From a5b2366033d8827a9f0fe312d44d5aa8f764abfb Mon Sep 17 00:00:00 2001 From: Bernardo Damele Date: Thu, 16 Oct 2008 15:31:02 +0000 Subject: [PATCH] Implemented a better way to deal with % characters in parameters' value. Minor code restyle. --- lib/controller/controller.py | 2 +- lib/core/common.py | 5 ++++- lib/core/session.py | 27 +++++++++++---------------- lib/core/target.py | 6 +++--- lib/request/connect.py | 6 +++--- lib/request/inject.py | 5 ++--- lib/techniques/inference/blind.py | 13 ++++--------- lib/utils/resume.py | 6 ++---- 8 files changed, 30 insertions(+), 40 deletions(-) diff --git a/lib/controller/controller.py b/lib/controller/controller.py index cd9ef2ee0..fc8752833 100644 --- a/lib/controller/controller.py +++ b/lib/controller/controller.py @@ -149,7 +149,7 @@ def start(): if setCookieAsInjectable: conf.httpHeaders.append(("Cookie", cookieStr)) - conf.parameters["Cookie"] = cookieStr + conf.parameters["Cookie"] = cookieStr.replace("%", "%%") __paramDict = paramToDict("Cookie", cookieStr) if __paramDict: diff --git a/lib/core/common.py b/lib/core/common.py index 10ea00229..aba01041a 100644 --- a/lib/core/common.py +++ b/lib/core/common.py @@ -229,6 +229,9 @@ def dataToStdout(data): def dataToSessionFile(data): + if not conf.sessionFile: + return + conf.sessionFP.write(data) conf.sessionFP.flush() @@ -494,7 +497,7 @@ def parseTargetUrl(): conf.port = 80 if __urlSplit[3]: - conf.parameters["GET"] = __urlSplit[3] + conf.parameters["GET"] = __urlSplit[3].replace("%", "%%") conf.url = "%s://%s:%d%s" % (conf.scheme, conf.hostname, conf.port, conf.path) diff --git a/lib/core/session.py b/lib/core/session.py index 3542dae19..2cb7aa359 100644 --- a/lib/core/session.py +++ b/lib/core/session.py 
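Review bot: The `%` doubling added in parseTargetUrl and in the controller's Cookie branch is applied only to the copy stored in conf.parameters, while paramToDict still receives the raw string, so the parsed per-parameter values keep a single `%` where conf.parameters[...] now has `%%`. If the injection point is later spliced in by textual substitution of a parsed value into conf.parameters[place] (that code is outside this diff), a value containing `%`, e.g. one that is already URL-encoded, will no longer be found and the payload is dropped silently. Either double the value on both sides or do the substitution on the doubled form, and record the invariant at the assignment: `# '%' is doubled so the value is safe as a %-format template; Connect.getPage collapses '%%' back after urlencode`. Both start() and parseTargetUrl begin and end outside these hunks.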
@@ -40,9 +40,8 @@ def setString(): """ condition = ( - conf.sessionFile and ( not kb.resumedQueries - or ( kb.resumedQueries.has_key(conf.url) and - not kb.resumedQueries[conf.url].has_key("String") ) ) + not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and + not kb.resumedQueries[conf.url].has_key("String") ) ) if condition: @@ -59,8 +58,7 @@ def setInjection(): kb.injParameter = conf.agent condition = ( - kb.injPlace and kb.injParameter and - conf.sessionFile and ( not kb.resumedQueries + kb.injPlace and kb.injParameter and ( not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and ( not kb.resumedQueries[conf.url].has_key("Injection point") or not kb.resumedQueries[conf.url].has_key("Injection parameter") @@ -82,9 +80,8 @@ def setParenthesis(parenthesisCount): """ condition = ( - conf.sessionFile and ( not kb.resumedQueries - or ( kb.resumedQueries.has_key(conf.url) and - not kb.resumedQueries[conf.url].has_key("Parenthesis") ) ) + not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and + not kb.resumedQueries[conf.url].has_key("Parenthesis") ) ) if condition: @@ -101,9 +98,9 @@ def setDbms(dbms): """ condition = ( - conf.sessionFile and ( not kb.resumedQueries + not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and - not kb.resumedQueries[conf.url].has_key("DBMS") ) ) + not kb.resumedQueries[conf.url].has_key("DBMS") ) ) if condition: @@ -133,11 +130,10 @@ def setUnion(comment=None, count=None, position=None): if comment and count: condition = ( - conf.sessionFile and ( not kb.resumedQueries - or ( kb.resumedQueries.has_key(conf.url) and + not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and ( not kb.resumedQueries[conf.url].has_key("Union comment") or not kb.resumedQueries[conf.url].has_key("Union count") - ) ) ) + ) ) ) if condition: 
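Review bot: Dropping `conf.sessionFile and` from each setter's condition changes when the guarded block runs, not just whether it writes: without a session file kb.resumedQueries is presumably empty, so `not kb.resumedQueries` is true and the block now executes on every run, with only the dataToSessionFile call inside it neutralised by the new early return in common.py. If those blocks also assign kb state (their bodies lie outside these hunks), that is a behaviour change worth stating in the commit message or in a comment above the first condition, e.g. `# evaluated even without a session file; dataToSessionFile is then a no-op`. Each setter's body continues past its hunk.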
@@ -149,10 +145,9 @@ def setUnion(comment=None, count=None, position=None): elif position: condition = ( - conf.sessionFile and ( not kb.resumedQueries - or ( kb.resumedQueries.has_key(conf.url) and + not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and ( not kb.resumedQueries[conf.url].has_key("Union position") - ) ) ) + ) ) ) if condition: diff --git a/lib/core/target.py b/lib/core/target.py index 56e22fbf2..c94773ff6 100644 --- a/lib/core/target.py +++ b/lib/core/target.py @@ -66,7 +66,7 @@ def __setRequestParams(): raise sqlmapSyntaxException, errMsg if conf.data: - conf.parameters["POST"] = conf.data + conf.parameters["POST"] = conf.data.replace("%", "%%") __paramDict = paramToDict("POST", conf.data) if __paramDict: @@ -75,7 +75,7 @@ def __setRequestParams(): # Perform checks on Cookie parameters if conf.cookie: - conf.parameters["Cookie"] = conf.cookie + conf.parameters["Cookie"] = conf.cookie.replace("%", "%%") __paramDict = paramToDict("Cookie", conf.cookie) if __paramDict: @@ -86,7 +86,7 @@ def __setRequestParams(): if conf.httpHeaders: for httpHeader, headerValue in conf.httpHeaders: if httpHeader == "User-Agent": - conf.parameters["User-Agent"] = headerValue + conf.parameters["User-Agent"] = headerValue.replace("%", "%%") condition = not conf.testParameter condition |= "User-Agent" in conf.testParameter diff --git a/lib/request/connect.py b/lib/request/connect.py index 73d8b1aa4..5b10a4598 100644 --- a/lib/request/connect.py +++ b/lib/request/connect.py @@ -87,14 +87,14 @@ class Connect: get = conf.parameters["GET"] if get: - get = urlencode(get) + get = urlencode(get).replace("%%", "%") url = "%s?%s" % (url, get) requestMsg += "?%s" % get elif conf.method == "POST": if conf.parameters.has_key("POST") and not post: post = conf.parameters["POST"] - post = urlencode(post) + post = urlencode(post).replace("%%", "%") requestMsg += " HTTP/1.1" 
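Review bot: `urlencode(get).replace("%%", "%")` in the connect.py hunk restores the original value only if urlencode leaves `%` untouched; if it percent-encodes it (urllib.quote does unless `%` is in its safe set), the stored `%%` becomes `%25%25`, the replace finds nothing and the request goes out with the parameter corrupted, and the same holds for the POST branch two lines below. This coupling with target.py and parseTargetUrl is invisible at the call site; a comment such as `# '%%' is the escaped form stored in conf.parameters; urlencode must keep '%' literal for this undo to work` would make it explicit, and a check that urlencode's safe set contains `%` would enforce it. The enclosing getPage starts before and continues after this hunk.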
@@ -113,7 +113,7 @@ class Connect: if not cookieStr: cookieStr = "Cookie: " - cookie = str(cookie) + cookie = str(cookie).replace("%%", "%") index = cookie.index(" for ") cookieStr += "%s; " % cookie[8:index] diff --git a/lib/request/inject.py b/lib/request/inject.py index 337e3f6e3..102c970e9 100644 --- a/lib/request/inject.py +++ b/lib/request/inject.py @@ -55,8 +55,7 @@ def __getFieldsProxy(expression): def __goInference(payload, expression): start = time.time() - if conf.sessionFile: - dataToSessionFile("[%s][%s][%s][%s][" % (conf.url, kb.injPlace, conf.parameters[kb.injPlace], expression)) + dataToSessionFile("[%s][%s][%s][%s][" % (conf.url, kb.injPlace, conf.parameters[kb.injPlace], expression)) if ( conf.eta or conf.threads > 1 ) and kb.dbms: _, length, _ = queryOutputLength(expression, payload) @@ -326,7 +325,7 @@ def __goInband(expression): output = re.findall(regExpr, output, re.S) - if conf.sessionFile and ( partial or not condition ): + if partial or not condition: logOutput = "".join(["__START__%s__STOP__" % replaceNewlineTabs(value) for value in output]) dataToSessionFile("[%s][%s][%s][%s][%s]\n" % (conf.url, kb.injPlace, conf.parameters[kb.injPlace], expression, logOutput)) diff --git a/lib/techniques/inference/blind.py b/lib/techniques/inference/blind.py index 52ec6b514..8e327b2d9 100644 --- a/lib/techniques/inference/blind.py +++ b/lib/techniques/inference/blind.py @@ -92,9 +92,7 @@ def bisection(payload, expression, length=None): queriesCount[0] += 1 limit = ((maxValue + minValue) / 2) - # TODO: find a cleaner way to do this - forgedPayload = payload.replace("%", "%%", 1) % (expressionUnescaped, idx, limit) - forgedPayload = forgedPayload.replace("%%", "%") + forgedPayload = payload % (expressionUnescaped, idx, limit) result = Request.queryPage(forgedPayload) 
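Review bot: `forgedPayload = payload % (expressionUnescaped, idx, limit)` in blind.py now relies on every literal `%` in the payload having been doubled upstream; a payload assembled from a source that was not (the removed `replace("%", "%%", 1)` guarded against exactly that) raises TypeError or ValueError mid-bisection with no hint that the cause is a `%` in the parameter value. Because the `%%` collapse in Connect presumably runs on this formatted result, an `expressionUnescaped` that legitimately contains `%%` would also be altered on the wire. A comment at the formatting line, `# payload carries literal '%' doubled (see target.py/parseTargetUrl); Connect.getPage collapses '%%' after urlencode`, plus a targeted except that re-raises as a sqlmap exception naming the parameter, would make failures diagnosable. bisection begins before this hunk.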
@@ -175,8 +173,7 @@ def bisection(payload, expression, length=None): assert index[0] == length - if conf.sessionFile: - dataToSessionFile(replaceNewlineTabs(value)) + dataToSessionFile(replaceNewlineTabs(value)) if conf.verbose in ( 1, 2 ) and not showEta: dataToStdout("\r[%s] [INFO] retrieved: %s" % (time.strftime("%X"), value)) @@ -195,8 +192,7 @@ def bisection(payload, expression, length=None): value += val - if conf.sessionFile: - dataToSessionFile(replaceNewlineTabs(val)) + dataToSessionFile(replaceNewlineTabs(val)) if showEta: etaProgressUpdate(time.time() - charStart, index) @@ -210,7 +206,6 @@ def bisection(payload, expression, length=None): infoMsg = "retrieved: %s" % value logger.info(infoMsg) - if conf.sessionFile: - dataToSessionFile("]\n") + dataToSessionFile("]\n") return queriesCount[0], value diff --git a/lib/utils/resume.py b/lib/utils/resume.py index 8026c68ee..8e16d54c9 100644 --- a/lib/utils/resume.py +++ b/lib/utils/resume.py @@ -146,8 +146,7 @@ def resume(expression, payload): infoMsg += "%s" % resumedValue.split("\n")[0] logger.info(infoMsg) - if conf.sessionFile: - dataToSessionFile("[%s][%s][%s][%s][%s]\n" % (conf.url, kb.injPlace, conf.parameters[kb.injPlace], expression, resumedValue)) + dataToSessionFile("[%s][%s][%s][%s][%s]\n" % (conf.url, kb.injPlace, conf.parameters[kb.injPlace], expression, resumedValue)) return resumedValue elif len(resumedValue) < int(length): @@ -155,8 +154,7 @@ def resume(expression, payload): infoMsg += "%s..." % resumedValue.split("\n")[0] logger.info(infoMsg) - if conf.sessionFile: - dataToSessionFile("[%s][%s][%s][%s][%s" % (conf.url, kb.injPlace, conf.parameters[kb.injPlace], expression, resumedValue)) + dataToSessionFile("[%s][%s][%s][%s][%s" % (conf.url, kb.injPlace, conf.parameters[kb.injPlace], expression, resumedValue)) if select: newExpr = expressionUnescaped.replace(regExpr, substringQuery % (regExpr, len(resumedValue) + 1, int(length)), 1)
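Review bot: The session-file records written in resume.py key on conf.parameters[kb.injPlace], which after this commit holds the `%`-doubled form, so records written by earlier versions for a parameter string containing `%` will presumably no longer match on resume and will be re-retrieved silently rather than reported. If that is acceptable, say so in the commit message or at the dataToSessionFile call, e.g. `# NOTE: conf.parameters[...] is stored with '%' doubled; session files predating this change will not match`, so the next reader does not chase a phantom resume bug. resume() begins before this hunk, which ends the visible patch.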