sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2024-11-26 03:23:48 +03:00
Code Issues Packages Projects Releases Wiki Activity

Patch for an Issue #452

Browse Source
This commit is contained in:
Miroslav Stampar 2013-05-25 18:52:59 +02:00
parent a85a0e53de
commit f3f752d85c
2 changed files with 47 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
lib/core/option.py
View File

@ -258,15 +258,19 @@ def _feedTargetsDict(reqFile, addedTargetUrls):
newline = None newline = None
lines = request.split('\n') lines = request.split('\n')
for line in lines: for index in xrange(len(lines)):
line = lines[index]
if not line.strip() and index == len(lines) - 1:
break
newline = "\r\n" if line.endswith('\r') else '\n' newline = "\r\n" if line.endswith('\r') else '\n'
line = line.strip('\r') line = line.strip('\r')
match = re.search(r"\A(%s) (.+) HTTP/[\d.]+\Z" % "|".join(getPublicTypeMembers(HTTPMETHOD, True)), line) if not method else None match = re.search(r"\A(%s) (.+) HTTP/[\d.]+\Z" % "|".join(getPublicTypeMembers(HTTPMETHOD, True)), line) if not method else None
if len(line) == 0: if len(line) == 0 and method in (HTTPMETHOD.POST, HTTPMETHOD.PUT) and data is None:
if method in (HTTPMETHOD.POST, HTTPMETHOD.PUT) and data is None: data = ""
data = "" params = True
params = True
elif match: elif match:
method = match.group(1) method = match.group(1)

66
lib/core/target.py
View File

@ -103,39 +103,49 @@ def _setRequestParams():
return retVal return retVal
if re.search(JSON_RECOGNITION_REGEX, conf.data): if kb.processUserMarks is None:
message = "JSON like data found in %s data. " % conf.method message = "custom injection marking character ('%s') found in option " % CUSTOM_INJECTION_MARK_CHAR
message += "Do you want to process it? [Y/n/q] " message += "'--data'. Do you want to process it? [Y/n/q] "
test = readInput(message, default="Y") test = readInput(message, default="Y")
if test and test[0] in ("q", "Q"): if test and test[0] in ("q", "Q"):
raise SqlmapUserQuitException raise SqlmapUserQuitException
elif test[0] not in ("n", "N"): else:
conf.data = conf.data.replace(CUSTOM_INJECTION_MARK_CHAR, ASTERISK_MARKER) kb.processUserMarks = not test or test[0] not in ("n", "N")
conf.data = re.sub(r'("(?P<name>[^"]+)"\s*:\s*"[^"]+)"', functools.partial(process, repl=r'\g<1>%s"' % CUSTOM_INJECTION_MARK_CHAR), conf.data)
conf.data = re.sub(r'("(?P<name>[^"]+)"\s*:\s*)(-?\d[\d\.]*\b)', functools.partial(process, repl=r'\g<0>%s' % CUSTOM_INJECTION_MARK_CHAR), conf.data)
kb.postHint = POST_HINT.JSON
elif re.search(SOAP_RECOGNITION_REGEX, conf.data): if not (kb.processUserMarks and CUSTOM_INJECTION_MARK_CHAR in conf.data):
message = "SOAP/XML like data found in %s data. " % conf.method if re.search(JSON_RECOGNITION_REGEX, conf.data):
message += "Do you want to process it? [Y/n/q] " message = "JSON like data found in %s data. " % conf.method
test = readInput(message, default="Y") message += "Do you want to process it? [Y/n/q] "
if test and test[0] in ("q", "Q"): test = readInput(message, default="Y")
raise SqlmapUserQuitException if test and test[0] in ("q", "Q"):
elif test[0] not in ("n", "N"): raise SqlmapUserQuitException
conf.data = conf.data.replace(CUSTOM_INJECTION_MARK_CHAR, ASTERISK_MARKER) elif test[0] not in ("n", "N"):
conf.data = re.sub(r"(<(?P<name>[^>]+)( [^<]*)?>)([^<]+)(</\2)", functools.partial(process, repl=r"\g<1>\g<4>%s\g<5>" % CUSTOM_INJECTION_MARK_CHAR), conf.data) conf.data = conf.data.replace(CUSTOM_INJECTION_MARK_CHAR, ASTERISK_MARKER)
kb.postHint = POST_HINT.SOAP if "soap" in conf.data.lower() else POST_HINT.XML conf.data = re.sub(r'("(?P<name>[^"]+)"\s*:\s*"[^"]+)"', functools.partial(process, repl=r'\g<1>%s"' % CUSTOM_INJECTION_MARK_CHAR), conf.data)
conf.data = re.sub(r'("(?P<name>[^"]+)"\s*:\s*)(-?\d[\d\.]*\b)', functools.partial(process, repl=r'\g<0>%s' % CUSTOM_INJECTION_MARK_CHAR), conf.data)
kb.postHint = POST_HINT.JSON
elif re.search(MULTIPART_RECOGNITION_REGEX, conf.data): elif re.search(SOAP_RECOGNITION_REGEX, conf.data):
message = "Multipart like data found in %s data. " % conf.method message = "SOAP/XML like data found in %s data. " % conf.method
message += "Do you want to process it? [Y/n/q] " message += "Do you want to process it? [Y/n/q] "
test = readInput(message, default="Y") test = readInput(message, default="Y")
if test and test[0] in ("q", "Q"): if test and test[0] in ("q", "Q"):
raise SqlmapUserQuitException raise SqlmapUserQuitException
elif test[0] not in ("n", "N"): elif test[0] not in ("n", "N"):
conf.data = conf.data.replace(CUSTOM_INJECTION_MARK_CHAR, ASTERISK_MARKER) conf.data = conf.data.replace(CUSTOM_INJECTION_MARK_CHAR, ASTERISK_MARKER)
conf.data = re.sub(r"(?si)(Content-Disposition.+?)((\r)?\n--)", r"\g<1>%s\g<2>" % CUSTOM_INJECTION_MARK_CHAR, conf.data) conf.data = re.sub(r"(<(?P<name>[^>]+)( [^<]*)?>)([^<]+)(</\2)", functools.partial(process, repl=r"\g<1>\g<4>%s\g<5>" % CUSTOM_INJECTION_MARK_CHAR), conf.data)
kb.postHint = POST_HINT.MULTIPART kb.postHint = POST_HINT.SOAP if "soap" in conf.data.lower() else POST_HINT.XML
elif re.search(MULTIPART_RECOGNITION_REGEX, conf.data):
message = "Multipart like data found in %s data. " % conf.method
message += "Do you want to process it? [Y/n/q] "
test = readInput(message, default="Y")
if test and test[0] in ("q", "Q"):
raise SqlmapUserQuitException
elif test[0] not in ("n", "N"):
conf.data = conf.data.replace(CUSTOM_INJECTION_MARK_CHAR, ASTERISK_MARKER)
conf.data = re.sub(r"(?si)(Content-Disposition.+?)((\r)?\n--)", r"\g<1>%s\g<2>" % CUSTOM_INJECTION_MARK_CHAR, conf.data)
kb.postHint = POST_HINT.MULTIPART
if not kb.postHint: if not kb.postHint:
if CUSTOM_INJECTION_MARK_CHAR in conf.data: # later processed if CUSTOM_INJECTION_MARK_CHAR in conf.data: # later processed