some updates

2025-02-02 20:54:13 +03:00 · 2010-10-11 12:26:35 +00:00 · 2010-10-11 12:26:35 +00:00 · 43892cddbb
commit 43892cddbb
parent 8b0a132fa9
6 changed files with 31 additions and 5 deletions
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@ -96,6 +96,28 @@ def checkSqlInjection(place, parameter, value, parenthesis):

    return None

+def heuristicCheckSqlInjection(place, parameter, value):
+    prefix = ""
+    postfix = ""
+
+    if conf.prefix or conf.postfix:
+        if conf.prefix:
+            prefix = conf.prefix
+
+        if conf.postfix:
+            postfix = conf.postfix
+
+    payload = "%s%s%s" % (prefix, randomStr(length=10, alphabet=['"', '\'', ')', '(']), postfix)
+    Request.queryPage(payload, place)
+    result = kb.lastErrorPage and kb.lastErrorPage[0]==kb.lastRequestUID
+    infoMsg = "heuristics show that %s parameter '%s' is " % (place, parameter)
+    if result:
+        infoMsg += "injectable"
+        logger.info(infoMsg)
+    else:
+        infoMsg += "not injectable"
+        logger.warning(infoMsg)
+
 def checkDynParam(place, parameter, value):
    """
    This function checks if the url parameter is dynamic. If it is
--- a/lib/controller/controller.py
+++ b/lib/controller/controller.py
@ -24,6 +24,7 @@ Franklin St, Fifth Floor, Boston, MA  02110-1301  USA

 from lib.controller.action import action
 from lib.controller.checks import checkSqlInjection
+from lib.controller.checks import heuristicCheckSqlInjection
 from lib.controller.checks import checkDynParam
 from lib.controller.checks import checkStability
 from lib.controller.checks import checkString
@ -232,6 +233,7 @@ def start():
                        kb.testedParams.add(paramKey)

                        if testSqlInj:
+                            heuristicCheckSqlInjection(place, parameter, value)
                            for parenthesis in range(0, 4):
                                logMsg  = "testing sql injection on %s " % place
                                logMsg += "parameter '%s' with " % parameter
--- a/lib/core/common.py
+++ b/lib/core/common.py
@ -551,7 +551,7 @@ def randomInt(length=4):

    return int("".join([random.choice(string.digits) for _ in xrange(0, length)]))

-def randomStr(length=4, lowercase=False):
+def randomStr(length=4, lowercase=False, alphabet=None):
    """
    @param length: length of the random string.
    @type length: C{int}
@ -560,7 +560,9 @@ def randomStr(length=4, lowercase=False):
    @rtype: C{str}
    """

-    if lowercase:
+    if alphabet:
+        rndStr = "".join([random.choice(alphabet) for _ in xrange(0, length)])    
+    elif lowercase:
        rndStr = "".join([random.choice(string.lowercase) for _ in xrange(0, length)])
    else:
        rndStr = "".join([random.choice(string.letters) for _ in xrange(0, length)])
--- a/lib/core/option.py
+++ b/lib/core/option.py
@ -1024,7 +1024,7 @@ def __setKnowledgeBaseAttributes():

    kb.parenthesis    = None
    kb.partRun        = None
-    kb.requestUID     = 0
+    kb.lastRequestUID = 0
    kb.queryCounter   = 0
    kb.resumedQueries = {}
    kb.stackedTest    = None
--- a/lib/parse/html.py
+++ b/lib/parse/html.py
@ -57,7 +57,7 @@ class htmlHandler(ContentHandler):
            if self.__match:
                self.dbms = self.__dbms
                self.__match = None
-                kb.lastErrorPage = (kb.requestUID, self.__page)
+                kb.lastErrorPage = (kb.lastRequestUID, self.__page)

 def htmlParser(page):
    """
--- a/lib/request/connect.py
+++ b/lib/request/connect.py
@ -90,7 +90,7 @@ class Connect:
        requestHeaders  = ""
        responseHeaders = ""

-        kb.requestUID  += 1
+        kb.lastRequestUID  += 1

        try:
            if silent: