modzero/mod0BurpUploadScanner

Bug

soufianetahiri opened this issue · 0 comments

Traceback (most recent call last):
  File "/home/soufiane/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 981, in doActiveScan
    self.do_checks(injector)
  File "/home/soufiane/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 1073, in do_checks
    colab_tests.extend(self._magick(injector, burp_colab))
  File "/home/soufiane/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 1439, in _magick
    self._send_sleep_based(injector, basename, content, types, injector.opts.sleep_time, issue)
  File "/home/soufiane/.BurpSuite/bapps/b2244cbb6953442cb3c82fa0a0d908fa/UploadScanner.py", line 4314, in _send_sleep_based
    new_content = content.replace(BurpExtender.MARKER_CACHE_DEFEAT_URL, "https://example.org/" + ''.join(random.sample(string.ascii_letters, 11)) + "/")
AttributeError: 'NoneType' object has no attribute 'replace'

Upload Scanner Version: 1.0.8

Extension code location: doActiveScan
Jython version: 2.7.2 (v2.7.2:925a3cc3b49d, Mar 21 2020, 10:03:58)
[OpenJDK 64-Bit Server VM (Oracle Corporation)]
Java version: 16.0.2
Burp version: Burp Suite Professional 2021 10.2
Command line arguments: 
Was loaded from BApp: True
Request: 'POST /admin/rs/media/library/uploadmultifiles/xxxxxxx/xxxxxxxxxx
HTTP/1.1\r\nHost: xxxxxxxx.com\r\nCookie: JSESSIONID=xxxxxxxxxxxxxxxxxxxx;
SERVERID=pp-xxxx\r\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:94.0) Gecko/20100101
Firefox/94.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r
\nX-Requested-With: XMLHttpRequest\r\nContent-Type: multipart/form-data;
boundary=---------------------------425317772017903238912665175467\r\nContent-Length: 322\r\nOrigin:
https://xxxx.com\r\nReferer: https://xxxxx.com/xxx-
admin/account/customization/xxxxxxx/xxxxxxxxxxxx\r\nSec-Fetch-Dest: empty\r\nSec-Fetch-Mode: cors\r\nSec-
Fetch-Site: same-origin\r\nTe: trailers\r\nConnection: close\r\n\r\n-----------------------------
425317772017903238912665175467\r\nContent-Disposition: form-data; name="logo-twitter.php"; filename
="logo-twitter.php"\r\nContent-Type: application/x-httpd-php\r\n <?php ech...