Miroslav Stampar
034e123b0c
Minor fix (to accept -p cookie without need for raising --level / as it's already done for referer and user_agent)
2013-05-12 16:24:13 +02:00
Miroslav Stampar
840ee26a14
If SQLAlchemy is available and it has problems while connecting then it should be smarter to not force the other (standard) method - if available
2013-04-15 18:42:26 +02:00
stamparm
1c2197e8de
Minor bug fix for an Issue #361 (removal of that ugly garbage clean warning message after sqlmap ends)
2013-04-15 16:18:40 +02:00
stamparm
a3d36fcb73
Minor update
2013-04-15 16:07:27 +02:00
stamparm
aed738d6e6
Update for an Issue #361
2013-04-15 14:20:21 +02:00
stamparm
3e65037a05
Introducing lib/utils/sqlalchemy.py (Issue #361 )
2013-04-15 10:33:25 +02:00
stamparm
661b44135d
Minor bug fix
2013-04-10 11:59:07 +02:00
stamparm
8c9da95343
Style and consistency update (url -> URL)
2013-04-09 11:48:42 +02:00
Miroslav Stampar
153aa10b77
Minor cosmetic update
2013-04-03 19:00:54 +02:00
stamparm
5dd2529b02
Minor language update
2013-03-26 14:18:37 +01:00
stamparm
4d2b77dde3
Minor language update
2013-03-26 14:15:40 +01:00
stamparm
3f8dafedae
Minor text update
2013-03-26 14:08:35 +01:00
stamparm
7447773237
Update for consistency (all other enums are using _ in between words)
2013-03-20 11:10:24 +01:00
Miroslav Stampar
8acf033715
Code refactoring
2013-03-19 19:24:14 +01:00
Miroslav Stampar
a3d9a7b1ff
Minor fix
2013-03-19 19:06:51 +01:00
Martin Bjerregaard Jepsen
d7a77c79ad
Fixed incorrect call to checkBooleanExpression when testing for false positives
2013-03-01 22:51:34 +01:00
stamparm
3a3f9c5ea1
Trivial commit related to the last one
2013-03-01 12:09:03 +01:00
stamparm
440b484bf6
Minor update (one more just in case dummy request in false positive check for time-based injections - when DBMS could be unresponsive a bit due to previous heavy-queries)
2013-03-01 10:59:04 +01:00
Miroslav Stampar
e42350ddce
Minor style update
2013-02-28 20:28:34 +01:00
Miroslav Stampar
0e89cc62a2
Adding a hidden switch --dummy used for dummy runs (getPage() returns random data) - usefull for testing purposes for skipping connections
2013-02-28 20:20:08 +01:00
stamparm
af4762ace2
Minor style update
2013-02-26 11:16:09 +01:00
stamparm
f6b43b4b13
Minor update for an Issue #290
2013-02-26 11:08:06 +01:00
stamparm
68ce51bfd4
Changing from warn to info for no WAF found
2013-02-22 12:15:38 +01:00
stamparm
0bbbfc2eac
Adding a small warning message (related to the Issue #407 )
2013-02-22 11:12:41 +01:00
Miroslav Stampar
229e4e167b
Minor cosmetics
2013-02-21 21:06:31 +01:00
stamparm
3a8c0cd3a2
Minor style update
2013-02-21 14:52:56 +01:00
stamparm
29ba43ee6c
Unhidding switch '--identify-waf' (Issue #290 )
2013-02-21 14:48:19 +01:00
stamparm
08f0670aca
Minor refactoring for an Issue #290
2013-02-21 14:39:22 +01:00
stamparm
8e49872d7c
Finalizing implementation for an Issue #290
2013-02-21 14:33:12 +01:00
stamparm
6b2981ef4e
Update for an Issue #290 (adding tamper-like scripts into (new) directory waf)
2013-02-21 11:14:57 +01:00
Miroslav Stampar
5c099efccc
Fix for an Issue #401
2013-02-18 11:38:18 +01:00
Bernardo Damele
4b9d8ed673
reverted a previous commit as not all distributions create a link file /usr/bin/python2 to the Python interpreter
2013-02-14 11:32:17 +00:00
Bernardo Damele
a67ef4117f
make sure to use Python 2 interpreter when default system Python is version 3
2013-02-14 11:25:04 +00:00
Miroslav Stampar
1618086027
Minor fix
2013-02-05 10:58:02 +01:00
Miroslav Stampar
44579120b5
Cosmetics
2013-02-05 10:02:11 +01:00
Miroslav Stampar
e7b93b5b66
Implementation for an Issue #363
2013-02-01 17:24:04 +01:00
Miroslav Stampar
993372aae4
Bug fix (causing search problems)
2013-02-01 11:24:17 +01:00
Bernardo Damele
103045d284
variable renamed
2013-01-30 15:30:34 +00:00
Miroslav Stampar
f41460f8d8
Better naming
2013-01-29 20:53:11 +01:00
Bernardo Damele
a56f4ec15c
techniques has to go too to the API (issue #297 )
2013-01-29 15:34:53 +00:00
Bernardo Damele
bfce7210e6
improvements to the dump library to output to the API data fetched properly formatted (issue #297 )
2013-01-29 15:34:20 +00:00
Miroslav Stampar
8c84a16cb7
Minor style update for an Issue #377
2013-01-25 12:52:31 +01:00
Miroslav Stampar
194a9e7b88
Implementation for an Issue #377
2013-01-25 12:34:57 +01:00
Miroslav Stampar
b4a55a809e
Refactoring DBMS string escaping functions
2013-01-20 13:45:58 +01:00
Miroslav Stampar
ac7709204a
Better fix for that page/headers/comparison --string candidate problem
2013-01-18 17:00:11 +01:00
Miroslav Stampar
8141d17985
