Move url-encoding to url.build_query

patch from nnposter: http://seclists.org/nmap-dev/2014/q3/427
2026-01-06 06:29:03 +00:00 · 2014-10-15 18:12:58 +00:00
parent a318db04b3
commit 5952b9745b
6 changed files with 22 additions and 33 deletions
--- a/scripts/http-form-fuzzer.nse
+++ b/scripts/http-form-fuzzer.nse
@@ -97,14 +97,6 @@ local function generate_safe_postdata(form)
  return postdata
 end

-local function generate_get_string(data)
-  local get_str = {"?"}
-  for name,value in pairs(data) do
-    get_str[#get_str+1]=url.escape(name).."="..url.escape(value).."&"
-  end
-  return table.concat(get_str)
-end
-
 -- generate a charset of characters with ascii codes from 33 to 126
 -- you can use http://www.asciitable.com/ to see which characters those actually are
 local charset = generate_charset(33,126)
@@ -156,7 +148,7 @@ local function fuzz_form(form, minlen, maxlen, host, port, path)
  if form["method"]=="post" then
    sending_function = function(data) return http.post(host, port, form_submission_path, nil, nil, data) end
  else
-    sending_function = function(data) return http.get(host, port, form_submission_path..generate_get_string(data), {no_cache=true, bypass_cache=true}) end
+    sending_function = function(data) return http.get(host, port, form_submission_path.."?"..url.build_query(data), {no_cache=true, bypass_cache=true}) end
  end

  for _,field in ipairs(form["fields"]) do
--- a/scripts/http-open-redirect.nse
+++ b/scripts/http-open-redirect.nse
@@ -43,6 +43,8 @@ categories = {"discovery", "intrusive"}

 portrule = shortport.http

+local redirect_canary = "http://scanme.nmap.org/"
+
 local function dbg(str,...)
  stdnse.debug2(str, ...)
 end
@@ -74,10 +76,9 @@ local function checkLocationEcho(query, destination)
  local q = url.parse_query(query);
  -- Check the values (and keys) and see if they are reflected in the location header
  for k,v in pairs(q) do
-    local s,f = string.find(destination, v)
-    if s == 1 then
+    if destination:sub(1, #v) == v then
      -- Build a new URL
-      q[k] = "http%3A%2f%2fscanme.nmap.org%2f";
+      q[k] = redirect_canary;
      return url.build_query(q)
    end
  end
@@ -123,7 +124,7 @@ action = function(host, port)
          dbg("Checking potential open redirect: %s:%s%s", host,port,url);
          local testResponse = http.get(host, port, url);
          --dbgt(testResponse)
-          if isRedirect(testResponse.status) and testResponse.header.location == "http://scanme.nmap.org/" then
+          if isRedirect(testResponse.status) and testResponse.header.location == redirect_canary then
            table.insert(results, ("%s://%s:%s%s"):format(parsed.scheme, host, port,url))
          end
        end
--- a/scripts/http-rfi-spider.nse
+++ b/scripts/http-rfi-spider.nse
@@ -69,14 +69,6 @@ local function generate_safe_postdata(form)
  return postdata
 end

-local function generate_get_string(data)
-  local get_str = {"?"}
-  for name,value in pairs(data) do
-    get_str[#get_str+1]=url.escape(name).."="..url.escape(value).."&"
-  end
-  return table.concat(get_str)
-end
-
 -- checks each field of a form to see if it's vulnerable to rfi
 local function check_form(form, host, port, path)
  local vulnerable_fields = {}
@@ -96,7 +88,7 @@ local function check_form(form, host, port, path)
  if form["method"]=="post" then
    sending_function = function(data) return http.post(host, port, form_submission_path, nil, nil, data) end
  else
-    sending_function = function(data) return http.get(host, port, form_submission_path..generate_get_string(data), nil) end
+    sending_function = function(data) return http.get(host, port, form_submission_path.."?"..url.build_query(data), nil) end
  end

  for _,field in ipairs(form["fields"]) do
@@ -208,7 +200,7 @@ function action(host, port)
      end --for
    end --if

-    -- now try inclusion by parameters
+    -- now try inclusion by query parameters
    local injectable = {}
    -- search for injectable links (as in sql-injection.nse)
    if r.response.status and r.response.body then
--- a/scripts/http-sql-injection.nse
+++ b/scripts/http-sql-injection.nse
@@ -102,7 +102,7 @@ local function build_injection_vector(urls)

      for k, v in pairs(qtab) do
        old_qtab = qtab[k];
-        qtab[k] = qtab[k] ..  "'%20OR%20sqlspider"
+        qtab[k] = qtab[k] ..  "' OR sqlspider"

        utab.query = url.build_query(qtab)
        urlstr = url.build(utab)
--- a/scripts/http-unsafe-output-escaping.nse
+++ b/scripts/http-unsafe-output-escaping.nse
@@ -78,7 +78,7 @@ local function getReflected(parsed, r)
 end

 local function addPayload(v)
-  return v.."ghz%3Ehzx%22zxc%27xcv"
+  return v.."ghz>hzx\"zxc'xcv"
 end

 local function createMinedLinks(reflected_values, all_values)