diff --git a/lib/controller/checks.py b/lib/controller/checks.py
index 49b972b30..fa0f7ba7f 100644
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -166,10 +166,6 @@ def checkSqlInjection(place, parameter, value):
 continue
-# Force back-end DBMS according to the current
-# test value for proper payload unescaping
-Backend.forceDbms(dbms)
-
 # Skip test if it does not match the same SQL injection clause
 # already identified by another test
 clauseMatch = False
@@ -196,9 +192,13 @@ def checkSqlInjection(place, parameter, value):
 infoMsg = "testing '%s'" % title
 logger.info(infoMsg)
+# Force back-end DBMS according to the current
+# test value for proper payload unescaping
+Backend.forceDbms(dbms)
+
 # Parse test's
 comment = agent.getComment(test.request)
-fstPayload = agent.cleanupPayload(test.request.payload, value)
+fstPayload = agent.cleanupPayload(test.request.payload, origValue=value)
 for boundary in conf.boundaries:
 injectable = False
@@ -279,11 +279,11 @@ def checkSqlInjection(place, parameter, value):
 # payload was successful
 # Parse test's
 for method, check in test.response.items():
-check = agent.cleanupPayload(check, value)
+check = agent.cleanupPayload(check, origValue=value)
 # In case of boolean-based blind SQL injection
 if method == PAYLOAD.METHOD.COMPARISON:
-sndPayload = agent.cleanupPayload(test.response.comparison, value)
+sndPayload = agent.cleanupPayload(test.response.comparison, origValue=value)
 # Forge response payload by prepending with
 # boundary's prefix and appending the boundary's
diff --git a/lib/core/agent.py b/lib/core/agent.py
index 1be719e63..48652c36c 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -139,6 +139,7 @@ class Agent:
 if conf.direct:
 return self.payloadDirect(expression)
+expression = self.cleanupPayload(expression)
 expression = unescaper.unescape(expression)
 query = None
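Review bot: The comment that travels with `Backend.forceDbms(dbms)` still says only "for proper payload unescaping" and does not record why the call now sits after the clause/risk skip checks and the "testing" log line instead of before them (the first hunk of this file removes it, the second re-adds it). Presumably the intent is that a test which ends up skipped must not leave its DBMS forced for whatever is unescaped next; if so, say it on the spot: `# Force the DBMS only for tests that actually run, so a skipped test does not leave its DBMS forced for later unescaping`. The three call sites in this file now use the `origValue=` keyword; any caller outside this diff still spelling it `origvalue=` would fail at call time, which cannot be checked from here. checkSqlInjection's body continues on both sides of every hunk.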
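Review bot: In `payload()` the new `expression = self.cleanupPayload(expression)` now runs before `unescaper.unescape(expression)`, whereas the call it replaces (removed in the `-167` hunk) cleaned the fully assembled query after unescaping, so the text substituted for tokens such as `[SLEEPTIME]` and `[INFERENCE]` now passes through the unescaper as well; the `-180` hunk makes the same reordering in the sibling method. That looks deliberate but is not stated anywhere, and a one-line comment would keep the next maintainer from "fixing" the order back: `# expand [..] placeholders first so the substituted text is unescaped like the rest of the expression`. This call passes no origValue, so an `[ORIGVALUE]` token in expression survives here, which matches the old behaviour. The enclosing method continues past the hunk.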
@@ -167,7 +168,6 @@ class Agent:
 query += " "
 query = "%s%s" % (query, expression)
-query = self.cleanupPayload(query)
 return query
@@ -180,6 +180,7 @@ class Agent:
 if conf.direct:
 return self.payloadDirect(expression)
+expression = self.cleanupPayload(expression)
 expression = unescaper.unescape(expression)
 if comment is not None:
@@ -198,11 +199,9 @@ class Agent:
 elif suffix is not None:
 expression += " %s" % suffix
-expression = self.cleanupPayload(expression)
-
 return expression.rstrip()
-def cleanupPayload(self, payload, origvalue=None, query=None):
+def cleanupPayload(self, payload, origValue=None):
 if payload is None:
 return
@@ -220,11 +219,8 @@ class Agent:
 payload = payload.replace("[SPACE_REPLACE]", kb.misc.space)
 payload = payload.replace("[SLEEPTIME]", str(conf.timeSec))
-if query is not None:
-payload = payload.replace("[QUERY]", query.lstrip())
-
-if origvalue is not None:
-payload = payload.replace("[ORIGVALUE]", origvalue)
+if origValue is not None:
+payload = payload.replace("[ORIGVALUE]", origValue)
 if "[INFERENCE]" in payload:
 if Backend.getIdentifiedDbms() is not None:
diff --git a/lib/techniques/error/use.py b/lib/techniques/error/use.py
index 5fc54d373..7ecfa7a6b 100644
--- a/lib/techniques/error/use.py
+++ b/lib/techniques/error/use.py
@@ -47,7 +47,7 @@ def __oneShotErrorUse(expression, field):
 nulledCastedField = nulledCastedField.replace("AS CHAR)", "AS CHAR(%d))" % MYSQL_ERROR_TRIM_LENGTH)
 # Forge the error-based SQL injection request
-vector = agent.cleanupPayload(kb.injection.data[PAYLOAD.TECHNIQUE.ERROR].vector)
+vector = kb.injection.data[PAYLOAD.TECHNIQUE.ERROR].vector
 query = agent.prefixQuery(vector)
 query = agent.suffixQuery(query)
 injExpression = expression.replace(field, nulledCastedField, 1)
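Review bot: `cleanupPayload` silently drops the `query` parameter together with the `[QUERY]` substitution (the `-198` hunk changes the signature, the `-220` hunk removes the replace), so any payload template that still contains a `[QUERY]` token will from now on be emitted with that literal text, and a caller still passing `query=` or `origvalue=` by keyword raises `TypeError`; neither the templates nor callers outside this diff are visible, so both deserve a grep before merge. The method also has no docstring; I would add one stating that it returns `None` when `payload` is `None` (the bare `return`), listing the tokens it expands as far as this hunk shows them (`[SPACE_REPLACE]`, `[SLEEPTIME]`, `[ORIGVALUE]`, `[INFERENCE]`) and noting that `[ORIGVALUE]` is only substituted when `origValue` is not `None`. `payload.replace("[ORIGVALUE]", origValue)` still raises `TypeError` for a non-string `origValue`, as before; that is fine as a documented contract but should be stated rather than discovered. Both hunks cut `cleanupPayload` mid-body.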
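Review bot: `vector` is now handed to `agent.prefixQuery` without the explicit `cleanupPayload` call, so expansion of the `[..]` tokens in the stored error-based vector now depends on `prefixQuery`/`suffixQuery` (or a later `agent.payload` call) performing it; this diff alone does not show that they do, and if they bypass `payload()` the placeholders would be left unexpanded in the forged request. A short comment on the new line would record the dependency for the reader: `# placeholders in the stored vector are expanded by agent.payload(), not here`. `__oneShotErrorUse` continues beyond the hunk on both sides.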