Revert of previous commit (more care has to be done regarding headers dynamicity)
2013-01-18 16:49:35 +01:00
Miroslav Stampar
33094a118c
Fix for an Issue where '--string' is being automatically picked not looking properly in headers too
2013-01-18 16:35:09 +01:00
Bernardo Damele
a43202f3c0
updated copyright
2013-01-18 14:07:51 +00:00
Bernardo Damele
542f6de72e
typo fix
2013-01-16 01:31:03 +00:00
Bernardo Damele
8125fe90a7
code refactoring
2013-01-14 10:22:38 +00:00
Miroslav Stampar
03dd958d96
Implementation for an Issue #48
2013-01-13 16:22:43 +01:00
Miroslav Stampar
934d41dac2
Minor style update (PEP8)
2013-01-10 15:02:28 +01:00
Miroslav Stampar
ca3d35a878
Some PEP8 related style cleaning
2013-01-10 13:18:44 +01:00
Miroslav Stampar
25f01a419f
Minor style update (for the sake of consistency over the code and our PEP8 adaptation)
2013-01-09 15:38:41 +01:00
Miroslav Stampar
87e923613f
Minor adjustment (URI (marked with custom injection char) has precedence over GET/POST)
2013-01-05 21:16:47 +01:00
Miroslav Stampar
5b77b20e2e
Removing trailing whitespaces (PEP8)
2013-01-03 23:57:07 +01:00
Miroslav Stampar
e4a3c015e5
Replacing old and deprecated raise Exception style (PEP8)
2013-01-03 23:20:55 +01:00
Bernardo Damele
3a11d36c66
minor bug fix
2013-01-02 21:49:15 +00:00
Miroslav Stampar
3d01890147
Patch for an Issue #56 (full target url is now being written to a output .CSV file in multi target mode)
2012-12-27 21:15:44 +01:00
Miroslav Stampar
0d5d84edc7
Minor cleanup
2012-12-20 21:03:41 +01:00
Bernardo Damele
3be90c97aa
forgot these
2012-12-19 14:12:45 +00:00
Bernardo Damele
ac44cf3ec0
minor fix: add also back-end DBMS and web app fingerprint output to log file
2012-12-17 13:02:09 +00:00
Bernardo Damele
2442a58884
minor leftover of deprecated XMLRPC service
2012-12-17 11:26:31 +00:00
Miroslav Stampar
df0f08bc6a
Cleaning some (web upload based) garbage
2012-12-13 13:19:47 +01:00
Miroslav Stampar
c3f20a136f
Minor update for an Issue #287
2012-12-12 14:03:03 +01:00
Miroslav Stampar
760519dbe9
Removing redundant piece of code
2012-12-11 15:21:27 +01:00
Miroslav Stampar
a54c261496
Minor update for Issues #292 & #293 (only single alert per target)
2012-12-11 14:44:43 +01:00
Miroslav Stampar
5c2451d83c
Implementation for an Issue #293
2012-12-11 12:48:58 +01:00
Miroslav Stampar
562044577b
Implementation for an Issue #292
2012-12-11 12:02:06 +01:00
Miroslav Stampar
5677db02b7
Minor update
2012-12-10 12:40:28 +01:00
Miroslav Stampar
42f4c2bac9
Minor fix when --dbms is enforced
2012-12-10 11:42:10 +01:00
Miroslav Stampar
974407396e
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods)
2012-12-06 14:14:19 +01:00
Miroslav Stampar
ab67344448
Removed unused imports and variables (pyflake-ing)
2012-12-06 11:15:05 +01:00
Miroslav Stampar
775e0df04b
Update for an Issue #278
2012-12-05 10:45:17 +01:00
Miroslav Stampar
949fcb77cf
Minor style update
2012-12-05 10:22:16 +01:00
Miroslav Stampar
a52dbc575b
Patch for an Issue #246
2012-11-13 10:21:11 +01:00
Miroslav Stampar
2de52927f3
Code refactoring (epecially Google search code)
2012-10-30 18:38:10 +01:00
Miroslav Stampar
ca427af8b3
Minor refactoring/improvement
2012-10-28 01:42:08 +02:00
Miroslav Stampar
bcdba7b7bb
Dealing with rare cases when getIdentifiedDbms is needed prior to DBMS isfingerprinted and there are multiples of dbmses inside details
2012-10-28 01:11:50 +02:00
Miroslav Stampar
c1b8226329
Massive renaming (proper naming is inband = union & error techniques! - query naming stays as they are/in code things like forgeInbandQuery are renamed to forgeUnionQuery)
2012-10-28 00:36:09 +02:00
Miroslav Stampar
235cc656b9
Fix for an Issue #224
2012-10-25 15:25:31 +02:00
Miroslav Stampar
bcf708f4b1
Minor update
2012-10-25 13:37:33 +02:00
Miroslav Stampar
fdcdd11cb9
Minor update for an Issue #222
2012-10-25 13:35:44 +02:00
Miroslav Stampar
8a5844a364
Implementation for an Issue #222
2012-10-25 13:21:32 +02:00
Miroslav Stampar
d65d9e25cd
Implementation for an Issue #2
2012-10-19 11:02:14 +02:00
Miroslav Stampar
9ad58cb531
Implementation for an Issue #204
2012-10-16 10:24:05 +02:00
Miroslav Stampar
cc3f387551
Patch for an Issue #127
2012-10-05 10:49:31 +02:00
Miroslav Stampar
f71b937add
Minor language cleanup
2012-10-04 18:28:36 +02:00
Miroslav Stampar
2fbd05c98f
Minor language update
2012-10-04 18:04:55 +02:00
Miroslav Stampar
dee6d2f9ff
Minor language update
2012-10-04 11:34:14 +02:00
Miroslav Stampar
6eae7013b6
Minor cosmetics
2012-09-26 15:03:12 +02:00
Miroslav Stampar
687f3991de
Cleaning/refactoring of bunch of stacked/suffix/comment stuff (e.g.
