From 519538a1d387d285022dc644f37addb2939d3f86 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Fri, 17 May 2019 11:00:51 +0200
Subject: [PATCH] Implements #3549
---
 lib/controller/controller.py | 2 ++
 lib/core/option.py | 5 +++++
 lib/core/optiondict.py | 1 +
 lib/core/settings.py | 2 +-
 lib/parse/cmdline.py | 3 +++
 sqlmap.conf | 3 +++
 6 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/lib/controller/controller.py b/lib/controller/controller.py
index 2cb71f3d0..c35dd5679 100644
--- a/lib/controller/controller.py
+++ b/lib/controller/controller.py
@@ -466,6 +466,8 @@ def start(): skip |= (place == PLACE.COOKIE and intersect(PLACE.COOKIE, conf.skip, True) not in ([], None)) skip |= (place == PLACE.HOST and intersect(PLACE.HOST, conf.skip, True) not in ([], None)) + skip |= (conf.paramFilter and place.upper() not in conf.paramFilter) + skip &= not (place == PLACE.USER_AGENT and intersect(USER_AGENT_ALIASES, conf.testParameter, True)) skip &= not (place == PLACE.REFERER and intersect(REFERER_ALIASES, conf.testParameter, True)) skip &= not (place == PLACE.HOST and intersect(HOST_ALIASES, conf.testParameter, True))
diff --git a/lib/core/option.py b/lib/core/option.py
index ff7c599b9..7228ba0bf 100644
--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -1590,6 +1590,11 @@ def _cleanupOptions(): else: conf.testParameter = [] + if conf.paramFilter: + conf.paramFilter = [_.strip() for _ in re.split(PARAMETER_SPLITTING_REGEX, conf.paramFilter.upper())] + else: + conf.paramFilter = [] + if conf.base64Parameter: conf.base64Parameter = urldecode(conf.base64Parameter) conf.base64Parameter = conf.base64Parameter.replace(" ", "")
diff --git a/lib/core/optiondict.py b/lib/core/optiondict.py
index 8a93de733..cce6cc1cf 100644
--- a/lib/core/optiondict.py
+++ b/lib/core/optiondict.py
@@ -79,6 +79,7 @@ optDict = {
 "skip": "string",
 "skipStatic": "boolean",
 "paramExclude": "string",
+ "paramFilter": "string",
 "dbms": "string",
 "dbmsCred": "string",
 "os": "string",
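Review bot: In lib/controller/controller.py the added `skip |= (conf.paramFilter and place.upper() not in conf.paramFilter)` ORs a list into `skip` whenever no filter is set. The lib/core/option.py hunk of this commit stores `conf.paramFilter = []` in that case, so the `and` short-circuits to `[]`, and `skip |= []` raises TypeError if `skip` is a bool at that point, which the neighbouring comparisons suggest. Coercing the operand avoids this: `skip |= (len(conf.paramFilter) > 0 and place.upper() not in conf.paramFilter)`. The `skip &= not (...)` lines after it can still re-enable a header place named in `conf.testParameter`, so a short comment stating that precedence would help; start() begins and ends outside the hunk.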
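Review bot: In lib/core/option.py the new `conf.paramFilter` list keeps empty tokens and is never checked against the places the tool knows, so a mistyped value or a value made only of separators is accepted silently. The controller.py hunk then skips every place not in that list, which turns such a run into one that tests nothing, and the empty result can be misread as a clean target. Drop the blanks with `conf.paramFilter = [_.strip() for _ in re.split(PARAMETER_SPLITTING_REGEX, conf.paramFilter.upper()) if _.strip()]`, and warn or abort when a remaining value matches no known place. _cleanupOptions() begins and ends outside the hunk.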
diff --git a/lib/core/settings.py b/lib/core/settings.py
index 0859a0fa5..9204094af 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -18,7 +18,7 @@ from lib.core.enums import OS from thirdparty.six import unichr as _unichr # sqlmap version (...) -VERSION = "1.3.5.102" +VERSION = "1.3.5.103" TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable" TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34} VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
diff --git a/lib/parse/cmdline.py b/lib/parse/cmdline.py
index c928ed96c..582715874 100644
--- a/lib/parse/cmdline.py
+++ b/lib/parse/cmdline.py
@@ -261,6 +261,9 @@ def cmdLineParser(argv=None): injection.add_option("--param-exclude", dest="paramExclude", help="Regexp to exclude parameters from testing (e.g. \"ses\")") + injection.add_option("--param-filter", dest="paramFilter", + help="Select testable parameter(s) by place (e.g. \"POST\")") + injection.add_option("--dbms", dest="dbms", help="Force back-end DBMS to provided value")
diff --git a/sqlmap.conf b/sqlmap.conf
index a44604bc2..772b94ad6 100644
--- a/sqlmap.conf
+++ b/sqlmap.conf
@@ -245,6 +245,9 @@ skipStatic = False # Regexp to exclude parameters from testing (e.g. "ses"). paramExclude = +# Select testable parameter(s) by place (e.g. "POST"). +paramFilter = + # Force back-end DBMS to provided value. If this option is set, the back-end # DBMS identification process will be minimized as needed. # If not set, sqlmap will detect back-end DBMS automatically by default.
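Review bot: The help string added for `--param-filter` in lib/parse/cmdline.py does not say that more than one place may be given or that case is ignored, although the split on `PARAMETER_SPLITTING_REGEX` and the `.upper()` call in lib/core/option.py implement both. Proposed wording: `help="Select testable parameter(s) by place, one or more, case-insensitive (e.g. \"POST\")"`, with the same sentence used for the new comment in sqlmap.conf. A line on how the option combines with `conf.testParameter` and `conf.skip` would also let users confirm the scope of a run before starting it. cmdLineParser() begins and ends outside the hunk.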