From 7587528ebd2ffcc51e877b5cfea4a190416d9675 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Thu, 26 Mar 2015 11:40:19 +0100
Subject: [PATCH] Fixes #1202
---
 lib/controller/controller.py | 9 +++++++++
 lib/request/basic.py | 2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/lib/controller/controller.py b/lib/controller/controller.py
index 1f47d0890..b217438a9 100644
--- a/lib/controller/controller.py
+++ b/lib/controller/controller.py
@@ -30,6 +30,8 @@ from lib.core.common import hashDBWrite
 from lib.core.common import intersect
 from lib.core.common import isListLike
 from lib.core.common import parseTargetUrl
+from lib.core.common import popValue
+from lib.core.common import pushValue
 from lib.core.common import randomStr
 from lib.core.common import readInput
 from lib.core.common import safeCSValue
@@ -488,6 +490,10 @@ def start():
 kb.testedParams.add(paramKey)
 if testSqlInj:
+ if place == PLACE.COOKIE:
+ pushValue(kb.mergeCookies)
+ kb.mergeCookies = False
+
 check = heuristicCheckSqlInjection(place, parameter)
 if check != HEURISTIC_TEST.POSITIVE:
@@ -523,6 +529,9 @@ def start():
 warnMsg += "injectable"
 logger.warn(warnMsg)
+ if place == PLACE.COOKIE:
+ kb.mergeCookies = popValue()
+
 if len(kb.injections) == 0 or (len(kb.injections) == 1 and kb.injections[0].place is None):
 if kb.vainRun and not conf.multipleTargets:
 errMsg = "no parameter(s) found for testing in the provided data "
diff --git a/lib/request/basic.py b/lib/request/basic.py
index fa6dd8cee..9815b59ed 100755
--- a/lib/request/basic.py
+++ b/lib/request/basic.py
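Review bot: The `kb.mergeCookies = popValue()` added in the `@@ -523,6 +529,9 @@` hunk restores the flag only on the fall-through path, while the matching `pushValue(kb.mergeCookies)` / `kb.mergeCookies = False` in the `@@ -488,6 +490,10 @@` hunk has no cleanup if the code between the two hunks (not shown here) leaves the `if testSqlInj:` body early through a `continue`, a `break`, or an exception raised by `heuristicCheckSqlInjection` or the detection that follows. On such a path the shared value stack keeps the pushed entry and cookie merging stays disabled for every later parameter and target, so later pops may also return the wrong value. Wrapping the span in `try:`/`finally:` so the pop runs unconditionally closes this; indentation is lost in this rendering, so it is also worth confirming that the pop sits at the same depth as the push inside the `if testSqlInj:` block. `start()` begins and ends outside both hunks.
```python
                    if testSqlInj:
                        try:
                            if place == PLACE.COOKIE:
                                pushValue(kb.mergeCookies)
                                kb.mergeCookies = False

                            check = heuristicCheckSqlInjection(place, parameter)
                            # … unchanged: heuristic/injection testing between the two hunks …
                        finally:
                            if place == PLACE.COOKIE:
                                kb.mergeCookies = popValue()
```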
@@ -94,7 +94,7 @@ def forgeHeaders(items=None):
 _ = readInput(message, default="Y")
 kb.mergeCookies = not _ or _[0] in ("y", "Y")
- if kb.mergeCookies:
+ if kb.mergeCookies and kb.injection.place != PLACE.COOKIE:
 _ = lambda x: re.sub(r"(?i)\b%s=[^%s]+" % (re.escape(cookie.name), conf.cookieDel or DEFAULT_COOKIE_DELIMITER), "%s=%s" % (cookie.name, getUnicode(cookie.value)), x)
 headers[HTTP_HEADER.COOKIE] = _(headers[HTTP_HEADER.COOKIE])