diff --git a/lib/controller/checks.py b/lib/controller/checks.py
index fa118f556..29f4ffda3 100644
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -85,6 +85,8 @@ def checkSqlInjection(place, parameter, value):
 # Set the flag for SQL injection test mode
 kb.testMode = True
+ paramType = conf.method if conf.method not in (None, HTTPMETHOD.GET, HTTPMETHOD.POST) else place
+
 tests = getSortedInjectionTests()
 while tests:
@@ -403,7 +405,7 @@ def checkSqlInjection(place, parameter, value):
 # Perform the test's False request
 if not falseResult:
- infoMsg = "%s parameter '%s' seems to be '%s' injectable " % (place, parameter, title)
+ infoMsg = "%s parameter '%s' seems to be '%s' injectable " % (paramType, parameter, title)
 logger.info(infoMsg)
 injectable = True
@@ -414,7 +416,7 @@ def checkSqlInjection(place, parameter, value):
 candidates = filter(None, (_.strip() if _.strip() in (kb.pageTemplate or "") and _.strip() not in falsePage and _.strip() not in threadData.lastComparisonHeaders else None for _ in (trueSet - falseSet)))
 if candidates:
 conf.string = candidates[0]
- infoMsg = "%s parameter '%s' seems to be '%s' injectable (with --string=\"%s\")" % (place, parameter, title, repr(conf.string).lstrip('u').strip("'"))
+ infoMsg = "%s parameter '%s' seems to be '%s' injectable (with --string=\"%s\")" % (paramType, parameter, title, repr(conf.string).lstrip('u').strip("'"))
 logger.info(infoMsg)
 injectable = True
@@ -437,7 +439,7 @@ def checkSqlInjection(place, parameter, value):
 result = output == "1"
 if result:
- infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title)
+ infoMsg = "%s parameter '%s' is '%s' injectable " % (paramType, parameter, title)
 logger.info(infoMsg)
 injectable = True
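Review bot: The new `paramType` discards `place` entirely whenever `conf.method` is a verb other than GET/POST, so with e.g. `--method=PUT` a cookie or header parameter is reported as a "PUT parameter" instead of a Cookie/User-Agent one; the method label is only meaningful for body parameters. Condition it on the place as well, e.g. `paramType = conf.method if place == PLACE.POST and conf.method not in (None, HTTPMETHOD.GET, HTTPMETHOD.POST) else place` (assuming body parameters are filed under PLACE.POST as elsewhere in sqlmap). The same expression is pasted verbatim into the checks.py hunks at -787, -861 and -885 and the controller.py hunk at -428; a single helper returning the display label would keep the five copies from drifting. checkSqlInjection's body continues outside this hunk.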
@@ -459,7 +461,7 @@ def checkSqlInjection(place, parameter, value):
 trueResult = Request.queryPage(reqPayload, place, timeBasedCompare=True, raise404=False)
 if trueResult:
- infoMsg = "%s parameter '%s' seems to be '%s' injectable " % (place, parameter, title)
+ infoMsg = "%s parameter '%s' seems to be '%s' injectable " % (paramType, parameter, title)
 logger.info(infoMsg)
 injectable = True
@@ -495,7 +497,7 @@ def checkSqlInjection(place, parameter, value):
 reqPayload, vector = unionTest(comment, place, parameter, value, prefix, suffix)
 if isinstance(reqPayload, basestring):
- infoMsg = "%s parameter '%s' is '%s' injectable" % (place, parameter, title)
+ infoMsg = "%s parameter '%s' is '%s' injectable" % (paramType, parameter, title)
 logger.info(infoMsg)
 injectable = True
@@ -787,6 +789,8 @@ def heuristicCheckSqlInjection(place, parameter):
 origValue = conf.paramDict[place][parameter]
+ paramType = conf.method if conf.method not in (None, HTTPMETHOD.GET, HTTPMETHOD.POST) else place
+
 prefix = ""
 suffix = ""
@@ -812,8 +816,8 @@ def heuristicCheckSqlInjection(place, parameter):
 parseFilePaths(page)
 result = wasLastResponseDBMSError()
- infoMsg = "heuristic (basic) test shows that %s " % place
- infoMsg += "parameter '%s' might " % parameter
+ infoMsg = "heuristic (basic) test shows that %s parameter " % paramType
+ infoMsg += "'%s' might " % parameter
 def _(page):
 return any(_ in (page or "") for _ in FORMAT_EXCEPTION_STRINGS)
@@ -861,9 +865,11 @@ def heuristicCheckSqlInjection(place, parameter):
 payload = agent.payload(place, parameter, newValue=payload)
 page, _ = Request.queryPage(payload, place, content=True, raise404=False)
+ paramType = conf.method if conf.method not in (None, HTTPMETHOD.GET, HTTPMETHOD.POST) else place
+
 if value in (page or ""):
- infoMsg = "heuristic (XSS) test shows that %s " % place
- infoMsg += "parameter '%s' might " % parameter
+ infoMsg = "heuristic (XSS) test shows that %s parameter " % paramType
+ infoMsg += "'%s' might " % parameter
 infoMsg += "be vulnerable to XSS attacks"
 logger.info(infoMsg)
@@ -885,7 +891,9 @@ def checkDynParam(place, parameter, value):
 dynResult = None
 randInt = randomInt()
- infoMsg = "testing if %s parameter '%s' is dynamic" % (place, parameter)
+ paramType = conf.method if conf.method not in (None, HTTPMETHOD.GET, HTTPMETHOD.POST) else place
+
+ infoMsg = "testing if %s parameter '%s' is dynamic" % (paramType, parameter)
 logger.info(infoMsg)
 try:
@@ -893,7 +901,7 @@ def checkDynParam(place, parameter, value):
 dynResult = Request.queryPage(payload, place, raise404=False)
 if not dynResult:
- infoMsg = "confirming that %s parameter '%s' is dynamic" % (place, parameter)
+ infoMsg = "confirming that %s parameter '%s' is dynamic" % (paramType, parameter)
 logger.info(infoMsg)
 randInt = randomInt()
diff --git a/lib/controller/controller.py b/lib/controller/controller.py
index 0955230fd..a6d89e6ca 100644
--- a/lib/controller/controller.py
+++ b/lib/controller/controller.py
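Review bot: The `paramType` assignment added just before `if value in (page or ""):` recomputes the value that the -787 hunk already assigns near the top of the same heuristicCheckSqlInjection; unless code between the two hunks (outside this view) reassigns `conf.method` or `place`, the second evaluation is dead and should be dropped so there is one source of truth for the label. The function body continues outside the hunk.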
@@ -311,13 +311,13 @@ def start():
 if conf.forms:
 message = "[#%d] form:\n%s %s" % (hostCount, conf.method or HTTPMETHOD.GET, targetUrl)
 else:
- message = "URL %d:\n%s %s%s" % (hostCount, conf.method or HTTPMETHOD.GET, targetUrl, " (PageRank: %s)" % get_pagerank(targetUrl) if conf.googleDork and conf.pageRank else "")
+ message = "URL %d:\n%s %s%s" % (hostCount, HTTPMETHOD.GET, targetUrl, " (PageRank: %s)" % get_pagerank(targetUrl) if conf.googleDork and conf.pageRank else "")
 if conf.cookie:
 message += "\nCookie: %s" % conf.cookie
 if conf.data is not None:
- message += "\nPOST data: %s" % urlencode(conf.data) if conf.data else ""
+ message += "\n%s data: %s" % ((conf.method if conf.method != HTTPMETHOD.GET else conf.method) or HTTPMETHOD.POST, urlencode(conf.data) if conf.data else "")
 if conf.forms:
 if conf.method == HTTPMETHOD.GET and targetUrl.find("?") == -1:
@@ -327,13 +327,13 @@ def start():
 test = readInput(message, default="Y")
 if not test or test[0] in ("y", "Y"):
- if conf.method == HTTPMETHOD.POST:
- message = "Edit POST data [default: %s]%s: " % (urlencode(conf.data) if conf.data else "None", " (Warning: blank fields detected)" if conf.data and extractRegexResult(EMPTY_FORM_FIELDS_REGEX, conf.data) else "")
+ if conf.method != HTTPMETHOD.GET:
+ message = "Edit %s data [default: %s]%s: " % (conf.method, urlencode(conf.data) if conf.data else "None", " (Warning: blank fields detected)" if conf.data and extractRegexResult(EMPTY_FORM_FIELDS_REGEX, conf.data) else "")
 conf.data = readInput(message, default=conf.data)
 conf.data = _randomFillBlankFields(conf.data)
 conf.data = urldecode(conf.data) if conf.data and urlencode(DEFAULT_GET_POST_DELIMITER, None) not in conf.data else conf.data
- elif conf.method == HTTPMETHOD.GET:
+ else:
 if targetUrl.find("?") > -1:
 firstPart = targetUrl[:targetUrl.find("?")]
 secondPart = targetUrl[targetUrl.find("?") + 1:]
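Review bot: In the `conf.data is not None` branch the conditional `(conf.method if conf.method != HTTPMETHOD.GET else conf.method)` yields `conf.method` on both sides, so the label reduces to `conf.method or HTTPMETHOD.POST` and a GET request with `--data` is announced as "GET data:". If the intent was to fall back to POST for GET, the else-branch should be `None`: `(conf.method if conf.method != HTTPMETHOD.GET else None) or HTTPMETHOD.POST`; if "GET data" is acceptable, write `conf.method or HTTPMETHOD.POST` so the dead conditional does not mislead. The identical expression appears twice in the option.py hunk at -1780 (_useWizardInterface). The URL line above now always prints `HTTPMETHOD.GET` where it previously printed `conf.method or HTTPMETHOD.GET`; if that is deliberate because the data line now carries the verb, a one-line comment saying so would stop a later reader from "fixing" it. start() continues outside the hunk.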
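Review bot: The new `if conf.method != HTTPMETHOD.GET:` is also true when `conf.method` is None, and the prompt then interpolates it literally as "Edit None data [default: ...]"; the `conf.method or HTTPMETHOD.GET` fallback a few lines earlier in the -311 hunk suggests None is reachable on this path. Normalise once before branching, `method = conf.method or HTTPMETHOD.GET`, and test `method != HTTPMETHOD.GET` / format with `method`, or keep the old `== HTTPMETHOD.POST` shape widened to the explicit verbs that carry a body. start() continues outside the hunk.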
@@ -428,6 +428,8 @@ def start():
 paramDict = conf.paramDict[place]
+ paramType = conf.method if conf.method not in (None, HTTPMETHOD.GET, HTTPMETHOD.POST) else place
+
 for parameter, value in paramDict.items():
 if not proceed:
 break
@@ -439,7 +441,7 @@ def start():
 if paramKey in kb.testedParams:
 testSqlInj = False
- infoMsg = "skipping previously processed %s parameter '%s'" % (place, parameter)
+ infoMsg = "skipping previously processed %s parameter '%s'" % (paramType, parameter)
 logger.info(infoMsg)
 elif parameter in conf.testParameter:
@@ -448,13 +450,13 @@ def start():
 elif parameter == conf.rParam:
 testSqlInj = False
- infoMsg = "skipping randomizing %s parameter '%s'" % (place, parameter)
+ infoMsg = "skipping randomizing %s parameter '%s'" % (paramType, parameter)
 logger.info(infoMsg)
 elif parameter in conf.skip:
 testSqlInj = False
- infoMsg = "skipping %s parameter '%s'" % (place, parameter)
+ infoMsg = "skipping %s parameter '%s'" % (paramType, parameter)
 logger.info(infoMsg)
 elif parameter == conf.csrfToken:
@@ -467,18 +469,18 @@ def start():
 elif conf.level < 4 and (parameter.upper() in IGNORE_PARAMETERS or parameter.upper().startswith(GOOGLE_ANALYTICS_COOKIE_PREFIX)):
 testSqlInj = False
- infoMsg = "ignoring %s parameter '%s'" % (place, parameter)
+ infoMsg = "ignoring %s parameter '%s'" % (paramType, parameter)
 logger.info(infoMsg)
 elif PAYLOAD.TECHNIQUE.BOOLEAN in conf.tech:
 check = checkDynParam(place, parameter, value)
 if not check:
- warnMsg = "%s parameter '%s' does not appear dynamic" % (place, parameter)
+ warnMsg = "%s parameter '%s' does not appear dynamic" % (paramType, parameter)
 logger.warn(warnMsg)
 else:
- infoMsg = "%s parameter '%s' is dynamic" % (place, parameter)
+ infoMsg = "%s parameter '%s' is dynamic" % (paramType, parameter)
 logger.info(infoMsg)
 kb.testedParams.add(paramKey)
@@ -488,11 +490,11 @@ def start():
 if check != HEURISTIC_TEST.POSITIVE:
 if conf.smart or (kb.ignoreCasted and check == HEURISTIC_TEST.CASTED):
- infoMsg = "skipping %s parameter '%s'" % (place, parameter)
+ infoMsg = "skipping %s parameter '%s'" % (paramType, parameter)
 logger.info(infoMsg)
 continue
- infoMsg = "testing for SQL injection on %s " % place
+ infoMsg = "testing for SQL injection on %s " % paramType
 infoMsg += "parameter '%s'" % parameter
 logger.info(infoMsg)
@@ -515,7 +517,7 @@ def start():
 paramKey = (conf.hostname, conf.path, None, None)
 kb.testedParams.add(paramKey)
 else:
- warnMsg = "%s parameter '%s' is not " % (place, parameter)
+ warnMsg = "%s parameter '%s' is not " % (paramType, parameter)
 warnMsg += "injectable"
 logger.warn(warnMsg)
diff --git a/lib/core/option.py b/lib/core/option.py
index a96b49bf5..d0a3af309 100644
--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -285,7 +285,7 @@ def _feedTargetsDict(reqFile, addedTargetUrls):
 line = line.strip('\r')
 match = re.search(r"\A(%s) (.+) HTTP/[\d.]+\Z" % "|".join(getPublicTypeMembers(HTTPMETHOD, True)), line) if not method else None
- if len(line) == 0 and method in (HTTPMETHOD.POST, HTTPMETHOD.PUT) and data is None:
+ if len(line) == 0 and method and method != HTTPMETHOD.GET and data is None:
 data = ""
 params = True
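Review bot: In the option.py hunk at -285, widening the body-start condition from `(HTTPMETHOD.POST, HTTPMETHOD.PUT)` to every non-GET verb now also fires for methods that carry no body in a captured request file (HEAD, OPTIONS, TRACE), setting `data = ""` and `params = True` on the blank line that ends their headers; whether that later turns such entries into targets with an empty body depends on code outside the hunk. If the intent is "any method that may carry a body", say so explicitly, e.g. `method not in (None, HTTPMETHOD.GET, HTTPMETHOD.HEAD)` (if the enum defines HEAD) or a small `_METHODS_WITH_BODY` tuple kept next to the HTTPMETHOD members the regex above is built from. _feedTargetsDict continues outside the hunk.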
@@ -1780,11 +1780,11 @@ def _useWizardInterface():
 message = "Please enter full target URL (-u): "
 conf.url = readInput(message, default=None)
- message = "POST data (--data) [Enter for None]: "
+ message = "%s data (--data) [Enter for None]: " % ((conf.method if conf.method != HTTPMETHOD.GET else conf.method) or HTTPMETHOD.POST)
 conf.data = readInput(message, default=None)
 if not (filter(lambda _: '=' in unicode(_), (conf.url, conf.data)) or '*' in conf.url):
- warnMsg = "no GET and/or POST parameter(s) found for testing "
+ warnMsg = "no GET and/or %s parameter(s) found for testing " % ((conf.method if conf.method != HTTPMETHOD.GET else conf.method) or HTTPMETHOD.POST)
 warnMsg += "(e.g. GET parameter 'id' in 'http://www.site.com/vuln.php?id=1'). "
 if not conf.crawlDepth and not conf.forms:
 warnMsg += "Will search for forms"