added IGNORE_PARAMETERS to skip testing of state/session web server parameters

2024-11-22 09:36:35 +03:00 · 2011-04-13 19:01:02 +00:00 · 2011-04-13 19:01:02 +00:00 · 21114d1748
commit 21114d1748
parent 58a93c5b1f
2 changed files with 10 additions and 0 deletions
--- a/lib/controller/controller.py
+++ b/lib/controller/controller.py
@ -44,6 +44,7 @@ from lib.core.exception import sqlmapValueException
 from lib.core.exception import sqlmapUserQuitException
 from lib.core.session import setInjection
 from lib.core.settings import EMPTY_FORM_FIELDS_REGEX
+from lib.core.settings import IGNORE_PARAMETERS
 from lib.core.settings import REFERER_ALIASES
 from lib.core.settings import USER_AGENT_ALIASES
 from lib.core.target import initTargetEnv
@ -369,6 +370,12 @@ def start():
                            infoMsg = "skipping previously processed %s parameter '%s'" % (place, parameter)
                            logger.info(infoMsg)

+                        elif parameter.upper() in IGNORE_PARAMETERS:
+                            testSqlInj = False
+
+                            infoMsg = "ignoring %s parameter '%s'" % (place, parameter)
+                            logger.info(infoMsg)
+
                        # Avoid dinamicity test if the user provided the
                        # parameter manually
                        elif parameter in conf.testParameter or conf.realTest:
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@ -301,3 +301,6 @@ HASH_MOD_ITEM_DISPLAY = 1117

 # Maximum integer value
 MAX_INT = sys.maxint
+
+# Parameters to be ignored in detection phase
+IGNORE_PARAMETERS = ("__VIEWSTATE", "__EVENTARGUMENT", "__EVENTTARGET", "__EVENTVALIDATION")