minor usability enhancement regarding warning for --text-only switch

This commit is contained in:
Miroslav Stampar 2011-05-26 20:48:18 +00:00
parent ff030e4d24
commit 4f46a5ab63
4 changed files with 24 additions and 7 deletions

View File

@ -502,7 +502,7 @@ def checkSqlInjection(place, parameter, value):
def checkFalsePositives(injection): def checkFalsePositives(injection):
""" """
Checks for false positives Checks for false positives (only in single special cases)
""" """
retVal = injection retVal = injection
@ -521,7 +521,8 @@ def checkFalsePositives(injection):
while randInt1 == randInt2: while randInt1 == randInt2:
randInt2 = int(randomInt(2)) + 1 randInt2 = int(randomInt(2)) + 1
# simple arithmetic operations like in Turing tests # simple arithmetic operations which should show basic
# arithmetic ability of the backend if it's really injectable
if not checkBooleanExpression("(%d+%d)=%d" % (randInt1, randInt2, randInt1 + randInt2)): if not checkBooleanExpression("(%d+%d)=%d" % (randInt1, randInt2, randInt1 + randInt2)):
retVal = None retVal = None
elif checkBooleanExpression("%d=%d" % (randInt1, randInt2)): elif checkBooleanExpression("%d=%d" % (randInt1, randInt2)):

View File

@ -48,6 +48,7 @@ from lib.core.exception import sqlmapUserQuitException
from lib.core.session import setInjection from lib.core.session import setInjection
from lib.core.settings import EMPTY_FORM_FIELDS_REGEX from lib.core.settings import EMPTY_FORM_FIELDS_REGEX
from lib.core.settings import IGNORE_PARAMETERS from lib.core.settings import IGNORE_PARAMETERS
from lib.core.settings import LOW_TEXT_PERCENT
from lib.core.settings import REFERER_ALIASES from lib.core.settings import REFERER_ALIASES
from lib.core.settings import USER_AGENT_ALIASES from lib.core.settings import USER_AGENT_ALIASES
from lib.core.target import initTargetEnv from lib.core.target import initTargetEnv
@ -424,6 +425,8 @@ def start():
logger.warn(warnMsg) logger.warn(warnMsg)
else: else:
kb.foundDynamicParameter = True
infoMsg = "%s parameter '%s' is dynamic" % (place, parameter) infoMsg = "%s parameter '%s' is dynamic" % (place, parameter)
logger.info(infoMsg) logger.info(infoMsg)
@ -469,7 +472,7 @@ def start():
errMsg += "(e.g. GET parameter 'id' in 'www.site.com/index.php?id=1')" errMsg += "(e.g. GET parameter 'id' in 'www.site.com/index.php?id=1')"
raise sqlmapNoneDataException, errMsg raise sqlmapNoneDataException, errMsg
elif not conf.realTest: elif not conf.realTest:
errMsg = "all parameters are not injectable." errMsg = "all parameters appear to be not injectable."
if conf.level < 5 or conf.risk < 3: if conf.level < 5 or conf.risk < 3:
errMsg += " Try to increase --level/--risk values " errMsg += " Try to increase --level/--risk values "
@ -480,10 +483,19 @@ def start():
if not conf.textOnly and kb.originalPage: if not conf.textOnly and kb.originalPage:
percent = (100.0 * len(getFilteredPageContent(kb.originalPage)) / len(kb.originalPage)) percent = (100.0 * len(getFilteredPageContent(kb.originalPage)) / len(kb.originalPage))
if kb.dynamicParameters:
errMsg += " Give it a go with the --text-only switch " errMsg += " Give it a go with the --text-only switch "
errMsg += "if the target page has a low percentage of " errMsg += "if the target page has a low percentage of "
errMsg += "textual content (~%.2f%% of " % percent errMsg += "textual content (~%.2f%% of " % percent
errMsg += "page content is text)." errMsg += "page content is text)."
elif percent < LOW_TEXT_PERCENT:
errMsg = " Please retry with the --text-only switch "
errMsg += "as this case looks like a perfect candidate "
errMsg += "(low textual content along with inability "
errMsg += "of comparison engine to detect at least "
errMsg += "one dynamic parameter)."
raise sqlmapNoneDataException, errMsg
if not conf.string and not conf.regexp: if not conf.string and not conf.regexp:
errMsg += " Rerun by providing either a valid --string " errMsg += " Rerun by providing either a valid --string "

View File

@ -1341,6 +1341,7 @@ def __setKnowledgeBaseAttributes(flushAll=True):
kb.dep = None kb.dep = None
kb.docRoot = None kb.docRoot = None
kb.dynamicMarkings = [] kb.dynamicMarkings = []
kb.dynamicParameters = False
kb.endDetection = False kb.endDetection = False
kb.httpErrorCodes = {} kb.httpErrorCodes = {}
kb.errorIsNone = True kb.errorIsNone = True

View File

@ -339,3 +339,6 @@ LOCALHOST = "127.0.0.1"
# Default ports used in Tor proxy bundles # Default ports used in Tor proxy bundles
DEFAULT_TOR_PORTS = (8118, 8123) DEFAULT_TOR_PORTS = (8118, 8123)
# Percentage below which comparison engine could have problems
LOW_TEXT_PERCENT = 20