sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-07-29 17:39:56 +03:00
Code Issues Packages Projects Releases Wiki Activity

implementing custom injection char

Browse Source
This commit is contained in:
Steven van der Baan 2017-07-18 14:57:26 +01:00
parent 591a60bbde
commit 8f7b8b0ba2
6 changed files with 70 additions and 60 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
lib/core/agent.py
View File

@ -101,7 +101,7 @@ class Agent(object):
if place == PLACE.URI or BOUNDED_INJECTION_MARKER in origValue: if place == PLACE.URI or BOUNDED_INJECTION_MARKER in origValue:
paramString = origValue paramString = origValue
if place == PLACE.URI: if place == PLACE.URI:
origValue = origValue.split(CUSTOM_INJECTION_MARK_CHAR)[0] origValue = origValue.split(conf.customInjectionChar)[0]
else: else:
origValue = filter(None, (re.search(_, origValue.split(BOUNDED_INJECTION_MARKER)[0]) for _ in (r"\w+\Z", r"[^\"'><]+\Z", r"[^ ]+\Z")))[0].group(0) origValue = filter(None, (re.search(_, origValue.split(BOUNDED_INJECTION_MARKER)[0]) for _ in (r"\w+\Z", r"[^\"'><]+\Z", r"[^ ]+\Z")))[0].group(0)
origValue = origValue[origValue.rfind('/') + 1:] origValue = origValue[origValue.rfind('/') + 1:]
@ -110,7 +110,7 @@ class Agent(object):
origValue = origValue[origValue.rfind(char) + 1:] origValue = origValue[origValue.rfind(char) + 1:]
elif place == PLACE.CUSTOM_POST: elif place == PLACE.CUSTOM_POST:
paramString = origValue paramString = origValue
origValue = origValue.split(CUSTOM_INJECTION_MARK_CHAR)[0] origValue = origValue.split(conf.customInjectionChar)[0]
if kb.postHint in (POST_HINT.SOAP, POST_HINT.XML): if kb.postHint in (POST_HINT.SOAP, POST_HINT.XML):
origValue = origValue.split('>')[-1] origValue = origValue.split('>')[-1]
elif kb.postHint in (POST_HINT.JSON, POST_HINT.JSON_LIKE): elif kb.postHint in (POST_HINT.JSON, POST_HINT.JSON_LIKE):
@ -120,7 +120,7 @@ class Agent(object):
origValue = _.split('=', 1)[1] if '=' in _ else "" origValue = _.split('=', 1)[1] if '=' in _ else ""
elif place == PLACE.CUSTOM_HEADER: elif place == PLACE.CUSTOM_HEADER:
paramString = origValue paramString = origValue
origValue = origValue.split(CUSTOM_INJECTION_MARK_CHAR)[0] origValue = origValue.split(conf.customInjectionChar)[0]
origValue = origValue[origValue.find(',') + 1:] origValue = origValue[origValue.find(',') + 1:]
match = re.search(r"([^;]+)=(?P<value>[^;]+);?\Z", origValue) match = re.search(r"([^;]+)=(?P<value>[^;]+);?\Z", origValue)
if match: if match:
@ -159,14 +159,14 @@ class Agent(object):
newValue = self.cleanupPayload(newValue, origValue) newValue = self.cleanupPayload(newValue, origValue)
if place in (PLACE.URI, PLACE.CUSTOM_POST, PLACE.CUSTOM_HEADER): if place in (PLACE.URI, PLACE.CUSTOM_POST, PLACE.CUSTOM_HEADER):
_ = "%s%s" % (origValue, CUSTOM_INJECTION_MARK_CHAR) _ = "%s%s" % (origValue, conf.customInjectionChar)
if kb.postHint == POST_HINT.JSON and not isNumber(newValue) and not '"%s"' % _ in paramString: if kb.postHint == POST_HINT.JSON and not isNumber(newValue) and not '"%s"' % _ in paramString:
newValue = '"%s"' % newValue newValue = '"%s"' % newValue
elif kb.postHint == POST_HINT.JSON_LIKE and not isNumber(newValue) and not "'%s'" % _ in paramString: elif kb.postHint == POST_HINT.JSON_LIKE and not isNumber(newValue) and not "'%s'" % _ in paramString:
newValue = "'%s'" % newValue newValue = "'%s'" % newValue
newValue = newValue.replace(CUSTOM_INJECTION_MARK_CHAR, REPLACEMENT_MARKER) newValue = newValue.replace(conf.customInjectionChar, REPLACEMENT_MARKER)
