some updates

stamparm · stamparm · commit 43892cddbb60 · 2010-10-11T12:26:35.000Z
diff --git a/lib/controller/checks.py b/lib/controller/checks.py
@@ -96,6 +96,28 @@ def checkSqlInjection(place, parameter, value, parenthesis):
 
     return None
 
+def heuristicCheckSqlInjection(place, parameter, value):
+    prefix = ""
+    postfix = ""
+
+    if conf.prefix or conf.postfix:
+        if conf.prefix:
+            prefix = conf.prefix
+
+        if conf.postfix:
+            postfix = conf.postfix
+
+    payload = "%s%s%s" % (prefix, randomStr(length=10, alphabet=['"', '\'', ')', '(']), postfix)
+    Request.queryPage(payload, place)
+    result = kb.lastErrorPage and kb.lastErrorPage[0]==kb.lastRequestUID
+    infoMsg = "heuristics show that %s parameter '%s' is " % (place, parameter)
+    if result:
+        infoMsg += "injectable"
+        logger.info(infoMsg)
+    else:
+        infoMsg += "not injectable"
+        logger.warning(infoMsg)
+
 def checkDynParam(place, parameter, value):
     """
     This function checks if the url parameter is dynamic. If it is
diff --git a/lib/controller/controller.py b/lib/controller/controller.py
@@ -24,6 +24,7 @@
 
 from lib.controller.action import action
 from lib.controller.checks import checkSqlInjection
+from lib.controller.checks import heuristicCheckSqlInjection
 from lib.controller.checks import checkDynParam
 from lib.controller.checks import checkStability
 from lib.controller.checks import checkString
@@ -232,6 +233,7 @@ def start():
                         kb.testedParams.add(paramKey)
 
                         if testSqlInj:
+                            heuristicCheckSqlInjection(place, parameter, value)
                             for parenthesis in range(0, 4):
                                 logMsg  = "testing sql injection on %s " % place
                                 logMsg += "parameter '%s' with " % parameter
diff --git a/lib/core/common.py b/lib/core/common.py
@@ -551,7 +551,7 @@ def randomInt(length=4):
 
     return int("".join([random.choice(string.digits) for _ in xrange(0, length)]))
 
-def randomStr(length=4, lowercase=False):
+def randomStr(length=4, lowercase=False, alphabet=None):
     """
     @param length: length of the random string.
     @type length: C{int}
@@ -560,7 +560,9 @@ def randomStr(length=4, lowercase=False):
     @rtype: C{str}
     """
 
-    if lowercase:
+    if alphabet:
+        rndStr = "".join([random.choice(alphabet) for _ in xrange(0, length)])    
+    elif lowercase:
         rndStr = "".join([random.choice(string.lowercase) for _ in xrange(0, length)])
     else:
         rndStr = "".join([random.choice(string.letters) for _ in xrange(0, length)])
diff --git a/lib/core/option.py b/lib/core/option.py
@@ -1024,7 +1024,7 @@ def __setKnowledgeBaseAttributes():
 
     kb.parenthesis    = None
     kb.partRun        = None
-    kb.requestUID     = 0
+    kb.lastRequestUID = 0
     kb.queryCounter   = 0
     kb.resumedQueries = {}
     kb.stackedTest    = None
diff --git a/lib/parse/html.py b/lib/parse/html.py
@@ -57,7 +57,7 @@ def startElement(self, name, attrs):
             if self.__match:
                 self.dbms = self.__dbms
                 self.__match = None
-                kb.lastErrorPage = (kb.requestUID, self.__page)
+                kb.lastErrorPage = (kb.lastRequestUID, self.__page)
 
 def htmlParser(page):
     """
diff --git a/lib/request/connect.py b/lib/request/connect.py
@@ -90,7 +90,7 @@ def getPage(**kwargs):
         requestHeaders  = ""
         responseHeaders = ""
 
-        kb.requestUID  += 1
+        kb.lastRequestUID  += 1
 
         try:
             if silent:
