Minor fix to check for inline query payloads regardless of previously identified payloads and code cleanup

Bernardo Damele 2015-02-20 18:30:42 +00:00
parent 3b3205c532
commit 214b9360e9


@ -179,7 +179,6 @@ def checkSqlInjection(place, parameter, value):
logger.debug(debugMsg) logger.debug(debugMsg)
continue continue
# Skip DBMS-specific test if it does not match either the # Skip DBMS-specific test if it does not match either the
# previously identified or the user's provided DBMS (either # previously identified or the user's provided DBMS (either
# from program switch or from parsed error message(s)) # from program switch or from parsed error message(s))
@ -250,11 +249,11 @@ def checkSqlInjection(place, parameter, value):
if clause != [0] and injection.clause and injection.clause != [0] and not clauseMatch: if clause != [0] and injection.clause and injection.clause != [0] and not clauseMatch:
debugMsg = "skipping test '%s' because the clauses " % title debugMsg = "skipping test '%s' because the clauses " % title
debugMsg += "differs from the clause already identified" debugMsg += "differ from the clause already identified"
logger.debug(debugMsg) logger.debug(debugMsg)
continue continue
# Skip test if the user provided custom character # Skip test if the user provided custom character (for UNION-based payloads)
if conf.uChar is not None and ("random number" in title or "(NULL)" in title): if conf.uChar is not None and ("random number" in title or "(NULL)" in title):
debugMsg = "skipping test '%s' because the user " % title debugMsg = "skipping test '%s' because the user " % title
debugMsg += "provided a specific character, %s" % conf.uChar debugMsg += "provided a specific character, %s" % conf.uChar
@ -314,14 +313,13 @@ def checkSqlInjection(place, parameter, value):
# Parse boundary's <prefix>, <suffix> and <ptype> # Parse boundary's <prefix>, <suffix> and <ptype>
prefix = boundary.prefix if boundary.prefix else "" prefix = boundary.prefix if boundary.prefix else ""
suffix = boundary.suffix if boundary.suffix else "" suffix = boundary.suffix if boundary.suffix else ""
ptype = boundary.ptype
# Options --prefix/--suffix have a higher priority (if set by user) # Options --prefix/--suffix have a higher priority (if set by user)
prefix = conf.prefix if conf.prefix is not None else prefix prefix = conf.prefix if conf.prefix is not None else prefix
suffix = conf.suffix if conf.suffix is not None else suffix suffix = conf.suffix if conf.suffix is not None else suffix
comment = None if conf.suffix is not None else comment comment = None if conf.suffix is not None else comment
ptype = boundary.ptype
# If the previous injections succeeded, we know which prefix, # If the previous injections succeeded, we know which prefix,
# suffix and parameter type to use for further tests, no # suffix and parameter type to use for further tests, no
# need to cycle through the boundaries for the following tests # need to cycle through the boundaries for the following tests
@ -329,7 +327,9 @@ def checkSqlInjection(place, parameter, value):
condBound &= (injection.prefix != prefix or injection.suffix != suffix) condBound &= (injection.prefix != prefix or injection.suffix != suffix)
condType = injection.ptype is not None and injection.ptype != ptype condType = injection.ptype is not None and injection.ptype != ptype
if condBound or condType: # If the payload is an inline query test for it regardless
# of previously identified injection types
if stype != PAYLOAD.TECHNIQUE.QUERY and (condBound or condType):
continue continue
# For each test's <where> # For each test's <where>
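Review bot: The comment added above `if stype != PAYLOAD.TECHNIQUE.QUERY and (condBound or condType):` in the last hunk says inline query tests run "regardless of previously identified injection types", but the skip it exempts them from is keyed on boundary (prefix/suffix) and parameter-type mismatch, not on technique. I would reword it to `# Inline query tests are exempt from the boundary/ptype skip: they are still tried with every boundary` followed by `# even after an earlier injection fixed the prefix, suffix and ptype`. As a consequence these tests are presumably repeated across all boundaries for each parameter, which raises the request volume of a scan and is worth stating in the commit message. `stype` is assigned outside the visible lines and checkSqlInjection starts and ends outside this hunk, so this reading rests on the hunk alone.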