mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2024-11-29 13:03:50 +03:00
further reflective value handling improvement
parent
b47d3e1da3
commit
21041f8b90
|
@ -82,6 +82,7 @@ from lib.core.settings import DUMP_START_MARKER
|
||||||
from lib.core.settings import DUMP_STOP_MARKER
|
from lib.core.settings import DUMP_STOP_MARKER
|
||||||
from lib.core.settings import MIN_TIME_RESPONSES
|
from lib.core.settings import MIN_TIME_RESPONSES
|
||||||
from lib.core.settings import PAYLOAD_DELIMITER
|
from lib.core.settings import PAYLOAD_DELIMITER
|
||||||
|
from lib.core.settings import REFLECTED_NON_ALPHA_NUM_REGEX
|
||||||
from lib.core.settings import REFLECTED_VALUE_MARKER
|
from lib.core.settings import REFLECTED_VALUE_MARKER
|
||||||
from lib.core.settings import TIME_DEFAULT_DELAY
|
from lib.core.settings import TIME_DEFAULT_DELAY
|
||||||
from lib.core.settings import TIME_STDEV_COEFF
|
from lib.core.settings import TIME_STDEV_COEFF
|
||||||
|
@ -2400,12 +2401,12 @@ def removeReflectiveValues(content, payload):
|
||||||
if all([content, payload]):
|
if all([content, payload]):
|
||||||
payload = payload.replace(PAYLOAD_DELIMITER, '')
|
payload = payload.replace(PAYLOAD_DELIMITER, '')
|
||||||
|
|
||||||
regex = filterStringValue(payload, r'[A-Za-z0-9]', r'[^\s]+')
|
regex = filterStringValue(payload, r'[A-Za-z0-9]', REFLECTED_NON_ALPHA_NUM_REGEX)
|
||||||
|
|
||||||
while r'[^\s]+[^\s]+' in regex:
|
while 2 * REFLECTED_NON_ALPHA_NUM_REGEX in regex:
|
||||||
regex = regex.replace(r'[^\s]+[^\s]+', r'[^\s]+')
|
regex = regex.replace(2 * REFLECTED_NON_ALPHA_NUM_REGEX, REFLECTED_NON_ALPHA_NUM_REGEX)
|
||||||
|
|
||||||
retVal = re.compile(regex).sub(REFLECTED_VALUE_MARKER, content)
|
retVal = re.sub(regex, REFLECTED_VALUE_MARKER, content)
|
||||||
|
|
||||||
if retVal != content:
|
if retVal != content:
|
||||||
debugMsg = "reflective value found and filtered out"
|
debugMsg = "reflective value found and filtered out"
|
||||||
|
|
|
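Review bot: The pattern passed to `re.sub(regex, REFLECTED_VALUE_MARKER, content)` can degenerate to the bare wildcard. If `filterStringValue` works as its arguments suggest (alphanumerics kept, every other character replaced by `REFLECTED_NON_ALPHA_NUM_REGEX`), a payload with no alphanumeric characters collapses to `[^<>\r\n]+`, and every text run in the page is then replaced by the marker. Even with a few alphanumerics, the greedy class can span unrelated text on the same line, which would skew the page comparison that follows and may backtrack heavily on long single-line responses. A guard such as `if regex != REFLECTED_NON_ALPHA_NUM_REGEX:` before the substitution, or a bounded quantifier in the constant, would limit this. The body of removeReflectiveValues continues outside this hunk.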
@ -268,3 +268,6 @@ EXCLUDE_UNESCAPE = ("WAITFOR DELAY ", " INTO DUMPFILE ", " INTO OUTFILE ", "CREA
|
||||||
|
|
||||||
# Mark used for replacement of reflected values
|
# Mark used for replacement of reflected values
|
||||||
REFLECTED_VALUE_MARKER = '__REFLECTED_VALUE__'
|
REFLECTED_VALUE_MARKER = '__REFLECTED_VALUE__'
|
||||||
|
|
||||||
|
# Regular expression used for marking non-alphanum characters
|
||||||
|
REFLECTED_NON_ALPHA_NUM_REGEX = r'[^<>\r\n]+'
|
||||||
|
|
|
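Review bot: The comment added above `REFLECTED_NON_ALPHA_NUM_REGEX` says the expression marks non-alphanumeric characters, but `[^<>\r\n]+` matches any run of characters other than `<`, `>`, CR and LF, letters and digits included. The constant is what gets substituted for each non-alphanumeric payload character, so the comment should say so and state what the class really matches, for example `# Pattern substituted for each non-alphanumeric payload character; matches any run of characters except <, > and line breaks`. Spelling this out helps the next maintainer see why the resulting expression can match more of the page than the reflected payload itself.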
@ -490,7 +490,7 @@ class Connect:
|
||||||
if content or response:
|
if content or response:
|
||||||
return page, headers
|
return page, headers
|
||||||
|
|
||||||
page = removeReflectiveValues(page, value)
|
page = removeReflectiveValues(page, payload)
|
||||||
|
|
||||||
if getRatioValue:
|
if getRatioValue:
|
||||||
return comparison(page, getRatioValue=False, pageLength=pageLength), comparison(page, getRatioValue=True, pageLength=pageLength)
|
return comparison(page, getRatioValue=False, pageLength=pageLength), comparison(page, getRatioValue=True, pageLength=pageLength)
|
||||||
|
|