2012-09-26 11:27:43 +02:00
Miroslav Stampar
9ca7b3e20e
Implementation for an Issue #194
2012-09-25 09:25:35 +02:00
Miroslav Stampar
c3d191e626
Minor update for an Issue #2
2012-09-06 14:13:54 +02:00
Miroslav Stampar
c1c65a7167
Fix for an Issue #166
2012-08-29 20:21:45 +02:00
Miroslav Stampar
e9ae44c6fc
Implementation for an #162
2012-08-22 16:50:01 +02:00
Miroslav Stampar
0ad3846451
Minor language update
2012-08-22 16:10:56 +02:00
Miroslav Stampar
a62a874d59
Update for an Issue #161 (changing default readInput value regarding the conf.multipleTargets)
2012-08-22 16:06:09 +02:00
Miroslav Stampar
4ab4fd1cb4
Minor update
2012-08-22 15:53:40 +02:00
Miroslav Stampar
52351e5d81
Update for an Issue #161 (now detecting format error messages too)
2012-08-22 15:51:47 +02:00
Miroslav Stampar
7b93108e7d
Favoring non-string specific boundaries in case of digit-like parameter values
2012-08-22 13:58:52 +02:00
Miroslav Stampar
25ee333e66
Minor language update
2012-08-22 12:00:17 +02:00
Miroslav Stampar
8a5042b6a4
Update for an #161 (preventing further skipping of non-heuristic parameters in ignore casted case)
2012-08-22 11:56:30 +02:00
Miroslav Stampar
7d0662da23
Update for an #161
2012-08-22 11:42:06 +02:00
Miroslav Stampar
61151447fe
Implementation of an Issue #161
2012-08-22 11:27:58 +02:00
Miroslav Stampar
6210ddfbd6
Minor refactoring
2012-08-22 11:00:39 +02:00
Miroslav Stampar
a927d94d39
Update for an Issue #155
2012-08-22 10:57:31 +02:00
Miroslav Stampar
6f450ac8bf
Implementation for an Issue #155
2012-08-20 12:14:01 +02:00
Miroslav Stampar
823dde73ab
Minor cleanup
2012-08-20 11:40:49 +02:00
Miroslav Stampar
2b6123c4f8
Minor style update
2012-08-20 11:29:23 +02:00
Miroslav Stampar
e0d9fa8666
Minor style update
2012-08-20 11:28:41 +02:00
Miroslav Stampar
76338add17
Fix for an Issue #152
2012-08-20 10:41:43 +02:00
Miroslav Stampar
f358ab2e73
Implementation of an Issue #147
2012-08-15 16:37:18 +02:00
Miroslav Stampar
6f529542e3
Making those --string tips (containing escaped characters) decodable by sqlmap
2012-07-31 11:32:53 +02:00
Miroslav Stampar
142fc887f1
Fix for an Issue #129
2012-07-31 11:03:44 +02:00
Miroslav Stampar
b3552494c4
Minor preparation for an Issue #48
2012-07-26 12:26:57 +02:00
Miroslav Stampar
30f8d09651
Implementation for an Issue #70
2012-07-26 12:06:02 +02:00
Miroslav Stampar
2b60e61d54
Minor update for #119
2012-07-25 10:57:19 +02:00
Miroslav Stampar
922ea9d1f4
Update for Issue #118
2012-07-24 15:43:29 +02:00
Miroslav Stampar
3279ce53a8
Minor style update
2012-07-23 13:57:38 +02:00
Bernardo Damele
318a01b867
minor typo fixes
2012-07-17 00:25:02 +01:00
Miroslav Stampar
87ecf205cb
More work for Issue #66
2012-07-14 17:01:04 +02:00
Miroslav Stampar
805120ac52
Minor refactoring
2012-07-14 11:01:30 +02:00
Bernardo Damele
162da75a04
modified homepage address
2012-07-12 18:38:03 +01:00
Bernardo Damele
53c0336b48
added --hostname switch to retrieve DBMS server hostname - closes issue #69
2012-07-12 00:01:57 +01:00
Bernardo Damele
c4af7b9aa0
initial work for issue #33
2012-07-10 00:27:08 +01:00
Miroslav Stampar
e948e4d45b
Some more refactoring
2012-07-06 17:18:22 +02:00
Miroslav Stampar
7ad6697446
Fix for Issue #57
2012-07-04 20:21:44 +02:00
jekil
c39e5a85ba
Removed $id$ tags
2012-06-27 20:56:43 +02:00
Miroslav Stampar
302d782a0f
minor style update
2012-06-19 08:33:51 +00:00
Miroslav Stampar
3da8f86e97
minor fix
2012-06-15 21:01:27 +00:00
Miroslav Stampar
76584ff0fa
unhidding --test-filter
2012-06-14 14:36:53 +00:00
Miroslav Stampar
d2bbfa4aad
minor style update
2012-05-28 14:04:17 +00:00
Miroslav Stampar
dc20bff1d0
minor update
2012-05-25 08:30:24 +00:00
Miroslav Stampar
7657bbeaf9
minor update
2012-05-24 22:32:06 +00:00
Miroslav Stampar
86fdad2bfa
minor update
2012-05-24 22:07:50 +00:00
Miroslav Stampar
1e18168cc8
fix for one silent bug and small language update
2012-05-23 16:35:40 +00:00
Miroslav Stampar
2538e2d5b4
fixing an issue with --file-read and ROW() MySQL payload (it's internal caching mechanism prevents error message if FROM part is not unique enough dumping only partial file content); minor refactoring
2012-05-22 09:33:22 +00:00
Miroslav Stampar
7fb1f3fc70
minor renaming
2012-05-09 18:26:02 +00:00
Miroslav Stampar
11d9859199
making nice code
2012-05-09 18:25:04 +00:00
Miroslav Stampar
b0a8238774
minor fixes
2012-05-09 14:58:16 +00:00
Miroslav Stampar
6177317a17
minor update
2012-05-09 10:06:23 +00:00
Miroslav Stampar
deec97dfe3
adding Frontbase to error message regexes