retVal = paramString.replace(_, self.addPayloadDelimiters(newValue)) retVal = paramString.replace(_, self.addPayloadDelimiters(newValue))
retVal = retVal.replace(CUSTOM_INJECTION_MARK_CHAR, "").replace(REPLACEMENT_MARKER, CUSTOM_INJECTION_MARK_CHAR) retVal = retVal.replace(conf.customInjectionChar, "").replace(REPLACEMENT_MARKER, conf.customInjectionChar)
elif BOUNDED_INJECTION_MARKER in paramDict[parameter]: elif BOUNDED_INJECTION_MARKER in paramDict[parameter]:
_ = "%s%s" % (origValue, BOUNDED_INJECTION_MARKER) _ = "%s%s" % (origValue, BOUNDED_INJECTION_MARKER)
retVal = "%s=%s" % (re.sub(r" (\#\d\*|\(.+\))\Z", "", parameter), paramString.replace(_, self.addPayloadDelimiters(newValue))) retVal = "%s=%s" % (re.sub(r" (\#\d\*|\(.+\))\Z", "", parameter), paramString.replace(_, self.addPayloadDelimiters(newValue)))

14
lib/core/common.py
View File

@ -654,7 +654,8 @@ def paramToDict(place, parameters=None):
except Exception: except Exception:
pass pass
_ = re.sub(regex, "\g<1>%s\g<%d>" % (CUSTOM_INJECTION_MARK_CHAR, len(match.groups())), testableParameters[parameter]) print "Testing injection char %c"%conf.customInjectionChar
_ = re.sub(regex, "\g<1>%s\g<%d>" % (conf.customInjectionChar, len(match.groups())), testableParameters[parameter])
message = "it appears that provided value for %s parameter '%s' " % (place, parameter) message = "it appears that provided value for %s parameter '%s' " % (place, parameter)
message += "has boundaries. Do you want to inject inside? ('%s') [y/N] " % getUnicode(_) message += "has boundaries. Do you want to inject inside? ('%s') [y/N] " % getUnicode(_)
@ -1394,7 +1395,7 @@ def parseTargetUrl():
else: else:
conf.url = "http://" + conf.url conf.url = "http://" + conf.url
if CUSTOM_INJECTION_MARK_CHAR in conf.url: if conf.customInjectionChar in conf.url:
conf.url = conf.url.replace('?', URI_QUESTION_MARKER) conf.url = conf.url.replace('?', URI_QUESTION_MARKER)
try: try:
@ -1412,7 +1413,7 @@ def parseTargetUrl():
conf.hostname = hostnamePort[0].strip() conf.hostname = hostnamePort[0].strip()
conf.ipv6 = conf.hostname != conf.hostname.strip("[]") conf.ipv6 = conf.hostname != conf.hostname.strip("[]")
conf.hostname = conf.hostname.strip("[]").replace(CUSTOM_INJECTION_MARK_CHAR, "") conf.hostname = conf.hostname.strip("[]").replace(conf.customInjectionChar, "")
try: try:
_ = conf.hostname.encode("idna") _ = conf.hostname.encode("idna")
@ -1453,7 +1454,7 @@ def parseTargetUrl():
debugMsg = "setting the HTTP Referer header to the target URL" debugMsg = "setting the HTTP Referer header to the target URL"
logger.debug(debugMsg) logger.debug(debugMsg)
conf.httpHeaders = [_ for _ in conf.httpHeaders if _[0] != HTTP_HEADER.REFERER] conf.httpHeaders = [_ for _ in conf.httpHeaders if _[0] != HTTP_HEADER.REFERER]
conf.httpHeaders.append((HTTP_HEADER.REFERER, conf.url.replace(CUSTOM_INJECTION_MARK_CHAR, ""))) conf.httpHeaders.append((HTTP_HEADER.REFERER, conf.url.replace(conf.customInjectionChar, "")))
if not conf.host and (intersect(HOST_ALIASES, conf.testParameter, True) or conf.level >= 5): if not conf.host and (intersect(HOST_ALIASES, conf.testParameter, True) or conf.level >= 5):
debugMsg = "setting the HTTP Host header to the target URL" debugMsg = "setting the HTTP Host header to the target URL"
@ -2498,7 +2499,8 @@ def findMultipartPostBoundary(post):
return retVal return retVal
