@@ -103,39 +103,49 @@ def process(match, repl):
103103
104104 return retVal
105105
106- if re . search ( JSON_RECOGNITION_REGEX , conf . data ) :
107- message = "JSON like data found in %s data. " % conf . method
108- message += "Do you want to process it? [Y/n/q] "
106+ if kb . processUserMarks is None :
107+ message = "custom injection marking character ('%s') found in option " % CUSTOM_INJECTION_MARK_CHAR
108+ message += "'--data'. Do you want to process it? [Y/n/q] "
109109 test = readInput (message , default = "Y" )
110110 if test and test [0 ] in ("q" , "Q" ):
111111 raise SqlmapUserQuitException
112- elif test [0 ] not in ("n" , "N" ):
113- conf .data = conf .data .replace (CUSTOM_INJECTION_MARK_CHAR , ASTERISK_MARKER )
114- conf .data = re .sub (r'("(?P<name>[^"]+)"\s*:\s*"[^"]+)"' , functools .partial (process , repl = r'\g<1>%s"' % CUSTOM_INJECTION_MARK_CHAR ), conf .data )
115- conf .data = re .sub (r'("(?P<name>[^"]+)"\s*:\s*)(-?\d[\d\.]*\b)' , functools .partial (process , repl = r'\g<0>%s' % CUSTOM_INJECTION_MARK_CHAR ), conf .data )
116- kb .postHint = POST_HINT .JSON
117-
118- elif re .search (SOAP_RECOGNITION_REGEX , conf .data ):
119- message = "SOAP/XML like data found in %s data. " % conf .method
120- message += "Do you want to process it? [Y/n/q] "
121- test = readInput (message , default = "Y" )
122- if test and test [0 ] in ("q" , "Q" ):
123- raise SqlmapUserQuitException
124- elif test [0 ] not in ("n" , "N" ):
125- conf .data = conf .data .replace (CUSTOM_INJECTION_MARK_CHAR , ASTERISK_MARKER )
126- conf .data = re .sub (r"(<(?P<name>[^>]+)( [^<]*)?>)([^<]+)(</\2)" , functools .partial (process , repl = r"\g<1>\g<4>%s\g<5>" % CUSTOM_INJECTION_MARK_CHAR ), conf .data )
127- kb .postHint = POST_HINT .SOAP if "soap" in conf .data .lower () else POST_HINT .XML
128-
129- elif re .search (MULTIPART_RECOGNITION_REGEX , conf .data ):
130- message = "Multipart like data found in %s data. " % conf .method
131- message += "Do you want to process it? [Y/n/q] "
132- test = readInput (message , default = "Y" )
133- if test and test [0 ] in ("q" , "Q" ):
134- raise SqlmapUserQuitException
135- elif test [0 ] not in ("n" , "N" ):
136- conf .data = conf .data .replace (CUSTOM_INJECTION_MARK_CHAR , ASTERISK_MARKER )
137- conf .data = re .sub (r"(?si)(Content-Disposition.+?)((\r)?\n--)" , r"\g<1>%s\g<2>" % CUSTOM_INJECTION_MARK_CHAR , conf .data )
138- kb .postHint = POST_HINT .MULTIPART
112+ else :
113+ kb .processUserMarks = not test or test [0 ] not in ("n" , "N" )
114+
115+ if not (kb .processUserMarks and CUSTOM_INJECTION_MARK_CHAR in conf .data ):
116+ if re .search (JSON_RECOGNITION_REGEX , conf .data ):
117+ message = "JSON like data found in %s data. " % conf .method
118+ message += "Do you want to process it? [Y/n/q] "
119+ test = readInput (message , default = "Y" )
120+ if test and test [0 ] in ("q" , "Q" ):
121+ raise SqlmapUserQuitException
122+ elif test [0 ] not in ("n" , "N" ):
123+ conf .data = conf .data .replace (CUSTOM_INJECTION_MARK_CHAR , ASTERISK_MARKER )
124+ conf .data = re .sub (r'("(?P<name>[^"]+)"\s*:\s*"[^"]+)"' , functools .partial (process , repl = r'\g<1>%s"' % CUSTOM_INJECTION_MARK_CHAR ), conf .data )
125+ conf .data = re .sub (r'("(?P<name>[^"]+)"\s*:\s*)(-?\d[\d\.]*\b)' , functools .partial (process , repl = r'\g<0>%s' % CUSTOM_INJECTION_MARK_CHAR ), conf .data )
126+ kb .postHint = POST_HINT .JSON
127+
128+ elif re .search (SOAP_RECOGNITION_REGEX , conf .data ):
129+ message = "SOAP/XML like data found in %s data. " % conf .method
130+ message += "Do you want to process it? [Y/n/q] "
131+ test = readInput (message , default = "Y" )
132+ if test and test [0 ] in ("q" , "Q" ):
133+ raise SqlmapUserQuitException
134+ elif test [0 ] not in ("n" , "N" ):
135+ conf .data = conf .data .replace (CUSTOM_INJECTION_MARK_CHAR , ASTERISK_MARKER )
136+ conf .data = re .sub (r"(<(?P<name>[^>]+)( [^<]*)?>)([^<]+)(</\2)" , functools .partial (process , repl = r"\g<1>\g<4>%s\g<5>" % CUSTOM_INJECTION_MARK_CHAR ), conf .data )
137+ kb .postHint = POST_HINT .SOAP if "soap" in conf .data .lower () else POST_HINT .XML
138+
139+ elif re .search (MULTIPART_RECOGNITION_REGEX , conf .data ):
140+ message = "Multipart like data found in %s data. " % conf .method
141+ message += "Do you want to process it? [Y/n/q] "
142+ test = readInput (message , default = "Y" )
143+ if test and test [0 ] in ("q" , "Q" ):
144+ raise SqlmapUserQuitException
145+ elif test [0 ] not in ("n" , "N" ):
146+ conf .data = conf .data .replace (CUSTOM_INJECTION_MARK_CHAR , ASTERISK_MARKER )
147+ conf .data = re .sub (r"(?si)(Content-Disposition.+?)((\r)?\n--)" , r"\g<1>%s\g<2>" % CUSTOM_INJECTION_MARK_CHAR , conf .data )
148+ kb .postHint = POST_HINT .MULTIPART
139149
140150 if not kb .postHint :
141151 if CUSTOM_INJECTION_MARK_CHAR in conf .data : # later processed
0 commit comments