sqlmap/lib/core/target.py

#!/usr/bin/env python

"""
$Id$

This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

sqlmap is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free
Software Foundation version 2 of the License.

sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
details.

You should have received a copy of the GNU General Public License along
with sqlmap; if not, write to the Free Software Foundation, Inc., 51
Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
"""

import codecs
import os
import time

from lib.core.common import dataToSessionFile
from lib.core.common import paramToDict
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import paths
from lib.core.dump import dumper
from lib.core.exception import sqlmapFilePathException
from lib.core.exception import sqlmapGenericException
from lib.core.exception import sqlmapSyntaxException
from lib.core.session import resumeConfKb

def __setRequestParams():
    """
    Check and set the parameters and perform checks on 'data' option for
    HTTP method POST.
    """

    if conf.direct:
        conf.parameters[None] = "direct connection"
        return

    __testableParameters = False

    # Perform checks on GET parameters
    if conf.parameters.has_key("GET") and conf.parameters["GET"]:
        parameters = conf.parameters["GET"]
        __paramDict = paramToDict("GET", parameters)

        if __paramDict:
            conf.paramDict["GET"] = __paramDict
            __testableParameters = True

    # Perform checks on POST parameters
    if conf.method == "POST" and not conf.data:
        errMsg = "HTTP POST method depends on HTTP data value to be posted"
        raise sqlmapSyntaxException, errMsg

    if conf.data:
        conf.parameters["POST"] = conf.data
        __paramDict = paramToDict("POST", conf.data)

        if __paramDict:
            conf.paramDict["POST"] = __paramDict
            __testableParameters = True

        conf.method = "POST"

    # Perform checks on Cookie parameters
    if conf.cookie:
        conf.parameters["Cookie"] = conf.cookie
        __paramDict = paramToDict("Cookie", conf.cookie)

        if __paramDict:
            conf.paramDict["Cookie"] = __paramDict
            __testableParameters = True

    # Perform checks on User-Agent header value
    if conf.httpHeaders:
        for httpHeader, headerValue in conf.httpHeaders:
            if httpHeader == "User-Agent":
                # No need for url encoding/decoding the user agent
                conf.parameters["User-Agent"] = headerValue

                condition  = not conf.testParameter
                condition |= "User-Agent" in conf.testParameter
                condition |= "user-agent" in conf.testParameter
                condition |= "useragent" in conf.testParameter
                condition |= "ua" in conf.testParameter

                if condition:
                    conf.paramDict["User-Agent"] = { "User-Agent": headerValue }
                    __testableParameters = True

    if not conf.parameters:
        errMsg  = "you did not provide any GET, POST and Cookie "
        errMsg += "parameter, neither an User-Agent header"
        raise sqlmapGenericException, errMsg

    elif not __testableParameters:
        errMsg  = "all testable parameters you provided are not present "
        errMsg += "within the GET, POST and Cookie parameters"
        raise sqlmapGenericException, errMsg

def __setOutputResume():
    """
    Check and set the output text file and the resume functionality.
    """

    if not conf.sessionFile:
        conf.sessionFile = "%s%ssession" % (conf.outputPath, os.sep)

    logger.info("using '%s' as session file" % conf.sessionFile)

    if os.path.exists(conf.sessionFile):
        if not conf.flushSession:
            readSessionFP = codecs.open(conf.sessionFile, "r", conf.dataEncoding)
            __url_cache = set()
            __expression_cache = {}

            for line in readSessionFP.readlines(): #xreadlines doesn't return unicode strings when codec.open used
                if line.count("][") == 4:
                    line = line.split("][")

                    if len(line) != 5:
                        continue

                    url, _, _, expression, value = line
    
                    if not value:
                        continue
    
                    if url[0] == "[":
                        url = url[1:]
    
                    value = value.rstrip('\r\n') #strips both chars independently

                    if url not in ( conf.url, conf.hostname ):
                        continue

                    if url not in __url_cache:
                        kb.resumedQueries[url] = {}
                        kb.resumedQueries[url][expression] = value
                        __url_cache.add(url)
                        __expression_cache[url] = set(expression)
    
                    resumeConfKb(expression, url, value)
    
                    if expression not in __expression_cache[url]:
                        kb.resumedQueries[url][expression] = value
                        __expression_cache[url].add(value)
                    elif len(value) >= len(kb.resumedQueries[url][expression]):
                        kb.resumedQueries[url][expression] = value

            readSessionFP.close()
        else:
            try:
                os.remove(conf.sessionFile)
                logger.info("flushing session file")
            except OSError, msg:
                errMsg = "unable to flush the session file (%s)" % msg
                raise sqlmapFilePathException, errMsg

