implemented --randomize switch by request

2024-11-22 01:26:42 +03:00 · 2011-08-29 12:50:52 +00:00 · 2011-08-29 12:50:52 +00:00 · ac00014c4a
commit ac00014c4a
parent d283e3eb3c
7 changed files with 55 additions and 2 deletions
--- a/doc/THANKS
+++ b/doc/THANKS
@ -1,5 +1,8 @@
 == Individuals ==

+Andres Tarasco Acuna <atarasco@gmail.com>
+    for suggesting a feature
+
 Santiago Accurso <saccurso@skygear.com.ar>
    for reporting a bug

--- a/lib/controller/controller.py
+++ b/lib/controller/controller.py
@ -419,6 +419,12 @@ def start():
                            infoMsg = "skipping previously processed %s parameter '%s'" % (place, parameter)
                            logger.info(infoMsg)

+                        elif parameter == conf.rParam:
+                            testSqlInj = False
+
+                            infoMsg = "skipping randomizing %s parameter '%s'" % (place, parameter)
+                            logger.info(infoMsg)
+
                        elif parameter in conf.testParameter:
                            pass

--- a/lib/core/common.py
+++ b/lib/core/common.py
@ -2924,3 +2924,17 @@ def filterPairValues(values):
        retVal = filter(lambda x: isinstance(x, (tuple, list, set)) and len(x) == 2, values)

    return retVal
+
+def randomizeParameterValue(value):
+    retVal = value
+
+    for match in re.finditer('[A-Z]+', value):
+        retVal = retVal.replace(match.group(), randomStr(len(match.group())).upper())
+
+    for match in re.finditer('[a-z]+', value):
+        retVal = retVal.replace(match.group(), randomStr(len(match.group())).lower())
+
+    for match in re.finditer('[0-9]+', value):
+        retVal = retVal.replace(match.group(), str(randomInt(len(match.group()))))
+
+    return retVal
--- a/lib/core/optiondict.py
+++ b/lib/core/optiondict.py
@ -30,6 +30,7 @@ optDict = {
                               "dropSetCookie":     "boolean",
                               "agent":             "string",
                               "randomAgent":       "boolean",
+                               "rParam":            "string",
                               "referer":           "string",
                               "headers":           "string",
                               "aType":             "string",
--- a/lib/parse/cmdline.py
+++ b/lib/parse/cmdline.py
@ -89,6 +89,9 @@ def cmdLineParser():
                           action="store_true",
                           help="Use randomly selected HTTP User-Agent header")

+        request.add_option("--randomize", dest="rParam",
+                           help="Randomly change value for the given parameter")
+
        request.add_option("--referer", dest="referer",
                           help="HTTP Referer header")

--- a/lib/request/connect.py
+++ b/lib/request/connect.py
@ -27,6 +27,7 @@ from lib.core.common import getFilteredPageContent
 from lib.core.common import getUnicode
 from lib.core.common import logHTTPTraffic
 from lib.core.common import parseTargetUrl
+from lib.core.common import randomizeParameterValue
 from lib.core.common import readInput
 from lib.core.common import removeReflectiveValues
 from lib.core.common import singleTimeWarnMessage
@ -548,10 +549,10 @@ class Connect:
            checkPayload(value)

        if PLACE.GET in conf.parameters:
-            get = urlencode(conf.parameters[PLACE.GET] if place != PLACE.GET or not value else value, limit=True)
+            get = conf.parameters[PLACE.GET] if place != PLACE.GET or not value else value

        if PLACE.POST in conf.parameters:
-            post = urlencode(conf.parameters[PLACE.POST] if place != PLACE.POST or not value else value)
+            post = conf.parameters[PLACE.POST] if place != PLACE.POST or not value else value

        if PLACE.SOAP in conf.parameters:
            post = conf.parameters[PLACE.SOAP] if place != PLACE.SOAP or not value else value
@ -570,6 +571,28 @@ class Connect:
        else:
            uri = conf.url

+        if conf.rParam:
+            def _randomizeParameter(paramString, randomParameter):
+                retVal = paramString
+                match = re.search("%s=(?P<value>[^&;]+)" % randomParameter, paramString)
+                if match:
+                    origValue = match.group("value")
+                    retVal = re.sub("%s=[^&;]+" % randomParameter, "%s=%s" % (randomParameter, randomizeParameterValue(origValue)), paramString)
+                return retVal
+
+            for item in [PLACE.GET, PLACE.POST, PLACE.COOKIE]:                
+                if item in conf.parameters:
+                    origValue = conf.parameters[item]
+                    if item == PLACE.GET and get:
+                        get = _randomizeParameter(get, conf.rParam)
+                    elif item == PLACE.POST and post:
+                        post = _randomizeParameter(post, conf.rParam)
+                    elif item == PLACE.COOKIE and cookie:
+                        cookie = _randomizeParameter(cookie, conf.rParam)
+
+        get = urlencode(get, limit=True)
+        post = urlencode(post)
+
        if timeBasedCompare:
            if len(kb.responseTimes) < MIN_TIME_RESPONSES:
                clearConsoleLine()
--- a/sqlmap.conf
+++ b/sqlmap.conf
@ -59,6 +59,9 @@ agent =
 # Valid: True or False
 randomAgent = False

+# Randomly change value for the given parameter
+rParam = 
+

 # HTTP Referer header. Useful to fake the HTTP Referer header value at
 # each HTTP request.