diff --git a/lib/attacks/tamper_scripts/url_encode.py b/lib/attacks/tamper_scripts/url_encode.py index d4c88d7..32eee14 100644 --- a/lib/attacks/tamper_scripts/url_encode.py +++ b/lib/attacks/tamper_scripts/url_encode.py @@ -1,7 +1,7 @@ # coding=utf-8 -def tamper(payload, **kwargs): +def tamper(payload, safe="%&=-_", **kwargs): encodings = { " ": "%20", "!": "%21", '"': "%22", "#": "%23", "$": "%24", "%": "%25", "&": "%26", "'": "%27", "(": "%28", ")": "%29", "*": "%2A", "+": "%2B", ",": "%2C", "-": "%2D", ".": "%2E", "/": "%2F", @@ -35,8 +35,11 @@ def tamper(payload, **kwargs): if isinstance(payload, unicode): payload = str(payload) for char in payload: - try: - retval += encodings[char] - except KeyError: + if char not in safe: + try: + retval += encodings[char] + except KeyError: + retval += char + else: retval += char return retval