS version: [Linux kali 5.9.0-kali2-amd64 #1 SMP Debian 5.9.6-1kali1 (2020-11-11) x86_64 GNU/Linux
  ]
• CRLFuzz Version [crlfuzz -- v1.4.0]

hy bro this tool run on windows 10 .

net/url: invalid control character in URL

Hey mate,

I tried curlfuzz with -l flag defined wordlist and theres a error in output.

└──╼ #crlfuzz -l /root/Desktop/domains.resolved.txt

| | __ | | | | _ ___ ___
| --| -| || | | |- _|- _|
|||||| |||__|

  v1.4.0 - @dwisiswant0

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.

All i get is blank result.

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Use all payloads from https://github.com/cujanovic/CRLF-Injection-Payloads/blob/master/CRLF-payloads.txt

I am not a pro dev. So I cant help here.

Is there any vuln website to test it locally

Hi , Please create a -o results.txt which saves all the vulnerable urls in the results.txt file. While running this awesome tool on thousands of domains makes it difficult to scroll and search for the results.

Hi, :)
Describe the bug

While adding custom headers tools break.

To Reproduce

cat live_targets.txt | crlfuzz -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0"

cat targets.txt | httpx | crlfuzz -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0"

Expected behavior

The tool should able to add a custom header in every HTTP request.

Environment (please complete the following information):

• OS: tested in both Ubuntu and in kali
• OS version: 18.04 and 5.10.13-1kali1 (2021-02-08) x86_64
• CRLFuzz Version: CRLFuzz 1.4.0

Additional context

Below is the error log.

[signal SIGSEGV: segmentation violation code=0x1 addr=0x38 pc=0x659cc9]

goroutine 40 [running]:
github.com/dwisiswant0/crlfuzz/pkg/crlfuzz.Scan(0xc0000f6480, 0x37, 0x0, 0x0, 0x0, 0x0, 0xc0000a0bf0, 0x1, 0x1, 0x0, ...)
        /root/go/pkg/mod/github.com/dwisiswant0/[email protected]/pkg/crlfuzz/crlfuzz.go:22 +0x3e9
github.com/dwisiswant0/crlfuzz/internal/runner.(*Options).run(0xc0000bea00, 0xc0000f6480, 0x37)
        /root/go/pkg/mod/github.com/dwisiswant0/[email protected]/internal/runner/runner.go:41 +0xb2
github.com/dwisiswant0/crlfuzz/internal/runner.New.func1(0xc000096180, 0xc0000bea00, 0xc0000b82e0)
        /root/go/pkg/mod/github.com/dwisiswant0/[email protected]/internal/runner/runner.go:22 +0x65
created by github.com/dwisiswant0/crlfuzz/internal/runner.New
        /root/go/pkg/mod/github.com/dwisiswant0/[email protected]/internal/runner/runner.go:20 +0xcc```

Let me know if any additional information required.
Take care,
unstabl3

Describe the bug

Hello, thanks for this great tool. However when I run the tool I get this error:

   _____ _____ __    _____             
  |     | __  |  |  |   __|_ _ ___ ___ 
  |   --|    -|  |__|   __| | |- _|- _|
  |_____|__|__|_____|__|  |___|___|___|

      v1.4.0 - @dwisiswant0

[WRN] Use with caution. You are responsible for your actions
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[ERR] parse "https://example.com/\r\tSet-Cookie:param=crlfuzz;": net/url: invalid control character in URL
[ERR] parse "https://example.com/\rSet-Cookie:param=crlfuzz;": net/url: invalid control character in URL
[ERR] parse "https://example.com/\r%20Set-Cookie:param=crlfuzz;": net/url: invalid control character in URL
[ERR] parse "https://example.com/\r\nSet-Cookie:param=crlfuzz;": net/url: invalid control character in URL
[ERR] parse "https://example.com/\r\n%20Set-Cookie:param=crlfuzz;": net/url: invalid control character in URL
[ERR] parse "https://example.com/\r\n\tSet-Cookie:param=crlfuzz;": net/url: invalid control character in URL
[ERR] parse "https://example.com/crlfuzz\rSet-Cookie:param=crlfuzz;": net/url: invalid control character in URL
[ERR] parse "https://example.com/crlfuzz\r%20Set-Cookie:param=crlfuzz;": net/url: invalid control character in URL
[ERR] parse "https://example.com/crlfuzz\r\nSet-Cookie:param=crlfuzz;": net/url: invalid control character in URL
[ERR] parse "https://example.com/crlfuzz\r\n%20Set-Cookie:param=crlfuzz;": net/url: invalid control character in URL
[ERR] parse "https://example.com/crlfuzz\r\n\tSet-Cookie:param=crlfuzz;": net/url: invalid control character in URL
[ERR] parse "https://example.com/crlfuzz\r\tSet-Cookie:param=crlfuzz;": net/url: invalid control character in URL
[ERR] parse "https://example.com/?crlfuzz=\r%20Set-Cookie:param=crlfuzz;": net/url: invalid control character in URL
[ERR] parse "https://example.com/?crlfuzz=\r\nSet-Cookie:param=crlfuzz;": net/url: invalid control character in URL
[ERR] parse "https://example.com/?crlfuzz=\r\n%20Set-Cookie:param=crlfuzz;": net/url: invalid control character in URL
[ERR] parse "https://example.com/?crlfuzz=\r\n\tSet-Cookie:param=crlfuzz;": net/url: invalid control character in URL
[ERR] parse "https://example.com/?crlfuzz=\r\tSet-Cookie:param=crlfuzz;": net/url: invalid control character in URL
[ERR] parse "https://example.com/?crlfuzz=\rSet-Cookie:param=crlfuzz;": net/url: invalid control character in URL

I got the same error even though I tested it on 2 different linux machines.

Environment:

• OS: linux
• OS version:
  1- Linux tester 5.11.0-1027-azure #30~20.04.1-Ubuntu SMP Wed Jan 12 20:56:50 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
  2- Linux kali 5.10.0-kali9-amd64 #1 SMP Debian 5.10.46-4kali1 (2021-08-09) x86_64 GNU/Linux
• CRLFuzz Version: CRLFuzz 1.4.0

This link may be helpful: https://stackoverflow.com/questions/55945325/golang-url-parse-always-return-invalid-control-character-url

Thanks

C:\Users\user>go get -u -v github.com/dwisiswant0/crlfuzz/cmd/crlfuzz
github.com/dwisiswant0/crlfuzz (download)
unrecognized import path "dw1.io/crlfuzz/internal/runner": https fetch: Get "https://dw1.io/crlfuzz/internal/runner?go-get=1": dial tcp 5.189.188.232:443: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

tried this too
go get -v -u dw1.io/crlfuzz/cmd/crlfuzz
same error , please take a look at it., However i have done it with git clone but still.

go version used : go version go1.14.2 windows/amd64

Thank You