
Commit f3f752d

committed
Patch for an Issue #452
1 parent a85a0e5 commit f3f752d

2 files changed

Lines changed: 49 additions & 35 deletions


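--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -258,15 +258,19 @@ def _parseBurpLog(content):
 newline = None
 lines = request.split('\n')
 
-for line in lines:
+for index in xrange(len(lines)):
+line = lines[index]
+
+if not line.strip() and index == len(lines) - 1:
+break
+
 newline = "\r\n" if line.endswith('\r') else '\n'
 line = line.strip('\r')
 match = re.search(r"\A(%s) (.+) HTTP/[\d.]+\Z" % "|".join(getPublicTypeMembers(HTTPMETHOD, True)), line) if not method else None
 
-if len(line) == 0:
-if method in (HTTPMETHOD.POST, HTTPMETHOD.PUT) and data is None:
-data = ""
-params = True
+if len(line) == 0 and method in (HTTPMETHOD.POST, HTTPMETHOD.PUT) and data is None:
+data = ""
+params = True
 
 elif match:
 method = match.group(1)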
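Review bot: The merged condition `if len(line) == 0 and method in (HTTPMETHOD.POST, HTTPMETHOD.PUT) and data is None:` changes what happens to a blank line that does not start a POST/PUT body: the old outer `if len(line) == 0:` consumed it, and now it falls through to `elif match:` and the branches after it, which lie outside this hunk. If keeping empty lines inside a request body is the intended fix, a short comment above the condition should say so, for example `# blank lines after the body has started fall through to the branches below`. The loop header would also read more naturally as `for index, line in enumerate(lines):`, which removes the separate `line = lines[index]` assignment. The trailing-line check `index == len(lines) - 1` drops only one final blank line, so it is worth confirming that a log entry ending in several empty lines is parsed as expected.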

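--- a/lib/core/target.py
+++ b/lib/core/target.py
@@ -103,39 +103,49 @@ def process(match, repl):
 
 return retVal
 
-if re.search(JSON_RECOGNITION_REGEX, conf.data):
-message = "JSON like data found in %s data. " % conf.method
-message += "Do you want to process it? [Y/n/q] "
+if kb.processUserMarks is None:
+message = "custom injection marking character ('%s') found in option " % CUSTOM_INJECTION_MARK_CHAR
+message += "'--data'. Do you want to process it? [Y/n/q] "
 test = readInput(message, default="Y")
 if test and test[0] in ("q", "Q"):
 raise SqlmapUserQuitException
-elif test[0] not in ("n", "N"):
-conf.data = conf.data.replace(CUSTOM_INJECTION_MARK_CHAR, ASTERISK_MARKER)
-conf.data = re.sub(r'("(?P<name>[^"]+)"\s*:\s*"[^"]+)"', functools.partial(process, repl=r'\g<1>%s"' % CUSTOM_INJECTION_MARK_CHAR), conf.data)
-conf.data = re.sub(r'("(?P<name>[^"]+)"\s*:\s*)(-?\d[\d\.]*\b)', functools.partial(process, repl=r'\g<0>%s' % CUSTOM_INJECTION_MARK_CHAR), conf.data)
-kb.postHint = POST_HINT.JSON
-
-elif re.search(SOAP_RECOGNITION_REGEX, conf.data):
-message = "SOAP/XML like data found in %s data. " % conf.method
-message += "Do you want to process it? [Y/n/q] "
-test = readInput(message, default="Y")
-if test and test[0] in ("q", "Q"):
-raise SqlmapUserQuitException
-elif test[0] not in ("n", "N"):
-conf.data = conf.data.replace(CUSTOM_INJECTION_MARK_CHAR, ASTERISK_MARKER)
-conf.data = re.sub(r"(<(?P<name>[^>]+)( [^<]*)?>)([^<]+)(</\2)", functools.partial(process, repl=r"\g<1>\g<4>%s\g<5>" % CUSTOM_INJECTION_MARK_CHAR), conf.data)
-kb.postHint = POST_HINT.SOAP if "soap" in conf.data.lower() else POST_HINT.XML
-
-elif re.search(MULTIPART_RECOGNITION_REGEX, conf.data):
-message = "Multipart like data found in %s data. " % conf.method
-message += "Do you want to process it? [Y/n/q] "
-test = readInput(message, default="Y")
-if test and test[0] in ("q", "Q"):
-raise SqlmapUserQuitException
-elif test[0] not in ("n", "N"):
-conf.data = conf.data.replace(CUSTOM_INJECTION_MARK_CHAR, ASTERISK_MARKER)
-conf.data = re.sub(r"(?si)(Content-Disposition.+?)((\r)?\n--)", r"\g<1>%s\g<2>" % CUSTOM_INJECTION_MARK_CHAR, conf.data)
-kb.postHint = POST_HINT.MULTIPART
+else:
+kb.processUserMarks = not test or test[0] not in ("n", "N")
+
+if not (kb.processUserMarks and CUSTOM_INJECTION_MARK_CHAR in conf.data):
+if re.search(JSON_RECOGNITION_REGEX, conf.data):
+message = "JSON like data found in %s data. " % conf.method
+message += "Do you want to process it? [Y/n/q] "
+test = readInput(message, default="Y")
+if test and test[0] in ("q", "Q"):
+raise SqlmapUserQuitException
+elif test[0] not in ("n", "N"):
+conf.data = conf.data.replace(CUSTOM_INJECTION_MARK_CHAR, ASTERISK_MARKER)
+conf.data = re.sub(r'("(?P<name>[^"]+)"\s*:\s*"[^"]+)"', functools.partial(process, repl=r'\g<1>%s"' % CUSTOM_INJECTION_MARK_CHAR), conf.data)
+conf.data = re.sub(r'("(?P<name>[^"]+)"\s*:\s*)(-?\d[\d\.]*\b)', functools.partial(process, repl=r'\g<0>%s' % CUSTOM_INJECTION_MARK_CHAR), conf.data)
+kb.postHint = POST_HINT.JSON
+
+elif re.search(SOAP_RECOGNITION_REGEX, conf.data):
+message = "SOAP/XML like data found in %s data. " % conf.method
+message += "Do you want to process it? [Y/n/q] "
+test = readInput(message, default="Y")
+if test and test[0] in ("q", "Q"):
+raise SqlmapUserQuitException
+elif test[0] not in ("n", "N"):
+conf.data = conf.data.replace(CUSTOM_INJECTION_MARK_CHAR, ASTERISK_MARKER)
+conf.data = re.sub(r"(<(?P<name>[^>]+)( [^<]*)?>)([^<]+)(</\2)", functools.partial(process, repl=r"\g<1>\g<4>%s\g<5>" % CUSTOM_INJECTION_MARK_CHAR), conf.data)
+kb.postHint = POST_HINT.SOAP if "soap" in conf.data.lower() else POST_HINT.XML
+
+elif re.search(MULTIPART_RECOGNITION_REGEX, conf.data):
+message = "Multipart like data found in %s data. " % conf.method
+message += "Do you want to process it? [Y/n/q] "
+test = readInput(message, default="Y")
+if test and test[0] in ("q", "Q"):
+raise SqlmapUserQuitException
+elif test[0] not in ("n", "N"):
+conf.data = conf.data.replace(CUSTOM_INJECTION_MARK_CHAR, ASTERISK_MARKER)
+conf.data = re.sub(r"(?si)(Content-Disposition.+?)((\r)?\n--)", r"\g<1>%s\g<2>" % CUSTOM_INJECTION_MARK_CHAR, conf.data)
+kb.postHint = POST_HINT.MULTIPART
 
 if not kb.postHint:
 if CUSTOM_INJECTION_MARK_CHAR in conf.data: # later processed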
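Review bot: The new prompt under `if kb.processUserMarks is None:` tells the user that the custom injection marking character was found in '--data', but nothing visible in the hunk checks that the character is in `conf.data` before asking. The membership test appears only in the next statement, `if not (kb.processUserMarks and CUSTOM_INJECTION_MARK_CHAR in conf.data):`. Unless an enclosing check outside the hunk already guarantees it, the condition should read `if kb.processUserMarks is None and CUSTOM_INJECTION_MARK_CHAR in conf.data:`. Separately, the new assignment `kb.processUserMarks = not test or test[0] not in ("n", "N")` tolerates an empty answer, while the three re-indented `elif test[0] not in ("n", "N"):` branches still index `test` unguarded. Whether `readInput` can return an empty string is not visible here, so it is worth aligning them as `elif not test or test[0] not in ("n", "N"):`.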
