cisagov / log4j-scanner

log4j-scanner is a project derived from other members of the open-source community by CISA to help organizations identify potentially vulnerable web services affected by the log4j vulnerabilities.

Payload for the URL is always encoded, not matching script output #26

Closed johndoe2293022490 closed 1 year ago

johndoe2293022490 commented 2 years ago

🐛 Summary

The URL is encoded by the Requests library. Only URL-encoded attacks on the URI are being sent to the target(s), which is leading to false negatives.

I believe this is unexpected behavior, and the payload is intended to be sent via the URL as output by the script (not encoded). However, it is possible unencoded characters would just lead to more dropped packets, so it may be best to include both.

To reproduce

Steps to reproduce the behavior:

  1. Capture the traffic when executing the script and observe the HTTP requests. These do not match the output provided in the script due to how the Requests library functions.

Expected behavior

Expected behavior would send a request containing the exact payload printed by the script. A function such as urllib.request.urlopen() is able to deliver the payload properly in the URL.

Any helpful log output or screenshots

The following code was added to send a non-urlencoded request.

```python
from urllib import parse as urlparse, request
from termcolor import cprint  # colour-print helper used by the scanner script (assumed import)

...

print("sending a payload using a different library...")
cprint(f"[•] URL: {url} | PAYLOAD: {payload}", "cyan")
# urllib/http.client send the request target verbatim, so '{' and '}' reach the target unencoded
request.urlopen(url + "?v=" + payload)
```

This was added to the end of the script to compare over Wireshark.

[screenshot: CISA script output]

[screenshot: Wireshark capture]

In this instance within a lab environment, the current script was not able to successfully attack a known vulnerable version due to this. Once modified to deliver the payload as printed, the attack was successful.

genericcontributor commented 2 years ago

Thank you for bringing this issue up!

We're going to discuss internally.

Maybe we send both URL encoded and non-encoded payloads at the target? This would cover the two use-cases but also increase request counts in large scale scans. Thoughts?

fujibearly commented 2 years ago

Make it an option, so large scale scans can exclude it as needed? --skip-unencoded-requests