From d3bfe59401d0b756d4faf8093e732d7233358847 Mon Sep 17 00:00:00 2001 From: Miroslav Stampar Date: Tue, 7 Feb 2023 09:40:42 +0100 Subject: [PATCH] Fixes #5308 --- lib/controller/controller.py | 18 ++++++++++++++++++ lib/core/option.py | 1 + lib/core/settings.py | 2 +- 3 files changed, 20 insertions(+), 1 deletion(-) diff --git a/lib/controller/controller.py b/lib/controller/controller.py index 2ea81d9c2..22cd58161 100644 --- a/lib/controller/controller.py +++ b/lib/controller/controller.py @@ -568,6 +568,24 @@ def start(): infoMsg = "%sparameter '%s' appears to be dynamic" % ("%s " % paramType if paramType != parameter else "", parameter) logger.info(infoMsg) + if kb.processUserMarks: + if testSqlInj and place not in (PLACE.CUSTOM_POST, PLACE.CUSTOM_HEADER): + if kb.processNonCustom is None: + message = "other non-custom parameters found. " + message += "Do you want to process them too? [Y/n/q] " + choice = readInput(message, default='Y').upper() + + if choice == 'Q': + raise SqlmapUserQuitException + else: + kb.processNonCustom = choice == 'Y' + + if not kb.processNonCustom: + infoMsg = "skipping %sparameter '%s'" % ("%s " % paramType if paramType != parameter else "", parameter) + logger.info(infoMsg) + + testSqlInj = False + kb.testedParams.add(paramKey) if testSqlInj: diff --git a/lib/core/option.py b/lib/core/option.py index 72d834d07..2d50d84f9 100644 --- a/lib/core/option.py +++ b/lib/core/option.py @@ -2145,6 +2145,7 @@ def _setKnowledgeBaseAttributes(flushAll=True): kb.prependFlag = False kb.processResponseCounter = 0 kb.previousMethod = None + kb.processNonCustom = None kb.processUserMarks = None kb.proxyAuthHeader = None kb.queryCounter = 0 diff --git a/lib/core/settings.py b/lib/core/settings.py index 9b6a74fac..e37f909ab 100644 --- a/lib/core/settings.py +++ b/lib/core/settings.py @@ -20,7 +20,7 @@ from thirdparty import six from thirdparty.six import unichr as _unichr # sqlmap version (...) -VERSION = "1.7.2.5" +VERSION = "1.7.2.6" TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable" TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34} VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)