def urldecode(value, encoding=None, unsafe="%%&=;+%s" % CUSTOM_INJECTION_MARK_CHAR, convall=False, plusspace=True): # def urldecode(value, encoding=None, unsafe="%%&=;+%s" % CUSTOM_INJECTION_MARK_CHAR, convall=False, plusspace=True):
def urldecode(value, encoding=None, unsafe="UNSAFE_IDENTIFIER", convall=False, plusspace=True):
""" """
URL decodes given value URL decodes given value
@ -2506,6 +2508,8 @@ def urldecode(value, encoding=None, unsafe="%%&=;+%s" % CUSTOM_INJECTION_MARK_CH
u'AND 1>(2+3)#' u'AND 1>(2+3)#'
""" """
if unsafe == "UNSAFE_IDENTIFIER":
unsafe = "%%&=;+%s"%conf.customInjectionChar
result = value result = value
if value: if value:

13
lib/core/option.py
View File

@ -280,7 +280,7 @@ def _feedTargetsDict(reqFile, addedTargetUrls):
method = match.group(1) method = match.group(1)
url = match.group(2) url = match.group(2)
if any(_ in line for _ in ('?', '=', CUSTOM_INJECTION_MARK_CHAR)): if any(_ in line for _ in ('?', '=', conf.customInjectionChar)):
params = True params = True
getPostReq = True getPostReq = True
@ -320,7 +320,7 @@ def _feedTargetsDict(reqFile, addedTargetUrls):
elif key not in (HTTP_HEADER.PROXY_CONNECTION, HTTP_HEADER.CONNECTION): elif key not in (HTTP_HEADER.PROXY_CONNECTION, HTTP_HEADER.CONNECTION):
headers.append((getUnicode(key), getUnicode(value))) headers.append((getUnicode(key), getUnicode(value)))
if CUSTOM_INJECTION_MARK_CHAR in re.sub(PROBLEMATIC_CUSTOM_INJECTION_PATTERNS, "", value or ""): if conf.customInjectionChar in re.sub(PROBLEMATIC_CUSTOM_INJECTION_PATTERNS, "", value or ""):
params = True params = True
data = data.rstrip("\r\n") if data else data data = data.rstrip("\r\n") if data else data
@ -539,9 +539,10 @@ def _doSearch():
for link in links: for link in links:
link = urldecode(link) link = urldecode(link)
_URI_INJECTABLE_REGEX = _URI_INJECTABLE_REGEX.replace('*',conf.customInjectionChar)
if re.search(r"(.*?)\?(.+)", link): if re.search(r"(.*?)\?(.+)", link):
kb.targets.add((link, conf.method, conf.data, conf.cookie, None)) kb.targets.add((link, conf.method, conf.data, conf.cookie, None))
elif re.search(URI_INJECTABLE_REGEX, link, re.I): elif re.search(_URI_INJECTABLE_REGEX, link, re.I):
if kb.data.onlyGETs is None and conf.data is None and not conf.googleDork: if kb.data.onlyGETs is None and conf.data is None and not conf.googleDork:
message = "do you want to scan only results containing GET parameters? [Y/n] " message = "do you want to scan only results containing GET parameters? [Y/n] "
kb.data.onlyGETs = readInput(message, default='Y', boolean=True) kb.data.onlyGETs = readInput(message, default='Y', boolean=True)
@ -593,7 +594,7 @@ def _setBulkMultipleTargets():
found = False found = False
for line in getFileItems(conf.bulkFile): for line in getFileItems(conf.bulkFile):
if re.match(r"[^ ]+\?(.+)", line, re.I) or CUSTOM_INJECTION_MARK_CHAR in line: if re.match(r"[^ ]+\?(.+)", line, re.I) or conf.customInjectionChar in line:
found = True found = True
kb.targets.add((line.strip(), conf.method, conf.data, conf.cookie, None)) kb.targets.add((line.strip(), conf.method, conf.data, conf.cookie, None))
@ -1686,10 +1687,10 @@ def _cleanupOptions():
setOptimize() setOptimize()
if conf.data: if conf.data:
conf.data = re.sub("(?i)%s" % INJECT_HERE_MARK.replace(" ", r"[^A-Za-z]*"), CUSTOM_INJECTION_MARK_CHAR, conf.data) conf.data = re.sub("(?i)%s" % INJECT_HERE_MARK.replace(" ", r"[^A-Za-z]*"), conf.customInjectionChar, conf.data)
if conf.url: if conf.url:
conf.url = re.sub("(?i)%s" % INJECT_HERE_MARK.replace(" ", r"[^A-Za-z]*"), CUSTOM_INJECTION_MARK_CHAR, conf.url) conf.url = re.sub("(?i)%s" % INJECT_HERE_MARK.replace(" ", r"[^A-Za-z]*"), conf.customInjectionChar, conf.url)
if conf.os: if conf.os:
conf.os = conf.os.capitalize() conf.os = conf.os.capitalize()

85
lib/core/target.py
View File

@ -52,7 +52,7 @@ from lib.core.option import _setKnowledgeBaseAttributes
from lib.core.option import _setAuthCred from lib.core.option import _setAuthCred
from lib.core.settings import ASTERISK_MARKER from lib.core.settings import ASTERISK_MARKER
from lib.core.settings import CSRF_TOKEN_PARAMETER_INFIXES from lib.core.settings import CSRF_TOKEN_PARAMETER_INFIXES
from lib.core.settings import CUSTOM_INJECTION_MARK_CHAR # from lib.core.settings import CUSTOM_INJECTION_MARK_CHAR
from lib.core.settings import DEFAULT_GET_POST_DELIMITER from lib.core.settings import DEFAULT_GET_POST_DELIMITER
from lib.core.settings import HOST_ALIASES from lib.core.settings import HOST_ALIASES
from lib.core.settings import ARRAY_LIKE_RECOGNITION_REGEX from lib.core.settings import ARRAY_LIKE_RECOGNITION_REGEX
@ -114,12 +114,12 @@ def _setRequestParams():
retVal = retVal.replace(_.group(0), match.group(int(_.group(1)) if _.group(1).isdigit() else _.group(1))) retVal = retVal.replace(_.group(0), match.group(int(_.group(1)) if _.group(1).isdigit() else _.group(1)))
else: else:
break break
if CUSTOM_INJECTION_MARK_CHAR in retVal: if conf.customInjectionChar in retVal:
hintNames.append((retVal.split(CUSTOM_INJECTION_MARK_CHAR)[0], match.group("name"))) hintNames.append((retVal.split(conf.customInjectionChar)[0], match.group("name")))
return retVal return retVal
if kb.processUserMarks is None and CUSTOM_INJECTION_MARK_CHAR in conf.data: if kb.processUserMarks is None and conf.customInjectionChar in conf.data:
message = "custom injection marking character ('%s') found in option " % CUSTOM_INJECTION_MARK_CHAR message = "custom injection marking character ('%s') found in option " % conf.customInjectionChar
message += "'--data'. Do you want to process it? [Y/n/q] " message += "'--data'. Do you want to process it? [Y/n/q] "
choice = readInput(message, default='Y') choice = readInput(message, default='Y')
@ -139,16 +139,16 @@ def _setRequestParams():
if choice == 'Q': if choice == 'Q':
raise SqlmapUserQuitException raise SqlmapUserQuitException
elif choice == 'Y': elif choice == 'Y':
if not (kb.processUserMarks and CUSTOM_INJECTION_MARK_CHAR in conf.data): if not (kb.processUserMarks and conf.customInjectionChar in conf.data):
conf.data = getattr(conf.data, UNENCODED_ORIGINAL_VALUE, conf.data) conf.data = getattr(conf.data, UNENCODED_ORIGINAL_VALUE, conf.data)
conf.data = conf.data.replace(CUSTOM_INJECTION_MARK_CHAR, ASTERISK_MARKER) conf.data = conf.data.replace(conf.customInjectionChar, ASTERISK_MARKER)
conf.data = re.sub(r'("(?P<name>[^"]+)"\s*:\s*"[^"]+)"', functools.partial(process, repl=r'\g<1>%s"' % CUSTOM_INJECTION_MARK_CHAR), conf.data) conf.data = re.sub(r'("(?P<name>[^"]+)"\s*:\s*"[^"]+)"', functools.partial(process, repl=r'\g<1>%s"' % conf.customInjectionChar), conf.data)
conf.data = re.sub(r'("(?P<name>[^"]+)"\s*:\s*)(-?\d[\d\.]*\b)', functools.partial(process, repl=r'\g<0>%s' % CUSTOM_INJECTION_MARK_CHAR), conf.data) conf.data = re.sub(r'("(?P<name>[^"]+)"\s*:\s*)(-?\d[\d\.]*\b)', functools.partial(process, repl=r'\g<0>%s' % conf.customInjectionChar), conf.data)
match = re.search(r'(?P<name>[^"]+)"\s*:\s*\[([^\]]+)\]', conf.data) match = re.search(r'(?P<name>[^"]+)"\s*:\s*\[([^\]]+)\]', conf.data)
