
URL Encoding resulting in false negatives #67

Closed
kildonan5 opened this issue Jun 27, 2018 · 2 comments


What's the problem (or question)?

NoSQLMap does URL encoding of parameters, including the =, which causes unexpected behavior (false negatives) when running vulnerability checks in some applications. For example, in an application I am currently pen testing, if I do a query in a browser with the target param blank, such as:
https://url/program.py?Param=
every possible row is returned (essentially no filter is applied, so everything is selected).
If I provide a non-existent value, such as
https://url/program.py?Param=xxx
no rows are returned, since there are no matching records (as expected).

Choosing a 3 (random) character test string, this is the URL that NoSQLMap requests (substituting xxx with the 3 character string):
https://url/program.py?Param%3Dxxx
In this application all rows are returned for the baseline, because the %3D (encoded "=") is not properly handled. It's unclear to me what is at fault here (the web server? the application itself?), but it's clear the app does not behave as expected when the request URLs are encoded. I believe this may have worked before the function "urllib.quote_plus" was introduced to the nsmweb.py file, but I hadn't tried this tool prior to this week.

Do you have an idea for a solution?

I modified line 968 of nsmweb.py from:
uriArray[x]=split_uri[0]+"?"+urllib.quote_plus(uriArray[x][:-1])
to:
uriArray[x]=split_uri[0]+"?"+uriArray[x][:-1]

This resolved the issue for me and the false negatives disappeared.

How can we reproduce the issue?

It's unclear to me what is at fault in my scenario. It is probably the application (the Python script) not properly handling URL encoding, in which case you would need to set up an app that tries to read the URL parameters as "raw" strings.

What are the running context details?

NoSQLMap v0.7 (I pulled from git this week).


kildonan5 commented Jun 27, 2018

From some further testing, actually, the URL encoding is still necessary, otherwise the injection just results in stack traces. The issue is the = can't be URL encoded (that's what's causing the issue).

