Proper english (--postfix is now --suffix) and --string/--regexp does not necessarily need to match into the original response body, it might well be in the injected True condition only!

bdamele · bdamele · commit 17486e472a3c · 2010-11-17T22:00:09.000Z
diff --git a/doc/THANKS b/doc/THANKS
@@ -213,7 +213,7 @@ Gabriel Lima <pato@bugnet.com.br>
     for reporting a couple of bugs
 
 Mark Lowe <larkmowe@gmail.com>
-    for reporting a bug
+    for reporting a couple of bugs
 
 Truong Duc Luong <luongductruong@gmail.com>
     for reporting a minor bug
diff --git a/lib/controller/checks.py b/lib/controller/checks.py
@@ -52,23 +52,23 @@ def checkSqlInjection(place, parameter, value, parenthesis):
     randInt = randomInt()
     randStr = randomStr()
     prefix = ""
-    postfix = ""
+    suffix = ""
     retVal = None
 
-    if conf.prefix or conf.postfix:
+    if conf.prefix or conf.suffix:
         if conf.prefix:
             prefix = conf.prefix
 
-        if conf.postfix:
-            postfix = conf.postfix
+        if conf.suffix:
+            suffix = conf.suffix
 
     for case in kb.injections.root.case:
         conf.matchRatio = None
 
         positive = case.test.positive
         negative = case.test.negative
 
-        if not prefix and not postfix and case.name == "custom":
+        if not prefix and not suffix and case.name == "custom":
             continue
 
         infoMsg  = "testing %s (%s) injection " % (case.desc, logic)
@@ -116,16 +116,16 @@ def heuristicCheckSqlInjection(place, parameter, value):
         return
 
     prefix = ""
-    postfix = ""
+    suffix = ""
 
-    if conf.prefix or conf.postfix:
+    if conf.prefix or conf.suffix:
         if conf.prefix:
             prefix = conf.prefix
 
-        if conf.postfix:
-            postfix = conf.postfix
+        if conf.suffix:
+            suffix = conf.suffix
 
-    payload = "%s%s%s%s" % (value, prefix, randomStr(length=10, alphabet=['"', '\'', ')', '(']), postfix)
+    payload = "%s%s%s%s" % (value, prefix, randomStr(length=10, alphabet=['"', '\'', ')', '(']), suffix)
     payload = agent.payload(place, parameter, value, payload)
     Request.queryPage(payload, place, raise404=False)
     result = wasLastRequestDBMSError()
@@ -209,30 +209,30 @@ def checkDynamicContent(firstPage, secondPage):
 
         for i in xrange(len(blocks) - 1):
             prefix = firstPage[blocks[i][0]:blocks[i][0] + blocks[i][2]] if blocks[i] else None
-            postfix = firstPage[blocks[i + 1][0]:blocks[i + 1][0] + blocks[i + 1][2]] if blocks[i + 1] else None
+            suffix = firstPage[blocks[i + 1][0]:blocks[i + 1][0] + blocks[i + 1][2]] if blocks[i + 1] else None
 
             if prefix is None and blocks[i + 1][0] == 0:
                 continue
 
-            if postfix is None and (blocks[i][0] + blocks[i][2] >= len(firstPage)):
+            if suffix is None and (blocks[i][0] + blocks[i][2] >= len(firstPage)):
                 continue
 
