Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 36f2bb5

Browse files
stamparmstamparm
committed
Minor beautification (e.g. HTTP header cases like Host parameter 'Host')
1 parent 23d0a04 commit 36f2bb5

5 files changed

Lines changed: 28 additions & 33 deletions

File tree

lib/controller/checks.py

Lines changed: 12 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -575,7 +575,7 @@ def genCmpPayload():
575575
conf.string = candidate
576576
injectable = True
577577

578-
infoMsg = "%s parameter '%s' appears to be '%s' injectable (with --string=\"%s\")" % (paramType, parameter, title, repr(conf.string).lstrip('u').strip("'"))
578+
infoMsg = "%sparameter '%s' appears to be '%s' injectable (with --string=\"%s\")" % ("%s " % paramType if paramType != parameter else "", parameter, title, repr(conf.string).lstrip('u').strip("'"))
579579
logger.info(infoMsg)
580580

581581
break
@@ -585,7 +585,7 @@ def genCmpPayload():
585585
if all((falseCode, trueCode)) and falseCode != trueCode:
586586
conf.code = trueCode
587587

588-
infoMsg = "%s parameter '%s' appears to be '%s' injectable (with --code=%d)" % (paramType, parameter, title, conf.code)
588+
infoMsg = "%sparameter '%s' appears to be '%s' injectable (with --code=%d)" % ("%s " % paramType if paramType != parameter else "", parameter, title, conf.code)
589589
logger.info(infoMsg)
590590
else:
591591
trueSet = set(extractTextTagContent(trueRawResponse))
@@ -610,7 +610,7 @@ def genCmpPayload():
610610

611611
conf.string = candidate
612612

613-
infoMsg = "%s parameter '%s' appears to be '%s' injectable (with --string=\"%s\")" % (paramType, parameter, title, repr(conf.string).lstrip('u').strip("'"))
613+
infoMsg = "%sparameter '%s' appears to be '%s' injectable (with --string=\"%s\")" % ("%s " % paramType if paramType != parameter else "", parameter, title, repr(conf.string).lstrip('u').strip("'"))
614614
logger.info(infoMsg)
615615

616616
if not any((conf.string, conf.notString)):
@@ -624,11 +624,11 @@ def genCmpPayload():
624624

625625
conf.notString = candidate
626626

627-
infoMsg = "%s parameter '%s' appears to be '%s' injectable (with --not-string=\"%s\")" % (paramType, parameter, title, repr(conf.notString).lstrip('u').strip("'"))
627+
infoMsg = "%sparameter '%s' appears to be '%s' injectable (with --not-string=\"%s\")" % ("%s " % paramType if paramType != parameter else "", parameter, title, repr(conf.notString).lstrip('u').strip("'"))
628628
logger.info(infoMsg)
629629

630630
if not any((conf.string, conf.notString, conf.code)):
631-
infoMsg = "%s parameter '%s' appears to be '%s' injectable " % (paramType, parameter, title)
631+
infoMsg = "%sparameter '%s' appears to be '%s' injectable " % ("%s " % paramType if paramType != parameter else "", parameter, title)
632632
singleTimeLogMessage(infoMsg)
633633

634634
# In case of error-based SQL injection
@@ -646,7 +646,7 @@ def genCmpPayload():
646646
result = output == "1"
647647

648648
if result:
649-
infoMsg = "%s parameter '%s' is '%s' injectable " % (paramType, parameter, title)
649+
infoMsg = "%sparameter '%s' is '%s' injectable " % ("%s " % paramType if paramType != parameter else "", parameter, title)
650650
logger.info(infoMsg)
651651

652652
injectable = True
@@ -675,7 +675,7 @@ def genCmpPayload():
675675
trueResult = Request.queryPage(reqPayload, place, timeBasedCompare=True, raise404=False)
676676

677677
if trueResult:
678-
infoMsg = "%s parameter '%s' appears to be '%s' injectable " % (paramType, parameter, title)
678+
infoMsg = "%sparameter '%s' appears to be '%s' injectable " % ("%s " % paramType if paramType != parameter else "", parameter, title)
679679
logger.info(infoMsg)
680680

681681
injectable = True
@@ -714,7 +714,7 @@ def genCmpPayload():
714714
reqPayload, vector = unionTest(comment, place, parameter, value, prefix, suffix)
715715

716716
if isinstance(reqPayload, six.string_types):
717-
infoMsg = "%s parameter '%s' is '%s' injectable" % (paramType, parameter, title)
717+
infoMsg = "%sparameter '%s' is '%s' injectable" % ("%s " % paramType if paramType != parameter else "", parameter, title)
718718
logger.info(infoMsg)
719719

720720
injectable = True
@@ -1053,8 +1053,7 @@ def heuristicCheckSqlInjection(place, parameter):
10531053
parseFilePaths(page)
10541054
result = wasLastResponseDBMSError()
10551055

