Commit Graph

843 Commits

Author SHA1 Message Date
stamparm
d0e79a4d15 Minor text update 2013-07-08 12:38:36 +02:00
stamparm
a530817727 Minor typo fix 2013-07-08 11:52:46 +02:00
stamparm
8d3435ab0b Removing reflective warning for parsing heuristic test 2013-07-08 11:48:33 +02:00
stamparm
04046f38eb Minor update (Issue #475) 2013-07-01 12:26:57 +02:00
stamparm
f7d15cb465 Official naming is HSQLDB (and/or HyperSQL) 2013-07-01 11:57:47 +02:00
Miroslav Stampar
aeb83ba651 Merge pull request #475 from Meatballs1/hsql_clean
HSQL Payloads and Query Support
2013-07-01 02:38:04 -07:00
stamparm
fd5b665f7d Removing arithmetic operations from false positive checking to minimize affect of character filtering ('>' and '=' have to stay because those are minimal requirements) 2013-06-26 10:55:34 +02:00
Meatballs
62000c6406 Remaining files 2013-06-24 14:42:58 +01:00
stamparm
690645f6c7 Cosmetic fix 2013-06-19 10:50:00 +02:00
stamparm
f4ca4cd6c5 Minor update 2013-05-29 15:49:09 +02:00
Miroslav Stampar
d3ad408a21 Minor cosmetics 2013-05-19 22:17:53 +02:00
Miroslav Stampar
980a0e3adb Trivial update 2013-05-18 21:00:53 +02:00
Miroslav Stampar
1ff98c2ff9 Another minor text update 2013-05-18 21:00:11 +02:00
Miroslav Stampar
967513e1bb Minor message update 2013-05-18 20:59:23 +02:00
Miroslav Stampar
caa4ee96cd Minor cosmetic update 2013-05-18 18:28:44 +02:00
Miroslav Stampar
6608410320 Adding a question after WAF has been identified 2013-05-18 18:26:40 +02:00
stamparm
03732d2592 Minor fix 2013-05-17 16:04:05 +02:00
stamparm
76b4e1ccb9 Implementation for an Issue #450 2013-05-17 15:04:25 +02:00
stamparm
f1f34a65a2 Minor update 2013-05-15 13:38:26 +02:00
Miroslav Stampar
034e123b0c Minor fix (to accept -p cookie without need for raising --level / as it's already done for referer and user_agent) 2013-05-12 16:24:13 +02:00
Miroslav Stampar
840ee26a14 If SQLAlchemy is available and it has problems while connecting then it should be smarter to not force the other (standard) method - if available 2013-04-15 18:42:26 +02:00
stamparm
1c2197e8de Minor bug fix for an Issue #361 (removal of that ugly garbage clean warning message after sqlmap ends) 2013-04-15 16:18:40 +02:00
stamparm
a3d36fcb73 Minor update 2013-04-15 16:07:27 +02:00
stamparm
aed738d6e6 Update for an Issue #361 2013-04-15 14:20:21 +02:00
stamparm
3e65037a05 Introducing lib/utils/sqlalchemy.py (Issue #361) 2013-04-15 10:33:25 +02:00
stamparm
661b44135d Minor bug fix 2013-04-10 11:59:07 +02:00
stamparm
8c9da95343 Style and consistency update (url -> URL) 2013-04-09 11:48:42 +02:00
Miroslav Stampar
153aa10b77 Minor cosmetic update 2013-04-03 19:00:54 +02:00
stamparm
5dd2529b02 Minor language update 2013-03-26 14:18:37 +01:00
stamparm
4d2b77dde3 Minor language update 2013-03-26 14:15:40 +01:00
stamparm
3f8dafedae Minor text update 2013-03-26 14:08:35 +01:00
stamparm
7447773237 Update for consistency (all other enums are using _ in between words) 2013-03-20 11:10:24 +01:00
Miroslav Stampar
8acf033715 Code refactoring 2013-03-19 19:24:14 +01:00
Miroslav Stampar
a3d9a7b1ff Minor fix 2013-03-19 19:06:51 +01:00
Martin Bjerregaard Jepsen
d7a77c79ad Fixed incorrect call to checkBooleanExpression when testing for false positives 2013-03-01 22:51:34 +01:00
stamparm
