diff --git a/lib/controller/checks.py b/lib/controller/checks.py
index b65967386..004c53c51 100644
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -72,11 +72,12 @@ from lib.request.templates import getPageTemplate
 from lib.techniques.union.test import unionTest
 from lib.techniques.union.use import configUnion
-def checkSqlInjection(place, parameter, value):
+def checkSqlInjection(place, parameter, value, targetUrl):
 # Store here the details about boundaries and payload used to
 # successfully inject
 injection = InjectionDict()
+ injection.target = targetUrl
 # Localized thread data needed for some methods
 threadData = getCurrentThreadData()
diff --git a/lib/controller/controller.py b/lib/controller/controller.py
index 730c1003a..65eab8e25 100644
--- a/lib/controller/controller.py
+++ b/lib/controller/controller.py
@@ -124,7 +124,15 @@ def _selectInjection():
 kb.injection = kb.injections[index]
 def _formatInjection(inj):
- data = "Place: %s\n" % inj.place
+ if conf.detectAll:
+ data = 'Url: ' + inj.target + '\n'
+ else:
+ data = ""
+ if conf.detectAll:
+ data += " "
+ data += "Place: %s\n" % inj.place
+ if conf.detectAll:
+ data += " "
 data += "Parameter: %s\n" % inj.parameter
 for stype, sdata in inj.data.items():
@@ -142,9 +150,17 @@ def _formatInjection(inj):
 title = title.replace("columns", "column")
 elif comment:
 vector = "%s%s" % (vector, comment)
+ if conf.detectAll:
+ data += " "
 data += " Type: %s\n" % PAYLOAD.SQLINJECTION[stype]
+ if conf.detectAll:
+ data += " "
 data += " Title: %s\n" % title
+ if conf.detectAll:
+ data += " "
 data += " Payload: %s\n" % urldecode(payload, unsafe="&", plusspace=(inj.place == PLACE.POST and kb.postSpaceToPlus))
+ if conf.detectAll:
+ data += " "
 data += " Vector: %s\n\n" % vector if conf.verbose > 1 else "\n"
 return data
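Review bot: The `+def checkSqlInjection(place, parameter, value, targetUrl):` line adds a fourth required positional parameter, so any caller that is not updated in this commit now fails with a TypeError at call time. Since `InjectionDict` initialises `target` to `None` (see the lib/core/datatype.py hunk), a keyword default preserves existing call sites at no cost: `def checkSqlInjection(place, parameter, value, targetUrl=None):`. It would also help to say on the new attribute line what the value is for, e.g. `# target URL recorded for reporting (printed by _formatInjection under --detect-all)`. The body of checkSqlInjection continues beyond this hunk.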
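Review bot: `data = 'Url: ' + inj.target + '\n'` raises TypeError whenever `inj.target` is still the `None` that `InjectionDict` initialises it to, so any injection record that reaches `_formatInjection` without a target set breaks report formatting under `--detect-all`. Using the same %-formatting as the neighbouring lines, `data = "Url: %s\n" % inj.target`, renders a missing value instead of crashing and keeps the quoting style consistent. The repeated `if conf.detectAll: data += ...` pairs in this hunk and in the following one (`@@ -142,9 +150,17 @@`) would read better as a prefix computed once at the top of the function, e.g. `prefix = " " if conf.detectAll else ""` using the indent literal the hunk repeats, and prepended to each `data += ...` line.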
@@ -295,7 +311,7 @@ def start():
 kb.skipVulnHost = readInput(message, default="Y").upper() != 'N'
 testSqlInj = not kb.skipVulnHost
- if not testSqlInj:
+ if not conf.detectAll and not testSqlInj:
 infoMsg = "skipping '%s'" % targetUrl
 logger.info(infoMsg)
 continue
@@ -430,7 +446,7 @@ def start():
 testSqlInj = True
 paramKey = (conf.hostname, conf.path, place, parameter)
- if paramKey in kb.testedParams:
+ if paramKey in kb.testedParams and not conf.detectAll:
 testSqlInj = False
 infoMsg = "skipping previously processed %s parameter '%s'" % (place, parameter)
@@ -484,7 +500,7 @@ def start():
 infoMsg += "parameter '%s'" % parameter
 logger.info(infoMsg)
- injection = checkSqlInjection(place, parameter, value)
+ injection = checkSqlInjection(place, parameter, value, targetUrl)
 proceed = not kb.endDetection
 if injection is not None and injection.place is not None:
diff --git a/lib/core/datatype.py b/lib/core/datatype.py
index 1e9d03e4b..324a813bb 100644
--- a/lib/core/datatype.py
+++ b/lib/core/datatype.py
@@ -93,6 +93,7 @@ class InjectionDict(AttribDict):
 self.prefix = None
 self.suffix = None
 self.clause = None
+ self.target = None
 # data is a dict with various stype, each which is a dict with
 # all the information specific for that stype
diff --git a/lib/parse/cmdline.py b/lib/parse/cmdline.py
index b74d66189..e48437f35 100644
--- a/lib/parse/cmdline.py
+++ b/lib/parse/cmdline.py
@@ -287,6 +287,11 @@ def cmdLineParser():
 action="store_true",
 help="Compare pages based only on their titles")
+
+ detection.add_option("--detect-all", dest="detectAll", action="store_true", help="Test all targets and all parameters even if a SQL injection was discovered")
+
 # Techniques options
 techniques = OptionGroup(parser, "Techniques", "These options can be "
 "used to tweak testing of specific SQL "
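Review bot: With `conf.detectAll` set, the answer collected by `readInput` two lines above the changed condition is discarded: the user is still asked whether to skip the host, but `continue` is never reached. Folding the flag into the stored value keeps the prompt result and the skip decision consistent for anything else that reads `kb.skipVulnHost`, e.g. `kb.skipVulnHost = not conf.detectAll and readInput(message, default="Y").upper() != 'N'`, after which the `if not testSqlInj:` line can stay as it was. The condition guarding the prompt, and the rest of `start()`, are outside this hunk, so it may be preferable to suppress the prompt there instead.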
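Review bot: The added `and not conf.detectAll` in `if paramKey in kb.testedParams and not conf.detectAll:` also disables the `kb.testedParams` de-duplication, so a parameter at the same host and path is re-tested every time it recurs across targets; that goes beyond the option's help text, which only promises to keep going "even if a SQL injection was discovered". If the re-testing is intended, the `--detect-all` help in lib/parse/cmdline.py should say so; if not, this condition can be left unchanged and the flag's effect kept to the host-skip check in the hunk above. The surrounding loop in `start()` lies outside the hunk.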
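Review bot: The new `--detect-all` option is separated from the preceding `help="Compare pages based only on their titles")` option by two blank lines (the existing context blank plus the added `+` blank), while neighbouring options in this group are separated by one; dropping the first added blank line keeps the spacing uniform. The help string should also mention that previously processed parameters are re-tested, since the flag changes that check in lib/controller/controller.py as well as the host-skip check; e.g. `help="Test all targets and all parameters even if a SQL injection was discovered, re-testing previously processed parameters"`.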