fix: XML body truncation in scan requests

- Remove Content-Length header to let sqlmap auto-calculate

- Use binary mode ('wb') for writing request files on Windows

- Normalize body line endings to avoid \\r\\n duplication

- Replace manual JSON string building with Gson/PayloadBuilder in Burp plugins

Author: lanshuizhiyue

src/backEnd/model/Task.py

@@ -277,13 +277,17 @@ def _generate_request_file_name(self):
     def _build_raw_http_request(self):
         """
         根据headers和body构建HTTP原始报文
-        格式:
-        POST /path HTTP/1.1
-        Host: example.com
-        Header1: Value1
-        ...
-        
+        格式（使用标准HTTP换行符 \\r\\n）:
+        POST /path HTTP/1.1\\r\\n
+        Host: example.com\\r\\n
+        Header1: Value1\\r\\n
+        \\r\\n
         body_content
+        
+        注意：
+        - 移除 Content-Length 头，让 sqlmap 根据实际 body 长度自动计算
+        - body 中的换行符统一规范化为 \\n（避免 \\r\\n 被重复转换）
+        - 使用 \\r\\n 作为 HTTP 标准行分隔符
         """
         # 解析URL获取请求路径
         parsed_url = urlparse(self.scanUrl)
@@ -297,11 +301,15 @@ def _build_raw_http_request(self):
         # 构建请求行
         request_line = f"{method} {path} HTTP/1.1"
 
-        # 构建headers部分
+        # 构建headers部分（移除 Content-Length，让 sqlmap 自动计算）
         headers_list = []
         if self.headers:
             for header in self.headers:
                 if header and ":" in header:
+                    # 跳过 Content-Length，由 sqlmap 根据实际 body 重新计算
+                    if header.lower().startswith("content-length:"):
+                        logger.debug(f"[{self.taskid}] Removing Content-Length header, sqlmap will recalculate")
+                        continue
                     # 如果启用了randomAgent，跳过原始User-Agent头
                     # 让SQLMap的_setHTTPUserAgent()添加随机UA
                     if self.options.randomAgent and header.lower().startswith("user-agent:"):
@@ -319,15 +327,21 @@ def _build_raw_http_request(self):
             if host:
                 headers_list.insert(0, f"Host: {host}")
 
-        # 组装完整报文
-        raw_request = request_line + "\n"
-        raw_request += "\n".join(headers_list)
+        # 规范化 body 中的换行符：统一为 \n，避免混合换行符导致字节数不一致
+        body = self.body
+        if body:
+            body = body.replace("\r\n", "\n").replace("\r", "\n")
+        
+        # 使用 \r\n 作为 HTTP 标准行分隔符组装报文
+        CRLF = "\r\n"
+        raw_request = request_line + CRLF
+        raw_request += CRLF.join(headers_list)
 
         # 如果有body，添加空行和body
-        if self.body:
-            raw_request += "\n\n" + self.body
+        if body:
+            raw_request += CRLF + CRLF + body
         else:
-            raw_request += "\n\n"
+            raw_request += CRLF + CRLF
 
         return raw_request
 
@@ -351,9 +365,10 @@ def _create_request_file(self):
         # 构建原始HTTP报文
         raw_request = self._build_raw_http_request()
 
-        # 写入文件
-        with open(file_path, 'w', encoding='utf-8') as f:
-            f.write(raw_request)
+        # 使用二进制模式写入，避免 Windows 文本模式自动将 \n 转换为 \r\n
+        # 导致 body 字节数与 Content-Length 不匹配（XML 等多行 body 的截断根因）
+        with open(file_path, 'wb') as f:
+            f.write(raw_request.encode('utf-8'))
 
         logger.info(f"[{self.taskid}] Created HTTP request file: {file_path}")
         logger.debug(f"[{self.taskid}] HTTP request content:\n{raw_request}")

src/burpEx/legacy-api/src/main/java/com/sqlmapwebui/burp/BurpExtender.java

@@ -8,6 +8,9 @@
 import com.sqlmapwebui.burp.util.TitleRule;
 import com.sqlmapwebui.burp.util.TitleExtractor;
 
