
Incorrect payload location marking in Multipart forms

Open rohitkumarankam opened this issue 2 years ago • 1 comments

Describe the bug

Currently sqlmap is trying to mark all fields in multipart forms, which leads to corruption of file contents.

This is dumped by adding print(conf.data) after line 229 of /lib/core/target.py:

--AaB03x
Content-Disposition: form-data; name="submit-name"

Larry*
--AaB03x
Content-Disposition: form-data; name="files"; filename="file1.txt"
Content-Type: text/plain

... contents of file1.txt ...*
--AaB03x
Content-Disposition: form-data; name="test-name"

IDK*
--AaB03x
Content-Disposition: form-data; name="files"
Content-Type: multipart/mixed; boundary=BbC04y
*
--BbC04y
Content-Disposition: file; filename="file1.txt"
Content-Type: text/plain

... contents of file1.txt ...*
--BbC04y
Content-Disposition: file; filename="file2.gif"
Content-Type: image/gif
Content-Transfer-Encoding: binary

...contents of file2.gif...*
--BbC04y--
--AaB03x--

Test file: multipart-test.req.txt. The test file is based on the multipart/form-data spec.

To Reproduce

  1. Run 'sqlmap -r multipart-test.req.txt'

Expected behavior

Ideally it should only mark the submit-name and test-name fields of the attached test file.

--AaB03x
Content-Disposition: form-data; name="submit-name"

Larry*
--AaB03x
Content-Disposition: form-data; name="files"; filename="file1.txt"
Content-Type: text/plain

... contents of file1.txt ...
--AaB03x
Content-Disposition: form-data; name="test-name"

IDK*
--AaB03x
Content-Disposition: form-data; name="files"
Content-Type: multipart/mixed; boundary=BbC04y

--BbC04y
Content-Disposition: file; filename="file1.txt"
Content-Type: text/plain

... contents of file1.txt ...
--BbC04y
Content-Disposition: file; filename="file2.gif"
Content-Type: image/gif
Content-Transfer-Encoding: binary

...contents of file2.gif...
--BbC04y--
--AaB03x--

Running environment:

  • sqlmap version: 1.8.1.2#dev
  • Installation method: git
  • Operating system: macOS 14.2.1 23C71 arm64
  • Python version: 3.9.6

rohitkumarankam, Jan 10 '24 11:01

That's been a bug for years.

mastercho, Jan 14 '24 01:01

To resolve this issue, modify the logic within sqlmap to specifically target and mark only text-based form fields (like submit-name and test-name), leaving file contents untouched.

Sample Patch:

Here's a conceptual patch suggestion to handle marking:

# Example patch for target.py around line 229
def mark_text_fields(form_data, boundary="AaB03x"):
    """Append sqlmap's '*' marker only to non-file fields. The boundary must be the one
    from the request's Content-Type header (hardcoded here, as in the original sketch)."""
    delimiter = "--" + boundary
    parts = form_data.split(delimiter)        # parts[0] is the preamble, parts[-1] the closing "--"
    for i, part in enumerate(parts[1:-1], start=1):
        headers, sep, value = part.partition("\n\n")
        # skip parts that carry a filename and nested multipart/mixed bodies
        if sep and "filename=" not in headers and "multipart/" not in headers:
            parts[i] = headers + sep + value.rstrip("\n") + "*\n"
    return delimiter.join(parts)

conf.data = mark_text_fields(conf.data)

This patch ensures only non-file fields are marked, preventing file content corruption. Further testing and refinement would be required to integrate and verify this patch within the sqlmap codebase.

tr4m0ryp, Jul 20 '24 23:07
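A fuller version of the same idea, added here as an example that is neither sqlmap's code nor the commenter's patch: it takes the boundary from the Content-Type value instead of hardcoding it, recurses into nested multipart/mixed parts with their own boundary, accepts CRLF as well as LF, and copies every part that carries a filename byte-for-byte. SAMPLE_BODY is a constructed body shaped after the test file quoted in the issue.

```python
import re

# Constructed sample body, shaped after the multipart-test.req.txt quoted in the issue.
SAMPLE_BODY = (
    '--AaB03x\nContent-Disposition: form-data; name="submit-name"\n\nLarry\n'
    '--AaB03x\nContent-Disposition: form-data; name="files"; filename="file1.txt"\n'
    'Content-Type: text/plain\n\n... contents of file1.txt ...\n'
    '--AaB03x\nContent-Disposition: form-data; name="test-name"\n\nIDK\n'
    '--AaB03x\nContent-Disposition: form-data; name="files"\n'
    'Content-Type: multipart/mixed; boundary=BbC04y\n\n'
    '--BbC04y\nContent-Disposition: file; filename="file1.txt"\n'
    'Content-Type: text/plain\n\n... contents of file1.txt ...\n'
    '--BbC04y\nContent-Disposition: file; filename="file2.gif"\n'
    'Content-Type: image/gif\nContent-Transfer-Encoding: binary\n\n'
    '...contents of file2.gif...\n--BbC04y--\n--AaB03x--\n'
)

# boundary parameter of a multipart Content-Type (outer request header or a nested part header)
BOUNDARY_RE = re.compile(r'multipart/[\w.+-]+;.*?boundary="?([^";\s]+)', re.I)
FILENAME_RE = re.compile(r'\bfilename\*?=', re.I)

def boundary_from_content_type(content_type):
    """Return the boundary from a multipart Content-Type header value."""
    match = BOUNDARY_RE.search(content_type)
    if not match:
        raise ValueError("not a multipart Content-Type: %r" % content_type)
    return match.group(1)

def mark_text_fields(body, boundary, marker="*"):
    """Append marker to the value of every plain (non-file) field. Nested multipart/mixed
    parts are walked with their own boundary; parts with a filename are left untouched."""
    delim = "--" + boundary
    chunks = body.split(delim)               # chunks[0] = preamble, chunks[-1] = closing "--" + epilogue
    for i, part in enumerate(chunks[1:-1], start=1):
        sep = "\r\n\r\n" if "\r\n\r\n" in part else "\n\n"   # header/body separator, CRLF or LF
        headers, found, value = part.partition(sep)
        if not found:
            continue                          # no header/body split: leave the part as it is
        nested = BOUNDARY_RE.search(headers)
        if nested:
            value = mark_text_fields(value, nested.group(1), marker)
        elif not FILENAME_RE.search(headers):
            text = value.rstrip("\r\n")       # keep the line break that precedes the next boundary
            value = text + marker + value[len(text):]
        chunks[i] = headers + found + value
    return delim.join(chunks)
```

Run against SAMPLE_BODY with boundary AaB03x, only Larry and IDK gain the marker; both file bodies and the nested multipart/mixed section come back unchanged.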