if match and not (conf.testParameter and match.group("name") not in conf.testParameter): if match and not (conf.testParameter and match.group("name") not in conf.testParameter):
_ = match.group(2) _ = match.group(2)
_ = re.sub(r'("[^"]+)"', '\g<1>%s"' % CUSTOM_INJECTION_MARK_CHAR, _) _ = re.sub(r'("[^"]+)"', '\g<1>%s"' % conf.customInjectionChar, _)
_ = re.sub(r'(\A|,|\s+)(-?\d[\d\.]*\b)', '\g<0>%s' % CUSTOM_INJECTION_MARK_CHAR, _) _ = re.sub(r'(\A|,|\s+)(-?\d[\d\.]*\b)', '\g<0>%s' % conf.customInjectionChar, _)
conf.data = conf.data.replace(match.group(0), match.group(0).replace(match.group(2), _)) conf.data = conf.data.replace(match.group(0), match.group(0).replace(match.group(2), _))
kb.postHint = POST_HINT.JSON kb.postHint = POST_HINT.JSON
@ -161,11 +161,11 @@ def _setRequestParams():
if choice == 'Q': if choice == 'Q':
raise SqlmapUserQuitException raise SqlmapUserQuitException
elif choice == 'Y': elif choice == 'Y':
if not (kb.processUserMarks and CUSTOM_INJECTION_MARK_CHAR in conf.data): if not (kb.processUserMarks and conf.customInjectionChar in conf.data):
conf.data = getattr(conf.data, UNENCODED_ORIGINAL_VALUE, conf.data) conf.data = getattr(conf.data, UNENCODED_ORIGINAL_VALUE, conf.data)
conf.data = conf.data.replace(CUSTOM_INJECTION_MARK_CHAR, ASTERISK_MARKER) conf.data = conf.data.replace(conf.customInjectionChar, ASTERISK_MARKER)
conf.data = re.sub(r"('(?P<name>[^']+)'\s*:\s*'[^']+)'", functools.partial(process, repl=r"\g<1>%s'" % CUSTOM_INJECTION_MARK_CHAR), conf.data) conf.data = re.sub(r"('(?P<name>[^']+)'\s*:\s*'[^']+)'", functools.partial(process, repl=r"\g<1>%s'" % conf.customInjectionChar), conf.data)
conf.data = re.sub(r"('(?P<name>[^']+)'\s*:\s*)(-?\d[\d\.]*\b)", functools.partial(process, repl=r"\g<0>%s" % CUSTOM_INJECTION_MARK_CHAR), conf.data) conf.data = re.sub(r"('(?P<name>[^']+)'\s*:\s*)(-?\d[\d\.]*\b)", functools.partial(process, repl=r"\g<0>%s" % conf.customInjectionChar), conf.data)
kb.postHint = POST_HINT.JSON_LIKE kb.postHint = POST_HINT.JSON_LIKE
@ -177,9 +177,9 @@ def _setRequestParams():
if choice == 'Q': if choice == 'Q':
raise SqlmapUserQuitException raise SqlmapUserQuitException
elif choice == 'Y': elif choice == 'Y':
if not (kb.processUserMarks and CUSTOM_INJECTION_MARK_CHAR in conf.data): if not (kb.processUserMarks and conf.customInjectionChar in conf.data):
conf.data = conf.data.replace(CUSTOM_INJECTION_MARK_CHAR, ASTERISK_MARKER) conf.data = conf.data.replace(conf.customInjectionChar, ASTERISK_MARKER)
conf.data = re.sub(r"(=[^%s]+)" % DEFAULT_GET_POST_DELIMITER, r"\g<1>%s" % CUSTOM_INJECTION_MARK_CHAR, conf.data) conf.data = re.sub(r"(=[^%s]+)" % DEFAULT_GET_POST_DELIMITER, r"\g<1>%s" % conf.customInjectionChar, conf.data)
kb.postHint = POST_HINT.ARRAY_LIKE kb.postHint = POST_HINT.ARRAY_LIKE
@ -191,10 +191,10 @@ def _setRequestParams():
if choice == 'Q': if choice == 'Q':
raise SqlmapUserQuitException raise SqlmapUserQuitException
elif choice == 'Y': elif choice == 'Y':
if not (kb.processUserMarks and CUSTOM_INJECTION_MARK_CHAR in conf.data): if not (kb.processUserMarks and conf.customInjectionChar in conf.data):
conf.data = getattr(conf.data, UNENCODED_ORIGINAL_VALUE, conf.data) conf.data = getattr(conf.data, UNENCODED_ORIGINAL_VALUE, conf.data)
conf.data = conf.data.replace(CUSTOM_INJECTION_MARK_CHAR, ASTERISK_MARKER) conf.data = conf.data.replace(conf.customInjectionChar, ASTERISK_MARKER)
