diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt index 8999e7dc5..689950444 100644 --- a/data/txt/sha256sums.txt +++ b/data/txt/sha256sums.txt @@ -188,7 +188,7 @@ c1cb56f2a43e9f2f6b25d5f3d504e856ea21df6fc14af5e37b1000feef2bdb5a lib/core/optio 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3 lib/core/replication.py 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6 lib/core/revision.py 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c lib/core/session.py -0e067da37caf0003900edd4d0dc63c96090c394f146494032e51d2a3f5cb6174 lib/core/settings.py +2b1e8fed26bc8d137fa39223435bc6f70c95ff057bb14d98b1565452519f8c2e lib/core/settings.py cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82 lib/core/shell.py bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725 lib/core/subprocessng.py 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6 lib/core/target.py @@ -208,7 +208,7 @@ c5b258be7485089fac9d9cd179960e774fbd85e62836dc67cce76cc028bb6aeb lib/parse/hand d2e771cdacef25ee3fdc0e0355b92e7cd1b68f5edc2756ffc19f75d183ba2c73 lib/parse/payloads.py 455ab0ec63e55cd56ce4a884b85bdc089223155008cab0f3696da5a33118f95b lib/parse/sitemap.py 1be3da334411657461421b8a26a0f2ff28e1af1e28f1e963c6c92768f9b0847c lib/request/basicauthhandler.py -a1c638493ecdc5194db7186bbfed815c6eed2344f2607cac8c9fa50534824266 lib/request/basic.py +b8ea3a2192014c66a9fe8e122769df974b88a3b2bcc32277814fcec3a1649c7f lib/request/basic.py bc61bc944b81a7670884f82231033a6ac703324b34b071c9834886a92e249d0e lib/request/chunkedhandler.py 2daf0ce19eacda64687f441c90ef8da51714c3e8947c993ba08fb4ecdc4f5287 lib/request/comparison.py c7ab9699f30b67fdee3ddafdc215981da21aa6820d8dcd620f5c2ca82ddde2f4 lib/request/connect.py diff --git a/lib/core/settings.py b/lib/core/settings.py index 9b4b8e182..9fd3a502a 100644 --- a/lib/core/settings.py +++ b/lib/core/settings.py @@ -20,7 +20,7 @@ from lib.core.enums import OS from thirdparty import six # sqlmap version (...) -VERSION = "1.10.2.9" +VERSION = "1.10.2.10" TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable" TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34} VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE) @@ -122,7 +122,10 @@ PRECONNECT_CANDIDATE_TIMEOUT = 10 PRECONNECT_INCOMPATIBLE_SERVERS = ("SimpleHTTP", "BaseHTTP") # Identify WAF/IPS inside limited number of responses (Note: for optimization purposes) -IDENTYWAF_PARSE_LIMIT = 10 +IDENTYWAF_PARSE_COUNT_LIMIT = 10 + +# Identify WAF/IPS inside limited size of responses +IDENTYWAF_PARSE_PAGE_LIMIT = 4 * 1024 # Maximum sleep time in "Murphy" (testing) mode MAX_MURPHY_SLEEP_TIME = 3 @@ -779,7 +782,7 @@ MAX_CONNECTION_TOTAL_SIZE = 100 * 1024 * 1024 # For preventing MemoryError exceptions (caused when using large sequences in difflib.SequenceMatcher) MAX_DIFFLIB_SEQUENCE_LENGTH = 10 * 1024 * 1024 -# Page size threshold used in heuristic checks (e.g. getHeuristicCharEncoding(), identYwaf, htmlParser, etc.) +# Page size threshold used in heuristic checks (e.g. getHeuristicCharEncoding(), htmlParser, etc.) HEURISTIC_PAGE_SIZE_THRESHOLD = 64 * 1024 # Maximum (multi-threaded) length of entry in bisection algorithm diff --git a/lib/request/basic.py b/lib/request/basic.py index 758f993ca..c18727b22 100644 --- a/lib/request/basic.py +++ b/lib/request/basic.py @@ -43,7 +43,8 @@ from lib.core.settings import BLOCKED_IP_REGEX from lib.core.settings import DEFAULT_COOKIE_DELIMITER from lib.core.settings import EVENTVALIDATION_REGEX from lib.core.settings import HEURISTIC_PAGE_SIZE_THRESHOLD -from lib.core.settings import IDENTYWAF_PARSE_LIMIT +from lib.core.settings import IDENTYWAF_PARSE_COUNT_LIMIT +from lib.core.settings import IDENTYWAF_PARSE_PAGE_LIMIT from lib.core.settings import MAX_CONNECTION_TOTAL_SIZE from lib.core.settings import META_CHARSET_REGEX from lib.core.settings import PARSE_HEADERS_LIMIT @@ -395,8 +396,8 @@ def processResponse(page, responseHeaders, code=None, status=None): if msg: logger.warning("parsed DBMS error message: '%s'" % msg.rstrip('.')) - if not conf.skipWaf and kb.processResponseCounter < IDENTYWAF_PARSE_LIMIT: - rawResponse = "%s %s %s\n%s\n%s" % (_http_client.HTTPConnection._http_vsn_str, code or "", status or "", "".join(getUnicode(responseHeaders.headers if responseHeaders else [])), page[:HEURISTIC_PAGE_SIZE_THRESHOLD]) + if not conf.skipWaf and kb.processResponseCounter < IDENTYWAF_PARSE_COUNT_LIMIT: + rawResponse = "%s %s %s\n%s\n%s" % (_http_client.HTTPConnection._http_vsn_str, code or "", status or "", "".join(getUnicode(responseHeaders.headers if responseHeaders else [])), page[:IDENTYWAF_PARSE_PAGE_LIMIT]) with kb.locks.identYwaf: identYwaf.non_blind.clear()