1.38b: Small bugfixes

- Decompression now honors user-specified size limits more reliably.
- Retry logic corrected to account for certain Oracle servers.
- Terminal I/O fix for debug mode.
Steve Pinkham 2010-06-21 10:53:17 -04:00
parent 30aa479d14
commit 15c43e8675
8 changed files with 40 additions and 18 deletions


@ -1,3 +1,12 @@
Version 1.38b:
--------------
- Decompression now honors user-specified size limits more reliably.
- Retry logic corrected to account for certain Oracle servers.
- Terminal I/O fix for debug mode.
Version 1.37b:
--------------


@ -405,6 +405,7 @@ function show_dat(path, ignore) {
return false;
}
/* Displays request or response dump in a proper window. */
function show_win(path, ignore) {


@ -23,7 +23,7 @@
#ifndef _HAVE_CONFIG_H
#define _HAVE_CONFIG_H
#define VERSION "1.37b"
#define VERSION "1.38b"
#define USE_COLOR 1 /* Use terminal colors */


@ -204,7 +204,7 @@ u8 parse_url(u8* url, struct http_request* req, struct http_request* ref) {
/* Interpret, skip //[login[:pass@](\[ipv4\]|\[ipv6\]|host)[:port] part of the
URL, if present. Note that "http:blarg" is a valid relative URL to most
browsers, and "//example.com/blarg" is a valid non-FQDN absolute one.
browsers, and "//example.com/blarg" is a valid non-FQ absolute one.
We need to mimick this, which complicates the code a bit.
We only accept /, ?, #, and : to mark the end of a host name. Some browsers
@ -432,7 +432,7 @@ u8* url_decode_token(u8* str, u32 len, u8 plus) {
/* URL-encodes a string according to custom rules. The assumption here is that
the data is already tokenized as "special" boundaries such as ?, =, &, /,
the data is already tokenized at "special" boundaries such as ?, =, &, /,
;, !, $, and , so these characters must always be escaped if present in
tokens. We otherwise let pretty much everything else go through, as it
may help with the exploitation of certain vulnerabilities. */
@ -906,9 +906,11 @@ u8* build_request_data(struct http_request* req) {
}
/* Request a limited range up front to minimize unwanted traffic. */
/* Request a limited range up front to minimize unwanted traffic.
Note that some Oracle servers apparently fail on certain ranged
requests; maybe do something smarter to detect this? */
if (size_limit) {
{
u8 limit[32];
sprintf((char*)limit, "Range: bytes=0-%u\r\n", size_limit - 1);
ASD(limit);
@ -1511,12 +1513,12 @@ u8 parse_response(struct http_request* req, struct http_response* res,
u8* tmp_buf;
/* Deflate or gzip - zlib can handle both the same way. We lazily allocate
a SIZE_LIMIT output buffer, then truncate it if necessary. */
a size_limit output buffer, then truncate it if necessary. */
z_stream d;
s32 err;
tmp_buf = ck_alloc(SIZE_LIMIT + 1);
tmp_buf = ck_alloc(size_limit + 1);
d.zalloc = 0;
d.zfree = 0;
@ -1524,7 +1526,7 @@ u8 parse_response(struct http_request* req, struct http_response* res,
d.next_in = res->payload;
d.avail_in = res->pay_len;
d.next_out = tmp_buf;
d.avail_out = SIZE_LIMIT;
d.avail_out = size_limit;
/* Say hello to third-party vulnerabilities! */
@ -1546,7 +1548,7 @@ u8 parse_response(struct http_request* req, struct http_response* res,
bytes_deflated += res->pay_len;
res->pay_len = SIZE_LIMIT - d.avail_out;
res->pay_len = size_limit - d.avail_out;
res->payload = ck_realloc(tmp_buf, res->pay_len + 1);
res->payload[res->pay_len] = 0;
@ -1967,11 +1969,12 @@ network_error:
and failed instantly with no data read; might be just that
the server got bored. */
if (c->q && c->reused && !c->read_len) {
if (c->q && !c->q->retrying && c->reused && !c->read_len) {
c->q->res->state = STATE_NOTINIT;
c->q->c = 0;
c->q = 0;
c->q->retrying = 1;
c->q->c = 0;
c->q = 0;
req_retried++;
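Review bot: Dropping the `if (size_limit)` guard around the Range header (the bare `{` now preceding `u8 limit[32];`) means `size_limit - 1` is evaluated even when size_limit is 0; the `%u` conversion suggests an unsigned type, so a zero limit would wrap and send `Range: bytes=0-4294967295` unless the option parser already rejects 0, which is outside this diff. If 0 is not a legal value, say so at the new block, e.g. `/* size_limit is validated non-zero at option parsing */`; otherwise keep the guard. The later `ck_alloc(size_limit + 1)` and `d.avail_out = size_limit` hunks have the same dependency, since a zero limit would leave zlib with no output room. The 32-byte `limit` buffer itself is sufficient for the longest 32-bit value (15 + 10 + 2 characters plus the terminator). Both build_request_data and parse_response begin and end outside these hunks.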


@ -213,6 +213,7 @@ struct queue_entry {
struct conn_entry* c; /* Connection currently used */
struct queue_entry* prev; /* Previous queue entry */
struct queue_entry* next; /* Next queue entry */
u8 retrying; /* Request being retried? */
};
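Review bot: The comment on the new field, `/* Request being retried? */`, understates its role: the client code in this commit tests `!c->q->retrying` before retrying and sets it to 1 on retry, and nothing in the diff clears it, so it is a one-shot latch that permits at most one retry per queue entry. Suggest `/* Already retried once; never retry again */` so a later reader does not add a reset and reintroduce the retry loop the commit message describes.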
/* DNS cache item: */


@ -287,7 +287,7 @@ static void compute_counts(struct pivot_desc* pv) {
}
if ((!(proc_cnt++ % 50)) || pv->type == PIVOT_ROOT) {
SAY(cLGN "\r[+] " cNOR "Counting unique issues: %u", proc_cnt);
SAY(cLGN "\r[+] " cNOR "Counting unique nodes: %u", proc_cnt);
fflush(0);
}
@ -598,7 +598,7 @@ static void output_crawl_tree(struct pivot_desc* pv) {
}
if ((!(proc_cnt++ % 50)) || pv->type == PIVOT_ROOT) {
SAY(cLGN "\r[+] " cNOR "Counting unique issues: %u", proc_cnt);
SAY(cLGN "\r[+] " cNOR "Writing crawl tree: %u", proc_cnt);
fflush(0);
}


@ -60,6 +60,9 @@ exclude URLs matching 'string'
.B \-S string
exclude pages containing 'string'
.TP
.B \-K string
do not fuzz query parameters or form fields named 'string'
.TP
.B \-D domain
also crawl cross-site links to a specified domain
.TP


@ -434,11 +434,11 @@ int main(int argc, char** argv) {
optind++;
}
/* Char-by char stdio. */
/* Char-by char stdin. */
tcgetattr(0, &term);
term.c_lflag &= ~ICANON;
tcsetattr(0, TCSAFLUSH, &term);
tcsetattr(0, TCSANOW, &term);
fcntl(0, F_SETFL, O_NONBLOCK);
gettimeofday(&tv, NULL);
@ -474,7 +474,7 @@ int main(int argc, char** argv) {
SAY(" \r");
if (read(0, keybuf, sizeof(keybuf)) > 0) {
if (fread(keybuf, 1, sizeof(keybuf), stdin) > 0) {
display_mode ^= 1;
clear_screen = 1;
}
@ -484,11 +484,14 @@ int main(int argc, char** argv) {
gettimeofday(&tv, NULL);
en_time = tv.tv_sec * 1000 + tv.tv_usec / 1000;
SAY("\n");
if (stop_soon)
SAY(cYEL "[!] " cBRI "Scan aborted by user, bailing out!" cNOR "\n");
term.c_lflag |= ICANON;
tcsetattr(0, TCSAFLUSH, &term);
tcsetattr(0, TCSANOW, &term);
fcntl(0, F_SETFL, O_SYNC);
if (!dont_save_words) save_keywords((u8*)wordlist);
@ -511,6 +514,8 @@ int main(int argc, char** argv) {
}
#endif /* DEBUG_ALLOCATOR */
fflush(0);
return 0;
}
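Review bot: Switching the keypress poll from `read(0, ...)` to `fread(keybuf, 1, sizeof(keybuf), stdin)` while fd 0 is still put into `O_NONBLOCK` mixes a non-blocking descriptor with buffered stdio: when no key is pending, the underlying read fails with EAGAIN, `fread` returns 0 and sets the stream's error indicator, and whether later `fread` calls keep polling afterwards is libc-dependent. Adding `clearerr(stdin);` after the zero return, or keeping `read()` for this one poll, removes that dependency. The `tcgetattr`/`tcsetattr` return values are still unchecked, so when stdin is not a terminal the raw-mode setup and the `TCSANOW` restore silently do nothing, which is harmless but worth a one-line comment at the setup. main begins and ends outside these hunks.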