From 0f4272fabe241563ad563bab06d7971de65e3497 Mon Sep 17 00:00:00 2001 From: Dirk Date: Mon, 17 Jul 2017 18:54:03 +0200 Subject: [PATCH] Add --ignore-400 I encountered a situation where the console - I am running usally at debug level 2 or 3 is flooded with HTTP 400 (which are kind of annoying): ``` [15:02:41] [DEBUG] got HTTP error code: 400 (Bad Request) [15:02:41] [DEBUG] got HTTP error code: 400 (Bad Request) [15:02:42] [DEBUG] got HTTP error code: 400 (Bad Request) [15:02:42] [DEBUG] got HTTP error code: 400 (Bad Request) [15:02:42] [DEBUG] got HTTP error code: 400 (Bad Request) [15:02:43] [DEBUG] got HTTP error code: 400 (Bad Request) [15:02:43] [DEBUG] got HTTP error code: 400 (Bad Request) [15:02:44] [DEBUG] got HTTP error code: 400 (Bad Request) [15:02:44] [DEBUG] got HTTP error code: 400 (Bad Request) [15:02:44] [DEBUG] got HTTP error code: 400 (Bad Request) [15:02:45] [DEBUG] got HTTP error code: 400 (Bad Request) [15:02:45] [DEBUG] got HTTP error code: 400 (Bad Request) [15:02:46] [DEBUG] got HTTP error code: 400 (Bad Request) [15:02:46] [DEBUG] got HTTP error code: 400 (Bad Request) [15:02:46] [DEBUG] got HTTP error code: 400 (Bad Request) [15:02:47] [DEBUG] got HTTP error code: 400 (Bad Request) [15:02:47] [DEBUG] got HTTP error code: 400 (Bad Request) [15:02:48] [DEBUG] got HTTP error code: 400 (Bad Request) [15:02:52] [DEBUG] got HTTP error code: 400 (Bad Request) ``` as this is triggered by almost every request. This is a workaround for the above scenario so that on the console I see only what I wanted to, like: ``` [18:51:18] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (Generic comment)' [18:51:41] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (Generic comment) (NOT)' [18:52:06] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL)' [18:52:06] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL) (original value)' [18:52:07] [INFO] testing 'Boolean-based blind - Parameter replace (CASE)' [18:52:08] [INFO] testing 'Boolean-based blind - Parameter replace (CASE) (original value)' [18:52:08] [INFO] testing 'Oracle AND boolean-based blind - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)' [18:52:34] [INFO] testing 'Oracle OR boolean-based blind - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)' [18:52:57] [INFO] testing 'Oracle boolean-based blind - Parameter replace' [18:52:57] [INFO] testing 'Oracle boolean-based blind - Parameter replace (original value)' [18:52:58] [INFO] testing 'Oracle boolean-based blind - ORDER BY, GROUP BY clause' [18:52:59] [INFO] testing 'Oracle boolean-based blind - ORDER BY, GROUP BY clause (original value)' [18:53:00] [INFO] testing 'Oracle boolean-based blind - Stacked queries' [18:53:23] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)' [18:53:41] [INFO] testing 'Oracle OR error-based - WHERE or HAVING clause (XMLType)' [18:53:57] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)' [18:54:13] [INFO] testing 'Oracle OR error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)' [18:54:26] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)' [18:54:43] [INFO] testing 'Oracle OR error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)' [18:54:57] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (DBMS_UTILITY.SQLID_TO_SQLHASH)' [18:55:13] [INFO] testing 'Oracle OR error-based - WHERE or HAVING clause (DBMS_UTILITY.SQLID_TO_SQLHASH)' [18:55:27] [INFO] testing 'Oracle error-based - Parameter replace' [18:55:27] [INFO] testing 'Oracle error-based - ORDER BY, GROUP BY clause' ``` Admittedly this is may seem a bit hackish as it only addresses HTTP 400 and doesn't cover other app specific errors which can happen in other scenarios. It could also be that ``--suppress-400`` would sound better as it would describe better what it does but as there's ``--ignore-401`` so I settled for ``--ignore-400``. --- lib/parse/cmdline.py | 3 +++ lib/request/connect.py | 5 +++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/lib/parse/cmdline.py b/lib/parse/cmdline.py index 218f80fd2..5d920efb5 100644 --- a/lib/parse/cmdline.py +++ b/lib/parse/cmdline.py @@ -150,6 +150,9 @@ def cmdLineParser(argv=None): request.add_option("--auth-file", dest="authFile", help="HTTP authentication PEM cert/private key file") + request.add_option("--ignore-400", dest="ignore400", action="store_true", + help="Suppress HTTP Error 400 (Bad Request)") + request.add_option("--ignore-401", dest="ignore401", action="store_true", help="Ignore HTTP Error 401 (Unauthorized)") diff --git a/lib/request/connect.py b/lib/request/connect.py index 23b6b44ab..e73839e73 100644 --- a/lib/request/connect.py +++ b/lib/request/connect.py @@ -619,8 +619,9 @@ class Connect(object): else: raise SqlmapConnectionException(warnMsg) else: - debugMsg = "got HTTP error code: %d (%s)" % (code, status) - logger.debug(debugMsg) + if ex.code == httplib.BAD_REQUEST and not conf.ignore400: + debugMsg = "got HTTP error code: %d (%s)" % (code, status) + logger.debug(debugMsg) except (urllib2.URLError, socket.error, socket.timeout, httplib.HTTPException, struct.error, binascii.Error, ProxyError, SqlmapCompressionException, WebSocketException, TypeError, ValueError): tbMsg = traceback.format_exc()