conf.data = re.sub(r"(<(?P<name>[^>]+)( [^<]*)?>)([^<]+)(</\2)", functools.partial(process, repl=r"\g<1>\g<4>%s\g<5>" % CUSTOM_INJECTION_MARK_CHAR), conf.data) conf.data = re.sub(r"(<(?P<name>[^>]+)( [^<]*)?>)([^<]+)(</\2)", functools.partial(process, repl=r"\g<1>\g<4>%s\g<5>" % conf.customInjectionChar), conf.data)
kb.postHint = POST_HINT.SOAP if "soap" in conf.data.lower() else POST_HINT.XML kb.postHint = POST_HINT.SOAP if "soap" in conf.data.lower() else POST_HINT.XML
@ -206,15 +206,15 @@ def _setRequestParams():
if choice == 'Q': if choice == 'Q':
raise SqlmapUserQuitException raise SqlmapUserQuitException
elif choice == 'Y': elif choice == 'Y':
if not (kb.processUserMarks and CUSTOM_INJECTION_MARK_CHAR in conf.data): if not (kb.processUserMarks and conf.customInjectionChar in conf.data):
conf.data = getattr(conf.data, UNENCODED_ORIGINAL_VALUE, conf.data) conf.data = getattr(conf.data, UNENCODED_ORIGINAL_VALUE, conf.data)
conf.data = conf.data.replace(CUSTOM_INJECTION_MARK_CHAR, ASTERISK_MARKER) conf.data = conf.data.replace(conf.customInjectionChar, ASTERISK_MARKER)
conf.data = re.sub(r"(?si)((Content-Disposition[^\n]+?name\s*=\s*[\"'](?P<name>[^\n]+?)[\"']).+?)(((\r)?\n)+--)", functools.partial(process, repl=r"\g<1>%s\g<4>" % CUSTOM_INJECTION_MARK_CHAR), conf.data) conf.data = re.sub(r"(?si)((Content-Disposition[^\n]+?name\s*=\s*[\"'](?P<name>[^\n]+?)[\"']).+?)(((\r)?\n)+--)", functools.partial(process, repl=r"\g<1>%s\g<4>" % conf.customInjectionChar), conf.data)
kb.postHint = POST_HINT.MULTIPART kb.postHint = POST_HINT.MULTIPART
if not kb.postHint: if not kb.postHint:
if CUSTOM_INJECTION_MARK_CHAR in conf.data: # later processed if conf.customInjectionChar in conf.data: # later processed
pass pass
else: else:
place = PLACE.POST place = PLACE.POST
@ -226,12 +226,13 @@ def _setRequestParams():
conf.paramDict[place] = paramDict conf.paramDict[place] = paramDict
testableParameters = True testableParameters = True
else: else:
if CUSTOM_INJECTION_MARK_CHAR not in conf.data: # in case that no usable parameter values has been found if conf.customInjectionChar not in conf.data: # in case that no usable parameter values has been found
conf.parameters[PLACE.POST] = conf.data conf.parameters[PLACE.POST] = conf.data
kb.processUserMarks = True if (kb.postHint and CUSTOM_INJECTION_MARK_CHAR in conf.data) else kb.processUserMarks kb.processUserMarks = True if (kb.postHint and conf.customInjectionChar in conf.data) else kb.processUserMarks
if re.search(URI_INJECTABLE_REGEX, conf.url, re.I) and not any(place in conf.parameters for place in (PLACE.GET, PLACE.POST)) and not kb.postHint and not CUSTOM_INJECTION_MARK_CHAR in (conf.data or "") and conf.url.startswith("http"): _URI_INJECTABLE_REGEX = URI_INJECTABLE_REGEX.replace('*',conf.customInjectionChar)
if re.search(_URI_INJECTABLE_REGEX, conf.url, re.I) and not any(place in conf.parameters for place in (PLACE.GET, PLACE.POST)) and not kb.postHint and not conf.customInjectionChar in (conf.data or "") and conf.url.startswith("http"):
warnMsg = "you've provided target URL without any GET " warnMsg = "you've provided target URL without any GET "
warnMsg += "parameters (e.g. 'http://www.site.com/article.php?id=1') " warnMsg += "parameters (e.g. 'http://www.site.com/article.php?id=1') "
warnMsg += "and without providing any POST parameters " warnMsg += "and without providing any POST parameters "
@ -245,15 +246,15 @@ def _setRequestParams():
if choice == 'Q': if choice == 'Q':
raise SqlmapUserQuitException raise SqlmapUserQuitException
elif choice == 'Y': elif choice == 'Y':