3a3f9c5ea1 Trivial commit related to the last one 2013-03-01 12:09:03 +01:00
stamparm
440b484bf6 Minor update (one more just in case dummy request in false positive check for time-based injections - when DBMS could be unresponsive a bit due to previous heavy-queries) 2013-03-01 10:59:04 +01:00
Miroslav Stampar
e42350ddce Minor style update 2013-02-28 20:28:34 +01:00
Miroslav Stampar
0e89cc62a2 Adding a hidden switch --dummy used for dummy runs (getPage() returns random data) - usefull for testing purposes for skipping connections 2013-02-28 20:20:08 +01:00
stamparm
af4762ace2 Minor style update 2013-02-26 11:16:09 +01:00
stamparm
f6b43b4b13 Minor update for an Issue #290 2013-02-26 11:08:06 +01:00
stamparm
68ce51bfd4 Changing from warn to info for no WAF found 2013-02-22 12:15:38 +01:00
stamparm
0bbbfc2eac Adding a small warning message (related to the Issue #407) 2013-02-22 11:12:41 +01:00
Miroslav Stampar
229e4e167b Minor cosmetics 2013-02-21 21:06:31 +01:00
stamparm
3a8c0cd3a2 Minor style update 2013-02-21 14:52:56 +01:00
stamparm
29ba43ee6c Unhidding switch '--identify-waf' (Issue #290) 2013-02-21 14:48:19 +01:00
stamparm
08f0670aca Minor refactoring for an Issue #290 2013-02-21 14:39:22 +01:00
stamparm
8e49872d7c Finalizing implementation for an Issue #290 2013-02-21 14:33:12 +01:00
stamparm
6b2981ef4e Update for an Issue #290 (adding tamper-like scripts into (new) directory waf) 2013-02-21 11:14:57 +01:00
Miroslav Stampar
5c099efccc Fix for an Issue #401 2013-02-18 11:38:18 +01:00
Bernardo Damele
4b9d8ed673 reverted a previous commit as not all distributions create a link file /usr/bin/python2 to the Python interpreter 2013-02-14 11:32:17 +00:00
Bernardo Damele
a67ef4117f make sure to use Python 2 interpreter when default system Python is version 3 2013-02-14 11:25:04 +00:00
Miroslav Stampar
1618086027 Minor fix 2013-02-05 10:58:02 +01:00
Miroslav Stampar
44579120b5 Cosmetics 2013-02-05 10:02:11 +01:00
Miroslav Stampar
e7b93b5b66 Implementation for an Issue #363 2013-02-01 17:24:04 +01:00
Miroslav Stampar
993372aae4 Bug fix (causing search problems) 2013-02-01 11:24:17 +01:00
Bernardo Damele
103045d284 variable renamed 2013-01-30 15:30:34 +00:00
Miroslav Stampar
f41460f8d8 Better naming 2013-01-29 20:53:11 +01:00
Bernardo Damele
a56f4ec15c techniques has to go too to the API (issue #297) 2013-01-29 15:34:53 +00:00
Bernardo Damele
bfce7210e6 improvements to the dump library to output to the API data fetched properly formatted (issue #297) 2013-01-29 15:34:20 +00:00
Miroslav Stampar
8c84a16cb7 Minor style update for an Issue #377 2013-01-25 12:52:31 +01:00
Miroslav Stampar
194a9e7b88 Implementation for an Issue #377 2013-01-25 12:34:57 +01:00
Miroslav Stampar
b4a55a809e Refactoring DBMS string escaping functions 2013-01-20 13:45:58 +01:00
Miroslav Stampar
ac7709204a Better fix for that page/headers/comparison --string candidate problem 2013-01-18 17:00:11 +01:00
Miroslav Stampar
8141d17985 Revert of previous commit (more care has to be done regarding headers dynamicity) 2013-01-18 16:49:35 +01:00
Miroslav Stampar
33094a118c Fix for an Issue where '--string' is being automatically picked not looking properly in headers too 2013-01-18 16:35:09 +01:00
Bernardo Damele
a43202f3c0 updated copyright 2013-01-18 14:07:51 +00:00
Bernardo Damele
