From b2eef12b15ef097cbf72f5c82d5562dadedf2b52 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sun, 9 Jun 2024 00:52:09 +0200 Subject: [PATCH] Fix JSON and headers for raw data --- core/requester.py | 40 +++++++++++++++++++++++++++++++--------- 1 file changed, 31 insertions(+), 9 deletions(-) diff --git a/core/requester.py b/core/requester.py index 6c3aab5..971e777 100644 --- a/core/requester.py +++ b/core/requester.py @@ -29,6 +29,9 @@ class Requester(object): # Parse headers for header in content[1:]: + if header == '': + # edge-case, when data is sent raw (json/xml) + break name, _, value = header.partition(': ') if not name or not value: continue @@ -75,16 +78,21 @@ class Requester(object): def do_request(self, param, value, timeout=3, stream=False): try: + # Debug information + logging.debug(f"Request param: {param}") + logging.debug(f"Request value: {value}") + logging.debug(f"Request timeout: {timeout}") + # Handle injection in the headers # Copying data to avoid multiple variables edit header_injected = self.headers.copy() - if param in self.headers: + if param in header_injected: header_injected[param] = value - print('inject in header') - print(header_injected) - + logging.debug("Request inject: Injecting payload in HTTP Header") + logging.debug(f"Request method: {self.method}") if self.method == "POST": + # Copying data to avoid multiple variables edit data_injected = self.data.copy() @@ -93,10 +101,13 @@ class Requester(object): # Handle JSON data if self.headers['Content-Type'] and "application/json" in self.headers['Content-Type']: + logging.debug("Request type: JSON") + logging.debug(f"Request data: {data_injected}") + r = requests.post( self.protocol + "://" + self.host + self.action, - headers=header_injected, - json=data_injected, + data=json.dumps(data_injected), + headers=self.headers, timeout=timeout, stream=stream, verify=False, 
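Review bot: The new `if header == '':` guard in the header-parsing loop only stops at a separator that is exactly the empty string. If the request file has CRLF line endings and `content` comes from splitting on `\n` (the split is outside this hunk, so this is an assumption), the blank line arrives as `'\r'` and body lines such as `{"a": "b"}` are still parsed as headers. `if header.strip() == '':` would cover both cases. The comment could also say that everything after the first blank line is the request body rather than "edge-case". The loop body continues outside the hunk.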
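Review bot: The added `logging.debug(f"...")` calls at the top of do_request build their message eagerly and write the payload verbatim. The logging module's lazy form, `logging.debug("Request value: %s", value)`, skips the formatting when debug output is disabled. The later hunks log the whole request body the same way (`Request data: ...`), and that body originates from the captured request, so it may carry credentials or tokens; debug logs from a run should be treated as sensitive. do_request starts and ends outside this hunk.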
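Review bot: The JSON branch now passes `headers=self.headers` where it used to pass `headers=header_injected`, so when `param` names a header the payload written into `header_injected` is never sent. The preceding hunk still logs "Injecting payload in HTTP Header" for that case. The XML branch in the next hunk makes the same switch, while the form branch keeps `header_injected`. Unless dropping header injection for JSON and XML bodies is intended, both calls should keep `headers=header_injected,`. The patch also starts using `json.dumps` without touching the import block, so it is worth confirming that `import json` is already present in core/requester.py.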
@@ -105,16 +116,20 @@ class Requester(object): # Handle XML data elif self.headers['Content-Type'] and "application/xml" in self.headers['Content-Type']: + logging.debug("Request type: XML") + if "*FUZZ*" in data_injected['__xml__']: + logging.debug("Request inject: XML parameter") # replace the injection point with the payload data_xml = data_injected['__xml__'] data_xml = data_xml.replace('*FUZZ*', value) + logging.debug(f"Request data: {data_xml}") r = requests.post( - self.protocol + "://" + self.host + self.action, - headers=header_injected, + self.protocol + "://" + self.host + self.action, data=data_xml, + headers=self.headers, timeout=timeout, stream=stream, verify=False, @@ -127,7 +142,12 @@ class Requester(object): # Handle FORM data else: - if param == '': data_injected = value + if param == '': + logging.debug("Request inject: POST raw data") + data_injected = value + else: + logging.debug("Request inject: POST parameter") + r = requests.post( self.protocol + "://" + self.host + self.action, headers=header_injected, @@ -142,6 +162,8 @@ class Requester(object): logging.error("No injection point found ! (use -p)") exit(1) else: + logging.debug("Request inject: GET parameter") + # String is immutable, we don't have to do a "forced" copy regex = re.compile(param+"=([^&]+)") value = urllib.parse.quote(value, safe='')
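Review bot: `re.compile(param+"=([^&]+)")` on the GET path builds the pattern from the raw parameter name, so a name containing regex metacharacters (brackets or a dot, for example) matches the wrong text or raises `re.error`. `regex = re.compile(re.escape(param) + "=([^&]+)")` keeps the name literal. This line is unchanged context in the hunk, and the rest of the branch lies outside it.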