removing that boring message "reflective value found and filtered out" for headers case (we always include Uri header)

2024-11-22 09:36:35 +03:00 · 2011-03-29 20:45:21 +00:00 · 2011-03-29 20:45:21 +00:00 · 12f3024c8a
commit 12f3024c8a
parent 9f707febf5
3 changed files with 6 additions and 7 deletions
--- a/lib/core/common.py
+++ b/lib/core/common.py
@ -2411,7 +2411,7 @@ def cpuThrottle(value):
    delay = 0.00001 * (value ** 2)
    time.sleep(delay)

-def removeReflectiveValues(content, payload):
+def removeReflectiveValues(content, payload, suppressWarning=False):
    """
    Neutralizes (static/marked) reflective values in a given content based on a payload
    (e.g. ?search=sql injection ---> ...value="sql%20injection")
@ -2429,7 +2429,7 @@ def removeReflectiveValues(content, payload):

        retVal = re.sub(regex, REFLECTED_VALUE_MARKER, content, re.I)

-        if retVal != content:
+        if retVal != content and not suppressWarning:
            debugMsg = "reflective value found and filtered out"
            logger.debug(debugMsg)

--- a/lib/techniques/inband/union/test.py
+++ b/lib/techniques/inband/union/test.py
@ -124,10 +124,9 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, count, whe

        # Perform the request
        page, headers = Request.queryPage(payload, place=place, content=True, raise404=False)
-        content = "%s%s".lower() % (page or "", listToStrValue(headers.headers if headers else None) or "")
-
-        # Remove possible reflective values from content (especially headers part)
-        content = removeReflectiveValues(content, payload)
+        content = "%s%s".lower() % (removeReflectiveValues(page, payload) or "", \
+            removeReflectiveValues(listToStrValue(headers.headers if headers else None), \
+            payload, True) or "")

        if content and phrase in content:
            validPayload = payload
--- a/lib/techniques/inband/union/use.py
+++ b/lib/techniques/inband/union/use.py
@ -65,7 +65,7 @@ def __oneShotUnionUse(expression, unpack=True):
    # sql injection output
    output = extractRegexResult(check, removeReflectiveValues(page, payload), re.DOTALL | re.IGNORECASE) \
            or extractRegexResult(check, removeReflectiveValues(listToStrValue(headers.headers \
-            if headers else None), payload), re.DOTALL | re.IGNORECASE)
+            if headers else None), payload, True), re.DOTALL | re.IGNORECASE)

    if output:
        output = getUnicode(output, kb.pageEncoding)