Commit Graph

853 Commits

Author SHA1 Message Date
Miroslav Stampar
4f2c999146 fix for a bug reported by mail@8dh.de (UnicodeDecodeError: requestMsg += "\n%s" % requestHeaders) 2011-05-26 13:47:20 +00:00
Miroslav Stampar
f774d8fea0 proper Tor settings (reverted r3915 and implemented it the right way) 2011-05-24 11:06:58 +00:00
Miroslav Stampar
915c206e3d minor fix for socks proxy issues 2011-05-24 09:47:10 +00:00
Miroslav Stampar
ad25bcc2be better way for dealing with relative paths 2011-05-24 05:26:51 +00:00
Miroslav Stampar
a536bf210f improved redirection mechanism 2011-05-23 23:20:03 +00:00
Miroslav Stampar
40971aca94 fixing nasty bug caused by retrying counter 2011-05-22 10:59:56 +00:00
Miroslav Stampar
712e238f33 another minor fix 2011-05-22 10:29:25 +00:00
Miroslav Stampar
2795aeff34 minor fix 2011-05-22 10:27:45 +00:00
Miroslav Stampar
806e898694 no more CRITICAL drop outs in test mode - lots of reports were related to this 2011-05-22 10:21:49 +00:00
Miroslav Stampar
9b2623514a one bug fix for Host header (value should be without port number); one improvement for --tables - when no tables ask user if he wants to brute force them; one tweak - adding kb.ignoreTimeout for --tables 2011-05-22 09:48:46 +00:00
Miroslav Stampar
2ea613b170 type correction and adding global flag kb.ignoreTimeout which could be useful 2011-05-22 08:24:13 +00:00
Miroslav Stampar
27f0e73cc9 refactoring of 'target' flag in connect.py 2011-05-22 07:46:09 +00:00
Miroslav Stampar
25fff8c135 changes in handling --tor (using SOCKS instead of HTTP for handling Tor - more standard way; doesn't require proxy bundle; fixes problems with default proxy ports on Win/Linux) 2011-05-21 11:46:57 +00:00
Miroslav Stampar
053c245114 few minor fixes 2011-05-13 09:56:12 +00:00
Miroslav Stampar
a7d7be5ce0 bug fix ('Host' header was being set to the conf.hostname for all getPages causing problems in some cases when retrieved page was not coming from that same Host) 2011-05-13 01:01:53 +00:00
Miroslav Stampar
0b2da2f9f5 minor beautification for --tor switch 2011-05-12 05:46:17 +00:00
Miroslav Stampar
1dea609019 fix for a bug reported by David (UnicodeDecodeError: url = url + '?' + query) 2011-05-10 12:51:37 +00:00
Miroslav Stampar
a64407d9db minor bug fix for multithreading and lots of connection retries 2011-05-10 12:40:01 +00:00
Miroslav Stampar
22a1870c2c adding some constraining to number of used threads on brute force switches together with a warning in case of connection exception(s) with --threads>1 2011-05-10 12:32:07 +00:00
Miroslav Stampar
b324b99f6e minor update of warning message 2011-05-04 10:41:08 +00:00
Miroslav Stampar
1e6c2fea74 update regarding warning for --random-agent during connection timeout in connection test phase 2011-05-03 10:05:42 +00:00
Bernardo Damele
f56d135438 Minor code restyling 2011-04-30 13:20:05 +00:00
Miroslav Stampar
b299912de4 fix for a bug reported by ahmed@isecur1ty.org (UnicodeDecodeError: 'ascii' codec can't decode byte 0x84 in position 396: ordinal not in range(128)) for multipartpost 2011-04-29 16:56:02 +00:00
Miroslav Stampar
6bb4dce3aa minor refactoring 2011-04-29 15:22:32 +00:00
Bernardo Damele
11ecd16099 cosmetics 2011-04-21 10:08:38 +00:00
Miroslav Stampar
fc90974940 revert of last commit because of the situation in detection phase where payload is made at the starting point (can't change conf.timeSec in that phase) 2011-04-19 14:50:09 +00:00
Miroslav Stampar
7abbd0c029 removing a leftover 2011-04-19 14:29:51 +00:00
Miroslav Stampar
96b5fede5a automatic increasing of time delay on lagging connections 2011-04-19 14:28:51 +00:00
Miroslav Stampar
7a06af9a92 added "lagging" critical message 2011-04-19 10:37:20 +00:00
Miroslav Stampar
6463cad8c5 minor update for SOAP payloads 2011-04-18 14:29:52 +00:00
Miroslav Stampar
a7366bf710 SOAP refactoring 2011-04-17 21:39:00 +00:00
Miroslav Stampar
0387654166 update of copyright string (until year) 2011-04-15 12:33:18 +00:00
Miroslav Stampar
83feb097ef greater flexibility for --batch when default is None 2011-04-08 22:29:50 +00:00
Miroslav Stampar
e957c4400c minor revisit of tampering script(s) functionality (urlencode one is removed as it's currently obsolete regarding the whole process of automatic urlencoding) 2011-04-04 08:04:47 +00:00
Miroslav Stampar
305115a68b important improvement of data handling (POST data and header values) 2011-04-03 15:02:52 +00:00
Miroslav Stampar
dd01d66f13 proper update regarding last commit 2011-03-29 22:10:08 +00:00
Miroslav Stampar
850328df6c minor cosmetics 2011-03-29 22:03:48 +00:00
Miroslav Stampar
9f707febf5 minor update 2011-03-29 15:43:17 +00:00
Miroslav Stampar
d28ca5809b adding support for meta HTML header 'refresh' - popular one amongst login pages (stumbled when tested blind injections on Mutillidae login page) 2011-03-29 14:16:28 +00:00
Miroslav Stampar
ae53ad4c30 making an update for special case of timed out response 2011-03-28 21:05:04 +00:00
Miroslav Stampar
b53c9a2599 minor fix and some refactoring 2011-03-18 00:24:02 +00:00
Bernardo Damele
9526f0c4c2 Minor layout adjustments 2011-03-17 12:35:40 +00:00
Miroslav Stampar
e64f225e65 minor refactoring 2011-03-11 20:16:34 +00:00
Miroslav Stampar
2fd3f0d7b2 minor update (added comment) 2011-03-11 20:07:52 +00:00
Miroslav Stampar
5eae525010 this was bothering me for some time (POST and/or GET payloads needs to be urlencoded throughly) 2011-03-11 19:57:44 +00:00
Miroslav Stampar
5c97f9a496 improvement of url encoding technique (implemented failsafe routine for shortening too long GET queries) 2011-03-09 09:36:56 +00:00
Miroslav Stampar
9856cb71de redo of the last commit with comments added 2011-02-28 18:58:05 +00:00
Miroslav Stampar
ade31b2cb0 removal of obsolete item 2011-02-28 18:49:25 +00:00
Miroslav Stampar
21041f8b90 further reflective value handling improvement 2011-02-27 17:43:41 +00:00
Miroslav Stampar
63b8156c00 some update (if header key is non-unicode comformant) 2011-02-25 09:43:04 +00:00
Miroslav Stampar
aa88361ab1 incorporation of method for neutralization of reflective values 2011-02-25 09:22:44 +00:00
Miroslav Stampar
3f8eadf4fe minor refactoring 2011-02-22 13:00:58 +00:00
Miroslav Stampar
dcad5410fe minor refactoring 2011-02-22 12:54:22 +00:00
Miroslav Stampar
17c39fe231 fix for that non-HTML stuff 2011-02-22 11:32:55 +00:00
Bernardo Damele
60b05ff49f Reflect new switch name 2011-02-19 21:05:15 +00:00
Miroslav Stampar
535eb9f3eb implementation of referer feature 2011-02-11 23:07:03 +00:00
Bernardo Damele
156d8cd99b Directory restyling 2011-02-08 00:15:02 +00:00
Miroslav Stampar
e4933f0c92 refactoring 2011-02-03 23:25:56 +00:00
Miroslav Stampar
402c1b622e removing urlencode from UA 2011-02-02 15:18:06 +00:00
Bernardo Damele
6761933f75 Just.. cosmetics ;) 2011-01-31 22:51:14 +00:00
Miroslav Stampar
35b6d7278a minor update 2011-01-31 22:50:54 +00:00
Miroslav Stampar
60a2364f2b now union technique parses headers too 2011-01-31 12:41:39 +00:00
Miroslav Stampar
fc9c626f9e minor refactoring (removed URL_ENCODE_PAYLOAD) 2011-01-30 17:03:06 +00:00
Miroslav Stampar
8e74c571bc centralization of urlencoding should be (only) in connect.py and we are from now on handling non-urlencoded data at other levels 2011-01-27 19:44:24 +00:00
Miroslav Stampar
81722b6881 major bug fix reported by Ahmed Shawky (there was a possibility of double url encoding of parameter values) 2011-01-27 18:36:28 +00:00
Miroslav Stampar
03413bd5e0 minor refactoring before a huge bug fix reported by Ahmed Shawky (we are falsely urlencoding ORIGINAL part of the injection payload) 2011-01-27 16:55:58 +00:00
Miroslav Stampar
430fd5cd63 minor fixes 2011-01-25 16:05:06 +00:00
Miroslav Stampar
cab86871fe fix for a bug reported by mhackmail@gmail.com (local variable 'code' referenced before assignment) 2011-01-25 11:02:41 +00:00
Miroslav Stampar
4093599f38 added parseTargetUrl to redirect choice 2011-01-24 14:45:35 +00:00
Miroslav Stampar
1fa8f0cba7 code reviewing part 2 2011-01-15 12:53:40 +00:00
Miroslav Stampar
fb9d7cdfaa refactoring, code clearing and removal of obsolete switch --longest-common 2011-01-14 14:37:03 +00:00
Bernardo Damele
06230e4d92 Minor code refactoring and cosmetics 2011-01-11 21:46:21 +00:00
Bernardo Damele
1c86ec374e Code refactoring and cosmetics 2011-01-07 15:41:09 +00:00
Miroslav Stampar
709a7d156b fix for a bug reported by shaohua pan (UnicodeDecodeError: 'ascii' codec can't decode...) 2011-01-04 12:51:51 +00:00
Miroslav Stampar
d288c6d6e3 minor update 2011-01-04 08:40:41 +00:00
Miroslav Stampar
08ccbf2c1e important fix for a bug reported by x <deep_freeze@mail.ru> (along with normal fixes, getUnicode now uses kb.pageEncoding) 2011-01-03 22:02:58 +00:00
Miroslav Stampar
07129371bf bug fix for time based injections with keepalive (keepalive module has timeout argument which screwed tbMsg); also, bug fix for cases when remote hosts forcefully disconnects the user on some tests (instead of retrying and critically going out, continue with further tests) 2011-01-03 13:04:20 +00:00
Miroslav Stampar
da138c46c1 added support for displaying HTTP error codes (particularly interesting ones are 403 and 406 which screw up data retrieval and DBMS fingerprinting badly) 2011-01-02 07:37:47 +00:00
Miroslav Stampar
ef27fd5ea1 there is a huge problem with urllib2 connections that sockets are left opened causing problems with lots of disposable connections used (like in --threads) (http://mail.python.org/pipermail/python-bugs-list/2007-January/036873.html, http://mail.python.org/pipermail/python-bugs-list/2007-January/036873.html) 2011-01-01 15:20:29 +00:00
Miroslav Stampar
93838fb155 "patch" for a problem reported by black zero (v = self._sslobj.write(data)...UnicodeError) 2010-12-28 14:40:34 +00:00
Miroslav Stampar
f2373121d0 noticed little DoS behavior and lots of connections in netstat (best way to deal with zombie connections is to explicitly close them if not needed any more) 2010-12-26 14:36:51 +00:00
Miroslav Stampar
569e060aab important improvement 2010-12-26 13:20:52 +00:00
Miroslav Stampar
b472b96f92 bug fix, refactoring and improved extractErrorMessage capabilities 2010-12-25 10:16:20 +00:00
Miroslav Stampar
2c23a59ba5 fix for one of those more complex bugs (comparison was returning None while original page and/or page template were already had already DBMS error inside) 2010-12-24 12:13:48 +00:00
Miroslav Stampar
a09716a701 minor update 2010-12-24 10:07:56 +00:00
Miroslav Stampar
cb17e61f35 bug fix (UnicodeDecodeError: 'ascii' codec can't decode byte 0xa9 in position 959) 2010-12-24 02:54:26 +00:00
Miroslav Stampar
017ea9e686 update 2010-12-23 14:06:22 +00:00
Miroslav Stampar
8fc60215ed lol. this was a pesky bug. heuristic wasn't working on one mssql test site and i couldn't find why. at end the problem was that when the HTTP code was raised (like 500) no parseResponse was called. 2010-12-22 19:12:46 +00:00
Bernardo Damele
250608660d Minor bug fix to always show HTTP request and response when verbose is set accordingly to 4, 5 or 6 regardless of the HTTP response code (error or not) 2010-12-22 13:41:36 +00:00
Miroslav Stampar
385e208f38 code refactoring regarding standard output suppression and some threading issues 2010-12-21 14:21:24 +00:00
Miroslav Stampar
6b37ddada4 removed some blank trailing spaces (with extra/shutils/blanks.sh) 2010-12-21 10:31:56 +00:00
Miroslav Stampar
d554460aec minor fix 2010-12-21 01:09:39 +00:00
Miroslav Stampar
416755c0b7 minor adjustments 2010-12-21 00:25:03 +00:00
Miroslav Stampar
29001a4fce minor update 2010-12-20 23:21:01 +00:00
Miroslav Stampar
8fd3e7ba1f thread based data added 2010-12-20 22:45:01 +00:00
Miroslav Stampar
c948bced61 should solve the problem with timeout problems in time-based payloads 2010-12-20 16:45:41 +00:00
Miroslav Stampar
eaf8929085 more minor updates 2010-12-20 10:48:53 +00:00
Miroslav Stampar
108a96c6b4 some fixes 2010-12-17 21:45:20 +00:00
Miroslav Stampar
f7344a5fc3 update 2010-12-11 21:28:11 +00:00
Miroslav Stampar
435f48b8cc polite cosmetics 2010-12-10 15:28:56 +00:00
Bernardo Damele
9230877d98 cosmetics 2010-12-09 13:57:38 +00:00
Miroslav Stampar
196131bbca minor cosmetics 2010-12-09 10:42:00 +00:00
Miroslav Stampar
3fd1c37d53 update 2010-12-09 07:49:18 +00:00
Miroslav Stampar
40fadf2f35 minor update 2010-12-08 14:33:10 +00:00
Miroslav Stampar
01cf1394a4 code refactoring 2010-12-08 14:26:40 +00:00
Miroslav Stampar
47bb31fb47 code refactoring 2010-12-08 11:30:25 +00:00
Miroslav Stampar
1ae2fa7f1a update regarding time based payloads 2010-12-08 11:26:54 +00:00
Miroslav Stampar
a4a63f5b1e minor update 2010-12-07 23:49:00 +00:00
Miroslav Stampar
293ce18fed two major bug fixes regarding time calculation (previously comparison was also a part of "delta", which screwed results in cases with large pages; other was a standard distribution based one) 2010-12-07 23:32:33 +00:00
Miroslav Stampar
dc651d59ec little mathematics here and there (used "Rules for normally distributed data") 2010-12-07 19:19:12 +00:00
Miroslav Stampar
294119d2ec more advanced time technique(s) 2010-12-07 16:04:53 +00:00
Miroslav Stampar
0dc630203f code refactoring 2010-12-07 13:34:06 +00:00
Miroslav Stampar
9e5f933ace some updates 2010-12-04 15:47:02 +00:00
Bernardo Damele
5d37df6104 Ugly code to set the cookies when got them from a 302 redirect too 2010-12-03 17:41:10 +00:00
Miroslav Stampar
e735f2960a minor update 2010-11-29 15:25:45 +00:00
Bernardo Damele
7e3b24afe6 Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own.
All (hopefully) functionalities should still be working.
Added two switches, --level and --risk to specify which injection tests and boundaries to use.
The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 18:10:54 +00:00
Bernardo Damele
253eafb643 paranoid cosmetics 2010-11-24 12:03:01 +00:00
Miroslav Stampar
3d25071d06 another minor improvement regarding logging of http traffic 2010-11-17 12:16:48 +00:00
Miroslav Stampar
3e569a1693 minor update 2010-11-17 12:04:33 +00:00
Miroslav Stampar
3487429eac minor cosmetics 2010-11-16 14:41:46 +00:00
Miroslav Stampar
3640dbf745 fix for --parse-errors (on IIS HTTP error is raised which need to be processed) 2010-11-16 14:33:30 +00:00
Miroslav Stampar
6232397129 minor update 2010-11-16 10:52:49 +00:00
Miroslav Stampar
6ef3846400 update regarding error parsing (and reporting) 2010-11-16 10:42:42 +00:00
Bernardo Damele
71cb982039 Another bug fix to --union-test 2010-11-15 21:42:56 +00:00
Miroslav Stampar
06a872fc99 update/fix for an issue reported by nightman (IncompleteRead: IncompleteRead(1284 bytes read)) 2010-11-12 22:57:33 +00:00
Miroslav Stampar
697b32554c fix for a bug "ordinal not in range(128)" reported by bugtrace 2010-11-12 11:48:25 +00:00
Bernardo Damele
a14e4d9668 Referer does not have to be static, it's already a switch (--referer) so that user can specify it manually. 2010-11-12 10:16:39 +00:00
Miroslav Stampar
fda8752dca revert of some HTTP headers handling 2010-11-08 13:26:45 +00:00
Bernardo Damele
78d7b17483 More replacements for refactoring.
Minor layout adjustments.