-            kb.dynamicMarkings.append((re.escape(prefix[-conf.dynMarkLength:]) if prefix else None, re.escape(postfix[:conf.dynMarkLength]) if postfix else None))
+            kb.dynamicMarkings.append((re.escape(prefix[-conf.dynMarkLength:]) if prefix else None, re.escape(suffix[:conf.dynMarkLength]) if suffix else None))
 
     if len(kb.dynamicMarkings) > 0:
         infoMsg = "dynamic content marked for removal (%d region%s)" % (len(kb.dynamicMarkings), 's' if len(kb.dynamicMarkings) > 1 else '')
         logger.info(infoMsg)
 
         if conf.seqMatcher.a:
             for item in kb.dynamicMarkings:
-                prefix, postfix = item
+                prefix, suffix = item
 
                 if prefix is None:
-                    conf.seqMatcher.a = re.sub('(?s)^.+%s' % postfix, postfix, conf.seqMatcher.a)
-                elif postfix is None:
+                    conf.seqMatcher.a = re.sub('(?s)^.+%s' % suffix, suffix, conf.seqMatcher.a)
+                elif suffix is None:
                     conf.seqMatcher.a = re.sub('(?s)%s.+$' % prefix, prefix, conf.seqMatcher.a)
                 else:
-                    conf.seqMatcher.a = re.sub('(?s)%s.+%s' % (prefix, postfix), '%s%s' % (prefix, postfix), conf.seqMatcher.a)
+                    conf.seqMatcher.a = re.sub('(?s)%s.+%s' % (prefix, suffix), '%s%s' % (prefix, suffix), conf.seqMatcher.a)
 
 def checkStability():
     """
@@ -347,14 +347,14 @@ def checkString():
 
     if conf.string in page:
         setString()
-        return True
     else:
-        errMsg  = "you provided '%s' as the string to " % conf.string
-        errMsg += "match, but such a string is not within the target "
-        errMsg += "URL page content, please provide another string."
-        logger.error(errMsg)
+        warnMsg  = "you provided '%s' as the string to " % conf.string
+        warnMsg += "match, but such a string is not within the target "
+        warnMsg += "URL page content original request, sqlmap will "
+        warnMsg += "keep going anyway"
+        logger.warn(warnMsg)
 
-        return False
+    return True
 
 def checkRegexp():
     if not conf.regexp:
@@ -377,15 +377,14 @@ def checkRegexp():
 
     if re.search(conf.regexp, page, re.I | re.M):
         setRegexp()
-        return True
     else:
-        errMsg  = "you provided '%s' as the regular expression to " % conf.regexp
-        errMsg += "match, but such a regular expression does not have any "
-        errMsg += "match within the target URL page content, please provide "
-        errMsg += "another regular expression."
-        logger.error(errMsg)
+        warnMsg  = "you provided '%s' as the regular expression to " % conf.regexp
+        warnMsg += "match, but such a regular expression does not have any "
+        warnMsg += "match within the target URL page content, sqlmap "
+        warnMsg += "will keep going anyway"
+        logger.warn(warnMsg)
 
-        return False
+    return True
 
 def checkNullConnection():
     """
diff --git a/lib/core/agent.py b/lib/core/agent.py
@@ -120,7 +120,7 @@ def fullPayload(self, query):
             return self.payloadDirect(query)
 
         query   = self.prefixQuery(query)
-        query   = self.postfixQuery(query)
+        query   = self.suffixQuery(query)
         payload = self.payload(newValue=query)
 
         return payload
@@ -156,7 +156,7 @@ def prefixQuery(self, string):
 
         return query
 
-    def postfixQuery(self, string, comment=None):
+    def suffixQuery(self, string, comment=None):
         """
         This method appends the DBMS comment to the
         SQL injection request
@@ -182,10 +182,10 @@ def postfixQuery(self, string, comment=None):
         if comment:
             string += comment
 
-        if conf.postfix:
-            string += " %s" % conf.postfix
+        if conf.suffix:
+            string += " %s" % conf.suffix
         else:
-            string += case.usage.postfix.format % eval(case.usage.postfix.params)
+            string += case.usage.suffix.format % eval(case.usage.suffix.params)
 
         return string
 
@@ -499,7 +499,7 @@ def forgeInbandQuery(self, query, exprPosition=None, nullChar="NULL"):
         if intoRegExp:
             inbandQuery += intoRegExp
 
