From d78a3e977b78c682c53df357286ce05bb3b7e333 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Wed, 13 Feb 2013 12:24:42 +0100
Subject: [PATCH] Update (allowing regular char * to be inside SOAP/JSON/XML)
---
 lib/core/agent.py | 6 +++---
 lib/core/settings.py | 1 +
 lib/core/target.py | 14 +++++++++-----
 lib/request/connect.py | 2 ++
 4 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/lib/core/agent.py b/lib/core/agent.py
index 60490c971..4440e929f 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -30,10 +30,10 @@ from lib.core.enums import PAYLOAD
 from lib.core.enums import PLACE
 from lib.core.enums import POST_HINT
 from lib.core.exception import SqlmapNoneDataException
-from lib.core.settings import ASTERISK_MARKER
 from lib.core.settings import CUSTOM_INJECTION_MARK_CHAR
 from lib.core.settings import GENERIC_SQL_COMMENT
 from lib.core.settings import PAYLOAD_DELIMITER
+from lib.core.settings import REPLACEMENT_MARKER
 from lib.core.unescaper import unescaper
 
 class Agent(object):
@@ -128,9 +128,9 @@ class Agent(object):
 _ = "%s%s" % (origValue, CUSTOM_INJECTION_MARK_CHAR)
 if kb.postHint == POST_HINT.JSON and not isNumber(newValue) and not '"%s"' % _ in paramString:
 newValue = '"%s"' % newValue
-newValue = newValue.replace(CUSTOM_INJECTION_MARK_CHAR, ASTERISK_MARKER)
+newValue = newValue.replace(CUSTOM_INJECTION_MARK_CHAR, REPLACEMENT_MARKER)
 retVal = paramString.replace(_, self.addPayloadDelimiters(newValue))
-retVal = retVal.replace(CUSTOM_INJECTION_MARK_CHAR, "").replace(ASTERISK_MARKER, CUSTOM_INJECTION_MARK_CHAR)
+retVal = retVal.replace(CUSTOM_INJECTION_MARK_CHAR, "").replace(REPLACEMENT_MARKER, CUSTOM_INJECTION_MARK_CHAR)
 elif place in (PLACE.USER_AGENT, PLACE.REFERER, PLACE.HOST):
 retVal = paramString.replace(origValue, self.addPayloadDelimiters(newValue))
 else:
diff --git a/lib/core/settings.py b/lib/core/settings.py
index eff5545ef..78c6ab128 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
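Review bot: The marker round-trip on the four changed lines of the @@ -128 hunk is undocumented, and since this same commit gives ASTERISK_MARKER a different job in target.py and connect.py, a reader meeting REPLACEMENT_MARKER here has no hint why the payload's marks are swapped out before `paramString.replace(_, ...)` and swapped back after the blanket strip. I would add a comment above the first changed line, `# temporarily disguise the marks inside the payload so the strip below removes only the ones left in paramString`. The scheme also assumes paramString never contains the literal REPLACEMENT_MARKER text, which seems acceptable for a private sentinel but is worth stating in that comment. The enclosing method starts and ends outside the hunk.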
@@ -40,6 +40,7 @@ PARTIAL_VALUE_MARKER = "__PARTIAL_VALUE__"
 PARTIAL_HEX_VALUE_MARKER = "__PARTIAL_HEX_VALUE__"
 URI_QUESTION_MARKER = "__QUESTION_MARK__"
 ASTERISK_MARKER = "__ASTERISK_MARK__"
+REPLACEMENT_MARKER = "__REPLACEMENT_MARK__"
 PAYLOAD_DELIMITER = "\x00"
 CHAR_INFERENCE_MARK = "%c"
 
diff --git a/lib/core/target.py b/lib/core/target.py
index 2ccfa0a3a..026cccc0c 100644
--- a/lib/core/target.py
+++ b/lib/core/target.py
@@ -39,6 +39,7 @@ from lib.core.exception import SqlmapUserQuitException
 from lib.core.option import _setDBMS
 from lib.core.option import _setKnowledgeBaseAttributes
 from lib.core.option import _setAuthCred
+from lib.core.settings import ASTERISK_MARKER
 from lib.core.settings import CUSTOM_INJECTION_MARK_CHAR
 from lib.core.settings import HOST_ALIASES
 from lib.core.settings import JSON_RECOGNITION_REGEX
@@ -85,16 +86,14 @@ def _setRequestParams():
 if conf.data is not None:
 conf.method = HTTPMETHOD.POST
 
- if CUSTOM_INJECTION_MARK_CHAR in conf.data: # later processed
- pass
-
- elif re.search(JSON_RECOGNITION_REGEX, conf.data):
+ if re.search(JSON_RECOGNITION_REGEX, conf.data):
 message = "JSON like data found in POST data. "
 message += "Do you want to process it? [Y/n/q] "
 test = readInput(message, default="Y")
 if test and test[0] in ("q", "Q"):
 raise SqlmapUserQuitException
 elif test[0] not in ("n", "N"):
+ conf.data = conf.data.replace(CUSTOM_INJECTION_MARK_CHAR, ASTERISK_MARKER)
 conf.data = re.sub(r'("[^"]+"\s*:\s*"[^"]+)"', r'\g<1>%s"' % CUSTOM_INJECTION_MARK_CHAR, conf.data)
 conf.data = re.sub(r'("[^"]+"\s*:\s*)(-?\d[\d\.]*\b)', r'\g<0>%s' % CUSTOM_INJECTION_MARK_CHAR, conf.data)
 kb.postHint = POST_HINT.JSON
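Review bot: Moving the JSON check ahead of the `CUSTOM_INJECTION_MARK_CHAR in conf.data` test in the @@ -85 hunk changes what an explicit `*` in --data means: once the user answers Y, the added `conf.data = conf.data.replace(CUSTOM_INJECTION_MARK_CHAR, ASTERISK_MARKER)` turns every user-placed mark into a literal asterisk (connect.py later restores it as '*') and the auto-generated marks take over, and the prompt does not say so. I would either extend the prompt, `message += "Do you want to process it? (any '*' in the data is then treated literally) [Y/n/q] "`, or at least comment the added line, `# user-placed marks become literal '*' from here on; auto-placed marks take over`. The same added line is repeated verbatim in the SOAP/XML and multipart branches (hunks @@ -106 and @@ -116), so a small helper shared by the three branches would keep them from drifting. _setRequestParams continues outside the hunk.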
@@ -106,6 +105,7 @@ def _setRequestParams():
 if test and test[0] in ("q", "Q"):
 raise SqlmapUserQuitException
 elif test[0] not in ("n", "N"):
+ conf.data = conf.data.replace(CUSTOM_INJECTION_MARK_CHAR, ASTERISK_MARKER)
 conf.data = re.sub(r"(<([^>]+)( [^<]*)?>)([^<]+)(\g<4>%s\g<5>" % CUSTOM_INJECTION_MARK_CHAR, conf.data)
 kb.postHint = POST_HINT.SOAP if "soap" in conf.data.lower() else POST_HINT.XML
 
@@ -116,9 +116,13 @@ def _setRequestParams():
 if test and test[0] in ("q", "Q"):
 raise SqlmapUserQuitException
 elif test[0] not in ("n", "N"):
+ conf.data = conf.data.replace(CUSTOM_INJECTION_MARK_CHAR, ASTERISK_MARKER)
 conf.data = re.sub(r"(?si)(Content-Disposition.+?)((\r)?\n--)", r"\g<1>%s\g<2>" % CUSTOM_INJECTION_MARK_CHAR, conf.data)
 kb.postHint = POST_HINT.MULTIPART
 
+ elif CUSTOM_INJECTION_MARK_CHAR in conf.data: # later processed
+ pass
+
 else:
 place = PLACE.POST
 
@@ -149,7 +153,7 @@ def _setRequestParams():
 raise SqlmapUserQuitException
 
 for place, value in ((PLACE.URI, conf.url), (PLACE.CUSTOM_POST, conf.data), (PLACE.CUSTOM_HEADER, str(conf.httpHeaders))):
- _ = re.sub(r"\bq=[^;']+", "", value or "")
+ _ = re.sub(r"\bq=[^;']+", "", value or "") if place == PLACE.CUSTOM_HEADER else value or ""
 if CUSTOM_INJECTION_MARK_CHAR in _:
 if kb.processUserMarks is None:
 lut = {PLACE.URI: '-u', PLACE.CUSTOM_POST: '--data', PLACE.CUSTOM_HEADER: '--headers/--user-agent/--referer/--cookie'}
diff --git a/lib/request/connect.py b/lib/request/connect.py
index a35cf8b95..14e5c31dd 100644
--- a/lib/request/connect.py
+++ b/lib/request/connect.py
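Review bot: The rewritten line in hunk @@ -149 ends in `... if place == PLACE.CUSTOM_HEADER else value or ""`, where the trailing `or` binds inside the else arm; that is the intended parse, but it is easy to misread, so I would write it as `_ = re.sub(r"\bq=[^;']+", "", value or "") if place == PLACE.CUSTOM_HEADER else (value or "")`. The reason only headers get the `q=` strip is not stated; presumably it keeps Accept-style values such as `q=0.8,*/*` from being read as injection marks, and a one-line comment would help, `# strip q-values from headers only, so an Accept-style '*' is not mistaken for an injection mark`. _setRequestParams continues outside the hunk.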
@@ -56,6 +56,7 @@ from lib.core.exception import SqlmapCompressionException
 from lib.core.exception import SqlmapConnectionException
 from lib.core.exception import SqlmapSyntaxException
 from lib.core.exception import SqlmapValueException
+from lib.core.settings import ASTERISK_MARKER
 from lib.core.settings import CUSTOM_INJECTION_MARK_CHAR
 from lib.core.settings import DEFAULT_CONTENT_TYPE
 from lib.core.settings import DEFAULT_GET_POST_DELIMITER
@@ -666,6 +667,7 @@ class Connect(object):
 
 if PLACE.CUSTOM_POST in conf.parameters:
 post = conf.parameters[PLACE.CUSTOM_POST].replace(CUSTOM_INJECTION_MARK_CHAR, "") if place != PLACE.CUSTOM_POST or not value else value
+ post = post.replace(ASTERISK_MARKER, '*') if post else post
 
 if PLACE.COOKIE in conf.parameters:
 cookie = conf.parameters[PLACE.COOKIE] if place != PLACE.COOKIE or not value else value
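Review bot: The added `post = post.replace(ASTERISK_MARKER, '*') if post else post` in the @@ -666 hunk only works because it runs after the `.replace(CUSTOM_INJECTION_MARK_CHAR, "")` on the line above; swapped, the restored literal '*' would be stripped as a mark, and nothing records that ordering. I would comment the line, `# must follow the mark strip above: restore the literal '*' that _setRequestParams hid behind ASTERISK_MARKER`. The target.py hunks rewrite only conf.data, so restoring in the CUSTOM_POST branch alone looks sufficient, but it is worth confirming that nothing copies conf.data elsewhere before this point. The enclosing method starts and ends outside the hunk.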