Misanthro.py is a powerful tool designed to test for blind injection vulnerabilities in web applications. It automates the process of identifying and exploiting these vulnerabilities by injecting payloads into HTTP headers, cookies, and GET/POST parameters. Misanthro.py is intended for use by penetration testers and security researchers.
- Supports injection into HTTP headers, cookies, and GET/POST parameters.
- Can target multiple URLs simultaneously.
- Customizable payloads for different types of injections.
- Verbose output for detailed logging of the attack process (misanthro_log.txt).
To use Misanthro.py, you need to have Python3 installed. You can install the required dependencies using pip:
pip install -r requirements.txt--url: target URL(s). If multiple, divided by comma (e.g., --url https://test.example.com/login,https://test2.example.com/signup).--url-file: file containing a list of target URLs.--payloads: file containing payloads for injection.--hate-get: GET parameters to inject into. If multiple, divided by comma (e.g., --hate-get redirect_url,r,username,redirect_uri).--hate-post: POST parameters to inject into. If multiple, divided by comma (e.g., --hate-post username,password).--hate-http-header: HTTP headers to inject into. If multiple, divided by comma (e.g., --hate-http-header User-Agent,X-Forwarded-For,Forwarded,Host).--hate-cookie: cookies to inject into. If multiple, divided by comma (e.g., --hate-cookie sessionid,userid).--cookie: custom cookies to include in requests (e.g., testing for authenticated targets).-v,-vv,--verbose: verbose output level (-vv is the higher level of verbosity).
Below are some examples demonstrating how to use Misanthro.py to test for blind injection vulnerabilities.
python misanthro.py --url http://example.com/sample --payloads payloads.txt --hate-get param1,param2 -vvThis command targets http://example.com and injects payloads from payloads.txt into the GET parameters param1 and param2.
python misanthro.py --url http://example.com/sample --payloads payloads.txt --hate-http-header User-Agent,X-Forwarded-For -vvThis command targets http://example.com and injects payloads from payloads.txt into the HTTP headers User-Agent and X-Forwarded-For.
python misanthro.py --url http://example.com/sample --payloads payloads.txt --hate-cookie sessionid,userid -vvThis command targets http://example.com and injects payloads from payloads.txt into the cookies sessionid and userid.
python misanthro.py --url http://example.com/sample,http://example.com/sample2 --payloads payloads.txt --hate-get param1,param2 -vvThis command targets http://example.com on both the endpoints /sample and /sample2, injecting payloads from payloads.txt into the GET parameters param1 and param2 for all the URLs provided.
python misanthro.py --url-file urls.txt --payloads payloads.txt --hate-get param1,param2 -vvThis command reads URLs from urls.txt and injects payloads from payloads.txt into the GET parameters param1 and param2.