update

2024-11-25 11:03:47 +03:00 · 2010-03-05 14:06:03 +00:00 · 2010-03-05 14:06:03 +00:00 · 6fd1f7f77c
commit 6fd1f7f77c
parent 20d8275f0e
3 changed files with 57 additions and 8 deletions
--- a/doc/README.sgml
+++ b/doc/README.sgml
@ -1578,7 +1578,16 @@ connection timeouts. By default it retries up to three times.

 <p>
 Option: <tt>-</tt><tt>-scope</tt>
-#TODO
+
+<p>
+Rather than using all hosts parsed from provided logs with option 
+<tt>-l</tt>, in combination with this option you can specify valid 
+python regular expression to be used for filtering desired ones.
+
+Example usage:
+
+<tscreen><verb>
+$ python sqlmap.py -l /tmp/webscarab.log/conversations/ --scope="(www)?\.target\.(com|net|org)"


 <sect1>Injection
@ -1588,6 +1597,7 @@ These options can be used to specify which parameters to test for, provide
 custom injection payloads and how to parse and compare HTTP responses page
 content when using the blind SQL injection technique.

+
 <sect2>Testable parameter(s)

 <p>
@ -5358,11 +5368,11 @@ back-end DBMS:	Microsoft SQL Server 2000
 [hh:mm:57] [INFO] fetching number of database users
 [hh:mm:57] [INFO] retrieved: 3
 [hh:mm:57] [INFO] retrieved the length of query output: 22
-100% [====================================================] 22/22              
+100% [====================================================] 22/22
 [hh:mm:58] [INFO] retrieved the length of query output: 2
-100% [====================================================] 2/2                
+100% [====================================================] 2/2
 [hh:mm:59] [INFO] retrieved the length of query output: 25
-100% [====================================================] 25/25              
+100% [====================================================] 25/25
 [hh:mm:00] [DEBUG] performed 181 queries in 1 seconds
 database management system users [3]:
 [*] BUILTIN\Administrators
@ -5380,7 +5390,42 @@ counts the number of retrieved query output characters.

 <p>
 Option: <tt>-</tt><tt>-gpage</tt>
-#TODO
+
+<p>
+Default sqlmap behavior with option <tt>-g</tt> is to do a google
+search and use resulting urls from first (100) result page for further 
+sql injection testing. In combination with this option you can specify
+some other page other than the first one for retrieving target urls.
+
+<p>
+Example of Google dorking with expression <tt>login ext:php</tt> 
+and resulting page set to 3:
+
+<tscreen><verb>
+$ python sqlmap.py -g "login ext:php" --gpage=3 -v 1
+
+[14:11:12] [INFO] first request to Google to get the session cookie
+[14:11:12] [INFO] using search result page #3
+[14:11:12] [INFO] sqlmap got 100 results for your Google dork expression, 5 of them are testable targets
+[14:11:12] [INFO] sqlmap got a total of 5 targets
+url 1:
+GET http://myjobstreet-beta.jobstreet.com/home/login.php?site=in
+do you want to test this url? [Y/n/q]
+> 
+[14:11:14] [INFO] testing url http://myjobstreet-beta.jobstreet.com/home/login.php?site=in
+[14:11:14] [INFO] using '/home/stamparm/Work/sqlmap/sqlmap/output/None/session' as session file
+[14:11:14] [INFO] testing connection to the target url
+[14:11:15] [INFO] testing if the url is stable, wait a few seconds
+[14:11:19] [INFO] url is stable
+[14:11:19] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
+[14:11:21] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
+[14:11:21] [INFO] testing if Cookie parameter 'REFERP' is dynamic
+[14:11:22] [WARNING] Cookie parameter 'REFERP' is not dynamic
+[14:11:22] [INFO] testing if Cookie parameter 'PHPSESSID' is dynamic
+[14:11:24] [INFO] confirming that Cookie parameter 'PHPSESSID' is dynamic
+[14:11:27] [INFO] Cookie parameter 'PHPSESSID' is dynamic
+[...]
+</verb></tscreen>


 <sect2>Update <tt>sqlmap</tt>
--- a/lib/core/option.py
+++ b/lib/core/option.py
@ -104,6 +104,9 @@ def __feedTargetsDict(reqFile, addedTargetUrls):
    port   = None
    scheme = None

+    if conf.scope:
+        logger.info("using regex: '%s' for filtering targets" % conf.scope)
+
    for request in reqResList:
        if scheme is None:
            schemePort = re.search("\d\d[\:|\.]\d\d[\:|\.]\d\d\s+(http[\w]*)\:\/\/.*?\:([\d]+)", request, re.I)
@ -163,10 +166,10 @@ def __feedTargetsDict(reqFile, addedTargetUrls):
            elif method is not None and method == "POST" and "=" in line:
                data   = line
                params = True
-        
+
        if conf.scope:
            getPostReq &= re.search(conf.scope, host) is not None
-            
+
        if getPostReq and params:
            if not url.startswith("http"):
                url    = "%s://%s:%s%s" % (scheme or "http", host, port or "80", url)
--- a/lib/utils/google.py
+++ b/lib/utils/google.py
@ -93,7 +93,8 @@ class Google:
        """

        gpage = conf.googlePage if conf.googlePage > 1 else 1
-
+        logger.info("using search result page #%d" % gpage)
+        
        if not googleDork:
            return None