1056-
infoMsg = "heuristic (basic) test shows that %s parameter " % paramType
1057-
infoMsg += "'%s' might " % parameter
1056+
infoMsg = "heuristic (basic) test shows that %sparameter '%s' might " % ("%s " % paramType if paramType != parameter else "", parameter)
10581057

10591058
def _(page):
10601059
return any(_ in (page or "") for _ in FORMAT_EXCEPTION_STRINGS)
@@ -1116,14 +1115,12 @@ def _(page):
11161115
paramType = conf.method if conf.method not in (None, HTTPMETHOD.GET, HTTPMETHOD.POST) else place
11171116

11181117
if value.lower() in (page or "").lower():
1119-
infoMsg = "heuristic (XSS) test shows that %s parameter " % paramType
1120-
infoMsg += "'%s' might be vulnerable to cross-site scripting (XSS) attacks" % parameter
1118+
infoMsg = "heuristic (XSS) test shows that %sparameter '%s' might be vulnerable to cross-site scripting (XSS) attacks" % ("%s " % paramType if paramType != parameter else "", parameter)
11211119
logger.info(infoMsg)
11221120

11231121
for match in re.finditer(FI_ERROR_REGEX, page or ""):
11241122
if randStr1.lower() in match.group(0).lower():
1125-
infoMsg = "heuristic (FI) test shows that %s parameter " % paramType
1126-
infoMsg += "'%s' might be vulnerable to file inclusion (FI) attacks" % parameter
1123+
infoMsg = "heuristic (FI) test shows that %sparameter '%s' might be vulnerable to file inclusion (FI) attacks" % ("%s " % paramType if paramType != parameter else "", parameter)
11271124
logger.info(infoMsg)
11281125
break
11291126

@@ -1147,7 +1144,7 @@ def checkDynParam(place, parameter, value):
11471144

11481145
paramType = conf.method if conf.method not in (None, HTTPMETHOD.GET, HTTPMETHOD.POST) else place
11491146

1150-
infoMsg = "testing if %s parameter '%s' is dynamic" % (paramType, parameter)
1147+
infoMsg = "testing if %sparameter '%s' is dynamic" % ("%s " % paramType if paramType != parameter else "", parameter)
11511148
logger.info(infoMsg)
11521149

11531150
try:

lib/controller/controller.py

Lines changed: 12 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -498,7 +498,7 @@ def start():
498498
if paramKey in kb.testedParams:
499499
testSqlInj = False
500500

501-
infoMsg = "skipping previously processed %s parameter '%s'" % (paramType, parameter)
501+
infoMsg = "skipping previously processed %sparameter '%s'" % ("%s " % paramType if paramType != parameter else "", parameter)
502502
logger.info(infoMsg)
503503

504504
elif any(_ in conf.testParameter for _ in (parameter, removePostHintPrefix(parameter))):
@@ -507,19 +507,19 @@ def start():
507507
elif parameter in conf.rParam:
508508
testSqlInj = False
509509

510-
infoMsg = "skipping randomizing %s parameter '%s'" % (paramType, parameter)
510+
infoMsg = "skipping randomizing %sparameter '%s'" % ("%s " % paramType if paramType != parameter else "", parameter)
511511
logger.info(infoMsg)
512512

513513
elif parameter in conf.skip or kb.postHint and parameter.split(' ')[-1] in conf.skip:
514514
testSqlInj = False
515515

516-
infoMsg = "skipping %s parameter '%s'" % (paramType, parameter)
516+
infoMsg = "skipping %sparameter '%s'" % ("%s " % paramType if paramType != parameter else "", parameter)
517517
logger.info(infoMsg)
518518

519519
elif conf.paramExclude and (re.search(conf.paramExclude, parameter, re.I) or kb.postHint and re.search(conf.paramExclude, parameter.split(' ')[-1], re.I)):
520520
testSqlInj = False
521521

522-
infoMsg = "skipping %s parameter '%s'" % (paramType, parameter)
522+
infoMsg = "skipping %sparameter '%s'" % ("%s " % paramType if paramType != parameter else "", parameter)
523523
logger.info(infoMsg)
524524

525525
elif conf.csrfToken and re.search(conf.csrfToken, parameter, re.I):
@@ -532,23 +532,23 @@ def start():
532532
elif conf.level < 4 and (parameter.upper() in IGNORE_PARAMETERS or any(_ in parameter.lower() for _ in CSRF_TOKEN_PARAMETER_INFIXES) or parameter.upper().startswith(GOOGLE_ANALYTICS_COOKIE_PREFIX)):
533533
testSqlInj = False
534534

535-
infoMsg = "ignoring %s parameter '%s'" % (paramType, parameter)
535+
infoMsg = "ignoring %sparameter '%s'" % ("%s " % paramType if paramType != parameter else "", parameter)
536536
logger.info(infoMsg)
537537

538538
elif PAYLOAD.TECHNIQUE.BOOLEAN in conf.tech or conf.skipStatic:
539539
check = checkDynParam(place, parameter, value)
540540