Alignment of conffile/optiondict/cmdline parameters.
2010-11-08 12:36:48 +00:00
Miroslav Stampar
875781bf97 another minor fix 2010-11-08 11:55:56 +00:00
Miroslav Stampar
4a4a3051e5 fix 2010-11-08 11:39:07 +00:00
Miroslav Stampar
a3de10e3a2 new option -t 2010-11-08 11:22:47 +00:00
Miroslav Stampar
0d0e2a2228 minor update 2010-11-08 09:49:57 +00:00
Miroslav Stampar
d551423379 further enum refactoring 2010-11-08 09:44:32 +00:00
Miroslav Stampar
862395ced1 further refactoring (all enumerations are now put into enums.py) 2010-11-08 09:20:02 +00:00
Miroslav Stampar
8e44aa605a refactoring regarding injection place (more left) 2010-11-08 08:02:36 +00:00
Bernardo Damele
b6da946883 Added one new verbose level, -v 3 now shows the full injected payload.
Fixed also -d verbose output.
2010-11-07 22:34:29 +00:00
Bernardo Damele
a96467b3e2 Refactoring 2010-11-07 21:55:24 +00:00
Miroslav Stampar
d3e7e89e60 major improvement with display of payloads (all payloads are displayed now) and removal of "pesky" spaces 2010-11-07 21:18:09 +00:00
Miroslav Stampar
508b9cc763 dynamicity engine update 2010-11-07 00:12:00 +00:00
Miroslav Stampar
ef1809464d bug fix for that BadStatusLine (http://bugs.python.org/issue8450) 2010-11-05 11:58:20 +00:00
Miroslav Stampar
6295a59a30 minor update/fix 2010-11-05 11:39:35 +00:00
Miroslav Stampar
5f7f4bf15b minor debug update (probably temporary) 2010-11-05 11:04:00 +00:00
Bernardo Damele
b152b1a04d Cosmetics 2010-11-03 22:07:13 +00:00
Miroslav Stampar
71d0b1bcd7 several bug fixes 2010-11-03 21:51:36 +00:00
Bernardo Damele
3eda4510e2 Properly encode the cookie 2010-10-31 11:26:33 +00:00
Bernardo Damele
3a48bee9b0 Minor code refactoring 2010-10-31 11:03:59 +00:00
Bernardo Damele
8cf0ebde1e Cosmetics 2010-10-29 23:00:48 +00:00
Miroslav Stampar
cbf38436f2 minor update 2010-10-29 16:15:23 +00:00
Miroslav Stampar
5a38ac7ea9 important update regarding (Bug #209) - probably more will be needed 2010-10-29 16:11:50 +00:00
Miroslav Stampar
895efd28a6 one more update regarding Bug #205 2010-10-28 23:22:13 +00:00
Miroslav Stampar
788eb8fb50 update regarding Bug #205 2010-10-28 22:59:51 +00:00
Miroslav Stampar
228ac0cde5 refactoring regarding --check-payload 2010-10-25 18:38:54 +00:00
Miroslav Stampar
378653a1ec added IDS payload testing 2010-10-25 15:37:43 +00:00
Miroslav Stampar
2668c95ef4 added default HTTP version used by httplib and urllib2 2010-10-21 09:10:07 +00:00
Miroslav Stampar
8b8fff41fe cosmetics (adding html parsed DBMS) regarding heuristic check 2010-10-18 12:11:16 +00:00
Bernardo Damele
36bc410333 Minor bug fix 2010-10-18 09:50:23 +00:00
Miroslav Stampar
149837ebf5 added the same for proxy authorization header 2010-10-18 09:02:56 +00:00
Miroslav Stampar
aaebb4336e fix for Bug #202 2010-10-18 08:54:08 +00:00
Miroslav Stampar
dcb9c2103a just in case update 2010-10-15 11:20:19 +00:00
Bernardo Damele
5f6d88a418 Minor comment 2010-10-15 11:17:17 +00:00
Miroslav Stampar
4f7f20b94f sorry, cosmetics 2010-10-14 23:18:29 +00:00
Miroslav Stampar
8b48833136 large commit with copyright header modifications 2010-10-14 14:41:14 +00:00
Miroslav Stampar
162d01abed commit of all sorts (bug fix for heuristics and URI injections, fine tunning of tampering modules with SQL keywords,...) 2010-10-14 11:06:28 +00:00
Miroslav Stampar
dc50543ea4 major bug fix for --keep-alive option in multithreading mode (that 'shitty' _headers = {} made a one shared object for all connection objects) 2010-10-13 23:01:23 +00:00
Miroslav Stampar
