minor change in workflow for "tainted" parameter values
This commit is contained in:
parent
2604e73d88
commit
3f15c52188
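--- a/<path-not-shown-on-page>
+++ b/<path-not-shown-on-page>
@@ -73,6 +73,7 @@ from lib.core.exception import sqlmapFilePathException
 from lib.core.exception import sqlmapGenericException
 from lib.core.exception import sqlmapNoneDataException
 from lib.core.exception import sqlmapMissingDependence
+from lib.core.exception import sqlmapSilentQuitException
 from lib.core.exception import sqlmapSyntaxException
 from lib.core.optiondict import optDict
 from lib.core.settings import BIGARRAY_CHUNK_LENGTH
@@ -702,13 +703,19 @@ def paramToDict(place, parameters=None):
 testableParameters[parameter] = "=".join(elem[1:])
 if testableParameters[parameter].strip(DUMMY_SQL_INJECTION_CHARS) != testableParameters[parameter]\
 or re.search(r'\A9{3,}', testableParameters[parameter]) or re.search(DUMMY_USER_INJECTION, testableParameters[parameter]):
-errMsg = "you have provided tainted parameter values "
-errMsg += "('%s') with most probably leftover " % element
-errMsg += "chars from manual sql injection "
-errMsg += "tests (%s) or non-valid numerical value. " % DUMMY_SQL_INJECTION_CHARS
-errMsg += "Please, always use only valid parameter values "
-errMsg += "so sqlmap could be able to properly run"
-raise sqlmapSyntaxException, errMsg
+warnMsg = "it appears that you have provided tainted parameter values "
+warnMsg += "('%s') with most probably leftover " % element
+warnMsg += "chars from manual sql injection "
+warnMsg += "tests (%s) or non-valid numerical value. " % DUMMY_SQL_INJECTION_CHARS
+warnMsg += "Please, always use only valid parameter values "
+warnMsg += "so sqlmap could be able to properly run "
+logger.warn(warnMsg)
+
+message = "Are you sure you want to continue? [y/N] "
+test = readInput(message, default="N")
+if test[0] not in ("y", "Y"):
+raise sqlmapSilentQuitException
+
 else:
 root = ET.XML(parameters)
 iterator = root.getiterator()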
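Review bot: The new `if test[0] not in ("y", "Y"):` line indexes the prompt result without checking that it is non-empty; if readInput() can ever hand back an empty string (or None) instead of the default, this raises IndexError instead of quitting cleanly, so `if not test or test[0] not in ("y", "Y"):` would preserve the reject-by-default intent in that case. The last message fragment now ends in a trailing space (`"...properly run "`), which goes into the logged warning as-is since nothing is appended after it; it can be dropped. `logger.warn` is the deprecated alias of `logger.warning`, worth aligning with whatever the rest of the file uses. paramToDict() starts and ends outside the hunk, and the shown `else:` belongs to an enclosing `if` that is not visible here.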