542f6de72e typo fix 2013-01-16 01:31:03 +00:00
Bernardo Damele
8125fe90a7 code refactoring 2013-01-14 10:22:38 +00:00
Miroslav Stampar
03dd958d96 Implementation for an Issue #48 2013-01-13 16:22:43 +01:00
Miroslav Stampar
934d41dac2 Minor style update (PEP8) 2013-01-10 15:02:28 +01:00
Miroslav Stampar
ca3d35a878 Some PEP8 related style cleaning 2013-01-10 13:18:44 +01:00
Miroslav Stampar
25f01a419f Minor style update (for the sake of consistency over the code and our PEP8 adaptation) 2013-01-09 15:38:41 +01:00
Miroslav Stampar
87e923613f Minor adjustment (URI (marked with custom injection char) has precedence over GET/POST) 2013-01-05 21:16:47 +01:00
Miroslav Stampar
5b77b20e2e Removing trailing whitespaces (PEP8) 2013-01-03 23:57:07 +01:00
Miroslav Stampar
e4a3c015e5 Replacing old and deprecated raise Exception style (PEP8) 2013-01-03 23:20:55 +01:00
Bernardo Damele
3a11d36c66 minor bug fix 2013-01-02 21:49:15 +00:00
Miroslav Stampar
3d01890147 Patch for an Issue #56 (full target url is now being written to a output .CSV file in multi target mode) 2012-12-27 21:15:44 +01:00
Miroslav Stampar
0d5d84edc7 Minor cleanup 2012-12-20 21:03:41 +01:00
Bernardo Damele
3be90c97aa forgot these 2012-12-19 14:12:45 +00:00
Bernardo Damele
ac44cf3ec0 minor fix: add also back-end DBMS and web app fingerprint output to log file 2012-12-17 13:02:09 +00:00
Bernardo Damele
2442a58884 minor leftover of deprecated XMLRPC service 2012-12-17 11:26:31 +00:00
Miroslav Stampar
df0f08bc6a Cleaning some (web upload based) garbage 2012-12-13 13:19:47 +01:00
Miroslav Stampar
c3f20a136f Minor update for an Issue #287 2012-12-12 14:03:03 +01:00
Miroslav Stampar
760519dbe9 Removing redundant piece of code 2012-12-11 15:21:27 +01:00
Miroslav Stampar
a54c261496 Minor update for Issues #292 & #293 (only single alert per target) 2012-12-11 14:44:43 +01:00
Miroslav Stampar
5c2451d83c Implementation for an Issue #293 2012-12-11 12:48:58 +01:00
Miroslav Stampar
562044577b Implementation for an Issue #292 2012-12-11 12:02:06 +01:00
Miroslav Stampar
5677db02b7 Minor update 2012-12-10 12:40:28 +01:00
Miroslav Stampar
42f4c2bac9 Minor fix when --dbms is enforced 2012-12-10 11:42:10 +01:00
Miroslav Stampar
974407396e Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods) 2012-12-06 14:14:19 +01:00
Miroslav Stampar
ab67344448 Removed unused imports and variables (pyflake-ing) 2012-12-06 11:15:05 +01:00
Miroslav Stampar
775e0df04b Update for an Issue #278 2012-12-05 10:45:17 +01:00
Miroslav Stampar
949fcb77cf Minor style update 2012-12-05 10:22:16 +01:00
Miroslav Stampar
a52dbc575b Patch for an Issue #246 2012-11-13 10:21:11 +01:00
Miroslav Stampar
2de52927f3 Code refactoring (epecially Google search code) 2012-10-30 18:38:10 +01:00
Miroslav Stampar
ca427af8b3 Minor refactoring/improvement 2012-10-28 01:42:08 +02:00
Miroslav Stampar
bcdba7b7bb Dealing with rare cases when getIdentifiedDbms is needed prior to DBMS isfingerprinted and there are multiples of dbmses inside details 2012-10-28 01:11:50 +02:00
Miroslav Stampar
c1b8226329 Massive renaming (proper naming is inband = union & error techniques! - query naming stays as they are/in code things like forgeInbandQuery are renamed to forgeUnionQuery) 2012-10-28 00:36:09 +02:00
Miroslav Stampar
235cc656b9 Fix for an Issue #224 2012-10-25 15:25:31 +02:00
Miroslav Stampar
bcf708f4b1 Minor update 2012-10-25 13:37:33 +02:00
Miroslav Stampar
fdcdd11cb9 Minor update for an Issue #222 2012-10-25 13:35:44 +02:00
Miroslav Stampar
8a5844a364 Implementation for an Issue #222 2012-10-25 13:21:32 +02:00
Miroslav Stampar
d65d9e25cd Implementation for an Issue #2 2012-10-19 11:02:14 +02:00
Miroslav Stampar
9ad58cb531 Implementation for an Issue #204 2012-10-16 10:24:05 +02:00
Miroslav Stampar
cc3f387551 Patch for an Issue #127 2012-10-05 10:49:31 +02:00
Miroslav Stampar
f71b937add Minor language cleanup 2012-10-04 18:28:36 +02:00
Miroslav Stampar
2fbd05c98f Minor language update 2012-10-04 18:04:55 +02:00
Miroslav Stampar
dee6d2f9ff Minor language update 2012-10-04 11:34:14 +02:00
Miroslav Stampar
6eae7013b6 Minor cosmetics 2012-09-26 15:03:12 +02:00
Miroslav Stampar
687f3991de Cleaning/refactoring of bunch of stacked/suffix/comment stuff (e.g. 2012-09-26 11:27:43 +02:00
Miroslav Stampar
9ca7b3e20e Implementation for an Issue #194 2012-09-25 09:25:35 +02:00
Miroslav Stampar
c3d191e626 Minor update for an Issue #2 2012-09-06 14:13:54 +02:00
Miroslav Stampar
c1c65a7167 Fix for an Issue #166 2012-08-29 20:21:45 +02:00
Miroslav Stampar
e9ae44c6fc Implementation for an #162 2012-08-22 16:50:01 +02:00
Miroslav Stampar
0ad3846451 Minor language update 2012-08-22 16:10:56 +02:00
Miroslav Stampar
a62a874d59 Update for an Issue #161 (changing default readInput value regarding the conf.multipleTargets) 2012-08-22 16:06:09 +02:00
Miroslav Stampar
4ab4fd1cb4 Minor update 2012-08-22 15:53:40 +02:00
Miroslav Stampar
52351e5d81 Update for an Issue #161 (now detecting format error messages too) 2012-08-22 15:51:47 +02:00
Miroslav Stampar
7b93108e7d Favoring non-string specific boundaries in case of digit-like parameter values 2012-08-22 13:58:52 +02:00
Miroslav Stampar
25ee333e66 Minor language update 2012-08-22 12:00:17 +02:00
Miroslav Stampar
8a5042b6a4 Update for an #161 (preventing further skipping of non-heuristic parameters in ignore casted case) 2012-08-22 11:56:30 +02:00
Miroslav Stampar
7d0662da23 Update for an #161 2012-08-22 11:42:06 +02:00
Miroslav Stampar
61151447fe Implementation of an Issue #161 2012-08-22 11:27:58 +02:00
Miroslav Stampar
6210ddfbd6 Minor refactoring 2012-08-22 11:00:39 +02:00
Miroslav Stampar
a927d94d39 Update for an Issue #155 2012-08-22 10:57:31 +02:00
Miroslav Stampar
6f450ac8bf Implementation for an Issue #155 2012-08-20 12:14:01 +02:00
Miroslav Stampar
823dde73ab Minor cleanup 2012-08-20 11:40:49 +02:00
Miroslav Stampar
2b6123c4f8 Minor style update 2012-08-20 11:29:23 +02:00
Miroslav Stampar
e0d9fa8666 Minor style update 2012-08-20 11:28:41 +02:00
Miroslav Stampar
76338add17 Fix for an Issue #152 2012-08-20 10:41:43 +02:00
Miroslav Stampar
f358ab2e73 Implementation of an Issue #147 2012-08-15 16:37:18 +02:00
Miroslav Stampar
6f529542e3 Making those --string tips (containing escaped characters) decodable by sqlmap 2012-07-31 11:32:53 +02:00
Miroslav Stampar
142fc887f1 Fix for an Issue #129 2012-07-31 11:03:44 +02:00
Miroslav Stampar
b3552494c4 Minor preparation for an Issue #48 2012-07-26 12:26:57 +02:00
Miroslav Stampar
30f8d09651 Implementation for an Issue #70 2012-07-26 12:06:02 +02:00
Miroslav Stampar
