x8

用 Rust 编写的隐藏参数发现套件。

该工具有助于识别可能存在漏洞或可能被其他测试人员忽略的有趣功能的隐藏参数。它通过逐行比较页面、比较响应代码和反射来实现高精度。

文档

解释每个功能的文档可在 https://sh1yo.art/x8docs/ 获取。文档的源代码位于 /docs.md。

树

• 功能
• 示例
• 测试站点
• 使用方法
• 单词表
• Burp Suite 集成
• 安装

功能

• 快速。
• 通过使用模板和注入点提供灵活的请求配置。
• 高度可扩展，每次运行可检查数千个 URL。
• 与类似工具相比，特别是在困难情况下，提供更高的准确性。
• 能够发现具有非随机值（如 admin=true）的参数。
• 具有广泛的可自定义选项，可高度配置。
• 通过外部库修改实现几乎原始的请求。

示例

检查查询中的参数

x8 -u "https://example.com/" -w <wordlist>

带有默认参数

x8 -u "https://example.com/?something=1" -w <wordlist>

/?something=1 等于 /?something=1&%s

通过正文发送参数

x8 -u "https://example.com/" -X POST -w <wordlist>

或使用自定义正文

x8 -u "https://example.com/" -X POST -b '{"x":{%s}}' -w <wordlist>

%s将被替换为不同的参数，例如：{"x":{"a":"b3a1a", "b":"ce03a", ...}}

并行检查多个URL

x8 -u "https://example.com/" "https://4rt.one/" -W0

自定义模板

x8 -u "https://example.com/" --param-template "user[%k]=%v" -w <wordlist>

现在每个请求看起来像这样：/?user[a]=hg2s4&user[b]=a34fa&...

百分号编码

有时参数需要编码。这也是可能的

x8 -u "https://example.com/?path=..%2faction.php%3f%s%23" --encode -w <wordlist>

GET /?path=..%2faction.php%3fWTDa8%3Da7UOS%26rTIDA%3DexMFp...%23 HTTP/1.1
Host: example.com

搜索头部

x8 -u "https://example.com" --headers -w <wordlist>

搜索头部值

您还可以针对单个头部

x8 -u "https://example.com" -H "Cookie: %s" -w <wordlist>

测试站点

您可以在以下URL上检查该工具并与其他工具进行比较

https://4rt.one/level1 (GET)

https://4rt.one/level3 (GET)

使用方法

USAGE:
    x8 [FLAGS] [OPTIONS]

FLAGS:
        --append                       Append to the output file instead of overwriting it.
    -B                                 Equal to -x https://127.0.0.1:8080
        --check-binary                 Check the body of responses with binary content types
        --disable-additional-checks    Private
        --disable-colors
        --disable-custom-parameters    Do not automatically check parameters like admin=true
        --disable-progress-bar
        --disable-trustdns             Can solve some dns related problems
        --encode                       Encodes query or body before making a request, i.e & -> %26, = -> %3D
                                       List of chars to encode: ", `, , <, >, &, #, ;, /, =, %
    -L, --follow-redirects             Follow redirections
        --force                        Force searching for parameters on pages > 25MB. Remove an error in case there's 1
                                       worker with --one-worker-per-host option.
    -h, --help                         Prints help information
        --headers                      Switch to header discovery mode.
                                       NOTE Content-Length and Host headers are automatically removed from the list
        --invert                       By default, parameters are sent within the body only in case PUT or POST methods
                                       are used.
                                       It's possible to overwrite this behavior by specifying the option
        --mimic-browser                Add default headers that browsers usually set.
        --one-worker-per-host          Multiple urls with the same host will be checked one after another,
                                       while urls with different hosts - are in parallel.
                                       Doesn't increase the number of workers
        --reflected-only               Disable page comparison and search for reflected parameters only.
        --remove-empty                 Skip writing to file outputs of url:method pairs without found parameters
        --replay-once                  If a replay proxy is specified, send all found parameters within one request.
        --strict                       Only report parameters that have changed the different parts of a page
        --test                         Prints request and response
    -V, --version                      Prints version information
        --verify                       Verify found parameters.

