Proper saving and resuming when more than a parameter are injectable.

Minor bug fix to --stacked-test
Minor code refactoring.

lib/controller/checks.py

@@ -288,7 +288,7 @@ def checkSqlInjection(place, parameter, value):
                 injection.prefix = prefix
                 injection.suffix = suffix
 
-                injection.data[stype] = (title, where, comment, boundPayload)
+                injection.data[stype] = (boundPayload, comment)
 
                 if "details" in test:
                     for detailKey, detailValue in test.details.items():

lib/controller/controller.py

@@ -47,11 +47,13 @@ from lib.core.target import setupTargetEnv
 
 def __saveToSessionFile():
     for inj in kb.injections:
+        setInjection(inj)
+
         place = inj.place
         parameter = inj.parameter
 
         for stype, sdata in inj.data.items():
-            payload = sdata[3]
+            payload = sdata[0]
 
             if stype == 1:
                 kb.booleanTest = payload
@@ -66,15 +68,11 @@ def __saveToSessionFile():
                 kb.timeTest = payload
                 setTimeBased(place, parameter, payload)
 
-        setInjection(inj)
-
 def __selectInjection():
     """
     Selection function for injection place, parameters and type.
     """
 
-    # TODO: when resume from session file, feed kb.injections and call
-    # __selectInjection()
     points = []
 
     for i in xrange(0, len(kb.injections)):
@@ -103,9 +101,10 @@ def __selectInjection():
 
             if point not in points:
                 points.append(point)
+                ptype = PAYLOAD.PARAMETER[ptype] if isinstance(ptype, int) else ptype
 
                 message += "[%d] place: %s, parameter: " % (i, place)
-                message += "%s, type: %s" % (parameter, PAYLOAD.PARAMETER[ptype])
+                message += "%s, type: %s" % (parameter, ptype)
 
                 if i == 0:
                     message += " (default)"
@@ -130,8 +129,9 @@ def __formatInjection(inj):
     data += "Parameter: %s\n" % inj.parameter
 
     for stype, sdata in inj.data.items():
-        data += "    Type: %s\n" % PAYLOAD.SQLINJECTION[stype]
-        data += "    Payload: %s\n\n" % sdata[3]
+        stype = PAYLOAD.SQLINJECTION[stype] if isinstance(stype, int) else stype
+        data += "    Type: %s\n" % stype
+        data += "    Payload: %s\n\n" % sdata[0]
 
     return data
 

lib/core/option.py

@@ -44,6 +44,7 @@ from lib.core.data import logger
 from lib.core.data import paths
 from lib.core.data import queries
 from lib.core.datatype import advancedDict
+from lib.core.datatype import injectionDict
 from lib.core.enums import HTTPMETHOD
 from lib.core.enums import PRIORITY
 from lib.core.exception import sqlmapFilePathException
@@ -1146,7 +1147,7 @@ def __setKnowledgeBaseAttributes():
     kb.headersFp       = {}
     kb.hintValue       = None
     kb.htmlFp          = []
-    kb.injection       = advancedDict()
+    kb.injection       = injectionDict()
     kb.injection.parameter = None
     kb.injection.place = None
     kb.injections      = []

lib/core/session.py

@@ -15,6 +15,7 @@ from lib.core.common import readInput
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
+from lib.core.datatype import injectionDict
 from lib.core.enums import PAYLOAD
 from lib.core.enums import PLACE
 from lib.core.settings import MSSQL_ALIASES
@@ -89,14 +90,17 @@ def setInjection(inj):
                 )
 
     if condition:
-        for stype in inj.data.keys():
-            dataToSessionFile("[%s][%s][%s][Injection type][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), PAYLOAD.SQLINJECTION[stype]))
         dataToSessionFile("[%s][%s][%s][Injection point][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), inj.place))
         dataToSessionFile("[%s][%s][%s][Injection parameter][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), inj.parameter))
         dataToSessionFile("[%s][%s][%s][Injection parameter type][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), PAYLOAD.PARAMETER[inj.ptype]))
         dataToSessionFile("[%s][%s][%s][Injection prefix][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), inj.prefix))
         dataToSessionFile("[%s][%s][%s][Injection suffix][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), inj.suffix))
 
+        for stype, sdata in inj.data.items():
+            dataToSessionFile("[%s][%s][%s][Injection type][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), PAYLOAD.SQLINJECTION[stype]))
+            dataToSessionFile("[%s][%s][%s][Injection payload][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), sdata[0]))
+            dataToSessionFile("[%s][%s][%s][Injection comment][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), sdata[1]))
+
 def setDbms(dbms):
     """
     @param dbms: database management system to be set into the knowledge
@@ -354,12 +358,6 @@ def resumeConfKb(expression, url, value):
         except ValueError:
             pass
 