2b60e61d54 Minor update for #119 2012-07-25 10:57:19 +02:00
Miroslav Stampar
922ea9d1f4 Update for Issue #118 2012-07-24 15:43:29 +02:00
Miroslav Stampar
3279ce53a8 Minor style update 2012-07-23 13:57:38 +02:00
Bernardo Damele
318a01b867 minor typo fixes 2012-07-17 00:25:02 +01:00
Miroslav Stampar
87ecf205cb More work for Issue #66 2012-07-14 17:01:04 +02:00
Miroslav Stampar
805120ac52 Minor refactoring 2012-07-14 11:01:30 +02:00
Bernardo Damele
162da75a04 modified homepage address 2012-07-12 18:38:03 +01:00
Bernardo Damele
53c0336b48 added --hostname switch to retrieve DBMS server hostname - closes issue #69 2012-07-12 00:01:57 +01:00
Bernardo Damele
c4af7b9aa0 initial work for issue #33 2012-07-10 00:27:08 +01:00
Miroslav Stampar
e948e4d45b Some more refactoring 2012-07-06 17:18:22 +02:00
Miroslav Stampar
7ad6697446 Fix for Issue #57 2012-07-04 20:21:44 +02:00
jekil
c39e5a85ba Removed $id$ tags 2012-06-27 20:56:43 +02:00
Miroslav Stampar
302d782a0f minor style update 2012-06-19 08:33:51 +00:00
Miroslav Stampar
3da8f86e97 minor fix 2012-06-15 21:01:27 +00:00
Miroslav Stampar
76584ff0fa unhidding --test-filter 2012-06-14 14:36:53 +00:00
Miroslav Stampar
d2bbfa4aad minor style update 2012-05-28 14:04:17 +00:00
Miroslav Stampar
dc20bff1d0 minor update 2012-05-25 08:30:24 +00:00
Miroslav Stampar
7657bbeaf9 minor update 2012-05-24 22:32:06 +00:00
Miroslav Stampar
86fdad2bfa minor update 2012-05-24 22:07:50 +00:00
Miroslav Stampar
1e18168cc8 fix for one silent bug and small language update 2012-05-23 16:35:40 +00:00
Miroslav Stampar
2538e2d5b4 fixing an issue with --file-read and ROW() MySQL payload (it's internal caching mechanism prevents error message if FROM part is not unique enough dumping only partial file content); minor refactoring 2012-05-22 09:33:22 +00:00
Miroslav Stampar
7fb1f3fc70 minor renaming 2012-05-09 18:26:02 +00:00
Miroslav Stampar
11d9859199 making nice code 2012-05-09 18:25:04 +00:00
Miroslav Stampar
b0a8238774 minor fixes 2012-05-09 14:58:16 +00:00
Miroslav Stampar
6177317a17 minor update 2012-05-09 10:06:23 +00:00
Miroslav Stampar
deec97dfe3 adding Frontbase to error message regexes 2012-05-08 17:02:58 +00:00
Miroslav Stampar
80ee687b41 minor beauty patch 2012-05-07 13:51:31 +00:00
Miroslav Stampar
6f67dc85ee adding --invalid-bignum (Havij like bignum style for invalidating/negating values); renaming --logical-negate to --invalid-logical 2012-04-25 20:29:07 +00:00
Miroslav Stampar
3532d23933 automatically extending ranges for UNION tests in case where at least one other injection technique is usable (boundaries has been established) 2012-04-23 13:41:36 +00:00
Miroslav Stampar
6ebb621228 adding support for (custom) POST injection (marking injection point with '*' in conf.data) 2012-04-17 14:23:00 +00:00
Miroslav Stampar
54576ab3a6 making a random choice from candidates 2012-04-13 10:54:30 +00:00
Miroslav Stampar
bbbcc95fe5 use it only if page is stable 2012-04-13 10:19:26 +00:00
Miroslav Stampar
052d9455fe warning user in cases of "User xyz already has more than 'max_user_connections' active connections" 2012-04-12 09:44:54 +00:00
Miroslav Stampar
b45ae10da4 minor fixes 2012-04-11 21:36:37 +00:00
Miroslav Stampar
e33ea7c33a minor fix 2012-04-10 22:29:39 +00:00
Miroslav Stampar
a82206cec4 minor cosmetics 2012-04-10 21:57:00 +00:00
