0140454/hackbar

include($_GET['url'])

Itach1i opened this issue · 11 comments

Hello, can you solve the submission of URL: xxxx.com/?url=php://input post data: phpinfo interface normally?

Sorry that I cannot understand your meaning.

But I think Raw mode may be what you want to use?

If I misunderstood your need, please provide a complete scenario. Thank you.

image

I was doing a CTF question, and then I found that the page did not respond after submitting in this way. I also found that the sent package was a POST request package through Burp capture, but the request body did not carry the following code:

<?php system(id)?>

I found that maxhackbar can do it normally, but there are many other bugs without the chrome version, and it is not as simple and perfect as your plugin. Hope you can fix this problem, thanks

Okay, I think I got it.

The main reason it doesn't work is that there is no equal sign in your POST body so that it cannot construct a form to send it.

The only way to send it now is using Raw mode.

However, I may check how maxhackbar works next week.

Maybe I can try to make HackBar more convenient.

OK, thanks! But I tried the raw mode and it didn't work. I hope you can succeed. If possible, can you add a Chinese version? Thank you again!

I tried Raw mode and it works as expected. The following is my screenshot.

image

After investigation, both MaxHacKBar and HackBar are using fetch API to perform a request with raw body.

As mentioned in the previous comment, Raw mode is the best choice for your scenario. Maybe you can try it again.

Of course, if you find anything that can be improved, please let me know to make HackBar better. Thanks.

> After investigation, both MaxHacKBar and HackBar are using fetch API to perform a request with raw body.
>
> As mentioned in the previous comment, Raw mode is the best choice for your scenario. Maybe you can try it again.
>
> Of course, if you find anything that can be improved, please let me know to make HackBar better. Thanks.

But Maxhackbar only needs to write on the post: , RAW is a solution that can be solved, but obviously not the best, so that there will be a problem that sometimes you will not know what to do in the end There is no vulnerability or Payload. If you need RAW to make debugging, you need to open Burp, but then I can modify it directly in Burp. Hackbar also lost convenience. I hope you can still update to make this project more elegant. Thanks

If you can modify the content of the Modify Header by the way, will he not get my real browser information? For example, the SEC-CH-Ua-Platform, Useragent parameter, etc., or change it to the default parameter value. After all, the use of hackbar obviously does not want to use its own real information, thank you again!

> But Maxhackbar only needs to write on the post: , RAW is a solution that can be solved, but obviously not the best, so that there will be a problem that sometimes you will not know what to do in the end There is no vulnerability or Payload. If you need RAW to make debugging, you need to open Burp, but then I can modify it directly in Burp. Hackbar also lost convenience. I hope you can still update to make this project more elegant. Thanks

TL;DR

I will not change the behavior of Basic mode now.

Details

Strictly speaking, there are two implementations for sending a POST request in HackBar.
The first is known as Basic mode, and the second is Raw mode.

  • Reconstruct form element and POST it
  • Use fetch API directly

In your scenario (i.e. a payload without any equal sign), we cannot reconstruct a form to send the request.
Therefore, we can only use the second way to send the request.

Based on your reply, it seems that you want HackBar to automatically use the fetch API just like MaxHacKBar.
However, it may confuse users because there would be two different behaviors in the same mode.

Please consider the following situation:

  1. Start dev server via yarn dev:server
  2. Execute POST http://127.0.0.1:8888/echo.php with body a=b in Basic mode
  3. Refresh webpage via F5
  4. Execute POST http://127.0.0.1:8888/echo.php with body <?php systemd("id"); in Basic mode
  5. Refresh webpage via F5

After step 3, the user will expect the response to be as follows. Actually, it is.

Array
(
    [method] => POST
    [headers] => Array
        (
            [Host] => 127.0.0.1:8888
            [Content-Length] => 3
        )

    [request] => Array
        (
            [a] => b
        )

    [files] => Array
        (
        )

    [input] => a=b
)

Assume that we automatically choose the fetch API to send the request at step 4.
After step 5, the user will expect the response to be as follows. Unfortunately, the received response is the same as in step 3.

Array
(
    [method] => POST
    [headers] => Array
        (
            [Host] => 127.0.0.1:8888
            [Content-Length] => 20
        )

    [request] => Array
        (
            [<?php_systemd("id");] => 
        )

    [files] => Array
        (
        )

    [input] => <?php systemd("id");
)

Since I don't like having different behaviors in the same mode, I introduced Raw mode to let the user choose what he wants.
This is why I think Raw mode is the best choice for your scenario now.

> If you can modify the content of the Modify Header by the way, will he not get my real browser information? For example, the SEC-CH-Ua-Platform, Useragent parameter, etc., or change it to the default parameter value. After all, the use of hackbar obviously does not want to use its own real information, thank you again!

You can empty the header value and then change Action to Remove header.

image

After setting, the request will not contain such headers.
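
The Basic/Raw distinction discussed in this thread, as an added example that is not part of the thread and is not HackBar's code: it shows why a body without an equal sign does not survive being rebuilt as a form, while a raw fetch body is sent unchanged. `URLSearchParams` stands in for the browser's form serialization, and the helper names and the `text/plain` content type are assumptions made for illustration.

```javascript
// Added illustration; not HackBar's code. URLSearchParams stands in for the
// application/x-www-form-urlencoded serialization a browser applies to a form.

// Split a body into the name/value pairs a rebuilt <form> would need.
function toFormFields(body) {
  return body.split('&').filter(Boolean).map((pair) => {
    const i = pair.indexOf('=');
    return i === -1
      ? { name: pair, value: '', hadEquals: false }   // whole body becomes a field name
      : { name: pair.slice(0, i), value: pair.slice(i + 1), hadEquals: true };
  });
}

// Body the server receives if those fields are submitted as a urlencoded form.
function formEncodedBody(body) {
  const params = new URLSearchParams();
  for (const f of toFormFields(body)) params.append(f.name, f.value);
  return params.toString();
}

// True when form submission delivers the body byte-for-byte.
function survivesFormSubmission(body) {
  return formEncodedBody(body) === body;
}

// Request options for sending the body untouched with fetch (Raw-mode style).
// The content type is an assumption; the thread does not say which one is used.
function rawRequestInit(body, contentType = 'text/plain') {
  return { method: 'POST', headers: { 'Content-Type': contentType }, body };
}

// The two bodies used in the maintainer's five-step scenario.
const samples = ['a=b', '<?php systemd("id");'];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', JSON.stringify(formEncodedBody(s)),
    survivesFormSubmission(s) ? '(unchanged)' : '(altered by form encoding)');
}
```

The second sample comes back percent-encoded with a trailing `=`, so a server reading the request body directly would not see the original text; that matches the `[<?php_systemd("id");] =>` entry in the echo output above, where the whole body was treated as a field name with an empty value.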