-    elif expression == "Injection type" and url == conf.url:
-        kb.injection.stype = unSafeFormatString(value[:-1])
-
-        logMsg  = "resuming injection type '%s' from session file" % kb.injection.stype
-        logger.info(logMsg)
-
     elif expression == "Injection point" and url == conf.url:
         injPlace = value[:-1]
 
@@ -373,6 +371,10 @@ def resumeConfKb(expression, url, value):
             warnMsg += "injectable point"
             logger.warn(warnMsg)
         else:
+            if kb.injection.place is not None:
+                kb.injections.append(kb.injection)
+                kb.injection = injectionDict()
+
             kb.injection.place = injPlace
 
     elif expression == "Injection parameter" and url == conf.url:
@@ -413,6 +415,55 @@ def resumeConfKb(expression, url, value):
         logMsg = "resuming injection suffix '%s' from session file" % kb.injection.suffix
         logger.info(logMsg)
 
+    elif expression == "Injection type" and url == conf.url:
+        stype = unSafeFormatString(value[:-1])
+        kb.injection.data[stype] = []
+
+        logMsg = "resuming injection type '%s' from session file" % stype
+        logger.info(logMsg)
+
+    elif expression == "Injection payload" and url == conf.url:
+        payload = unSafeFormatString(value[:-1])
+        kb.injection.data[kb.injection.data.keys()[0]].append(payload)
+
+        logMsg = "resuming injection payload '%s' from session file" % payload
+        logger.info(logMsg)
+
+    elif expression == "Injection comment" and url == conf.url:
+        comment = unSafeFormatString(value[:-1])
+        kb.injection.data[kb.injection.data.keys()[0]].append(comment)
+
+        logMsg = "resuming injection comment '%s' from session file" % comment
+        logger.info(logMsg)
+
+    elif expression == "Boolean-based blind injection" and url == conf.url:
+        kb.booleanTest = unSafeFormatString(value[:-1])
+
+        logMsg = "resuming boolean-based blind injection "
+        logMsg += "'%s' from session file" % kb.booleanTest
+        logger.info(logMsg)
+
+    elif expression == "Error-based injection" and url == conf.url:
+        kb.errorTest = unSafeFormatString(value[:-1])
+
+        logMsg = "resuming error-based injection "
+        logMsg += "'%s' from session file" % kb.errorTest
+        logger.info(logMsg)
+
+    elif expression == "Stacked queries" and url == conf.url:
+        kb.stackedTest = unSafeFormatString(value[:-1])
+
+        logMsg = "resuming stacked queries syntax "
+        logMsg += "'%s' from session file" % kb.stackedTest
+        logger.info(logMsg)
+
+    elif expression == "Time-based blind injection" and url == conf.url:
+        kb.timeTest = unSafeFormatString(value[:-1])
+
+        logMsg = "resuming time-based blind injection "
+        logMsg += "'%s' from session file" % kb.timeTest
+        logger.info(logMsg)
+
     elif expression == "DBMS" and url == conf.url:
         dbms        = unSafeFormatString(value[:-1])
         dbms        = dbms.lower()
@@ -468,34 +519,6 @@ def resumeConfKb(expression, url, value):
         else:
             conf.os = os
 
-    elif expression == "Boolean-based blind injection" and url == conf.url:
-        kb.booleanTest = unSafeFormatString(value[:-1])
-
-        logMsg  = "resuming boolean-based blind injection "
-        logMsg += "'%s' from session file" % kb.booleanTest
-        logger.info(logMsg)
-
-    elif expression == "Error-based injection" and url == conf.url:
-        kb.errorTest = unSafeFormatString(value[:-1])
-
-        logMsg  = "resuming error-based injection "
-        logMsg += "'%s' from session file" % kb.errorTest
-        logger.info(logMsg)
-
-    elif expression == "Stacked queries" and url == conf.url:
-        kb.stackedTest = unSafeFormatString(value[:-1])
-
-        logMsg  = "resuming stacked queries syntax "
-        logMsg += "'%s' from session file" % kb.stackedTest
-        logger.info(logMsg)
-
-    elif expression == "Time-based blind injection" and url == conf.url:
-        kb.timeTest = unSafeFormatString(value[:-1])
-
-        logMsg  = "resuming time-based blind injection "
-        logMsg += "'%s' from session file" % kb.timeTest
-        logger.info(logMsg)
-
     elif expression == "Union comment" and url == conf.url:
         kb.unionComment = unSafeFormatString(value[:-1])
 

lib/core/target.py

@@ -173,6 +173,7 @@ def __setOutputResume():
                     elif len(value) >= len(kb.resumedQueries[url][expression]):
                         kb.resumedQueries[url][expression] = value
 
+            kb.injections.append(kb.injection)
             readSessionFP.close()
         else:
             try:

lib/techniques/outband/stacked.py

@@ -47,6 +47,7 @@ def stackedTest():
 
         kb.stackedTest = False
 
-    setStacked()
+    if kb.stackedTest:
+        setStacked(kb.injection.place, kb.injection.parameter, payload)
 
     return kb.stackedTest