Bug fix (error heuristics not working in heavy dynamicity cases)

data/xml/errors.xml

@@ -42,7 +42,7 @@
         <error regexp="\bSQL Server[^&lt;&quot;]+Driver"/>
         <error regexp="Warning.*?\W(mssql|sqlsrv)_"/>
         <error regexp="\bSQL Server[^&lt;&quot;]+[0-9a-fA-F]{8}"/>
-        <error regexp="System\.Data\.SqlClient\.SqlException"/>
+        <error regexp="System\.Data\.SqlClient\.(SqlException|SqlConnection\.OnError)"/>
         <error regexp="(?s)Exception.*?\bRoadhouse\.Cms\."/>
         <error regexp="Microsoft SQL Native Client error '[0-9a-fA-F]{8}"/>
         <error regexp="\[SQL Server\]"/>
@@ -55,6 +55,7 @@
         <error regexp="com\.microsoft\.sqlserver\.jdbc"/>
         <error regexp="Pdo[./_\\](Mssql|SqlSrv)"/>
         <error regexp="SQL(Srv|Server)Exception"/>
+        <error regexp="Unclosed quotation mark after the character string"/>
     </dbms>
 
     <dbms value="Microsoft Access">

lib/controller/checks.py

@@ -157,6 +157,7 @@ def checkSqlInjection(place, parameter, value):
                 # error message, simple heuristic check or via DBMS-specific
                 # payload), ask the user to limit the tests to the fingerprinted
                 # DBMS
+
                 if kb.reduceTests is None and not conf.testFilter and (intersect(Backend.getErrorParsedDBMSes(), SUPPORTED_DBMS, True) or kb.heuristicDbms or injection.dbms):
                     msg = "it looks like the back-end DBMS is '%s'. " % (Format.getErrorParsedDBMSes() or kb.heuristicDbms or joinValue(injection.dbms, '/'))
                     msg += "Do you want to skip test payloads specific for other DBMSes? [Y/n]"
@@ -1041,11 +1042,6 @@ def heuristicCheckSqlInjection(place, parameter):
     if conf.skipHeuristics:
         return None
 
-    if kb.heavilyDynamic:
-        debugMsg = "heuristic check skipped because of heavy dynamicity"
-        logger.debug(debugMsg)
-        return None
-
     origValue = conf.paramDict[place][parameter]
     paramType = conf.method if conf.method not in (None, HTTPMETHOD.GET, HTTPMETHOD.POST) else place
 
@@ -1082,7 +1078,7 @@ def heuristicCheckSqlInjection(place, parameter):
 
     casting = _(page) and not _(kb.originalPage)
 
-    if not casting and not result and kb.dynamicParameter and origValue.isdigit():
+    if not casting and not result and kb.dynamicParameter and origValue.isdigit() and not kb.heavilyDynamic:
         randInt = int(randomInt())
         payload = "%s%s%s" % (prefix, "%d-%d" % (int(origValue) + randInt, randInt), suffix)
         payload = agent.payload(place, parameter, newValue=payload, where=PAYLOAD.WHERE.REPLACE)
@@ -1096,6 +1092,11 @@ def heuristicCheckSqlInjection(place, parameter):
 
     kb.heuristicTest = HEURISTIC_TEST.CASTED if casting else HEURISTIC_TEST.NEGATIVE if not result else HEURISTIC_TEST.POSITIVE
 
+    if kb.heavilyDynamic:
+        debugMsg = "heuristic check stopped because of heavy dynamicity"
+        logger.debug(debugMsg)
+        return kb.heuristicTest
+
     if casting:
         errMsg = "possible %s casting detected (e.g. '" % ("integer" if origValue.isdigit() else "type")
 

lib/core/settings.py

@@ -18,7 +18,7 @@ from lib.core.enums import OS
 from thirdparty.six import unichr as _unichr
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.5.1.28"
+VERSION = "1.5.1.29"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)