From 5380e8174b93caede72123250ad9d6b676e5a60c Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Sun, 11 Mar 2018 03:20:33 +0100
Subject: [PATCH] Safer WAF heuristics in case of URI injections
---
 lib/controller/checks.py | 11 ++++++++---
 lib/core/settings.py | 2 +-
 txt/checksum.md5 | 4 ++--
 3 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/lib/controller/checks.py b/lib/controller/checks.py
index 96f8908e0..26fcb4f3c 100644
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -1332,14 +1332,19 @@ def checkWaf():
 retVal = False
 payload = "%d %s" % (randomInt(), IDS_WAF_CHECK_PAYLOAD)
- value = "" if not conf.parameters.get(PLACE.GET) else conf.parameters[PLACE.GET] + DEFAULT_GET_POST_DELIMITER
- value += "%s=%s" % (randomStr(), agent.addPayloadDelimiters(payload))
+ if PLACE.URI in conf.parameters:
+ place = PLACE.POST
+ value = "%s=%s" % (randomStr(), agent.addPayloadDelimiters(payload))
+ else:
+ place = PLACE.GET
+ value = "" if not conf.parameters.get(PLACE.GET) else conf.parameters[PLACE.GET] + DEFAULT_GET_POST_DELIMITER
+ value += "%s=%s" % (randomStr(), agent.addPayloadDelimiters(payload))
 pushValue(conf.timeout)
 conf.timeout = IDS_WAF_CHECK_TIMEOUT
 try:
- retVal = Request.queryPage(place=PLACE.GET, value=value, getRatioValue=True, noteResponseTime=False, silent=True)[1] < IDS_WAF_CHECK_RATIO
+ retVal = Request.queryPage(place=place, value=value, getRatioValue=True, noteResponseTime=False, silent=True)[1] < IDS_WAF_CHECK_RATIO
 except SqlmapConnectionException:
 retVal = True
 finally:
diff --git a/lib/core/settings.py b/lib/core/settings.py
index 72bbce430..3207eb04f 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
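Review bot: In the new `PLACE.URI` branch the probe value is only the random parameter, so if Request.queryPage() substitutes `value` for the whole POST body the way it substitutes the GET string, any POST data the target request already carries (`conf.parameters[PLACE.POST]`) is dropped from the WAF probe, while the `else` branch deliberately keeps the existing GET parameters and appends to them. A response that differs only because the body was emptied can push the ratio under `IDS_WAF_CHECK_RATIO` and report a WAF that is not there, and the same applies where a target that was only ever requested with GET now receives a POST. Mirroring the GET branch would be `value = "" if not conf.parameters.get(PLACE.POST) else conf.parameters[PLACE.POST] + DEFAULT_GET_POST_DELIMITER` followed by the existing `value += "%s=%s" % (randomStr(), agent.addPayloadDelimiters(payload))`. The reason for moving the probe out of the URI is not recorded; a comment such as `# URI injection: carry the probe in the body so the marker does not change the request path` above the `if` would explain the branch. checkWaf() begins before this hunk and continues after it.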
@@ -19,7 +19,7 @@ from lib.core.enums import DBMS_DIRECTORY_NAME
 from lib.core.enums import OS
 # sqlmap version (...)
-VERSION = "1.2.3.14"
+VERSION = "1.2.3.15"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
diff --git a/txt/checksum.md5 b/txt/checksum.md5
index 6e21bf0e1..b94c0dd07 100644
--- a/txt/checksum.md5
+++ b/txt/checksum.md5
@@ -21,7 +21,7 @@ c88d66597f4aab719bde4542b0a1a6e0 extra/shutils/regressiontest.py 1e5532ede194ac9c083891c2f02bca93 extra/sqlharvest/__init__.py b3e60ea4e18a65c48515d04aab28ff68 extra/sqlharvest/sqlharvest.py 0f581182871148b0456a691ae85b04c0 lib/controller/action.py -5132e59761d8bb617412d2aaaf987716 lib/controller/checks.py +e8533a8a406fe58cc610337639ed4bb1 lib/controller/checks.py 9fbd66da9b5cf58bbb8474ccf9252bb7 lib/controller/controller.py a7b0c8e5a18a3abe8803999dcfc4664f lib/controller/handler.py 1e5532ede194ac9c083891c2f02bca93 lib/controller/__init__.py
@@ -46,7 +46,7 @@ ffa5f01f39b17c8d73423acca6cfe86a lib/core/readlineng.py 0c3eef46bdbf87e29a3f95f90240d192 lib/core/replication.py a7db43859b61569b601b97f187dd31c5 lib/core/revision.py fcb74fcc9577523524659ec49e2e964b lib/core/session.py -b7e3ed2ba524c6b532fcc13025bd7dc3 lib/core/settings.py +32680252839964d1ff2c62207f64b3b0 lib/core/settings.py d0adc28a38e43a787df4471f7f027413 lib/core/shell.py 63491be462c515a1a3880c27c2acc4a2 lib/core/subprocessng.py 3cc852f927833895361973fbcfd156d2 lib/core/target.py