mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2024-11-25 11:03:47 +03:00
unfix
This commit is contained in:
Miroslav Stampar
parent
6b66fce72c
commit
120b0d756e
|
|
@ -80,7 +80,6 @@ def checkSqlInjection(place, parameter, value):
|
|||
if kb.endDetection:
|
||||
break
|
||||
|
||||
proceed = True
|
||||
title = test.title
|
||||
stype = test.stype
|
||||
clause = test.clause
|
||||
|
|
@ -103,6 +102,7 @@ def checkSqlInjection(place, parameter, value):
|
|||
else:
|
||||
title = title.replace("[COLSTART]", str(conf.uColsStart))
|
||||
title = title.replace("[COLSTOP]", str(conf.uColsStop))
|
||||
|
||||
elif conf.uCols is not None:
|
||||
debugMsg = "skipping test '%s' because the user " % title
|
||||
debugMsg += "provided custom column range %s" % conf.uCols
|
||||
|
|
@ -211,17 +211,6 @@ def checkSqlInjection(place, parameter, value):
|
|||
logger.debug(debugMsg)
|
||||
continue
|
||||
|
||||
if len(kb.tested) > 0 and stype in kb.tested:
|
||||
debugMsg = "skipping test '%s' because this " % title
|
||||
debugMsg += "technique has already been detected "
|
||||
debugMsg += "in a previous run"
|
||||
logger.debug(debugMsg)
|
||||
|
||||
proceed = False
|
||||
|
||||
if not proceed:
|
||||
continue
|
||||
|
||||
infoMsg = "testing '%s'" % title
|
||||
logger.info(infoMsg)
|
||||
|
||||
|
|
|
|||
|
|
@ -43,7 +43,6 @@ from lib.core.exception import sqlmapSilentQuitException
|
|||
from lib.core.exception import sqlmapValueException
|
||||
from lib.core.exception import sqlmapUserQuitException
|
||||
from lib.core.session import setInjection
|
||||
from lib.core.session import setTestedTechniques
|
||||
from lib.core.settings import EMPTY_FORM_FIELDS_REGEX
|
||||
from lib.core.settings import IGNORE_PARAMETERS
|
||||
from lib.core.settings import REFERER_ALIASES
|
||||
|
|
@ -198,7 +197,6 @@ def start():
|
|||
initTargetEnv()
|
||||
parseTargetUrl()
|
||||
|
||||
proceed = False
|
||||
testSqlInj = False
|
||||
|
||||
if PLACE.GET in conf.parameters:
|
||||
|
|
@ -319,15 +317,9 @@ def start():
|
|||
# TODO: consider the following line in __setRequestParams()
|
||||
# __testableParameters = True
|
||||
|
||||
if len(kb.tested) > 0:
|
||||
for t in conf.tech:
|
||||
if t not in kb.tested:
|
||||
proceed = True
|
||||
break
|
||||
else:
|
||||
proceed = True
|
||||
if (len(kb.injections) == 0 or (len(kb.injections) == 1 and kb.injections[0].place is None)) \
|
||||
and (kb.injection.place is None or kb.injection.parameter is None):
|
||||
|
||||
if proceed:
|
||||
if not conf.string and not conf.regexp:
|
||||
# NOTE: this is not needed anymore, leaving only to display
|
||||
# a warning message to the user in case the page is not stable
|
||||
|
|
@ -435,8 +427,6 @@ def start():
|
|||
warnMsg += "injectable"
|
||||
logger.warn(warnMsg)
|
||||
|
||||
setTestedTechniques()
|
||||
|
||||
if len(kb.injections) == 0 or (len(kb.injections) == 1 and kb.injections[0].place is None):
|
||||
if not conf.realTest:
|
||||
errMsg = "all parameters are not injectable."
|
||||
|
|
@ -457,8 +447,8 @@ def start():
|
|||
|
||||
if not conf.string and not conf.regexp:
|
||||
errMsg += " Rerun by providing either a valid --string "
|
||||
errMsg += "or a valid --regexp (refer to the user's "
|
||||
errMsg += "manual for details)"
|
||||
errMsg += "or a valid --regexp, refer to the user's "
|
||||
errMsg += "manual for details"
|
||||
elif conf.string:
|
||||
errMsg += " Rerun by providing a valid --string, perhaps "
|
||||
errMsg += "the string that you have choosen does not match "
|
||||
|
|
|
|||
|
|
@ -41,23 +41,6 @@ def unSafeFormatString(value):
|
|||
retVal = retVal.replace("__LEFT_SQUARE_BRACKET__", "[").replace("__RIGHT_SQUARE_BRACKET__", "]")
|
||||
return retVal
|
||||
|
||||
def setTestedTechniques():
|
||||
"""
|
||||
Save information retrieved about dynamic markings to the
|
||||
session file.
