diff --git a/lib/controller/checks.py b/lib/controller/checks.py
index 958c9e694..88da289d7 100644
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -302,10 +302,12 @@ def checkSqlInjection(place, parameter, value):
 # Use different page template than the original
 # one as we are changing parameters value, which
 # will likely result in a different content
- if not conf.logicalNegate:
- origValue = "-%s" % randomInt()
- else:
+ if conf.invalidLogical:
 origValue = "%s AND %s=%s" % (origValue, randomInt(), randomInt())
+ elif conf.invalidBignum:
+ origValue = "%d.%d" % (randomInt(6), randomInt(1))
+ else:
+ origValue = "-%s" % randomInt()
 templatePayload = agent.payload(place, parameter, newValue=origValue, where=where)
 elif where == PAYLOAD.WHERE.REPLACE:
 origValue = ""
diff --git a/lib/core/agent.py b/lib/core/agent.py
index 210b7fba0..699ef9afb 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -87,15 +87,17 @@ class Agent:
 if where == PAYLOAD.WHERE.ORIGINAL:
 value = origValue
 elif where == PAYLOAD.WHERE.NEGATIVE:
- if not conf.logicalNegate:
+ if conf.invalidLogical:
+ match = re.search(r'\A[^ ]+', newValue)
+ newValue = newValue[len(match.group() if match else ""):]
+ value = "%s%s AND %s=%s" % (origValue, match.group() if match else "", randomInt(2), randomInt(2))
+ elif conf.invalidBignum:
+ value = "%d.%d" % (randomInt(6), randomInt(1))
+ else:
 if newValue.startswith("-"):
 value = ""
 else:
 value = "-%s" % randomInt()
- else:
- match = re.search(r'\A[^ ]+', newValue)
- newValue = newValue[len(match.group() if match else ""):]
- value = "%s%s AND %s=%s" % (origValue, match.group() if match else "", randomInt(2), randomInt(2))
 elif where == PAYLOAD.WHERE.REPLACE:
 value = ""
 else:
diff --git a/lib/core/optiondict.py b/lib/core/optiondict.py
index c47d84e78..d823f6a6d 100644
--- a/lib/core/optiondict.py
+++ b/lib/core/optiondict.py
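Review bot: The new `conf.invalidLogical` branch builds the "invalid" template value from two independent `randomInt()` calls, and nothing prevents them from returning the same number, in which case `AND n=n` is true and the value is not invalidated at all; the same defect is in the agent.py hunk of this commit, where `randomInt(2)` makes the collision far more likely. Draw the second operand until it differs, e.g. `lhs, rhs = randomInt(), randomInt()` followed by `while rhs == lhs: rhs = randomInt()` before formatting, and do the equivalent with `randomInt(2)` in agent.py. The `invalidBignum` branch is unaffected. `checkSqlInjection` starts and ends outside the hunk.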
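Review bot: The `invalidLogical` branch here uses `randomInt(2)` while the matching branch in checks.py builds the page template with `randomInt()` at its default length, so the template response and the payloads later sent are derived from differently shaped values; if the template is meant to approximate those responses, the two call sites should presumably agree on the length. The branch also silently strips the leading whitespace-free token from `newValue` before re-attaching it after `origValue`, which deserves a comment such as `# peel the leading token off newValue, re-attach it after origValue and leave the remainder for the rest of the method — TODO confirm intent`. The enclosing method starts and ends outside the hunk.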
@@ -63,9 +63,10 @@ optDict = {
 "testParameter": "string",
 "dbms": "string",
 "os": "string",
+ "invalidBignum": "boolean",
+ "invalidLogical": "boolean",
 "prefix": "string",
 "suffix": "string",
- "logicalNegate": "boolean",
 "skip": "string",
 "tamper": "string"
 },
diff --git a/lib/parse/cmdline.py b/lib/parse/cmdline.py
index d8b31a00f..8d61604f3 100644
--- a/lib/parse/cmdline.py
+++ b/lib/parse/cmdline.py
@@ -190,20 +190,24 @@ def cmdLineParser():
 help="Force back-end DBMS operating system "
 "to this value")
 
+ injection.add_option("--invalid-bignum", dest="invalidBignum",
+ action="store_true",
+ help="Use big numbers for invalidating values")
+
+ injection.add_option("--invalid-logical", dest="invalidLogical",
+ action="store_true",
+ help="Use logical operations for invalidating values")
+
+ injection.add_option("--no-cast", dest="noCast",
+ action="store_true",
+ help="Turn off payload casting mechanism")
+
 injection.add_option("--prefix", dest="prefix",
 help="Injection payload prefix string")
 
 injection.add_option("--suffix", dest="suffix",
 help="Injection payload suffix string")
 
- injection.add_option("--logical-negate", dest="logicalNegate",
- action="store_true",
- help="Use logic operation(s) for negating values")
-
- injection.add_option("--no-cast", dest="noCast",
- action="store_true",
- help="Turn off payload casting mechanism")
-
 injection.add_option("--skip", dest="skip",
 help="Skip testing for given parameter(s)")
 
diff --git a/sqlmap.conf b/sqlmap.conf
index 58c9f4b07..9093cf887 100644
--- a/sqlmap.conf
+++ b/sqlmap.conf
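Review bot: `--invalid-bignum` and `--invalid-logical` are registered as two independent `store_true` switches with no check that they are not given together, and both consumers in this commit (checks.py and agent.py) silently let `invalidLogical` win when both are set. Either document the precedence in the two help strings or reject the combination once the parsed options are available, e.g. `parser.error("switches '--invalid-bignum' and '--invalid-logical' are mutually exclusive")`; where the project validates conflicting options is not visible in this hunk. The `--no-cast` lines are a pure move. `cmdLineParser` starts and ends outside the hunk.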
@@ -191,20 +191,24 @@ dbms =
 # Valid: linux, windows
 os =
 
+# Use big numbers for invalidating values.
+# Valid: True or False
+invalidBignum = False
+
+# Use logical operations for invalidating values.
+# Valid: True or False
+invalidLogical = False
+
+# Turn off payload casting mechanism
+# Valid: True or False
+noCast = False
+
 # Injection payload prefix string.
 prefix =
 
 # Injection payload suffix string.
 suffix =
 
-# Use logic operation(s) for negating values.
-# Valid: True or False
-logicalNegate = False
-
-# Turn off payload casting mechanism
-# Valid: True or False
-noCast = False
-
 # Skip testing for given parameter(s).
 skip =
 