2012-05-08 17:02:58 +00:00
Miroslav Stampar
80ee687b41
minor beauty patch
2012-05-07 13:51:31 +00:00
Miroslav Stampar
6f67dc85ee
adding --invalid-bignum (Havij like bignum style for invalidating/negating values); renaming --logical-negate to --invalid-logical
2012-04-25 20:29:07 +00:00
Miroslav Stampar
3532d23933
automatically extending ranges for UNION tests in case where at least one other injection technique is usable (boundaries has been established)
2012-04-23 13:41:36 +00:00
Miroslav Stampar
6ebb621228
adding support for (custom) POST injection (marking injection point with '*' in conf.data)
2012-04-17 14:23:00 +00:00
Miroslav Stampar
54576ab3a6
making a random choice from candidates
2012-04-13 10:54:30 +00:00
Miroslav Stampar
bbbcc95fe5
use it only if page is stable
2012-04-13 10:19:26 +00:00
Miroslav Stampar
052d9455fe
warning user in cases of "User xyz already has more than 'max_user_connections' active connections"
2012-04-12 09:44:54 +00:00
Miroslav Stampar
b45ae10da4
minor fixes
2012-04-11 21:36:37 +00:00
Miroslav Stampar
e33ea7c33a
minor fix
2012-04-10 22:29:39 +00:00
Miroslav Stampar
a82206cec4
minor cosmetics
2012-04-10 21:57:00 +00:00
Miroslav Stampar
119eec3598
improving "boolean detection" by automatic recognition of convenient --string candidate
2012-04-10 21:48:34 +00:00
Miroslav Stampar
56638f9e95
making --no-cast unhidden and renaming --negative-logic to --logical-negate to prevent confusion with stuff used in OR boolean based injection
2012-03-30 10:50:01 +00:00
Miroslav Stampar
637a8d8273
improvement toward proper implementation of OR-based injection by usage of "negative logic" mechanism
2012-03-29 14:33:27 +00:00
Miroslav Stampar
ce4c697bbd
disabling "negative logic" as it's not half done (it was "luckily" working for --string/--regex/--code but it was a sheer luck); removing "dirty fix" from checks.py; proof that this was not ready for the release is that there was not check for negative logic anywhere for anything more then --string/--regex/--code
2012-03-29 13:39:12 +00:00
Miroslav Stampar
c9cac957bb
adding one more case for false positive check (Generic tests without any DBMS knowledge)
2012-03-29 09:56:09 +00:00
Miroslav Stampar
3abcd6910a
strange combination of "Set-Cookie" and interleaved pattern of True/False like responses can result in bypassing of the ABAB test
2012-03-22 00:06:50 +00:00
Miroslav Stampar
0fc4288a7c
modifying redirection code for only two choices
2012-03-18 17:27:08 +00:00
Miroslav Stampar
577caac4de
putting kb.negativeLogic setting to the safe place
2012-03-16 09:17:11 +00:00
Miroslav Stampar
7d313ac911
few more fixes for proper redirecting mechanism
2012-03-15 19:47:59 +00:00
Bernardo Damele
4520744b4d
second step toward negative logic support (ported to detection phase too) - works well with --string, --regexp and --code now
2012-03-15 16:25:26 +00:00
Miroslav Stampar
a7fbc55748
grammar fix
2012-03-13 22:03:23 +00:00
Miroslav Stampar
c878dd3e5a
doing a dummy test for --os-shell in case of xp_cmdshell
2012-03-09 14:21:41 +00:00
Miroslav Stampar
a0b46963cb
minor fix for some special "unusable" cases (seen on Access/ODBC/Linux setup)
2012-03-09 10:28:19 +00:00
Miroslav Stampar
0ead1fd87e
minor update
2012-03-05 09:42:52 +00:00
Miroslav Stampar
1ec56f93ec
minor update
2012-03-01 10:10:19 +00:00
Miroslav Stampar
f142c0f782
minor update
2012-02-28 14:04:13 +00:00
Miroslav Stampar
22b3fa0749
minor update
2012-02-27 15:28:36 +00:00
Miroslav Stampar
a9bf0297f6
moving injection data to HashDB
2012-02-27 13:44:07 +00:00
Miroslav Stampar
f94b91ad87
added helper function for HashDB data storing/retrieval
2012-02-24 13:07:20 +00:00
Miroslav Stampar
6e54cb171f
minor code restyling
2012-02-22 15:53:36 +00:00
Miroslav Stampar
b3bd4144f5
removing of unused imports together with some general code refactoring
2012-02-22 10:40:11 +00:00
Miroslav Stampar
386e98a0e3
using UNION SELECT for where=..NEGATIVE
2012-02-22 09:41:58 +00:00
Miroslav Stampar
844fc8addb
minor cleanup
2012-02-16 10:19:36 +00:00
Miroslav Stampar
23cc8b6974
minor fix for special cases when parameter value contains html encoded characters
2012-02-14 14:08:10 +00:00
Miroslav Stampar
2604e73d88
minor change in workflow
2012-02-13 11:18:47 +00:00
Miroslav Stampar
96f589fc89
minor fix
2012-02-12 19:22:33 +00:00
Miroslav Stampar
249cb48b0b
minor fix
2012-02-10 15:59:11 +00:00
Miroslav Stampar
6be95194a7
matter of concision
2012-02-10 15:37:43 +00:00
Miroslav Stampar
eab7a54e03
cosmetics
2012-02-10 15:34:04 +00:00
