How to tell SSTImap test form a form WebKit? #29

Open
alasalamont opened this issue Dec 25, 2023 · 6 comments
Labels: awaits confirmation (The issue is supposed to be resolved, but requires some testing); delayed (The issue will be fixed with a big update later)

Comments


alasalamont commented Dec 25, 2023

Hi, assume I have this POST request

POST / HTTP/1.1
Host: example.com
Content-Length: 1092
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzZgoVbc9kBDZDmAs
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close

------WebKitFormBoundaryzZgoVbc9kBDZDmAs
Content-Disposition: form-data; name="CSRF_TOKEN"

ns0h_eslIv0RNFTCJLEK4puKCu-QaMVmWFJCVG8ZWnP0LhReRUtGI_j6DJ-TQGelTkYFgGzYcInK-W6p4Ru9IxIWchcidxNekB9xFhR6FHw=
------WebKitFormBoundaryzZgoVbc9kBDZDmAs
Content-Disposition: form-data; name="action"

sprout-forms/entries/save-entry
------WebKitFormBoundaryzZgoVbc9kBDZDmAs
Content-Disposition: form-data; name="handle"

contact
------WebKitFormBoundaryzZgoVbc9kBDZDmAs
Content-Disposition: form-data; name="fields[email]"

test@gmail.com
------WebKitFormBoundaryzZgoVbc9kBDZDmAs
Content-Disposition: form-data; name="fields[phone][country]"

US
------WebKitFormBoundaryzZgoVbc9kBDZDmAs
Content-Disposition: form-data; name="fields[phone][phone]"

(201) 555-0123
------WebKitFormBoundaryzZgoVbc9kBDZDmAs
Content-Disposition: form-data; name="fields[message]"

test
------WebKitFormBoundaryzZgoVbc9kBDZDmAs
Content-Disposition: form-data; name="alojs01dca85956cc7cf638dda2c9642df2fd"

alojs01dca85956cc7cf638dda2c9642df2fd
------WebKitFormBoundaryzZgoVbc9kBDZDmAs--

How can I tell SSTImap to test the input of a field of a WebKit form? I did try to use the flag --load-form but it does not work.

Regards!

@alasalamont alasalamont changed the title How to tell SSTImap test form a form? How to tell SSTImap test form a form WebKit? Dec 25, 2023
@vladko312 (Owner) commented:

Currently, SSTImap is not supporting multipart/form-data content type. I am working on it, so hopefully I would be able to release an update soon enough.

@vladko312 vladko312 added the in progress The issue would be fixed in the next minor version label Dec 25, 2023
@vladko312 vladko312 added delayed The issue will be fixed with a big update later awaits confirmation The issue is supposed to be resolved, but requires some testing and removed in progress The issue would be fixed in the next minor version labels Jan 6, 2024
@vladko312 (Owner) commented:

In 1.2.0 it should be possible through text and fromhex data types.
Can you verify?

Proper multipart/form-data support would be added later.

@alasalamont (Author) commented:

Can you instruct me on the command line? I did try

python3 sstimap.py -u http://example.com -m POST --load-forms ./form --data-type fromhex
python3 sstimap.py -u http://example.com -m POST --load-forms ./form --data-type fromhex
python3 sstimap.py -u http://example.com -m POST --load-forms ./form 

Where form is the form that I saved from Burpsuite

And here is the output

[*] Version: 1.2.0
[*] Author: @vladko312
[*] Based on Tplmap
[!] LEGAL DISCLAIMER: Usage of SSTImap for attacking targets without prior mutual consent is illegal.
It is the end user's responsibility to obey all applicable local, state and federal laws.
Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] Loaded plugins by categories: languages: 5; legacy_engines: 2; engines: 17
[*] Loaded request body types: 4

[-] Error occurred while loading forms from file:
JSONDecodeError('Expecting value: line 1 column 1 (char 0)')
[*] Scanning url: http://example.com
[-] Tested parameters appear to be not injectable.

@vladko312 (Owner) commented:

--load-forms is used to load forms saved by --save-forms.

For now, SSTImap lacks the ability to load requests or request bodies from files. I will work on this feature.

--data-type fromhex requires you to hex-encode data before adding injection markers.
For example: 536f6d6509*1b62797465730d0a00
This can be done to preserve line endings (0d0a, \r\n) or other unusual bytes

@alasalamont (Author) commented:

> --load-forms is used to load forms saved by --save-forms.
>
> For now, SSTImap lacks the ability to load requests or request bodies from files. I will work on this feature.
>
> --data-type fromhex requires you to hex-encode data before adding injection markers. For example: 536f6d6509*1b62797465730d0a00 This can be done to preserve line endings (0d0a, \r\n) or other unusual bytes

If I am not understanding this wrongly, for this WebKit form I have to use --data-type fromhex.

Based on the example above, assume I want to test fields[message] at the word test. I have to hex-encode the data in 2 parts:

  • Part 1: from the start of the data sent up to the word test at fields[message]
------WebKitFormBoundaryzZgoVbc9kBDZDmAs
Content-Disposition: form-data; name="CSRF_TOKEN"

<REDACTED>

------WebKitFormBoundaryzZgoVbc9kBDZDmAs
Content-Disposition: form-data; name="fields[message]"

test

Then concatenate with the marker *, and concatenate with Part 2

  • Part 2: everything after the test in Part 1, which is
------WebKitFormBoundaryzZgoVbc9kBDZDmAs
Content-Disposition: form-data; name="alojs01dca85956cc7cf638dda2c9642df2fd"

alojs01dca85956cc7cf638dda2c9642df2fd
------WebKitFormBoundaryzZgoVbc9kBDZDmAs--

which will also be hex-encoded.

So the final command will be

python3 sstimap.py -u http://example.com -m POST -d "<hex-encoded-part1>*<hex-encoded-part2>" --data-type fromhex

Am I right?

@vladko312 (Owner) commented:

Yes, fromhex would be better as you would be able to preserve \r\n line endings as 0d0a.
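As an added example (not part of this issue thread or of the SSTImap project), the following Python helper builds the two-part hex-encoded value discussed above: it renders a multipart/form-data body with CRLF line endings, splits it right after the value of the field being tested, hex-encodes both halves and joins them with the marker. The boundary and field names are taken from the request quoted in the issue; the list of fields is a constructed subset, and the round-trip helper assumes the injected text is placed raw between the two decoded halves.

```python
CRLF = "\r\n"
# Boundary copied from the request quoted in this issue.
BOUNDARY = "----WebKitFormBoundaryzZgoVbc9kBDZDmAs"
MARKER = "*"  # injection marker used in the thread

# Constructed sample: a trimmed subset of the form fields from the issue.
FIELDS = [
    ("handle", "contact"),
    ("fields[email]", "test@gmail.com"),
    ("fields[message]", "test"),
]


def build_multipart(fields, boundary=BOUNDARY):
    """Render fields as a multipart/form-data body with CRLF line endings, as a browser does."""
    out = ""
    for name, value in fields:
        out += (f"--{boundary}{CRLF}"
                f'Content-Disposition: form-data; name="{name}"{CRLF}{CRLF}'
                f"{value}{CRLF}")
    return out + f"--{boundary}--{CRLF}"


def fromhex_payload(fields, inject_field, marker=MARKER, boundary=BOUNDARY):
    """Split the body right after inject_field's value, hex-encode both halves and
    join them with the marker: this is the value to pass to -d with --data-type fromhex."""
    body = build_multipart(fields, boundary).encode()
    header = f'name="{inject_field}"{CRLF}{CRLF}'.encode()
    start = body.index(header) + len(header)
    end = start + len(dict(fields)[inject_field].encode())
    return body[:end].hex() + marker + body[end:].hex()


def reassemble(payload, injected=b"", marker=MARKER):
    """Round-trip check (assumption: injected bytes go raw between the decoded halves).
    Only the hex halves are decoded, so every 0d0a comes back as a literal CRLF."""
    part1, part2 = payload.split(marker, 1)
    return bytes.fromhex(part1) + injected + bytes.fromhex(part2)


if __name__ == "__main__":
    payload = fromhex_payload(FIELDS, "fields[message]")
    print(f'-d "{payload}" --data-type fromhex')
    # With nothing injected the body must be byte-identical to the original.
    assert reassemble(payload) == build_multipart(FIELDS).encode()
```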