541541
if not check:
542-
warnMsg = "%s parameter '%s' does not appear to be dynamic" % (paramType, parameter)
542+
warnMsg = "%sparameter '%s' does not appear to be dynamic" % ("%s " % paramType if paramType != parameter else "", parameter)
543543
logger.warn(warnMsg)
544544

545545
if conf.skipStatic:
546-
infoMsg = "skipping static %s parameter '%s'" % (paramType, parameter)
546+
infoMsg = "skipping static %sparameter '%s'" % ("%s " % paramType if paramType != parameter else "", parameter)
547547
logger.info(infoMsg)
548548

549549
testSqlInj = False
550550
else:
551-
infoMsg = "%s parameter '%s' appears to be dynamic" % (paramType, parameter)
551+
infoMsg = "%sparameter '%s' appears to be dynamic" % ("%s " % paramType if paramType != parameter else "", parameter)
552552
logger.info(infoMsg)
553553

554554
kb.testedParams.add(paramKey)
@@ -563,12 +563,11 @@ def start():
563563

564564
if check != HEURISTIC_TEST.POSITIVE:
565565
if conf.smart or (kb.ignoreCasted and check == HEURISTIC_TEST.CASTED):
566-
infoMsg = "skipping %s parameter '%s'" % (paramType, parameter)
566+
infoMsg = "skipping %sparameter '%s'" % ("%s " % paramType if paramType != parameter else "", parameter)
567567
logger.info(infoMsg)
568568
continue
569569

570-
infoMsg = "testing for SQL injection on %s " % paramType
571-
infoMsg += "parameter '%s'" % parameter
570+
infoMsg = "testing for SQL injection on %sparameter '%s'" % ("%s " % paramType if paramType != parameter else "", parameter)
572571
logger.info(infoMsg)
573572

574573
injection = checkSqlInjection(place, parameter, value)
@@ -587,7 +586,7 @@ def start():
587586
if not proceed:
588587
break
589588

590-
msg = "%s parameter '%s' " % (injection.place, injection.parameter)
589+
msg = "%sparameter '%s' " % ("%s " % injection.place if injection.place != injection.parameter else "", injection.parameter)
591590
msg += "is vulnerable. Do you want to keep testing the others (if any)? [y/N] "
592591

593592
if not readInput(msg, default='N', boolean=True):
@@ -596,8 +595,7 @@ def start():
596595
kb.testedParams.add(paramKey)
597596

598597
if not injectable:
599-
warnMsg = "%s parameter '%s' does not seem to be " % (paramType, parameter)
600-
warnMsg += "injectable"
598+
warnMsg = "%sparameter '%s' does not seem to be injectable" % ("%s " % paramType if paramType != parameter else "", parameter)
601599
logger.warn(warnMsg)
602600

603601
finally:

lib/core/common.py

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -679,7 +679,7 @@ def walk(head, current=None):
679679
walk(deserialized)
680680

681681
if candidates:
682-
message = "it appears that provided value for %s parameter '%s' " % (place, parameter)
682+
message = "it appears that provided value for %sparameter '%s' " % ("%s " % place if place != parameter else "", parameter)
683683
message += "is JSON deserializable. Do you want to inject inside? [y/N] "
684684

685685
if readInput(message, default='N', boolean=True):
@@ -692,7 +692,7 @@ def walk(head, current=None):
692692
pass
693693

694694
_ = re.sub(regex, r"\g<1>%s\g<%d>" % (kb.customInjectionMark, len(match.groups())), testableParameters[parameter])
695-
message = "it appears that provided value for %s parameter '%s' " % (place, parameter)
695+
message = "it appears that provided value for %sparameter '%s' " % ("%s " % place if place != parameter else "", parameter)
696696
message += "has boundaries. Do you want to inject inside? ('%s') [y/N] " % getUnicode(_)
697697

698698
if readInput(message, default='N', boolean=True):

lib/core/settings.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,7 @@
1818
from thirdparty.six import unichr as _unichr
1919

2020
# sqlmap version (<major>.<minor>.<month>.<monthly commit>)
21-
VERSION = "1.3.5.121"
21+
VERSION = "1.3.5.122"
2222
TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
2323
TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
2424
VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)

lib/core/target.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -407,7 +407,7 @@ def process(match, repl):
407407

408408
for parameter in conf.paramDict.get(place, {}):
409409
if any(parameter.lower().count(_) for _ in CSRF_TOKEN_PARAMETER_INFIXES):
410-
message = "%s parameter '%s' appears to hold anti-CSRF token. " % (place, parameter)
410+
message = "%sparameter '%s' appears to hold anti-CSRF token. " % ("%s " % place if place != parameter else "", parameter)
411411
message += "Do you want sqlmap to automatically update it in further requests? [y/N] "
412412

413413
if readInput(message, default='N', boolean=True):

0 commit comments

Comments
 (0)