Apache Mod Rewrite with flexible parameters - apache

i've a problem with apache mod rewrite, I need to generate a SEF query with flexible parameters
example:
www.myname.com/category.php?p1=itemname&p2=categoryname&p3=color&p4=size
or
www.myname.com/category.php?p1=itemname&p3=color
or
www.myname.com/category.php?p3=color&p4=size
the combinations are always different.
how I can do it dynamically?
I started with:
RewriteRule ^search/([^/]+)-([^/]+)-([^/]+)$ category.php?p1=$1&p2=$2&p3=$3&p4=$4
Thank You!!

It's not possible to build a regexp that matches in the flexible way you want.
I see some alternatives:
You could assing a position to earch parameter in the url, something like:
http://www.myname.com/param1-param2-param3-param4
BUT in the absence of one of the parameters, the separator char should still apear in the url:
http://www.myname.com/--color-size
this, in my opinion the url is UGLY
You can evaluate the use of URL path params, take a look at what every developer should know about url encoding
with this alternative the url could be something like:
http://www.myname.com/item;name=xxx;category=yyy;color=zzz
I do not know how search engines would consider this urls, but I imagine that it's SEF.

Related

JMeter - get value from href

I am load testing an application that has a link that looks like this:
https://example.com/myapp/table?qid=1434e99d-5b7c-4e74-b64e-c24e9564514d&rsid=5c94ddc7-e2e4-4e69-8547-49572486f4d1
I need to get the dynamic value of the rsid so I can use it later in my script.
So far I have tried using the regex extractor and I am probably doing it wrong.
I have tried things like:
name = myvar
regular expression = rsid=(.*?) # didnt work
regular expression = <a href=".*?rsid=(.*?)"> # didnt work
Template = $1$
I have one extractor set up to get the csrf value and that one works as expected but that is also because the csrf value is in the page source.
The above link is NOT in the page source as far as I can see but it DOES show up when I inspect the link. I dont know if that is obfuscation or something else?
How can I extract the value of the rsid? Is the regular expression extractor the right one to use for this?
Should I be using something else?
Is it just a formula issue?
Thanks in advance.
Try something like:
rsid=[0-9A-Fa-f\-]{36}
the above regular expression should match a GUID-like structure and your rsid seems to be an instance of it.
Demo:
Also be aware of the Boundary Extractor, it's sufficient to specify "left" and "right" boundaries and it will extract everything in-between. In general coming up with "boundaries" is much easier than creating a regular expression, it's more readable and JMeter processes the Boundary Extractors much faster. More information: The Boundary Extractor vs. the Regular Expression Extractor in JMeter

SQL injection on clean url

I would like to test my website for SQL injection using sqlmap. I'm using mod_rewrite and my URL looks like this:
http://www.example.com/forum/&nav_page=1
(where nav_page is the parameter name and 1 is value)
The problem I'm having is that I can't find a way to tell sqlmap to perform the injection test just on the value.
The URL also not contain the ? sign because it's SEO friendly.
Your ideas of seo-frienliness are quite vague. It is not symbols that make an url look "seo-friendly". It's technology that doesn't involve parameter names and values.
So, you have to decide either you are using query string parameters or not.
If not - make your urls real seo-friendly. like http://www.example.com/forum/nav_page1/
If you still want to use query string variables - then use them properly, using ? mark to define a query string.

(mod) Rewriting Out of Order Parameters

Is it possible to re-write parameters that are not always in the same order in a URL?
For example, we might have a url like
/products/type/animal/id/123456
But it could also appear as:
/products/id/ab123456/type/animal
Using a mod rewrite statement like
/products[.html?]?(?:/id/([^/])?)/?(?:/type/([^/])?)/? "products.html?id=$1&type=$2" [L, NC]
works fine for the the first example but of course fails for the second. Is there anyway around this?
EDIT:There are multiple key/value pairs (perhaps 7 or 8) so it would not be possible to use a universal /([^/]+)/?/([^/]+)/ type regex.
Just write multiple rules that match each of the possible source orderings!