    try:
        conf.sessionFP = codecs.open(conf.sessionFile, "a", conf.dataEncoding)
        dataToSessionFile("\n[%s]\n" % time.strftime("%X %x"))
    except IOError:
        errMsg = "unable to write on the session file specified"
        raise sqlmapFilePathException, errMsg

def __createFilesDir():
    """
    Create the file directory.
    """

    if not conf.rFile:
        return

    conf.filePath = paths.SQLMAP_FILES_PATH % conf.hostname

    if not os.path.isdir(conf.filePath):
        os.makedirs(conf.filePath, 0755)

def __createDumpDir():
    """
    Create the dump directory.
    """

    if not conf.dumpTable and not conf.dumpAll:
        return

    conf.dumpPath = paths.SQLMAP_DUMP_PATH % conf.hostname

    if not os.path.isdir(conf.dumpPath):
        os.makedirs(conf.dumpPath, 0755)

def __createTargetDirs():
    """
    Create the output directory.
    """

    conf.outputPath = "%s%s%s" % (paths.SQLMAP_OUTPUT_PATH, os.sep, conf.hostname)

    if not os.path.isdir(paths.SQLMAP_OUTPUT_PATH):
        os.makedirs(paths.SQLMAP_OUTPUT_PATH, 0755)

    if not os.path.isdir(conf.outputPath):
        os.makedirs(conf.outputPath, 0755)

    dumper.setOutputFile()

    __createDumpDir()
    __createFilesDir()

def initTargetEnv():
    """
    Initialize target environment.
    """

    if conf.multipleTargets:
        if conf.cj:
            conf.cj.clear()

        conf.paramDict    = {}
        conf.parameters   = {}
        conf.sessionFile  = None

        kb.dbms           = None
        kb.dbmsDetected   = False
        kb.dbmsVersion    = [ "Unknown" ]
        kb.injParameter   = None
        kb.injPlace       = None
        kb.injType        = None
        kb.parenthesis    = None
        kb.unionComment   = ""
        kb.unionCount     = None
        kb.unionPosition  = None

def setupTargetEnv():
    __createTargetDirs()
    __setRequestParams()
    __setOutputResume()
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`#!/usr/bin/env python`

			`"""`
propsets.. 2008-10-15 19:56:32 +04:00			$Id$
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`This file is part of the sqlmap project, http://sqlmap.sourceforge.net.`

Updated copyright 2010-03-03 18:26:27 +03:00			`Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`sqlmap is free software; you can redistribute it and/or modify it under`
			`the terms of the GNU General Public License as published by the Free`
			`Software Foundation version 2 of the License.`

			`sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY`
			`WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS`
			`FOR A PARTICULAR PURPOSE. See the GNU General Public License for more`
			`details.`

			`You should have received a copy of the GNU General Public License along`
			`with sqlmap; if not, write to the Free Software Foundation, Inc., 51`
			`Franklin St, Fifth Floor, Boston, MA 02110-1301 USA`
			`"""`

added support for proper unicode session(s) storage/retrieval 2010-05-24 15:00:49 +04:00			`import codecs`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`import os`
			`import time`

			`from lib.core.common import dataToSessionFile`
			`from lib.core.common import paramToDict`
			`from lib.core.data import conf`
			`from lib.core.data import kb`
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring. 2009-09-26 03:03:45 +04:00			`from lib.core.data import logger`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`from lib.core.data import paths`
			`from lib.core.dump import dumper`
			`from lib.core.exception import sqlmapFilePathException`
			`from lib.core.exception import sqlmapGenericException`
			`from lib.core.exception import sqlmapSyntaxException`
			`from lib.core.session import resumeConfKb`

			`def __setRequestParams():`
			`"""`
			`Check and set the parameters and perform checks on 'data' option for`
			`HTTP method POST.`
			`"""`

Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments. 2010-03-27 02:23:25 +03:00			`if conf.direct:`
			`conf.parameters[None] = "direct connection"`
			`return`

After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`__testableParameters = False`

			`# Perform checks on GET parameters`
			`if conf.parameters.has_key("GET") and conf.parameters["GET"]:`
			`parameters = conf.parameters["GET"]`
			`__paramDict = paramToDict("GET", parameters)`

			`if __paramDict:`
			`conf.paramDict["GET"] = __paramDict`
			`__testableParameters = True`

			`# Perform checks on POST parameters`
			`if conf.method == "POST" and not conf.data:`
			`errMsg = "HTTP POST method depends on HTTP data value to be posted"`
			`raise sqlmapSyntaxException, errMsg`

			`if conf.data:`
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup. 2010-01-02 05:02:12 +03:00			`conf.parameters["POST"] = conf.data`
			`__paramDict = paramToDict("POST", conf.data)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`if __paramDict:`
			`conf.paramDict["POST"] = __paramDict`
			`__testableParameters = True`

sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup. 2010-01-02 05:02:12 +03:00			`conf.method = "POST"`

