

Commit 8ef4730

committed
added checking of header values for GREP (error); still UNION to do
1 parent a6f2cd5 commit 8ef4730

3 files changed

Lines changed: 22 additions & 5 deletions


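--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -22,6 +22,7 @@
 from lib.core.common import getCompiledRegex
 from lib.core.common import getSortedInjectionTests
 from lib.core.common import getUnicode
+from lib.core.common import listToStrValue
 from lib.core.common import popValue
 from lib.core.common import pushValue
 from lib.core.common import randomInt
@@ -320,8 +321,9 @@ def checkSqlInjection(place, parameter, value):
 elif method == PAYLOAD.METHOD.GREP:
 # Perform the test's request and grep the response
 # body for the test's <grep> regular expression
-reqBody, _ = Request.queryPage(reqPayload, place, content=True, raise404=False)
-output = extractRegexResult(check, reqBody, re.DOTALL | re.IGNORECASE)
+page, headers = Request.queryPage(reqPayload, place, content=True, raise404=False)
+output = extractRegexResult(check, page, re.DOTALL | re.IGNORECASE)\
+or extractRegexResult(check, listToStrValue(headers.headers if headers else None), re.DOTALL | re.IGNORECASE)
 
 if output:
 result = output.replace(kb.misc.space, " ") == "1"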
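Review bot: The fallback in the new `output = ...` expression hands `None` to `listToStrValue` (and from there to `extractRegexResult`) whenever `Request.queryPage` returns no headers object; `extractRegexResult` is not shown here, so whether it tolerates a `None` content argument cannot be confirmed from this hunk, and the guard is cheap to make explicit at the call site. Splitting the expression also removes the backslash continuation and the flag expression repeated on both branches: `flags = re.DOTALL | re.IGNORECASE`, `headerText = listToStrValue(headers.headers) if headers else ""`, `output = extractRegexResult(check, page, flags) or extractRegexResult(check, headerText, flags)`. This assumes `headers.headers` is the raw header-line list of the response message, which the hunk does not show. `checkSqlInjection` continues outside the hunk, and the identical expression is added in lib/techniques/error/use.py.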

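--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -2292,3 +2292,16 @@ def unhandledExceptionMessage():
 errMsg += "Technique: %s\n" % (enumValueToNameLookup(PAYLOAD.TECHNIQUE, kb.technique) if kb.technique else None)
 errMsg += "Back-end DBMS: %s" % kb.dbms
 return errMsg
+
+def listToStrValue(value):
+"""
+Flattens list to a string value
+>>> listToStrValue([1,2,3])
+'1, 2, 3'
+"""
+if isinstance(value, list):
+retValue = value.__str__().lstrip('[').rstrip(']')
+else:
+retValue = value
+
+return retValue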
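Review bot: `listToStrValue` flattens through `value.__str__()`, i.e. the list's repr, so for a list of strings — which is what both new callers in lib/controller/checks.py and lib/techniques/error/use.py pass via `headers.headers` — each element comes back wrapped in quotes with `\r\n` turned into backslash escapes instead of the raw header text, and a `<grep>` pattern that relies on line ends or contains a quote will not match headers the way it matches the body. The doctest only exercises ints, which hides this. `retValue = ", ".join(map(str, value))` gives the documented `'1, 2, 3'` for ints and the plain text for strings, and avoids `lstrip('[')`/`rstrip(']')`, which strip every leading and trailing bracket rather than one. The non-list branch returns `value` unchanged, including `None`; the docstring should say so since the callers rely on it.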

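--- a/lib/techniques/error/use.py
+++ b/lib/techniques/error/use.py
@@ -11,12 +11,13 @@
 import time
 
 from lib.core.agent import agent
+from lib.core.common import Backend
 from lib.core.common import calculateDeltaSeconds
 from lib.core.common import dataToSessionFile
 from lib.core.common import extractRegexResult
-from lib.core.common import Backend
 from lib.core.common import initTechnique
 from lib.core.common import isNumPosStrValue
+from lib.core.common import listToStrValue
 from lib.core.common import randomInt
 from lib.core.common import replaceNewlineTabs
 from lib.core.common import safeStringFormat
@@ -55,12 +56,13 @@ def __oneShotErrorUse(expression, field):
 payload = agent.payload(newValue=injExpression)
 
 # Perform the request
-page, _ = Request.queryPage(payload, content=True)
+page, headers = Request.queryPage(payload, content=True)
 reqCount += 1
 
 # Parse the returned page to get the exact error-based
 # sql injection output
-output = extractRegexResult(check, page, re.DOTALL | re.IGNORECASE)
+output = extractRegexResult(check, page, re.DOTALL | re.IGNORECASE)\
+or extractRegexResult(check, listToStrValue(headers.headers if headers else None), re.DOTALL | re.IGNORECASE)
 
 dataToSessionFile("[%s][%s][%s][%s][%s]\n" % (conf.url, kb.injection.place, conf.parameters[kb.injection.place], expression, replaceNewlineTabs(output)))
 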
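Review bot: The two-line `output = extractRegexResult(check, page, ...) or extractRegexResult(check, listToStrValue(headers.headers if headers else None), ...)` expression in the second hunk is a verbatim copy of the one added to `checkSqlInjection` in lib/controller/checks.py, so the `headers` guard, the flag set and the header flattening now have to be kept in step in two places. A single helper next to `listToStrValue` in lib/core/common.py that takes the regex, the page and the headers object and performs the body-then-headers search would let both call sites shrink to one line and keep any later fix to the header matching in one place. The enclosing `__oneShotErrorUse` begins before the hunk; the first hunk only moves the `Backend` import into alphabetical order.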