Miroslav Stampar
92590d0d59
minor fix
2012-02-10 15:26:55 +00:00
Miroslav Stampar
e36e9de57e
minor update by request
2012-02-10 15:12:23 +00:00
Miroslav Stampar
11af0b1bbc
minor fix
2012-02-07 11:16:03 +00:00
Miroslav Stampar
8405ef59ac
some estetic updates
2012-02-01 14:49:42 +00:00
Miroslav Stampar
23117e72ca
minor improvement
2012-01-13 20:56:06 +00:00
Miroslav Stampar
95f89ab63a
updating copyright date
2012-01-11 14:59:46 +00:00
Miroslav Stampar
1d0b43b1a2
implemented mechanism for merging cookies by request
2012-01-11 14:28:08 +00:00
Miroslav Stampar
1f085a0241
now [SLEEPTIME] is changeable properly in vivo
2012-01-05 14:45:05 +00:00
Miroslav Stampar
94d43a4135
minor bug fix
2011-12-30 14:20:06 +00:00
Miroslav Stampar
22c3fe49bb
some refactoring
2011-12-28 13:50:03 +00:00
Miroslav Stampar
f622995a29
compatibility with partial union and error technique resumed data
2011-12-22 12:20:21 +00:00
Miroslav Stampar
6f8d8a15aa
minor update
2011-12-22 11:55:02 +00:00
Miroslav Stampar
95cd9e2af3
adding support for scanning Host header values (-p host)
2011-12-20 12:52:41 +00:00
Miroslav Stampar
c57941c102
minor beautification
2011-12-15 23:33:44 +00:00
Miroslav Stampar
27d244b326
minor update
2011-12-15 23:29:11 +00:00
Miroslav Stampar
563c0c1066
adding switch --tor-type
2011-12-15 23:19:55 +00:00
Miroslav Stampar
0f5d48ff20
minor update
2011-12-05 09:25:56 +00:00
Miroslav Stampar
872a73f631
minor refactoring
2011-11-29 19:17:07 +00:00
Miroslav Stampar
2842c13d75
minor update
2011-11-29 16:59:06 +00:00
Miroslav Stampar
2ed3efba12
speed optimization and bug fix (kb.absFilePaths were not stored previously; also, they are now extracted only in heuristic phase)
2011-11-22 08:39:13 +00:00
Miroslav Stampar
eee03871d7
minor refactoring
2011-11-21 21:31:08 +00:00
Miroslav Stampar
49fddaf668
minor update (for cases with 404 original page - e.g. time based injections in some cases)
2011-11-20 23:11:18 +00:00
Miroslav Stampar
8c32b3653b
minor update of false positive check (in considerable amount of cases minus char is filtered/used for other means)
2011-11-20 20:27:30 +00:00
Miroslav Stampar
7314de3490
language update
2011-11-15 11:17:39 +00:00
Miroslav Stampar
20ae1c2187
added switch --logic-negative
2011-10-24 00:40:06 +00:00
Miroslav Stampar
eb240243ea
minor update
2011-10-21 22:21:41 +00:00
Miroslav Stampar
05b9951a8b
minor beautification
2011-10-21 09:19:31 +00:00
Miroslav Stampar
4989e8e6d3
minor update
2011-10-10 17:29:54 +00:00
Miroslav Stampar
a31a0aa8d4
minor update
2011-10-06 22:29:49 +00:00
Miroslav Stampar
b888a84764
minor update
2011-09-27 14:31:58 +00:00
Miroslav Stampar
88f1110c44
adding a new (for now) hidden switch --test-filter for filtering tests by their name
2011-09-27 14:09:25 +00:00
Miroslav Stampar
7e80274fac
refactoring
2011-09-25 21:10:45 +00:00
Miroslav Stampar
d95ff4350d
bug fix
2011-09-20 13:08:35 +00:00
Miroslav Stampar
08e0eb9b61
minor lower/upper case fix
2011-08-29 13:47:32 +00:00
Miroslav Stampar
9be89422da
implemented parameter --skip
2011-08-29 13:29:42 +00:00
Miroslav Stampar
ac00014c4a
implemented --randomize switch by request
2011-08-29 12:50:52 +00:00
Miroslav Stampar
f46baac70b
bug fix (when comment is None this was errornous)
2011-08-17 10:58:29 +00:00
Bernardo Damele
702ed73a65
Added --code switch to match in boolean-based tests against the HTTP response code
2011-08-12 16:48:11 +00:00
Bernardo Damele
fff4c34e33
Search for --string and --regexp matches also in HTTP response headers
2011-08-12 15:33:37 +00:00
Miroslav Stampar
2ad267132a
minor update for empty normal responses (like AJAX requests)
2011-08-05 10:55:21 +00:00
Miroslav Stampar
f7562da754
from now on proper union column count should be displayed in injection info output
2011-08-03 10:34:50 +00:00
Miroslav Stampar
07afcd5440
fix for a bug reported by Ahmed Shawky (when user uses --suffix intermixing test default comments with the provided suffix is a big no no)
2011-08-02 18:20:21 +00:00
Miroslav Stampar
07c3d4fb18
minor adjustment
2011-08-02 17:35:43 +00:00
Bernardo Damele
6cbb927012
Partial fix for -o not resumed at following runs if missing from command line
2011-07-25 11:05:49 +00:00
Miroslav Stampar
0d6afca7db
adding new switch '--smart' by request
2011-07-10 15:16:58 +00:00
Miroslav Stampar
c517e97a44
few fixes and minor cosmetics
2011-07-08 06:02:31 +00:00
Bernardo Damele
aedcf8c8d7
Changed homepage address
2011-07-07 20:10:03 +00:00
Bernardo Damele
0d28c1e9e7
cosmetics
2011-07-06 20:41:13 +00:00
