	incorporation of method for neutralization of reflective values
This commit is contained in:
		
							parent
							
								
									708ddf5608
								
							
						
					
					
						commit
						aa88361ab1
					
				|  | @ -81,6 +81,8 @@ from lib.core.settings import DUMP_TAB_MARKER | ||||||
| from lib.core.settings import DUMP_START_MARKER | from lib.core.settings import DUMP_START_MARKER | ||||||
| from lib.core.settings import DUMP_STOP_MARKER | from lib.core.settings import DUMP_STOP_MARKER | ||||||
| from lib.core.settings import MIN_TIME_RESPONSES | from lib.core.settings import MIN_TIME_RESPONSES | ||||||
|  | from lib.core.settings import PAYLOAD_DELIMITER | ||||||
|  | from lib.core.settings import REFLECTED_VALUE_MARKER | ||||||
| from lib.core.settings import TIME_DEFAULT_DELAY | from lib.core.settings import TIME_DEFAULT_DELAY | ||||||
| from lib.core.settings import TIME_STDEV_COEFF | from lib.core.settings import TIME_STDEV_COEFF | ||||||
| from lib.core.settings import DYNAMICITY_MARK_LENGTH | from lib.core.settings import DYNAMICITY_MARK_LENGTH | ||||||
|  | @ -2386,3 +2388,20 @@ def cpuThrottle(value): | ||||||
|     """ |     """ | ||||||
|     delay = 0.00001 * (value ** 2) |     delay = 0.00001 * (value ** 2) | ||||||
|     time.sleep(delay) |     time.sleep(delay) | ||||||
|  | 
 | ||||||
|  | def removeReflectiveValues(content, payload): | ||||||
|  |     """ | ||||||
|  |     Neutralizes (static/marked) reflective values in a given content based on a payload | ||||||
|  |     (e.g. ?search=sql injection ---> ...value="sql%20injection") | ||||||
|  |     """ | ||||||
|  | 
 | ||||||
|  |     payload = payload.replace(PAYLOAD_DELIMITER, '') | ||||||
|  | 
 | ||||||
|  |     regex = filterStringValue(payload, r'[A-Za-z0-9]', r'[^\s]+') | ||||||
|  |     retVal = re.sub(regex, REFLECTED_VALUE_MARKER, content) | ||||||
|  | 
 | ||||||
|  |     if retVal != content: | ||||||
|  |         warnMsg = "reflective value found and filtered out" | ||||||
|  |         logger.warn(warnMsg) | ||||||
|  | 
 | ||||||
|  |     return retVal | ||||||
|  |  | ||||||
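Review bot: `removeReflectiveValues` has no guard for a degenerate payload. If `payload` is empty or contains no alphanumerics, the regex built on the `filterStringValue` line presumably collapses to just `[^\s]+` (the helper itself is outside this diff), and the `re.sub` below then rewrites every non-whitespace run in `content` with `REFLECTED_VALUE_MARKER`, destroying the page the caller goes on to compare; a one-character payload such as `1` likewise rewrites every `1` in the page. Both `payload.replace` and `re.sub` also raise on `None`, and the `page or ""` idiom in the union hunks shows that callers can see a falsy page. A guard such as `if not payload or not content: return content` before the `replace` line, together with a minimum length for the filtered payload, would close both. Note also that `[^\s]+` cannot match a space, so only encoded reflections like the `sql%20injection` example in the docstring are caught, not a payload echoed verbatim with its literal spaces — worth stating in the docstring.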
|  | @ -28,6 +28,7 @@ from lib.core.common import getUnicode | ||||||
| from lib.core.common import logHTTPTraffic | from lib.core.common import logHTTPTraffic | ||||||
| from lib.core.common import parseTargetUrl | from lib.core.common import parseTargetUrl | ||||||
| from lib.core.common import readInput | from lib.core.common import readInput | ||||||
|  | from lib.core.common import removeReflectiveValues | ||||||
| from lib.core.common import stdev | from lib.core.common import stdev | ||||||
| from lib.core.common import wasLastRequestDelayed | from lib.core.common import wasLastRequestDelayed | ||||||
| from lib.core.convert import urlencode | from lib.core.convert import urlencode | ||||||
|  | @ -487,7 +488,10 @@ class Connect: | ||||||
| 
 | 
 | ||||||
|         if content or response: |         if content or response: | ||||||
|             return page, headers |             return page, headers | ||||||
|         elif getRatioValue: | 
 | ||||||
|  |         page = removeReflectiveValues(page, value) | ||||||
|  | 
 | ||||||
|  |         if getRatioValue: | ||||||
|             return comparison(page, getRatioValue=False, pageLength=pageLength), comparison(page, getRatioValue=True, pageLength=pageLength) |             return comparison(page, getRatioValue=False, pageLength=pageLength), comparison(page, getRatioValue=True, pageLength=pageLength) | ||||||
|         elif pageLength or page: |         elif pageLength or page: | ||||||
|             return comparison(page, getRatioValue, pageLength) |             return comparison(page, getRatioValue, pageLength) | ||||||
|  |  | ||||||
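Review bot: The new `removeReflectiveValues(page, value)` call runs on every request that reaches this point, including ones where `page` is `None` (the `page or ""` idiom in the union hunks shows a falsy page is expected) or where `value` is not a payload at all, and the helper as added in the first section does not accept `None` for either argument. Guarding the call, `if page and value: page = removeReflectiveValues(page, value)`, keeps non-injection requests on their previous path. The enclosing method starts outside this hunk, so whether `value` can be unset here is inferred rather than visible.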
|  | @ -23,6 +23,7 @@ from lib.core.common import parseUnionPage | ||||||
| from lib.core.common import popValue | from lib.core.common import popValue | ||||||
| from lib.core.common import pushValue | from lib.core.common import pushValue | ||||||
| from lib.core.common import randomStr | from lib.core.common import randomStr | ||||||
|  | from lib.core.common import removeReflectiveValues | ||||||
| from lib.core.common import stdev | from lib.core.common import stdev | ||||||
| from lib.core.data import conf | from lib.core.data import conf | ||||||
| from lib.core.data import kb | from lib.core.data import kb | ||||||
|  | @ -122,6 +123,9 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, count, whe | ||||||
|         page, headers = Request.queryPage(payload, place=place, content=True, raise404=False) |         page, headers = Request.queryPage(payload, place=place, content=True, raise404=False) | ||||||
|         content = "%s%s" % (page or "", listToStrValue(headers.headers if headers else None) or "") |         content = "%s%s" % (page or "", listToStrValue(headers.headers if headers else None) or "") | ||||||
| 
 | 
 | ||||||
|  |         # Remove possible reflective values from content (especially headers part) | ||||||
|  |         content = removeReflectiveValues(content, payload) | ||||||
|  | 
 | ||||||
|         if content and phrase in content: |         if content and phrase in content: | ||||||
|             validPayload = payload |             validPayload = payload | ||||||
|             vector = (position, count, comment, prefix, suffix, conf.uChar, where) |             vector = (position, count, comment, prefix, suffix, conf.uChar, where) | ||||||
|  |  | ||||||
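Review bot: The two-line neutralization added after the `content = "%s%s" % ...` line is repeated verbatim in `__oneShotUnionUse` in the next section, and every other `content=True` caller of `Request.queryPage` will need the same lines, because the `content or response` branch in the connect.py hunk returns before the new `removeReflectiveValues` call there. Applying the neutralization inside `queryPage` ahead of that early return, when a payload is given, would make the union callers' copies unnecessary and keep the behaviour in one place. The comment `# Remove possible reflective values from content (especially headers part)` should also say why it matters here: if the payload carries `phrase` (its construction is outside the hunk), an echoed payload would presumably satisfy the `phrase in content` check below and yield a false-positive position.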
|  | @ -19,6 +19,7 @@ from lib.core.common import initTechnique | ||||||
| from lib.core.common import isNumPosStrValue | from lib.core.common import isNumPosStrValue | ||||||
| from lib.core.common import listToStrValue | from lib.core.common import listToStrValue | ||||||
| from lib.core.common import parseUnionPage | from lib.core.common import parseUnionPage | ||||||
|  | from lib.core.common import removeReflectiveValues | ||||||
| from lib.core.data import conf | from lib.core.data import conf | ||||||
| from lib.core.data import kb | from lib.core.data import kb | ||||||
| from lib.core.data import logger | from lib.core.data import logger | ||||||
|  | @ -27,7 +28,6 @@ from lib.core.enums import DBMS | ||||||
| from lib.core.enums import PAYLOAD | from lib.core.enums import PAYLOAD | ||||||
| from lib.core.exception import sqlmapSyntaxException | from lib.core.exception import sqlmapSyntaxException | ||||||
| from lib.core.settings import FROM_TABLE | from lib.core.settings import FROM_TABLE | ||||||
| from lib.core.settings import REFLECTED_VALUE_MARKER |  | ||||||
| from lib.core.unescaper import unescaper | from lib.core.unescaper import unescaper | ||||||
| from lib.request.connect import Connect as Request | from lib.request.connect import Connect as Request | ||||||
| from lib.utils.resume import resume | from lib.utils.resume import resume | ||||||
|  | @ -55,12 +55,8 @@ def __oneShotUnionUse(expression, unpack=True): | ||||||
|     page, headers = Request.queryPage(payload, content=True, raise404=False) |     page, headers = Request.queryPage(payload, content=True, raise404=False) | ||||||
|     content = "%s%s" % (page or "", listToStrValue(headers.headers if headers else None) or "") |     content = "%s%s" % (page or "", listToStrValue(headers.headers if headers else None) or "") | ||||||
| 
 | 
 | ||||||
|     reflective = filterStringValue(agent.removePayloadDelimiters(payload), r'[A-Za-z0-9]', r'[^\s]+') |     # Remove possible reflective values from content (especially headers part) | ||||||
|     filtered = re.sub(reflective, REFLECTED_VALUE_MARKER, content) |     content = removeReflectiveValues(content, payload) | ||||||
|     if filtered != content: |  | ||||||
|         warnMsg = "reflective value found and filtered" |  | ||||||
|         logger.warn(warnMsg) |  | ||||||
|         content = filtered |  | ||||||
| 
 | 
 | ||||||
|     reqCount += 1 |     reqCount += 1 | ||||||
| 
 | 
 | ||||||
|  | @ -168,6 +164,7 @@ def unionUse(expression, unpack=True, dump=False): | ||||||
| 
 | 
 | ||||||
|                     stopLimit = limitRegExp.group(int(limitGroupStop)) |                     stopLimit = limitRegExp.group(int(limitGroupStop)) | ||||||
|                     limitCond = int(stopLimit) > 1 |                     limitCond = int(stopLimit) > 1 | ||||||
|  | 
 | ||||||
|                 elif topLimit: |                 elif topLimit: | ||||||
|                     startLimit = 0 |                     startLimit = 0 | ||||||
|                     stopLimit = int(topLimit.group(1)) |                     stopLimit = int(topLimit.group(1)) | ||||||
|  | @ -225,6 +222,7 @@ def unionUse(expression, unpack=True, dump=False): | ||||||
|                 logger.warn(warnMsg) |                 logger.warn(warnMsg) | ||||||
| 
 | 
 | ||||||
|                 stopLimit = 1 |                 stopLimit = 1 | ||||||
|  | 
 | ||||||
|             elif isNumPosStrValue(count): |             elif isNumPosStrValue(count): | ||||||
|                 if isinstance(stopLimit, int) and stopLimit > 0: |                 if isinstance(stopLimit, int) and stopLimit > 0: | ||||||
|                     stopLimit = min(int(count), int(stopLimit)) |                     stopLimit = min(int(count), int(stopLimit)) | ||||||
|  | @ -234,6 +232,7 @@ def unionUse(expression, unpack=True, dump=False): | ||||||
|                     infoMsg = "the SQL query used returns " |                     infoMsg = "the SQL query used returns " | ||||||
|                     infoMsg += "%d entries" % stopLimit |                     infoMsg += "%d entries" % stopLimit | ||||||
|                     logger.info(infoMsg) |                     logger.info(infoMsg) | ||||||
|  | 
 | ||||||
|             try: |             try: | ||||||
|                 for num in xrange(startLimit, stopLimit): |                 for num in xrange(startLimit, stopLimit): | ||||||
|                     if Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE): |                     if Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE): | ||||||
|  |  | ||||||
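Review bot: In the `__oneShotUnionUse` hunk the inline neutralization is replaced by the shared helper, but the module's `filterStringValue` import (and `re`, if nothing else in the module uses it) is left behind while `REFLECTED_VALUE_MARKER` was removed; the rest of the module is outside the hunk, so a leftover-import check is worth doing to keep the cleanup consistent. The helper strips `PAYLOAD_DELIMITER` with a plain `str.replace` where the old code called `agent.removePayloadDelimiters(payload)`; if that function does anything beyond the replace, the regex built from the payload changes, so the two should be confirmed equivalent. The remaining `unionUse` hunks are blank-line additions only.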