Implementation of an Issue #161

2024-11-25 19:13:48 +03:00 · 2012-08-22 11:27:58 +02:00 · 2012-08-22 11:27:58 +02:00 · 61151447fe
commit 61151447fe
parent 6210ddfbd6
3 changed files with 21 additions and 5 deletions
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@ -627,21 +627,27 @@ def heuristicCheckSqlInjection(place, parameter):
    page, _ = Request.queryPage(payload, place, content=True, raise404=False)

    parseFilePaths(page)
-
    result = wasLastRequestDBMSError()

    infoMsg = "heuristic test shows that %s " % place
    infoMsg += "parameter '%s' might " % parameter

+    casting = False
    if not result and kb.dynamicParameter:
-        _ = conf.paramDict[place][parameter]
+        origValue = conf.paramDict[place][parameter]

-        if _ and _.isdigit():
+        if origValue and origValue.isdigit():
            randInt = int(randomInt())
-            payload = "%s%s%s" % (prefix, "%d-%d" % (int(_) + randInt, randInt), suffix)
+            payload = "%s%s%s" % (prefix, "%d-%d" % (int(origValue) + randInt, randInt), suffix)
            payload = agent.payload(place, parameter, newValue=payload, where=PAYLOAD.WHERE.REPLACE)
            result = Request.queryPage(payload, place, raise404=False)

+            if not result:
+                randStr = randomStr()
+                payload = "%s%s%s" % (prefix, "%s%s" % (origValue, randStr), suffix)
+                payload = agent.payload(place, parameter, newValue=payload, where=PAYLOAD.WHERE.REPLACE)
+                casting = Request.queryPage(payload, place, raise404=False)
+
    kb.heuristicTest = result

    if result:
@ -651,6 +657,15 @@ def heuristicCheckSqlInjection(place, parameter):
        infoMsg += "not be injectable"
        logger.warn(infoMsg)

+    if casting:
+        errMsg = "possible integer casting "
+        errMsg += "detected (e.g. %s=(int)$_REQUEST('%s')) " % (parameter, parameter)
+        errMsg += "at the back-end web application"
+        logger.error(errMsg)
+
+        message = "do you want to skip those kind of cases? [Y/n] "
+        kb.ignoreCasted = readInput(message, default='Y').upper() != 'N'
+
    return result

 def checkDynParam(place, parameter, value):
--- a/lib/controller/controller.py
+++ b/lib/controller/controller.py
@ -454,7 +454,7 @@ def start():
                            check = heuristicCheckSqlInjection(place, parameter)

                            if not check:
-                                if conf.smart:
+                                if conf.smart or kb.ignoreCasted:
                                    infoMsg = "skipping %s parameter '%s'" % (place, parameter)
                                    logger.info(infoMsg)
                                    continue
--- a/lib/core/option.py
+++ b/lib/core/option.py
@ -1496,6 +1496,7 @@ def __setKnowledgeBaseAttributes(flushAll=True):
    kb.htmlFp = []
    kb.httpErrorCodes = {}
    kb.inferenceMode = False
+    kb.ignoreCasted = False
    kb.ignoreNotFound = False
    kb.ignoreTimeout = False
    kb.injection = InjectionDict()