diff --git a/lib/core/agent.py b/lib/core/agent.py
index 4c35c9152..83d720678 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -162,6 +162,7 @@ class Agent(object):
 match = None
 for match in re.finditer(pattern, string):
 pass
+
 if match:
 while True:
 _ = re.search(r"\\g<([^>]+)>", repl)
@@ -173,7 +174,8 @@ class Agent(object):
 return retVal
 if origValue:
- retVal = _(r"(\A|\b)%s=%s(\Z|\b)" % (re.escape(parameter), re.escape(origValue)), "%s=%s" % (parameter, self.addPayloadDelimiters(newValue.replace("\\", "\\\\"))), paramString)
+ regex = r"(\A|\b)%s=%s%s" % (re.escape(parameter), re.escape(origValue), r"(\Z|\b)" if origValue[-1].isalnum() else "")
+ retVal = _(regex, "%s=%s" % (parameter, self.addPayloadDelimiters(newValue.replace("\\", "\\\\"))), paramString)
 else:
 retVal = _(r"(\A|\b)%s=%s(\Z|%s|%s|\s)" % (re.escape(parameter), re.escape(origValue), DEFAULT_GET_POST_DELIMITER, DEFAULT_COOKIE_DELIMITER), "%s=%s\g<2>" % (parameter, self.addPayloadDelimiters(newValue.replace("\\", "\\\\"))), paramString)
 if retVal == paramString and urlencode(parameter) != parameter:
diff --git a/lib/core/common.py b/lib/core/common.py
index c3951b33b..264452e0d 100755
--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -97,7 +97,6 @@ from lib.core.settings import DEFAULT_COOKIE_DELIMITER
 from lib.core.settings import DEFAULT_GET_POST_DELIMITER
 from lib.core.settings import DEFAULT_MSSQL_SCHEMA
 from lib.core.settings import DESCRIPTION
-from lib.core.settings import DUMMY_SQL_INJECTION_CHARS
 from lib.core.settings import DUMMY_USER_INJECTION
 from lib.core.settings import DYNAMICITY_MARK_LENGTH
 from lib.core.settings import ERROR_PARSING_REGEXES
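Review bot: The new `origValue[-1].isalnum()` test in the `if origValue:` branch does not line up with the `\b` it decides about: `\b` is a boundary between `\w` and `\W`, and `_` is `\w` but not alphanumeric, so a value ending in an underscore now loses its trailing boundary check even though `(\Z|\b)` would have matched it correctly, and non-ASCII letters can disagree the other way depending on the regex Unicode mode. Testing the same character class the regex uses keeps both in step: `r"(\Z|\b)" if re.search(r"\w\Z", origValue) else ""`. When the anchor is dropped for a value ending in punctuation the pattern becomes a prefix match (a value `a(` would also rewrite `a(b`); if that matters, a delimiter lookahead like the `(\Z|%s|%s|\s)` group the `else` branch already uses is a safer tail than no anchor at all. The enclosing method, and the nested `_` helper whose `return retVal` opens the hunk, both start and end outside the hunk.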
@@ -573,7 +572,7 @@ def paramToDict(place, parameters=None):
 testableParameters[parameter] = "=".join(parts[1:])
 if not conf.multipleTargets and not (conf.csrfToken and parameter == conf.csrfToken):
 _ = urldecode(testableParameters[parameter], convall=True)
- if (_.strip(DUMMY_SQL_INJECTION_CHARS) != _\
+ if (_.endswith("'") and _.count("'") == 1 or re.search(r'\A9{3,}', _) or re.search(DUMMY_USER_INJECTION, _))\
 and not parameter.upper().startswith(GOOGLE_ANALYTICS_COOKIE_PREFIX):
 warnMsg = "it appears that you have provided tainted parameter values "
diff --git a/lib/core/settings.py b/lib/core/settings.py
index 002bec0ad..5adfade0a 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -412,7 +412,7 @@ ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
 DUMMY_SQL_INJECTION_CHARS = ";()'"
 # Simple check against dummy users
-DUMMY_USER_INJECTION = r"(?i)[^\w](AND|OR)\s+[^\s]+[=><]|\bUNION\b.+\bSELECT\b|\A-\d+\Z"
+DUMMY_USER_INJECTION = r"(?i)[^\w](AND|OR)\s+[^\s]+[=><]|\bUNION\b.+\bSELECT\b|\bSELECT\b.+\bFROM\b|\b(CONCAT|information_schema|SLEEP|DELAY)\b"
 # Extensions skipped by crawler
 CRAWL_EXCLUDE_EXTENSIONS = ("gif", "jpg", "jpeg", "image", "jar", "tif", "bmp", "war", "ear", "mpg", "mpeg", "wmv", "mpeg", "scm", "iso", "dmp", "dll", "cab", "so", "avi", "mkv", "bin", "iso", "tar", "png", "pdf", "ps", "wav", "mp3", "mp4", "au", "aiff", "aac", "zip", "rar", "7z", "gz", "flv", "mov", "doc", "docx", "xls", "dot", "dotx", "xlt", "xlsx", "ppt", "pps", "pptx")
diff --git a/xml/errors.xml b/xml/errors.xml
index 498a234de..c1530e27c 100644
--- a/xml/errors.xml
+++ b/xml/errors.xml
@@ -5,6 +5,7 @@
+
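Review bot: The rewritten condition in `paramToDict` depends on `and` binding tighter than `or`, so it evaluates as `(endswith and count == 1) or search(...) or search(...)`; that is presumably the intent, but with the `and not parameter.upper().startswith(...)` continuation on the following line the grouping is easy to misread. Writing the first clause as `(_.endswith("'") and _.count("'") == 1)` makes it explicit, and `re.search(r'\A9{3,}', _)` is simply `_.startswith("999")`. Since `DUMMY_SQL_INJECTION_CHARS` is no longer consulted here, values such as `1;` or `1)` no longer raise the tainted-parameter warning; a one-line comment above the `if` saying the heuristic was deliberately narrowed to cut false positives would save the next reader from re-adding the old check. `paramToDict` continues outside the hunk.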
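Review bot: The added alternative `\b(CONCAT|information_schema|SLEEP|DELAY)\b` runs under the pattern's leading `(?i)`, so everyday words like `delay`, `sleep` or `concat` in a legitimate free-text parameter value (for example `note=please+delay+shipping`) will now trigger the tainted-parameter warning emitted from `paramToDict`. Requiring the call form for the function names and the `WAITFOR` context for `DELAY` keeps the check aimed at SQL fragments rather than English: `\b(CONCAT|SLEEP)\s*\(|\binformation_schema\b|\bWAITFOR\s+DELAY\b`. The dropped `\A-\d+\Z` alternative means a lone negative number no longer trips the check; if that is intentional, the `# Simple check against dummy users` comment is the place to say so. `DUMMY_SQL_INJECTION_CHARS`, two lines above, keeps its definition while this commit removes the only import of it that is visible here (common.py); it may still be referenced elsewhere, but if not it is now dead.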