minor update regarding --randomize

stamparm · stamparm · commit e0f521cf9d57 · 2011-08-29T13:08:25.000Z
diff --git a/lib/core/option.py b/lib/core/option.py
@@ -102,6 +102,7 @@
 from lib.core.settings import BURP_SPLITTER
 from lib.core.settings import LOCALHOST
 from lib.core.settings import MAX_NUMBER_OF_THREADS
+from lib.core.settings import PARAMETER_SPLITTING_REGEX
 from lib.core.settings import TIME_DELAY_CANDIDATES
 from lib.core.settings import UNKNOWN_DBMS_VERSION
 from lib.core.settings import WEBSCARAB_SPLITTER
@@ -778,7 +779,7 @@ def __setTamperingFunctions():
         resolve_priorities = False
         priorities = []
 
-        for tfile in re.split(r'[,|;]', conf.tamper):
+        for tfile in re.split(PARAMETER_SPLITTING_REGEX, conf.tamper):
             found = False
 
             tfile = tfile.strip()
@@ -1276,13 +1277,19 @@ def __cleanupOptions():
     if conf.testParameter:
         conf.testParameter = urldecode(conf.testParameter)
         conf.testParameter = conf.testParameter.replace(" ", "")
-        conf.testParameter = conf.testParameter.split(",")
+        conf.testParameter = re.split(PARAMETER_SPLITTING_REGEX, conf.testParameter)
     else:
         conf.testParameter = []
 
     if conf.user:
         conf.user = conf.user.replace(" ", "")
 
+    if conf.rParam:
+        conf.rParam = conf.rParam.replace(" ", "")
+        conf.rParam = re.split(PARAMETER_SPLITTING_REGEX, conf.rParam)
+    else:
+        conf.rParam = []
+
     if conf.delay:
         conf.delay = float(conf.delay)
 
diff --git a/lib/core/settings.py b/lib/core/settings.py
@@ -394,3 +394,6 @@
 
 # Maximum number of times for revalidation of a character in time-based injections
 MAX_TIME_REVALIDATION_STEPS = 5
+
+# Characters that can be used to split parameter values in provided command line (e.g. in --tamper)
+PARAMETER_SPLITTING_REGEX = r'[,|;]'
diff --git a/lib/request/connect.py b/lib/request/connect.py
@@ -580,15 +580,16 @@ def _randomizeParameter(paramString, randomParameter):
                     retVal = re.sub("%s=[^&;]+" % randomParameter, "%s=%s" % (randomParameter, randomizeParameterValue(origValue)), paramString)
                 return retVal
 
-            for item in [PLACE.GET, PLACE.POST, PLACE.COOKIE]:                
-                if item in conf.parameters:
-                    origValue = conf.parameters[item]
-                    if item == PLACE.GET and get:
-                        get = _randomizeParameter(get, conf.rParam)
-                    elif item == PLACE.POST and post:
-                        post = _randomizeParameter(post, conf.rParam)
-                    elif item == PLACE.COOKIE and cookie:
-                        cookie = _randomizeParameter(cookie, conf.rParam)
+            for randomParameter in conf.rParam:
+                for item in [PLACE.GET, PLACE.POST, PLACE.COOKIE]:
+                    if item in conf.parameters:
+                        origValue = conf.parameters[item]
+                        if item == PLACE.GET and get:
+                            get = _randomizeParameter(get, randomParameter)
+                        elif item == PLACE.POST and post:
+                            post = _randomizeParameter(post, randomParameter)
+                        elif item == PLACE.COOKIE and cookie:
+                            cookie = _randomizeParameter(cookie, randomParameter)
 
         get = urlencode(get, limit=True)
         post = urlencode(post)