conf.url = "%s%s" % (conf.url, CUSTOM_INJECTION_MARK_CHAR) conf.url = "%s%s" % (conf.url, conf.customInjectionChar)
kb.processUserMarks = True kb.processUserMarks = True
for place, value in ((PLACE.URI, conf.url), (PLACE.CUSTOM_POST, conf.data), (PLACE.CUSTOM_HEADER, str(conf.httpHeaders))): for place, value in ((PLACE.URI, conf.url), (PLACE.CUSTOM_POST, conf.data), (PLACE.CUSTOM_HEADER, str(conf.httpHeaders))):
_ = re.sub(PROBLEMATIC_CUSTOM_INJECTION_PATTERNS, "", value or "") if place == PLACE.CUSTOM_HEADER else value or "" _ = re.sub(PROBLEMATIC_CUSTOM_INJECTION_PATTERNS, "", value or "") if place == PLACE.CUSTOM_HEADER else value or ""
if CUSTOM_INJECTION_MARK_CHAR in _: if conf.customInjectionChar in _:
if kb.processUserMarks is None: if kb.processUserMarks is None:
lut = {PLACE.URI: '-u', PLACE.CUSTOM_POST: '--data', PLACE.CUSTOM_HEADER: '--headers/--user-agent/--referer/--cookie'} lut = {PLACE.URI: '-u', PLACE.CUSTOM_POST: '--data', PLACE.CUSTOM_HEADER: '--headers/--user-agent/--referer/--cookie'}
message = "custom injection marking character ('%s') found in option " % CUSTOM_INJECTION_MARK_CHAR message = "custom injection marking character ('%s') found in option " % conf.customInjectionChar
message += "'%s'. Do you want to process it? [Y/n/q] " % lut[place] message += "'%s'. Do you want to process it? [Y/n/q] " % lut[place]
choice = readInput(message, default='Y').upper() choice = readInput(message, default='Y').upper()
@ -265,7 +266,7 @@ def _setRequestParams():
if kb.processUserMarks: if kb.processUserMarks:
kb.testOnlyCustom = True kb.testOnlyCustom = True
if "=%s" % CUSTOM_INJECTION_MARK_CHAR in _: if "=%s" % conf.customInjectionChar in _:
warnMsg = "it seems that you've provided empty parameter value(s) " warnMsg = "it seems that you've provided empty parameter value(s) "
warnMsg += "for testing. Please, always use only valid parameter values " warnMsg += "for testing. Please, always use only valid parameter values "
warnMsg += "so sqlmap could be able to run properly" warnMsg += "so sqlmap could be able to run properly"
@ -297,13 +298,13 @@ def _setRequestParams():
if place == PLACE.CUSTOM_HEADER: if place == PLACE.CUSTOM_HEADER:
for index in xrange(len(conf.httpHeaders)): for index in xrange(len(conf.httpHeaders)):
header, value = conf.httpHeaders[index] header, value = conf.httpHeaders[index]
if CUSTOM_INJECTION_MARK_CHAR in re.sub(PROBLEMATIC_CUSTOM_INJECTION_PATTERNS, "", value): if conf.customInjectionChar in re.sub(PROBLEMATIC_CUSTOM_INJECTION_PATTERNS, "", value):
parts = value.split(CUSTOM_INJECTION_MARK_CHAR) parts = value.split(conf.customInjectionChar)
for i in xrange(len(parts) - 1): for i in xrange(len(parts) - 1):
conf.paramDict[place]["%s #%d%s" % (header, i + 1, CUSTOM_INJECTION_MARK_CHAR)] = "%s,%s" % (header, "".join("%s%s" % (parts[j], CUSTOM_INJECTION_MARK_CHAR if i == j else "") for j in xrange(len(parts)))) conf.paramDict[place]["%s #%d%s" % (header, i + 1, conf.customInjectionChar)] = "%s,%s" % (header, "".join("%s%s" % (parts[j], conf.customInjectionChar if i == j else "") for j in xrange(len(parts))))
conf.httpHeaders[index] = (header, value.replace(CUSTOM_INJECTION_MARK_CHAR, "")) conf.httpHeaders[index] = (header, value.replace(conf.customInjectionChar, ""))
else: else:
parts = value.split(CUSTOM_INJECTION_MARK_CHAR) parts = value.split(conf.customInjectionChar)
for i in xrange(len(parts) - 1): for i in xrange(len(parts) - 1):
name = None name = None
@ -313,8 +314,8 @@ def _setRequestParams():
