Fix false positives on ID command

wapiti-scanner · Feb 18, 2025 · b000f5c · b000f5c
1 parent 90ed601
commit b000f5c
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 8 deletions.
diff --git a/wapitiCore/attack/mod_exec.py b/wapitiCore/attack/mod_exec.py
@@ -168,7 +168,7 @@ async def attack(self, request: Request, response: Optional[Response] = None):
                 vuln_info = None
 
                 # No timeout raised, check for patterns in response
-                if any(rule in response.content for rule in payload_info.rules):
+                if any(rule.replace("<SPACE>", " ") in response.content for rule in payload_info.rules):
                     vuln_info = payload_info.description
                     # We reached maximum exploitation for this parameter, don't send more payloads
                     vulnerable_parameter = True

diff --git a/wapitiCore/data/attacks/execPayloads.ini b/wapitiCore/data/attacks/execPayloads.ini
@@ -1,24 +1,24 @@
 [DEFAULT]
 payload = None
-; rules will be used as a boolean AND if there are multiple
+; rules will be used as a boolean OR if there are multiple
 rules = None
 description = None
 status = vulnerability
 type = pattern
 
 [no_escape]
 payload = id
-rules = uid=
-    gid=
-    groupes=
+rules = ' gid='
+    ' groupes='
+    ' groups='
 description = Command execution
 status = vulnerability
 
 [no_escape_owasp_benchmark]
 payload = id
-rules = uid&#x3d;
-    gid&#x3d;
-    groupes&#x3d;
+rules = ' gid&#x3d;'
+    ' groupes&#x3d;'
+    ' groups&#x3d;'
 description = Command execution
 status = vulnerability