Miroslav Stampar 2019-05-17 11:00:51 +02:00
parent aa5645c71a
commit 519538a1d3
6 changed files with 15 additions and 1 deletions


@ -466,6 +466,8 @@ def start():
skip |= (place == PLACE.COOKIE and intersect(PLACE.COOKIE, conf.skip, True) not in ([], None))
skip |= (place == PLACE.HOST and intersect(PLACE.HOST, conf.skip, True) not in ([], None))
skip |= (conf.paramFilter and place.upper() not in conf.paramFilter)
skip &= not (place == PLACE.USER_AGENT and intersect(USER_AGENT_ALIASES, conf.testParameter, True))
skip &= not (place == PLACE.REFERER and intersect(REFERER_ALIASES, conf.testParameter, True))
skip &= not (place == PLACE.HOST and intersect(HOST_ALIASES, conf.testParameter, True))
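Review bot: The added `skip |= (conf.paramFilter and place.upper() not in conf.paramFilter)` can hand a non-boolean to `|=`. When `conf.paramFilter` is empty, the `and` expression evaluates to the list itself (the `_cleanupOptions` hunk in this commit sets it to `[]` when the option is unset), and `bool | list` raises TypeError. The neighbouring lines all yield real booleans through comparisons or `not`. Assuming `skip` is a bool at this point (its initialisation is outside the hunk), coerce the operand: `skip |= bool(conf.paramFilter and place.upper() not in conf.paramFilter)`.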


@ -1590,6 +1590,11 @@ def _cleanupOptions():
else:
conf.testParameter = []
if conf.paramFilter:
conf.paramFilter = [_.strip() for _ in re.split(PARAMETER_SPLITTING_REGEX, conf.paramFilter.upper())]
else:
conf.paramFilter = []
if conf.base64Parameter:
conf.base64Parameter = urldecode(conf.base64Parameter)
conf.base64Parameter = conf.base64Parameter.replace(" ", "")
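Review bot: The list built for `conf.paramFilter` is never checked against the real place names, so a mistyped value, or an empty token left by a trailing separator, is kept as-is. Judging by the `start()` hunk in this commit, every place would then fail the membership test and be skipped, so a run can finish without testing anything and without saying why. Dropping empty tokens is a one-line change: `conf.paramFilter = [_.strip() for _ in re.split(PARAMETER_SPLITTING_REGEX, conf.paramFilter.upper()) if _.strip()]`. A warning for any entry that is not a known place would make that silent no-op visible. `_cleanupOptions` starts and ends outside this hunk.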


@ -79,6 +79,7 @@ optDict = {
"skip": "string",
"skipStatic": "boolean",
"paramExclude": "string",
"paramFilter": "string",
"dbms": "string",
"dbmsCred": "string",
"os": "string",


@ -18,7 +18,7 @@ from lib.core.enums import OS
from thirdparty.six import unichr as _unichr
# sqlmap version (<major>.<minor>.<month>.<monthly commit>)
VERSION = "1.3.5.102"
VERSION = "1.3.5.103"
TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)


@ -261,6 +261,9 @@ def cmdLineParser(argv=None):
injection.add_option("--param-exclude", dest="paramExclude",
help="Regexp to exclude parameters from testing (e.g. \"ses\")")
injection.add_option("--param-filter", dest="paramFilter",
help="Select testable parameter(s) by place (e.g. \"POST\")")
injection.add_option("--dbms", dest="dbms",
help="Force back-end DBMS to provided value")


@ -245,6 +245,9 @@ skipStatic = False
# Regexp to exclude parameters from testing (e.g. "ses").
paramExclude =
# Select testable parameter(s) by place (e.g. "POST").
paramFilter =
# Force back-end DBMS to provided value. If this option is set, the back-end
# DBMS identification process will be minimized as needed.
# If not set, sqlmap will detect back-end DBMS automatically by default.