v2.2.2 build

arjun/__main__.py

@@ -30,7 +30,7 @@ parser.add_argument('-w', help='Wordlist file path. (default: {arjundir}/db/larg
 parser.add_argument('-m', help='Request method to use: GET/POST/XML/JSON/HEADERS. (default: GET)', dest='method', default='GET')
 parser.add_argument('-i', help='Import target URLs from file.', dest='import_file', nargs='?', const=True)
 parser.add_argument('-T', help='HTTP request timeout in seconds. (default: 15)', dest='timeout', type=float, default=15)
-parser.add_argument('-c', help='Chunk size. The number of parameters to be sent at once', type=int, dest='chunks', default=500)
+parser.add_argument('-c', help='Chunk size. The number of parameters to be sent at once', type=int, dest='chunks', default=250)
 parser.add_argument('-q', help='Quiet mode. No output.', dest='quiet', action='store_true')
 parser.add_argument('--headers', help='Add headers. Separate multiple headers with a new line.', dest='headers', nargs='?', const=True)
 parser.add_argument('--passive', help='Collect parameter names from passive sources like wayback, commoncrawl and otx.', dest='passive', nargs='?', const='-')
@@ -58,6 +58,9 @@ mem.var = vars(args)
 
 mem.var['method'] = mem.var['method'].upper()
 
+if mem.var['method'] != 'GET':
+    mem.var['chunks'] = 500
+
 if mem.var['stable'] or mem.var['delay']:
     mem.var['threads'] = 1
 if mem.var['wordlist'] in ('large', 'medium', 'small'):
@@ -117,18 +120,27 @@ def initialize(request, wordlist, single_url=False):
     if not request['url']:
         return 'skipped'
     else:
-        fuzz = random_str(6)
-        response_1 = requester(request, {fuzz: fuzz[::-1]})
+        fuzz = "z" + random_str(6)
+        response_1 = requester(request, {fuzz[:-1]: fuzz[::-1][:-1]})
         if single_url:
             print('%s Analysing HTTP response for anomalies' % run)
-        fuzz = random_str(6)
-        response_2 = requester(request, {fuzz: fuzz[::-1]})
+        response_2 = requester(request, {fuzz[:-1]: fuzz[::-1][:-1]})
         if type(response_1) == str or type(response_2) == str:
             return 'skipped'
+
+        # params from response must be extracted before factors but displayed later
+        found, words_exist = heuristic(response_1, wordlist)
+
         factors = define(response_1, response_2, fuzz, fuzz[::-1], wordlist)
+        zzuf = "z" + random_str(6)
+        response_3 = requester(request, {zzuf[:-1]: zzuf[::-1][:-1]})
+        while factors:
+            reason = compare(response_3, factors, {zzuf[:-1]: zzuf[::-1][:-1]})[2]
+            if not reason:
+                break
+            factors[reason] = []
         if single_url:
             print('%s Analysing HTTP response for potential parameter names' % run)
-        found, words_exist = heuristic(response_1, wordlist)
         if found:
             num = len(found)
             if words_exist:
@@ -147,8 +159,8 @@ def initialize(request, wordlist, single_url=False):
         while True:
             param_groups = narrower(request, factors, param_groups)
             if len(param_groups) > prev_chunk_count:
-                response_3 = requester(request, {fuzz: fuzz[::-1]})
-                if compare(response_3, factors, {fuzz: fuzz[::-1]}) != '':
+                response_3 = requester(request, {zzuf[:-1]: zzuf[::-1][:-1]})
+                if compare(response_3, factors, {zzuf[:-1]: zzuf[::-1][:-1]})[0] != '':
                     print('%s Target is misbehaving. Try the --stable switch.' % bad)
                     return []
             if mem.var['kill']: