Commit Graph

233 Commits

Author SHA1 Message Date
Miroslav Stampar
7314de3490 language update 2011-11-15 11:17:39 +00:00
Miroslav Stampar
eb240243ea minor update 2011-10-21 22:21:41 +00:00
Miroslav Stampar
05b9951a8b minor beautification 2011-10-21 09:19:31 +00:00
Miroslav Stampar
a31a0aa8d4 minor update 2011-10-06 22:29:49 +00:00
Miroslav Stampar
d95ff4350d bug fix 2011-09-20 13:08:35 +00:00
Miroslav Stampar
08e0eb9b61 minor lower/upper case fix 2011-08-29 13:47:32 +00:00
Miroslav Stampar
9be89422da implemented parameter --skip 2011-08-29 13:29:42 +00:00
Miroslav Stampar
ac00014c4a implemented --randomize switch by request 2011-08-29 12:50:52 +00:00
Miroslav Stampar
f7562da754 from now on proper union column count should be displayed in injection info output 2011-08-03 10:34:50 +00:00
Miroslav Stampar
07c3d4fb18 minor adjustment 2011-08-02 17:35:43 +00:00
Miroslav Stampar
0d6afca7db adding new switch '--smart' by request 2011-07-10 15:16:58 +00:00
Bernardo Damele
aedcf8c8d7 Changed homepage address 2011-07-07 20:10:03 +00:00
Miroslav Stampar
93b296e02c few bug fixes (NTLM credential parsing was wrong), some switch reordering (few Misc to General), implemented --check-waf switch (irony is that this will also be called highly experimental/unstable while other things will be called "major/turbo/super bug fix/implementation") 2011-07-06 05:44:47 +00:00
Miroslav Stampar
b8ffcf9495 few fixes here and there and multi-core processing for dictionary based hash attack 2011-07-04 19:58:41 +00:00
Miroslav Stampar
eaa2a4202f changing to: --crawl=CRAWLDEPTH 2011-06-24 05:40:03 +00:00
Miroslav Stampar
29314f425e minor fix 2011-06-20 13:42:31 +00:00
Miroslav Stampar
07e2c72943 adding Beautifulsoup (BSD) into extras; adding --crawl to options 2011-06-20 11:32:30 +00:00
Miroslav Stampar
a0129dcbcb this is confusing for normal users (i've just get a mail where dude thinks that he needs to use tamper script because of this :) 2011-06-17 16:52:39 +00:00
Miroslav Stampar
6b1d5a0ab8 minor fix 2011-06-16 14:11:30 +00:00
Miroslav Stampar
4d51fa8155 minor update planned for a long time (in case of heuristic test was positive warn the user properly at the end if program fails) 2011-06-15 17:37:28 +00:00
Miroslav Stampar
71093b1cad adding one more user friendly message 2011-06-09 09:58:42 +00:00
Bernardo Damele
70cac24909 Cosmetics 2011-06-08 15:31:27 +00:00
Bernardo Damele
cce3208b35 Cleanup 2011-06-08 14:15:34 +00:00
Miroslav Stampar
b7088440c2 better sentence 2011-05-30 22:47:17 +00:00
Miroslav Stampar
a8b58afdb2 minor update 2011-05-27 08:21:02 +00:00
Miroslav Stampar
48f52d7697 minor beautification 2011-05-27 08:16:14 +00:00
Miroslav Stampar
5d56e89cf5 minor update 2011-05-26 21:08:46 +00:00
Miroslav Stampar
06108b6da6 minor update related to the last commit 2011-05-26 20:58:24 +00:00
Miroslav Stampar
4f46a5ab63 minor usability enhancement regarding warning for --text-only switch 2011-05-26 20:48:18 +00:00
Miroslav Stampar
a1fd2898a0 added friendly tip message for url encoding GET and POST payloads 2011-05-25 11:10:52 +00:00
Miroslav Stampar
bec2c04671 helping dummy users 2011-05-24 17:15:25 +00:00
Miroslav Stampar
faa74cd2bc introducing results file for multiple target mode 2011-05-15 22:21:38 +00:00
Miroslav Stampar
120b0d756e unfix 2011-05-10 21:33:06 +00:00
Miroslav Stampar
deae534ee7 minor refactoring 2011-05-10 20:44:36 +00:00
Bernardo Damele
8179fd63c0 Minor fix 2011-05-07 23:48:03 +00:00
Bernardo Damele
1151af52bb More fix for save/resume of --technique 2011-05-07 21:08:14 +00:00
Bernardo Damele
2d8408c885 More fix for --technique resume 2011-05-05 16:38:46 +00:00
