v0.6.11

New features:

• Allow users to ignore ssl cert
• --detect-waf-keywords: allow users to enable and disable waf keywords detections. It will fuzz banned keywords based on waf.
• --waf-keyword: manually specify waf keywords

v0.6.9

New features:

• just more rules adding whitespaces

Bugfix:

• a bug in waf detection

v0.6.7

New features:

• Provide crack-path and scan functionalities in webui, which were only available in cli interface.
• Open browser automatically when starting webui

Optimization:

• better waf detection

v0.6.6

New features:

• better webui
• better prompt for cli

Optimization:

• more rule
• a new way to detect replaced keywords

Full Changelog: v0.6.5...0.6.6

v0.6.5

Optimization:

• More rules
• Optimized ability for attacking python2
  Bug fix:
• many

Full Changelog: v0.6.0.1...v0.6.5

v0.6.0.1

New features:

• Remove redundant brackets in payload with precedence calculation.
• Now scan function will guess parameters by intrusion.
• Test whether WAF banned long payloads.
• Add tons of rules...
• Add --extra-param and --extra-data options

Bug fixes:

• environment param ignored in do_crack_path_pre
• long param WAF test cause wrong WAF detection

Full Changelog: v0.5.8...v0.6.0.1

v0.5.8

New features:

• Auto fixing 500 algorithm! When HTTP status code is 500 the algo just FIX it! Details in #16
• More rules, we can add some rules back because that algo will disable them when they don't work.
• Bug fix: eval dont work in eval-args-payload mode

Full Changelog: v0.5.5.1...v0.5.8

v0.5.5.1

New feature:

• Real Terminal!
  • eval a python expression on the target, for meterpreter python session and others.
  • get a flask config of the target, sometimes flag is there.
  • implement ls and cat alternative in the terminal, will be useful when the PATH environment is broken.
• normal stuff like more rules...
• none.

Full Changelog: v0.5.2.1...v0.5.5.1

v0.5.2.1

Optimization:

• More rules!
• Better WAF detection
• Check WAF when generating literals
• Check whether tamperers' output ends in '\n'
• Improve code quality

Full Changelog: v0.5.1...v0.5.2.1

v0.5.1

So I finally closed issue #10
New features:

• --eval-args-payload option, pass payload in the GET/POST args, and use SSTI to execute it.
• --proxy option for just setting proxy.

Optimization:

• Stop adding brackets when getting attributes of something
• add a internal generate target ONEOF for generate one of the requirements, now the payload generator can genrate things like "__g""lobals__" besides "_""_""g""l""o""b""a""l""s""_""_"
• generate target EVAL now requires a generate target instead of a string, useful for generating things like eval(request.value.x)

Full Changelog: v0.4.8...v0.5.1