
Commit b7f2602

committed
A bit more entropy in the sql injection detection
1 parent 2b0ec18 commit b7f2602

1 file changed

Lines changed: 4 additions & 4 deletions


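--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -129,7 +129,7 @@ def checkSqlInjection(place, parameter, value, parenthesis):
 trueResult = Request.queryPage(payload, place)
 
 if trueResult == kb.defaultResult:
-payload = agent.payload(place, parameter, value, "%s'%s AND %s'%s'='%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr, randStr + 'A'))
+payload = agent.payload(place, parameter, value, "%s'%s AND %s'%s'='%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr, randStr + randomStr(1)))
 falseResult = Request.queryPage(payload, place)
 
 if falseResult != kb.defaultResult:
@@ -160,7 +160,7 @@ def checkSqlInjection(place, parameter, value, parenthesis):
 trueResult = Request.queryPage(payload, place)
 
 if trueResult == kb.defaultResult:
-payload = agent.payload(place, parameter, value, "%s'%s AND %s'%s' LIKE '%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr, randStr + 'A'))
+payload = agent.payload(place, parameter, value, "%s'%s AND %s'%s' LIKE '%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr, randStr + randomStr(1)))
 falseResult = Request.queryPage(payload, place)
 
 if falseResult != kb.defaultResult:
@@ -191,7 +191,7 @@ def checkSqlInjection(place, parameter, value, parenthesis):
 trueResult = Request.queryPage(payload, place)
 
 if trueResult == kb.defaultResult:
-payload = agent.payload(place, parameter, value, "%s\"%s AND %s\"%s\"=\"%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr, randStr + 'A'))
+payload = agent.payload(place, parameter, value, "%s\"%s AND %s\"%s\"=\"%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr, randStr + randomStr(1)))
 falseResult = Request.queryPage(payload, place)
 
 if falseResult != kb.defaultResult:
@@ -222,7 +222,7 @@ def checkSqlInjection(place, parameter, value, parenthesis):
 trueResult = Request.queryPage(payload, place)
 
 if trueResult == kb.defaultResult:
-payload = agent.payload(place, parameter, value, "%s\"%s AND %s\"%s\" LIKE \"%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr, randStr + 'A'))
+payload = agent.payload(place, parameter, value, "%s\"%s AND %s\"%s\" LIKE \"%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr, randStr + randomStr(1)))
 falseResult = Request.queryPage(payload, place)
 
 if falseResult != kb.defaultResult: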
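Review bot: The four rewritten `payload = ...` lines (new lines 132, 163, 194 and 225) now depend on `randomStr(1)` never returning a character that makes the intended always-false comparison evaluate true, and nothing visible here states or enforces that. In the two `LIKE` variants a `%` suffix would match, and under pad-space collations a trailing blank would make the `=` variants compare equal, so a true response would be misread as a failed check; `randomStr`'s alphabet is defined outside this page, so this is presumably safe but should be confirmed. I would add a comment above the first site such as `# suffix must be a plain alphanumeric: a LIKE wildcard or trailing space would make the "false" condition true`. The commit changes no import line, so `randomStr` must already be imported in checks.py or these paths raise NameError. `checkSqlInjection` starts and ends outside these hunks.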
