Implementing a check for an Issue #25

2025-02-03 05:04:11 +03:00 · 2013-01-17 13:56:04 +01:00 · 2013-01-17 13:56:04 +01:00 · 65273295e3
commit 65273295e3
parent 9428d1819e
1 changed files with 18 additions and 4 deletions
--- a/lib/core/common.py
+++ b/lib/core/common.py
@ -516,16 +516,16 @@ def paramToDict(place, parameters=None):
    for element in splitParams:
        element = re.sub(r"%s(.+?)%s" % (PARAMETER_AMP_MARKER, PARAMETER_SEMICOLON_MARKER), r"&\g<1>;", element)
-        elem = element.split("=")
+        parts = element.split("=")
-        if len(elem) >= 2:
+        if len(parts) >= 2:
-            parameter = elem[0].replace(" ", "")
+            parameter = parts[0].replace(" ", "")
            condition = not conf.testParameter
            condition |= parameter in conf.testParameter
            if condition:
-                testableParameters[parameter] = "=".join(elem[1:])
+                testableParameters[parameter] = "=".join(parts[1:])
                if not conf.multipleTargets:
                    _ = urldecode(testableParameters[parameter], convall=True)
                    if _.strip(DUMMY_SQL_INJECTION_CHARS) != _\
@ -564,6 +564,20 @@ def paramToDict(place, parameters=None):
                warnMsg += "is not inside the %s" % place
                logger.warn(warnMsg)
    if testableParameters:
        for parameter, value in testableParameters.items():
            if value and not value.isdigit():
                for encoding in ("hex", "base64"):
                    try:
                        decoded = value.decode(encoding)
                        if all(_ in string.printable for _ in decoded):
                            warnMsg = "provided parameter '%s' " % parameter
                            warnMsg += "seems to be '%s' encoded" % encoding
                            logger.warn(warnMsg)
                            break
                    except:
                        pass
    return testableParameters
 def getDocRoot():