From 5044894928b66310ca5cb7e28d381bf199000ee3 Mon Sep 17 00:00:00 2001 From: Miroslav Stampar Date: Mon, 18 Nov 2019 12:08:26 +0100 Subject: [PATCH] Minor update of vuln tests --- extra/vulnserver/vulnserver.py | 7 +++++-- lib/core/settings.py | 2 +- lib/core/testing.py | 3 ++- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/extra/vulnserver/vulnserver.py b/extra/vulnserver/vulnserver.py index 61174a350..1896c27dd 100644 --- a/extra/vulnserver/vulnserver.py +++ b/extra/vulnserver/vulnserver.py @@ -126,7 +126,7 @@ class ReqHandler(BaseHTTPRequestHandler): if self.url == '/': self.send_response(OK) - if "id" not in params: + if not any(_ in self.params for _ in ("id", "query")): self.send_header("Content-type", "text/html") self.send_header("Connection", "close") self.end_headers() @@ -145,7 +145,10 @@ class ReqHandler(BaseHTTPRequestHandler): output += "%s
" % self.params["echo"] with _lock: - _cursor.execute("SELECT * FROM users WHERE id=%s LIMIT 0, 1" % self.params.get("id", "")) + if "query" in self.params: + _cursor.execute(self.params["query"]) + elif "id" in self.params: + _cursor.execute("SELECT * FROM users WHERE id=%s LIMIT 0, 1" % self.params["id"]) results = _cursor.fetchall() output += "SQL results:\n" diff --git a/lib/core/settings.py b/lib/core/settings.py index 2238079c5..e67a87cf8 100644 --- a/lib/core/settings.py +++ b/lib/core/settings.py @@ -18,7 +18,7 @@ from lib.core.enums import OS from thirdparty.six import unichr as _unichr # sqlmap version (...) -VERSION = "1.3.11.77" +VERSION = "1.3.11.78" TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable" TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34} VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE) diff --git a/lib/core/testing.py b/lib/core/testing.py index 42981fc11..99a280dce 100644 --- a/lib/core/testing.py +++ b/lib/core/testing.py @@ -65,7 +65,6 @@ def vulnTest(): TESTS = ( ("-r --flush-session", ("CloudFlare",)), - ("-u '&echo=foobar*' --flush-session", ("might be vulnerable to cross-site scripting",)), ("-u --flush-session --forms --crawl=2 --banner", ("total of 2 targets", "might be injectable", "Type: UNION query", "banner: '3")), ("-u --flush-session --data='{\"id\": 1}' --banner", ("might be injectable", "3 columns", "Payload: {\"id\"", "Type: boolean-based blind", "Type: time-based blind", "Type: UNION query", "banner: '3")), ("-u --flush-session --data='' --union-char=1 --mobile --banner --smart", ("might be injectable", "Payload: --banner --schema --dump -T users --binary-fields=surname --where \"id>3\"", ("banner: '3", "INTEGER", "TEXT", "id", "name", "surname", "2 entries", "6E616D6569736E756C6C")), ("-u --flush-session --all", ("5 entries", "Type: boolean-based blind", "Type: time-based blind", "Type: UNION query", "luther", "blisset", "fluffy", "179ad45c6ce2cb97cf1029e212046e81", "NULL", "nameisnull", "testpass")), ("-u -z \"tec=B\" --hex --fresh-queries --threads=4 --sql-query=\"SELECT * FROM users\"", ("SELECT * FROM users [5]", "nameisnull")), + ("-u '&echo=foobar*' --flush-session", ("might be vulnerable to cross-site scripting",)), + ("-u '&query=*' --flush-session --technique=Q --banner", ("Title: SQLite inline queries", "banner: '3")), ("-d --flush-session --dump -T users --binary-fields=name --where \"id=3\"", ("7775", "179ad45c6ce2cb97cf1029e212046e81 (testpass)",)), ("-d --flush-session --banner --schema --sql-query=\"SELECT 987654321\"", ("banner: '3", "INTEGER", "TEXT", "id", "name", "surname", "[*] 987654321",)), )