From 43892cddbb6094ea3150976e13ce4315fa22ef7d Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Mon, 11 Oct 2010 12:26:35 +0000
Subject: [PATCH] some updates
---
 lib/controller/checks.py | 22 ++++++++++++++++++++++
 lib/controller/controller.py | 2 ++
 lib/core/common.py | 6 ++++--
 lib/core/option.py | 2 +-
 lib/parse/html.py | 2 +-
 lib/request/connect.py | 2 +-
 6 files changed, 31 insertions(+), 5 deletions(-)
diff --git a/lib/controller/checks.py b/lib/controller/checks.py
index 9cb06af33..2520a0a1c 100644
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -96,6 +96,28 @@ def checkSqlInjection(place, parameter, value, parenthesis):
 return None
+def heuristicCheckSqlInjection(place, parameter, value):
+ prefix = ""
+ postfix = ""
+ if conf.prefix or conf.postfix:
+ if conf.prefix:
+ prefix = conf.prefix
+ if conf.postfix:
+ postfix = conf.postfix
+ payload = "%s%s%s" % (prefix, randomStr(length=10, alphabet=['"', '\'', ')', '(']), postfix)
+ Request.queryPage(payload, place)
+ result = kb.lastErrorPage and kb.lastErrorPage[0]==kb.lastRequestUID
+ infoMsg = "heuristics show that %s parameter '%s' is " % (place, parameter)
+ if result:
+ infoMsg += "injectable"
+ logger.info(infoMsg)
+ else:
+ infoMsg += "not injectable"
+ logger.warning(infoMsg)
+
 def checkDynParam(place, parameter, value):
 """
 This function checks if the url parameter is dynamic. If it is
diff --git a/lib/controller/controller.py b/lib/controller/controller.py
index 708918451..5ee884d92 100644
--- a/lib/controller/controller.py
+++ b/lib/controller/controller.py
@@ -24,6 +24,7 @@ Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
 from lib.controller.action import action
 from lib.controller.checks import checkSqlInjection
+from lib.controller.checks import heuristicCheckSqlInjection
 from lib.controller.checks import checkDynParam
 from lib.controller.checks import checkStability
 from lib.controller.checks import checkString
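Review bot: heuristicCheckSqlInjection accepts `value` but never reads it, and its outcome is only logged, so the call added in the controller.py hunk (`heuristicCheckSqlInjection(place, parameter, value)`) cannot act on the result; either use the parameter or remove it from both the signature and that call, and end the function with `return result` so callers get the boolean. The outer `if conf.prefix or conf.postfix:` guard is redundant — `prefix = conf.prefix or ""` and `postfix = conf.postfix or ""` express the same in two lines — and `kb.lastErrorPage[0]==kb.lastRequestUID` should have spaces around `==` as the rest of the module does. The function also lacks the epydoc docstring its siblings such as checkDynParam carry; something like `Sends one request carrying random quote and parenthesis characters and reports whether the response was recognised as a DBMS error page; this is a heuristic, not a confirmed finding.` would do. Since `result` only checks that an error page was parsed for the current request UID, any recognised error page is reported as "injectable" whether or not the injected characters caused it, so the docstring (or a "possibly injectable" wording in the log message) should make that limitation explicit.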
@@ -232,6 +233,7 @@ def start():
 kb.testedParams.add(paramKey)
 if testSqlInj:
+ heuristicCheckSqlInjection(place, parameter, value)
 for parenthesis in range(0, 4):
 logMsg = "testing sql injection on %s " % place
 logMsg += "parameter '%s' with " % parameter
diff --git a/lib/core/common.py b/lib/core/common.py
index ea52e9a39..e64d17dd7 100644
--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -551,7 +551,7 @@ def randomInt(length=4):
 return int("".join([random.choice(string.digits) for _ in xrange(0, length)]))
-def randomStr(length=4, lowercase=False):
+def randomStr(length=4, lowercase=False, alphabet=None):
 """
 @param length: length of the random string.
 @type length: C{int}
@@ -560,7 +560,9 @@ def randomStr(length=4, lowercase=False):
 @rtype: C{str}
 """
- if lowercase:
+ if alphabet:
+ rndStr = "".join([random.choice(alphabet) for _ in xrange(0, length)])
+ elif lowercase:
 rndStr = "".join([random.choice(string.lowercase) for _ in xrange(0, length)])
 else:
 rndStr = "".join([random.choice(string.letters) for _ in xrange(0, length)])
diff --git a/lib/core/option.py b/lib/core/option.py
index d74fdced9..da4d25978 100644
--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -1024,7 +1024,7 @@ def __setKnowledgeBaseAttributes():
 kb.parenthesis = None
 kb.partRun = None
- kb.requestUID = 0
+ kb.lastRequestUID = 0
 kb.queryCounter = 0
 kb.resumedQueries = {}
 kb.stackedTest = None
diff --git a/lib/parse/html.py b/lib/parse/html.py
index 1269d173d..8e8ada376 100644
--- a/lib/parse/html.py
+++ b/lib/parse/html.py
@@ -57,7 +57,7 @@ class htmlHandler(ContentHandler):
 if self.__match:
 self.dbms = self.__dbms
 self.__match = None
- kb.lastErrorPage = (kb.requestUID, self.__page)
+ kb.lastErrorPage = (kb.lastRequestUID, self.__page)
 def htmlParser(page):
 """
diff --git a/lib/request/connect.py b/lib/request/connect.py
index af9645ea5..d4c96b847 100644
--- a/lib/request/connect.py
+++ b/lib/request/connect.py
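Review bot: The new `alphabet` parameter on randomStr is not described in the docstring that this hunk otherwise leaves untouched; the `@param`/`@type` block shown here should gain `@param alphabet: optional sequence of characters to draw from; when given it takes precedence over lowercase.` and `@type alphabet: C{list}`. The precedence remark matters because the following hunk tests `alphabet` before `lowercase`, which a reader of the signature alone would not guess. randomStr's docstring and body continue past this hunk.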
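Review bot: `if alphabet:` treats an empty alphabet the same as the default `None` and silently falls through to the lowercase/letters branches, so a caller that passes `[]` by mistake gets an unrelated character set instead of an error; `if alphabet is not None:` keeps that mistake visible, since random.choice on an empty sequence raises IndexError. randomStr's body starts before this hunk and its return is outside it.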
@@ -90,7 +90,7 @@ class Connect:
 requestHeaders = ""
 responseHeaders = ""
- kb.requestUID += 1
+ kb.lastRequestUID += 1
 try:
 if silent: