qsinject (Query String Inject) is a tool that allows you to quickly substitute query string values with regex matches, one-at-a-time.
Injections are done one-at-a-time for URLs with multiple query strings to ensure requests aren't broken if certain
parameters are relied on. URLs that don't have query strings will be ignored. Much of this logic is ported over from qsfuzz
to qsinject as a standalone tool.
qsinject has 2 modes, "dumb" mode, and "regex" mode.
- Dumb mode will allow you to pass in a simple comma separated list of injections that will inject each query string value, one-at-a-time
- Regex mode will allow you to define rules and only replace a query string value if it matches the defined regex
As a side-benefit, qsinject does deduplication to remove duplicates of the same URL and query string keys (with only differing values)
go get github.com/ameenmaali/qsinject
inject takes URLs (with query strings) from stdin, of which you will most likely want in a file such as:
$ cat urls.txt
https://www.google.com/reflectedXss?param=123
https://test.com
http://hello.com/sqli?qs=444&dd=22
https://redir.auth.com/redir?url=https://test.com&redirect_to=http://domain.gov
https://xD.com/redirect?url=https://evil.com
Optionally, you can supply qsinject with a rule/config file (see rule-example.yaml for an example) to perform multiple
regex match/replacements in a given run. If you do not use a config file, you'll be limited to replacing against a single rule.
$ cat rules.yaml
rules:
UrlUpdate:
regex: '^http(s)?:\/\/.+'
replacement: 'https://example.net/home'
append: false
XSS:
regex: '^[a-zA-Z0-9]+$'
replacement: '"><h2>asd</h2>'
append: true
SqlInjection:
regex: '^[a-zA-Z0-9]+$'
replacement: "'"
append: trueYou can have as many rules as you'd like. These are the currently supported fields, annotated with comments above the field:
# This should never change, and indicates the start of the rules list
rules:
# This should be set to the rule's name you are defining
ruleName:
# This is the regex (string) value you'd like to match query string values against. Be careful with escaping, recommended to insert in single quotes
regex:
# This is a (string) value for the injection you'd like to insert for the matched regex
replacement:
# This is a (boolean) value for whether you want to append the injection after the original value (true), or replace all together (false)
append:$ qsinject -h
Usage of qsinject:
-a
Append injections to the original query string value (i.e. q=1 > q=1injection
-append
Append injections to the original query string value (i.e. q=1 > q=1injection
-c string
Pass a regex rules config file instead of flags, which also supports multiple rules per run
-config string
Pass a regex rules config file instead of flags, which also supports multiple rules per run
-d
Inject with URL decoded params (default is encoded)
-decode
Inject with URL decoded params (default is encoded)
-debug
Debug/verbose mode to print more info for failed/malformed URLs
-i string
Injections (comma separated) to inject for all query strings
-injections string
Injections (comma separated) to inject for all query strings
-iu
Included unaltered URLs in results (for when match and replace doesn't affect that URL)
-include-unaltered
Included unaltered URLs in results (for when match and replace doesn't affect that URL)
-m string
Regex string to match query string values to be replaced
-match string
Regex string to match query string values to be replaced
-r string
Replacement values (injection) for the matched regex value
-replace string
Replacement values (injection) for the matched regex value
-v
Get the current version of qsinject
-version
Get the current version of qsinject
-w int
Set the concurrency/worker count (default 15)
-workers int
Set the concurrency/worker count (default 15)
Replace URLs in query string values with your Burp Collaborator instance
cat urls.txt | qsinject -m "^http(s)?:\/\/.+" -r "https://myinstance.burpcollaborator.net"
Using a rule config file, match and replace against multiple rules:
cat urls.txt | qsinject -c rules.yaml
Replace URLs in "Dumb" mode, injecting a list of query strings one-at-a-time in each query string value:
cat urls.txt | qsinject -i "val1,val2,val3,val4"
Replace URLs with a rule config file, include all results (even if unaltered), and include values decoded:
cat urls.txt | qsinject -c rules.yaml -iu -decode
Get unique URLs and query string combinations (i.e. remove duplicates with differing param values), simply pass in a non-existent match and replace rule with -iu flag
cat urls.txt | qsinject -iu -m "12312312312312" -r "12321312312213"
- Some of this code, particularly the deduplication logic, was inspired by Tomnomnom's qsreplace