- New payload for Twig exploiting CVE-2022-23614
Old payload renamed to Twig_v1
Alternate payload: legacy/Twig_filter
- Request body type support:
form: URLencoded form data (default)
json: JSON data
text: Plain text data
fromhex: Binary data encoded as HEX
- Blind detection now uses separate longer time for verification and exploitation
Detected blind injections are now verified to produce less false positives
Warning is printed if detected delays vary more than expected
- Improved some payloads by removing unused closures
- Added a way to specify expected target system shell
- URLs without params are no longer treated as forms by default
- Added clarity with text and colors
- Fixed some bugs