|
||||
"""
|
||||
|
||||
condition = (
|
||||
( not kb.resumedQueries
|
||||
or ( kb.resumedQueries.has_key(conf.url) and
|
||||
not kb.resumedQueries[conf.url].has_key("Tested techniques")) )
|
||||
or ( kb.resumedQueries[conf.url].has_key("Tested techniques")
|
||||
and base64unpickle(kb.resumedQueries[conf.url]["Tested techniques"][:-1]) != conf.tech
|
||||
) )
|
||||
|
||||
if condition:
|
||||
dataToSessionFile("[%s][%s][%s][Tested techniques][%s]\n" % (conf.url, None, None, base64pickle(conf.tech)))
|
||||
|
||||
def setInjection(inj):
|
||||
"""
|
||||
Save information retrieved about injection place and parameter in the
|
||||
|
|
@ -68,9 +51,9 @@ def setInjection(inj):
|
|||
or ( kb.resumedQueries.has_key(conf.url) and
|
||||
not kb.resumedQueries[conf.url].has_key("Injection data"))
|
||||
or ( kb.resumedQueries[conf.url].has_key("Injection data")
|
||||
and intersect(base64unpickle(kb.resumedQueries[conf.url]["Injection data"][:-1]).data.keys(), \
|
||||
and intersect(base64unpickle(kb.resumedQueries[conf.url]["Injection data"][:-1]).data.keys(),\
|
||||
inj.data.keys()) != inj.data.keys()
|
||||
) )
|
||||
) )
|
||||
|
||||
if condition:
|
||||
dataToSessionFile("[%s][%s][%s][Injection data][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), base64pickle(inj)))
|
||||
|
|
@ -182,40 +165,21 @@ def setXpCmdshellAvailability(available):
|
|||
dataToSessionFile("[%s][%s][%s][xp_cmdshell availability][%s]\n" % (conf.url, kb.injection.place, safeFormatString(conf.parameters[kb.injection.place]), str(available).lower()))
|
||||
|
||||
def resumeConfKb(expression, url, value):
|
||||
if expression == "Tested techniques" and url == conf.url:
|
||||
kb.tested.extend(base64unpickle(value[:-1]))
|
||||
kb.tested = list(set(kb.tested))
|
||||
kb.tested.sort()
|
||||
|
||||
elif expression == "Injection data" and url == conf.url:
|
||||
if expression == "Injection data" and url == conf.url:
|
||||
injection = base64unpickle(value[:-1])
|
||||
|
||||
infoMsg = "resuming injection data from session file"
|
||||
logger.info(infoMsg)
|
||||
|
||||
if injection.place in conf.paramDict and \
|
||||
injection.parameter in conf.paramDict[injection.place]:
|
||||
|
||||
if not conf.tech or intersect(conf.tech, injection.data.keys()):
|
||||
# Strip not required techniques (--technique switch)
|
||||
if intersect(conf.tech, injection.data.keys()):
|
||||
injection.data = dict(filter(lambda (key, item): key in conf.tech, injection.data.items()))
|
||||
|
||||
infoMsg = "resuming injection data for technique%s " % ("s" if len(injection.data.keys()) > 1 else "")
|
||||
infoMsg += "%s " % " & ".join([PAYLOAD.SQLINJECTION[k] for k in injection.data.keys()])
|
||||
infoMsg += "from session file"
|
||||
logger.info(infoMsg)
|
||||
|
||||
if len(kb.injections) == 0:
|
||||
if injection not in kb.injections:
|
||||
kb.injections.append(injection)
|
||||
else:
|
||||
for resumedInj in kb.injections:
|
||||
for inj, data in injection.data.items():
|
||||
if inj not in resumedInj.data:
|
||||
kb.injections[kb.injections.index(resumedInj)].data[inj] = data
|
||||
else:
|
||||
warnMsg = "not resuming injection data for technique%s " % ("s" if len(injection.data.keys()) > 1 else "")
|
||||
warnMsg += "%s " % " & ".join([PAYLOAD.SQLINJECTION[k] for k in injection.data.keys()])
|
||||
warnMsg += "from session file because you provided "
|
||||
warnMsg += "different technique(s) to be tested on this run"
|
||||
logger.warn(warnMsg)
|
||||
else:
|
||||
warnMsg = "there is an injection in %s parameter '%s' " % (injection.place, injection.parameter)
|
||||
warnMsg += "but you did not provided it this time"
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user