
Commit a024884

Support for a HTTP parameter pollution (Issue #267)
1 parent 42f4c2b commit a024884

4 files changed

Lines changed: 51 additions & 1 deletion


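--- a/lib/core/optiondict.py
+++ b/lib/core/optiondict.py
@@ -197,6 +197,7 @@
 "dependencies": "boolean",
 "disableColoring": "boolean",
 "googlePage": "integer",
+"hpp": "boolean",
 "mobile": "boolean",
 "pageRank": "boolean",
 "smart": "boolean",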

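--- a/lib/parse/cmdline.py
+++ b/lib/parse/cmdline.py
@@ -630,6 +630,10 @@ def cmdLineParser():
 miscellaneous.add_option("--gpage", dest="googlePage", type="int",
 help="Use Google dork results from specified page number")
 
+miscellaneous.add_option("--hpp", dest="hpp",
+action="store_true",
+help="Use HTTP parameter pollution")
+
 miscellaneous.add_option("--mobile", dest="mobile",
 action="store_true",
 help="Imitate smartphone through HTTP User-Agent header")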
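Review bot: The help text of the new --hpp option does not tell the user where the technique is applicable, while the matching code in lib/request/connect.py of this same commit warns that it is meant for ASP(.NET) targets and only acts on GET and POST parameters. Stating that in the option itself saves the user a surprise warning at run time; consider `help="Use HTTP parameter pollution (ASP(.NET) targets, GET/POST parameters only)"`. The enclosing cmdLineParser() continues outside the hunk.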

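--- a/lib/request/connect.py
+++ b/lib/request/connect.py
@@ -18,6 +18,7 @@
 from extra.safe2bin.safe2bin import safecharencode
 from lib.core.agent import agent
 from lib.core.common import asciifyUrl
+from lib.core.common import Backend
 from lib.core.common import calculateDeltaSeconds
 from lib.core.common import clearConsoleLine
 from lib.core.common import cpuThrottle
@@ -43,19 +44,22 @@
 from lib.core.dicts import POST_HINT_CONTENT_TYPES
 from lib.core.enums import ADJUST_TIME_DELAY
 from lib.core.enums import CUSTOM_LOGGING
+from lib.core.enums import DBMS
 from lib.core.enums import HTTPHEADER
 from lib.core.enums import HTTPMETHOD
 from lib.core.enums import NULLCONNECTION
 from lib.core.enums import PAYLOAD
 from lib.core.enums import PLACE
 from lib.core.enums import POST_HINT
 from lib.core.enums import REDIRECTION
+from lib.core.enums import WEB_API
 from lib.core.exception import SqlmapCompressionException
 from lib.core.exception import SqlmapConnectionException
 from lib.core.exception import SqlmapSyntaxException
 from lib.core.exception import SqlmapValueException
 from lib.core.settings import CUSTOM_INJECTION_MARK_CHAR
 from lib.core.settings import DEFAULT_CONTENT_TYPE
+from lib.core.settings import DEFAULT_GET_POST_DELIMITER
 from lib.core.settings import HTTP_ACCEPT_HEADER_VALUE
 from lib.core.settings import HTTP_ACCEPT_ENCODING_HEADER_VALUE
 from lib.core.settings import HTTP_SILENT_TIMEOUT
@@ -66,6 +70,7 @@
 from lib.core.settings import MIN_TIME_RESPONSES
 from lib.core.settings import IS_WIN
 from lib.core.settings import LARGE_CHUNK_TRIM_MARKER
+from lib.core.settings import PAYLOAD_DELIMITER
 from lib.core.settings import PERMISSION_DENIED_REGEX
 from lib.core.settings import UNENCODED_ORIGINAL_VALUE
 from lib.core.settings import URI_HTTP_HEADER
@@ -617,6 +622,42 @@ def queryPage(value=None, place=None, content=False, getRatioValue=False, silent
 payload = urlencode(payload, '%', False, True) if place in (PLACE.GET, PLACE.COOKIE, PLACE.URI) and not skipUrlEncode else payload
 value = agent.replacePayload(value, payload)
 
+if conf.hpp:
+if not any(conf.url.lower().endswith(_.lower()) for _ in (WEB_API.ASP, WEB_API.ASPX)):
+warnMsg = "HTTP parameter pollution should work only against "
+warnMsg += "ASP(.NET) targets"
+singleTimeWarnMessage(warnMsg)
+if place in (PLACE.GET, PLACE.POST):
+_ = re.escape(PAYLOAD_DELIMITER)
+match = re.search("(\w+)=%s(.+?)%s" % (_, _), value)
+if match:
+parameter, content = match.groups()
+if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.MSSQL, DBMS.PGSQL): # DBMSes that support inline comments
+for splitter in (urlencode(' '), ' '):
+if splitter in content:
+prefix, suffix = ("*/", "/*") if splitter == ' ' else (urlencode(_) for _ in ("*/", "/*"))
+parts = content.split(splitter)
+parts[0] = "%s%s" % (parts[0], suffix)
+parts[-1] = "%s%s=%s%s" % (DEFAULT_GET_POST_DELIMITER, parameter, prefix, parts[-1])
+for i in xrange(1, len(parts) - 1):
+parts[i] = "%s%s=%s%s%s" % (DEFAULT_GET_POST_DELIMITER, parameter, prefix, parts[i], suffix)
+payload = "".join(parts)
+value = agent.replacePayload(value, payload)
+break
+else:
+for splitter in (urlencode(','), ','): # generic
+if splitter in content:
+parts = content.split(splitter)
+for i in xrange(1, len(parts)):
+parts[i] = "%s%s=%s" % (DEFAULT_GET_POST_DELIMITER, parameter, parts[i])
+payload = "".join(parts)
+value = agent.replacePayload(value, payload)
+break
+else:
+warnMsg = "HTTP parameter pollution works only with regular "
+warnMsg += "GET and POST parameters"
+singleTimeWarnMessage(warnMsg)
+
 if place:
 value = agent.removePayloadDelimiters(value)
 
@@ -669,7 +710,7 @@ def _randomizeParameter(paramString, randomParameter):
 cookie = _randomizeParameter(cookie, randomParameter)
 
 if conf.evalCode:
-delimiter = conf.pDel or "&"
+delimiter = conf.pDel or DEFAULT_GET_POST_DELIMITER
 variables = {}
 originals = {}
 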
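Review bot: In the hunk at `@@ -617,6 +622,42 @@`, `parameter, content = match.groups()` rebinds `content`, which is a parameter of the enclosing `queryPage(value=None, place=None, content=False, ...)` shown in the hunk header, so any later use of that flag in the function (its body continues outside the hunk) would see the extracted parameter value instead of the caller's boolean. Rename the local throughout the block, e.g. `parameter, paramValue = match.groups()` with the matching `splitter in paramValue` / `paramValue.split(splitter)` uses. Two smaller points: the pattern `"(\w+)=%s(.+?)%s"` should be a raw string (`r"(\w+)=%s(.+?)%s"`) rather than relying on Python leaving the unknown `\w` escape intact, and the `endswith` check against `WEB_API.ASP`/`WEB_API.ASPX` runs on the whole `conf.url`, so if that string still carries a query string at this point the ASP(.NET) warning presumably fires even for ASP targets — worth confirming against where `conf.url` is set.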

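--- a/sqlmap.conf
+++ b/sqlmap.conf
@@ -679,6 +679,10 @@ disableColoring = False
 # Default: 1
 googlePage = 1
 
+# Use HTTP parameter pollution.
+# Valid: True or False
+hpp = False
+
 # Imitate smartphone through HTTP User-Agent header.
 # Valid: True or False
 mobile = False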
