From ac00014c4ae22b7fbb1aa2251ac8b7b359505ab9 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Mon, 29 Aug 2011 12:50:52 +0000
Subject: [PATCH] implemented --randomize switch by request

---
 doc/THANKS | 3 +++
 lib/controller/controller.py | 6 ++++++
 lib/core/common.py | 14 ++++++++++++++
 lib/core/optiondict.py | 1 +
 lib/parse/cmdline.py | 3 +++
 lib/request/connect.py | 27 +++++++++++++++++++++++++--
 sqlmap.conf | 3 +++
 7 files changed, 55 insertions(+), 2 deletions(-)

diff --git a/doc/THANKS b/doc/THANKS
index 1eb8e33d4..1ccf013db 100644
--- a/doc/THANKS
+++ b/doc/THANKS
@@ -1,5 +1,8 @@
 == Individuals ==
+Andres Tarasco Acuna
+ for suggesting a feature
+
 Santiago Accurso
 for reporting a bug
diff --git a/lib/controller/controller.py b/lib/controller/controller.py
index 3def4e7b6..d475e344e 100644
--- a/lib/controller/controller.py
+++ b/lib/controller/controller.py
@@ -419,6 +419,12 @@ def start():
 infoMsg = "skipping previously processed %s parameter '%s'" % (place, parameter)
 logger.info(infoMsg)
+ elif parameter == conf.rParam:
+ testSqlInj = False
+ infoMsg = "skipping randomizing %s parameter '%s'" % (place, parameter)
+ logger.info(infoMsg)
+
 elif parameter in conf.testParameter:
 pass
diff --git a/lib/core/common.py b/lib/core/common.py
index 53f2e2ea8..320c35af0 100644
--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -2924,3 +2924,17 @@ def filterPairValues(values):
 retVal = filter(lambda x: isinstance(x, (tuple, list, set)) and len(x) == 2, values)
 return retVal
+
+def randomizeParameterValue(value):
+ retVal = value
+ for match in re.finditer('[A-Z]+', value):
+ retVal = retVal.replace(match.group(), randomStr(len(match.group())).upper())
+ for match in re.finditer('[a-z]+', value):
+ retVal = retVal.replace(match.group(), randomStr(len(match.group())).lower())
+ for match in re.finditer('[0-9]+', value):
+ retVal = retVal.replace(match.group(), str(randomInt(len(match.group()))))
+ return retVal
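Review bot: The new `elif parameter == conf.rParam:` branch is evaluated before `elif parameter in conf.testParameter:`, so a parameter that is named both in `--randomize` and in the explicit test list (if that is what `conf.testParameter` holds) is silently skipped instead of tested; a warning when `conf.rParam` also appears in `conf.testParameter`, ideally at option-validation time, would make that precedence visible. The log text also reads awkwardly: `infoMsg = "skipping randomized %s parameter '%s'" % (place, parameter)` says what the parameter is rather than what is being skipped. `start()` begins and ends outside the hunk.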
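Review bot: `randomizeParameterValue` has no docstring and its substitution is not positional: `retVal.replace(match.group(), ...)` replaces every occurrence of the matched run anywhere in `retVal`, including text an earlier pass already rewrote, so repeated runs (e.g. `"ab_ab"`) always receive the same random replacement while the matches are taken from `value` and the replacements land in the already-modified `retVal`. Substituting each run in place removes both effects: `retVal = re.sub('[A-Z]+', lambda m: randomStr(len(m.group())).upper(), retVal)`, likewise for the `[a-z]+` pass with `.lower()` and for the `[0-9]+` pass with `str(randomInt(len(m.group())))`. A docstring such as "Return *value* with every run of upper-case letters, lower-case letters and digits replaced by a random run of the same class and length; all other characters are kept" would state the contract, on the assumption that `randomStr`/`randomInt` yield a string/integer of the requested length (confirm against their definitions, which are outside the hunk).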
diff --git a/lib/core/optiondict.py b/lib/core/optiondict.py
index 052d4a672..e47a7f6f5 100644
--- a/lib/core/optiondict.py
+++ b/lib/core/optiondict.py
@@ -30,6 +30,7 @@ optDict = {
 "dropSetCookie": "boolean",
 "agent": "string",
 "randomAgent": "boolean",
+ "rParam": "string",
 "referer": "string",
 "headers": "string",
 "aType": "string",
diff --git a/lib/parse/cmdline.py b/lib/parse/cmdline.py
index c612c2054..7e604646b 100644
--- a/lib/parse/cmdline.py
+++ b/lib/parse/cmdline.py
@@ -89,6 +89,9 @@ def cmdLineParser():
 action="store_true",
 help="Use randomly selected HTTP User-Agent header")
+ request.add_option("--randomize", dest="rParam",
+ help="Randomly change value for the given parameter")
+
 request.add_option("--referer", dest="referer",
 help="HTTP Referer header")
diff --git a/lib/request/connect.py b/lib/request/connect.py
index f26be8c23..e78ab88ed 100644
--- a/lib/request/connect.py
+++ b/lib/request/connect.py
@@ -27,6 +27,7 @@ from lib.core.common import getFilteredPageContent
 from lib.core.common import getUnicode
 from lib.core.common import logHTTPTraffic
 from lib.core.common import parseTargetUrl
+from lib.core.common import randomizeParameterValue
 from lib.core.common import readInput
 from lib.core.common import removeReflectiveValues
 from lib.core.common import singleTimeWarnMessage
@@ -548,10 +549,10 @@ class Connect:
 checkPayload(value)
 if PLACE.GET in conf.parameters:
- get = urlencode(conf.parameters[PLACE.GET] if place != PLACE.GET or not value else value, limit=True)
+ get = conf.parameters[PLACE.GET] if place != PLACE.GET or not value else value
 if PLACE.POST in conf.parameters:
- post = urlencode(conf.parameters[PLACE.POST] if place != PLACE.POST or not value else value)
+ post = conf.parameters[PLACE.POST] if place != PLACE.POST or not value else value
 if PLACE.SOAP in conf.parameters:
 post = conf.parameters[PLACE.SOAP] if place != PLACE.SOAP or not value else value
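Review bot: The help text for `--randomize` does not say that the option takes exactly one parameter name, although `dest="rParam"` is a plain string compared by equality elsewhere in the commit, so a comma-separated list would silently match nothing. `help="Randomly change the value of the given parameter (a single name) at each request"` states the scope. `cmdLineParser()` starts before and continues after the hunk.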
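Review bot: With the two `urlencode(...)` calls removed, `get` and `post` now carry un-encoded parameter strings through the rest of this branch, and nothing at the assignment says why; a comment at the first one, `# encoding is deferred so --randomize can rewrite the raw value first`, would stop a later reader from putting the call back here. The encoding itself now happens further down the method (the following hunk), and the SOAP branch remains un-encoded as before, which is worth a word in the same comment. The enclosing method starts before this hunk and continues after it.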
@@ -570,6 +571,28 @@ class Connect:
 else:
 uri = conf.url
+ if conf.rParam:
+ def _randomizeParameter(paramString, randomParameter):
+ retVal = paramString
+ match = re.search("%s=(?P[^&;]+)" % randomParameter, paramString)
+ if match:
+ origValue = match.group("value")
+ retVal = re.sub("%s=[^&;]+" % randomParameter, "%s=%s" % (randomParameter, randomizeParameterValue(origValue)), paramString)
+ return retVal
+ for item in [PLACE.GET, PLACE.POST, PLACE.COOKIE]:
+ if item in conf.parameters:
+ origValue = conf.parameters[item]
+ if item == PLACE.GET and get:
+ get = _randomizeParameter(get, conf.rParam)
+ elif item == PLACE.POST and post:
+ post = _randomizeParameter(post, conf.rParam)
+ elif item == PLACE.COOKIE and cookie:
+ cookie = _randomizeParameter(cookie, conf.rParam)
+ get = urlencode(get, limit=True)
+ post = urlencode(post)
+
 if timeBasedCompare:
 if len(kb.responseTimes) < MIN_TIME_RESPONSES:
 clearConsoleLine()
diff --git a/sqlmap.conf b/sqlmap.conf
index 77d097d1e..3dd881988 100644
--- a/sqlmap.conf
+++ b/sqlmap.conf
@@ -59,6 +59,9 @@ agent =
 # Valid: True or False
 randomAgent = False
+# Randomly change value for the given parameter
+rParam =
+
 # HTTP Referer header. Useful to fake the HTTP Referer header value at
 # each HTTP request.
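Review bot: `_randomizeParameter` interpolates `randomParameter` into both regexes unescaped and unanchored, so a name containing regex metacharacters (e.g. `id[]`) raises `re.error` or never matches, and a short name such as `id` also rewrites the value of `userid=...`; escaping the name with `re.escape` and accepting it only at the start of the string or right after a `&`/`;` separator fixes both, and a callable replacement lets the `re.search` plus `re.sub` pair collapse into one `re.sub` (rewrite below). As rendered here the named group reads `(?P[^&;]+)`, presumably `(?P<value>…)` with the name lost in rendering, since `match.group("value")` needs it. `origValue = conf.parameters[item]` inside the loop is assigned and never read. `get = urlencode(get, limit=True)` and `post = urlencode(post)` now run even when `PLACE.GET`/`PLACE.POST` are absent from `conf.parameters` (the old calls sat inside those guards), so this relies on `urlencode` accepting whatever `get`/`post` are initialised to before the hunk — confirm it tolerates `None`. The enclosing method starts before the hunk and continues after it.
```python
            if conf.rParam:
                def _randomizeParameter(paramString, randomParameter):
                    # escape the name so metacharacters in it are literal, and accept
                    # it only at the start of the string or right after a '&'/';'
                    # separator (or the blank that follows ';' in cookie strings),
                    # so that e.g. 'id' cannot rewrite 'userid=...'
                    pattern = r"(?<![^&;\s])%s=(?P<value>[^&;]+)" % re.escape(randomParameter)
                    return re.sub(pattern, lambda m: "%s=%s" % (randomParameter, randomizeParameterValue(m.group("value"))), paramString)

                for item in [PLACE.GET, PLACE.POST, PLACE.COOKIE]:
                    if item in conf.parameters:
                        # … unchanged: dispatch on item to get/post/cookie (the unused origValue line dropped) …
```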