Bernardo Damele
955dbc85e7 Minor variable rename 2011-04-30 15:29:59 +00:00
Bernardo Damele
f56d135438 Minor code restyling 2011-04-30 13:20:05 +00:00
Miroslav Stampar
7b3b9e6a87 it seems that this was indeed not meant to be here 2011-04-22 15:07:09 +00:00
Bernardo Damele
eabb5a2ba7 More adjustments to the error message when no sql injections are detected 2011-04-21 22:04:20 +00:00
Bernardo Damele
6d07dddf60 updated doc and minor layout adjustments 2011-04-21 21:53:35 +00:00
Bernardo Damele
770b1523ff More verbose output when no SQL injections are detected 2011-04-21 21:31:16 +00:00
Bernardo Damele
edc2d75702 Cosmetics and major bug fix 2011-04-21 21:15:23 +00:00
Miroslav Stampar
0387654166 update of copyright string (until year) 2011-04-15 12:33:18 +00:00
Miroslav Stampar
21114d1748 added IGNORE_PARAMETERS to skip testing of state/session web server parameters 2011-04-13 19:01:02 +00:00
Miroslav Stampar
2db2e9b6a2 now GET forms are also prone to "do you want to fill with random values" 2011-04-11 11:38:41 +00:00
Bernardo Damele
5b21352656 cosmeticados ;) 2011-04-08 10:39:07 +00:00
Bernardo Damele
05d12790f1 closes #219 - unhidden switch --technique and adapted code accordingly (renamed conf.technique to conf.tech to fit properly in the -h help message) 2011-04-06 14:41:44 +00:00
Miroslav Stampar
bbd4c128b0 minor update related to the last commit 2011-04-01 22:19:42 +00:00
Miroslav Stampar
4d78eac938 revert of that thingy as requested by Bernardo 2011-03-29 10:06:35 +00:00
Miroslav Stampar
e8debbe724 minor cosmetics and one minor fix (|= is a nono with None) 2011-03-29 06:38:19 +00:00
Miroslav Stampar
86f93713d3 fix for a bug reported by m4l1c3 (object of type 'NoneType' has no len()) and minor update 2011-03-29 06:25:17 +00:00
Miroslav Stampar
bf0e3c4662 improvement for --forms with empty fields 2011-03-28 22:48:00 +00:00
Miroslav Stampar
1e22ff45de minor update regarding testing of GET parameters if --data and/or --forms is used 2011-03-28 16:14:08 +00:00
Miroslav Stampar
bd75fd26e9 implementing a --page-rank switch as requested by l0rda@l0rda.biz 2011-03-23 11:57:57 +00:00
Miroslav Stampar
8edc3b3302 further update regarding last commit 2011-03-03 10:39:04 +00:00
Miroslav Stampar
50d25c3b4d update regarding explicit testing of ua and referer when using -p 2011-02-13 21:58:48 +00:00
Bernardo Damele
45a005737d Minor adjustment so that User-Agent and Referer headers are tests only when --level >= 3 and Cookie is tested only when --level >= 2 2011-02-13 21:08:42 +00:00
Miroslav Stampar
b56a77e573 removing obsolete switches (--threshold, --excl-reg, --excl-str) 2011-02-03 15:55:19 +00:00
Bernardo Damele
6761933f75 Just.. cosmetics ;) 2011-01-31 22:51:14 +00:00
Miroslav Stampar
fa58a9c86b update (now URIs like www.site.com/id82 are automatically treated as possible URI injectable) 2011-01-31 20:36:01 +00:00
Miroslav Stampar
496a84c356 minor update 2011-01-20 18:32:04 +00:00
Miroslav Stampar
718eef8753 minor fix 2011-01-16 18:11:35 +00:00
Bernardo Damele
d3a28124b1 More code cleanup 2011-01-15 23:11:36 +00:00
Miroslav Stampar
5bdb50c224 code review part 3 2011-01-15 13:15:10 +00:00
Miroslav Stampar
6a0e0cde3c code review of modules in lib/core directory 2011-01-15 12:13:45 +00:00
Miroslav Stampar
05b2a338fe cosmetics 2011-01-14 16:12:44 +00:00
Bernardo Damele
300128042c First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though.
Major refactoring to Agent.payload() method.
Minor bug fixes, some code refactoring and a lot of core adjustments here and there.
Added more checks for injection in GROUP BY and ORDER BY.
