adding switch --skip-urlencode to skip URL encoding of POST data

stamparm · stamparm · commit c39461074053 · 2012-05-24T23:30:33.000Z
diff --git a/lib/core/optiondict.py b/lib/core/optiondict.py
@@ -48,6 +48,7 @@
                                "scope":             "string",
                                "safUrl":            "string",
                                "saFreq":            "integer",
+                               "skipUrlEncode":     "boolean",
                                "evalCode":          "string"
                              },
 
diff --git a/lib/parse/cmdline.py b/lib/parse/cmdline.py
@@ -149,6 +149,10 @@ def cmdLineParser():
         request.add_option("--safe-freq", dest="saFreq", type="int",
                            help="Test requests between two visits to a given safe url")
 
+        request.add_option("--skip-urlencode", dest="skipUrlEncode",
+                           action="store_true",
+                           help="Skip URL encoding of POST data")
+
         request.add_option("--eval", dest="evalCode",
                            help="Evaluate provided Python code before the request (e.g. \"import hashlib;id2=hashlib.md5(id).hexdigest()\")")
 
diff --git a/lib/request/connect.py b/lib/request/connect.py
@@ -559,7 +559,7 @@ def queryPage(value=None, place=None, content=False, getRatioValue=False, silent
                 # addendum: as we support url encoding in tampering
                 # functions therefore we need to use % as a safe char
                 if place != PLACE.URI or (value and payload and '?' in value and value.find('?') < value.find(payload)):
-                    payload = urlencode(payload, '%', False, True)
+                    payload = urlencode(payload, '%', False, True) if not place == PLACE.POST and conf.skipUrlEncode else payload
                     value = agent.replacePayload(value, payload)
 
             elif place == PLACE.SOAP:
@@ -653,9 +653,9 @@ def _randomizeParameter(paramString, randomParameter):
                             get += "%s%s=%s" % (delimiter, name, value)
 
         get = urlencode(get, limit=True)
-        if post and place != PLACE.POST and hasattr(post, UNENCODED_ORIGINAL_VALUE):
+        if post and place not in (PLACE.POST, PLACE.SOAP) and hasattr(post, UNENCODED_ORIGINAL_VALUE):
             post = getattr(post, UNENCODED_ORIGINAL_VALUE)
-        else:
+        elif not conf.skipUrlEncode and place not in (PLACE.SOAP,):
             post = urlencode(post)
 
         if timeBasedCompare:
diff --git a/sqlmap.conf b/sqlmap.conf
@@ -138,6 +138,10 @@ safUrl =
 # Default: 0
 saFreq = 0
 
+# Skip URL encoding of POST data
+# Valid: True or False
+skipUrlEncode = False
+
 # Evaluate provided Python code before the request.
 # Example: import hashlib;id2=hashlib.md5(id).hexdigest()
 evalCode = 
