Critical bug patch for --crawl/--forms (introduced last week)

stamparm · stamparm · commit 360d89cecc7a · 2019-11-07T16:23:52.000+01:00
diff --git a/lib/core/settings.py b/lib/core/settings.py
@@ -18,7 +18,7 @@
 from thirdparty.six import unichr as _unichr
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.3.11.16"
+VERSION = "1.3.11.17"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
@@ -362,6 +362,9 @@
 # Regular expression used for parsing refresh info from meta html headers
 META_REFRESH_REGEX = r'(?si)<head>(?!.*?<noscript.*?</head).*?<meta http-equiv="?refresh"?[^>]+content="?[^">]+url=["\']?(?P<result>[^\'">]+).*</head>'
 
+# Regular expression used for parsing Javascript redirect request
+JAVASCRIPT_HREF_REGEX = r'<script>\s*(\w+\.)?location\.href\s*=["\'](?P<result>[^"\']+)'
+
 # Regular expression used for parsing empty fields in tested form data
 EMPTY_FORM_FIELDS_REGEX = r'(&|\A)(?P<result>[^=]+=(&|\Z))'
 
diff --git a/lib/request/connect.py b/lib/request/connect.py
@@ -98,6 +98,7 @@ class WebSocketException(Exception):
 from lib.core.settings import HTTP_ACCEPT_HEADER_VALUE
 from lib.core.settings import IPS_WAF_CHECK_PAYLOAD
 from lib.core.settings import IS_WIN
+from lib.core.settings import JAVASCRIPT_HREF_REGEX
 from lib.core.settings import LARGE_READ_TRIM_MARKER
 from lib.core.settings import MAX_CONNECTION_READ_SIZE
 from lib.core.settings import MAX_CONNECTIONS_REGEX
@@ -563,10 +564,16 @@ class _(dict):
                     debugMsg = "got HTML meta refresh header"
                     logger.debug(debugMsg)
 
+                if not refresh:
+                    refresh = extractRegexResult(JAVASCRIPT_HREF_REGEX, page)
+
+                    debugMsg = "got Javascript redirect request"
+                    logger.debug(debugMsg)
+
                 if refresh:
                     if kb.alwaysRefresh is None:
                         msg = "got a refresh request "
-                        msg += "(redirect like response common to login pages). "
+                        msg += "(redirect like response common to login pages) to '%s'. " % refresh
                         msg += "Do you want to apply the refresh "
                         msg += "from now on (or stay on the original page)? [Y/n]"
 
diff --git a/lib/utils/crawler.py b/lib/utils/crawler.py
@@ -28,6 +28,7 @@
 from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.datatype import OrderedSet
+from lib.core.enums import HTTPMETHOD
 from lib.core.enums import MKSTEMP_PREFIX
 from lib.core.exception import SqlmapConnectionException
 from lib.core.exception import SqlmapSyntaxException
@@ -116,7 +117,7 @@ def crawlThread():
                                 if (extractRegexResult(r"\A[^?]+\.(?P<result>\w+)(\?|\Z)", url) or "").lower() not in CRAWL_EXCLUDE_EXTENSIONS:
                                     with kb.locks.value:
                                         threadData.shared.deeper.add(url)
-                                        if re.search(r"(.*?)\?(.+)", url):
+                                        if re.search(r"(.*?)\?(.+)", url) and not re.search(r"\?\d+\Z", url):
                                             threadData.shared.value.add(url)
                     except UnicodeEncodeError:  # for non-HTML files
                         pass
@@ -211,12 +212,15 @@ def crawlThread():
                 results = OrderedSet()
 
                 for target in kb.targets:
-                    match = re.search(r"/[^/?]*\?.*\Z", target[0])
-                    if match:
-                        key = re.sub(r"=[^=&]*", "=", match.group(0))
-                        if key not in seen:
-                            results.add(target)
-                            seen.add(key)
+                    if target[1] == HTTPMETHOD.GET:
+                        match = re.search(r"/[^/?]*\?.*\Z", target[0])
+                        if match:
+                            key = re.sub(r"=[^=&]*", "=", match.group(0))
+                            if key not in seen:
+                                results.add(target)
+                                seen.add(key)
+                    else:
+                        results.add(target)
 
                 kb.targets = results
 
