@@ -604,6 +604,44 @@ def paramToDict(place, parameters=None):
604604 for regex in (r"\A((?:<[^>]+>)+\w+)((?:<[^>]+>)+)\Z" , r"\A([^\w]+.*\w+)([^\w]+)\Z" ):
605605 match = re .search (regex , testableParameters [parameter ])
606606 if match :
607+ try :
608+ candidates = OrderedDict ()
609+
610+ def walk (head , current = None ):
611+ current = current or head
612+ if isListLike (current ):
613+ for _ in current :
614+ walk (head , _ )
615+ elif isinstance (current , dict ):
616+ for key in current .keys ():
617+ value = current [key ]
618+ if isinstance (value , (list , tuple , set , dict )):
619+ walk (head , value )
620+ elif isinstance (value , (bool , int , float , basestring )):
621+ original = current [key ]
622+ if isinstance (value , bool ):
623+ current [key ] = "%s%s" % (str (value ).lower (), BOUNDED_INJECTION_MARKER )
624+ else :
625+ current [key ] = "%s%s" % (value , BOUNDED_INJECTION_MARKER )
626+ candidates ["%s #%d%s" % (parameter , len (candidates ) + 1 , CUSTOM_INJECTION_MARK_CHAR )] = json .dumps (deserialized )
627+ current [key ] = original
628+
629+ deserialized = json .loads (testableParameters [parameter ])
630+ walk (deserialized )
631+
632+ if candidates :
633+ message = "it appears that provided value for %s parameter '%s' " % (place , parameter )
634+ message += "is JSON deserializable. Do you want to inject inside? [y/N] "
635+ test = readInput (message , default = "N" )
636+ if test [0 ] in ("y" , "Y" ):
637+ del testableParameters [parameter ]
638+ testableParameters .update (candidates )
639+ break
640+ except (KeyboardInterrupt , SqlmapUserQuitException ):
641+ raise
642+ except Exception :
643+ pass
644+
607645 _ = re .sub (regex , "\g<1>%s\g<%d>" % (CUSTOM_INJECTION_MARK_CHAR , len (match .groups ())), testableParameters [parameter ])
608646 message = "it appears that provided value for %s parameter '%s' " % (place , parameter )
609647 message += "has boundaries. Do you want to inject inside? ('%s') [y/N] " % _
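Review bot: `current = current or head` in walk() re-enters the root whenever a nested value is an empty container, so a JSON value like `{"a": {}}` or `{"a": []}` recurses until RecursionError, which the trailing `except Exception: pass` then silently swallows and the JSON-injection prompt never appears for that parameter. Use an identity check instead, `current = head if current is None else current`, and keep the catch-all narrow enough that such bugs are not masked, e.g. `except ValueError:` around the `json.loads` call only, since a non-JSON value is the one expected failure here. Scalars that sit directly inside a list (`{"a": [1, 2]}`) are walked but never marked as candidates, which may be intended but is worth a comment such as `# only dict values are injected; list elements are only descended into`. paramToDict continues before and after this hunk.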