  • updated code quality, fixed #25 (No params found issue), also fixed #26 (not detecting the mark properly)

  • r0oth3x49 committed 1 year ago
    095b2abf
    1 parent a6e41d7e
  • ■ ■ ■ ■ ■
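--- a/ghauri/common/utils.py
+++ b/ghauri/common/utils.py
@@ -1086,6 +1086,13 @@
 injection_type=injection_type,
 is_multipart=is_multipart,
 )
+value = urlencode(
+value=value,
+safe="/=*?&:;,+",
+decode_first=True,
+injection_type=injection_type,
+is_multipart=is_multipart,
+)
 if encode and not is_json:
 payload = urlencode(
 value=payload,
@@ -1094,7 +1101,11 @@
 is_multipart=is_multipart,
 )
 key_to_split_by = urldecode(key)
-if injection_type in ["GET", "POST", "COOKIE", "HEADER"] and "*" in key_to_split_by:
+if (
+injection_type in ["GET", "POST", "COOKIE", "HEADER"]
+and "*" in key_to_split_by
+and key_to_split_by != "#1*"
+):
 init, last = text.split(key_to_split_by)
 key_new = key_to_split_by.replace("*", "")
 prepared_payload = f"{init}{key_new}{payload}{last}"
@@ -1104,7 +1115,7 @@
 else:
 key = re.escape(key)
 value = re.escape(value)
-REGEX_GET_POST_COOKIE_INJECTION = r"(?is)(?:((?:\?| |&)%s)(=)(%s))" % (
+REGEX_GET_POST_COOKIE_INJECTION = r"(?is)(?:((?:\?| |&)?%s)(=)(%s))" % (
 f"{'' if injection_type == 'GET' else '?'}{key}",
 value,
 )
@@ -1210,6 +1221,7 @@
 prepared_payload = re.sub(
 REGEX_MULTIPART_INJECTION, "\\1\\2\\3%s\\4" % (payload), text
 )
+logger.debug(f"prepared payload: {prepared_payload}")
 return prepared_payload
 
 
@@ -1443,14 +1455,15 @@
 # logger.debug(f"type: {_type}, param: {entry}")
 if value and "*" in value:
 custom_injection_in.append(_type)
-if key and "*" in key:
+if key and "*" in key and key != "#1*":
 custom_injection_in.append(_type)
 _temp = InjectionPoints(
-custom_injection_in=custom_injection_in,
+custom_injection_in=list(set(custom_injection_in)),
 injection_points=_injection_points,
 is_multipart=is_multipart,
 is_json=is_json,
 )
+logger.debug(_temp)
 return _temp
 
 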
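Review bot: In the `REGEX_GET_POST_COOKIE_INJECTION` hunk, the newly added `?` after `(?:\?| |&)` stacks with the `'?'` that the f-string on the next line already prepends for every non-GET type, so for POST, COOKIE and HEADER the pattern now contains `(?:\?| |&)??`, a lazy quantifier that looks unintended. With the delimiter optional for GET as well, the escaped key is no longer anchored to a parameter boundary and can match as the tail of a longer name (a key `id` inside `uid=...` carrying the same value), so the substitution may land on a different parameter than the one selected. I would drop the conditional prefix and spell the boundary out, e.g. `r"(?is)(?:((?:^|\?| |&)%s)(=)(%s))" % (key, value)`, which also covers a parameter at the very start of the text and keeps the group numbering. The enclosing function and the `re.sub` that consumes this pattern lie outside the visible lines, so the replacement string should be checked against the final pattern.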