Cosmetic fixes

Bernardo Damele 2010-10-16 15:10:48 +00:00
parent 1336b97c2c
commit 84ed7f192a
2 changed files with 37 additions and 7 deletions


@ -99,11 +99,15 @@ def heuristicCheckSqlInjection(place, parameter, value):
postfix = conf.postfix postfix = conf.postfix
payload = "%s%s%s" % (prefix, randomStr(length=10, alphabet=['"', '\'', ')', '(']), postfix) payload = "%s%s%s" % (prefix, randomStr(length=10, alphabet=['"', '\'', ')', '(']), postfix)
if place == "URI": if place == "URI":
payload = conf.paramDict[place][parameter].replace('*', payload) payload = conf.paramDict[place][parameter].replace('*', payload)
Request.queryPage(payload, place) Request.queryPage(payload, place)
result = kb.lastErrorPage and kb.lastErrorPage[0]==kb.lastRequestUID result = kb.lastErrorPage and kb.lastErrorPage[0]==kb.lastRequestUID
infoMsg = "(error based) heuristics show that %s parameter '%s' is " % (place, parameter) infoMsg = "(error based) heuristics show that %s parameter '%s' is " % (place, parameter)
if result: if result:
infoMsg += "injectable" infoMsg += "injectable"
logger.info(infoMsg) logger.info(infoMsg)
@ -147,6 +151,7 @@ def checkDynamicContent(*pages):
This function checks if the provided pages have dynamic content. If they This function checks if the provided pages have dynamic content. If they
are dynamic, their content differs at specific lines. are dynamic, their content differs at specific lines.
""" """
infoMsg = "searching for dynamic content" infoMsg = "searching for dynamic content"
logger.info(infoMsg) logger.info(infoMsg)
@ -170,6 +175,7 @@ def checkDynamicContent(*pages):
for other in kb.dynamicContent: for other in kb.dynamicContent:
found = True found = True
if other.pageTotal == item.pageTotal: if other.pageTotal == item.pageTotal:
if isinstance(other.lineNumber, int): if isinstance(other.lineNumber, int):
if other.lineNumber == item.lineNumber - 1: if other.lineNumber == item.lineNumber - 1:
@ -235,28 +241,34 @@ def checkStability():
elif not condition: elif not condition:
warnMsg = "url is not stable, sqlmap will base the page " warnMsg = "url is not stable, sqlmap will base the page "
warnMsg += "comparison on a sequence matcher. if no dynamic nor " warnMsg += "comparison on a sequence matcher. If no dynamic nor "
warnMsg += "injectable parameters are detected, or in case of junk " warnMsg += "injectable parameters are detected, or in case of "
warnMsg += "results, refer to user's " warnMsg += "junk results, refer to user's manual paragraph "
warnMsg += "manual paragraph 'Page comparison' and provide a " warnMsg += "'Page comparison' and provide a string or regular "
warnMsg += "string or regular expression to match on" warnMsg += "expression to match on"
logger.warn(warnMsg) logger.warn(warnMsg)
message = "how do you want to proceed? [C(ontinue)/s(tring)/r(egex)/q(uit)] " message = "how do you want to proceed? [C(ontinue)/s(tring)/r(egex)/q(uit)] "
test = readInput(message, default="C") test = readInput(message, default="C")
if test and test[0] in ("q", "Q"): if test and test[0] in ("q", "Q"):
raise sqlmapUserQuitException raise sqlmapUserQuitException
elif test and test[0] in ("s", "S"): elif test and test[0] in ("s", "S"):
showStaticWords(firstPage, secondPage) showStaticWords(firstPage, secondPage)
message = "please enter value for parameter 'string': " message = "please enter value for parameter 'string': "
test = readInput(message) test = readInput(message)
if test: if test:
conf.string = test conf.string = test
else: else:
raise sqlmapSilentQuitException raise sqlmapSilentQuitException
elif test and test[0] in ("r", "R"): elif test and test[0] in ("r", "R"):
message = "please enter value for parameter 'regex': " message = "please enter value for parameter 'regex': "
test = readInput(message) test = readInput(message)
if test: if test:
conf.regex = test conf.regex = test
else: else:
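Review bot: In the checkStability hunk the value typed at the 'regex' prompt is stored as entered (`conf.regex = test`), with no check that it is a valid pattern. If nothing later compiles it defensively, which this hunk does not show, a malformed expression would only fail when the page comparison first uses it. Calling `re.compile(test)` at the prompt inside a `try`/`except re.error` that re-asks or quits cleanly would keep the error next to the input. The function starts before the hunk and continues after it.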


@ -1107,33 +1107,42 @@ def sanitizeAsciiString(subject):
def preparePageForLineComparison(page): def preparePageForLineComparison(page):
retVal = page retVal = page
if isinstance(page, basestring): if isinstance(page, basestring):
return page.replace("><", ">\n<").replace("<br>", "\n").splitlines() return page.replace("><", ">\n<").replace("<br>", "\n").splitlines()
return retVal return retVal
def getFilteredPageContent(page): def getFilteredPageContent(page):
retVal = page retVal = page
if isinstance(page, basestring): if isinstance(page, basestring):
retVal = re.sub(r"(?s)<script.+?</script>|<style.+?</style>|<[^>]+>|\t|\n|\r", " ", page) retVal = re.sub(r"(?s)<script.+?</script>|<style.+?</style>|<[^>]+>|\t|\n|\r", " ", page)
while retVal.find(" ") != -1: while retVal.find(" ") != -1:
retVal = retVal.replace(" ", " ") retVal = retVal.replace(" ", " ")
return retVal return retVal
def getPageTextWordsSet(page): def getPageTextWordsSet(page):
retVal = None retVal = None
if isinstance(page, basestring): if isinstance(page, basestring):
page = getFilteredPageContent(page) page = getFilteredPageContent(page)
retVal = set(re.findall(r"\w+", page)) retVal = set(re.findall(r"\w+", page))
return retVal return retVal
def showStaticWords(firstPage, secondPage): def showStaticWords(firstPage, secondPage):
infoMsg = "finding static words in longest matching part of dynamic page content" infoMsg = "finding static words in longest matching part of dynamic page content"
logger.info(infoMsg) logger.info(infoMsg)
firstPage = getFilteredPageContent(firstPage) firstPage = getFilteredPageContent(firstPage)
secondPage = getFilteredPageContent(secondPage) secondPage = getFilteredPageContent(secondPage)
match = SequenceMatcher(None, firstPage, secondPage).find_longest_match(0, len(firstPage), 0, len(secondPage)) match = SequenceMatcher(None, firstPage, secondPage).find_longest_match(0, len(firstPage), 0, len(secondPage))
commonText = firstPage[match[0]:match[0]+match[2]] commonText = firstPage[match[0]:match[0]+match[2]]
commonWords = getPageTextWordsSet(commonText) commonWords = getPageTextWordsSet(commonText)
infoMsg = "static words: " infoMsg = "static words: "
if commonWords: if commonWords:
@ -1190,6 +1199,7 @@ def posixToNtSlashes(filepath):
>>> posixToNtSlashes('C:/Windows') >>> posixToNtSlashes('C:/Windows')
'C:\\\\Windows' 'C:\\\\Windows'
""" """
return filepath.replace('/', '\\') return filepath.replace('/', '\\')
def ntToPosixSlashes(filepath): def ntToPosixSlashes(filepath):
@ -1199,6 +1209,7 @@ def ntToPosixSlashes(filepath):
>>> ntToPosixSlashes('C:\\Windows') >>> ntToPosixSlashes('C:\\Windows')
'C:/Windows' 'C:/Windows'
""" """
return filepath.replace('\\', '/') return filepath.replace('\\', '/')
def isBase64EncodedString(subject): def isBase64EncodedString(subject):
@ -1209,6 +1220,7 @@ def isBase64EncodedString(subject):
>>> isBase64EncodedString('123456') >>> isBase64EncodedString('123456')
False False
""" """
return re.match(r"\A(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?\Z", subject) is not None return re.match(r"\A(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?\Z", subject) is not None
def isHexEncodedString(subject): def isHexEncodedString(subject):
@ -1219,6 +1231,7 @@ def isHexEncodedString(subject):
>>> isHexEncodedString('test') >>> isHexEncodedString('test')
False False
""" """
return re.match(r"\A[0-9a-fA-F]+\Z", subject) is not None return re.match(r"\A[0-9a-fA-F]+\Z", subject) is not None
def getConsoleWidth(default=80): def getConsoleWidth(default=80):
@ -1229,12 +1242,14 @@ def getConsoleWidth(default=80):
else: else:
output=subprocess.Popen('stty size', shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE).stdout.read() output=subprocess.Popen('stty size', shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE).stdout.read()
items = output.split() items = output.split()
if len(items) == 2 and items[1].isdigit(): if len(items) == 2 and items[1].isdigit():
width = int(items[1]) width = int(items[1])
if width is None: if width is None:
try: try:
import curses import curses
stdscr = curses.initscr() stdscr = curses.initscr()
_, width = stdscr.getmaxyx() _, width = stdscr.getmaxyx()
curses.endwin() curses.endwin()
@ -1268,10 +1283,13 @@ def calculateDeltaSeconds(start, epsilon=0.05):
def getInjectionCase(name): def getInjectionCase(name):
retVal = None retVal = None
for case in kb.injections.root.case: for case in kb.injections.root.case:
if case.name == name: if case.name == name:
retVal = case retVal = case
break break
return retVal return retVal
def initCommonOutputs(): def initCommonOutputs():
@ -1302,9 +1320,9 @@ def getFileItems(filename):
retVal = [] retVal = []
checkFile(filename) checkFile(filename)
file = codecs.open(filename, 'r', conf.dataEncoding) ifile = codecs.open(filename, 'r', conf.dataEncoding)
for line in file.readlines(): # xreadlines doesn't return unicode strings when codec.open() is used for line in ifile.readlines(): # xreadlines doesn't return unicode strings when codec.open() is used
if line.find('#') != -1: if line.find('#') != -1:
line = line[:line.find('#')] line = line[:line.find('#')]
line = line.strip() line = line.strip()
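Review bot: The handle renamed to `ifile` in getFileItems is opened with `codecs.open(filename, 'r', conf.dataEncoding)`, and none of the visible lines close it. The rename stops shadowing the builtin `file`, but the descriptor's lifetime is still left to the garbage collector. Unless a close follows below the hunk (the function body continues past it), wrap the loop in `try:` and release the handle in `finally: ifile.close()`.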