Miroslav Stampar
93b296e02c
few bug fixes (NTLM credential parsing was wrong), some switch reordering (few Misc to General), implemented --check-waf switch (irony is that this will also be called highly experimental/unstable while other things will be called "major/turbo/super bug fix/implementation")
2011-07-06 05:44:47 +00:00
Miroslav Stampar
b8ffcf9495
few fixes here and there and multi-core processing for dictionary based hash attack
2011-07-04 19:58:41 +00:00
Miroslav Stampar
8a8b94883b
minor update (that default quit in --batch was bothering me - my original idea and it was bad :)
2011-06-27 14:14:49 +00:00
Bernardo Damele
36c96ef796
Added DB2 support - patch provided by Sebastian Bittig
2011-06-25 09:44:24 +00:00
Miroslav Stampar
c4cb367e65
looks nicer (though --tor is implicitly converted into --proxy)
2011-06-24 19:00:53 +00:00
Miroslav Stampar
2de88bd90b
minor update
2011-06-24 17:19:24 +00:00
Miroslav Stampar
eaa2a4202f
changing to: --crawl=CRAWLDEPTH
2011-06-24 05:40:03 +00:00
Miroslav Stampar
29314f425e
minor fix
2011-06-20 13:42:31 +00:00
Miroslav Stampar
07e2c72943
adding Beautifulsoup (BSD) into extras; adding --crawl to options
2011-06-20 11:32:30 +00:00
Bernardo Damele
f8c32cf6b9
Moved folder
2011-06-18 12:34:41 +00:00
Miroslav Stampar
a0129dcbcb
this is confusing for normal users (i've just get a mail where dude thinks that he needs to use tamper script because of this :)
2011-06-17 16:52:39 +00:00
Miroslav Stampar
6b1d5a0ab8
minor fix
2011-06-16 14:11:30 +00:00
Miroslav Stampar
25b923bbc3
minor fixes and minor updates
2011-06-16 12:12:30 +00:00
Miroslav Stampar
4d51fa8155
minor update planned for a long time (in case of heuristic test was positive warn the user properly at the end if program fails)
2011-06-15 17:37:28 +00:00
Miroslav Stampar
9331abb96f
minor update
2011-06-11 08:33:36 +00:00
Miroslav Stampar
71093b1cad
adding one more user friendly message
2011-06-09 09:58:42 +00:00
Bernardo Damele
d217cf71b2
Minor bug fix
2011-06-08 23:32:44 +00:00
Bernardo Damele
70cac24909
Cosmetics
2011-06-08 15:31:27 +00:00
Miroslav Stampar
d8155dfae9
change by request
2011-06-08 14:44:11 +00:00
Bernardo Damele
0d3e8a76d8
Cosmetics and a missing param
2011-06-08 14:40:42 +00:00
Miroslav Stampar
4a9640160e
more concise
2011-06-08 14:35:23 +00:00
Bernardo Damele
cce3208b35
Cleanup
2011-06-08 14:15:34 +00:00
Miroslav Stampar
1c633b7351
i am tired of pressing hundred times Ctrl+C in testing phase if --batch is specified
2011-06-07 22:14:18 +00:00
Miroslav Stampar
97d8c60c3f
better language
2011-06-03 15:58:19 +00:00
Miroslav Stampar
0a620bf322
more info to the user
2011-06-03 15:43:50 +00:00
Miroslav Stampar
8aa5625cd0
proper fix related to the last commit
2011-06-01 23:00:18 +00:00
Miroslav Stampar
fd57aae779
bug fix (until this moment we had UNION unfunctional for MSSQL)
2011-06-01 22:47:54 +00:00
Miroslav Stampar
b7088440c2
better sentence
2011-05-30 22:47:17 +00:00
Miroslav Stampar
a8b58afdb2
minor update
2011-05-27 08:21:02 +00:00
Miroslav Stampar
48f52d7697
minor beautification
2011-05-27 08:16:14 +00:00
Miroslav Stampar
45caadbd4a
important update - finally found what was causing headache for UNION payloads in noticeable number of cases
2011-05-26 21:54:19 +00:00
Miroslav Stampar
97bd5355dd
minor update
2011-05-26 21:18:55 +00:00
Miroslav Stampar
5d56e89cf5
minor update
2011-05-26 21:08:46 +00:00
Miroslav Stampar
06108b6da6
minor update related to the last commit
2011-05-26 20:58:24 +00:00
Miroslav Stampar
4f46a5ab63
minor usability enhancement regarding warning for --text-only switch
2011-05-26 20:48:18 +00:00
Miroslav Stampar
a1fd2898a0
added friendly tip message for url encoding GET and POST payloads
2011-05-25 11:10:52 +00:00
Miroslav Stampar
bec2c04671
helping dummy users
2011-05-24 17:15:25 +00:00
Miroslav Stampar
faa74cd2bc
introducing results file for multiple target mode
2011-05-15 22:21:38 +00:00
Miroslav Stampar
f11d5c91e3
minor update so that only one DNS request per scan is being done (before this commit there were two)
2011-05-12 14:32:39 +00:00
Miroslav Stampar
120b0d756e
unfix
2011-05-10 21:33:06 +00:00
Miroslav Stampar
deae534ee7
minor refactoring
2011-05-10 20:44:36 +00:00
Bernardo Damele
3a8309c4b0
Major bug fix to detect UNION query technique and various improvements to parsing and using of --union-char and --union-cols switches
2011-05-10 15:34:54 +00:00
Bernardo Damele
9955483052
Major improvement for --dump.
...
Minor improvement for --dump-all.
