Rework templates

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "x8"
-version = "0.1.0"
+version = "0.2.0"
 authors = ["Alexander Mironov <[email protected]>"]
 edition = "2018"
 

README.md

@@ -31,32 +31,53 @@ Firstly, it makes a few basic requests to learn the target, and then it tries to
 
 # Examples
 #### Send parameters via query
-```x8 -u https://example.com/ -w <wordlist>```
+```bash
+x8 -u "https://example.com/" -w <wordlist>
+```
 
 With some default parameters:
-```x8 -u https://example.com/?something=1 -w <wordlist>```
+```bash
+x8 -u "https://example.com/?something=1" -w <wordlist>
+```
 
 `/?something=1` equals to `/?something=1&%s`
 
 #### Send parameters via body
-`x8 -u https://example.com/ -X POST --as-body -w <wordlist>`
+```bash
+x8 -u "https://example.com/" -X POST --as-body -w <wordlist>
+```
 
 Or with a custom body:
-```x8 -u https://example.com/ -X POST --as-body -b '{"x":{%s}}' -w <wordlist>```
+```bash
+x8 -u "https://example.com/" -X POST --as-body -b '{"x":{%s}}' -w <wordlist>
+```
 `%s` will be replaced with different parameters like `{"x":{"a":"b3a1a", "b":"ce03a", ...}}`
 
 #### Custom template
-```x8 -u https://example.com/ --key-template user[%s] -w <wordlist>```
+```bash
+x8 -u "https://example.com/" --param-template "user[%k]=%v&" -w <wordlist>
+```
+
 Now every request would look like `/?user[a]=hg2s4&user[b]=a34fa&...`
 
+It is even possible to imitate not included body types, for example, application/xml:
+
+```bash
+x8 -u "https://example.com/" --as-body --param-template "<%k>%v</%k>" -H "Content-Type: application/xml" -b "<?xml version="1.0" ?>%s" -w <wordlist>
+```
+
 #### Variables
 In the next example, `something` will take on new values every request:
-```x8 -u https://example.com/?something={{random}}&%s -w <wordlist>```
+```bash
+x8 -u "https://example.com/?something={{random}}&%s" -w <wordlist>
+```
 
 #### Percent encoding
 Sometimes parameters should be encoded. It is also possible:
 
-```x8 -u https://example.com/?path=..%2faction.php%3f%s%23 --encode -w <wordlist>```
+```bash
+x8 -u "https://example.com/?path=..%2faction.php%3f%s%23" --encode -w <wordlist>
+```
 
 ```http
 GET /?path=..%2faction.php%3fWTDa8%3Da7UOS%26rTIDA%3DexMFp...%23 HTTP/1.1
@@ -70,10 +91,12 @@ There are 2 reflected parameters, 4 parameters that change code/headers/body, an
 # Usage
 
 ```
+USAGE:
     x8 [FLAGS] [OPTIONS]
 
 FLAGS:
-        --as-body                        Send parameters via body
+        --as-body                        Send parameters via body.
+                                         Built in body types that can be detected automatically: json, urlencode
         --disable-cachebuster
         --disable-colors
         --disable-custom-parameters      Do not check automatically parameters like admin=true
@@ -82,14 +105,15 @@ FLAGS:
         --encode                         Encodes query or body before a request, i.e & -> %26, = -> %3D
                                          List of chars to encode: ", `, , <, >, &, #, ;, /, =, %
     -L, --follow-redirects               Follow redirections
-        --force-binary                   Ignore 'binary data detected' message
+        --force                          Ignore 'binary data detected', 'the page is too huge', 'param_template lacks
+                                         variables' error messages
     -h, --help                           Prints help information
         --insecure                       Use http instead of https when the request file is used
         --is-json                        If the output is valid json and the content type does not contain 'json'
                                          keyword - specify this argument for a more accurate search
         --replay-once                    If replay proxy is specified, send all found parameters within one request
         --test                           Prints request and response
-        --version                        Prints version information
+    -V, --version                        Prints version information
 
 OPTIONS:
     -b, --body <body>                                       Example: --body '{"x":{%s}}'
@@ -106,15 +130,17 @@ OPTIONS:
 
     -d, --delay <Delay between requests in milliseconds>
     -H, --header <headers>                                  Example: -H 'one:one' 'two:two'
-    -K, --key-template <key_template>                       Example: --key-template 'user[%s]'
-    --learn-requests <learn_requests_count>                 Set the custom number of learning requests. (default is 10)
+        --learn-requests <learn_requests_count>             Set the custom number of learning requests. (default is 10)
     -m, --max <max>
             Change the maximum number of parameters. (default is 128/192/256 for query and 512 for body)
 