Change Url using Regex

I have url, for example:
http://i.myhost.com/myimage.jpg
I want to change this url to
http://i.myhost.com/myimageD.jpg.
(Add D after image name and before point)
i.e I want add some words after image name and before point using regex.
What is the best way do it using regex?
Try using ^(.*)\.([a-zA-Z]{3,5}) and replacing with \1D\2. I'm assuming the extension is 3-5 alphanumeric numbers but you can modify it to suit. E.g. if it's just jpg images then you can put that instead of the [a-zA-Z]{3,5}.
Sounds like a homework question given the solution must use a regex, on that assumption here is an outline to get you going.
If all you have is a URL then #mathematical.coffee's solution will suit. However if you have a chunk of text within which is one or more URLs and you have to locate and change just those then you'll need something a little more involved.
Look at the structure of a URL: {protocol}{address}{item}; where
{protocol} is "http://", "ftp://" etc.;
{address} is a name, e.g. "www.google.com", or a number, e.g. "74.125.237.116" - there will always be at least one dot in the address; and
{item} is "/name" where name is quite flexible - there will be zero or more items, you can think of them as directories and a file but this isn't strictly true. Also the sequence of items can end in a "/" (including when there are zero of them).
To make a regex which matches a URL start by matching each part. In the case of the items you'll want to match the last in the sequence separately - you'll have zero or more "directories" and one "file", the latter must be of the form "name.extension".
Once you have regexes for each part you just concatenate them to produce a regex for the whole. To form the replacement pattern you can surround parts of your regex with parentheses and refer to those parts using \number in the replacement string - see #mathematical.coffee's solution for an example.
The best way to learn regexs is to use an editor which supports them and just experiment. The exact syntax may not be the same as NSRegularExpression but they are mostly pretty similar for the basic stuff and you can translate from one to another easily.

Apache mod_rewrite %2B and plus (+) signs

I'm using apache / mod_rewrite to re-write URLs but I am having problems with the plus sign.
With the following rule..
RewriteRule ^/(.+[^/])/?$ http://localhost:8080/app/home?tag=$1 [P,L]
Both:
http://localhost/1+1 and http://localhost/1%2B2
end up as
uri=http://localhost:8080/app/home, args=tag=1+2
So in both cases the application translates the plus sign into a space so it cannot differentiate between spaces and plus signs anymore.
If I use the "B" flag, then in both cases the + signs are translated into %2B and the application ends up with the same problem but reversed (both spaces and plus signs are plus signs)
Is there a way to get apache to properly escape %2B into a plus sign and not a space?
I read something about mod_security but I am not using that so I am not sure if there is some other security mechanism that is causing this?
Any help would be greatly appreciated!
No, this isn't quite the same as the referenced question. The problem here is specifically plus signs and the answer to Apache: mod_rewrite: Spcaes & Special Characters in URL not working doesn't address that.
There's also an issue with slashes, for which see http://httpd.apache.org/docs/current/mod/core.html#allowencodedslashes
(but you do need access to the Apache config to do this - .htaccess won't do).
In fact it is impossible to do using a rewrite rule alone. Apache decodes the URL before putting it through rewrite, but it doesn't understand plus signs: http://example.com/a+b.html wouldn't deliver a file called
"a b.html".
The plus signs are decoded by PHP into the $_GET array (or whatever the relevant language mechanism is) for query strings, because form handlers in browsers put them in. So Apache will translate %2B to + before applying the rewrite, and leave + itself alone, meaning you can't tell the difference.
Of course, one could argue that + used as space is simply invalid in such URLs and one should use only %20. However, if you don't have control over generating them, you're bound to see them. Browsers won't generate them automatically though.
The answer is DIY, and in many ways it is more predictable and simpler:
RewriteRule .* index.php [L]
Hence everything turns into index.php and there's no attempt to construct a query string. If you want to exclude certain patterns, e.g. those with slashes in, or where an explicit file does exist, the obvious amendments apply. e.g.
RewriteCond %{REQUEST_FILENAME} !-f
Then in index.php
$uri = substr($_SERVER['REQUEST_URI'], 1); // remove leading slash
$qmpos = strpos($uri, '?'); // is there a question mark, if so where
if ($qmpos !== FALSE) { $uri = substr($uri, 0, $qmpos); } // only the bit before q.m.
$decoded = urldecode($uri); // decode the part before the URL
if (! empty($decoded)) { $_GET['args'] = $decoded; } // add result to $_GET
That decodes the original request (excluding the leading slash - would be slightly different if you're deeper down a hierarchy, but the principle is the same - and excluding any additional query string), and decodes the args parameter according to PHP's normal rules and puts it into $_GET so you can process it along with the rest of the $_GET query string parameters in the usual way.
I believe this should work for empty URLs (http://example.com/) or those which only have a query string (http://example.com/?foo=1), as well as the simple case (http://example.com/bar) and the case with a query string as well (http://example.com/bar?foo=1). No doubt similar approaches will work for other languages.
In your particular case, you actually don't want the pluses decoded in the PHP at all. That's fine, use rawurldecode instead, which doesn't do pluses.