Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Fix] Fixed multiline output when using only one fuzz variable (issue #645) #656

Merged
merged 4 commits into from
Apr 21, 2023
Merged

[Fix] Fixed multiline output when using only one fuzz variable (issue #645) #656

merged 4 commits into from
Apr 21, 2023

Conversation

p0dalirius
Copy link
Contributor

Description

Fixed multi-line output when using only one fuzz variable (issue #645)

Fixes: #645

Bug source

In version 2.0 of fuff, FFUFHASH was added.

ffuf/CHANGELOG.md

Line 8 in b2c1f94

- Added a new, dynamic keyword `FFUFHASH` that generates hash from job configuration and wordlist position to map blind payloads back to the initial request.

This variable is set in the Input map of the result structure:

ffuf/main.go

Line 397 in b2c1f94

inputdata["FFUFHASH"] = []byte(hash)

This triggers two bugs

Bug 1

Because of this, the size of res.Input is now at least 2. Therefore all output modes will be multi-lines since the condition len(res.Input) > 1 is never met in the function PrintResult() in pkg/output/stdout.go.

https://github.com/p0dalirius/ffuf/blob/b2c1f9471f5bc275912c9c8194e88593d2636597/pkg/output/stdout.go#L375-L377

Changing the condition len(res.Input) > 1 to len(s.fuzzkeywords) > 1 fixes this bug.

Bug 2

Another bug then occurs when only one fuzz variable is passed and results are printed. When prepareInputsOneLine() in pkg/output/stdout.go gets called, the function iterates on res.Input, therefore printing FFUFHASH too.

https://github.com/p0dalirius/ffuf/blob/master/pkg/output/stdout.go#L386

https://github.com/p0dalirius/ffuf/blob/master/pkg/output/stdout.go#L395

Changing the iteration on res.Input to an iteration on s.fuzzkeywords fixes this bug.

New behavior

When fuzzing only one variable:

image

When fuzzing two and more variables:

image

Best regards,

@p0dalirius p0dalirius mentioned this pull request Mar 3, 2023
Closed
@p0dalirius
Copy link
Contributor Author

Hey @joohoi

Can you take a look at this? Everything is fixed in this PR, and the current bug (#645) is really annoying.

Best regards,

joohoi
joohoi requested changes Apr 21, 2023
View reviewed changes
Copy link
Member

@joohoi joohoi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the fix. Besides the one comment this LGTM.

pkg/output/stdout.go Outdated Show resolved Hide resolved
joohoi
joohoi approved these changes Apr 21, 2023
View reviewed changes
Copy link
Member

@joohoi joohoi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Commited the suggestion, so this is ready to merge.

@joohoi joohoi merged commit 627c871 into ffuf:master Apr 21, 2023
@joohoi joohoi mentioned this pull request Apr 21, 2023
Closed
@sk0x1234
Copy link

using the latest git build

silent/quit -s option producing in wrong format
FUZZ anf FFUFHASH interchanged. im using latest git build

image

image

@felipecaon
Copy link

felipecaon commented Jul 27, 2023
edited
Loading

Seems like this issue is back, using v2.0.0
The issue stated above also happens

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joohoi joohoi joohoi approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

How to get back the 1 line verbosity like v1.5
4 participants
@p0dalirius @sk0x1234 @felipecaon @joohoi