1.69b: parameter encoding, User-Agent, password fixes
- Minor improvements to parameter encoding, User-Agent controls. - Password detector improvement.
parent
de39e6a7a3
commit
69e6c20648
10
ChangeLog
10
ChangeLog
|
@ -1,3 +1,13 @@
|
|||
Version 1.69b:
|
||||
--------------
|
||||
|
||||
- Minor improvements to parameter encoding, User-Agent controls.
|
||||
|
||||
Version 1.68b:
|
||||
--------------
|
||||
|
||||
- Password detector improvement.
|
||||
|
||||
Version 1.67b:
|
||||
--------------
|
||||
|
||||
|
|
2
Makefile
2
Makefile
|
@ -20,7 +20,7 @@
|
|||
#
|
||||
|
||||
PROGNAME = skipfish
|
||||
VERSION = 1.67b
|
||||
VERSION = 1.69b
|
||||
|
||||
OBJFILES = http_client.c database.c crawler.c analysis.c report.c
|
||||
INCFILES = alloc-inl.h string-inl.h debug.h types.h http_client.h \
|
||||
|
|
|
@ -2354,11 +2354,12 @@ static void check_for_stuff(struct http_request* req,
|
|||
(x - sniffbuf) < 64) x++;
|
||||
|
||||
if (x != sniffbuf && *x == ':' && x[1] != '/' && x[1] != '.') {
|
||||
x++;
|
||||
u8* start_x = ++x;
|
||||
|
||||
while (*x && (isalnum(*x) || strchr("./*!+=$", *x)) &&
|
||||
(x - sniffbuf) < 128) x++;
|
||||
|
||||
if (*x == ':' || !*x || *x == '\r' || *x == '\n')
|
||||
if (*x == ':' || ((start_x != x) && (!*x || *x == '\r' || *x == '\n')))
|
||||
problem(PROB_FILE_POI, req, res, (u8*)
|
||||
"Possible password file", req->pivot, 0);
|
||||
|
||||
|
|
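Review bot: The changed `if` now requires a non-empty second field before end-of-line (`start_x != x`) while the `*x == ':'` branch still fires with an empty field, and nothing in the hunk records why the two cases are treated differently. A one-line comment would keep the heuristic maintainable, e.g. `/* A bare "name:" at end of line is too common in ordinary text to count; require a second field unless another ':' follows. */` placed above the condition. The enclosing check_for_stuff body starts and ends outside this hunk, and the file this hunk belongs to is not shown on the page.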
2
config.h
2
config.h
|
@ -34,7 +34,7 @@
|
|||
|
||||
/* Various default settings for HTTP client (cmdline override): */
|
||||
|
||||
#define MAX_CONNECTIONS 50 /* Simultaneous connection cap */
|
||||
#define MAX_CONNECTIONS 40 /* Simultaneous connection cap */
|
||||
#define MAX_CONN_HOST 10 /* Per-host connction cap */
|
||||
#define MAX_REQUESTS 1e8 /* Total request count cap */
|
||||
#define MAX_FAIL 100 /* Max consecutive failed requests */
|
||||
|
|
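Review bot: MAX_CONNECTIONS drops from 50 to 40 here, but neither the commit message nor the new 1.69b ChangeLog entry mentions it, and the diffstat shows it is the only change in config.h, so a reader comparing scan throughput between versions will not find the cause. A ChangeLog line such as `- Default connection cap lowered to 40 (MAX_CONNECTIONS).` or a brief why-comment on the define would close that gap. The neighbouring context line still reads `Per-host connction cap`; not introduced here, but worth fixing while in the file.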
|
@ -440,7 +440,7 @@ u8* url_decode_token(u8* str, u32 len, u8 plus) {
|
|||
tokens. We otherwise let pretty much everything else go through, as it
|
||||
may help with the exploitation of certain vulnerabilities. */
|
||||
|
||||
u8* url_encode_token(u8* str, u32 len) {
|
||||
u8* url_encode_token(u8* str, u32 len, u8 also_slash) {
|
||||
|
||||
u8 *ret = ck_alloc(len * 3 + 1);
|
||||
u8 *src = str, *dst = ret;
|
||||
|
@ -448,7 +448,8 @@ u8* url_encode_token(u8* str, u32 len) {
|
|||
while (len--) {
|
||||
u8 c = *(src++);
|
||||
|
||||
if (c <= 0x20 || c >= 0x80 || strchr("#%&=/+;,!$?", c)) {
|
||||
if (c <= 0x20 || c >= 0x80 || strchr("#%&=+;,!$?", c) ||
|
||||
(also_slash && c == '/')) {
|
||||
if (c == 0xFF) c = 0;
|
||||
sprintf((char*)dst, "%%%02X", c);
|
||||
dst += 3;
|
||||
|
@ -666,13 +667,13 @@ u8* serialize_path(struct http_request* req, u8 with_host, u8 with_post) {
|
|||
|
||||
if (req->par.n[i]) {
|
||||
u32 len = strlen((char*)req->par.n[i]);
|
||||
u8* str = url_encode_token(req->par.n[i], len);
|
||||
u8* str = url_encode_token(req->par.n[i], len, 1);
|
||||
ASD(str); ASD("=");
|
||||
ck_free(str);
|
||||
}
|
||||
if (req->par.v[i]) {
|
||||
u32 len = strlen((char*)req->par.v[i]);
|
||||
u8* str = url_encode_token(req->par.v[i], len);
|
||||
u8* str = url_encode_token(req->par.v[i], len, 1);
|
||||
ASD(str);
|
||||
ck_free(str);
|
||||
}
|
||||
|
@ -699,13 +700,13 @@ u8* serialize_path(struct http_request* req, u8 with_host, u8 with_post) {
|
|||
|
||||
if (req->par.n[i]) {
|
||||
u32 len = strlen((char*)req->par.n[i]);
|
||||
u8* str = url_encode_token(req->par.n[i], len);
|
||||
u8* str = url_encode_token(req->par.n[i], len, 0);
|
||||
ASD(str); ASD("=");
|
||||
ck_free(str);
|
||||
}
|
||||
if (req->par.v[i]) {
|
||||
u32 len = strlen((char*)req->par.v[i]);
|
||||
u8* str = url_encode_token(req->par.v[i], len);
|
||||
u8* str = url_encode_token(req->par.v[i], len, 0);
|
||||
ASD(str);
|
||||
ck_free(str);
|
||||
}
|
||||
|
@ -725,13 +726,13 @@ u8* serialize_path(struct http_request* req, u8 with_host, u8 with_post) {
|
|||
|
||||
if (req->par.n[i]) {
|
||||
u32 len = strlen((char*)req->par.n[i]);
|
||||
u8* str = url_encode_token(req->par.n[i], len);
|
||||
u8* str = url_encode_token(req->par.n[i], len, 0);
|
||||
ASD(str); ASD("=");
|
||||
ck_free(str);
|
||||
}
|
||||
if (req->par.v[i]) {
|
||||
u32 len = strlen((char*)req->par.v[i]);
|
||||
u8* str = url_encode_token(req->par.v[i], len);
|
||||
u8* str = url_encode_token(req->par.v[i], len, 0);
|
||||
ASD(str);
|
||||
ck_free(str);
|
||||
}
|
||||
|
@ -869,7 +870,9 @@ u8* build_request_data(struct http_request* req) {
|
|||
|
||||
ASD("Accept-Encoding: gzip\r\n");
|
||||
ASD("Connection: keep-alive\r\n");
|
||||
ASD("User-Agent: Mozilla/5.0 SF/" VERSION "\r\n");
|
||||
|
||||
if (!GET_HDR((u8*)"User-Agent", &req->par))
|
||||
ASD("User-Agent: Mozilla/5.0 SF/" VERSION "\r\n");
|
||||
|
||||
/* Some servers will reject to gzip responses unless "Mozilla/..."
|
||||
is seen in User-Agent. Bleh. */
|
||||
|
@ -1017,14 +1020,14 @@ u8* build_request_data(struct http_request* req) {
|
|||
if (pay_pos) ADD_STR_DATA(pay_buf, pay_pos, "&");
|
||||
if (req->par.n[i]) {
|
||||
u32 len = strlen((char*)req->par.n[i]);
|
||||
u8* str = url_encode_token(req->par.n[i], len);
|
||||
u8* str = url_encode_token(req->par.n[i], len, 0);
|
||||
ADD_STR_DATA(pay_buf, pay_pos, str);
|
||||
ADD_STR_DATA(pay_buf, pay_pos, "=");
|
||||
ck_free(str);
|
||||
}
|
||||
if (req->par.v[i]) {
|
||||
u32 len = strlen((char*)req->par.v[i]);
|
||||
u8* str = url_encode_token(req->par.v[i], len);
|
||||
u8* str = url_encode_token(req->par.v[i], len, 0);
|
||||
ADD_STR_DATA(pay_buf, pay_pos, str);
|
||||
ck_free(str);
|
||||
}
|
||||
|
|
|
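Review bot: The comment kept as context right after the new conditional (`Some servers will reject to gzip responses unless "Mozilla/..." is seen in User-Agent`) now describes only the default branch: when GET_HDR finds a caller-supplied User-Agent, the built-in `Mozilla/5.0 SF/` string is skipped and that gzip workaround no longer applies, yet the comment does not say so. Suggest extending it with `/* If the user supplies their own User-Agent, this workaround is bypassed and gzip may be declined. */`. The url_encode_token call sites in the later hunks pass `also_slash` as 1 in the first serialize_path loop and 0 everywhere else, which looks intentional, but the function comment left as context in the first hunk ("We otherwise let pretty much everything else go through") is unchanged and does not mention that `/` is now conditional. build_request_data and serialize_path both continue outside these hunks.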
@ -285,7 +285,7 @@ u8* url_decode_token(u8* str, u32 len, u8 plus);
|
|||
otherwise let pretty much everything else go through, as it may help with
|
||||
the exploitation of certain vulnerabilities. */
|
||||
|
||||
u8* url_encode_token(u8* str, u32 len);
|
||||
u8* url_encode_token(u8* str, u32 len, u8 also_slash);
|
||||
|
||||
/* Reconstructs URI from http_request data. Includes protocol and host
|
||||
if with_host is non-zero. */
|
||||
|
|
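Review bot: The prototype gains `also_slash`, but the comment above it still says the function lets "pretty much everything else go through" with no word on what the new flag does, and the visible callers in http_client.c pass 1 in one serialize_path loop (presumably the path-segment one) and 0 for the query and POST loops, so the contract deserves a sentence here. Suggest `/* also_slash: when non-zero, '/' is percent-encoded too (for path segments); query and POST values leave it literal. */` immediately above the prototype, and the same sentence before the definition in http_client.c. The parameter is a u8 used as a boolean, which matches the `plus` flag on url_decode_token in the context above.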