allow postdata using any allowed http verb

meprajjwal · May 28, 2018 · 769bef3 · 769bef3
1 parent fede146
commit 769bef3
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 19 deletions.
diff --git a/src/wfuzz/externals/reqresp/Request.py b/src/wfuzz/externals/reqresp/Request.py
@@ -62,7 +62,7 @@ def __init__(self):
 
                 self.time = None                  # 23:00:00
                 self.ip = None                    # 192.168.1.1
-                self.method = "GET"               # GET o POST (EN MAYUSCULAS SI PUEDE SER)
+                self._method = None
                 self.protocol = "HTTP/1.1"        # HTTP/1.1
                 self.__performHead = ""
                 self.__performBody = ""
@@ -83,13 +83,27 @@ def __init__(self):
 
                 self.totaltime = None
 
+        @property
+        def method(self):
+            if self._method is None:
+                return "POST" if self.postdata else "GET"
+
+            return self._method
+
+        @method.setter
+        def method(self, value):
+            if value == "None":
+                value = None
+
+            self._method = value
+
         def setFinalUrl(self, fu):
             self.__finalurl = fu
 
         def __str__(self):
                 str = "[ URL: %s" % (self.completeUrl)
-                if self.method == "POST":
-                        str += " - POST: \"%s\"" % self.postdata
+                if self.postdata:
+                        str += " - {}: \"{}\"".format(self.method, self.postdata)
                 if "Cookie" in self._headers:
                         str += " - COOKIE: \"%s\"" % self._headers["Cookie"]
                 str += " ]"
@@ -104,7 +118,7 @@ def getXML(self, obj):
                 url = obj.createElement("URL")
                 url.appendChild(obj.createTextNode(self.completeUrl))
                 r.appendChild(url)
-                if self.method == "POST":
+                if self.postdata:
                         pd = obj.createElement("PostData")
                         pd.appendChild(obj.createTextNode(self.postdata))
                         r.appendChild(pd)
@@ -191,7 +205,6 @@ def existPOSTVar(self, key):
                 return self.__variablesPOST.existsVar(key)
 
         def setVariablePOST(self, key, value):
-                self.method = "POST"
                 v = self.__variablesPOST.getVariable(key)
                 v.update(value)
 #               self._headers["Content-Length"] = str(len(self.postdata))
@@ -208,7 +221,6 @@ def getPOSTVars(self):
 
         def setPostData(self, pd, boundary=None):
                 self.__variablesPOST = VariablesSet()
-                self.method = "POST"
                 if self.ContentType == "application/x-www-form-urlencoded":
                         self.__variablesPOST.parseUrlEncoded(pd)
                 elif self.ContentType == "multipart/form-data":
@@ -321,7 +333,7 @@ def to_pycurl_object(c, req):
             else:
                 c.setopt(pycurl.CUSTOMREQUEST, req.method)
 
-            if req.method == "POST":
+            if req.postdata:
                 c.setopt(pycurl.POSTFIELDS, req.postdata)
 
             c.setopt(pycurl.FOLLOWLOCATION, 1 if req.followLocation else 0)
@@ -428,17 +440,16 @@ def parseRequest(self, rawRequest, prot="http"):
 
                 self.setUrl(prot + "://" + self._headers["Host"] + pathTMP)
 
-                if self.method.upper() == "POST":
-
-                        pd = ""
-                        while tp.readLine():
-                                pd += tp.lastFull_line
+                pd = ""
+                while tp.readLine():
+                        pd += tp.lastFull_line
 
-                        boundary = None
-                        if "Content-Type" in self._headers:
-                                values = self._headers["Content-Type"].split(";")
-                                self.ContentType = values[0].strip().lower()
-                                if self.ContentType == "multipart/form-data":
-                                        boundary = values[1].split("=")[1].strip()
+                if pd:
+                    boundary = None
+                    if "Content-Type" in self._headers:
+                            values = self._headers["Content-Type"].split(";")
+                            self.ContentType = values[0].strip().lower()
+                            if self.ContentType == "multipart/form-data":
+                                    boundary = values[1].split("=")[1].strip()
 
-                        self.setPostData(pd, boundary)
+                    self.setPostData(pd, boundary)
diff --git a/tests/test_acceptance.py b/tests/test_acceptance.py
@@ -39,6 +39,10 @@
 ]
 
 basic_tests = [
+    # postdata tests
+    # pycurl does not allow it ("test_get_postdata", "%s/FUZZ?var=1&var2=2" % HTTPBIN_URL, [["anything"]], dict(postdata='a=1', filter="content~'\"form\":{\"a\":\"1\"}'"), [(200, '/anything')], None),
+    ("test_allmethods_postdata", "%s/FUZZ?var=1&var2=2" % HTTPBIN_URL, [["anything"], ['PUT', 'POST', 'DELETE'], ['333888']], dict(method='FUZ2Z', postdata='a=FUZ3Z', filter="content~FUZ2Z and content~'\"form\":{\"a\":\"' and content~FUZ3Z"), [(200, '/anything')] * 3, None),
+
     # httpbin extra tests
     ("test_gzip", "%s/FUZZ" % HTTPBIN_URL, [["gzip"]], dict(filter="content~'\"gzipped\":true'"), [(200, '/gzip')], None),
     ("test_response_utf8", "%s/encoding/FUZZ" % HTTPBIN_URL, [["utf8"]], dict(), [(200, '/encoding/utf8')], None),