From d9e540e8b28c46abb466375de4d09c80b670505b Mon Sep 17 00:00:00 2001 From: Miroslav Stampar Date: Wed, 4 Mar 2020 22:43:50 +0100 Subject: [PATCH] Couple of minor patches --- lib/controller/controller.py | 17 ++++++++++------- lib/core/option.py | 3 +++ lib/core/testing.py | 16 ++++++++++++---- lib/parse/cmdline.py | 2 +- lib/techniques/blind/inference.py | 4 ++-- 5 files changed, 28 insertions(+), 14 deletions(-) diff --git a/lib/controller/controller.py b/lib/controller/controller.py index 57414dcfb..57ed869c7 100644 --- a/lib/controller/controller.py +++ b/lib/controller/controller.py @@ -413,14 +413,17 @@ def start(): parseTargetUrl() else: - message += "\ndo you want to test this URL? [Y/n/q]" - choice = readInput(message, default='Y').upper() + if not conf.scope: + message += "\ndo you want to test this URL? [Y/n/q]" + choice = readInput(message, default='Y').upper() - if choice == 'N': - dataToStdout(os.linesep) - continue - elif choice == 'Q': - break + if choice == 'N': + dataToStdout(os.linesep) + continue + elif choice == 'Q': + break + else: + pass infoMsg = "testing URL '%s'" % targetUrl logger.info(infoMsg) diff --git a/lib/core/option.py b/lib/core/option.py index 5c81a1e1d..fdf288f61 100644 --- a/lib/core/option.py +++ b/lib/core/option.py @@ -425,6 +425,9 @@ def _setBulkMultipleTargets(): found = False for line in getFileItems(conf.bulkFile): + if conf.scope and not re.search(conf.scope, line, re.I): + continue + if re.match(r"[^ ]+\?(.+)", line, re.I) or kb.customInjectionMark in line: found = True kb.targets.add((line.strip(), conf.method, conf.data, conf.cookie, None)) diff --git a/lib/core/testing.py b/lib/core/testing.py index 6f406ce38..731fcbe0d 100644 --- a/lib/core/testing.py +++ b/lib/core/testing.py @@ -41,18 +41,20 @@ def vulnTest(): TESTS = ( ("-h", ("to see full list of options run with '-hh'",)), ("-u --flush-session --wizard --check-internet", ("Please choose:", "back-end DBMS: SQLite", "current user is DBA: True", "banner: '3.", "~no connection detected")), + ("--dependencies", ("sqlmap requires", "third-party library")), (u"-c --flush-session --sql-query=\"SELECT '\u0161u\u0107uraj'\" --technique=U", (u": '\u0161u\u0107uraj'",)), (u"-u --flush-session --sql-query=\"SELECT '\u0161u\u0107uraj'\" --technique=B --no-escape --string=luther --unstable", (u": '\u0161u\u0107uraj'",)), ("--dummy", ("all tested parameters do not appear to be injectable", "does not seem to be injectable", "there is not at least one", "~might be injectable")), ("--list-tampers", ("between", "MySQL", "xforwardedfor")), - ("-r --flush-session -v 5", ("CloudFlare", "possible DBMS: 'SQLite'", "User-agent: foobar")), + ("-r --flush-session -v 5 --test-skip='heavy' --save=", ("CloudFlare", "possible DBMS: 'SQLite'", "User-agent: foobar", "~Type: time-based blind")), ("-l --flush-session --keep-alive --skip-waf -v 5 --technique=U --union-from=users --banner --parse-errors", ("banner: '3.", "ORDER BY term out of range", "~xp_cmdshell", "Connection: keep-alive")), ("-l --offline --banner -v 5", ("banner: '3.", "~[TRAFFIC OUT]")), + ("-u --flush-session --banner --technique=B --first=1 --last=2", ("banner: '3.'",)), ("-u --flush-session --encoding=ascii --forms --crawl=2 --threads=2 --banner", ("total of 2 targets", "might be injectable", "Type: UNION query", "banner: '3.")), ("-u --flush-session --data='{\"id\": 1}' --banner", ("might be injectable", "3 columns", "Payload: {\"id\"", "Type: boolean-based blind", "Type: time-based blind", "Type: UNION query", "banner: '3.")), ("-u --flush-session -H 'Foo: Bar' -H 'Sna: Fu' --data='' --union-char=1 --mobile --answers='smartphone=3' --banner --smart -v 5", ("might be injectable", "Payload: --flush-session --method=PUT --data='a=1&b=2&c=3&id=1' --skip-static --dump -T users --start=1 --stop=2", ("might be injectable", "Parameter: id (PUT)", "Type: boolean-based blind", "Type: time-based blind", "Type: UNION query", "2 