-        inbandQuery = self.postfixQuery(inbandQuery, kb.unionComment)
+        inbandQuery = self.suffixQuery(inbandQuery, kb.unionComment)
 
         return inbandQuery
 
@@ -636,7 +636,7 @@ def removePayloadDelimiters(self, inpStr, urlencode_=True):
                 regObj = getCompiledRegex("(?P<result>%s.*?%s)" % (PAYLOAD_DELIMITER, PAYLOAD_DELIMITER))
 
                 for match in regObj.finditer(inpStr):
-                    retVal = retVal.replace(match.group("result"), urlencode(match.group("result").strip(PAYLOAD_DELIMITER), convall=True))
+                    retVal = retVal.replace(match.group("result"), match.group("result").strip(PAYLOAD_DELIMITER))
             else:
                 retVal = retVal.replace(PAYLOAD_DELIMITER, '')
 
diff --git a/lib/core/optiondict.py b/lib/core/optiondict.py
@@ -58,7 +58,7 @@
                                "dbms":              "string",
                                "os":                "string",
                                "prefix":            "string",
-                               "postfix":           "string",
+                               "suffix":            "string",
                                "tamper":            "string"
                              },
 
diff --git a/lib/parse/cmdline.py b/lib/parse/cmdline.py
@@ -169,8 +169,8 @@ def cmdLineParser():
         injection.add_option("--prefix", dest="prefix",
                              help="Injection payload prefix string")
 
-        injection.add_option("--postfix", dest="postfix",
-                             help="Injection payload postfix string")
+        injection.add_option("--suffix", dest="suffix",
+                             help="Injection payload suffix string")
 
         injection.add_option("--tamper", dest="tamper",
                              help="Use given script(s) for tampering injection data")
diff --git a/lib/request/comparison.py b/lib/request/comparison.py
@@ -60,14 +60,14 @@ def comparison(page, headers=None, getSeqMatcher=False, pageLength=None):
         # Dynamic content lines to be excluded before comparison
         if not kb.nullConnection and not conf.longestCommon:
             for item in kb.dynamicMarkings:
-                prefix, postfix = item
+                prefix, suffix = item
 
                 if prefix is None:
-                    page = re.sub('(?s)^.+%s' % postfix, postfix, page)
-                elif postfix is None:
+                    page = re.sub('(?s)^.+%s' % suffix, suffix, page)
+                elif suffix is None:
                     page = re.sub('(?s)%s.+$' % prefix, prefix, page)
                 else:
-                    page = re.sub('(?s)%s.+%s' % (prefix, postfix), '%s%s' % (prefix, postfix), page)
+                    page = re.sub('(?s)%s.+%s' % (prefix, suffix), '%s%s' % (prefix, suffix), page)
 
         if not pageLength:
             pageLength = len(page)
diff --git a/lib/request/inject.py b/lib/request/inject.py
@@ -99,7 +99,7 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r
     """
 
     query          = agent.prefixQuery(queries[kb.misc.testedDbms].inference.query)
-    query          = agent.postfixQuery(query)
+    query          = agent.suffixQuery(query)
     payload        = agent.payload(newValue=query)
     count          = None
     startLimit     = 0
@@ -398,7 +398,7 @@ def goStacked(expression, silent=False):
 
     comment = queries[kb.dbms].comment.query
     query   = agent.prefixQuery("; %s" % expression)
-    query   = agent.postfixQuery("%s;%s" % (query, comment))
+    query   = agent.suffixQuery("%s;%s" % (query, comment))
 
