sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-02-16 19:40:37 +03:00
Code Issues Packages Projects Releases Wiki Activity

Patch for an Issue #1285

Browse Source
This commit is contained in:
Miroslav Stampar 2015-07-06 11:50:59 +02:00
parent 96327b6701
commit 6a1b3895f9
1 changed files with 55 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

96
lib/core/target.py
View File

@ -80,6 +80,7 @@ def _setRequestParams():
return return
testableParameters = False testableParameters = False
skipHeaders = False
# Perform checks on GET parameters # Perform checks on GET parameters
if conf.parameters.get(PLACE.GET): if conf.parameters.get(PLACE.GET):
@ -123,11 +124,17 @@ def _setRequestParams():
else: else:
kb.processUserMarks = not test or test[0] not in ("n", "N") kb.processUserMarks = not test or test[0] not in ("n", "N")
if kb.processUserMarks and "=%s" % CUSTOM_INJECTION_MARK_CHAR in conf.data: if kb.processUserMarks:
warnMsg = "it seems that you've provided empty parameter value(s) " skipHeaders = True
warnMsg += "for testing. Please, always use only valid parameter values "
warnMsg += "so sqlmap could be able to run properly" conf.parameters.clear()
logger.warn(warnMsg) conf.paramDict.clear()
if "=%s" % CUSTOM_INJECTION_MARK_CHAR in conf.data:
warnMsg = "it seems that you've provided empty parameter value(s) "
warnMsg += "for testing. Please, always use only valid parameter values "
warnMsg += "so sqlmap could be able to run properly"
logger.warn(warnMsg)
if not (kb.processUserMarks and CUSTOM_INJECTION_MARK_CHAR in conf.data): if not (kb.processUserMarks and CUSTOM_INJECTION_MARK_CHAR in conf.data):
if re.search(JSON_RECOGNITION_REGEX, conf.data): if re.search(JSON_RECOGNITION_REGEX, conf.data):
@ -241,11 +248,17 @@ def _setRequestParams():
else: else:
kb.processUserMarks = not test or test[0] not in ("n", "N") kb.processUserMarks = not test or test[0] not in ("n", "N")
if kb.processUserMarks and "=%s" % CUSTOM_INJECTION_MARK_CHAR in _: if kb.processUserMarks:
warnMsg = "it seems that you've provided empty parameter value(s) " skipHeaders = True
warnMsg += "for testing. Please, always use only valid parameter values "
warnMsg += "so sqlmap could be able to run properly" conf.parameters.clear()
logger.warn(warnMsg) conf.paramDict.clear()
if "=%s" % CUSTOM_INJECTION_MARK_CHAR in _:
warnMsg = "it seems that you've provided empty parameter value(s) "
warnMsg += "for testing. Please, always use only valid parameter values "
warnMsg += "so sqlmap could be able to run properly"
logger.warn(warnMsg)
if not kb.processUserMarks: if not kb.processUserMarks:
if place == PLACE.URI: if place == PLACE.URI:
@ -304,49 +317,50 @@ def _setRequestParams():
if conf.get(item): if conf.get(item):
conf[item] = conf[item].replace(CUSTOM_INJECTION_MARK_CHAR, "") conf[item] = conf[item].replace(CUSTOM_INJECTION_MARK_CHAR, "")
# Perform checks on Cookie parameters if not skipHeaders:
if conf.cookie: # Perform checks on Cookie parameters
conf.parameters[PLACE.COOKIE] = conf.cookie if conf.cookie:
paramDict = paramToDict(PLACE.COOKIE, conf.cookie) conf.parameters[PLACE.COOKIE] = conf.cookie
paramDict = paramToDict(PLACE.COOKIE, conf.cookie)
if paramDict: if paramDict:
conf.paramDict[PLACE.COOKIE] = paramDict conf.paramDict[PLACE.COOKIE] = paramDict
testableParameters = True testableParameters = True
# Perform checks on header values # Perform checks on header values
if conf.httpHeaders: if conf.httpHeaders:
for httpHeader, headerValue in conf.httpHeaders: for httpHeader, headerValue in conf.httpHeaders:
# Url encoding of the header values should be avoided # Url encoding of the header values should be avoided
# Reference: http://stackoverflow.com/questions/5085904/is-ok-to-urlencode-the-value-in-headerlocation-value # Reference: http://stackoverflow.com/questions/5085904/is-ok-to-urlencode-the-value-in-headerlocation-value
httpHeader = httpHeader.title() httpHeader = httpHeader.title()
if httpHeader == HTTP_HEADER.USER_AGENT: if httpHeader == HTTP_HEADER.USER_AGENT:
conf.parameters[PLACE.USER_AGENT] = urldecode(headerValue) conf.parameters[PLACE.USER_AGENT] = urldecode(headerValue)
condition = any((not conf.testParameter, intersect(conf.testParameter, USER_AGENT_ALIASES))) condition = any((not conf.testParameter, intersect(conf.testParameter, USER_AGENT_ALIASES)))
if condition: if condition:
conf.paramDict[PLACE.USER_AGENT] = {PLACE.USER_AGENT: headerValue} conf.paramDict[PLACE.USER_AGENT] = {PLACE.USER_AGENT: headerValue}
testableParameters = True testableParameters = True
elif httpHeader == HTTP_HEADER.REFERER: elif httpHeader == HTTP_HEADER.REFERER:
conf.parameters[PLACE.REFERER] = urldecode(headerValue) conf.parameters[PLACE.REFERER] = urldecode(headerValue)
condition = any((not conf.testParameter, intersect(conf.testParameter, REFERER_ALIASES))) condition = any((not conf.testParameter, intersect(conf.testParameter, REFERER_ALIASES)))
if condition: if condition:
conf.paramDict[PLACE.REFERER] = {PLACE.REFERER: headerValue} conf.paramDict[PLACE.REFERER] = {PLACE.REFERER: headerValue}
testableParameters = True testableParameters = True
elif httpHeader == HTTP_HEADER.HOST: elif httpHeader == HTTP_HEADER.HOST:
conf.parameters[PLACE.HOST] = urldecode(headerValue) conf.parameters[PLACE.HOST] = urldecode(headerValue)
condition = any((not conf.testParameter, intersect(conf.testParameter, HOST_ALIASES))) condition = any((not conf.testParameter, intersect(conf.testParameter, HOST_ALIASES)))
if condition: if condition:
conf.paramDict[PLACE.HOST] = {PLACE.HOST: headerValue} conf.paramDict[PLACE.HOST] = {PLACE.HOST: headerValue}
testableParameters = True testableParameters = True
if not conf.parameters: if not conf.parameters:
errMsg = "you did not provide any GET, POST and Cookie " errMsg = "you did not provide any GET, POST and Cookie "