ci_fuzz - Command Injection Web Fuzzer Script for mitmproxy.

The ci_fuzz script fuzzes for command injection vulnerabilities that result in remote command execution.
+ Similar OWASP vulnerabilities are explained here: https://www.owasp.org/index.php/Command_Injection
+ The script will attempt to execute OS commands by injecting into every value in the body of a POST/PUT.
+ Detecting execution requires another tool, such as listening for web/ICMP traffic or watching a directory.

For example, if the script observes that a user has performed a single POST with the body set to {"webfunction": "settime", "hour": "10", "minute": "00"}, the script will generate 5 POSTs.

If the payload was executed, the attacker would receive an ICMP ping packet. In this example, the web application is vulnerable to command injection/execution via setting the system time.
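
On the defending side, the settime handler in the example above stops being injectable when every body field is checked against an allowlist and the command is built as an argument vector instead of a shell string. The Python sketch below is an added example, not part of ci_fuzz or the original page; the schema, the function names and the use of GNU `date -s` are assumptions.

```python
import re

# Allowlist schema for the page's example body (schema and names are assumptions):
# {"webfunction": "settime", "hour": "10", "minute": "00"}
SCHEMA = {
    "webfunction": re.compile(r"settime"),
    "hour": re.compile(r"(?:[01]?[0-9]|2[0-3])"),
    "minute": re.compile(r"[0-5][0-9]"),
}

def validate(body):
    """Return body if every field fully matches its allowlist, else raise ValueError."""
    if set(body) != set(SCHEMA):
        raise ValueError("unexpected or missing fields")
    for key, pattern in SCHEMA.items():
        value = body[key]
        # fullmatch: the whole value must match, so trailing text or newlines fail
        if not isinstance(value, str) or not pattern.fullmatch(value):
            raise ValueError(f"rejected field: {key}")
    return body

def settime_argv(body):
    """Build an argument vector for subprocess.run(argv), which defaults to shell=False."""
    clean = validate(body)
    # Values are re-serialised from validated data, never pasted into a shell string
    return ["date", "-s", f"{int(clean['hour']):02d}:{clean['minute']}"]

def rejected_fields(baseline, tainted):
    """Regression check: swap each value in turn for a tainted one, as the page
    describes the fuzzer doing, and list the fields whose variant is rejected."""
    rejected = []
    for key in baseline:
        variant = dict(baseline, **{key: tainted})
        try:
            validate(variant)
        except ValueError:
            rejected.append(key)
    return rejected

BASELINE = {"webfunction": "settime", "hour": "10", "minute": "00"}
TAINTED = "10; echo constructed-marker"  # constructed sample value, harmless

if __name__ == "__main__":
    print(settime_argv(BASELINE))
    print(rejected_fields(BASELINE, TAINTED))
```

A field missing from the list returned by `rejected_fields` is one the handler still accepts unvalidated and is the place to look first.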

Dependencies:
+ mitmproxy 3.0.0+

Usage:

Source: https://github.com/mvdevnull