After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`# Perform checks on Cookie parameters`
			`if conf.cookie:`
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup. 2010-01-02 05:02:12 +03:00			`conf.parameters["Cookie"] = conf.cookie`
			`__paramDict = paramToDict("Cookie", conf.cookie)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`if __paramDict:`
			`conf.paramDict["Cookie"] = __paramDict`
			`__testableParameters = True`

			`# Perform checks on User-Agent header value`
			`if conf.httpHeaders:`
			`for httpHeader, headerValue in conf.httpHeaders:`
			`if httpHeader == "User-Agent":`
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup. 2010-01-02 05:02:12 +03:00			`# No need for url encoding/decoding the user agent`
			`conf.parameters["User-Agent"] = headerValue`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`condition = not conf.testParameter`
			`condition \|= "User-Agent" in conf.testParameter`
			`condition \|= "user-agent" in conf.testParameter`
			`condition \|= "useragent" in conf.testParameter`
			`condition \|= "ua" in conf.testParameter`

			`if condition:`
			`conf.paramDict["User-Agent"] = { "User-Agent": headerValue }`
			`__testableParameters = True`

			`if not conf.parameters:`
			`errMsg = "you did not provide any GET, POST and Cookie "`
			`errMsg += "parameter, neither an User-Agent header"`
			`raise sqlmapGenericException, errMsg`

			`elif not __testableParameters:`
			`errMsg = "all testable parameters you provided are not present "`
			`errMsg += "within the GET, POST and Cookie parameters"`
			`raise sqlmapGenericException, errMsg`

			`def __setOutputResume():`
			`"""`
			`Check and set the output text file and the resume functionality.`
			`"""`

Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring. 2009-09-26 03:03:45 +04:00			`if not conf.sessionFile:`
			`conf.sessionFile = "%s%ssession" % (conf.outputPath, os.sep)`

			`logger.info("using '%s' as session file" % conf.sessionFile)`

			`if os.path.exists(conf.sessionFile):`
added new option --flush-session 2010-03-04 16:01:18 +03:00			`if not conf.flushSession:`
code refactoring regarding issue #184 2010-05-24 15:12:40 +04:00			`readSessionFP = codecs.open(conf.sessionFile, "r", conf.dataEncoding)`
speedup of initial session file handling 2010-05-11 17:36:30 +04:00			`__url_cache = set()`
			`__expression_cache = {}`
Added resume functionality to -d and fixed logging with -d 2010-04-12 13:35:20 +04:00
added support for proper unicode session(s) storage/retrieval 2010-05-24 15:00:49 +04:00			`for line in readSessionFP.readlines(): #xreadlines doesn't return unicode strings when codec.open used`
added new option --flush-session 2010-03-04 16:01:18 +03:00			`if line.count("][") == 4:`
			`line = line.split("][")`
Added resume functionality to -d and fixed logging with -d 2010-04-12 13:35:20 +04:00
added new option --flush-session 2010-03-04 16:01:18 +03:00			`if len(line) != 5:`
			`continue`
Added resume functionality to -d and fixed logging with -d 2010-04-12 13:35:20 +04:00
added new option --flush-session 2010-03-04 16:01:18 +03:00			`url, _, _, expression, value = line`

			`if not value:`
			`continue`

			`if url[0] == "[":`
			`url = url[1:]`

fix for that float() report from Shaohua Pan 2010-05-25 00:12:37 +04:00			`value = value.rstrip('\r\n') #strips both chars independently`
Added resume functionality to -d and fixed logging with -d 2010-04-12 13:35:20 +04:00
			`if url not in ( conf.url, conf.hostname ):`
added new option --flush-session 2010-03-04 16:01:18 +03:00			`continue`
Added resume functionality to -d and fixed logging with -d 2010-04-12 13:35:20 +04:00
speedup of initial session file handling 2010-05-11 17:36:30 +04:00			`if url not in __url_cache:`
added new option --flush-session 2010-03-04 16:01:18 +03:00			`kb.resumedQueries[url] = {}`
			`kb.resumedQueries[url][expression] = value`
speedup of initial session file handling 2010-05-11 17:36:30 +04:00			`__url_cache.add(url)`
minor fix 2010-05-11 17:55:30 +04:00			`__expression_cache[url] = set(expression)`
added new option --flush-session 2010-03-04 16:01:18 +03:00
			`resumeConfKb(expression, url, value)`

