From 4c1fc095d82ad0ee7901512a5ed8a9c7908675e8 Mon Sep 17 00:00:00 2001 From: Miroslav Stampar Date: Thu, 14 Jan 2016 09:59:13 +0100 Subject: [PATCH] Adding heuristic check for FI vulnerability --- lib/controller/checks.py | 12 +++++++++--- lib/core/settings.py | 4 ++-- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/lib/controller/checks.py b/lib/controller/checks.py index ff5b9c002..b5d7d2d2a 100644 --- a/lib/controller/checks.py +++ b/lib/controller/checks.py @@ -63,7 +63,7 @@ from lib.core.exception import SqlmapNoneDataException from lib.core.exception import SqlmapSilentQuitException from lib.core.exception import SqlmapUserQuitException from lib.core.settings import DEFAULT_GET_POST_DELIMITER -from lib.core.settings import DUMMY_XSS_CHECK_APPENDIX +from lib.core.settings import DUMMY_NON_SQLI_CHECK_APPENDIX from lib.core.settings import FORMAT_EXCEPTION_STRINGS from lib.core.settings import HEURISTIC_CHECK_ALPHABET from lib.core.settings import SUHOSIN_MAX_VALUE_LENGTH @@ -919,7 +919,8 @@ def heuristicCheckSqlInjection(place, parameter): kb.heuristicMode = True - value = "%s%s%s" % (randomStr(), DUMMY_XSS_CHECK_APPENDIX, randomStr()) + randStr1, randStr2 = randomStr(), randomStr() + value = "%s%s%s" % (randStr1, DUMMY_NON_SQLI_CHECK_APPENDIX, randStr2) payload = "%s%s%s" % (prefix, "'%s" % value, suffix) payload = agent.payload(place, parameter, newValue=payload) page, _ = Request.queryPage(payload, place, content=True, raise404=False) @@ -928,7 +929,12 @@ def heuristicCheckSqlInjection(place, parameter): if value in (page or ""): infoMsg = "heuristic (XSS) test shows that %s parameter " % paramType - infoMsg += "'%s' might be vulnerable to XSS attacks" % parameter + infoMsg += "'%s' might be vulnerable to cross-site scripting attacks" % parameter + logger.info(infoMsg) + + if re.search(r"(?i)Failed opening[^\n]+%s" % randStr1, page or ""): + infoMsg = "heuristic (FI) test shows that %s parameter " % paramType + infoMsg += "'%s' might be vulnerable to file inclusion attacks" % parameter logger.info(infoMsg) kb.heuristicMode = False diff --git a/lib/core/settings.py b/lib/core/settings.py index 7508c6b33..52e2ba738 100644 --- a/lib/core/settings.py +++ b/lib/core/settings.py @@ -548,8 +548,8 @@ DNS_BOUNDARIES_ALPHABET = re.sub("[a-fA-F]", "", string.ascii_letters) # Alphabet used for heuristic checks HEURISTIC_CHECK_ALPHABET = ('"', '\'', ')', '(', ',', '.') -# String used for dummy XSS check of a tested parameter value -DUMMY_XSS_CHECK_APPENDIX = "<'\">" +# String used for dummy non-SQLi (e.g. XSS) check of a tested parameter value +DUMMY_NON_SQLI_CHECK_APPENDIX = "<'\">" # Connection chunk size (processing large responses in chunks to avoid MemoryError crashes - e.g. large table dump in full UNION injections) MAX_CONNECTION_CHUNK_SIZE = 10 * 1024 * 1024