36ef8ca575 bug fix 2010-10-13 22:42:48 +00:00
Miroslav Stampar
02a14d4c45 added Referer (part of Feature #37) 2010-10-13 22:08:09 +00:00
Miroslav Stampar
34580f56fc added --tamper option 2010-10-12 22:45:25 +00:00
Miroslav Stampar
43892cddbb some updates 2010-10-11 12:26:35 +00:00
Miroslav Stampar
8fcad29bbf new feature --forms (still unfinished) 2010-10-10 18:56:43 +00:00
Miroslav Stampar
adf2231edb minor update 2010-10-06 13:38:03 +00:00
Miroslav Stampar
cf17debf79 changed connection message priority to critical (when verbose=0 it's displayed too) 2010-09-27 13:34:52 +00:00
Miroslav Stampar
13bb3a6212 minor update 2010-09-23 14:07:23 +00:00
Miroslav Stampar
da8ae5578b first commit regarding Feature #144 2010-09-22 11:56:35 +00:00
Miroslav Stampar
975b96ae28 minor refactoring 2010-09-16 09:47:33 +00:00
Miroslav Stampar
1741801ade implementation of HEAD/Range methods 2010-09-16 09:32:09 +00:00
Miroslav Stampar
b745331974 added null connection check 2010-09-16 08:43:10 +00:00
Miroslav Stampar
ecd6b573f7 added method parameter to the queryPage function 2010-09-15 14:17:17 +00:00
Miroslav Stampar
34a8cd75e3 added support for setting HTTP method manualy 2010-09-15 12:45:41 +00:00
Miroslav Stampar
436b7d82fb fixed a bug reported by Marek Sarvas 2010-08-22 08:52:15 +00:00
Bernardo Damele
fea2414759 Display HTTP request in -v>=3 even if connection failed 2010-06-10 14:42:17 +00:00
Bernardo Damele
5bb8e154eb Minor code improvements 2010-06-10 14:15:32 +00:00
Miroslav Stampar
36953221f8 few quick changes 2010-06-10 11:34:17 +00:00
Miroslav Stampar
eaef068c90 major bug fix (different HTTP content charsets are now properly handled) 2010-06-09 14:40:36 +00:00
Bernardo Damele
e811101dce Minor bug fix 2010-05-28 23:39:52 +00:00
Miroslav Stampar
a3db3c03c1 str() -> unicode() 2010-05-28 13:05:02 +00:00
Bernardo Damele
cda8da288c Minor adjustment 2010-05-21 12:18:43 +00:00
Miroslav Stampar
f6bffb61d3 minor adjustment 2010-05-21 11:51:43 +00:00
Miroslav Stampar
460a1ba872 fix for my imperfect calculations :) 2010-05-21 11:41:49 +00:00
Miroslav Stampar
68e13c3872 periodical commit 2010-05-21 09:35:36 +00:00
Miroslav Stampar
b8a5a54395 minor update 2010-05-15 20:44:08 +00:00
Miroslav Stampar
4984ceac49 some code refactoring and minor speed up (jump prediction rule) 2010-05-14 15:20:34 +00:00
Miroslav Stampar
5396f13bab added CPU throttling for lowering sqlmap's CPU intensivity 2010-05-13 15:19:28 +00:00
Bernardo Damele
44ea8f1861 Minor adjustment 2010-05-06 11:00:58 +00:00
Bernardo Damele
147e14356d Major bug fix (reported by Thierry Zoller) 2010-05-06 10:52:40 +00:00
Miroslav Stampar
4928c684b3 one more thing 2010-05-04 08:45:10 +00:00
Miroslav Stampar
789dd6c66f more quick fixes 2010-05-04 08:43:14 +00:00
Miroslav Stampar
af701cdaa2 better way to handle that last commit problem 2010-05-04 08:36:35 +00:00
Miroslav Stampar
5bc07426e0 added exception handler around block reported by Thierry Zoller 2010-05-04 08:03:48 +00:00
Bernardo Damele
a1b1f960cc Finally fixed and adapted all code around to the new isWindowsDriveLetterPath() function 2010-04-23 16:34:20 +00:00
Miroslav Stampar
1aeaa5db47 implementation of Feature #176 (Safe URL: avoid being kicked out after N unsuccessful requests) 2010-04-16 12:44:47 +00:00
Miroslav Stampar
63c70018ca fix for that update (conf.cj) problem mentioned by shiftzwei@gmail.com 2010-04-09 10:16:15 +00:00
Bernardo Damele
5fdebb5d5b Added support to directly connect also to Microsoft SQL Server database.
