| Author | Commit | Message | Date |
| --- | --- | --- | --- |
| Miroslav Stampar | cab86871fe | fix for a bug reported by mhackmail@gmail.com (local variable 'code' referenced before assignment) | 2011-01-25 11:02:41 +00:00 |
| Miroslav Stampar | 5692506131 | this was bad thing to have | 2011-01-25 01:08:38 +00:00 |
| Miroslav Stampar | 5aa958a146 | ASCII & CHR is quite common, so removing this one | 2011-01-24 22:51:15 +00:00 |
| Miroslav Stampar | a1619f84b6 | changing level of last payload | 2011-01-24 22:31:26 +00:00 |
| Miroslav Stampar | 8155f95b82 | new payload - PostgreSQL boolean-based blind - Parameter replace (based on CHR(0) - "SQL error: ERROR: null character not permitted") | 2011-01-24 22:28:54 +00:00 |
| Miroslav Stampar | 9f76468005 | another premiere, yeeej. IDSes, watch yourself :) | 2011-01-24 21:30:46 +00:00 |
| Miroslav Stampar | 2fb0c946d2 | minor update | 2011-01-24 21:21:47 +00:00 |
| Miroslav Stampar | 15645f50d4 | world premiere :) | 2011-01-24 21:21:11 +00:00 |
| Miroslav Stampar | 50969d238b | minor update | 2011-01-24 17:51:56 +00:00 |
| Miroslav Stampar | 440264341c | minor update | 2011-01-24 17:43:25 +00:00 |
| Miroslav Stampar | 0eea5665b2 | minor update | 2011-01-24 17:41:36 +00:00 |
| Bernardo Damele | b0dc6c24eb | Moved | 2011-01-24 17:04:49 +00:00 |
| Miroslav Stampar | 6cc69f5e16 | now --technique is appliable also after the injections have been identified | 2011-01-24 16:47:24 +00:00 |
| Miroslav Stampar | c188996627 | patch for possible query optimization (avoid precalculation of 1/0) | 2011-01-24 16:21:27 +00:00 |
| Miroslav Stampar | 81011be0d7 | minor update of parseTargetUrl method | 2011-01-24 14:52:50 +00:00 |
| Bernardo Damele | ceca64193b | Updated | 2011-01-24 14:46:41 +00:00 |
| Miroslav Stampar | 4093599f38 | added parseTargetUrl to redirect choice | 2011-01-24 14:45:35 +00:00 |
| Bernardo Damele | e1db2700f0 | Minor bug fix to properly deal --prefix and --suffix and parameter replace payloads | 2011-01-24 12:25:45 +00:00 |
| Miroslav Stampar | 8d0c2efbe2 | unescaping of char marked payloads | 2011-01-24 12:00:16 +00:00 |
| Miroslav Stampar | 4441e11f68 | fix for case -r with no params and cookie available | 2011-01-24 11:26:51 +00:00 |
| Bernardo Damele | 47fa600c04 | Minor fix and cosmetics | 2011-01-24 11:12:33 +00:00 |
| Miroslav Stampar | a3e3387113 | fix for proper Firebird resume of version | 2011-01-24 11:04:32 +00:00 |
| Miroslav Stampar | eb33612736 | fix | 2011-01-24 10:20:17 +00:00 |
| Miroslav Stampar | c1145c244e | fix for user-agent injections | 2011-01-23 23:23:30 +00:00 |
| Miroslav Stampar | 818c9787b2 | minor update | 2011-01-23 21:20:16 +00:00 |
| Miroslav Stampar | b18397fbc7 | major revisit of --os-shell methods | 2011-01-23 20:47:06 +00:00 |
| Miroslav Stampar | ff7707579f | minor improvement | 2011-01-23 11:35:24 +00:00 |
| Miroslav Stampar | f5ff78d40c | revert | 2011-01-23 11:21:27 +00:00 |
| Miroslav Stampar | db76bcb327 | fix for cases when mixing ingres dbms with spanish word "ingresa" | 2011-01-23 11:19:10 +00:00 |
| Miroslav Stampar | 97f66a87c5 | minor improvement over last version - case insensitive and takes in count cases like " UNION ALL selects " from MySQL error message | 2011-01-23 10:51:57 +00:00 |
| Miroslav Stampar | 3a5f0760f6 | minor optimization (only way to prematurely stop SAX parser) | 2011-01-23 10:12:01 +00:00 |
| Miroslav Stampar | 30cd877c4a | fix for URI based injections | 2011-01-22 16:23:33 +00:00 |
| Miroslav Stampar | 7bf05bf2cb | minor update | 2011-01-22 00:12:03 +00:00 |
| Miroslav Stampar | d6d8d54eda | implemented Johannes Dahse / Reiners' technique | 2011-01-22 00:06:27 +00:00 |
| Miroslav Stampar | 0743202879 | minor update | 2011-01-21 23:54:25 +00:00 |
| Miroslav Stampar | cb0e7080c5 | more appropriate name (on http://websec.wordpress.com/ they use term "conditional" for something very similar, although not stacked) | 2011-01-21 23:47:45 +00:00 |
| Miroslav Stampar | 7c4c79477d | world premiere of "forced-error blind stacked" payloads (spent 3 hours on pgsql) | 2011-01-21 18:32:10 +00:00 |
| Miroslav Stampar | 79e4b1efd5 | added new signature for SQLite error messages | 2011-01-20 22:47:03 +00:00 |
| Bernardo Damele | 03a880c6f1 | Got rid of progression log message as it overlaps with WARNINGS (like "Got 500") and with --parse-errors | 2011-01-20 22:02:20 +00:00 |
| Bernardo Damele | 0f2634c4b0 | Minor bug fix to properly cast to string also the COUNT() query in error-based technique (as it's concatenated to random strings for identification in page response) and int-string concatenation is not supported in all DBMS (like Oracle) | 2011-01-20 22:01:21 +00:00 |
| Miroslav Stampar | bd2e036412 | minor fix | 2011-01-20 22:00:16 +00:00 |
| Bernardo Damele | 97573693be | Minor bug fix to properly handle in -d data retrieval statement not starting with SELECT | 2011-01-20 21:59:47 +00:00 |
| Bernardo Damele | f1b402b103 | Proper handling of CASE in Oracle, finally | 2011-01-20 21:58:50 +00:00 |
| Bernardo Damele | 4128b2c87f | Enforce that when --prefix is provided, --suffix is too and viceversa. | 2011-01-20 21:57:54 +00:00 |
| Bernardo Damele | 1d06c64149 | Indentation fix | 2011-01-20 21:56:38 +00:00 |
| Bernardo Damele | 7d1c704575 | Moved little precaution from checks.py to common.py. Initial refactoring of kb.os* get/set. | 2011-01-20 21:56:10 +00:00 |
| Bernardo Damele | 9770db597e | Centralization of unescape() | 2011-01-20 21:55:13 +00:00 |
| Bernardo Damele | e734efcda7 | Removed deprecated code | 2011-01-20 21:50:58 +00:00 |
| Bernardo Damele | aa8a20d241 | Minor bug fix for a traceback | 2011-01-20 21:50:21 +00:00 |
| Bernardo Damele | 1d5050d577 | Aligned comment | 2011-01-20 21:49:34 +00:00 |