From 229d3a7dd043c4b5c5b047ec90aee8be9f0523d9 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Mon, 30 May 2016 16:46:23 +0200
Subject: [PATCH] Patch for cases when error page looks more like original, than the False one does

---
lib/controller/checks.py | 7 +++++++
lib/controller/controller.py | 8 ++++----
lib/core/option.py | 1 +
lib/core/settings.py | 2 +-
4 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/lib/controller/checks.py b/lib/controller/checks.py
index d8a477cc1..0b19df9ec 100644
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -79,6 +79,7 @@ from lib.core.settings import URI_HTTP_HEADER
 from lib.core.settings import UPPER_RATIO_BOUND
 from lib.core.threads import getCurrentThreadData
 from lib.request.connect import Connect as Request
+from lib.request.comparison import comparison
 from lib.request.inject import checkBooleanExpression
 from lib.request.templates import getPageTemplate
 from lib.techniques.union.test import unionTest
@@ -464,6 +465,11 @@ def checkSqlInjection(place, parameter, value):
 errorResult = Request.queryPage(errorPayload, place, raise404=False)
 if errorResult:
 continue
+ elif not any((conf.string, conf.notString, conf.regexp, conf.code, kb.nullConnection)):
+ _ = comparison(kb.heuristicPage, None, getRatioValue=True)
+ if _ > kb.matchRatio:
+ kb.matchRatio = _
+ logger.debug("adjusting match ratio for current parameter to %.3f" % kb.matchRatio)
 
 infoMsg = "%s parameter '%s' appears to be '%s' injectable " % (paramType, parameter, title)
 logger.info(infoMsg)
@@ -899,6 +905,7 @@ def heuristicCheckSqlInjection(place, parameter):
 payload = agent.payload(place, parameter, newValue=payload)
 page, _ = Request.queryPage(payload, place, content=True, raise404=False)
 
+ kb.heuristicPage = page
 kb.heuristicMode = False
 
 parseFilePaths(page)
diff --git a/lib/controller/controller.py b/lib/controller/controller.py
index 24f702f15..88f8a3c1d 100644
--- a/lib/controller/controller.py
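Review bot: The new `elif` hands `kb.heuristicPage` to `comparison()` without checking that it holds a page at all: it is initialised to `False` (option.py in this same patch) and, once the heuristic request has run, it holds whatever `Request.queryPage` returned, which can be `None` on a failed request. `comparison()` is not visible here, so whether it tolerates a non-string page or can itself return `None` (which would then be compared against `kb.matchRatio`) is inferred, but a cheap guard keeps the adjustment from running on a missing page: `elif kb.heuristicPage and not any((conf.string, conf.notString, conf.regexp, conf.code, kb.nullConnection)):`. Nothing in the hunk sets `kb.matchRatio`, so if it can still be `None` here, `_ > kb.matchRatio` only works by Python 2's ordering of mixed types; `_ is not None and (kb.matchRatio is None or _ > kb.matchRatio)` is the robust form. `checkSqlInjection` starts well before this hunk and the `if` that this `elif` pairs with is outside it, so which branch it extends cannot be confirmed from the diff alone.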
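Review bot: `kb.heuristicPage = page` stores the raw result of the heuristic request, including `None` when `Request.queryPage` returned no content, and nothing at the assignment says who consumes it or why it has to survive past `kb.heuristicMode = False`. A one-line comment would save the next reader a search, e.g. `# Keep the heuristic response: checkSqlInjection uses it as the reference page when adjusting kb.matchRatio for boolean-based tests`. `heuristicCheckSqlInjection` starts before this hunk and continues after it.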
+++ b/lib/controller/controller.py
@@ -593,24 +593,24 @@ def start():
 if not conf.string and not conf.notString and not conf.regexp:
 errMsg += " Also, you can try to rerun by providing "
 errMsg += "either a valid value for option '--string' "
- errMsg += "(or '--regexp')"
+ errMsg += "(or '--regexp')."
 elif conf.string:
 errMsg += " Also, you can try to rerun by providing a "
 errMsg += "valid value for option '--string' as perhaps the string you "
 errMsg += "have chosen does not match "
- errMsg += "exclusively True responses"
+ errMsg += "exclusively True responses."
 elif conf.regexp:
 errMsg += " Also, you can try to rerun by providing a "
 errMsg += "valid value for option '--regexp' as perhaps the regular "
 errMsg += "expression that you have chosen "
- errMsg += "does not match exclusively True responses"
+ errMsg += "does not match exclusively True responses."
 
 if not conf.tamper:
 errMsg += " If you suspect that there is some kind of protection mechanism "
 errMsg += "involved (e.g. WAF) maybe you could retry "
 errMsg += "with an option '--tamper' (e.g. '--tamper=space2comment')"
 
- raise SqlmapNotVulnerableException(errMsg)
+ raise SqlmapNotVulnerableException(errMsg.rstrip('.'))
 else:
 # Flush the flag
 kb.testMode = False
diff --git a/lib/core/option.py b/lib/core/option.py
index cb7a9b863..20520ef30 100644
--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -1855,6 +1855,7 @@ def _setKnowledgeBaseAttributes(flushAll=True):
 kb.headersFp = {}
 kb.heuristicDbms = None
 kb.heuristicMode = False
+ kb.heuristicPage = False
 kb.heuristicTest = None
 kb.hintValue = None
 kb.htmlFp = []
diff --git a/lib/core/settings.py b/lib/core/settings.py
index 27de65ddf..1d6a45e6e 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
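Review bot: `errMsg.rstrip('.')` at the `raise` strips every trailing period, not only the one the three edited lines now append, and nothing in the hunk explains why a period is added and then removed again. A comment at the raise would make the intent explicit, e.g. `# message is terminated by the caller; drop our trailing '.' to avoid '..'` (hedged: how SqlmapNotVulnerableException messages are rendered is not visible here). If exactly one period should go, `errMsg[:-1] if errMsg.endswith('.') else errMsg` is the precise form. `start()` begins well before this hunk.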
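Review bot: `False` is an odd "unset" sentinel for `kb.heuristicPage`, which later holds a response body or `None`, while the neighbouring attributes in this block (`kb.heuristicDbms`, `kb.heuristicTest`, `kb.hintValue`) use `None` for the same meaning; `kb.heuristicPage = None` keeps the convention and lets consumers test `is None` uniformly. `_setKnowledgeBaseAttributes` continues outside the hunk.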
@@ -19,7 +19,7 @@ from lib.core.enums import OS
 from lib.core.revision import getRevisionNumber
 
 # sqlmap version (...)
-VERSION = "1.0.5.110"
+VERSION = "1.0.5.112"
 REVISION = getRevisionNumber()
 STABLE = VERSION.count('.') <= 2
 VERSION_STRING = "sqlmap/%s#%s" % (VERSION, "stable" if STABLE else "dev")