     debugMsg = "query: %s" % query
     logger.debug(debugMsg)
diff --git a/lib/takeover/web.py b/lib/takeover/web.py
@@ -99,7 +99,7 @@ def __webFileInject(self, fileContent, fileName, directory):
         query       = "LIMIT 1 INTO OUTFILE '%s' " % outFile
         query      += "LINES TERMINATED BY 0x%s --" % hexencode(uplQuery)
         query       = agent.prefixQuery(query)
-        query       = agent.postfixQuery(query)
+        query       = agent.suffixQuery(query)
         payload     = agent.payload(newValue=query)
         page        = Request.queryPage(payload)
         return page
diff --git a/lib/techniques/blind/inference.py b/lib/techniques/blind/inference.py
@@ -442,7 +442,7 @@ def downloadThread():
                     # One-shot query containing equals commonValue
                     testValue = unescaper.unescape("'%s'" % commonValue) if "'" not in commonValue else unescaper.unescape("%s" % commonValue, quote=False)
                     query = agent.prefixQuery(safeStringFormat("AND (%s) = %s", (expressionUnescaped, testValue)))
-                    query = agent.postfixQuery(query)
+                    query = agent.suffixQuery(query)
                     queriesCount[0] += 1
                     result = Request.queryPage(agent.payload(newValue=query))
 
@@ -466,7 +466,7 @@ def downloadThread():
                     subquery = queries[kb.dbms].substring.query % (expressionUnescaped, 1, len(commonPattern))
                     testValue = unescaper.unescape("'%s'" % commonPattern) if "'" not in commonPattern else unescaper.unescape("%s" % commonPattern, quote=False)
                     query = agent.prefixQuery(safeStringFormat("AND (%s) = %s", (subquery, testValue)))
-                    query = agent.postfixQuery(query)
+                    query = agent.suffixQuery(query)
                     queriesCount[0] += 1
                     result = Request.queryPage(agent.payload(newValue=query))
 
diff --git a/lib/techniques/blind/timebased.py b/lib/techniques/blind/timebased.py
@@ -28,7 +28,7 @@ def timeTest():
 
     timeQuery = getDelayQuery(andCond=True)
     query     = agent.prefixQuery("AND %s" % timeQuery)
-    query     = agent.postfixQuery(query)
+    query     = agent.suffixQuery(query)
     payload   = agent.payload(newValue=query)
     start     = time.time()
     _         = Request.queryPage(payload)
diff --git a/lib/techniques/brute/use.py b/lib/techniques/brute/use.py
@@ -38,7 +38,7 @@ def tableExists(tableFile):
         if conf.db and '(*)' not in conf.db:
             table = "%s.%s" % (conf.db, table)
         query = agent.prefixQuery("%s" % safeStringFormat("AND EXISTS(SELECT %d FROM %s)", (randomInt(1), table)))
-        query = agent.postfixQuery(query)
+        query = agent.suffixQuery(query)
         result = Request.queryPage(agent.payload(newValue=query))
 
         if result:
@@ -89,7 +89,7 @@ def columnExists(columnFile):
 
     for column in columns:
         query = agent.prefixQuery("%s" % safeStringFormat("AND EXISTS(SELECT %s FROM %s)", (column, table)))
-        query = agent.postfixQuery(query)
+        query = agent.suffixQuery(query)
         result = Request.queryPage(agent.payload(newValue=query))
 
         if result:
@@ -114,7 +114,7 @@ def columnExists(columnFile):
 
         for column in retVal:
             query = agent.prefixQuery("%s" % safeStringFormat("AND EXISTS(SELECT %s FROM %s WHERE %s>0)", (column, table, column)))
-            query = agent.postfixQuery(query)
+            query = agent.suffixQuery(query)
             result = Request.queryPage(agent.payload(newValue=query))
 
             if result:
diff --git a/lib/techniques/error/use.py b/lib/techniques/error/use.py
@@ -40,7 +40,7 @@ def errorUse(expression, returnPayload=False):
     logic          = conf.logic
     randInt        = randomInt(1)
     query          = agent.prefixQuery(queries[kb.misc.testedDbms].error.query)
-    query          = agent.postfixQuery(query)
+    query          = agent.suffixQuery(query)
     startLimiter   = ""
     endLimiter     = ""
 
diff --git a/lib/techniques/inband/union/test.py b/lib/techniques/inband/union/test.py
@@ -128,7 +128,7 @@ def __unionTestByNULLBruteforce(comment, negative=False, falseCond=False):
         if kb.dbms == DBMS.ORACLE:
             query += " FROM DUAL"
 
