From 00f190fc925510a2218128534700575fcaf57c1c Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Fri, 17 Jul 2015 10:14:35 +0200
Subject: [PATCH] Fixes #1303

---
 lib/controller/controller.py | 3 ++
 lib/core/option.py | 1 +
 lib/core/target.py | 80 +++++++++++++++---------------------
 3 files changed, 37 insertions(+), 47 deletions(-)

diff --git a/lib/controller/controller.py b/lib/controller/controller.py
index 90043a5b0..52f2c8c28 100644
--- a/lib/controller/controller.py
+++ b/lib/controller/controller.py
@@ -430,6 +430,9 @@ def start():
 if skip:
 continue
 
+ if kb.testOnlyCustom and place not in (PLACE.URI, PLACE.CUSTOM_POST, PLACE.CUSTOM_HEADER):
+ continue
+
 if place not in conf.paramDict:
 continue
 
diff --git a/lib/core/option.py b/lib/core/option.py
index 33345c57b..75885f878 100644
--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -1864,6 +1864,7 @@ def _setKnowledgeBaseAttributes(flushAll=True):
 kb.technique = None
 kb.tempDir = None
 kb.testMode = False
+ kb.testOnlyCustom = False
 kb.testQueryCount = 0
 kb.testType = None
 kb.threadContinue = True
diff --git a/lib/core/target.py b/lib/core/target.py
index 0fb70769c..442a8cd7a 100644
--- a/lib/core/target.py
+++ b/lib/core/target.py
@@ -80,7 +80,6 @@ def _setRequestParams():
 return
 
 testableParameters = False
- skipHeaders = False
 
 # Perform checks on GET parameters
 if conf.parameters.get(PLACE.GET):
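Review bot: In the lib/controller/controller.py hunk, the added `kb.testOnlyCustom` check is now the only thing confining testing to the user-marked injection points, because this commit stops clearing `conf.parameters` and `conf.paramDict` in `_setRequestParams()`. Any other code that iterates those dictionaries (none is visible in this patch) would now also see the GET, Cookie and header places, so it is worth confirming that no such path sends test requests to parameters the operator did not mark. The inline tuple would be easier to keep in sync as a named constant with a comment such as `# user-marked places; the only ones tested when kb.testOnlyCustom is set`. The body of start() continues outside the hunk.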
@@ -125,16 +124,7 @@ def _setRequestParams():
 kb.processUserMarks = not test or test[0] not in ("n", "N")
 
 if kb.processUserMarks:
- skipHeaders = True
-
- conf.parameters.clear()
- conf.paramDict.clear()
-
- if "=%s" % CUSTOM_INJECTION_MARK_CHAR in conf.data:
- warnMsg = "it seems that you've provided empty parameter value(s) "
- warnMsg += "for testing. Please, always use only valid parameter values "
- warnMsg += "so sqlmap could be able to run properly"
- logger.warn(warnMsg)
+ kb.testOnlyCustom = True
 
 if not (kb.processUserMarks and CUSTOM_INJECTION_MARK_CHAR in conf.data):
 if re.search(JSON_RECOGNITION_REGEX, conf.data):
@@ -249,10 +239,7 @@ def _setRequestParams():
 kb.processUserMarks = not test or test[0] not in ("n", "N")
 
 if kb.processUserMarks:
- skipHeaders = True
-
- conf.parameters.clear()
- conf.paramDict.clear()
+ kb.testOnlyCustom = True
 
 if "=%s" % CUSTOM_INJECTION_MARK_CHAR in _:
 warnMsg = "it seems that you've provided empty parameter value(s) "
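Review bot: The empty-value warning guarded by `if "=%s" % CUSTOM_INJECTION_MARK_CHAR in conf.data:` is deleted from the @@ -125 hunk together with the two clear() calls, while the equivalent check on `_` stays as context in the @@ -249 hunk. The condition enclosing that later check lies outside both hunks, so it is not clear from here that it still runs for `conf.data` once `kb.processUserMarks` has already been set; if it does not, a user who marks an empty POST value loses the hint. Either keep the warning in the first block or add a comment there, for example `# empty-value warning is issued by the custom-mark loop below`.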
@@ -317,50 +304,49 @@ def _setRequestParams():
 if conf.get(item):
 conf[item] = conf[item].replace(CUSTOM_INJECTION_MARK_CHAR, "")
 
- if not skipHeaders:
- # Perform checks on Cookie parameters
- if conf.cookie:
- conf.parameters[PLACE.COOKIE] = conf.cookie
- paramDict = paramToDict(PLACE.COOKIE, conf.cookie)
+ # Perform checks on Cookie parameters
+ if conf.cookie:
+ conf.parameters[PLACE.COOKIE] = conf.cookie
+ paramDict = paramToDict(PLACE.COOKIE, conf.cookie)
 
- if paramDict:
- conf.paramDict[PLACE.COOKIE] = paramDict
- testableParameters = True
+ if paramDict:
+ conf.paramDict[PLACE.COOKIE] = paramDict
+ testableParameters = True
 
- # Perform checks on header values
- if conf.httpHeaders:
- for httpHeader, headerValue in conf.httpHeaders:
- # Url encoding of the header values should be avoided
- # Reference: http://stackoverflow.com/questions/5085904/is-ok-to-urlencode-the-value-in-headerlocation-value
+ # Perform checks on header values
+ if conf.httpHeaders:
+ for httpHeader, headerValue in conf.httpHeaders:
+ # Url encoding of the header values should be avoided
+ # Reference: http://stackoverflow.com/questions/5085904/is-ok-to-urlencode-the-value-in-headerlocation-value
 
- httpHeader = httpHeader.title()
+ httpHeader = httpHeader.title()
 
- if httpHeader == HTTP_HEADER.USER_AGENT:
- conf.parameters[PLACE.USER_AGENT] = urldecode(headerValue)
+ if httpHeader == HTTP_HEADER.USER_AGENT:
+ conf.parameters[PLACE.USER_AGENT] = urldecode(headerValue)
 
- condition = any((not conf.testParameter, intersect(conf.testParameter, USER_AGENT_ALIASES)))
+ condition = any((not conf.testParameter, intersect(conf.testParameter, USER_AGENT_ALIASES)))
 
- if condition:
- conf.paramDict[PLACE.USER_AGENT] = {PLACE.USER_AGENT: headerValue}
- testableParameters = True
+ if condition:
+ conf.paramDict[PLACE.USER_AGENT] = {PLACE.USER_AGENT: headerValue}
+ testableParameters = True
 
- elif httpHeader == HTTP_HEADER.REFERER:
- conf.parameters[PLACE.REFERER] = urldecode(headerValue)
+ elif httpHeader == HTTP_HEADER.REFERER:
+ conf.parameters[PLACE.REFERER] = urldecode(headerValue)
 
- condition = any((not conf.testParameter, intersect(conf.testParameter, REFERER_ALIASES)))
+ condition = any((not conf.testParameter, intersect(conf.testParameter, REFERER_ALIASES)))
 
- if condition:
- conf.paramDict[PLACE.REFERER] = {PLACE.REFERER: headerValue}
- testableParameters = True
+ if condition:
+ conf.paramDict[PLACE.REFERER] = {PLACE.REFERER: headerValue}
+ testableParameters = True
 
- elif httpHeader == HTTP_HEADER.HOST:
- conf.parameters[PLACE.HOST] = urldecode(headerValue)
+ elif httpHeader == HTTP_HEADER.HOST:
+ conf.parameters[PLACE.HOST] = urldecode(headerValue)
 
- condition = any((not conf.testParameter, intersect(conf.testParameter, HOST_ALIASES)))
+ condition = any((not conf.testParameter, intersect(conf.testParameter, HOST_ALIASES)))
 
- if condition:
- conf.paramDict[PLACE.HOST] = {PLACE.HOST: headerValue}
- testableParameters = True
+ if condition:
+ conf.paramDict[PLACE.HOST] = {PLACE.HOST: headerValue}
+ testableParameters = True
 
 if not conf.parameters:
 errMsg = "you did not provide any GET, POST and Cookie "
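Review bot: With the `if not skipHeaders:` guard removed, the Cookie and header blocks always fill `conf.parameters` / `conf.paramDict` and set `testableParameters = True`, even when only user-marked points are meant to be tested, and nothing in this hunk says the filtering now happens elsewhere. A short comment above the Cookie block would make that explicit, e.g. `# NOTE: always collected; when kb.testOnlyCustom is set, controller.start() skips these places`. Because a cookie or header alone can now set `testableParameters` in that mode, please also confirm that the later "no testable parameters" check, which lies outside this hunk, still behaves as intended when user marks are processed.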