entries")), - ("-u --flush-session -H 'id: 1*' --tables", ("might be injectable", "Parameter: id #1* ((custom) HEADER)", "Type: boolean-based blind", "Type: time-based blind", "Type: UNION query", " users ")), + ("-u --flush-session --method=PUT --data='a=1&b=2&c=3&id=1' --skip-static --har= --dump -T users --start=1 --stop=2", ("might be injectable", "Parameter: id (PUT)", "Type: boolean-based blind", "Type: time-based blind", "Type: UNION query", "2 entries")), + ("-u --flush-session -H 'id: 1*' --tables -t ", ("might be injectable", "Parameter: id #1* ((custom) HEADER)", "Type: boolean-based blind", "Type: time-based blind", "Type: UNION query", " users ")), ("-u --flush-session --banner --invalid-logical --technique=B --predict-output --test-filter='OR boolean' --tamper=space2dash", ("banner: '3.", " LIKE ")), ("-u --flush-session --cookie=\"PHPSESSID=d41d8cd98f00b204e9800998ecf8427e; id=1*; id2=2\" --tables --union-cols=3", ("might be injectable", "Cookie #1* ((custom) HEADER)", "Type: boolean-based blind", "Type: time-based blind", "Type: UNION query", " users ")), ("-u --flush-session --null-connection --technique=B --tamper=between,randomcase --banner", ("NULL connection is supported with HEAD method", "banner: '3.")), @@ -120,9 +122,15 @@ def vulnTest(): dataToStdout("\r[%s] [INFO] complete: %s" % (time.strftime("%X"), status)) cmd = "%s %s %s --batch --non-interactive" % (sys.executable, os.path.abspath(os.path.join(os.path.dirname(__file__), "..", "..", "sqlmap.py")), options.replace("", url).replace("", direct).replace("", request).replace("", log).replace("", config)) + + if "" in cmd: + handle, tmp = tempfile.mkstemp() + os.close(handle) + cmd = cmd.replace("", tmp) + output = shellExec(cmd) - if not all((check in output if not check.startswith('~') else check[1:] not in output) for check in checks): + if not all((check in output if not check.startswith('~') else check[1:] not in output) for check in checks) or "unhandled exception" in output: dataToStdout("---\n\n$ %s\n" % cmd) dataToStdout("%s---\n" % clearColors(output)) retVal = False diff --git a/lib/parse/cmdline.py b/lib/parse/cmdline.py index 0c41c14d8..69d95d892 100644 --- a/lib/parse/cmdline.py +++ b/lib/parse/cmdline.py @@ -683,7 +683,7 @@ def cmdLineParser(argv=None): help="Save options to a configuration INI file") general.add_argument("--scope", dest="scope", - help="Regexp to filter targets from provided proxy log") + help="Regexp for filtering targets") general.add_argument("--skip-waf", dest="skipWaf", action="store_true", help="Skip heuristic detection of WAF/IPS protection") diff --git a/lib/techniques/blind/inference.py b/lib/techniques/blind/inference.py index 96b74a297..60efd1aec 100644 --- a/lib/techniques/blind/inference.py +++ b/lib/techniques/blind/inference.py @@ -139,7 +139,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None firstChar = len(partialValue) elif re.search(r"(?i)(\b|CHAR_)(LENGTH|LEN)\(", expression): firstChar = 0 - elif (kb.fileReadMode or dump) and conf.firstChar is not None and (isinstance(conf.firstChar, int) or (hasattr(conf.firstChar, "isdigit") and conf.firstChar.isdigit())): + elif conf.firstChar is not None and (isinstance(conf.firstChar, int) or (hasattr(conf.firstChar, "isdigit") and conf.firstChar.isdigit())): firstChar = int(conf.firstChar) - 1 if kb.fileReadMode: firstChar <<= 1 @@ -150,7 +150,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None if re.search(r"(?i)(\b|CHAR_)(LENGTH|LEN)\(", expression): lastChar = 0 - elif dump and conf.lastChar is not None and (isinstance(conf.lastChar, int) or (hasattr(conf.lastChar, "isdigit") and conf.lastChar.isdigit())): + elif conf.lastChar is not None and (isinstance(conf.lastChar, int) or (hasattr(conf.lastChar, "isdigit") and conf.lastChar.isdigit())): lastChar = int(conf.lastChar) elif hasattr(lastChar, "isdigit") and lastChar.isdigit() or isinstance(lastChar, int): lastChar = int(lastChar)