Minor bug fix for infinite loop
2011-05-08 02:08:18 +00:00
Bernardo Damele
8179fd63c0
Minor fix
2011-05-07 23:48:03 +00:00
Bernardo Damele
1151af52bb
More fix for save/resume of --technique
2011-05-07 21:08:14 +00:00
Bernardo Damele
aae140080e
SVN roll back, DB2 patch will be recommitted after testing:
...
$ svn merge https://svn.sqlmap.org/sqlmap/trunk/sqlmap@HEAD https://svn.sqlmap.org/sqlmap/trunk/sqlmap@3847 .
2011-05-06 10:27:43 +00:00
Miroslav Stampar
6e392b6054
applying contributed patch for DB2
2011-05-06 09:30:39 +00:00
Bernardo Damele
2d8408c885
More fix for --technique resume
2011-05-05 16:38:46 +00:00
Bernardo Damele
6cff3e97f4
cosmetics
2011-05-02 21:48:08 +00:00
Miroslav Stampar
06498796b9
minor cosmetics
2011-05-02 20:51:53 +00:00
Bernardo Damele
955dbc85e7
Minor variable rename
2011-04-30 15:29:59 +00:00
Bernardo Damele
f56d135438
Minor code restyling
2011-04-30 13:20:05 +00:00
Bernardo Damele
a5968fff3e
Added --count switch to count the number of entries for a specific table (when -T is provided), all database's tables (when only -D is provided) or all databases' tables when neither -D nor -T are provided
2011-04-30 00:22:22 +00:00
Bernardo Damele
a23ca952e4
Actually brute-force switches make more sense just after their "normal" version. Also, getSchema() method is preferably to be called before getColumns(), see next commit for reason
2011-04-29 21:09:07 +00:00
Bernardo Damele
edac0b2558
Added switch --schema to enumerate DBMS schema and now --columns does not require a mandatory table (-T) anymore, instead it will act as an alias for --schema
2011-04-28 23:59:00 +00:00
Bernardo Damele
441c288dd9
cosmeticados
2011-04-25 00:36:09 +00:00
Miroslav Stampar
7b3b9e6a87
it seems that this was indeed not meant to be here
2011-04-22 15:07:09 +00:00
Miroslav Stampar
304500a2e8
implemented checkFalsePositives method (simple Turing like tests)
2011-04-22 12:24:16 +00:00
Bernardo Damele
eabb5a2ba7
More adjustments to the error message when no sql injections are detected
2011-04-21 22:04:20 +00:00
Bernardo Damele
6d07dddf60
updated doc and minor layout adjustments
2011-04-21 21:53:35 +00:00
Bernardo Damele
770b1523ff
More verbose output when no SQL injections are detected
2011-04-21 21:31:16 +00:00
Bernardo Damele
edc2d75702
Cosmetics and major bug fix
2011-04-21 21:15:23 +00:00
Miroslav Stampar
df0331fe9b
some more refactoring
2011-04-19 23:04:10 +00:00
Miroslav Stampar
9b0db33cc5
initial page request can result in unwanted lag (e.g. slow DNS response,...), hence it's response time shouldn't be a part of response time statistical model
2011-04-19 08:55:38 +00:00
Miroslav Stampar
0387654166
update of copyright string (until year)
2011-04-15 12:33:18 +00:00
Miroslav Stampar
21114d1748
added IGNORE_PARAMETERS to skip testing of state/session web server parameters
2011-04-13 19:01:02 +00:00
Miroslav Stampar
2db2e9b6a2
now GET forms are also prone to "do you want to fill with random values"
2011-04-11 11:38:41 +00:00
Bernardo Damele
5b21352656
cosmeticados ;)
2011-04-08 10:39:07 +00:00
Bernardo Damele
c6b9d89d31
Accept [RANDNUM] as <char> in payloads.xml and handle it accordingly
2011-04-07 11:10:35 +00:00
Bernardo Damele
05d12790f1
closes #219 - unhidden switch --technique and adapted code accordingly (renamed conf.technique to conf.tech to fit properly in the -h help message)
2011-04-06 14:41:44 +00:00
Miroslav Stampar
bbd4c128b0
minor update related to the last commit
2011-04-01 22:19:42 +00:00
Miroslav Stampar
0916117447
improvement of error-based testing (no more sqlmap aborting on error-based payloads which happens very often on MySQL servers); also, minor improvement on brute forcing of column names
2011-03-30 18:32:10 +00:00
Miroslav Stampar
dd01d66f13
proper update regarding last commit
2011-03-29 22:10:08 +00:00
Miroslav Stampar
4d78eac938
revert of that thingy as requested by Bernardo
2011-03-29 10:06:35 +00:00
Miroslav Stampar
e8debbe724
minor cosmetics and one minor fix (|= is a nono with None)
2011-03-29 06:38:19 +00:00
Miroslav Stampar
86f93713d3
fix for a bug reported by m4l1c3 (object of type 'NoneType' has no len()) and minor update
2011-03-29 06:25:17 +00:00
Miroslav Stampar
bf0e3c4662
improvement for --forms with empty fields
2011-03-28 22:48:00 +00:00
Miroslav Stampar
1e22ff45de
minor update regarding testing of GET parameters if --data and/or --forms is used
2011-03-28 16:14:08 +00:00
Miroslav Stampar
bd75fd26e9
implementing a --page-rank switch as requested by l0rda@l0rda.biz
2011-03-23 11:57:57 +00:00
Miroslav Stampar
b5c9ccb755
Oracle XML based error payload has problems with char $ as with space
2011-03-21 13:13:12 +00:00
Miroslav Stampar
970cde5a8a
minor update regarding last commit
2011-03-17 09:23:46 +00:00
Miroslav Stampar
e64f225e65
minor refactoring
2011-03-11 20:16:34 +00:00