     -X, --method <method>
-            Available: GET, POST, PUT, PATH, DELETE, HEAD. (default is "GET")
+            Available: GET, POST, PUT, PATCH, DELETE, HEAD. (default is "GET")
 
     -o, --output <file>
+    -P, --param-template <parameter_template>
+            %k - key, %v - value. Example: --param-template 'user[%k]=%v&'
+
     -x, --proxy <proxy>
         --replay-proxy <replay-proxy>
             Request target with every found parameter via replay proxy at the end
@@ -126,7 +152,6 @@ OPTIONS:
         --value-size <value_size>
             Custom value size. Affects {{random}} variables as well (default is 5)
 
-    -V, --value-template <value_template>                   Example: --value-template 'https://example.com/%s'
     -v, --verbose <verbose>                                 Verbose level 0/1/2 (default is 1)
     -w, --wordlist <wordlist>                               The file with parameters
 ```
@@ -158,7 +183,5 @@ OPTIONS:
 
 # Donation
 Want to support the project? You can donate to the following addresses:
-
 Monero: 46pni5AY9Ra399sivBykVucaK6KdU3rYiSqFsZinfaEgd3qUkeZvRxjEdhPPmsmZQwTDPBSrvSpkaj4LsHqLH6GG7zMmgiW
-
 Bitcoin: bc1q8q9hfmejxd65jcrszwpgj7xnwhy32gpxay2h604xwvjwtw8jh8vq8kev5r

src/args.rs

@@ -39,17 +39,10 @@ pub fn get_config() -> (Config, usize) {
                 .takes_value(true),
         )
         .arg(
-            Arg::with_name("key_template")
-                .short("K")
-                .long("key-template")
-                .help("Example: --key-template 'user[%s]'")
-                .takes_value(true),
-        )
-        .arg(
-            Arg::with_name("value_template")
-                .short("V")
-                .long("value-template")
-                .help("Example: --value-template 'https://example.com/%s'")
+            Arg::with_name("parameter_template")
+                .short("P")
+                .long("param-template")
+                .help("%k - key, %v - value. Example: --param-template 'user[%k]=%v&'")
                 .takes_value(true),
         )
         .arg(
@@ -107,12 +100,12 @@ pub fn get_config() -> (Config, usize) {
         .arg(
             Arg::with_name("as-body")
                 .long("as-body")
-                .help("Send parameters via body")
+                .help("Send parameters via body.\nBuilt in body types that can be detected automatically: json, urlencode")
         )
         .arg(
-            Arg::with_name("force-binary")
-                .long("force-binary")
-                .help("Ignore 'binary data detected' message")
+            Arg::with_name("force")
+                .long("force")
+                .help("Ignore 'binary data detected', 'the page is too huge', 'param_template lacks variables' error messages")
         )
         .arg(
             Arg::with_name("disable-response-correction")
@@ -345,7 +338,7 @@ pub fn get_config() -> (Config, usize) {
         args.value_of("body-type").unwrap_or("urlencode-").to_string()
     };
 
-    let body = if !body.is_empty() && !body.contains("%s") && args.is_present("as-body") {
+    let body = if !body.contains("%s") && args.is_present("as-body") {
         adjust_body(body, &body_type)
     } else {
         body.to_string()
@@ -412,18 +405,23 @@ pub fn get_config() -> (Config, usize) {
         path.push_str("?%s");
     }
 
-    let /*mut*/ value_template = args.value_of("value_template").unwrap_or("").to_string();
-    let /*mut*/ key_template = args.value_of("key_template").unwrap_or("").to_string();
+    let mut parameter_template = args.value_of("parameter_template").unwrap_or("");
+
+    if !parameter_template.is_empty()
+        && (!parameter_template.contains("%k") || !parameter_template.contains("%v"))
+        && !args.is_present("force") {
+            writeln!(io::stderr(), "param_template lacks important variables like %k or %v").ok();
+            std::process::exit(1);
+    }
+
+    if parameter_template.is_empty() {
+        if body_type.contains("urlencode") {
+            parameter_template = "%k=%v&";
+        } else if body_type.contains("json") {
+            parameter_template = "\"%k\":\"%v\", ";
+        }
+    }
 
-    /*if args.is_present("fuzz") {
-        match args.value_of("fuzz").unwrap_or("x") {
-            "1" => value_template = "%s'\">;".to_string(),
-            "2" => value_template = "%s%00%ff".to_string(),
-            "3" => key_template = "%s[]".to_string(),
-            "4" => key_template = "%s[something]".to_string(),
-            _ => ()
-        };
-    }*/
 
     let custom_keys: Vec<String> = match args.values_of("custom-parameters") {