+import com.google.gson.Gson;
+import com.google.gson.JsonObject;
+
 import javax.swing.*;
 import java.awt.*;
 import java.nio.charset.StandardCharsets;
@@ -378,29 +381,7 @@ private void sendRequestToBackend(IHttpRequestResponse requestResponse, ScanConf
                 body = new String(request, bodyOffset, request.length - bodyOffset, StandardCharsets.UTF_8);
             }
 
-            StringBuilder headersJson = new StringBuilder("[");
-            for (int i = 0; i < headers.size(); i++) {
-                headersJson.append("\"").append(JsonUtils.escapeJson(headers.get(i))).append("\"");
-                if (i < headers.size() - 1) headersJson.append(",");
-            }
-            headersJson.append("]");
-            
             Map<String, Object> options = config.toOptionsMap();
-            StringBuilder optionsJson = new StringBuilder("{");
-            boolean first = true;
-            for (Map.Entry<String, Object> entry : options.entrySet()) {
-                if (!first) optionsJson.append(",");
-                first = false;
-                optionsJson.append("\"").append(entry.getKey()).append("\":");
-                if (entry.getValue() instanceof String) {
-                    optionsJson.append("\"").append(JsonUtils.escapeJson((String)entry.getValue())).append("\"");
-                } else if (entry.getValue() instanceof Boolean) {
-                    optionsJson.append(entry.getValue());
-                } else {
-                    optionsJson.append(entry.getValue());
-                }
-            }
-            optionsJson.append("}");
 
             // 提取HTTP方法（从headers的第一行）
             String method = "GET";
@@ -411,15 +392,17 @@ private void sendRequestToBackend(IHttpRequestResponse requestResponse, ScanConf
                 }
             }
 
-            String jsonPayload = String.format(
-                "{\"scanUrl\":\"%s\",\"host\":\"%s\",\"method\":\"%s\",\"headers\":%s,\"body\":\"%s\",\"options\":%s}",
-                JsonUtils.escapeJson(url),
-                JsonUtils.escapeJson(requestInfo.getUrl().getHost()),
-                JsonUtils.escapeJson(method),
-                headersJson.toString(),
-                JsonUtils.escapeJson(body),
-                optionsJson.toString()
-            );
+            // 使用 Gson 构建 JSON，避免手动拼接导致 XML 等特殊字符转义不完备
+            Gson gson = new Gson();
+            JsonObject payload = new JsonObject();
+            payload.addProperty("scanUrl", url);
+            payload.addProperty("host", requestInfo.getUrl().getHost());
+            payload.addProperty("method", method);
+            payload.add("headers", gson.toJsonTree(headers));
+            payload.addProperty("body", body);
+            payload.add("options", gson.toJsonTree(options));
+            
+            String jsonPayload = gson.toJson(payload);
 
             new Thread(() -> {
                 try {

src/burpEx/legacy-api/src/main/java/com/sqlmapwebui/burp/dialogs/InjectionPointDialog.java

@@ -6,6 +6,9 @@
 import com.sqlmapwebui.burp.SqlmapApiClient;
 import com.sqlmapwebui.burp.SqlmapUITab;
 
+import com.google.gson.Gson;
+import com.google.gson.JsonObject;
+
 import javax.swing.*;
 import java.awt.*;
 import java.io.PrintWriter;
@@ -194,38 +197,26 @@ private void sendMarkedRequestToBackend(IHttpRequestResponse requestResponse, St
             ScanConfig config = configManager.getDefaultConfig().copy();
             Map<String, Object> options = config.toOptionsMap();
 
-            // 构建JSON
-            StringBuilder headersJson = new StringBuilder("[");
-            for (int i = 0; i < headersList.size(); i++) {
-                headersJson.append("\"").append(JsonUtils.escapeJson(headersList.get(i))).append("\"");
-                if (i < headersList.size() - 1) headersJson.append(",");
-            }
-            headersJson.append("]");
-            
-            StringBuilder optionsJson = new StringBuilder("{");
-            boolean first = true;
-            for (Map.Entry<String, Object> entry : options.entrySet()) {
-                if (!first) optionsJson.append(",");
-                first = false;
-                optionsJson.append("\"").append(entry.getKey()).append("\":");
-                if (entry.getValue() instanceof String) {
-                    optionsJson.append("\"").append(JsonUtils.escapeJson((String)entry.getValue())).append("\"");
-                } else if (entry.getValue() instanceof Boolean) {
-                    optionsJson.append(entry.getValue());
-                } else {
-                    optionsJson.append(entry.getValue());
+            // 提取HTTP方法（从headers的第一行）
+            String method = "GET";
+            if (!headersList.isEmpty()) {
+                String firstHeader = headersList.get(0);
+                if (firstHeader != null && firstHeader.contains(" ")) {
+                    method = firstHeader.substring(0, firstHeader.indexOf(" "));
                 }
             }
-            optionsJson.append("}");
 
