From 8ef47307db1b90116ce060a0b6fdad3630d26e7a Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Mon, 31 Jan 2011 12:21:17 +0000
Subject: [PATCH] added checking of header values for GREP (error); still UNION to do
---
 lib/controller/checks.py | 6 ++++--
 lib/core/common.py | 13 +++++++++++++
 lib/techniques/error/use.py | 8 +++++---
 3 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/lib/controller/checks.py b/lib/controller/checks.py
index af68d1733..1ffb4ddde 100644
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -22,6 +22,7 @@ from lib.core.common import getComparePageRatio
 from lib.core.common import getCompiledRegex
 from lib.core.common import getSortedInjectionTests
 from lib.core.common import getUnicode
+from lib.core.common import listToStrValue
 from lib.core.common import popValue
 from lib.core.common import pushValue
 from lib.core.common import randomInt
@@ -320,8 +321,9 @@ def checkSqlInjection(place, parameter, value):
 elif method == PAYLOAD.METHOD.GREP:
 # Perform the test's request and grep the response body for the test's regular expression
- reqBody, _ = Request.queryPage(reqPayload, place, content=True, raise404=False)
- output = extractRegexResult(check, reqBody, re.DOTALL | re.IGNORECASE)
+ page, headers = Request.queryPage(reqPayload, place, content=True, raise404=False)
+ output = extractRegexResult(check, page, re.DOTALL | re.IGNORECASE)\
+ or extractRegexResult(check, listToStrValue(headers.headers if headers else None), re.DOTALL | re.IGNORECASE)
 if output:
 result = output.replace(kb.misc.space, " ") == "1"
diff --git a/lib/core/common.py b/lib/core/common.py
index 40a0fbec3..6da19dfd9 100644
--- a/lib/core/common.py
+++ b/lib/core/common.py
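Review bot: The header fallback on the new `output = ... or extractRegexResult(check, listToStrValue(headers.headers if headers else None), ...)` line runs the regex over the `str()` of a Python list rather than over header text: `listToStrValue` (added in this commit's `lib/core/common.py`) renders each element with its repr, so header lines arrive quoted and with CR/LF and non-ASCII bytes turned into `\r\n` / `\x..` escapes, and a `check` written for literal response content can miss, or match the escaped form. If `headers.headers` is the list of raw header lines (it looks like an httplib.HTTPMessage — confirm), joining them is the safer input: `"".join(headers.headers) if headers else None`; whether `extractRegexResult` tolerates the `None` that `listToStrValue(None)` passes through when no headers came back is not visible here. The same construct is added to `__oneShotErrorUse` in `lib/techniques/error/use.py`, where the escaped fragment would also become the value `dataToSessionFile` records. The backslash-continued `or` is fragile; wrapping the two calls in parentheses reads more clearly in both places. checkSqlInjection begins and ends outside this hunk.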
@@ -2292,3 +2292,16 @@ def unhandledExceptionMessage():
 errMsg += "Technique: %s\n" % (enumValueToNameLookup(PAYLOAD.TECHNIQUE, kb.technique) if kb.technique else None)
 errMsg += "Back-end DBMS: %s" % kb.dbms
 return errMsg
+
+def listToStrValue(value):
+ """
+ Flattens list to a string value
+ >>> listToStrValue([1,2,3])
+ '1, 2, 3'
+ """
+ if isinstance(value, list):
+ retValue = value.__str__().lstrip('[').rstrip(']')
+ else:
+ retValue = value
+
+ return retValue
diff --git a/lib/techniques/error/use.py b/lib/techniques/error/use.py
index 1b72832db..02ee45a32 100644
--- a/lib/techniques/error/use.py
+++ b/lib/techniques/error/use.py
@@ -11,12 +11,13 @@ import re
 import time
 from lib.core.agent import agent
+from lib.core.common import Backend
 from lib.core.common import calculateDeltaSeconds
 from lib.core.common import dataToSessionFile
 from lib.core.common import extractRegexResult
-from lib.core.common import Backend
 from lib.core.common import initTechnique
 from lib.core.common import isNumPosStrValue
+from lib.core.common import listToStrValue
 from lib.core.common import randomInt
 from lib.core.common import replaceNewlineTabs
 from lib.core.common import safeStringFormat
@@ -55,12 +56,13 @@ def __oneShotErrorUse(expression, field):
 payload = agent.payload(newValue=injExpression)
 # Perform the request
- page, _ = Request.queryPage(payload, content=True)
+ page, headers = Request.queryPage(payload, content=True)
 reqCount += 1
 # Parse the returned page to get the exact error-based sql injection output
- output = extractRegexResult(check, page, re.DOTALL | re.IGNORECASE)
+ output = extractRegexResult(check, page, re.DOTALL | re.IGNORECASE)\
+ or extractRegexResult(check, listToStrValue(headers.headers if headers else None), re.DOTALL | re.IGNORECASE)
 dataToSessionFile("[%s][%s][%s][%s][%s]\n" % (conf.url, kb.injection.place, conf.parameters[kb.injection.place], expression, replaceNewlineTabs(output)))
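Review bot: `value.__str__().lstrip('[').rstrip(']')` in the new `listToStrValue` strips every leading `[` and trailing `]`, not one pair, so a nested list such as `[[1], [2]]` comes back as `'1], [2'`, and because `str()` of a list uses each element's repr, string elements keep their quotes and escape sequences (`['a', 'b']` gives `"'a', 'b'"`) even though the docstring's integer-only doctest suggests a plain `1, 2, 3` rendering. Joining the elements produces the documented output without either artefact and keeps the doctest passing: `retValue = ", ".join(str(_) for _ in value)`. The docstring should also state that non-list input, including `None`, is returned unchanged, which the `else` branch does silently and which the new callers in checks.py and use.py rely on. If the current behaviour is kept, `str(value)` is the idiomatic spelling of `value.__str__()`.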