diff --git a/lib/controller/checks.py b/lib/controller/checks.py
index df2ec0b1c..c9573f89c 100644
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -151,7 +151,7 @@ def checkSqlInjection(place, parameter, value):
 # Parse test's
 comment = agent.getComment(test.request)
- fstPayload = agent.cleanupPayload(test.request.payload)
+ fstPayload = agent.cleanupPayload(test.request.payload, value)
 fstPayload = unescapeDbms(fstPayload, injection, dbms)
 fstPayload = "%s%s" % (fstPayload, comment)
@@ -246,18 +246,18 @@ def checkSqlInjection(place, parameter, value):
 # test's ' ' string
 boundPayload = "%s%s %s %s" % (origValue, prefix, fstPayload, suffix)
 boundPayload = boundPayload.strip()
- boundPayload = agent.cleanupPayload(boundPayload)
+ boundPayload = agent.cleanupPayload(boundPayload, value)
 reqPayload = agent.payload(place, parameter, value, boundPayload)
 # Perform the test's request and check whether or not the
 # payload was successful
 # Parse test's
 for method, check in test.response.items():
- check = agent.cleanupPayload(check)
+ check = agent.cleanupPayload(check, value)
 # In case of boolean-based blind SQL injection
 if method == "comparison":
- sndPayload = agent.cleanupPayload(test.response.comparison)
+ sndPayload = agent.cleanupPayload(test.response.comparison, value)
 sndPayload = unescapeDbms(sndPayload, injection, dbms)
 sndPayload = "%s%s" % (sndPayload, comment)
@@ -267,7 +267,7 @@ def checkSqlInjection(place, parameter, value):
 # string
 boundPayload = "%s%s %s %s" % (origValue, prefix, sndPayload, suffix)
 boundPayload = boundPayload.strip()
- boundPayload = agent.cleanupPayload(boundPayload)
+ boundPayload = agent.cleanupPayload(boundPayload, value)
 cmpPayload = agent.payload(place, parameter, value, boundPayload)
 # Useful to set conf.matchRatio at first based on
diff --git a/lib/core/agent.py b/lib/core/agent.py
index c5d661966..509fdd2f8 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
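Review bot: The `[ORIGVALUE]` substitution on the changed `fstPayload = agent.cleanupPayload(test.request.payload, value)` line now happens before `unescapeDbms`, so a non-numeric original value that `cleanupPayload` wraps in single quotes is rewritten by the DBMS unescaper together with the rest of the payload, whereas the later `cleanupPayload(boundPayload, value)` calls in this function are not followed by any unescape step. If that ordering is intended it deserves a comment on the changed line, e.g. `# resolve [ORIGVALUE] before unescaping so a quoted original value is rewritten by unescapeDbms too`. checkSqlInjection begins before this hunk and continues after it.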
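Review bot: The bound payload on the second context line is assembled from `origValue`, but the new `cleanupPayload(boundPayload, value)` and `cleanupPayload(check, value)` calls resolve `[ORIGVALUE]` from `value`; the function visibly keeps both names, so wherever they differ the value substituted into the test vector will not be the one actually injected in front of it. Either pass the same reference, `boundPayload = agent.cleanupPayload(boundPayload, origValue)`, or add a comment stating why `value` is the correct one. The `check` string is resolved with the raw parameter value as well; if a grep-style check is later compiled as a regular expression (not visible here), the value should be `re.escape`d before substitution. The enclosing function extends beyond this hunk.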
@@ -76,6 +76,7 @@ class Agent:
 paramString = conf.parameters[kb.injection.place]
 paramDict = conf.paramDict[kb.injection.place]
 value = paramDict[kb.injection.parameter]
+ newValue = self.cleanupPayload(newValue, value)
 if "POSTxml" in conf.paramDict and kb.injection.place == PLACE.POST:
 root = ET.XML(paramString)
@@ -155,9 +156,9 @@ class Agent:
 string += " %s" % kb.injection.suffix
 string = self.cleanupPayload(string)
- return string
+ return string.rstrip()
- def cleanupPayload(self, payload):
+ def cleanupPayload(self, payload, origvalue=None):
 if payload is None:
 return
@@ -174,6 +175,12 @@ class Agent:
 payload = payload.replace("[DELIMITER_STOP]", kb.misc.stop)
 payload = payload.replace("[SLEEPTIME]", str(conf.timeSec))
+ if origvalue is not None:
+ if not origvalue.isdigit():
+ origvalue = "'%s'" % origvalue
+ payload = payload.replace("[ORIGVALUE]", origvalue)
+
 return payload
 def getComment(self, reqObj):
diff --git a/lib/request/inject.py b/lib/request/inject.py
index 31ac9a08f..d8676d1a8 100644
--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@@ -99,7 +99,12 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r
 parameter through a bisection algorithm.
 """
- query = agent.prefixQuery(queries[kb.misc.testedDbms].inference.query)
+ if kb.injection.data[1].epayload is not None:
+ vector = agent.cleanupPayload(kb.injection.data[1].epayload)
+ else:
+ vector = queries[kb.misc.testedDbms].inference.query
+ query = agent.prefixQuery(vector)
 query = agent.suffixQuery(query)
 payload = agent.payload(newValue=query)
 count = None
diff --git a/lib/techniques/error/use.py b/lib/techniques/error/use.py
index c39183c45..52f0f1e3f 100644
--- a/lib/techniques/error/use.py
+++ b/lib/techniques/error/use.py
@@ -35,7 +35,6 @@ def errorUse(expression):
 """
 output = None
- randInt = randomInt(1)
 query = agent.cleanupPayload(kb.injection.data[2].epayload)
 query = unescaper.unescape(query)
 query = agent.prefixQuery(query)
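Review bot: The added `newValue = self.cleanupPayload(newValue, value)` makes `payload` resolve `[ORIGVALUE]` against the raw `conf.paramDict` value, which is a second pass for the checks.py callers in this commit and the only pass for `agent.payload(newValue=query)` in inject.py; that contract belongs in the method's docstring, which starts before this hunk. I would add `# resolve [ORIGVALUE] against the injected parameter's current value; callers need not do it themselves` above the new line. Since `value` arrives here unescaped, any quoting weakness in `cleanupPayload` applies to this path as well.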
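Review bot: `return string.rstrip()` in suffixQuery now strips trailing whitespace from the assembled query, including a trailing space that belongs to `kb.injection.suffix` or the appended comment; if any comment style in use requires whitespace after `--` (MySQL does), that suffix is broken once stripped. Prefer stripping only when safe, `return string if string.endswith("-- ") else string.rstrip()`, or leave a comment explaining why a trailing space can never be significant here. suffixQuery's body starts before this hunk.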
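Review bot: The new `[ORIGVALUE]` branch in cleanupPayload wraps a non-numeric original value in single quotes without escaping the value itself, so a parameter value containing `'` yields a syntactically broken payload, and `isdigit()` is false for `-1` or `1.5`, so signed and decimal numbers are quoted and change the type context of the vector. At minimum double embedded quotes, `origvalue = "'%s'" % origvalue.replace("'", "''")`, unless a downstream unescaper is guaranteed to rewrite the literal (checks.py only does so on the first substitution), and use a numeric test that tolerates a leading sign and a decimal point. `origvalue.isdigit()` also assumes a `str`; `origvalue = str(origvalue)` before the test would make the helper safe for other callers.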
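Review bot: The new branch passes `kb.injection.data[1].epayload` through `cleanupPayload` but, unlike the parallel path in lib/techniques/error/use.py in this same commit, never runs it through `unescaper.unescape`; if a stored boolean vector can contain string literals they reach the target without DBMS-specific unescaping. Add `vector = unescaper.unescape(vector)` after the cleanup (importing it if inject.py does not already), or document why the boolean vector never needs it. The bare `1` index should also be the named technique constant if the codebase has one, so a missing technique fails with a clearer error than a KeyError. `__goInferenceProxy` continues past this hunk.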