1.69b: parameter encoding, User-Agent, password fixes

- Minor improvements to parameter encoding, User-Agent controls.
  - Password detector improvement.
Steve Pinkham 2010-10-01 00:00:03 -04:00
parent de39e6a7a3
commit 69e6c20648
6 changed files with 30 additions and 16 deletions


@ -1,3 +1,13 @@
Version 1.69b:
--------------
- Minor improvements to parameter encoding, User-Agent controls.
Version 1.68b:
--------------
- Password detector improvement.
Version 1.67b:
--------------


@ -20,7 +20,7 @@
#
PROGNAME = skipfish
VERSION = 1.67b
VERSION = 1.69b
OBJFILES = http_client.c database.c crawler.c analysis.c report.c
INCFILES = alloc-inl.h string-inl.h debug.h types.h http_client.h \


@ -2354,11 +2354,12 @@ static void check_for_stuff(struct http_request* req,
(x - sniffbuf) < 64) x++;
if (x != sniffbuf && *x == ':' && x[1] != '/' && x[1] != '.') {
x++;
u8* start_x = ++x;
while (*x && (isalnum(*x) || strchr("./*!+=$", *x)) &&
(x - sniffbuf) < 128) x++;
if (*x == ':' || !*x || *x == '\r' || *x == '\n')
if (*x == ':' || ((start_x != x) && (!*x || *x == '\r' || *x == '\n')))
problem(PROB_FILE_POI, req, res, (u8*)
"Possible password file", req->pivot, 0);
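Review bot: The new `start_x != x` guard is applied only to the line-end branch of the condition, not to the `*x == ':'` branch, so a token whose second field is empty and is followed by another ':' still raises PROB_FILE_POI, while an empty second field at end of line no longer does. That asymmetry may well be deliberate (an empty second field is legal in passwd-style files), but nothing in the hunk says so; a comment on the new condition such as `/* Empty 2nd field: still a hit before ':', not at end of line. */` would keep the next reader from "fixing" it. The `while (*x && ...)` loop bounds the scan at 128 bytes and stops on NUL, so `start_x` and `x` are always within the sniff buffer as far as the hunk shows. check_for_stuff begins outside the hunk.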


@ -34,7 +34,7 @@
/* Various default settings for HTTP client (cmdline override): */
#define MAX_CONNECTIONS 50 /* Simultaneous connection cap */
#define MAX_CONNECTIONS 40 /* Simultaneous connection cap */
#define MAX_CONN_HOST 10 /* Per-host connction cap */
#define MAX_REQUESTS 1e8 /* Total request count cap */
#define MAX_FAIL 100 /* Max consecutive failed requests */


@ -440,7 +440,7 @@ u8* url_decode_token(u8* str, u32 len, u8 plus) {
tokens. We otherwise let pretty much everything else go through, as it
may help with the exploitation of certain vulnerabilities. */
u8* url_encode_token(u8* str, u32 len) {
u8* url_encode_token(u8* str, u32 len, u8 also_slash) {
u8 *ret = ck_alloc(len * 3 + 1);
u8 *src = str, *dst = ret;
@ -448,7 +448,8 @@ u8* url_encode_token(u8* str, u32 len) {
while (len--) {
u8 c = *(src++);
if (c <= 0x20 || c >= 0x80 || strchr("#%&=/+;,!$?", c)) {
if (c <= 0x20 || c >= 0x80 || strchr("#%&=+;,!$?", c) ||
(also_slash && c == '/')) {
if (c == 0xFF) c = 0;
sprintf((char*)dst, "%%%02X", c);
dst += 3;
@ -666,13 +667,13 @@ u8* serialize_path(struct http_request* req, u8 with_host, u8 with_post) {
if (req->par.n[i]) {
u32 len = strlen((char*)req->par.n[i]);
u8* str = url_encode_token(req->par.n[i], len);
u8* str = url_encode_token(req->par.n[i], len, 1);
ASD(str); ASD("=");
ck_free(str);
}
if (req->par.v[i]) {
u32 len = strlen((char*)req->par.v[i]);
u8* str = url_encode_token(req->par.v[i], len);
u8* str = url_encode_token(req->par.v[i], len, 1);
ASD(str);
ck_free(str);
}
@ -699,13 +700,13 @@ u8* serialize_path(struct http_request* req, u8 with_host, u8 with_post) {
if (req->par.n[i]) {
u32 len = strlen((char*)req->par.n[i]);
u8* str = url_encode_token(req->par.n[i], len);
u8* str = url_encode_token(req->par.n[i], len, 0);
ASD(str); ASD("=");
ck_free(str);
}
if (req->par.v[i]) {
u32 len = strlen((char*)req->par.v[i]);
u8* str = url_encode_token(req->par.v[i], len);
u8* str = url_encode_token(req->par.v[i], len, 0);
ASD(str);
ck_free(str);
}
@ -725,13 +726,13 @@ u8* serialize_path(struct http_request* req, u8 with_host, u8 with_post) {
if (req->par.n[i]) {
u32 len = strlen((char*)req->par.n[i]);
u8* str = url_encode_token(req->par.n[i], len);
u8* str = url_encode_token(req->par.n[i], len, 0);
ASD(str); ASD("=");
ck_free(str);
}
if (req->par.v[i]) {
u32 len = strlen((char*)req->par.v[i]);
u8* str = url_encode_token(req->par.v[i], len);
u8* str = url_encode_token(req->par.v[i], len, 0);
ASD(str);
ck_free(str);
}
@ -869,7 +870,9 @@ u8* build_request_data(struct http_request* req) {
ASD("Accept-Encoding: gzip\r\n");
ASD("Connection: keep-alive\r\n");
ASD("User-Agent: Mozilla/5.0 SF/" VERSION "\r\n");
if (!GET_HDR((u8*)"User-Agent", &req->par))
ASD("User-Agent: Mozilla/5.0 SF/" VERSION "\r\n");
/* Some servers will reject to gzip responses unless "Mozilla/..."
is seen in User-Agent. Bleh. */
@ -1017,14 +1020,14 @@ u8* build_request_data(struct http_request* req) {
if (pay_pos) ADD_STR_DATA(pay_buf, pay_pos, "&");
if (req->par.n[i]) {
u32 len = strlen((char*)req->par.n[i]);
u8* str = url_encode_token(req->par.n[i], len);
u8* str = url_encode_token(req->par.n[i], len, 0);
ADD_STR_DATA(pay_buf, pay_pos, str);
ADD_STR_DATA(pay_buf, pay_pos, "=");
ck_free(str);
}
if (req->par.v[i]) {
u32 len = strlen((char*)req->par.v[i]);
u8* str = url_encode_token(req->par.v[i], len);
u8* str = url_encode_token(req->par.v[i], len, 0);
ADD_STR_DATA(pay_buf, pay_pos, str);
ck_free(str);
}
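Review bot: The contract comment above url_encode_token (the context lines just before the new signature in the first hunk) does not describe the new `also_slash` parameter, and the same comment is carried over unchanged in the http_client.h section at the end of the page. From the encode loop, '/' is now percent-encoded only when `also_slash` is non-zero while the rest of the reserved set is always encoded; a sentence such as `/* If also_slash is non-zero, '/' is percent-encoded as well. */` would record that in both places. The serialize_path and build_request_data call sites pass bare `1`/`0`, which looks like a path-segment versus query/POST distinction but is not stated anywhere — a short comment at the first `1` call, or a named constant, would make the intent checkable. The bodies of url_encode_token, serialize_path and build_request_data all extend beyond the hunks shown.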


@ -285,7 +285,7 @@ u8* url_decode_token(u8* str, u32 len, u8 plus);
otherwise let pretty much everything else go through, as it may help with
the exploitation of certain vulnerabilities. */
u8* url_encode_token(u8* str, u32 len);
u8* url_encode_token(u8* str, u32 len, u8 also_slash);
/* Reconstructs URI from http_request data. Includes protocol and host
if with_host is non-zero. */