From b45ae10da40e9f2e15114e64e0721044948bb8da Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Wed, 11 Apr 2012 21:36:37 +0000
Subject: [PATCH] minor fixes
---
 lib/controller/checks.py | 2 +-
 lib/core/common.py | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/controller/checks.py b/lib/controller/checks.py
index 7150d0069..37a3c1c1d 100644
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -349,7 +349,7 @@ def checkSqlInjection(place, parameter, value):
 if not injectable and not conf.string:
 trueSet = set(extractTextTagContent(truePage))
 falseSet = set(extractTextTagContent(falsePage))
- candidate = reduce(lambda x, y: x or (y.strip() if y.strip() in (kb.pageTemplate or "") else None), (trueSet - falseSet), None)
+ candidate = reduce(lambda x, y: x or (y.strip() if y.strip() in (kb.pageTemplate or "") and y.strip() not in falsePage else None), (trueSet - falseSet), None)
 if candidate:
 conf.string = candidate
 infoMsg = "%s parameter '%s' seems to be '%s' injectable (with --string=%s)" % (place, parameter, title, repr(candidate).lstrip('u'))
diff --git a/lib/core/common.py b/lib/core/common.py
index fc415de98..37da8547e 100644
--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -2161,8 +2161,8 @@ def extractTextTagContent(page):
 Returns list containing content from "textual" tags
 """
- page = re.sub(r"(?si)[^\s]*%s[^<]*" % REFLECTED_VALUE_MARKER, "", page or "")
- return [_.group('result') for _ in re.finditer(TEXT_TAG_REGEX, page)]
+ page = re.sub(r"(?si)[^\s>]*%s[^<]*" % REFLECTED_VALUE_MARKER, "", page or "")
+ return filter(None, (_.group('result').strip() for _ in re.finditer(TEXT_TAG_REGEX, page)))
 def trimAlphaNum(value):
 """
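Review bot: In lib/controller/checks.py, the added `y.strip() not in falsePage` test on the `candidate = reduce(...)` line uses `falsePage` unguarded, although the same expression guards `kb.pageTemplate or ""` and extractTextTagContent guards `page or ""`. If `falsePage` can be None at this point (not visible in the hunk), the membership test raises TypeError instead of simply rejecting the candidate; `y.strip() not in (falsePage or "")` keeps the operands consistent. The new condition is a substring match against the raw false response, so a short comment such as `# a candidate that also occurs anywhere in the false page cannot distinguish the two responses` would record why it is there. checkSqlInjection begins and ends outside the hunk.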
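Review bot: In lib/core/common.py, the new `return filter(None, ...)` in extractTextTagContent matches the docstring's "Returns list" only because Python 2's filter() builds a list. Where filter() is lazy, a caller that indexes the result or takes its len() would break, while the `set(...)` callers in checks.py would not notice. A comprehension states the contract directly: `return [_ for _ in (m.group('result').strip() for m in re.finditer(TEXT_TAG_REGEX, page)) if _]`. The `[^\s>]*` change would also benefit from a comment, presumably `# stop the reflected-value removal from running back past a tag's closing '>'`, since the pattern alone does not say why `>` is excluded. The function's signature and the opening of its docstring are outside the hunk.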