-        commentedQuery = agent.postfixQuery(query, comment)
+        commentedQuery = agent.suffixQuery(query, comment)
         payload = agent.payload(newValue=commentedQuery, negative=negative, falseCond=falseCond)
         test, seqMatcher = Request.queryPage(payload, getSeqMatcher=True)
 
@@ -145,7 +145,7 @@ def __unionTestByOrderBy(comment, negative=False, falseCond=False):
 
     for count in range(1, conf.uCols+2):
         query = agent.prefixQuery("ORDER BY %d" % count)
-        orderByQuery = agent.postfixQuery(query, comment)
+        orderByQuery = agent.suffixQuery(query, comment)
         payload = agent.payload(newValue=orderByQuery, negative=negative, falseCond=falseCond)
         _, seqMatcher = Request.queryPage(payload, getSeqMatcher=True)
 
diff --git a/lib/utils/parenthesis.py b/lib/utils/parenthesis.py
@@ -37,7 +37,7 @@ def checkForParenthesis():
     if kb.parenthesis is not None:
         return
 
-    if conf.prefix or conf.postfix:
+    if conf.prefix or conf.suffix:
         kb.parenthesis = 0
         return
 
@@ -46,7 +46,7 @@ def checkForParenthesis():
         randStr = randomStr()
 
         query = case.usage.prefix.format % eval(case.usage.prefix.params)
-        query = query[:-1] + case.usage.postfix.format % eval(case.usage.postfix.params)
+        query = query[:-1] + case.usage.suffix.format % eval(case.usage.suffix.params)
 
         payload = agent.payload(newValue=query)
         result = Request.queryPage(payload)
diff --git a/plugins/dbms/access/fingerprint.py b/plugins/dbms/access/fingerprint.py
@@ -41,7 +41,7 @@ def __sandBoxCheck(self):
                 table = "MSysAccessStorage"
             if table:
                 query   = agent.prefixQuery("AND EXISTS(SELECT CURDIR() FROM %s)" % table)
-                query   = agent.postfixQuery(query)
+                query   = agent.suffixQuery(query)
                 payload = agent.payload(newValue=query)
                 result  = Request.queryPage(payload)
                 retVal = "not sandboxed" if result else "sandboxed"
@@ -71,7 +71,7 @@ def __sysTablesCheck(self):
                     table = table[1:]
                 randInt = randomInt()
                 query   = agent.prefixQuery("AND EXISTS(SELECT * FROM %s WHERE %d=%d)" % (table, randInt, randInt))
-                query   = agent.postfixQuery(query)
+                query   = agent.suffixQuery(query)
                 payload = agent.payload(newValue=query)
                 result  = Request.queryPage(payload)
                 if result is None:
@@ -95,7 +95,7 @@ def __getDatabaseDir(self):
         randInt = randomInt()
         randStr = randomStr()
         query   = agent.prefixQuery("AND EXISTS(SELECT * FROM %s.%s WHERE %d=%d)" % (randStr, randStr, randInt, randInt))
-        query   = agent.postfixQuery(query)
+        query   = agent.suffixQuery(query)
         payload = agent.payload(newValue=query)
         page  = Request.queryPage(payload, content=True)
 
diff --git a/plugins/dbms/maxdb/fingerprint.py b/plugins/dbms/maxdb/fingerprint.py
diff --git a/plugins/dbms/mysql/fingerprint.py b/plugins/dbms/mysql/fingerprint.py
diff --git a/plugins/dbms/mysql/takeover.py b/plugins/dbms/mysql/takeover.py
diff --git a/sqlmap.conf b/sqlmap.conf
diff --git a/xml/injections.xml b/xml/injections.xml