2011-01-11 22:18:47 +00:00
Bernardo Damele
1c86ec374e Code refactoring and cosmetics 2011-01-07 15:41:09 +00:00
Miroslav Stampar
6aa616bd0d minor minor fix 2011-01-03 14:28:20 +00:00
Miroslav Stampar
8625494ff2 added one new quick check for multiple target(s) mode 2011-01-03 08:32:06 +00:00
Miroslav Stampar
5c6c870db4 removed some problematic user agents (google won't work with them) and added page rank next to tested item in multi target mode 2011-01-02 08:43:38 +00:00
Miroslav Stampar
da138c46c1 added support for displaying HTTP error codes (particularly interesting ones are 403 and 406 which screw up data retrieval and DBMS fingerprinting badly) 2011-01-02 07:37:47 +00:00
Miroslav Stampar
8a93cfd975 minor update 2011-01-01 22:43:15 +00:00
Miroslav Stampar
52e44df86c minor update 2011-01-01 21:11:29 +00:00
Miroslav Stampar
15e6911fd8 fix for a bug reported by ragos@joker.ms (AttributeError: 'NoneType' object has no attribute 'write') 2011-01-01 12:23:02 +00:00
Miroslav Stampar
91f665aaaa bug fix for Ctrl+C 2010-12-31 15:00:19 +00:00
Miroslav Stampar
5db8ebbfa9 update of mysql comment versions 2010-12-31 12:42:12 +00:00
Miroslav Stampar
017ea9e686 update 2010-12-23 14:06:22 +00:00
Miroslav Stampar
73f33c1999 bug fix of re-introduced bug (in multiple target mode sites with similar URI weren't skipped) 2010-12-23 11:28:13 +00:00
Bernardo Damele
5228f336da Minor fix for ctrl+c during detection phase 2010-12-22 13:15:44 +00:00
Miroslav Stampar
d974a966b8 minor fix for end phase (Ctrl+C) 2010-12-21 23:55:55 +00:00
Miroslav Stampar
416755c0b7 minor adjustments 2010-12-21 00:25:03 +00:00
Miroslav Stampar
eaf8929085 more minor updates 2010-12-20 10:48:53 +00:00
Miroslav Stampar
e9f1ecb9e7 minor update 2010-12-20 10:32:58 +00:00
Miroslav Stampar
10a7a2dfb2 kids, don't use this at home 2010-12-20 10:13:14 +00:00
Miroslav Stampar
fe67d3827c code refactoring and some fixes 2010-12-18 09:51:34 +00:00
Miroslav Stampar
f8a01ddaf8 minor update 2010-12-15 11:21:47 +00:00
Miroslav Stampar
63f5c35c23 bug fix 2010-12-15 10:02:58 +00:00
Miroslav Stampar
0dc630203f code refactoring 2010-12-07 13:34:06 +00:00
Bernardo Damele
8e78057ac8 Added counter of total HTTP(s) requests done during detection phase 2010-12-07 12:33:47 +00:00
Bernardo Damele
0e6359ab6e Minor layout adjustment 2010-12-03 16:11:35 +00:00
Miroslav Stampar
612ee08a0b added response time kb attribute 2010-12-03 13:19:34 +00:00
Bernardo Damele
089c16a1b8 Added tag <epayload> to the payloads.xml's <test> tag to define which payload to use when exploiting the test type.
Removed some useless tests.
Moved <error> from queries.xml to payloads.xml as it makes more sense.
Beeps at sql inj found only if --beep is provided.
Minor fix in order to be able to pickle advancedDict() objects.
Minor code refactoring.
Removed useless folders.
2010-12-01 17:09:52 +00:00
Bernardo Damele
c8f943f5e4 Now, if the back-end dbms type has been identified by the detection engine, skips the fingerprint phase.
Major code refactoring and commenting to detection engine.
Ask user whether or not to proceed to test remaining parameters after an injection point has been identified.
Restore beep at SQL injection find.
Avoid reuse of same variable in DBMS handler code.
Minor adjustment of payloads XML file.
2010-11-30 22:40:25 +00:00
Miroslav Stampar
fcdebbd55f cosmeticados 2010-11-30 14:48:13 +00:00
Bernardo Damele
8b9706656e Got rid of unreliable 'ORDER BY' technique to detect UNION query SQL injection, consequently switch --union-tech has gone now.
Minor code refactoring too.
2010-11-29 17:18:38 +00:00
Bernardo Damele
e9291932e5 Apply --level also to User-Agent (level >= 4) and Cookie (level >= 3).
GET and POST parameters are always tested.
2010-11-29 16:33:20 +00:00
Bernardo Damele
c76d740a25 just a precaution 2010-11-29 15:21:56 +00:00