Fixed direct connection to always use the same query as of UNION query SQL injection (= one query with multiple columns/entries output).
Minor fixes to Firebird/Access/SQLite connectors to use connector's execute()/fetchall() as wrapper for third-party libraries' methods.
Forced conf.timeout to 10 seconds when directly connecting to database.
Slightly improved regular expression to parse -d parameter.
Added import check for all connectors' third-party libraries.
Code refactoring:
* Moved conf.direct request to direct() function in lib/request/direct.py (code reused where needed).
* Back-delegated to generic connector close() and other methods.
2010-03-31 10:50:47 +00:00
Miroslav Stampar
bfc12e93c5 ms access returns -1 for True 2010-03-30 11:33:51 +00:00
Bernardo Damele
a0290a257b Added support to connect directly also to Oracle - see #158 2010-03-27 21:50:19 +00:00
Bernardo Damele
1416cd0d86 Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module).
Minor layout adjustments.
2010-03-26 23:23:25 +00:00
Bernardo Damele
8e57767c48 Fixes #180 - properly url encode sqlmap payload in POST/Cookie too, like for GET 2010-03-23 10:27:39 +00:00
Bernardo Damele
466df89c4a Fixes #178 and #179 - proper handling of custom redirects 2010-03-16 14:30:57 +00:00
Bernardo Damele
3b3353e05b Revert last commit 2010-03-16 13:56:36 +00:00
Miroslav Stampar
1dfe558d3d Fix for Issue #177 2010-03-16 13:11:44 +00:00
Bernardo Damele
323cf2b7f2 Fixes #177 - Don't exit at exception if in "multiple targets" mode (-l or -g) 2010-03-16 12:14:02 +00:00
Bernardo Damele
6d0ea86414 Fixes #59 - proper customizable redirect (302 and 301) 2010-03-15 14:24:43 +00:00
Bernardo Damele
156fdd96ef Updated copyright 2010-03-03 15:26:27 +00:00
Miroslav Stampar
a0f5c3d885 minor update 2010-02-25 13:45:28 +00:00
Miroslav Stampar
3e152f8b20 minor code refactoring 2010-02-25 13:33:52 +00:00
Miroslav Stampar
28d5248c04 one more fix regarding localhost/global proxy issue 2010-02-25 13:30:22 +00:00
Miroslav Stampar
542b01993e minor fix regarding exception handling of multi-part post handler 2010-02-09 14:02:47 +00:00
Miroslav Stampar
7c88e32f9d bug fix for 404 program termination during shell upload attempt 2010-02-03 16:16:34 +00:00
Miroslav Stampar
98205cc488 another fix for Bug #148 2010-01-23 23:29:34 +00:00
Miroslav Stampar
39652bfbf4 update regarding Unicode char logging (Bug #148) 2010-01-23 15:36:55 +00:00
Bernardo Damele
574880ba73 Warn user of HTTP error codes in HTTP responses 2010-01-19 10:27:54 +00:00
Bernardo Damele
c18a5cb92f Fixed a minor bug when displaying requested page in -v >= 3 2010-01-16 21:47:52 +00:00
Miroslav Stampar
26c7b74e65 changes regarding Data (GET/POST/Cookie) encoding (Bug #129) 2010-01-14 18:05:03 +00:00
Bernardo Damele
ce022a3b6e sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup. 2010-01-02 02:02:12 +00:00
Bernardo Damele
9c620da0a5 Minor fix 2009-12-31 12:34:18 +00:00
Bernardo Damele
c1c14dabd9 Minor bug fix 2009-12-21 11:21:18 +00:00
Bernardo Damele
e4e081cdc6 sqlmap 0.8-rc2: minor enhancement based on msfencode 3.3.3-dev -t exe-small so that also PostgreSQL supports again the out-of-band via Metasploit payload stager optionally to shellcode execution in-memory via sys_bineval() UDF. Speed up OOB connect back. Cleanup target file system after --os-pwn too. Minor bug fix to correctly forge file system paths with os.path.join() all around. Minor code refactoring and user's manual update. 2009-12-17 22:04:01 +00:00
Bernardo Damele
c5d20b8a86 Initial support for ASP web backdoor functionality 2009-05-06 12:14:38 +00:00
Bernardo Damele
58f3eee390 Updated Microsoft SQL Server XML signatures file and minor bug fix in connection library 2009-04-28 11:11:35 +00:00
Bernardo Damele
1d7de719b9 Almost done with web backdoor functionality 2009-04-28 11:05:07 +00:00
Bernardo Damele
16b4530bbe Minor bug fixes to --os-shell (altought web backdoor functionality still to be reviewed).
Minor common library code refactoring.
Code cleanup.
Set back the default User-Agent to sqlmap for comparison algorithm reasons.
Updated THANKS.
2009-04-27 23:05:11 +00:00
Bernardo Damele
8c0ac767f4 Updated to sqlmap 0.7 release candidate 1 2009-04-22 11:48:07 +00:00
Bernardo Damele
a8d57bb031 Avoid DeprecationWarning with Python 2.6+ 2009-01-22 23:53:01 +00:00
Bernardo Damele
5560f0b68a Updated the copyright 2009-01-12 21:35:38 +00:00
Bernardo Damele
8d06975142 Major enhancement to make the comparison algorithm work properly also
on url not stables automatically by using the difflib SequenceMatcher
object: this changed a lot into the structure of the code, has to be
extensively beta-tested!
Please, do report bugs on sqlmap-users mailing list if you scout them.
Cheers,
Bernardo
2008-12-20 01:54:08 +00:00
Bernardo Damele
d0d6632c22 Initial support to automatically work around the dynamic page at each refresh
(Major refactor to the comparison algorithm (True/False response))
2008-12-18 20:48:23 +00:00
Bernardo Damele
c32ef9d751 Major bug fix to avoid tracebacks when multiple targets are specified and one
of them is not reachable.
Minor bug fix to make the --postfix work even if --prefix is not provided.
2008-12-18 20:38:57 +00:00
Bernardo Damele
38c9627700 Minor enhancemet to support also --regexp, --excl-str and --excl-reg
options rather than only --string when comparing HTTP responses page
content
2008-12-05 15:34:13 +00:00
Bernardo Damele
7f055924a7 sqlmap 0.6.3-rc4:
Minor enhancement to be able to specify the number of seconds before
timeout the connection, default is set to 10 seconds.
Minor improvement to retry the HTTP request up to three times in case
an exception is raised during the connection to the target url.
Minor bug fix to correctly catch connection exceptions and notify to
the user also if they occur within a thread.
Minor code restyling.
Updated documentation.
2008-12-04 17:40:03 +00:00
Bernardo Damele
b700485a1b Minor adjustment, still to work on the cookie urlencoding/decoding 2008-12-02 21:57:12 +00:00
Bernardo Damele
428612b431 Comment and layout adjustments 2008-12-01 23:04:01 +00:00
Bernardo Damele
9be844cf3e Adapted the code to support a list of targets from a text file (Burp log file) or from a directory (WebScarab conversations folder) with command line option -l. 2008-11-20 17:56:09 +00:00
Bernardo Damele
654aecedfe Minor layout adjustments, minor fixes and updated changelog 2008-11-17 00:00:54 +00:00
Bernardo Damele
84cbc60659 Major bug fix to correctly handle httplib.BadStatusLine exception.
Minor improvement to set by default in all HTTP requests the standard HTTP headers (Accept, Accept-Encoding, etc.)
Updated user's manual.
2008-11-15 12:25:19 +00:00
Bernardo Damele
0c5d3df546 sqlmap 0.6.3-rc1:
* Minor enhancement to be able to specify the number of seconds to wait between each HTTP request.
* Minor bug fix to handle session.error and session.timeout in HTTP requests.
* Updated documentation.
2008-11-09 16:57:47 +00:00
Bernardo Damele
9895338630 Major bug fix following the last commit 2008-10-27 23:56:02 +00:00
Bernardo Damele
eb6e6f4d03 Major bug fix when the request is POST to also send the GET parameters in the request if they've been provided 2008-10-27 15:42:32 +00:00
Bernardo Damele
016118ce7a Some more fixes and adjustments before 0.6.1 release. 2008-10-17 15:26:43 +00:00
Bernardo Damele
1f3ffc8ef7 Minor layout adjustment 2008-10-17 13:23:24 +00:00
Bernardo Damele
66136b48c0 Minor fixes.. should work also for Cookie now the % parsing 2008-10-17 11:51:12 +00:00
Bernardo Damele
a5b2366033 Implemented a better way to deal with % characters in parameters' value. Minor code restyle. 2008-10-16 15:31:02 +00:00
Bernardo Damele
892a7b2f8a propsets.. 2008-10-15 15:56:32 +00:00
Bernardo Damele
8e3eb45510 After the storm, a restore.. 2008-10-15 15:38:22 +00:00