
Commit 162d01a

committed
commit of all sorts (bug fix for heuristics and URI injections, fine tuning of tampering modules with SQL keywords,...)
1 parent cf73d9c commit 162d01a

8 files changed

Lines changed: 328 additions & 23 deletions


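--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -38,6 +38,7 @@
 from lib.core.common import showStaticWords
 from lib.core.common import DynamicContentItem
 from lib.core.convert import md5hash
+from lib.core.convert import urlencode
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
@@ -105,9 +106,6 @@ def heuristicCheckSqlInjection(place, parameter, value):
 prefix = ""
 postfix = ""
 
-if place == "URI":
-return
-
 if conf.prefix or conf.postfix:
 if conf.prefix:
 prefix = conf.prefix
@@ -116,9 +114,11 @@ def heuristicCheckSqlInjection(place, parameter, value):
 postfix = conf.postfix
 
 payload = "%s%s%s" % (prefix, randomStr(length=10, alphabet=['"', '\'', ')', '(']), postfix)
+if place == "URI":
+payload = conf.paramDict[place][parameter].replace('*', payload)
 Request.queryPage(payload, place)
 result = kb.lastErrorPage and kb.lastErrorPage[0]==kb.lastRequestUID
-infoMsg = "heuristics show that %s parameter '%s' is " % (place, parameter)
+infoMsg = "(error based) heuristics show that %s parameter '%s' is " % (place, parameter)
 if result:
 infoMsg += "injectable"
 logger.info(infoMsg)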
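Review bot: For the URI place the probe is built with `conf.paramDict[place][parameter].replace('*', payload)`, which silently leaves the stored URI unchanged when it carries no `*` marker; the heuristic then sends the untouched request and logs a verdict as if the random quote/paren payload had actually been injected. Unless the caller guarantees the marker is present (not visible in this hunk), guard it before building the payload: `if place == "URI" and '*' not in conf.paramDict[place][parameter]: return`. The newly imported `urlencode` is not used in any visible hunk of this file; if the URI payload is meant to be encoded before `Request.queryPage`, apply it here, otherwise the import is dead. heuristicCheckSqlInjection continues outside the hunk.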

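--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -663,6 +663,7 @@ def setPaths():
 paths.SQLMAP_CONFIG = os.path.join(paths.SQLMAP_ROOT_PATH, "sqlmap-%s.conf" % randomStr())
 paths.COMMON_OUTPUTS = os.path.join(paths.SQLMAP_TXT_PATH, 'common-outputs.txt')
 paths.COMMON_TABLES = os.path.join(paths.SQLMAP_TXT_PATH, "common-tables.txt")
+paths.SQLKEYWORDS = os.path.join(paths.SQLMAP_TXT_PATH, "keywords.txt")
 paths.FUZZ_VECTORS = os.path.join(paths.SQLMAP_TXT_PATH, "fuzz_vectors.txt")
 paths.DETECTION_RULES_XML = os.path.join(paths.SQLMAP_XML_PATH, "detection.xml")
 paths.ERRORS_XML = os.path.join(paths.SQLMAP_XML_PATH, "errors.xml")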
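Review bot: `paths.SQLKEYWORDS` breaks the naming pattern of the neighbouring attributes (`COMMON_TABLES`, `FUZZ_VECTORS`, `DETECTION_RULES_XML`), which separate words with an underscore; `paths.SQL_KEYWORDS = os.path.join(paths.SQLMAP_TXT_PATH, "keywords.txt")` would read consistently, with the single consumer added in lib/core/option.py renamed to match. setPaths continues outside the hunk.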

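--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -36,6 +36,7 @@
 from extra.keepalive import keepalive
 from extra.xmlobject import xmlobject
 from lib.core.common import getConsoleWidth
+from lib.core.common import getFileItems
 from lib.core.common import getFileType
 from lib.core.common import normalizePath
 from lib.core.common import ntToPosixSlashes
@@ -1057,12 +1058,13 @@ def __setKnowledgeBaseAttributes():
 kb.lastErrorPage = None
 kb.headersCount = 0
 kb.headersFp = {}
+kb.hintValue = None
 kb.htmlFp = []
 kb.injParameter = None
 kb.injPlace = None
 kb.injType = None
 kb.injections = xmlobject.XMLFile(path=paths.INJECTIONS_XML)
-kb.hintValue = None
+kb.keywords = getFileItems(paths.SQLKEYWORDS)
 kb.nullConnection = None
 
 # Back-end DBMS underlying operating system fingerprint via banner (-b)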
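Review bot: `kb.keywords = getFileItems(paths.SQLKEYWORDS)` is consumed by the tamper scripts in this commit as `word.upper() in kb.keywords`, a membership test run once per word of every payload; if getFileItems returns a list (its return type is not visible here) each test is a linear scan over the whole keyword file. Storing a normalised set, `kb.keywords = set(k.upper() for k in getFileItems(paths.SQLKEYWORDS))`, makes the lookup constant-time and stops the tamper modules from depending on keywords.txt being written in upper case, assuming getFileItems yields strings. __setKnowledgeBaseAttributes continues outside the hunk.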

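--- a/lib/request/connect.py
+++ b/lib/request/connect.py
@@ -307,13 +307,13 @@ def queryPage(value=None, place=None, content=False, getSeqMatcher=False, silent
 
 if not place:
 place = kb.injPlace
-
+
 if kb.tamperFunctions:
 for function in kb.tamperFunctions:
 value = function(place, value)
 
 if "GET" in conf.parameters:
-get = conf.parameters["GET"] if place != "GET" or not value else value
+get = conf.parameters["GET"] if place != "GET" or not value else value
 
 if "POST" in conf.parameters:
 post = conf.parameters["POST"] if place != "POST" or not value else value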

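--- a/tamper/randomblanks.py
+++ b/tamper/randomblanks.py
@@ -2,12 +2,32 @@
 import string
 
 from lib.core.common import randomRange
-from lib.core.exception import sqlmapUnsupportedFeatureException
+from lib.core.convert import urldecode
+from lib.core.convert import urlencode
+from lib.core.data import kb
 
 """
 value -> value with inserted random blanks (e.g., INSERT->IN/**/S/**/ERT)
 """
-#TODO: all
-#TODO: only do it for deepness = 0 regarding '"
 def tamper(place, value):
-return value
+retVal = value
+if value:
+if place != "URI":
+retVal = urldecode(retVal)
+
+for match in re.finditer(r"[A-Za-z_]+", retVal):
+word = match.group()
+
+if len(word) < 2:
+continue
+
+if word.upper() in kb.keywords:
+newWord = word[0]
+for i in xrange(1, len(word) - 1):
+newWord += "%s%s" % ("/**/" if randomRange(0,1) else "", word[i])
+newWord += word[-1]
+retVal = retVal.replace(word, newWord)
+
+if place != "URI":
+retVal = urlencode(retVal)
+return retVal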
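Review bot: `retVal = retVal.replace(word, newWord)` on new line 29 substitutes every occurrence of the matched text, not just the match, so a keyword that is also a substring of a longer token (`AND` inside a column named `RANDOM`, `OR` inside `ORDER`) gets `/**/` spliced into that token as well, and once a token has been altered this way the later match that `re.finditer` yields for it (the iterator walks the original string) no longer finds anything to replace. Doing the rewrite in one `re.sub` pass with a callback touches only the matched span and fixes both problems; tamper/randomcase.py in this commit has the same `replace` pattern. The commit also deletes the `#TODO: only do it for deepness = 0 regarding '"` line while the new code still inserts `/**/` into keywords that sit inside quoted string literals, changing the literal's value, so either keep the note or apply the quote tracking added to tamper/space2comment.py here too. `re` is used on new line 18 but only `import string` is visible; this relies on line 1, outside the hunk, importing it.
```python
def tamper(place, value):
    retVal = value
    if value:
        if place != "URI":
            retVal = urldecode(retVal)

        def _blanks(match):
            word = match.group()
            if len(word) < 2 or word.upper() not in kb.keywords:
                return word
            newWord = word[0]
            for i in xrange(1, len(word) - 1):
                newWord += "%s%s" % ("/**/" if randomRange(0,1) else "", word[i])
            return newWord + word[-1]

        # single pass: each match is rewritten in place, so neighbouring
        # tokens that merely contain a keyword are never touched
        retVal = re.sub(r"[A-Za-z_]+", _blanks, retVal)

        # … unchanged: re-encode for non-URI places and return …
```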

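--- a/tamper/randomcase.py
+++ b/tamper/randomcase.py
@@ -2,19 +2,28 @@
 import string
 
 from lib.core.common import randomRange
-from lib.core.exception import sqlmapUnsupportedFeatureException
+from lib.core.convert import urldecode
+from lib.core.convert import urlencode
+from lib.core.data import kb
 
 """
 value -> chars from value with random case (e.g., INSERT->InsERt)
 """
-#TODO: only do it for deepness = 0 regarding '"
 def tamper(place, value):
 retVal = value
 if value:
-retVal = ""
-for i in xrange(len(value)):
-if value[i].isalpha():
-retVal += value[i].upper() if randomRange(0,1) else value[i].lower()
-else:
-retVal += value[i]
+if place != "URI":
+retVal = urldecode(retVal)
+
+for match in re.finditer(r"[A-Za-z_]+", retVal):
+word = match.group()
+if word.upper() in kb.keywords:
+newWord = str()
+for i in xrange(len(word)):
+newWord += word[i].upper() if randomRange(0,1) else word[i].lower()
+retVal = retVal.replace(word, newWord)
+
+if place != "URI":
+retVal = urlencode(retVal)
+
 return retVal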
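Review bot: `newWord = str()` followed by the character-by-character `+=` loop on new lines 21–23 builds the re-cased word the long way; `newWord = "".join(c.upper() if randomRange(0,1) else c.lower() for c in word)` says the same thing in one line and drops the unusual `str()` spelling of an empty string. tamper/randomblanks.py in this commit skips one-letter words with `if len(word) < 2: continue` before the keyword lookup while this module does not; harmless, but the two sibling modules would be easier to maintain if they shared the same shape. The `re` name used on new line 18 is not imported in the visible lines, so this depends on line 1, outside the hunk.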

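--- a/tamper/space2comment.py
+++ b/tamper/space2comment.py
@@ -6,12 +6,28 @@
 """
 ' ' -> /**/ (e.g., SELECT id FROM users->SELECT/**/id/**/FROM users)
 """
-#TODO: only do it for deepness = 0 regarding '"
 def tamper(place, value):
+retVal = value
 if value:
 if place != "URI":
 value = urldecode(value)
-value = value.replace(" ", "/**/")
+
+retVal = ""
+qoute, doublequote, firstspace = False, False, False
+
+for i in xrange(len(value)):
+if not firstspace:
+firstspace = value[i].isspace()
+elif value[i] == '\'':
+qoute = not qoute
+elif value[i] == '"':
+doublequote = not doublequote
+elif value[i]==" " and not doublequote and not qoute:
+retVal += "/**/"
+continue
+retVal += value[i]
+
 if place != "URI":
-value = urlencode(value)
-return value
+retVal = urlencode(retVal)
+return retVal
+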
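Review bot: The quote tracking on new lines 21–24 is inactive until the first whitespace character has been seen, because the `'` and `"` tests are `elif` branches under `if not firstspace`; a quote that opens before the first space (a value beginning with `'`) is never counted, so its closing quote flips `qoute` to True and every later space in the payload is left untouched. Tracking quotes from the first character and handling the first-space exemption inside the space branch fixes this; the rewrite below still keeps the first space verbatim, as the current loop does (I assume that is deliberate), and ignores a `'` while inside `"..."` and vice versa, which the current chain toggles regardless. Also `qoute` is a typo for `quote`, and the exemption test uses `isspace()` while replacement only matches `" "`, so a leading tab would spend the exemption without ever being a candidate; pick one predicate.
```python
        retVal = ""
        quote, doublequote, firstspace = False, False, False

        for i in xrange(len(value)):
            if value[i] == '\'' and not doublequote:
                quote = not quote
            elif value[i] == '"' and not quote:
                doublequote = not doublequote
            elif value[i] == " " and not quote and not doublequote:
                if firstspace:
                    retVal += "/**/"
                    continue
                firstspace = True
            retVal += value[i]

        # … unchanged: re-encode for non-URI places and return …
```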
