Hi all.
Apologies, and big thanks to Ahmed Shawky <ah...@is...> for
pointing to this problem.
If you had FALSE negatives for URL parameters whose original values
contained URL-encoded data, you have probably encountered this bug.
Basically, we were improperly URL-encoding payloads together with the
original parameter values, potentially leading to DOUBLE URL encoding
of the original parameter values (especially the case for multi-word
string values).
Example:
Original:
name=John%20Smith
Improper injection payload (notice the double URL encoding %25%20):
name=John%25%20Smith%20AND%201%3D1
Now it should be fixed, but feel free to report "strange" behavior.
The only strange thing is that nobody has noticed this until now :)
KR
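The mechanics behind the bug described in the mail, as an added example that is not part of the original post or of the tool's code: the buggy path concatenates the payload onto the already-encoded original value and encodes the whole string again, so the literal "%" of "%20" itself becomes "%25". The fixed path decodes the original value once, appends the payload, and encodes once. `server_side_view` shows what a server that decodes once actually receives in each case, which is why the double-encoded request produced false negatives: the baseline value the server saw was no longer "John Smith". `is_double_encoded` is a hypothetical heuristic check (not from the original) that flags a value which still contains %XX sequences after one decoding pass; a parameter that legitimately carries a literal percent-escape would also trip it, so treat it as a hint, not proof. The query string and payload are constructed from the values in the post.

```python
import re
from urllib.parse import parse_qsl, quote, unquote

# Constructed sample input, taken from the values quoted in the post.
ORIGINAL_QUERY = "name=John%20Smith"
PAYLOAD = " AND 1=1"

PERCENT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def inject_improper(query: str, payload: str) -> str:
    """Reproduce the shape of the bug: the original value is still URL-encoded
    when the payload is appended, and the result is URL-encoded again.
    The '%' of the original '%20' becomes '%25', giving '%2520'."""
    key, _, value = query.partition("=")
    return f"{key}={quote(value + payload)}"


def inject_proper(query: str, payload: str) -> str:
    """Fixed behaviour: decode the original value exactly once, append the
    payload to the plain value, then encode the combined value exactly once."""
    key, _, value = query.partition("=")
    return f"{key}={quote(unquote(value) + payload)}"


def server_side_view(query: str) -> dict:
    """What a typical server sees after one decoding pass over the query string.
    For the double-encoded request the literal text '%20' reaches the
    application instead of a space, so the injected value no longer
    starts with the real original value 'John Smith'."""
    return dict(parse_qsl(query, keep_blank_values=True))


def is_double_encoded(encoded_value: str) -> bool:
    """Hypothetical heuristic (assumption, not from the original post):
    after one decoding pass a correctly single-encoded value should contain
    no further %XX escapes. A remaining escape suggests double encoding.
    Values that legitimately carry a literal '%XX' will be flagged too."""
    return PERCENT_ESCAPE.search(unquote(encoded_value)) is not None


if __name__ == "__main__":
    for label, fn in (("improper", inject_improper), ("proper", inject_proper)):
        injected = fn(ORIGINAL_QUERY, PAYLOAD)
        seen = server_side_view(injected)["name"]
        flagged = is_double_encoded(injected.partition("=")[2])
        print(f"{label:9s} request: {injected}")
        print(f"{label:9s} server sees name={seen!r}, double-encoded: {flagged}")
```

Running the block prints the two requests side by side; only the improper one is flagged, and only the proper one reaches the server as "John Smith AND 1=1".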