Fixes #1065

Author: stasinopoulos

src/core/injections/controller/controller.py

@@ -119,7 +119,9 @@ def heuristic_request(url, http_request_method, check_parameter, payload, whites
       settings.USER_DEFINED_POST_DATA = checks.remove_tags(settings.USER_DEFINED_POST_DATA)
       data = settings.USER_DEFINED_POST_DATA.encode(settings.DEFAULT_CODEC)
   if settings.INJECT_TAG in url:
-    tmp_url = checks.process_injectable_value(payload, url)
+    # Encode query string, preserving delimiters and configured parameter delimiter
+    encoded_payload = _urllib.parse.quote(payload, safe=settings.SAFE_QUERY)
+    tmp_url = checks.process_injectable_value(encoded_payload, url)
   else:
     tmp_url = checks.remove_tags(tmp_url)
     url = checks.remove_tags(url)

src/core/requests/headers.py

@@ -49,9 +49,9 @@ def encode_non_ascii_url(request):
   url = request.get_full_url()
   parts = _urllib.parse.urlsplit(url)
   # Encode path, preserving '/', '*', and '%' to avoid over-encoding
-  path = _urllib.parse.quote(parts.path, safe="*%/")
+  path = _urllib.parse.quote(parts.path, safe=settings.SAFE_PATH)
   # Encode query string, preserving delimiters and configured parameter delimiter
-  query = _urllib.parse.quote(parts.query, safe="*=?/%" + settings.URL_PARAM_DELIMITER)
+  query = _urllib.parse.quote(parts.query, safe=settings.SAFE_QUERY + settings.URL_PARAM_DELIMITER)
   # Reconstruct the full URL with encoded path and query
   request.full_url = _urllib.parse.urlunsplit((parts.scheme, parts.netloc, path, query, parts.fragment))
 

src/utils/settings.py

@@ -261,7 +261,7 @@ def sys_argv_errors():
 DESCRIPTION = "The command injection exploiter"
 AUTHOR  = "Anastasios Stasinopoulos"
 VERSION_NUM = "4.1"
-REVISION = "117"
+REVISION = "118"
 STABLE_RELEASE = False
 VERSION = "v"
 if STABLE_RELEASE:
@@ -321,6 +321,11 @@ def sys_argv_errors():
 VALUE_BOUNDARIES = r'[\\/](.+?)[\\/]'
 INJECT_INSIDE_BOUNDARIES = None
 
+ # Safe characters to keep unescaped in URL paths
+SAFE_PATH = "*%/"
+  # Safe characters to keep unescaped in query strings
+SAFE_QUERY = SAFE_PATH + "=?"
+
 # Default (windows) target host's python interpreter
 WIN_PYTHON_INTERPRETER = "python.exe"
 WIN_CUSTOM_PYTHON_INTERPRETER = "C:\\Python27\\python.exe"
@@ -1390,5 +1395,4 @@ class END_LINE:
 USE_PCRE_E_MODIFIER = None
 PCRE_MODIFIER = "/e"
 
-
 # eof