Implements #3549

stamparm · stamparm · commit 519538a1d387 · 2019-05-17T11:00:51.000+02:00
diff --git a/lib/controller/controller.py b/lib/controller/controller.py
@@ -466,6 +466,8 @@ def start():
                     skip |= (place == PLACE.COOKIE and intersect(PLACE.COOKIE, conf.skip, True) not in ([], None))
                     skip |= (place == PLACE.HOST and intersect(PLACE.HOST, conf.skip, True) not in ([], None))
 
+                    skip |= (conf.paramFilter and place.upper() not in conf.paramFilter)
+
                     skip &= not (place == PLACE.USER_AGENT and intersect(USER_AGENT_ALIASES, conf.testParameter, True))
                     skip &= not (place == PLACE.REFERER and intersect(REFERER_ALIASES, conf.testParameter, True))
                     skip &= not (place == PLACE.HOST and intersect(HOST_ALIASES, conf.testParameter, True))
diff --git a/lib/core/option.py b/lib/core/option.py
@@ -1590,6 +1590,11 @@ def _cleanupOptions():
     else:
         conf.testParameter = []
 
+    if conf.paramFilter:
+        conf.paramFilter = [_.strip() for _ in re.split(PARAMETER_SPLITTING_REGEX, conf.paramFilter.upper())]
+    else:
+        conf.paramFilter = []
+
     if conf.base64Parameter:
         conf.base64Parameter = urldecode(conf.base64Parameter)
         conf.base64Parameter = conf.base64Parameter.replace(" ", "")
diff --git a/lib/core/optiondict.py b/lib/core/optiondict.py
@@ -79,6 +79,7 @@
         "skip": "string",
         "skipStatic": "boolean",
         "paramExclude": "string",
+        "paramFilter": "string",
         "dbms": "string",
         "dbmsCred": "string",
         "os": "string",
diff --git a/lib/core/settings.py b/lib/core/settings.py
@@ -18,7 +18,7 @@
 from thirdparty.six import unichr as _unichr
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.3.5.102"
+VERSION = "1.3.5.103"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
diff --git a/lib/parse/cmdline.py b/lib/parse/cmdline.py
@@ -261,6 +261,9 @@ def cmdLineParser(argv=None):
         injection.add_option("--param-exclude", dest="paramExclude",
                              help="Regexp to exclude parameters from testing (e.g. \"ses\")")
 
+        injection.add_option("--param-filter", dest="paramFilter",
+                             help="Select testable parameter(s) by place (e.g. \"POST\")")
+
         injection.add_option("--dbms", dest="dbms",
                              help="Force back-end DBMS to provided value")
 
diff --git a/sqlmap.conf b/sqlmap.conf
@@ -245,6 +245,9 @@ skipStatic = False
 # Regexp to exclude parameters from testing (e.g. "ses").
 paramExclude =
 
+# Select testable parameter(s) by place (e.g. "POST").
+paramFilter =
+
 # Force back-end DBMS to provided value. If this option is set, the back-end
 # DBMS identification process will be minimized as needed.
 # If not set, sqlmap will detect back-end DBMS automatically by default.
