Patch for an Issue #360

stamparm · stamparm · commit bb6b89fe9380 · 2013-01-19T18:06:36.000+01:00
diff --git a/lib/core/common.py b/lib/core/common.py
@@ -1959,7 +1959,7 @@ def findMultipartPostBoundary(post):
 
     return retVal
 
-def urldecode(value, encoding=None, unsafe="%%&=;+%s" % CUSTOM_INJECTION_MARK_CHAR, convall=False):
+def urldecode(value, encoding=None, unsafe="%%&=;+%s" % CUSTOM_INJECTION_MARK_CHAR, convall=False, plusspace=True):
     result = value
 
     if value:
@@ -1977,14 +1977,16 @@ def _(match):
                     char = chr(ord(match.group(1).decode("hex")))
                     return char if char in charset else match.group(0)
                 result = re.sub("%([0-9a-fA-F]{2})", _, value)
-                result = result.replace("+", " ")  # plus sign has a special meaning in url encoded data (hence the usage of urllib.unquote_plus in convall case)
+
+                if plusspace:
+                    result = result.replace("+", " ")  # plus sign has a special meaning in url encoded data (hence the usage of urllib.unquote_plus in convall case)
 
     if isinstance(result, str):
         result = unicode(result, encoding or UNICODE_ENCODING, "replace")
 
     return result
 
-def urlencode(value, safe="%&=", convall=False, limit=False):
+def urlencode(value, safe="%&=", convall=False, limit=False, spaceplus=False):
     if conf.direct:
         return value
 
@@ -2016,6 +2018,9 @@ def urlencode(value, safe="%&=", convall=False, limit=False):
             else:
                 break
 
+        if spaceplus:
+            result = result.replace(urllib.quote(' '), '+')
+
     return result
 
 def runningAsAdmin():
@@ -2996,7 +3001,7 @@ def geturl(self):
                 url = urldecode(request.get_full_url(), kb.pageEncoding)
                 method = request.get_method()
                 data = request.get_data() if request.has_data() else None
-                data = urldecode(data, kb.pageEncoding) if data and urlencode(DEFAULT_GET_POST_DELIMITER, None) not in data else data
+                data = urldecode(data, kb.pageEncoding, plusspace=False)
 
                 if not data and method and method.upper() == HTTPMETHOD.POST:
                     debugMsg = "invalid POST form with blank data detected"
diff --git a/lib/core/option.py b/lib/core/option.py
@@ -328,7 +328,7 @@ def _parseBurpLog(content):
 
                 if not(conf.scope and not re.search(conf.scope, url, re.I)):
                     if not kb.targets or url not in addedTargetUrls:
-                        kb.targets.add((url, method, urldecode(data) if data and urlencode(DEFAULT_GET_POST_DELIMITER, None) not in data else data, cookie))
+                        kb.targets.add((url, method, data, cookie))
                         addedTargetUrls.add(url)
 
     fp = openFile(reqFile, "rb")
@@ -1361,15 +1361,6 @@ def _cleanupOptions():
     if conf.data:
         conf.data = re.sub(INJECT_HERE_MARK.replace(" ", r"[^A-Za-z]*"), CUSTOM_INJECTION_MARK_CHAR, conf.data, re.I)
 
-        if re.search(r'%[0-9a-f]{2}', conf.data, re.I):
-            class _(unicode):
-                pass
-            original = conf.data
-            conf.data = _(urldecode(conf.data))
-            setattr(conf.data, UNENCODED_ORIGINAL_VALUE, original)
-        else:
-            conf.data = urldecode(conf.data)
-
     if conf.url:
         conf.url = re.sub(INJECT_HERE_MARK.replace(" ", r"[^A-Za-z]*"), CUSTOM_INJECTION_MARK_CHAR, conf.url, re.I)
 
@@ -1591,6 +1582,7 @@ def _setKnowledgeBaseAttributes(flushAll=True):
     kb.safeCharEncode = False
     kb.singleLogFlags = set()
     kb.skipOthersDbms = None
+    kb.postSpaceToPlus = False
     kb.stickyDBMS = False
     kb.stickyLevel = None
     kb.suppressResumeInfo = False
diff --git a/lib/core/target.py b/lib/core/target.py
@@ -47,6 +47,7 @@
 from lib.core.settings import RESULTS_FILE_FORMAT
 from lib.core.settings import SOAP_RECOGNITION_REGEX
 from lib.core.settings import SUPPORTED_DBMS
+from lib.core.settings import UNENCODED_ORIGINAL_VALUE
 from lib.core.settings import UNICODE_ENCODING
 from lib.core.settings import UNKNOWN_DBMS_VERSION
 from lib.core.settings import URI_INJECTABLE_REGEX
@@ -504,6 +505,18 @@ def initTargetEnv():
         _restoreCmdLineOptions()
         _setDBMS()
 
+    if conf.data:
+        kb.postSpaceToPlus = '+' in conf.data
+
+        if re.search(r'%[0-9a-f]{2}', conf.data, re.I):
+            class _(unicode):
+                pass
+            original = conf.data
+            conf.data = _(urldecode(conf.data))
+            setattr(conf.data, UNENCODED_ORIGINAL_VALUE, original)
+        else:
+            conf.data = urldecode(conf.data)
+
 def setupTargetEnv():
     _createTargetDirs()
     _setRequestParams()
diff --git a/lib/request/connect.py b/lib/request/connect.py
@@ -745,7 +745,7 @@ def _randomizeParameter(paramString, randomParameter):
             if place not in (PLACE.POST, PLACE.CUSTOM_POST) and hasattr(post, UNENCODED_ORIGINAL_VALUE):
                 post = getattr(post, UNENCODED_ORIGINAL_VALUE)
             elif not skipUrlEncode and kb.postHint not in POST_HINT_CONTENT_TYPES.keys():
-                post = urlencode(post)
+                post = urlencode(post, spaceplus=kb.postSpaceToPlus)
 
         if timeBasedCompare:
             if len(kb.responseTimes) < MIN_TIME_RESPONSES:
