QSreplace – Tool to Replace All Query String Values With User Suplied Value

qsreplace - Tool to Replace All Query String Values With User Suplied Value

qsreplace

Accept URLs on stdin, replace all query string values with a user-supplied value, only output each combination of query string parameters once per host and path.

Install

With Go:

go get -u github.com/tomnomnom/qsreplace

Or download a release and put it somewhere in your $PATH (e.g. in /usr/local/bin).

Usage

Example input file:

▶ cat urls.txt https://example.com/path?one=1&two=2 https://example.com/path?two=2&one=1 https://example.com/pathtwo?two=2&one=1 https://example.net/a/path?two=2&one=1

Replace Query String Values

▶ cat urls.txt | qsreplace newval https://example.com/path?one=newval&two=newval https://example.com/pathtwo?one=newval&two=newval https://example.net/a/path?one=newval&two=newval

Append to Query String Values

▶ cat urls.txt | qsreplace -a newval https://example.com/path?one=1newval&two=2newval https://example.com/pathtwo?one=1newval&two=2newval https://example.net/a/path?one=1newval&two=2newval

Remove Duplicate URL and Parameter Combinations

You can omit the argument to -a to only output each combination of URL and query string parameters once:

▶ cat urls.txt | qsreplace -a https://example.com/path?one=1&two=2 https://example.com/pathtwo?one=1&two=2 https://example.net/a/path?one=1&two=2

Automated XSS

You can perform automated XSS scanning with qsreplace and waybackurls.

waybackurls testphp.vulnweb.com| grep ‘=’ | qsreplace ‘”>Your XSS Payload’ | while read host do ; do curl -s –path-as-is –insecure “$host” | grep -qs “Your XSS Payload” && echo “$host \033[0;31m” Vulnerable;done


You May Also Like

Leave a Reply

Your email address will not be published. Required fields are marked *

two × 1 =