minor change in workflow for "tainted" parameter values

2025-02-03 05:04:11 +03:00 · 2012-02-14 09:26:52 +00:00 · 2012-02-14 09:26:52 +00:00 · 3f15c52188
commit 3f15c52188
parent 2604e73d88
1 changed files with 14 additions and 7 deletions
--- a/lib/core/common.py
+++ b/lib/core/common.py
@ -73,6 +73,7 @@ from lib.core.exception import sqlmapFilePathException
 from lib.core.exception import sqlmapGenericException
 from lib.core.exception import sqlmapNoneDataException
 from lib.core.exception import sqlmapMissingDependence
+from lib.core.exception import sqlmapSilentQuitException
 from lib.core.exception import sqlmapSyntaxException
 from lib.core.optiondict import optDict
 from lib.core.settings import BIGARRAY_CHUNK_LENGTH
@ -702,13 +703,19 @@ def paramToDict(place, parameters=None):
                    testableParameters[parameter] = "=".join(elem[1:])
                    if testableParameters[parameter].strip(DUMMY_SQL_INJECTION_CHARS) != testableParameters[parameter]\
                      or re.search(r'\A9{3,}', testableParameters[parameter]) or re.search(DUMMY_USER_INJECTION, testableParameters[parameter]):
-                        errMsg = "you have provided tainted parameter values "
-                        errMsg += "('%s') with most probably leftover " % element
-                        errMsg += "chars from manual sql injection "
-                        errMsg += "tests (%s) or non-valid numerical value. " % DUMMY_SQL_INJECTION_CHARS
-                        errMsg += "Please, always use only valid parameter values "
-                        errMsg += "so sqlmap could be able to properly run"
-                        raise sqlmapSyntaxException, errMsg
+                        warnMsg = "it appears that you have provided tainted parameter values "
+                        warnMsg += "('%s') with most probably leftover " % element
+                        warnMsg += "chars from manual sql injection "
+                        warnMsg += "tests (%s) or non-valid numerical value. " % DUMMY_SQL_INJECTION_CHARS
+                        warnMsg += "Please, always use only valid parameter values "
+                        warnMsg += "so sqlmap could be able to properly run "
+                        logger.warn(warnMsg)
+
+                        message = "Are you sure you want to continue? [y/N] "
+                        test = readInput(message, default="N")
+                        if test[0] not in ("y", "Y"):
+                            raise sqlmapSilentQuitException
+
    else:
        root = ET.XML(parameters)
        iterator = root.getiterator()