1.69b: parameter encoding, User-Agent, password fixes

- Minor improvements to parameter encoding, User-Agent controls.
  - Password detector improvement.
This commit is contained in:
Steve Pinkham 2010-10-01 00:00:03 -04:00
parent de39e6a7a3
commit 69e6c20648
6 changed files with 30 additions and 16 deletions


@ -1,3 +1,13 @@
Version 1.69b:
--------------
- Minor improvements to parameter encoding, User-Agent controls.
Version 1.68b:
--------------
- Password detector improvement.
Version 1.67b: Version 1.67b:
-------------- --------------


@ -20,7 +20,7 @@
# #
PROGNAME = skipfish PROGNAME = skipfish
VERSION = 1.67b VERSION = 1.69b
OBJFILES = http_client.c database.c crawler.c analysis.c report.c OBJFILES = http_client.c database.c crawler.c analysis.c report.c
INCFILES = alloc-inl.h string-inl.h debug.h types.h http_client.h \ INCFILES = alloc-inl.h string-inl.h debug.h types.h http_client.h \


@ -2354,11 +2354,12 @@ static void check_for_stuff(struct http_request* req,
(x - sniffbuf) < 64) x++; (x - sniffbuf) < 64) x++;
if (x != sniffbuf && *x == ':' && x[1] != '/' && x[1] != '.') { if (x != sniffbuf && *x == ':' && x[1] != '/' && x[1] != '.') {
x++; u8* start_x = ++x;
while (*x && (isalnum(*x) || strchr("./*!+=$", *x)) && while (*x && (isalnum(*x) || strchr("./*!+=$", *x)) &&
(x - sniffbuf) < 128) x++; (x - sniffbuf) < 128) x++;
if (*x == ':' || !*x || *x == '\r' || *x == '\n') if (*x == ':' || ((start_x != x) && (!*x || *x == '\r' || *x == '\n')))
problem(PROB_FILE_POI, req, res, (u8*) problem(PROB_FILE_POI, req, res, (u8*)
"Possible password file", req->pivot, 0); "Possible password file", req->pivot, 0);
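Review bot: The new `start_x != x` guard only covers the end-of-line alternatives, so a second field that is empty but followed by another ':' (e.g. `root::0:0:...`) still reports "Possible password file" while `name:` at end of line no longer does. If that asymmetry is deliberate (an empty password field is legal in passwd-style files, whereas a bare `word:` at end of line is a common false positive) it deserves a comment, since the expression is hard to read as intended. Suggest, above the `if`: `/* Require a non-empty second field unless it is itself ':'-terminated; "root::0:0:..." is a valid passwd line, "foo:" at EOL is not. */`. check_for_stuff begins and ends outside this hunk, so the surrounding bounds checks on sniffbuf were not reviewed.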


@ -34,7 +34,7 @@
/* Various default settings for HTTP client (cmdline override): */ /* Various default settings for HTTP client (cmdline override): */
#define MAX_CONNECTIONS 50 /* Simultaneous connection cap */ #define MAX_CONNECTIONS 40 /* Simultaneous connection cap */
#define MAX_CONN_HOST 10 /* Per-host connction cap */ #define MAX_CONN_HOST 10 /* Per-host connction cap */
#define MAX_REQUESTS 1e8 /* Total request count cap */ #define MAX_REQUESTS 1e8 /* Total request count cap */
#define MAX_FAIL 100 /* Max consecutive failed requests */ #define MAX_FAIL 100 /* Max consecutive failed requests */
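Review bot: MAX_CONNECTIONS is lowered from 50 to 40 here, but neither the commit title, the description nor the 1.69b ChangeLog entry mentions it, and the define carries no rationale; users who rely on the old default scan rate will see the change silently. The reason is not visible in this diff, so the comment should state it rather than guess, e.g. `#define MAX_CONNECTIONS 40 /* Simultaneous connection cap (lowered from 50 in 1.69b: <reason>) */`, and the ChangeLog should list the new default.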


@ -440,7 +440,7 @@ u8* url_decode_token(u8* str, u32 len, u8 plus) {
tokens. We otherwise let pretty much everything else go through, as it tokens. We otherwise let pretty much everything else go through, as it
may help with the exploitation of certain vulnerabilities. */ may help with the exploitation of certain vulnerabilities. */
u8* url_encode_token(u8* str, u32 len) { u8* url_encode_token(u8* str, u32 len, u8 also_slash) {
u8 *ret = ck_alloc(len * 3 + 1); u8 *ret = ck_alloc(len * 3 + 1);
u8 *src = str, *dst = ret; u8 *src = str, *dst = ret;
@ -448,7 +448,8 @@ u8* url_encode_token(u8* str, u32 len) {
while (len--) { while (len--) {
u8 c = *(src++); u8 c = *(src++);
if (c <= 0x20 || c >= 0x80 || strchr("#%&=/+;,!$?", c)) { if (c <= 0x20 || c >= 0x80 || strchr("#%&=+;,!$?", c) ||
(also_slash && c == '/')) {
if (c == 0xFF) c = 0; if (c == 0xFF) c = 0;
sprintf((char*)dst, "%%%02X", c); sprintf((char*)dst, "%%%02X", c);
dst += 3; dst += 3;
@ -666,13 +667,13 @@ u8* serialize_path(struct http_request* req, u8 with_host, u8 with_post) {
if (req->par.n[i]) { if (req->par.n[i]) {
u32 len = strlen((char*)req->par.n[i]); u32 len = strlen((char*)req->par.n[i]);
u8* str = url_encode_token(req->par.n[i], len); u8* str = url_encode_token(req->par.n[i], len, 1);
ASD(str); ASD("="); ASD(str); ASD("=");
ck_free(str); ck_free(str);
} }
if (req->par.v[i]) { if (req->par.v[i]) {
u32 len = strlen((char*)req->par.v[i]); u32 len = strlen((char*)req->par.v[i]);
u8* str = url_encode_token(req->par.v[i], len); u8* str = url_encode_token(req->par.v[i], len, 1);
ASD(str); ASD(str);
ck_free(str); ck_free(str);
} }
@ -699,13 +700,13 @@ u8* serialize_path(struct http_request* req, u8 with_host, u8 with_post) {
if (req->par.n[i]) { if (req->par.n[i]) {
u32 len = strlen((char*)req->par.n[i]); u32 len = strlen((char*)req->par.n[i]);
u8* str = url_encode_token(req->par.n[i], len); u8* str = url_encode_token(req->par.n[i], len, 0);
ASD(str); ASD("="); ASD(str); ASD("=");
ck_free(str); ck_free(str);
} }
if (req->par.v[i]) { if (req->par.v[i]) {
u32 len = strlen((char*)req->par.v[i]); u32 len = strlen((char*)req->par.v[i]);
u8* str = url_encode_token(req->par.v[i], len); u8* str = url_encode_token(req->par.v[i], len, 0);
ASD(str); ASD(str);
ck_free(str); ck_free(str);
} }
@ -725,13 +726,13 @@ u8* serialize_path(struct http_request* req, u8 with_host, u8 with_post) {
if (req->par.n[i]) { if (req->par.n[i]) {
u32 len = strlen((char*)req->par.n[i]); u32 len = strlen((char*)req->par.n[i]);
u8* str = url_encode_token(req->par.n[i], len); u8* str = url_encode_token(req->par.n[i], len, 0);
ASD(str); ASD("="); ASD(str); ASD("=");
ck_free(str); ck_free(str);
} }
if (req->par.v[i]) { if (req->par.v[i]) {
u32 len = strlen((char*)req->par.v[i]); u32 len = strlen((char*)req->par.v[i]);
u8* str = url_encode_token(req->par.v[i], len); u8* str = url_encode_token(req->par.v[i], len, 0);
ASD(str); ASD(str);
ck_free(str); ck_free(str);
} }
@ -869,7 +870,9 @@ u8* build_request_data(struct http_request* req) {
ASD("Accept-Encoding: gzip\r\n"); ASD("Accept-Encoding: gzip\r\n");
ASD("Connection: keep-alive\r\n"); ASD("Connection: keep-alive\r\n");
ASD("User-Agent: Mozilla/5.0 SF/" VERSION "\r\n");
if (!GET_HDR((u8*)"User-Agent", &req->par))
ASD("User-Agent: Mozilla/5.0 SF/" VERSION "\r\n");
/* Some servers will reject to gzip responses unless "Mozilla/..." /* Some servers will reject to gzip responses unless "Mozilla/..."
is seen in User-Agent. Bleh. */ is seen in User-Agent. Bleh. */
@ -1017,14 +1020,14 @@ u8* build_request_data(struct http_request* req) {
if (pay_pos) ADD_STR_DATA(pay_buf, pay_pos, "&"); if (pay_pos) ADD_STR_DATA(pay_buf, pay_pos, "&");
if (req->par.n[i]) { if (req->par.n[i]) {
u32 len = strlen((char*)req->par.n[i]); u32 len = strlen((char*)req->par.n[i]);
u8* str = url_encode_token(req->par.n[i], len); u8* str = url_encode_token(req->par.n[i], len, 0);
ADD_STR_DATA(pay_buf, pay_pos, str); ADD_STR_DATA(pay_buf, pay_pos, str);
ADD_STR_DATA(pay_buf, pay_pos, "="); ADD_STR_DATA(pay_buf, pay_pos, "=");
ck_free(str); ck_free(str);
} }
if (req->par.v[i]) { if (req->par.v[i]) {
u32 len = strlen((char*)req->par.v[i]); u32 len = strlen((char*)req->par.v[i]);
u8* str = url_encode_token(req->par.v[i], len); u8* str = url_encode_token(req->par.v[i], len, 0);
ADD_STR_DATA(pay_buf, pay_pos, str); ADD_STR_DATA(pay_buf, pay_pos, str);
ck_free(str); ck_free(str);
} }
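Review bot: In build_request_data the default User-Agent is now emitted only when `GET_HDR((u8*)"User-Agent", &req->par)` finds none, but the comment that follows still explains only why the default says "Mozilla/..."; a user who overrides the header is not told that doing so may cost gzip on servers that gate compression on that token. Suggest replacing the comment with: `/* Emit the default UA only if the caller did not supply one. Some servers refuse gzip unless "Mozilla/..." appears in User-Agent, so a custom UA may disable compression. */`. Separately, the check is only correct if GET_HDR matches header names case-insensitively (HTTP header names are); if it does a byte comparison, a user-supplied `user-agent:` would be sent alongside the default as a duplicate header — worth confirming against GET_HDR's definition, which is outside this hunk. build_request_data starts and ends outside the hunks shown.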


@ -285,7 +285,7 @@ u8* url_decode_token(u8* str, u32 len, u8 plus);
otherwise let pretty much everything else go through, as it may help with otherwise let pretty much everything else go through, as it may help with
the exploitation of certain vulnerabilities. */ the exploitation of certain vulnerabilities. */
u8* url_encode_token(u8* str, u32 len); u8* url_encode_token(u8* str, u32 len, u8 also_slash);
/* Reconstructs URI from http_request data. Includes protocol and host /* Reconstructs URI from http_request data. Includes protocol and host
if with_host is non-zero. */ if with_host is non-zero. */
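Review bot: The prototype gains `also_slash`, but the comment above it still describes the old fixed escape set and says nothing about '/', which is no longer percent-encoded unless the flag is set; a caller who remembers the old behaviour will emit raw slashes into path components. Add to the comment: `If also_slash is non-zero, '/' is percent-encoded as well; set it when serializing path segments (where a raw '/' would split the segment) and leave it zero for query and POST parameters.` That the first serialize_path hunk is the path-segment case is inferred from it passing 1 while the later hunks pass 0; the function's branch structure is not visible here, so confirm before wording the comment that way.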