name = "%s %s" % (kb.postHint, _) name = "%s %s" % (kb.postHint, _)
break break
if name is None: if name is None:
name = "%s#%s%s" % (("%s " % kb.postHint) if kb.postHint else "", i + 1, CUSTOM_INJECTION_MARK_CHAR) name = "%s#%s%s" % (("%s " % kb.postHint) if kb.postHint else "", i + 1, conf.customInjectionChar)
conf.paramDict[place][name] = "".join("%s%s" % (parts[j], CUSTOM_INJECTION_MARK_CHAR if i == j else "") for j in xrange(len(parts))) conf.paramDict[place][name] = "".join("%s%s" % (parts[j], conf.customInjectionChar if i == j else "") for j in xrange(len(parts)))
if place == PLACE.URI and PLACE.GET in conf.paramDict: if place == PLACE.URI and PLACE.GET in conf.paramDict:
del conf.paramDict[PLACE.GET] del conf.paramDict[PLACE.GET]
@ -326,7 +327,7 @@ def _setRequestParams():
if kb.processUserMarks: if kb.processUserMarks:
for item in ("url", "data", "agent", "referer", "cookie"): for item in ("url", "data", "agent", "referer", "cookie"):
if conf.get(item): if conf.get(item):
conf[item] = conf[item].replace(CUSTOM_INJECTION_MARK_CHAR, "") conf[item] = conf[item].replace(conf.customInjectionChar, "")
# Perform checks on Cookie parameters # Perform checks on Cookie parameters
if conf.cookie: if conf.cookie:
@ -375,8 +376,8 @@ def _setRequestParams():
if condition: if condition:
conf.parameters[PLACE.CUSTOM_HEADER] = str(conf.httpHeaders) conf.parameters[PLACE.CUSTOM_HEADER] = str(conf.httpHeaders)
conf.paramDict[PLACE.CUSTOM_HEADER] = {httpHeader: "%s,%s%s" % (httpHeader, headerValue, CUSTOM_INJECTION_MARK_CHAR)} conf.paramDict[PLACE.CUSTOM_HEADER] = {httpHeader: "%s,%s%s" % (httpHeader, headerValue, conf.customInjectionChar)}
conf.httpHeaders = [(header, value.replace(CUSTOM_INJECTION_MARK_CHAR, "")) for header, value in conf.httpHeaders] conf.httpHeaders = [(header, value.replace(conf.customInjectionChar, "")) for header, value in conf.httpHeaders]
testableParameters = True testableParameters = True
if not conf.parameters: if not conf.parameters:

4
lib/parse/cmdline.py
View File

@ -232,6 +232,10 @@ def cmdLineParser(argv=None):
request.add_option("--eval", dest="evalCode", request.add_option("--eval", dest="evalCode",
help="Evaluate provided Python code before the request (e.g. \"import hashlib;id2=hashlib.md5(id).hexdigest()\")") help="Evaluate provided Python code before the request (e.g. \"import hashlib;id2=hashlib.md5(id).hexdigest()\")")
# Attempt to replace CUSTOM_INJECTION_MARK_CHAR with something dynamic
request.add_option("--custom-injection-char", dest="customInjectionChar", default='*',
help="Assign a different character to be used as injection identifier")
# Optimization options # Optimization options
optimization = OptionGroup(parser, "Optimization", "These " optimization = OptionGroup(parser, "Optimization", "These "
"options can be used to optimize the " "options can be used to optimize the "

2
lib/request/connect.py
View File

@ -901,7 +901,7 @@ class Connect(object):
post = value post = value
if PLACE.CUSTOM_POST in conf.parameters: if PLACE.CUSTOM_POST in conf.parameters:
post = conf.parameters[PLACE.CUSTOM_POST].replace(CUSTOM_INJECTION_MARK_CHAR, "") if place != PLACE.CUSTOM_POST or not value else value post = conf.parameters[PLACE.CUSTOM_POST].replace(conf.customInjectionChar, "") if place != PLACE.CUSTOM_POST or not value else value
post = post.replace(ASTERISK_MARKER, '*') if post else post post = post.replace(ASTERISK_MARKER, '*') if post else post
if PLACE.COOKIE in conf.parameters: if PLACE.COOKIE in conf.parameters: