diff --git a/lib/controller/checks.py b/lib/controller/checks.py
index d92ea2a14..abcaa78fb 100644
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -399,6 +399,8 @@ def checkSqlInjection(place, parameter, value):
 if injection.place is None or injection.parameter is None:
 if place == PLACE.UA:
 injection.parameter = conf.agent
+ elif place == PLACE.REFERER:
+ injection.parameter = conf.referer
 else:
 injection.parameter = parameter
diff --git a/lib/core/agent.py b/lib/core/agent.py
index 726549225..65dc33a79 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -108,7 +108,7 @@ class Agent:
 retValue = ET.tostring(root)
 elif place == PLACE.URI:
 retValue = paramString.replace("%s%s" % (origValue, URI_INJECTION_MARK_CHAR), self.addPayloadDelimiters(newValue))
- elif place == PLACE.UA:
+ elif place in (PLACE.UA, PLACE.REFERER):
 retValue = paramString.replace(origValue, self.addPayloadDelimiters(newValue))
 else:
 retValue = paramString.replace("%s=%s" % (parameter, origValue),
diff --git a/lib/core/enums.py b/lib/core/enums.py
index 8b9e2bb7a..a025fae26 100644
--- a/lib/core/enums.py
+++ b/lib/core/enums.py
@@ -41,6 +41,7 @@ class PLACE:
 URI = "URI"
 COOKIE = "Cookie"
 UA = "User-Agent"
+ REFERER = "Referer"
 class HTTPMETHOD:
 GET = "GET"
diff --git a/lib/core/target.py b/lib/core/target.py
index 26d22cc47..3124a606b 100644
--- a/lib/core/target.py
+++ b/lib/core/target.py
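Review bot: The new `elif place == PLACE.REFERER:` branch reads `conf.referer`, but nothing in this diff assigns that attribute: lib/core/target.py stores the header under `conf.parameters[PLACE.REFERER]` and `conf.paramDict[PLACE.REFERER]`, whereas the sibling branch's `conf.agent` is presumably populated by existing option parsing. Unless `conf.referer` is already an existing option outside this diff, the branch will raise AttributeError (or record None) the first time a Referer injection is confirmed. An assignment that mirrors what target.py actually stores is `injection.parameter = conf.parameters[PLACE.REFERER]`, or the option should be added wherever `conf.agent` is defined. checkSqlInjection's body starts and ends outside this hunk.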
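Review bot: The merged `elif place in (PLACE.UA, PLACE.REFERER):` branch relies on `str.replace` finding `origValue` inside `paramString`, and `replace` silently returns the header unchanged when it does not; for Referer that is now a live risk, because lib/core/target.py fills `conf.parameters[PLACE.REFERER]` with `urldecode(headerValue)` but `conf.paramDict[PLACE.REFERER]` with the raw `headerValue`. If `paramString` and `origValue` are drawn from those two structures (their origin is outside this hunk), a percent-encoded Referer would never receive the payload and the test would pass as a silent no-op. A guard after the replace, such as `if retValue == paramString: logger.debug("payload could not be placed in %s" % place)` using whatever logger this module already has in scope, would make that failure visible, or both structures should hold the same form of the value. The enclosing method starts and ends outside this hunk.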
@@ -123,6 +123,20 @@ def __setRequestParams():
 conf.paramDict[PLACE.UA] = { PLACE.UA: headerValue }
 __testableParameters = True
+ elif httpHeader == PLACE.REFERER:
+ # No need for url encoding/decoding the referer
+ conf.parameters[PLACE.REFERER] = urldecode(headerValue)
+
+ condition = not conf.testParameter
+ condition |= PLACE.REFERER in conf.testParameter
+ condition |= "referer" in conf.testParameter
+ condition |= "referrer" in conf.testParameter
+ condition |= "ref" in conf.testParameter
+
+ if condition:
+ conf.paramDict[PLACE.REFERER] = { PLACE.REFERER: headerValue }
+ __testableParameters = True
+
 if not conf.parameters:
 errMsg = "you did not provide any GET, POST and Cookie "
 errMsg += "parameter, neither an User-Agent header"
diff --git a/lib/request/basic.py b/lib/request/basic.py
index d537c0f34..3378fa984 100644
--- a/lib/request/basic.py
+++ b/lib/request/basic.py
@@ -30,9 +30,9 @@ from lib.core.settings import UNICODE_ENCODING
 from lib.parse.headers import headersParser
 from lib.parse.html import htmlParser
-def forgeHeaders(cookie, ua):
+def forgeHeaders(cookie, ua, referer):
 """
- Prepare HTTP Cookie and HTTP User-Agent headers to use when performing
+ Prepare HTTP Cookie, HTTP User-Agent and HTTP Referer headers to use when performing
 the HTTP requests
 """
@@ -43,6 +43,8 @@ def forgeHeaders(cookie, ua):
 headers[header] = cookie
 elif ua and header == "User-Agent":
 headers[header] = ua
+ elif referer and header == "Referer":
+ headers[header] = referer
 else:
 headers[header] = value
diff --git a/lib/request/connect.py b/lib/request/connect.py
index 636132427..9ca8cb17a 100644
--- a/lib/request/connect.py
+++ b/lib/request/connect.py
@@ -82,6 +82,7 @@ class Connect:
 method = kwargs.get('method', None)
 cookie = kwargs.get('cookie', None)
 ua = kwargs.get('ua', None)
+ referer = kwargs.get('referer', None)
 direct = kwargs.get('direct', False)
 multipart = kwargs.get('multipart', False)
 silent = kwargs.get('silent', False)
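Review bot: The comment `# No need for url encoding/decoding the referer` is contradicted by the very next line, `conf.parameters[PLACE.REFERER] = urldecode(headerValue)`, and a few lines later `conf.paramDict[PLACE.REFERER] = { PLACE.REFERER: headerValue }` stores the raw value, so the two structures disagree whenever the Referer carries percent-encoding, which is common since it is a URL. The User-Agent branch just above stores `headerValue` in paramDict; if conf.parameters for UA is likewise raw (not visible here), the Referer branch should match with `conf.parameters[PLACE.REFERER] = headerValue`, or decode both, and the comment should state which form is stored and why. The alias `condition |= "ref" in conf.testParameter` is only an exact match if conf.testParameter is a list of names, as `PLACE.REFERER in conf.testParameter` suggests; on a string it would become a substring test. The unchanged `errMsg += "parameter, neither an User-Agent header"` below is now stale and should mention the Referer header as well.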
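Review bot: `def forgeHeaders(cookie, ua, referer):` adds a required positional parameter, so any caller other than the one updated in lib/request/connect.py will now fail with TypeError; the diff shows only that call site and cannot show others. A default keeps old callers working and matches how the body already treats a missing value (`elif referer and header == "Referer":` tolerates None): `def forgeHeaders(cookie, ua, referer=None):`. The docstring could also say that a header is only replaced when it is already present among the iterated headers, if that is what the loop, which starts outside this hunk, does.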
@@ -139,7 +140,7 @@ class Connect:
 requestMsg += " %s" % httplib.HTTPConnection._http_vsn_str
 # Perform HTTP request
- headers = forgeHeaders(cookie, ua)
+ headers = forgeHeaders(cookie, ua, referer)
 if conf.realTest:
 headers["Referer"] = "%s://%s" % (conf.scheme, conf.hostname)
@@ -383,6 +384,7 @@ class Connect:
 post = None
 cookie = None
 ua = None
+ referer = None
 page = None
 pageLength = None
 uri = None
@@ -424,6 +426,9 @@ class Connect:
 if PLACE.UA in conf.parameters:
 ua = conf.parameters[PLACE.UA] if place != PLACE.UA or not value else value
+ if PLACE.REFERER in conf.parameters:
+ referer = conf.parameters[PLACE.REFERER] if place != PLACE.REFERER or not value else value
+
 if PLACE.URI in conf.parameters:
 uri = conf.url if place != PLACE.URI or not value else value
 else:
@@ -443,7 +448,7 @@ class Connect:
 if conf.safUrl and conf.saFreq > 0:
 kb.queryCounter += 1
 if kb.queryCounter % conf.saFreq == 0:
- Connect.getPage(url=conf.safUrl, cookie=cookie, direct=True, silent=True, ua=ua)
+ Connect.getPage(url=conf.safUrl, cookie=cookie, direct=True, silent=True, ua=ua, referer=referer)
 start = time.time()
@@ -456,7 +461,7 @@ class Connect:
 auxHeaders["Range"] = "bytes=-1"
- _, headers = Connect.getPage(url=uri, get=get, post=post, cookie=cookie, ua=ua, silent=silent, method=method, auxHeaders=auxHeaders, raise404=raise404)
+ _, headers = Connect.getPage(url=uri, get=get, post=post, cookie=cookie, ua=ua, referer=referer, silent=silent, method=method, auxHeaders=auxHeaders, raise404=raise404)
 if kb.nullConnection == NULLCONNECTION.HEAD and 'Content-Length' in headers:
 pageLength = int(headers['Content-Length'])
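Review bot: Right after the new `headers = forgeHeaders(cookie, ua, referer)`, the unchanged `if conf.realTest: headers["Referer"] = "%s://%s" % (conf.scheme, conf.hostname)` overwrites the header unconditionally, so in real-test mode the Referer injection vector this commit introduces is silently neutralised: the payload is placed, then replaced by the scheme://host default before the request goes out. If the default is only meant to supply a plausible Referer when none was given, `if conf.realTest and not referer:` preserves both behaviours; if real-test mode must always send the fixed value, that should be noted next to the new PLACE.REFERER handling so the header is not tested in that mode by mistake. The enclosing method starts and ends outside this hunk.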
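Review bot: Passing `referer=referer` into the safe-URL keepalive request means that, when `place == PLACE.REFERER` and a payload is under test, the injected Referer is also sent to `conf.safUrl`, a request that is presumably meant to stay benign; the same already holds for `cookie` and `ua`, so this is at least consistent with existing behaviour. If the safe request should not carry payloads, pass the un-injected value instead, e.g. `referer=conf.parameters.get(PLACE.REFERER)`. The enclosing method starts and ends outside this hunk.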
@@ -464,7 +469,7 @@ class Connect:
 pageLength = int(headers['Content-Range'][headers['Content-Range'].find('/') + 1:])
 if not pageLength:
- page, headers = Connect.getPage(url=uri, get=get, post=post, cookie=cookie, ua=ua, silent=silent, method=method, auxHeaders=auxHeaders, response=response, raise404=raise404, ignoreTimeout=timeBasedCompare)
+ page, headers = Connect.getPage(url=uri, get=get, post=post, cookie=cookie, ua=ua, referer=referer, silent=silent, method=method, auxHeaders=auxHeaders, response=response, raise404=raise404, ignoreTimeout=timeBasedCompare)
 threadData.lastQueryDuration = calculateDeltaSeconds(start)