doing all the work for the users so they wouldn't strain their little hands

This commit is contained in:
Miroslav Stampar 2012-05-08 15:00:23 +00:00
parent 524dd75ff2
commit 938d9ff23e

View File

@ -19,6 +19,7 @@ from lib.core.common import popValue
from lib.core.common import pushValue from lib.core.common import pushValue
from lib.core.common import randomInt from lib.core.common import randomInt
from lib.core.common import randomStr from lib.core.common import randomStr
from lib.core.common import readInput
from lib.core.common import removeReflectiveValues from lib.core.common import removeReflectiveValues
from lib.core.common import singleTimeLogMessage from lib.core.common import singleTimeLogMessage
from lib.core.common import singleTimeWarnMessage from lib.core.common import singleTimeWarnMessage
@ -254,15 +255,25 @@ def __unionTestByCharBruteforce(comment, place, parameter, value, prefix, suffix
if not all([validPayload, vector]) and not all([conf.uChar, conf.dbms]): if not all([validPayload, vector]) and not all([conf.uChar, conf.dbms]):
warnMsg = "if UNION based SQL injection is not detected, " warnMsg = "if UNION based SQL injection is not detected, "
warnMsg += "please consider " warnMsg += "please consider "
if not conf.uChar: if not conf.uChar:
message = "injection not exploitable with NULL values. Do you want to try with a random integer value for '--union-char'? [Y/n] "
test = readInput(message, default="Y")
if test[0] not in ("y", "Y"):
warnMsg += "usage of option '--union-char' " warnMsg += "usage of option '--union-char' "
warnMsg += "(e.g. --union-char=1) " warnMsg += "(e.g. --union-char=1) "
else:
conf.uChar = str(randomInt(2))
validPayload, vector = __unionConfirm(comment, place, parameter, prefix, suffix, count)
if not conf.dbms: if not conf.dbms:
if not conf.uChar: if not conf.uChar:
warnMsg += "and/or try to force the " warnMsg += "and/or try to force the "
else: else:
warnMsg += "forcing the " warnMsg += "forcing the "
warnMsg += "back-end DBMS (e.g. --dbms=mysql) " warnMsg += "back-end DBMS (e.g. --dbms=mysql) "
if not all([validPayload, vector]):
singleTimeWarnMessage(warnMsg) singleTimeWarnMessage(warnMsg)
return validPayload, vector return validPayload, vector