Miroslav Stampar
119eec3598 improving "boolean detection" by automatic recognition of convenient --string candidate 2012-04-10 21:48:34 +00:00
Miroslav Stampar
56638f9e95 making --no-cast unhidden and renaming --negative-logic to --logical-negate to prevent confusion with stuff used in OR boolean based injection 2012-03-30 10:50:01 +00:00
Miroslav Stampar
637a8d8273 improvement toward proper implementation of OR-based injection by usage of "negative logic" mechanism 2012-03-29 14:33:27 +00:00
Miroslav Stampar
ce4c697bbd disabling "negative logic" as it's not half done (it was "luckily" working for --string/--regex/--code but it was a sheer luck); removing "dirty fix" from checks.py; proof that this was not ready for the release is that there was not check for negative logic anywhere for anything more then --string/--regex/--code 2012-03-29 13:39:12 +00:00
Miroslav Stampar
c9cac957bb adding one more case for false positive check (Generic tests without any DBMS knowledge) 2012-03-29 09:56:09 +00:00
Miroslav Stampar
3abcd6910a strange combination of "Set-Cookie" and interleaved pattern of True/False like responses can result in bypassing of the ABAB test 2012-03-22 00:06:50 +00:00
Miroslav Stampar
0fc4288a7c modifying redirection code for only two choices 2012-03-18 17:27:08 +00:00
Miroslav Stampar
577caac4de putting kb.negativeLogic setting to the safe place 2012-03-16 09:17:11 +00:00
Miroslav Stampar
7d313ac911 few more fixes for proper redirecting mechanism 2012-03-15 19:47:59 +00:00
Bernardo Damele
4520744b4d second step toward negative logic support (ported to detection phase too) - works well with --string, --regexp and --code now 2012-03-15 16:25:26 +00:00
Miroslav Stampar
a7fbc55748 grammar fix 2012-03-13 22:03:23 +00:00
Miroslav Stampar
c878dd3e5a doing a dummy test for --os-shell in case of xp_cmdshell 2012-03-09 14:21:41 +00:00
Miroslav Stampar
a0b46963cb minor fix for some special "unusable" cases (seen on Access/ODBC/Linux setup) 2012-03-09 10:28:19 +00:00
Miroslav Stampar
0ead1fd87e minor update 2012-03-05 09:42:52 +00:00
Miroslav Stampar
1ec56f93ec minor update 2012-03-01 10:10:19 +00:00
Miroslav Stampar
f142c0f782 minor update 2012-02-28 14:04:13 +00:00
Miroslav Stampar
22b3fa0749 minor update 2012-02-27 15:28:36 +00:00
Miroslav Stampar
a9bf0297f6 moving injection data to HashDB 2012-02-27 13:44:07 +00:00
Miroslav Stampar
f94b91ad87 added helper function for HashDB data storing/retrieval 2012-02-24 13:07:20 +00:00
Miroslav Stampar
6e54cb171f minor code restyling 2012-02-22 15:53:36 +00:00
Miroslav Stampar
b3bd4144f5 removing of unused imports together with some general code refactoring 2012-02-22 10:40:11 +00:00
Miroslav Stampar
386e98a0e3 using UNION SELECT for where=..NEGATIVE 2012-02-22 09:41:58 +00:00
Miroslav Stampar
844fc8addb minor cleanup 2012-02-16 10:19:36 +00:00
Miroslav Stampar
23cc8b6974 minor fix for special cases when parameter value contains html encoded characters 2012-02-14 14:08:10 +00:00
Miroslav Stampar
2604e73d88 minor change in workflow 2012-02-13 11:18:47 +00:00
Miroslav Stampar
96f589fc89 minor fix 2012-02-12 19:22:33 +00:00
Miroslav Stampar
249cb48b0b minor fix 2012-02-10 15:59:11 +00:00
Miroslav Stampar
6be95194a7 matter of concision 2012-02-10 15:37:43 +00:00