From 26c7b74e65331c5a76b51945324e16dfb43a809d Mon Sep 17 00:00:00 2001 From: Miroslav Stampar Date: Thu, 14 Jan 2010 18:05:03 +0000 Subject: [PATCH] changes regarding Data (GET/POST/Cookie) encoding (Bug #129) --- lib/controller/controller.py | 8 +++----- lib/core/agent.py | 8 +++++++- lib/core/option.py | 3 --- lib/core/optiondict.py | 3 ++- lib/core/target.py | 2 -- lib/parse/cmdline.py | 4 ++++ lib/request/connect.py | 3 +-- sqlmap.conf | 3 +++ 8 files changed, 20 insertions(+), 14 deletions(-) diff --git a/lib/controller/controller.py b/lib/controller/controller.py index ad01aebc3..5592dfcaf 100644 --- a/lib/controller/controller.py +++ b/lib/controller/controller.py @@ -31,7 +31,6 @@ from lib.controller.checks import checkRegexp from lib.controller.checks import checkConnection from lib.core.common import paramToDict from lib.core.common import readInput -from lib.core.common import sanitizeCookie from lib.core.data import conf from lib.core.data import kb from lib.core.data import logger @@ -162,10 +161,9 @@ def start(): setCookieAsInjectable = False if setCookieAsInjectable: - safeCookie = sanitizeCookie(cookieStr) - conf.httpHeaders.append(("Cookie", safeCookie)) - conf.parameters["Cookie"] = safeCookie - __paramDict = paramToDict("Cookie", safeCookie) + conf.httpHeaders.append(("Cookie", cookieStr)) + conf.parameters["Cookie"] = cookieStr + __paramDict = paramToDict("Cookie", cookieStr) if __paramDict: conf.paramDict["Cookie"] = __paramDict diff --git a/lib/core/agent.py b/lib/core/agent.py index fa5986e45..d85a08833 100644 --- a/lib/core/agent.py +++ b/lib/core/agent.py @@ -26,6 +26,7 @@ import re from lib.core.common import randomInt from lib.core.common import randomStr +from lib.core.convert import urlencode from lib.core.data import conf from lib.core.data import kb from lib.core.data import queries 
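Review bot: The raw cookieStr now feeds the Cookie header, conf.parameters["Cookie"] and paramToDict() with nothing in between; the removed sanitizeCookie() call was the only normalization on that path and the commit does not state what the unsanitized string may contain. If cookieStr is taken from the target's Set-Cookie response header (as the name setCookieAsInjectable suggests; its assignment is above the hunk), attributes such as `path=/` or `expires=...` would now be registered as injectable "parameters" and echoed back in every request, and the `; ` separators are no longer normalized before paramToDict() splits them. If the caller already strips those attributes, a comment stating the guarantee at the point of use would make the new trust boundary visible, e.g. `# cookieStr is used verbatim from here on: caller guarantees plain name=value pairs, no Set-Cookie attributes`. start() begins outside the hunk, so I cannot confirm which holds.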
@@ -77,7 +78,12 @@ class Agent: paramString = conf.parameters[place] retValue = paramString.replace("%s=%s" % (parameter, value), "%s=%s" % (parameter, newValue)) - + + if conf.cookieUrlencode and (kb.injPlace == "Cookie" or place == "Cookie"): + name = retValue[:retValue.find('=')] + value = retValue[retValue.find('=') + 1:] + retValue = "%s=%s" % (name, urlencode(value, convall=True)) + return retValue def fullPayload(self, query): diff --git a/lib/core/option.py b/lib/core/option.py index 096e90986..597107534 100644 --- a/lib/core/option.py +++ b/lib/core/option.py @@ -38,7 +38,6 @@ from lib.core.common import getFileType from lib.core.common import parseTargetUrl from lib.core.common import paths from lib.core.common import randomRange -from lib.core.common import sanitizeCookie from lib.core.common import sanitizeStr from lib.core.data import conf from lib.core.data import kb @@ -847,8 +846,6 @@ def __setHTTPCookies(): debugMsg = "setting the HTTP Cookie header" logger.debug(debugMsg) - conf.cookie = sanitizeCookie(conf.cookie, True) - conf.httpHeaders.append(("Connection", "Keep-Alive")) conf.httpHeaders.append(("Cookie", conf.cookie)) diff --git a/lib/core/optiondict.py b/lib/core/optiondict.py index 62b4e2f91..26ab10eaa 100644 --- a/lib/core/optiondict.py +++ b/lib/core/optiondict.py @@ -61,7 +61,8 @@ optDict = { "string": "string", "regexp": "string", "eString": "string", - "eRegexp": "string" + "eRegexp": "string", + "cookieUrlencode": "boolean" }, "Techniques": { diff --git a/lib/core/target.py b/lib/core/target.py index 1b0f95e27..5c116893c 100644 --- a/lib/core/target.py +++ b/lib/core/target.py @@ -28,7 +28,6 @@ import time from lib.core.common import dataToSessionFile from lib.core.common import paramToDict from lib.core.common import parseTargetUrl -from lib.core.common import sanitizeCookie from lib.core.data import conf from lib.core.data import kb from lib.core.data import logger 
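Review bot: The new Cookie encoding in Agent.payload() splits retValue at the first `=` only, so when conf.parameters["Cookie"] holds several pairs (`a=1; b=2`, the form paramToDict() appears to parse elsewhere in this patch) `value` becomes `1; b=2` and urlencode(..., convall=True) also encodes the `;` separators and the `=` of the following cookies, collapsing the whole header into one cookie and breaking the session it was meant to carry. When no `=` is present, find() returns -1 and `retValue[:-1]` silently drops the last character instead of leaving the string alone. Encoding each pair's value on its own keeps the separators and later names intact; the rewritten block is below. The guard `kb.injPlace == "Cookie" or place == "Cookie"` would also encode a non-Cookie paramString whenever place differs from kb.injPlace — confirm that is intended. payload()'s signature and the statements before the hunk are outside my view.
```python
        if conf.cookieUrlencode and (kb.injPlace == "Cookie" or place == "Cookie"):
            # Encode each cookie's value separately so the ';' separators and
            # the '=' of the following cookies survive urlencode(convall=True)
            encoded = []
            for pair in retValue.split(";"):
                if "=" in pair:
                    name, value = pair.split("=", 1)
                    encoded.append("%s=%s" % (name, urlencode(value, convall=True)))
                else:
                    encoded.append(pair)
            retValue = ";".join(encoded)

        return retValue
```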
@@ -73,7 +72,6 @@ def __setRequestParams(): # Perform checks on Cookie parameters if conf.cookie: - conf.cookie = sanitizeCookie(conf.cookie) conf.parameters["Cookie"] = conf.cookie __paramDict = paramToDict("Cookie", conf.cookie) diff --git a/lib/parse/cmdline.py b/lib/parse/cmdline.py index c42383557..6df142877 100644 --- a/lib/parse/cmdline.py +++ b/lib/parse/cmdline.py @@ -164,6 +164,10 @@ def cmdLineParser(): help="Matches to be excluded before " "comparing page contents") + injection.add_option("--cookie-urlencode", dest="cookieUrlencode", + action="store_true", + help="URLEncode generated cookie injections") + # Techniques options techniques = OptionGroup(parser, "Techniques", "These options can " "be used to test for specific SQL injection " diff --git a/lib/request/connect.py b/lib/request/connect.py index 9717cfcb0..22d89a71c 100644 --- a/lib/request/connect.py +++ b/lib/request/connect.py @@ -31,7 +31,6 @@ import urlparse import traceback from lib.contrib import multipartpost -from lib.core.common import sanitizeCookie from lib.core.convert import urlencode from lib.core.data import conf from lib.core.data import kb @@ -121,7 +120,7 @@ class Connect: try: # Perform HTTP request - headers = forgeHeaders(sanitizeCookie(cookie), ua) + headers = forgeHeaders(cookie, ua) req = urllib2.Request(url, post, headers) conn = urllib2.urlopen(req) diff --git a/sqlmap.conf b/sqlmap.conf index dc259906c..ee142df00 100644 --- a/sqlmap.conf +++ b/sqlmap.conf @@ -155,6 +155,9 @@ eString = # (http://www.python.org/doc/2.5.2/lib/re-syntax.html) eRegexp = +# URLEncode generated cookie injections. +# Valid: True or False +cookieUrlencode = False [Techniques]
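Review bot: With sanitizeCookie() removed from the request path in lib/request/connect.py, the `cookie` argument reaches forgeHeaders() and urllib2.Request untouched, and nothing visible in this hunk rejects CR or LF in it; the urllib2/httplib of this Python 2 generation do not validate header values, so a cookie carrying `\r\n` — whether from `--cookie` or from a Set-Cookie value captured from the target and re-sent — would be emitted as additional request lines rather than as part of the Cookie header. A one-line guard before the call keeps the header well-formed without re-introducing any encoding: `cookie = cookie.replace("\r", "").replace("\n", "") if cookie else cookie`. The same applies to the conf.cookie paths in option.py and target.py where the sanitizer was dropped, but this is the last point before the bytes go on the wire. I cannot see where `cookie` is bound; the enclosing Connect method starts outside the hunk.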