From 43a85fc645fbc88f7bb753018a0069558e432693 Mon Sep 17 00:00:00 2001
From: Christian Mehlmauer <FireFart@gmail.com>
Date: Fri, 9 May 2014 21:21:04 +0200
Subject: [PATCH] additional GET parameters

---
 modules/exploits/multi/http/struts_code_exec_parameters.rb | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/modules/exploits/multi/http/struts_code_exec_parameters.rb b/modules/exploits/multi/http/struts_code_exec_parameters.rb
index e78bf4d370..77ff5104d0 100644
--- a/modules/exploits/multi/http/struts_code_exec_parameters.rb
+++ b/modules/exploits/multi/http/struts_code_exec_parameters.rb
@@ -70,7 +70,7 @@ class Metasploit3 < Msf::Exploit::Remote
           OptString.new('PARAMETER',[ true, 'The parameter to perform injection against.','username']),
           OptString.new('TARGETURI', [ true, 'The path to a struts application action', '/blank-struts2/login.action']),
           OptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5]),
-          OptString.new('GET_PARAMETERS', [ false, 'Additional GET Parameters to send. Please supply in the format "param1=a&param2=b". Do not URL encode the Parameters, they are encoded before sending by the module.', nil]),
+          OptString.new('GET_PARAMETERS', [ false, 'Additional GET Parameters to send. Please supply in the format "param1=a&param2=b". Do apply URL encoding to the Parameters.', nil]),
     ], self.class)
   end
 
@@ -86,7 +86,9 @@ class Metasploit3 < Msf::Exploit::Remote
     splitted.each { |item|
       name, value = item.split('=')
       # no check here, value can be nil if parameter is &param
-      retval[name] = value
+      decoded_name = name ? Rex::Text::uri_decode(name) : nil
+      decoded_value = value ? Rex::Text::uri_decode(value) : nil
+      retval[decoded_name] = decoded_value
     }
     retval
   end