some updates

lib/controller/checks.py

@@ -96,6 +96,28 @@ def checkSqlInjection(place, parameter, value, parenthesis):
 
     return None
 
+def heuristicCheckSqlInjection(place, parameter, value):
+    prefix = ""
+    postfix = ""
+
+    if conf.prefix or conf.postfix:
+        if conf.prefix:
+            prefix = conf.prefix
+
+        if conf.postfix:
+            postfix = conf.postfix
+
+    payload = "%s%s%s" % (prefix, randomStr(length=10, alphabet=['"', '\'', ')', '(']), postfix)
+    Request.queryPage(payload, place)
+    result = kb.lastErrorPage and kb.lastErrorPage[0]==kb.lastRequestUID
+    infoMsg = "heuristics show that %s parameter '%s' is " % (place, parameter)
+    if result:
+        infoMsg += "injectable"
+        logger.info(infoMsg)
+    else:
+        infoMsg += "not injectable"
+        logger.warning(infoMsg)
+
 def checkDynParam(place, parameter, value):
     """
     This function checks if the url parameter is dynamic. If it is

lib/controller/controller.py

@@ -24,6 +24,7 @@ Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 
 from lib.controller.action import action
 from lib.controller.checks import checkSqlInjection
+from lib.controller.checks import heuristicCheckSqlInjection
 from lib.controller.checks import checkDynParam
 from lib.controller.checks import checkStability
 from lib.controller.checks import checkString
@@ -232,6 +233,7 @@ def start():
                         kb.testedParams.add(paramKey)
 
                         if testSqlInj:
+                            heuristicCheckSqlInjection(place, parameter, value)
                             for parenthesis in range(0, 4):
                                 logMsg  = "testing sql injection on %s " % place
                                 logMsg += "parameter '%s' with " % parameter

lib/core/common.py

@@ -551,7 +551,7 @@ def randomInt(length=4):
 
     return int("".join([random.choice(string.digits) for _ in xrange(0, length)]))
 
-def randomStr(length=4, lowercase=False):
+def randomStr(length=4, lowercase=False, alphabet=None):
     """
     @param length: length of the random string.
     @type length: C{int}
@@ -560,7 +560,9 @@ def randomStr(length=4, lowercase=False):
     @rtype: C{str}
     """
 
-    if lowercase:
+    if alphabet:
+        rndStr = "".join([random.choice(alphabet) for _ in xrange(0, length)])    
+    elif lowercase:
         rndStr = "".join([random.choice(string.lowercase) for _ in xrange(0, length)])
     else:
         rndStr = "".join([random.choice(string.letters) for _ in xrange(0, length)])

lib/core/option.py

@@ -1024,7 +1024,7 @@ def __setKnowledgeBaseAttributes():
 
     kb.parenthesis    = None
     kb.partRun        = None
-    kb.requestUID     = 0
+    kb.lastRequestUID = 0
     kb.queryCounter   = 0
     kb.resumedQueries = {}
     kb.stackedTest    = None

lib/parse/html.py

@@ -57,7 +57,7 @@ class htmlHandler(ContentHandler):
             if self.__match:
                 self.dbms = self.__dbms
                 self.__match = None
-                kb.lastErrorPage = (kb.requestUID, self.__page)
+                kb.lastErrorPage = (kb.lastRequestUID, self.__page)
 
 def htmlParser(page):
     """

lib/request/connect.py

@@ -90,7 +90,7 @@ class Connect:
         requestHeaders  = ""
         responseHeaders = ""
 
-        kb.requestUID  += 1
+        kb.lastRequestUID  += 1
 
         try:
             if silent: