Make XML/HTML encoding in SOAP requests optional (#6015)

Co-authored-by: soffensive <soffensive>

Author: soffensive

lib/core/optiondict.py

@@ -63,6 +63,7 @@
         "safeReqFile": "string",
         "safeFreq": "integer",
         "skipUrlEncode": "boolean",
+        "skipXmlEncode": "boolean",
         "csrfToken": "string",
         "csrfUrl": "string",
         "csrfMethod": "string",

lib/parse/cmdline.py

@@ -276,6 +276,9 @@ def cmdLineParser(argv=None):
         request.add_argument("--skip-urlencode", dest="skipUrlEncode", action="store_true",
             help="Skip URL encoding of payload data")
 
+        request.add_argument("--skip-xml-encode", dest="skipXmlEncode", action="store_true",
+            help="Skip HTML encoding of payload data for SOAP/XML")
+
         request.add_argument("--csrf-token", dest="csrfToken",
             help="Parameter used to hold anti-CSRF token")
 

lib/request/connect.py

@@ -1116,7 +1116,7 @@ def queryPage(value=None, place=None, content=False, getRatioValue=False, silent
             logger.log(CUSTOM_LOGGING.PAYLOAD, safecharencode(payload.replace('\\', BOUNDARY_BACKSLASH_MARKER)).replace(BOUNDARY_BACKSLASH_MARKER, '\\'))
 
             if place == PLACE.CUSTOM_POST and kb.postHint:
-                if kb.postHint in (POST_HINT.SOAP, POST_HINT.XML):
+                if kb.postHint in (POST_HINT.SOAP, POST_HINT.XML) and not conf.skipXmlEncode:
                     # payloads in SOAP/XML should have chars > and < replaced
                     # with their HTML encoded counterparts
                     payload = payload.replace("&#", SAFE_HEX_MARKER)

sqlmap.conf

@@ -198,6 +198,10 @@ safeFreq = 0
 # Valid: True or False
 skipUrlEncode = False
 
+# Skip HTML encoding of payload data for SOAP/XML.
+# Valid: True or False
+skipXmlEncode = False
+
 # Parameter used to hold anti-CSRF token.
 csrfToken =