Description
Describe the bug
On the rare occasion that I need to use sqlmap to deal with multipart POST requests, I found that it does not correctly replace the original value in payloads that expect replacement of the original value "in place", e.g. Boolean-based blind - Parameter replace (CASE - original value).
I have a proposed fix after tracing through the code but due to the complexity of the code and the convergence of multipart handling with other complex POSTs such as JSON, XML, I am not submitting a patch proposal but rather at least a fix that I was able to confirm will resolve the issue I was facing with a multipart payload and replacement of the original value.
I made the change below in/around line 137 of agent.py:
        else:
            _ = extractRegexResult(r"(?s)(?P<result>[^\s<>{}();'\"&]+\Z)", origValue) or ""
            # PJM origValue = _.split('=', 1)[1] if '=' in _ else ""
            origValue = _.split('=', 1)[1] if '=' in _ else _
    elif place == PLACE.CUSTOM_HEADER:

Basically, if the regex field value can't be split on the = character, use the value that was extracted (_) rather than an empty string.
To Reproduce
- Save the attached file as multipart.txt
- Run the following command:

    python -u sqlmap.py -r multipart.txt -p person --test-filter "Boolean-based blind - Parameter replace (original value)" --skip-waf --skip-heuristics
Note this is being POSTed to Burp Collaborator; you can POST to whatever site you like to record the generated payload. We can see that the original value is not correctly replaced with the contents of the payload, and the [ORIGVALUE] placeholder in the payload does not contain the original value; instead we see the following:
----------------------d74496d66958873e
Content-Disposition: form-data; name="person"
anonymous(SELECT (CASE WHEN (8177=8416) THEN '' ELSE (SELECT 8416 UNION SELECT 6176) END))
Note that this is not specific to this test and will occur with any test defined with <where>3</where>.
Expected behavior
I would expect to see the payload as follows, with the payload replacing the original value, and the [ORIGVALUE] placeholder replaced with the original value anonymous:
----------------------d74496d66958873e
Content-Disposition: form-data; name="person"
(SELECT (CASE WHEN (8177=8416) THEN 'anonymous' ELSE (SELECT 8416 UNION SELECT 6176) END))
Note that if we submit the same request as a form POST (non-multipart) we see the expected behavior. This issue occurs only with multipart form POST and only with payloads that involve replacement of the original value. This issue is reproducible on Windows or Unix and was tested with 3.5 and 3.6 versions of sqlmap.
Screenshots
N/A
Running environment:
- sqlmap version: 1.6#stable, 1.6.6.3#dev
- Installation method: zip, git
- Operating system: this occurs both on Windows and Linux
- Python version: 3.8.11
Target details:
N/A (this is not a target-specific issue)
Additional context
I have confirmed that the code change suggested corrects this behavior. I hope this report is sufficiently detailed and look forward to any other contributions I can make.
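The extraction logic quoted in the report, run over two constructed field values as an added Python illustration. This is not sqlmap's own code: extract_regex_result is a local stand-in for sqlmap's extractRegexResult helper, the multipart and urlencoded field contents are constructed to mirror the request excerpts above, and the plain string substitution of [ORIGVALUE] is an assumption about how the placeholder is filled. It shows why the multipart case yields an empty original value before the change and the bare field value after it, while the form-encoded case behaves the same either way.

```python
import re

# Local stand-in for sqlmap's extractRegexResult helper (assumption: it returns the
# named group "result" of the first match, or None when nothing matches).
def extract_regex_result(regex: str, content: str):
    match = re.search(regex, content)
    return match.group("result") if match else None

# The regex quoted in the report: the trailing run of characters that are neither
# whitespace nor one of the listed delimiters, anchored to the end of the string.
ORIGVALUE_REGEX = r"(?s)(?P<result>[^\s<>{}();'\"&]+\Z)"

def orig_value_before_fix(orig_value: str) -> str:
    """Behaviour the report describes as buggy: no '=' in the match -> empty string."""
    _ = extract_regex_result(ORIGVALUE_REGEX, orig_value) or ""
    return _.split('=', 1)[1] if '=' in _ else ""

def orig_value_after_fix(orig_value: str) -> str:
    """Behaviour with the report's proposed change: fall back to the matched text."""
    _ = extract_regex_result(ORIGVALUE_REGEX, orig_value) or ""
    return _.split('=', 1)[1] if '=' in _ else _

def render_payload(template: str, orig_value: str) -> str:
    """Fill the [ORIGVALUE] placeholder (assumption: plain string replacement)."""
    return template.replace("[ORIGVALUE]", orig_value)

# Constructed inputs modelled on the report. The multipart field has no "name=value"
# shape: only the part header block followed by the bare value.
MULTIPART_FIELD = 'Content-Disposition: form-data; name="person"\r\n\r\nanonymous'
URLENCODED_FIELD = "person=anonymous"
# Constructed template mirroring the "Parameter replace (original value)" test payload.
TEMPLATE = ("(SELECT (CASE WHEN (8177=8416) THEN '[ORIGVALUE]' "
            "ELSE (SELECT 8416 UNION SELECT 6176) END))")

def compare(field: str) -> dict:
    """Return what the placeholder resolves to before and after the change."""
    return {
        "before": render_payload(TEMPLATE, orig_value_before_fix(field)),
        "after": render_payload(TEMPLATE, orig_value_after_fix(field)),
    }

if __name__ == "__main__":
    for label, field in (("multipart", MULTIPART_FIELD), ("urlencoded", URLENCODED_FIELD)):
        result = compare(field)
        print(f"{label} before fix: {result['before']}")
        print(f"{label} after fix:  {result['after']}")
```

Running the block prints the rendered payload for each field shape; the multipart row reproduces the empty quotes from the report's observed output before the change and the expected 'anonymous' after it.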