         Some(val) => {
@@ -474,10 +472,9 @@ pub fn get_config() -> (Config, usize) {
         method: args.value_of("method").unwrap_or("GET").to_string(),
         url,
         host: host.to_string(),
-        path: path.to_string(),
+        path,
         wordlist: args.value_of("wordlist").unwrap_or("").to_string(),
-        key_template,
-        value_template,
+        parameter_template: parameter_template.to_string(),
         custom_parameters,
         headers,
         body,
@@ -489,7 +486,7 @@ pub fn get_config() -> (Config, usize) {
         save_responses: args.value_of("save-responses").unwrap_or("").to_string(),
         tmp_directory: args.value_of("tmp-directory").unwrap_or(temp_dir().to_str().unwrap_or("/tmp")).to_string()+"/",
         as_body: args.is_present("as-body"),
-        force_binary: args.is_present("force-binary"),
+        force: args.is_present("force"),
         disable_response_correction: args.is_present("disable-response-correction"),
         disable_custom_parameters: args.is_present("disable-custom-parameters"),
         disable_progress_bar: args.is_present("disable-progress-bar"),

src/logic.rs

@@ -30,7 +30,7 @@ pub fn cycles(
     let all = params.len() / max;
 
     for (count, chunk) in params.chunks(max).enumerate() {
-        let query = &make_hashmap(&chunk, &config.value_template, &config.key_template, config.value_size);
+        let query = &make_hashmap(&chunk, config.value_size);
 
         let response = request(config, client, query, reflections_count);
 
@@ -251,8 +251,6 @@ pub fn cycles(
 
                         let query = make_hashmap(
                             &random_params[..],
-                            &config.value_template,
-                            &config.key_template,
                             config.value_size,
                         );
 

src/main.rs

@@ -102,8 +102,6 @@ fn main() {
     //generate random query for the first request
     let query = make_hashmap(
         &(0..max).map(|_| random_line(config.value_size)).collect::<Vec<String>>(),
-        &config.value_template,
-        &config.key_template,
         config.value_size,
     );
 
@@ -306,8 +304,6 @@ fn main() {
                 &replay_client,
                 &make_hashmap(
                     &found_params,
-                    &config.value_template,
-                    &config.key_template,
                     config.value_size
                 ),
                 0
@@ -319,8 +315,6 @@ fn main() {
                     &replay_client,
                     &make_hashmap(
                         &[param.to_owned()],
-                        &config.value_template,
-                        &config.key_template,
                         config.value_size
                     ),
                     0
@@ -339,7 +333,7 @@ fn main() {
             let response = request(
                 &config, &client,
                 &random_hashmap(
-                    &[param.clone()], &config.value_template, &config.key_template
+                    &[param.clone()], &config.parameter_template, &config.parameter_delimiter
                 ),
                 reflections_count
             );

src/requests.rs

@@ -40,7 +40,7 @@ pub fn empty_reqs(
             io::stdout().flush().unwrap_or(());
         }
 
-        if response.text.len() > 25 * 1024 * 1024 && !config.force_binary {
+        if response.text.len() > 25 * 1024 * 1024 && !config.force {
             writeln!(io::stderr(), "[!] {} the page is too huge", &config.url).ok();
             std::process::exit(1)
         }
@@ -97,8 +97,6 @@ pub fn random_request(
         &client,
         &make_hashmap(
             &(0..max).map(|_| random_line(config.value_size)).collect::<Vec<String>>(),
-            &config.value_template,
-            &config.key_template,
             config.value_size,
         ),
         reflections

src/structs.rs

@@ -28,8 +28,7 @@ pub struct Config {
     pub host: String,
     pub path: String,
     pub wordlist: String,
-    pub value_template: String,
-    pub key_template: String,
+    pub parameter_template: String,
     pub custom_parameters: HashMap<String, Vec<String>>,
     pub headers: HashMap<String, String>,
     pub body: String,
@@ -38,7 +37,7 @@ pub struct Config {
     pub output_file: String,
     pub save_responses: String,
     pub tmp_directory: String,
-    pub force_binary: bool,
+    pub force: bool,
     pub disable_response_correction: bool,
     pub disable_custom_parameters: bool,
     pub disable_progress_bar: bool,