OPTIONS:
    -b, --body <body>                                       Example: --body '{"x":{%s}}'
                                                            Available variables: {{random}}
    -c <concurrency>                                        The number of concurrent requests per url [default: 1]
        --custom-parameters <custom-parameters>
            Check these parameters with non-random values like true/false yes/no
            (default is "admin bot captcha debug disable encryption env show sso test waf")
        --custom-values <custom-values>
            Values for custom parameters (default is "1 0 false off null true yes no")

    -t, --data-type <data-type>
            Available: urlencode, json
            Can be detected automatically if --body is specified (default is "urlencode")
    -d, --delay <Delay between requests in milliseconds>     [default: 0]
    -H <headers>                                            Example: -H 'one:one' 'two:two'
        --http <http>                                       HTTP version. Supported versions: --http 1.1, --http 2
    -j, --joiner <joiner>
            How to join parameter templates. Example: --joiner '&'
            Default: urlencoded - '&', json - ', ', header values - '; '
        --learn-requests <learn-requests-count>             Set the custom number of learn requests. [default: 9]
    -m, --max <max>
            Change the maximum number of parameters per request.
            (default is <= 256 for query, 64 for headers and 512 for body)
    -X, --method <methods>                                  Multiple values are supported: -X GET POST
    -o, --output <file>
    -O, --output-format <output-format>                     standart, json, url, request [default: standart]
    -P, --param-template <parameter-template>
            %k - key, %v - value. Example: --param-template 'user[%k]=%v'
            Default: urlencoded - <%k=%v>, json - <"%k":%v>, headers - <%k=%v>
    -p, --port <port>                                       Port to use with request file
        --progress-bar-len <progress-bar-len>                [default: 26]
        --proto <proto>                                     Protocol to use with request file (default is "https")
    -x, --proxy <proxy>
        --recursion-depth <recursion-depth>
            Check the same list of parameters with the found parameters until there are no new parameters to be found.
            Conflicts with --verify for now.
        --replay-proxy <replay-proxy>
            Request target with every found parameter via the replay proxy at the end.

    -r, --request <request>                                 The file with the raw http request
        --save-responses <save-responses>
            Save request and response to a directory when a parameter is found

        --split-by <split-by>
            Split the request into lines by the provided sequence. By default splits by \r, \n and \r\n

        --timeout <timeout>                                 HTTP request timeout in seconds. [default: 15]
    -u, --url <url>
            You can add a custom injection point with %s.
            Multiple urls and filenames are supported:
            -u filename.txt
            -u https://url1 http://url2
    -v, --verbose <verbose>                                 Verbose level 0/1/2 [default: 1]
    -w, --wordlist <wordlist>
            The file with parameters (leave empty to read from stdin) [default: ]

    -W, --workers <workers>
            The number of concurrent url checks.
            Use -W0 to run everything in parallel [default: 1]

单词表

参数

• 列表
• arjun

头部

• 参数挖掘器

Burp Suite 集成

burpsuite集成是通过发送到扩展完成的。

设置

1. 启动Burp Suite并导航到“扩展”选项卡。
2. 从BApp Store中找到并安装“自定义发送到”扩展。
3. 打开“发送到”选项卡，然后单击“添加”按钮以配置扩展。

给条目命名，并在命令中插入以下行

/path/to/x8 --progress-bar-len 20 -c 3 -r %R -w /path/to/wordlist --proto %T --port %P

您还可以添加您常用的参数，如--output-format，--replay-proxy，--recursion-depth等。

注意如果进度条无法正常工作——尝试减小--progress-bar-len的值。

从“在后台运行”切换到“在终端运行”。

如果您在终端中遇到字体渲染问题，您可以在“发送到其他选项”中调整xterm选项。只需将现有内容替换为xterm -rv -fa 'Monospace' -fs 10 -hold -e %C，或者用您喜欢的终端模拟器替换xterm。