From fff4c34e33cba41f30a50271e4bb43e74f16ce92 Mon Sep 17 00:00:00 2001
From: Bernardo Damele
Date: Fri, 12 Aug 2011 15:33:37 +0000
Subject: [PATCH] Search for --string and --regexp matches also in HTTP response headers

---
 lib/controller/checks.py | 17 +++++++++--------
 lib/request/comparison.py | 24 ++++++++++++------------
 lib/request/connect.py | 4 ++--
 lib/techniques/union/test.py | 4 ++--
 4 files changed, 25 insertions(+), 24 deletions(-)

diff --git a/lib/controller/checks.py b/lib/controller/checks.py
index bfd5cc6ef..b049afca7 100644
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -804,13 +804,13 @@ def checkString():
     infoMsg += "target URL page content"
     logger.info(infoMsg)
 
-    page, _ = Request.queryPage(content=True)
+    page, headers = Request.queryPage(content=True)
+    rawResponse = "%s%s" % (listToStrValue(headers.headers if headers else ""), page)
 
-    if conf.string not in page:
+    if conf.string not in rawResponse:
         warnMsg = "you provided '%s' as the string to " % conf.string
         warnMsg += "match, but such a string is not within the target "
-        warnMsg += "URL page content original request, sqlmap will "
-        warnMsg += "keep going anyway"
+        warnMsg += "URL raw response, sqlmap will carry on anyway"
         logger.warn(warnMsg)
 
     return True
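Review bot: The context line `infoMsg += "target URL page content"` at the top of the hunk still describes the check as covering only the page body, while the warning a few lines below was reworded to "URL raw response" and the membership test now runs over headers plus body; the info message should say the same, e.g. `infoMsg += "target URL raw response"`. The checkRegexp hunk has the identical mismatch with `infoMsg += "the target URL page content"`. Separately, `"%s%s" % (..., page)` renders a None page as the literal text `None`, so a `--string None` would "match" a response with no body; `page or ""` in the format tuple avoids that, and the comparison() hunk uses the same expression. Because volatile headers (Date, Set-Cookie, Content-Length and the like) are now part of the searched text, a loose --regexp can match every response regardless of the injection, which is worth a comment above the rawResponse line so the user-facing check is understood. checkString begins before this hunk, so its guard for an unset conf.string is not visible here.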
@@ -823,13 +823,14 @@ def checkRegexp():
     infoMsg += "the target URL page content"
     logger.info(infoMsg)
 
-    page, _ = Request.queryPage(content=True)
+    page, headers = Request.queryPage(content=True)
+    rawResponse = "%s%s" % (listToStrValue(headers.headers if headers else ""), page)
 
-    if not re.search(conf.regexp, page, re.I | re.M):
+    if not re.search(conf.regexp, rawResponse, re.I | re.M):
         warnMsg = "you provided '%s' as the regular expression to " % conf.regexp
         warnMsg += "match, but such a regular expression does not have any "
-        warnMsg += "match within the target URL page content, sqlmap "
-        warnMsg += "will keep going anyway"
+        warnMsg += "match within the target URL raw response, sqlmap "
+        warnMsg += "will carry on anyway"
         logger.warn(warnMsg)
 
     return True
diff --git a/lib/request/comparison.py b/lib/request/comparison.py
index ad626cfc3..f31ffbf92 100644
--- a/lib/request/comparison.py
+++ b/lib/request/comparison.py
@@ -11,6 +11,7 @@ import re
 
 from lib.core.common import extractRegexResult
 from lib.core.common import getFilteredPageContent
+from lib.core.common import listToStrValue
 from lib.core.common import removeDynamicContent
 from lib.core.common import wasLastRequestDBMSError
 from lib.core.common import wasLastRequestHTTPError
@@ -27,7 +28,7 @@ from lib.core.settings import LOWER_RATIO_BOUND
 from lib.core.settings import UPPER_RATIO_BOUND
 from lib.core.threads import getCurrentThreadData
 
-def comparison(page, getRatioValue=False, pageLength=None):
+def comparison(page, headers, getRatioValue=False, pageLength=None):
     if page is None and pageLength is None:
         return None
 
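Review bot: `def comparison(page, headers, getRatioValue=False, pageLength=None):` inserts a required positional parameter ahead of two existing ones, so any caller this patch does not touch that still passes `getRatioValue` positionally, as union/test.py did with `comparison(page, True)`, would now bind that value to `headers` and presumably fail later when the body reads `headers.headers` rather than at the call site. Giving the new parameter a default, `def comparison(page, headers=None, getRatioValue=False, pageLength=None):`, keeps any untouched caller working, and the body's `if headers else ""` test already copes with None. The function has no docstring; one stating that `headers` is the response header object whose `.headers` attribute is joined and prepended to `page` before the --string/--regexp match, and that the return value is a bool, a ratio, or None when undecidable, would make the new contract explicit. The body of comparison() continues past this hunk.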
@@ -37,18 +38,17 @@ def comparison(page, getRatioValue=False, pageLength=None):
         seqMatcher.set_seq1(kb.pageTemplate)
 
     if any([conf.string, conf.regexp]):
-        if page:
-            # String to match in page when the query is valid
-            if conf.string:
-                condition = conf.string in page
-                return condition if not getRatioValue else (MAX_RATIO if condition else MIN_RATIO)
+        rawResponse = "%s%s" % (listToStrValue(headers.headers if headers else ""), page)
 
-            # Regular expression to match in page when the query is valid
-            if conf.regexp:
-                condition = re.search(conf.regexp, page, re.I | re.M) is not None
-                return condition if not getRatioValue else (MAX_RATIO if condition else MIN_RATIO)
-        else:
-            return None
+        # String to match in page when the query is valid
+        if conf.string:
+            condition = conf.string in rawResponse
+            return condition if not getRatioValue else (MAX_RATIO if condition else MIN_RATIO)
+
+        # Regular expression to match in page when the query is valid
+        if conf.regexp:
+            condition = re.search(conf.regexp, rawResponse, re.I | re.M) is not None
+            return condition if not getRatioValue else (MAX_RATIO if condition else MIN_RATIO)
 
     if page:
         # In case of an DBMS error page return None
diff --git a/lib/request/connect.py b/lib/request/connect.py
index 6451b6209..49424cf14 100644
--- a/lib/request/connect.py
+++ b/lib/request/connect.py
@@ -643,8 +643,8 @@ class Connect:
         page = removeReflectiveValues(page, payload)
 
         if getRatioValue:
-            return comparison(page, getRatioValue=False, pageLength=pageLength), comparison(page, getRatioValue=True, pageLength=pageLength)
+            return comparison(page, headers, getRatioValue=False, pageLength=pageLength), comparison(page, headers, getRatioValue=True, pageLength=pageLength)
         elif pageLength or page:
-            return comparison(page, getRatioValue, pageLength)
+            return comparison(page, headers, getRatioValue, pageLength)
         else:
             return False
diff --git a/lib/techniques/union/test.py b/lib/techniques/union/test.py
index 87c0ce920..22bbb261d 100644
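Review bot: Dropping the `if page:` / `else: return None` guard around the --string/--regexp checks changes the result when page is None but pageLength is set, a combination the function's first line explicitly lets through: the old code returned None (undecidable), while `"%s%s" % (..., page)` now appends the literal text `None` to the joined headers and the match is decided on that. If the intent is to let the headers alone decide in that mode, use `page or ""` in the format tuple so the missing body never contributes the word `None`; otherwise keep `return None` for the page-is-None case. The header-plus-page expression is now written three times (here, checkString, checkRegexp); a helper in lib.core.common such as `getRawResponse(page, headers)` would keep the three in step and give one place to document that `headers.headers` is expected to be the raw header list. The two comments still say "to match in page" although the match now covers headers too, e.g. `# String to match in the raw response (headers + page) when the query is valid`. The rest of comparison() lies outside the hunk.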
--- a/lib/techniques/union/test.py
+++ b/lib/techniques/union/test.py
@@ -108,8 +108,8 @@ def __findUnionCharCount(comment, place, parameter, value, prefix, suffix, where
     for count in range(lowerCount, upperCount+1):
         query = agent.forgeInbandQuery('', -1, count, comment, prefix, suffix, kb.uChar)
         payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)
-        page, _ = Request.queryPage(payload, place=place, content=True, raise404=False)
-        ratio = comparison(page, True) or MIN_RATIO
+        page, headers = Request.queryPage(payload, place=place, content=True, raise404=False)
+        ratio = comparison(page, headers, True) or MIN_RATIO
         ratios.append(ratio)
         min_, max_ = min(min_, ratio), max(max_, ratio)
         items.append((count, ratio))