From 81722b688178d9006564b0ada1a18af97a8b2a06 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Thu, 27 Jan 2011 18:36:28 +0000
Subject: [PATCH] major bug fix reported by Ahmed Shawky (there was a possibility of double url encoding of parameter values)
---
 doc/THANKS | 3 +++
 lib/core/common.py | 3 ++-
 lib/core/target.py | 5 +++--
 lib/request/connect.py | 6 +++---
 4 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/doc/THANKS b/doc/THANKS
index 5fbc140d0..fdf8df90a 100644
--- a/doc/THANKS
+++ b/doc/THANKS
@@ -335,6 +335,9 @@ Sven Schluter
 Uemit Seren
 for reporting a minor adjustment when running with python 2.6
+Ahmed Shawky
+ for reporting a major bug with improper handling of parameter values
+
 Brian Shura
 for reporting a bug
diff --git a/lib/core/common.py b/lib/core/common.py
index 48bc4492c..95cd9240d 100644
--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -45,6 +45,7 @@ from lib.core.data import logger
 from lib.core.data import paths
 from lib.core.data import queries
 from lib.core.convert import htmlunescape
+from lib.core.convert import urldecode
 from lib.core.convert import urlencode
 from lib.core.enums import DBMS
 from lib.core.enums import PLACE
@@ -704,7 +705,7 @@ def parseTargetUrl():
 conf.port = 80
 if __urlSplit[3]:
- conf.parameters[PLACE.GET] = __urlSplit[3]
+ conf.parameters[PLACE.GET] = urldecode(__urlSplit[3])
 conf.url = "%s://%s:%d%s" % (conf.scheme, conf.hostname, conf.port, conf.path)
diff --git a/lib/core/target.py b/lib/core/target.py
index 79052ec68..f3f0cb201 100644
--- a/lib/core/target.py
+++ b/lib/core/target.py
@@ -16,6 +16,7 @@ import time
 from lib.core.common import dataToSessionFile
 from lib.core.common import paramToDict
 from lib.core.common import readInput
+from lib.core.convert import urldecode
 from lib.core.data import cmdLineOptions
 from lib.core.data import conf
 from lib.core.data import kb
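Review bot: `conf.parameters[PLACE.GET] = urldecode(__urlSplit[3])` in parseTargetUrl (lib/core/common.py) decodes the whole query string before it is split into name/value pairs, so a value that legitimately contains `%26` or `%3D` turns into a bare `&` or `=` and will presumably be treated as a separator by the later pair parsing (paramToDict, imported in lib/core/target.py), shifting or losing parameters; the same applies to `conf.parameters[PLACE.POST] = urldecode(conf.data)` in __setRequestParams in lib/core/target.py. Keeping the raw string here and applying `urldecode` to each value after the split would preserve the boundaries. Whether the later `urlencode` of the whole string in lib/request/connect.py re-escapes those `&`/`=` characters depends on urlencode's safe set, which this patch does not show. parseTargetUrl continues outside the hunk.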
@@ -61,7 +62,7 @@ def __setRequestParams():
 if conf.data:
 conf.data = conf.data.replace("\n", " ")
- conf.parameters[PLACE.POST] = conf.data
+ conf.parameters[PLACE.POST] = urldecode(conf.data)
 # Check if POST data is in xml syntax
 if re.match("[\n]*<(\?xml |soap\:|ns).*>", conf.data):
@@ -104,7 +105,7 @@ def __setRequestParams():
 for httpHeader, headerValue in conf.httpHeaders:
 if httpHeader == PLACE.UA:
 # No need for url encoding/decoding the user agent
- conf.parameters[PLACE.UA] = headerValue
+ conf.parameters[PLACE.UA] = urldecode(headerValue)
 condition = not conf.testParameter
 condition |= PLACE.UA in conf.testParameter
diff --git a/lib/request/connect.py b/lib/request/connect.py
index d381a2314..281d32141 100644
--- a/lib/request/connect.py
+++ b/lib/request/connect.py
@@ -409,16 +409,16 @@ class Connect:
 checkPayload(value)
 if PLACE.GET in conf.parameters:
- get = conf.parameters[PLACE.GET] if place != PLACE.GET or not value else value
+ get = urlencode(conf.parameters[PLACE.GET]) if place != PLACE.GET or not value else value
 if PLACE.POST in conf.parameters:
- post = conf.parameters[PLACE.POST] if place != PLACE.POST or not value else value
+ post = urlencode(conf.parameters[PLACE.POST]) if place != PLACE.POST or not value else value
 if PLACE.COOKIE in conf.parameters:
 cookie = conf.parameters[PLACE.COOKIE] if place != PLACE.COOKIE or not value else value
 if PLACE.UA in conf.parameters:
- ua = conf.parameters[PLACE.UA] if place != PLACE.UA or not value else value
+ ua = urlencode(conf.parameters[PLACE.UA]) if place != PLACE.UA or not value else value
 if PLACE.URI in conf.parameters:
 uri = conf.url if place != PLACE.URI or not value else value
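Review bot: The context comment `# No need for url encoding/decoding the user agent` now sits directly above `conf.parameters[PLACE.UA] = urldecode(headerValue)`, which does exactly that, so the comment is stale and should be removed or replaced with one stating the new contract, e.g. `# Stored decoded; lib/request/connect.py re-encodes every conf.parameters value before sending`. Decoding a raw header value is also lossy for a User-Agent that contains a literal `%` (or `+`, depending on how urldecode treats it), so such a configured value is no longer sent as given. __setRequestParams starts before and continues after this hunk.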
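Review bot: `ua = urlencode(conf.parameters[PLACE.UA])` applies URL encoding to an HTTP header value, and header values are not percent-encoded on the wire, so unless urlencode's safe set (not visible in this patch) leaves spaces, `/`, `(` and `)` untouched the User-Agent actually sent now differs from the one the user configured, while the `cookie` line a few lines below is left unencoded. Encoding is also applied only on the non-injected branch of each conditional: when `place` matches and `value` is truthy the raw `value` is used, so callers must already supply an encoded payload, and that contract is worth stating on the first assignment, e.g. `# conf.parameters holds decoded values; value (the injected payload) is expected to arrive already encoded`. The method containing these lines starts before and continues after the hunk.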