fix unresolved interactsh-url variable with fuzzing (#5289)

RamanaReddy0M · web-flow · commit 33dbb51505c7 · 2024-07-26T00:01:05.000+05:30
* fix unresolved interactsh variable with fuzzing

* fix variables override with fuzzing
diff --git a/pkg/fuzz/execute.go b/pkg/fuzz/execute.go
@@ -167,9 +167,12 @@ func (rule *Rule) evaluateVarsWithInteractsh(data map[string]interface{}, intera
 	if rule.options.Interactsh != nil {
 		// Iterate through the data to replace and evaluate variables with Interactsh URLs
 		for k, v := range data {
+			value := fmt.Sprint(v)
 			// Replace variables with Interactsh URLs and collect new URLs
-			got, oastUrls := rule.options.Interactsh.Replace(fmt.Sprint(v), interactshUrls)
-
+			got, oastUrls := rule.options.Interactsh.Replace(value, interactshUrls)
+			if got != value {
+				data[k] = got
+			}
 			// Append new OAST URLs if any
 			if len(oastUrls) > 0 {
 				interactshUrls = append(interactshUrls, oastUrls...)
diff --git a/pkg/fuzz/parts.go b/pkg/fuzz/parts.go
@@ -181,9 +181,9 @@ func (rule *Rule) execWithInput(input *ExecuteRuleInput, httpReq *retryablehttp.
 // for fuzzing.
 func (rule *Rule) executeEvaluate(input *ExecuteRuleInput, _, value, payload string, interactshURLs []string) (string, []string) {
 	// TODO: Handle errors
-	values := generators.MergeMaps(input.Values, map[string]interface{}{
+	values := generators.MergeMaps(rule.options.Variables.GetAll(), map[string]interface{}{
 		"value": value,
-	}, rule.options.Options.Vars.AsMap(), rule.options.Variables.GetAll())
+	}, rule.options.Options.Vars.AsMap(), input.Values)
 	firstpass, _ := expressions.Evaluate(payload, values)
 	interactData, interactshURLs := rule.options.Interactsh.Replace(firstpass, interactshURLs)
 	evaluated, _ := expressions.Evaluate(interactData, values)
diff --git a/pkg/protocols/common/interactsh/const.go b/pkg/protocols/common/interactsh/const.go
@@ -8,7 +8,7 @@ import (
 
 var (
 	defaultInteractionDuration = 60 * time.Second
-	interactshURLMarkerRegex   = regexp.MustCompile(`{{interactsh-url(?:_[0-9]+){0,3}}}`)
+	interactshURLMarkerRegex = regexp.MustCompile(`(%7[B|b]|\{){2}(interactsh-url(?:_[0-9]+){0,3})(%7[D|d]|\}){2}`)
 
 	ErrInteractshClientNotInitialized = errors.New("interactsh client not initialized")
 )

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@ import (`
`8`	`8`
`9`	`9`	`var (`
`10`	`10`	`defaultInteractionDuration = 60 * time.Second`
`11`		- interactshURLMarkerRegex = regexp.MustCompile(`{{interactsh-url(?:_[0-9]+){0,3}}}`)
	`11`	+ interactshURLMarkerRegex = regexp.MustCompile(`(%7[B\|b]\|\{){2}(interactsh-url(?:_[0-9]+){0,3})(%7[D\|d]\|\}){2}`)
`12`	`12`
`13`	`13`	`ErrInteractshClientNotInitialized = errors.New("interactsh client not initialized")`
`14`	`14`	`)`