speedup of initial session file handling 2010-05-11 17:36:30 +04:00			`if expression not in __expression_cache[url]:`
added new option --flush-session 2010-03-04 16:01:18 +03:00			`kb.resumedQueries[url][expression] = value`
speedup of initial session file handling 2010-05-11 17:36:30 +04:00			`__expression_cache[url].add(value)`
added new option --flush-session 2010-03-04 16:01:18 +03:00			`elif len(value) >= len(kb.resumedQueries[url][expression]):`
			`kb.resumedQueries[url][expression] = value`
speedup of initial session file handling 2010-05-11 17:36:30 +04:00
added new option --flush-session 2010-03-04 16:01:18 +03:00			`readSessionFP.close()`
			`else:`
			`try:`
			`os.remove(conf.sessionFile)`
			`logger.info("flushing session file")`
			`except OSError, msg:`
			`errMsg = "unable to flush the session file (%s)" % msg`
			`raise sqlmapFilePathException, errMsg`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring. 2009-09-26 03:03:45 +04:00			`try:`
code refactoring regarding issue #184 2010-05-24 15:12:40 +04:00			`conf.sessionFP = codecs.open(conf.sessionFile, "a", conf.dataEncoding)`
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring. 2009-09-26 03:03:45 +04:00			`dataToSessionFile("\n[%s]\n" % time.strftime("%X %x"))`
			`except IOError:`
			`errMsg = "unable to write on the session file specified"`
			`raise sqlmapFilePathException, errMsg`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`def __createFilesDir():`
			`"""`
			`Create the file directory.`
			`"""`

			`if not conf.rFile:`
			`return`

			`conf.filePath = paths.SQLMAP_FILES_PATH % conf.hostname`

			`if not os.path.isdir(conf.filePath):`
			`os.makedirs(conf.filePath, 0755)`

			`def __createDumpDir():`
			`"""`
			`Create the dump directory.`
			`"""`

			`if not conf.dumpTable and not conf.dumpAll:`
			`return`

			`conf.dumpPath = paths.SQLMAP_DUMP_PATH % conf.hostname`

			`if not os.path.isdir(conf.dumpPath):`
			`os.makedirs(conf.dumpPath, 0755)`

minor cosmetic update 2010-03-15 14:55:13 +03:00			`def __createTargetDirs():`
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring. 2009-09-26 03:03:45 +04:00			`"""`
			`Create the output directory.`
			`"""`

			`conf.outputPath = "%s%s%s" % (paths.SQLMAP_OUTPUT_PATH, os.sep, conf.hostname)`

			`if not os.path.isdir(paths.SQLMAP_OUTPUT_PATH):`
			`os.makedirs(paths.SQLMAP_OUTPUT_PATH, 0755)`

			`if not os.path.isdir(conf.outputPath):`
			`os.makedirs(conf.outputPath, 0755)`

			`dumper.setOutputFile()`

			`__createDumpDir()`
			`__createFilesDir()`

After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`def initTargetEnv():`
			`"""`
			`Initialize target environment.`
			`"""`

Completed support to get the list of targets from WebScarab/Burp proxies log file and updated the documentation 2008-11-28 01:33:33 +03:00			`if conf.multipleTargets:`
Minor code restyling 2010-04-06 14:15:19 +04:00			`if conf.cj:`
fix for that update (conf.cj) problem mentioned by shiftzwei@gmail.com 2010-04-09 14:16:15 +04:00			`conf.cj.clear()`
Minor code restyling 2010-04-06 14:15:19 +04:00
fix for Issue #170 2010-03-15 14:33:34 +03:00			`conf.paramDict = {}`
			`conf.parameters = {}`
Fix for "bug: -g uses wrong session file" 2010-03-15 15:02:04 +03:00			`conf.sessionFile = None`
Minor code restyling 2010-04-06 14:15:19 +04:00
Completed support to get the list of targets from WebScarab/Burp proxies log file and updated the documentation 2008-11-28 01:33:33 +03:00			`kb.dbms = None`
			`kb.dbmsDetected = False`
fix for bug reported by shiftzwei@gmail.com regarding formatDBMSfp with unknown DBMS version 2010-04-09 14:40:08 +04:00			`kb.dbmsVersion = [ "Unknown" ]`
Completed support to get the list of targets from WebScarab/Burp proxies log file and updated the documentation 2008-11-28 01:33:33 +03:00			`kb.injParameter = None`
			`kb.injPlace = None`
			`kb.injType = None`
			`kb.parenthesis = None`
			`kb.unionComment = ""`
			`kb.unionCount = None`
			`kb.unionPosition = None`

fix for Issue #170 2010-03-15 14:33:34 +03:00			`def setupTargetEnv():`
minor cosmetic update 2010-03-15 14:55:13 +03:00			`__createTargetDirs()`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`__setRequestParams()`
			`__setOutputResume()`