Bhedak

A replacement of qsreplace, accepts URLs as standard input, replaces all query string values with user-supplied values and stdout. Works on every OS. Made with python

Installation

$ pip3 install bhedak

Usage

• For linux, unix and debian based systems

  

  $ waybackurls target.tld | bhedak "payload"
  

• For windows based systems

  

  cmd> type urls.txt | python bhedak.py "payload"
  

• If no payload passed

  $ waybackurls subdomain.target.tld | bhedak
  
  http://subdomain.target.tld/comment.php?pid=FUZZ&user=FUZZ
  http://subdomain.target.tld/disclaimer.php=FUZZ
  http://subdomain.target.tld/hpp/index.php?pp=FUZZ
  http://subdomain.target.tld/hpp/?pp=FUZZ&user=FUZZ
  

• Example input file

  $ waybackurls subdomain.target.tld | tee -a urls
  
  http://subdomain.target.tld/comment.php?pid=username&user=1
  http://subdomain.target.tld/disclaimer.php=1
  http://subdomain.target.tld/hpp/index.php?pp=12
  http://subdomain.target.tld/hpp/?pp=12&user=5
  

• Replace query string values

  $ cat urls | bhedak "FUZZ"
  
  http://subdomain.target.tld/comment.php?pid=FUZZ&user=FUZZ
  http://subdomain.target.tld/disclaimer.php=FUZZ
  http://subdomain.target.tld/hpp/index.php?pp=FUZZ
  http://subdomain.target.tld/hpp/?pp=FUZZ&user=FUZZ
  

• Replace query string with custom payloads

  $ cat urls | bhedak "\"><svg/onload=alert(1)>*'/---+{{7*7}}"
  
  http://subdomain.target.tld/comment.php?pid=%22%3E%3Csvg%2Fonload%3Dalert%281%29%3E%2A%27%2F---%2B%7B%7B7%2A7%7D%7D&user=%22%3E%3Csvg%2Fonload%3Dalert%281%29%3E%2A%27%2F---%2B%7B%7B7%2A7%7D%7D
  http://subdomain.target.tld/disclaimer.php=%22%3E%3Csvg%2Fonload%3Dalert%281%29%3E%2A%27%2F---%2B%7B%7B7%2A7%7D%7D
  http://subdomain.target.tld/hpp/index.php?pp=%22%3E%3Csvg%2Fonload%3Dalert%281%29%3E%2A%27%2F---%2B%7B%7B7%2A7%7D%7D
  http://subdomain.target.tld/hpp/?pp=%22%3E%3Csvg%2Fonload%3Dalert%281%29%3E%2A%27%2F---%2B%7B%7B7%2A7%7D%7D&user=%22%3E%3Csvg%2Fonload%3Dalert%281%29%3E%2A%27%2F---%2B%7B%7B7%2A7%7D%7D
  

• Remove duplicate urls

  $ cat urls | bhedak "FUZZ" | sort -u
  
  http://subdomain.target.tld/comment.php?pid=FUZZ&user=FUZZ
  http://subdomain.target.tld/disclaimer.php=FUZZ
  http://subdomain.target.tld/hpp/index.php?pp=FUZZ
  http://subdomain.target.tld/hpp/?pp=FUZZ&user=FUZZ
  

• Comparsion

<br/><img src="https://github.com/R0X4R/bhedak/raw/main/.github/image.jpg"><br/>


```bash
$ echo "http://fakedomain.com/fakefile.jsp;jsessionid=2ed4262dbe69850d25bc7c6424ba59db?hardwareid=14&tarifid=9998" | qsreplace "FUZZ"
http://fakedomain.com/fakefile.jsp;jsessionid=2ed4262dbe69850d25bc7c6424ba59db?hardwareid=FUZZ&tarifid=FUZZ

$ echo "http://fakedomain.com/fakefile.jsp;jsessionid=2ed4262dbe69850d25bc7c6424ba59db?hardwareid=14&tarifid=9998" | bhedak "FUZZ"
http://fakedomain.com/fakefile.jsp;jsessionid=FUZZ?hardwareid=FUZZ&tarifid=FUZZ
```

Donate

Thanks to @tomnomnom for making an amazing tool called qsreplace, from using qsreplace I got idea to make bhedak