diff --git a/lib/core/common.py b/lib/core/common.py index a185a40cd..5d4cc68cc 100644 --- a/lib/core/common.py +++ b/lib/core/common.py @@ -568,16 +568,16 @@ def paramToDict(place, parameters=None): parameter = conf.testParameter[0] if not intersect(USER_AGENT_ALIASES + REFERER_ALIASES + HOST_ALIASES, parameter, True): - warnMsg = "provided parameter '%s' " % paramStr - warnMsg += "is not inside the %s" % place - logger.warn(warnMsg) + debugMsg = "provided parameter '%s' " % paramStr + debugMsg += "is not inside the %s" % place + logger.debug(debugMsg) elif len(conf.testParameter) != len(testableParameters.keys()): for parameter in conf.testParameter: if parameter not in testableParameters: - warnMsg = "provided parameter '%s' " % parameter - warnMsg += "is not inside the %s" % place - logger.warn(warnMsg) + debugMsg = "provided parameter '%s' " % parameter + debugMsg += "is not inside the %s" % place + logger.debug(debugMsg) if testableParameters: for parameter, value in testableParameters.items(): diff --git a/lib/core/target.py b/lib/core/target.py index 026cccc0c..73a968950 100644 --- a/lib/core/target.py +++ b/lib/core/target.py @@ -6,6 +6,7 @@ See the file 'doc/COPYING' for copying permission """ import codecs +import functools import os import re import tempfile @@ -86,6 +87,19 @@ def _setRequestParams(): if conf.data is not None: conf.method = HTTPMETHOD.POST + def process(match, repl): + if conf.testParameter and match.group("name") not in conf.testParameter: + retVal = match.group(0) + else: + retVal = repl + while True: + _ = re.search(r"\\g<([^>]+)>", retVal) + if _: + retVal = retVal.replace(_.group(0), match.group(int(_.group(1)) if _.group(1).isdigit() else _.group(1))) + else: + break + return retVal + if re.search(JSON_RECOGNITION_REGEX, conf.data): message = "JSON like data found in POST data. " message += "Do you want to process it? [Y/n/q] " 
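Review bot: Demoting both "provided parameter '%s' is not inside the %s" messages in paramToDict from `logger.warn` to `logger.debug` means a mistyped or misplaced test parameter is no longer reported unless debug output is enabled. That is fine if a later check reports the case where none of the requested parameters is found anywhere, but the hunk does not show one; otherwise a warning should remain for that case. The two branches also build the same message twice, and a single call such as `logger.debug("provided parameter '%s' is not inside the %s" % (parameter, place))` would be shorter. paramToDict starts and ends outside the hunk.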
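Review bot: The `while True` loop in `process` re-scans `retVal` after every substitution, so text copied in from the request body is itself searched for `\g<...>`. A key or value that happens to contain such a sequence is expanded a second time, can raise on an unknown group, or never terminates when it refers back to its own group; `str.replace` also rewrites every occurrence rather than the one just found. The standard library already provides a single-pass expansion, so `retVal = match.expand(repl)` can replace the whole loop. A one-line docstring stating that a match whose `name` group is not listed in `conf.testParameter` is returned unchanged would also help, since the helper is nested inside `_setRequestParams`, whose body continues outside the hunk.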
@@ -94,8 +108,8 @@ def _setRequestParams(): raise SqlmapUserQuitException elif test[0] not in ("n", "N"): conf.data = conf.data.replace(CUSTOM_INJECTION_MARK_CHAR, ASTERISK_MARKER) - conf.data = re.sub(r'("[^"]+"\s*:\s*"[^"]+)"', r'\g<1>%s"' % CUSTOM_INJECTION_MARK_CHAR, conf.data) - conf.data = re.sub(r'("[^"]+"\s*:\s*)(-?\d[\d\.]*\b)', r'\g<0>%s' % CUSTOM_INJECTION_MARK_CHAR, conf.data) + conf.data = re.sub(r'("(?P[^"]+)"\s*:\s*"[^"]+)"', functools.partial(process, repl=r'\g<1>%s"' % CUSTOM_INJECTION_MARK_CHAR), conf.data) + conf.data = re.sub(r'("(?P[^"]+)"\s*:\s*)(-?\d[\d\.]*\b)', functools.partial(process, repl=r'\g<0>%s' % CUSTOM_INJECTION_MARK_CHAR), conf.data) kb.postHint = POST_HINT.JSON elif re.search(SOAP_RECOGNITION_REGEX, conf.data): @@ -106,7 +120,7 @@ def _setRequestParams(): raise SqlmapUserQuitException elif test[0] not in ("n", "N"): conf.data = conf.data.replace(CUSTOM_INJECTION_MARK_CHAR, ASTERISK_MARKER) - conf.data = re.sub(r"(<([^>]+)( [^<]*)?>)([^<]+)(\g<4>%s\g<5>" % CUSTOM_INJECTION_MARK_CHAR, conf.data) + conf.data = re.sub(r"(<(?P[^>]+)( [^<]*)?>)([^<]+)(\g<4>%s\g<5>" % CUSTOM_INJECTION_MARK_CHAR), conf.data) kb.postHint = POST_HINT.SOAP if "soap" in conf.data.lower() else POST_HINT.XML elif re.search(MULTIPART_RECOGNITION_REGEX, conf.data):
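Review bot: With the name filter in place, a key listed in `conf.testParameter` whose JSON value is neither a non-empty quoted string nor a number (`true`, `null`, an empty string, an object or array) matches neither of the two `re.sub` patterns and is silently left unmarked. A short comment above the two calls would make that limit visible, for example `# only non-empty string and numeric values are marked; key names are compared exactly against conf.testParameter`. The enclosing `_setRequestParams` body starts and ends outside the hunk.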