From 2bb5ba7fa21ed06081442fff1c94f63b13f312ea Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Thu, 14 Nov 2019 11:49:30 +0100
Subject: [PATCH] Bug fix (payload escaping in XML payloads)

---
 extra/vulnserver/vulnserver.py | 2 +-
 lib/core/settings.py | 2 +-
 lib/request/connect.py | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/extra/vulnserver/vulnserver.py b/extra/vulnserver/vulnserver.py
index 257fc93a4..694761615 100644
--- a/extra/vulnserver/vulnserver.py
+++ b/extra/vulnserver/vulnserver.py
@@ -103,7 +103,7 @@ class ReqHandler(BaseHTTPRequestHandler):
 if self.data.startswith('{') and self.data.endswith('}'):
 params.update(json.loads(self.data))
 elif self.data.startswith('<') and self.data.endswith('>'):
- params.update(dict(re.findall(r'name="([^"]+)" value="([^"]*)"', self.data)))
+ params.update(dict((_[0], _[1].replace("'", "'").replace(""", '"').replace("<", '<').replace(">", '>').replace("&", '&')) for _ in re.findall(r'name="([^"]+)" value="([^"]*)"', self.data)))
 else:
 params.update(parse_qs(self.data))
 
diff --git a/lib/core/settings.py b/lib/core/settings.py
index c9cfdc10a..7e902c680 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -18,7 +18,7 @@ from lib.core.enums import OS
 from thirdparty.six import unichr as _unichr
 
 # sqlmap version (...)
-VERSION = "1.3.11.46"
+VERSION = "1.3.11.47"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
diff --git a/lib/request/connect.py b/lib/request/connect.py
index af2ddb299..649fe5fc8 100644
--- a/lib/request/connect.py
+++ b/lib/request/connect.py
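Review bot: The hand-rolled entity decoding on the added `params.update(...)` line is hard to audit, and on this rendering of the patch the entity names in the `replace()` pairs have themselves been decoded, so every call reads as a no-op; presumably the committed source maps `&apos;`, `&quot;`, `&lt;`, `&gt;` and, last, `&amp;`, and that ordering is the only thing keeping already-escaped text from being decoded twice. The standard library already encodes that ordering: `xml.sax.saxutils.unescape(value, {"&quot;": '"', "&apos;": "'"})` handles `&lt;`/`&gt;`, the extra entities and then `&amp;`, and exists on both Python 2 and 3. A short comment such as `# undo the XML escaping applied to payloads in lib/request/connect.py` would also record that this test server deliberately mirrors the encoder. The enclosing handler method starts and ends outside the hunk.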
@@ -932,7 +932,7 @@ class Connect(object):
 if kb.postHint in (POST_HINT.SOAP, POST_HINT.XML):
 # payloads in SOAP/XML should have chars > and < replaced
 # with their HTML encoded counterparts
- payload = payload.replace('>', ">").replace('<', "<")
+ payload = payload.replace('&', "&").replace('>', ">").replace('<', "<").replace('"', """).replace("'", "'") # Reference: https://stackoverflow.com/a/1091953
 elif kb.postHint == POST_HINT.JSON:
 payload = escapeJsonValue(payload)
 elif kb.postHint == POST_HINT.JSON_LIKE:
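Review bot: The two comment lines above the changed `payload = ...` line are now stale: they say only `>` and `<` are replaced with "HTML encoded counterparts", while the new line also escapes `&`, `"` and `'`, and these are XML's predefined entities rather than HTML ones (`&apos;` in particular is not an HTML 4 entity). Suggest rewording them to `# payloads in SOAP/XML must have the five XML special chars (& < > " ') replaced by their predefined entities; '&' first so already-escaped text is not double-encoded`. On this rendering the entity names in the `replace()` targets have been decoded, so the calls read as no-ops; presumably the committed source uses `&amp;`, `&gt;`, `&lt;`, `&quot;` and `&apos;`. `xml.sax.saxutils.escape(payload, {'"': "&quot;", "'": "&apos;"})` would express the same mapping with the ampersand-first ordering handled by the library. The enclosing method starts and ends outside the hunk.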