Major bug fix in the comparison algorithm to correctly handle also the

case that the url is stable and the False response changes the page content very little.
2024-11-22 09:36:35 +03:00 · 2009-02-09 10:28:03 +00:00 · 2009-02-09 10:28:03 +00:00 · 207e96e2b2
commit 207e96e2b2
parent c405fb51ab
6 changed files with 55 additions and 14 deletions
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@ -1,3 +1,11 @@
+sqlmap (0.6.5-1) stable; urgency=low
+
+  * Major bug fix in the comparison algorithm to correctly handle also the
+    case that the url is stable and the False response changes the page
+    content very little.
+
+ -- Bernardo Damele A. G. <bernardo.damele@gmail.com>  Day, DD MMM 2009 HH:MM:SS +0000
+
 sqlmap (0.6.4-1) stable; urgency=low

  * Major enhancement to make the comparison algorithm work properly also
--- a/doc/THANKS
+++ b/doc/THANKS
@ -58,6 +58,9 @@ Luke Jahnke <luke.jahnke@gmail.com>
 Anant Kochhar <anant.kochhar@secureyes.net>
    for providing me with feedback on the user's manual

+Alexander Kornbrust <ak@red-database-security.com>
+    for reporting a bug
+
 Nico Leidecker <nico@leidecker.info>
    for providing me with feedback on a few features

--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@ -31,6 +31,7 @@ from lib.controller.action import action
 from lib.core.agent import agent
 from lib.core.common import randomInt
 from lib.core.common import randomStr
+from lib.core.convert import md5hash
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
@ -296,12 +297,17 @@ def checkStability():

    firstPage, firstHeaders = Request.queryPage(content=True)
    time.sleep(1)
-
    secondPage, secondHeaders = Request.queryPage(content=True)

    condition = firstPage == secondPage

-    if condition == False:
+    if condition == True:
+        conf.md5hash = md5hash(firstPage)
+
+        logMsg  = "url is stable"
+        logger.info(logMsg)
+
+    elif condition == False:
        warnMsg  = "url is not stable, sqlmap will base the page "
        warnMsg += "comparison on a sequence matcher, if no dynamic nor "
        warnMsg += "injectable parameters are detected, refer to user's "
@ -309,10 +315,6 @@ def checkStability():
        warnMsg += "string or regular expression to match on"
        logger.warn(warnMsg)

-    if condition == True:
-        logMsg = "url is stable"
-        logger.info(logMsg)
-
    return condition


--- a/lib/core/option.py
+++ b/lib/core/option.py
@ -600,6 +600,7 @@ def __setConfAttributes():
    conf.httpHeaders     = []
    conf.hostname        = None
    conf.loggedToOut     = None
+    conf.md5hash         = None
    conf.multipleTargets = False
    conf.outputPath      = None
    conf.paramDict       = {}
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@ -30,7 +30,7 @@ import sys


 # sqlmap version and site
-VERSION            = "0.6.4"
+VERSION            = "0.6.5-rc1"
 VERSION_STRING     = "sqlmap/%s" % VERSION
 SITE               = "http://sqlmap.sourceforge.net"

@ -64,15 +64,18 @@ PGSQL_ALIASES     = [ "postgresql", "postgres", "pgsql", "psql", "pg" ]
 ORACLE_ALIASES    = [ "oracle", "orcl", "ora", "or" ]

 SUPPORTED_DBMS    = MSSQL_ALIASES + MYSQL_ALIASES + PGSQL_ALIASES + ORACLE_ALIASES
+SUPPORTED_OS      = ( "linux", "windows" )

 # TODO: port to command line/configuration file options?
 SECONDS           = 5
 RETRIES           = 3
-MATCH_RATIO       = 0.9
+
+MATCH_RATIO       = None

 SQL_STATEMENTS    = {
                      "SQL SELECT statement":  (
                             "select ",
+                             "show ",
                             " top ",
                             " from ",
                             " from dual",
--- a/lib/request/comparison.py
+++ b/lib/request/comparison.py
@ -26,11 +26,16 @@ Franklin St, Fifth Floor, Boston, MA  02110-1301  USA

 import re

+from lib.core.convert import md5hash
 from lib.core.data import conf
-from lib.core.settings import MATCH_RATIO
+from lib.core.data import logger
+#from lib.core.settings import MATCH_RATIO

+MATCH_RATIO = None

 def comparison(page, headers=None, getSeqMatcher=False):
+    global MATCH_RATIO
+
    regExpResults = None

    # String to be excluded before calculating page hash
@ -67,15 +72,34 @@ def comparison(page, headers=None, getSeqMatcher=False):
        else:
            return False

-    # By default it returns sequence matcher between the first untouched
-    # HTTP response page content and this content
    conf.seqMatcher.set_seq2(page)
+    ratio = round(conf.seqMatcher.ratio(), 3)

+    # If the url is stable and we did not set yet the match ratio and the
+    # current injected value changes the url page content
+    if MATCH_RATIO == None:
+        if conf.md5hash != None and ratio != 1:
+            logger.debug("Setting match ratio to %.3f" % ratio)
+            MATCH_RATIO = ratio
+        elif conf.md5hash == None:
+            logger.debug("Setting match ratio to default value 0.900")
+            MATCH_RATIO = 0.900
+
+    # If it has been requested to return the ratio and not a comparison
+    # response
    if getSeqMatcher:
-        return round(conf.seqMatcher.ratio(), 3)
+        return ratio

-    elif round(conf.seqMatcher.ratio(), 3) >= MATCH_RATIO:
+    # If the url is stable it returns True if the page has the same MD5
+    # hash of the original one
+    # NOTE: old implementation, it did not handle automatically the fact
+    # that the url could be not stable (due to VIEWSTATE, counter, etc.)
+    #elif conf.md5hash != None:
+    #    return conf.md5hash == md5hash(page)
+
+    # If the url is not stable it returns sequence matcher between the
+    # first untouched HTTP response page content and this content
+    elif ratio > MATCH_RATIO:
        return True
-
    else:
        return False