some fixes :)

lib/controller/checks.py

@@ -63,6 +63,8 @@ def checkSqlInjection(place, parameter, value, parenthesis):
             postfix = conf.postfix
 
     for case in kb.injections.root.case:
+        conf.matchRatio = None
+
         positive = case.test.positive
         negative = case.test.negative
 
@@ -73,12 +75,22 @@ def checkSqlInjection(place, parameter, value, parenthesis):
         infoMsg += "on %s parameter '%s'" % (place, parameter)
         logger.info(infoMsg)
 
+        payload = agent.payload(place, parameter, value, negative.format % eval(negative.params))
+        _ = Request.queryPage(payload, place)
+
         payload = agent.payload(place, parameter, value, positive.format % eval(positive.params))
         trueResult = Request.queryPage(payload, place)
 
         if trueResult is True:
+            infoMsg  = "confirming %s (%s) injection " % (case.desc, logic)
+            infoMsg += "on %s parameter '%s'" % (place, parameter)
+            logger.info(infoMsg)
+
             payload = agent.payload(place, parameter, value, negative.format % eval(negative.params))
 
+            randInt = randomInt()
+            randStr = randomStr()
+
             falseResult = Request.queryPage(payload, place)
 
             if falseResult is False:

lib/controller/controller.py

@@ -254,8 +254,6 @@ def start():
                         if testSqlInj:
                             heuristicCheckSqlInjection(place, parameter, value)
 
-                            conf.matchRatio = None
-
                             for parenthesis in range(0, 4):
                                 logMsg  = "testing sql injection on %s " % place
                                 logMsg += "parameter '%s' with " % parameter

lib/core/settings.py

@@ -21,6 +21,9 @@ VERSION_STRING     = "sqlmap/%s" % VERSION
 DESCRIPTION        = "automatic SQL injection and database takeover tool"
 SITE               = "http://sqlmap.sourceforge.net"
 
+# minimum distance of ratio from conf.matchRatio to result in True
+ETA                = 0.05
+
 # sqlmap logger
 logging.addLevelName(9, "PAYLOAD")
 logging.addLevelName(8, "TRAFFIC OUT")

lib/request/comparison.py

@@ -15,6 +15,7 @@ from lib.core.common import wasLastRequestError
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
+from lib.core.settings import ETA
 
 def comparison(page, headers=None, getSeqMatcher=False, pageLength=None):
     if page is None and pageLength is None:
@@ -97,7 +98,7 @@ def comparison(page, headers=None, getSeqMatcher=False, pageLength=None):
             conf.matchRatio = conf.thold
 
         elif kb.pageStable and ratio > 0.6 and ratio < 1:
-            conf.matchRatio = min(ratio, 0.950)
+            conf.matchRatio = ratio
             logger.debug("setting match ratio for current parameter to %.3f" % conf.matchRatio)
 
         elif not kb.pageStable or ( kb.pageStable and ratio < 0.6 ):
@@ -115,4 +116,4 @@ def comparison(page, headers=None, getSeqMatcher=False, pageLength=None):
     # If the url is not stable it returns sequence matcher between the
     # first untouched HTTP response page content and this content
     else:
-        return ratio > conf.matchRatio
+        return (ratio - conf.matchRatio) > ETA