-            String jsonPayload = String.format(
-                "{\"scanUrl\":\"%s\",\"host\":\"%s\",\"headers\":%s,\"body\":\"%s\",\"options\":%s}",
-                JsonUtils.escapeJson(url),
-                JsonUtils.escapeJson(host),
-                headersJson.toString(),
-                JsonUtils.escapeJson(body),
-                optionsJson.toString()
-            );
+            // 使用 Gson 构建 JSON，避免手动拼接导致特殊字符转义不完备
+            Gson gson = new Gson();
+            JsonObject payload = new JsonObject();
+            payload.addProperty("scanUrl", url);
+            payload.addProperty("host", host);
+            payload.addProperty("method", method);
+            payload.add("headers", gson.toJsonTree(headersList));
+            payload.addProperty("body", body);
+            payload.add("options", gson.toJsonTree(options));
+            
+            String jsonPayload = gson.toJson(payload);
 
             long markCount = markedRequestText.chars().filter(ch -> ch == '*').count();
 

src/burpEx/montoya-api/src/main/java/com/sqlmapwebui/burp/dialogs/InjectionPointDialog.java

@@ -8,6 +8,7 @@
 import com.sqlmapwebui.burp.ScanConfig;
 import com.sqlmapwebui.burp.SqlmapApiClient;
 import com.sqlmapwebui.burp.SqlmapUITab;
+import com.sqlmapwebui.burp.util.PayloadBuilder;
 
 import javax.swing.*;
 import java.awt.*;
@@ -194,37 +195,18 @@ private void sendMarkedRequestToBackend(HttpRequest originalRequest, String mark
             ScanConfig config = configManager.getDefaultConfig().copy();
             Map<String, Object> options = config.toOptionsMap();
 
-            // 构建JSON
-            StringBuilder headersJson = new StringBuilder("[");
-            for (int i = 0; i < headersList.size(); i++) {
-                headersJson.append("\"").append(JsonUtils.escapeJson(headersList.get(i))).append("\"");
-                if (i < headersList.size() - 1) headersJson.append(",");
-            }
-            headersJson.append("]");
-            
-            StringBuilder optionsJson = new StringBuilder("{");
-            boolean first = true;
-            for (Map.Entry<String, Object> entry : options.entrySet()) {
-                if (!first) optionsJson.append(",");
-                first = false;
-                optionsJson.append("\"").append(entry.getKey()).append("\":");
-                if (entry.getValue() instanceof String) {
-                    optionsJson.append("\"").append(JsonUtils.escapeJson((String)entry.getValue())).append("\"");
-                } else if (entry.getValue() instanceof Boolean) {
-                    optionsJson.append(entry.getValue());
-                } else {
-                    optionsJson.append(entry.getValue());
+            // 提取HTTP方法（从headers的第一行）
+            String method = "GET";
+            if (!headersList.isEmpty()) {
+                String firstHeader = headersList.get(0);
+                if (firstHeader != null && firstHeader.contains(" ")) {
+                    method = firstHeader.substring(0, firstHeader.indexOf(" "));
                 }
             }
-            optionsJson.append("}");
 
-            String jsonPayload = String.format(
-                "{\"scanUrl\":\"%s\",\"host\":\"%s\",\"headers\":%s,\"body\":\"%s\",\"options\":%s}",
-                JsonUtils.escapeJson(url),
-                JsonUtils.escapeJson(host),
-                headersJson.toString(),
-                JsonUtils.escapeJson(body),
-                optionsJson.toString()
+            // 使用 PayloadBuilder 构建 JSON，避免手动拼接导致特殊字符转义不完备
+            String jsonPayload = PayloadBuilder.buildTaskPayload(
+                url, host, method, headersList, body, options
             );
 
             long markCount = markedRequestText.chars().filter(ch -> ch == '*').count();