Implementation for an Issue #264

lib/core/option.py

@@ -90,12 +90,14 @@ from lib.core.settings import ACCESS_ALIASES
 from lib.core.settings import BURP_REQUEST_REGEX
 from lib.core.settings import CODECS_LIST_PAGE
 from lib.core.settings import CRAWL_EXCLUDE_EXTENSIONS
+from lib.core.settings import CUSTOM_INJECTION_MARK_CHAR
 from lib.core.settings import DB2_ALIASES
 from lib.core.settings import DEFAULT_GET_POST_DELIMITER
 from lib.core.settings import DEFAULT_PAGE_ENCODING
 from lib.core.settings import DEFAULT_TOR_HTTP_PORTS
 from lib.core.settings import DEFAULT_TOR_SOCKS_PORT
 from lib.core.settings import FIREBIRD_ALIASES
+from lib.core.settings import INJECT_HERE_MARK
 from lib.core.settings import IS_WIN
 from lib.core.settings import LOCALHOST
 from lib.core.settings import MAXDB_ALIASES
@@ -1350,6 +1352,8 @@ def __cleanupOptions():
         setOptimize()
 
     if conf.data:
+        conf.data = re.sub(INJECT_HERE_MARK, CUSTOM_INJECTION_MARK_CHAR, conf.data, re.I)
+
         if re.search(r'%[0-9a-f]{2}', conf.data, re.I):
             original = conf.data
             class _(unicode): pass
@@ -1358,6 +1362,9 @@ def __cleanupOptions():
         else:
             conf.data = urldecode(conf.data)
 
+    if conf.url:
+        conf.url = re.sub(INJECT_HERE_MARK, CUSTOM_INJECTION_MARK_CHAR, conf.url, re.I)
+
     if conf.os:
         conf.os = conf.os.capitalize()
 

lib/core/settings.py

@@ -269,6 +269,9 @@ MAX_RATIO = 1.0
 # Character used for marking injectable position inside provided data
 CUSTOM_INJECTION_MARK_CHAR = '*'
 
+# Other way to declare injection position
+INJECT_HERE_MARK = '%INJECT HERE%'
+
 # Maximum length used for retrieving data over MySQL error based payload due to "known" problems with longer result strings
 MYSQL_ERROR_CHUNK_LENGTH = 50