mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2024-11-28 12:33:49 +03:00
support operations that have a request body
This commit is contained in:
parent
f6201dae42
commit
4aeed819f7
|
@ -5385,6 +5385,31 @@ def parseRequestFile(reqFile, checkParams=True):
|
|||
parameterPath = parameterPath.replace("{%s}" %p["name"], "%s*" %p["example"])
|
||||
return parameterPath
|
||||
|
||||
def _swaggerRef(swagger, refPath):
|
||||
paths = refPath.replace("#/", "", 1).split('/')
|
||||
r = swagger
|
||||
for p in paths:
|
||||
r = r[p]
|
||||
return r
|
||||
|
||||
def _swaggerBody(swagger, refPath):
|
||||
body = {}
|
||||
ref = _swaggerRef(swagger, refPath)
|
||||
if "type" in ref and ref["type"] == "object" and "properties" in ref:
|
||||
properties = ref["properties"]
|
||||
for prop in properties:
|
||||
if "example" in properties[prop]:
|
||||
value = properties[prop]["example"]
|
||||
#if properties[prop]["type"] in ["string", "enum"] and value[0] != '"':
|
||||
# value = "\"%s\"" %value
|
||||
body[prop] = value
|
||||
elif "$ref" in properties[prop]:
|
||||
body[prop] = _swaggerBody(swagger, properties[prop]["$ref"])
|
||||
elif properties[prop]["type"] == "array" and "$ref" in properties[prop]["items"]:
|
||||
body[prop] = [ _swaggerBody(swagger, properties[prop]["items"]["$ref"]) ]
|
||||
|
||||
return body
|
||||
|
||||
|
||||
def _parseSwagger(content):
|
||||
"""
|
||||
|
@ -5414,13 +5439,17 @@ def parseRequestFile(reqFile, checkParams=True):
|
|||
for operation in swagger["paths"][path]:
|
||||
op = swagger["paths"][path][operation]
|
||||
|
||||
tags = conf.swaggerTags.split(",") if conf.swaggerTags is not None else None
|
||||
tags = conf.swaggerTags
|
||||
|
||||
if ((tags is None or any(tag in op["tags"] for tag in tags))
|
||||
and operation == "get"):
|
||||
if tags is None or any(tag in op["tags"] for tag in tags):
|
||||
|
||||
body = {}
|
||||
if "requestBody" in op:
|
||||
ref = op["requestBody"]["content"]["application/json"]["schema"]["$ref"]
|
||||
body = _swaggerBody(swagger, ref)
|
||||
|
||||
# header injection is not currently supported
|
||||
if len(_swaggerOperationParameters(op["parameters"], ["query", "path"])) > 0:
|
||||
if (len(_swaggerOperationParameters(op["parameters"], ["query", "path"]))) > 0 or body:
|
||||
url = None
|
||||
method = None
|
||||
data = None
|
||||
|
@ -5430,6 +5459,8 @@ def parseRequestFile(reqFile, checkParams=True):
|
|||
qs = _swaggerOperationQueryString(op["parameters"])
|
||||
url = "%s%s" % (server, parameterPath)
|
||||
method = operation.upper()
|
||||
if body:
|
||||
data = json.dumps(body)
|
||||
|
||||
if qs is not None:
|
||||
url += "?" + qs
|
||||
|
@ -5458,8 +5489,9 @@ def parseRequestFile(reqFile, checkParams=True):
|
|||
for target in _parseWebScarabLog(content):
|
||||
yield target
|
||||
|
||||
for target in _parseSwagger(content):
|
||||
yield target
|
||||
if conf.swaggerFile:
|
||||
for target in _parseSwagger(content):
|
||||
yield target
|
||||
|
||||
def getSafeExString(ex, encoding=None):
|
||||
"""
|
||||
|
|
|
@ -1793,7 +1793,7 @@ def _cleanupOptions():
|
|||
if conf.tmpPath:
|
||||
conf.tmpPath = ntToPosixSlashes(normalizePath(conf.tmpPath))
|
||||
|
||||
if any((conf.googleDork, conf.logFile, conf.bulkFile, conf.forms, conf.crawlDepth, conf.stdinPipe)):
|
||||
if any((conf.googleDork, conf.logFile, conf.bulkFile, conf.forms, conf.crawlDepth, conf.stdinPipe, conf.swaggerFile)):
|
||||
conf.multipleTargets = True
|
||||
|
||||
if conf.optimize:
|
||||
|
@ -1940,6 +1940,9 @@ def _cleanupOptions():
|
|||
if conf.dummy:
|
||||
conf.batch = True
|
||||
|
||||
if conf.swaggerTags:
|
||||
conf.swaggerTags = [_.strip() for _ in re.split(PARAMETER_SPLITTING_REGEX, conf.swaggerTags)]
|
||||
|
||||
threadData = getCurrentThreadData()
|
||||
threadData.reset()
|
||||
|
||||
|
|
Loading…
Reference in New Issue
Block a user