Miroslav Stampar
8edc3b3302
further update regarding last commit
2011-03-03 10:39:04 +00:00
Miroslav Stampar
90582ed7dc
minor change
2011-02-21 11:35:21 +00:00
Miroslav Stampar
6cdf08b81c
minor fix
2011-02-17 21:51:40 +00:00
Miroslav Stampar
22cd49a217
--technique can now be something like 123 which includes both techniques 1, 2 and 3
2011-02-17 21:39:16 +00:00
Miroslav Stampar
7ebc1ab90a
minor cosmetics
2011-02-17 08:59:14 +00:00
Miroslav Stampar
50d25c3b4d
update regarding explicit testing of ua and referer when using -p
2011-02-13 21:58:48 +00:00
Miroslav Stampar
5fb11fd173
update regarding multiple DBMS payloads
2011-02-13 21:20:21 +00:00
Bernardo Damele
45a005737d
Minor adjustment so that User-Agent and Referer headers are tests only when --level >= 3 and Cookie is tested only when --level >= 2
2011-02-13 21:08:42 +00:00
Miroslav Stampar
521635c84d
quick fix for UA and Referer
2011-02-11 23:36:23 +00:00
Miroslav Stampar
535eb9f3eb
implementation of referer feature
2011-02-11 23:07:03 +00:00
Miroslav Stampar
a6ab24e0b5
just a minor fix to stop nagging with "Do you want to skip test payloads specific for other DBMSes?" if n is pressed
2011-02-10 22:47:43 +00:00
Bernardo Damele
0a81415f2f
Minor code cleanup
2011-02-08 00:02:54 +00:00
Miroslav Stampar
2c4f6d2e99
fix (lol. we were using same comparison payload through the all test. it's a nono :) p.s. this way we are dealing with "reflective" problem too
2011-02-07 21:53:05 +00:00
Miroslav Stampar
a577d0e9a5
restraining "using unescaped version of the test because of zero knowledge of the back-end DBMS" once per test (before was once per boundary)
2011-02-07 21:18:01 +00:00
Bernardo Damele
061f56daf9
More adjustments related to unescape() and cleanupPayload().
...
Minor code cleanup related to error-based payload.
2011-02-06 23:27:56 +00:00
Bernardo Damele
0800d9e49b
Major bug fix for semi-centralize unescape() and cleanupPayload() into prefixQuery() and suffixQuery()
2011-02-06 22:58:12 +00:00
Miroslav Stampar
078a2207cc
few reverts
2011-02-06 22:10:28 +00:00
Miroslav Stampar
b9b2fe0e7c
little cleanup
2011-02-06 21:52:39 +00:00
Miroslav Stampar
d2b96a66a2
one more update regarding last few "unescape" related commits
2011-02-06 20:23:23 +00:00
Bernardo Damele
c44978862e
Minor reordering of what gets saved into the injection object
2011-02-06 15:20:44 +00:00
Miroslav Stampar
b56a77e573
removing obsolete switches (--threshold, --excl-reg, --excl-str)
2011-02-03 15:55:19 +00:00
Miroslav Stampar
8134c2154a
adding WHERE enum for payloads
2011-02-02 13:34:09 +00:00
Bernardo Damele
d875d848ce
Better sort
2011-02-01 22:04:48 +00:00
Bernardo Damele
6761933f75
Just.. cosmetics ;)
2011-01-31 22:51:14 +00:00
Miroslav Stampar
fa58a9c86b
update (now URIs like www.site.com/id82 are automatically treated as possible URI injectable)
2011-01-31 20:36:01 +00:00
Miroslav Stampar
8ef47307db
added checking of header values for GREP (error); still UNION to do
2011-01-31 12:21:17 +00:00
Bernardo Damele
8278d821ac
Another layout adjustment
2011-01-30 16:23:19 +00:00
Miroslav Stampar
367d0639f0
refactoring (class names should always be Capital cased)
2011-01-28 16:36:09 +00:00
Miroslav Stampar
8e74c571bc
centralization of urlencoding should be (only) in connect.py and we are from now on handling non-urlencoded data at other levels
2011-01-27 19:44:24 +00:00
Miroslav Stampar
10b723f196
minor fix for a bug reported by yonnym@googlemail.com
2011-01-25 22:26:28 +00:00
Bernardo Damele
e1db2700f0
Minor bug fix to properly deal --prefix and --suffix and parameter replace payloads
2011-01-24 12:25:45 +00:00
Miroslav Stampar
7c4c79477d
world premiere of "forced-error blind stacked" payloads (spent 3 hours on pgsql)
2011-01-21 18:32:10 +00:00
Bernardo Damele
9770db597e
Centralization of unescape()
2011-01-20 21:55:13 +00:00
Miroslav Stampar
496a84c356
minor update
2011-01-20 18:32:04 +00:00
Bernardo Damele
bade0e3124
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-19 23:06:15 +00:00
Bernardo Damele
eda0b41859
Added a precaution when, in some rare circumstances, fingerprinted DBMS differ during detection phase.
...
Adapted UNION tests' titles when --union-char is provided.
Lots of comment adjustments.
Code cleanup
2011-01-18 23:03:50 +00:00
Bernardo Damele
c2a358561f
Proper support for --union-cols
2011-01-17 22:57:33 +00:00
Bernardo Damele
47565f9459
Minor code refactoring
2011-01-17 21:13:59 +00:00
Miroslav Stampar
f5e36876e7
removing --text-only from that "dynamicity" warning selection (other two are more preferable) and minor cosmetics/consistency
2011-01-16 19:29:06 +00:00
Miroslav Stampar
718eef8753
minor fix
2011-01-16 18:11:35 +00:00
Miroslav Stampar
ec1ab3cd2a
removing timeSec from injection configuration attributes as it highly depends on current connection "variables"
2011-01-16 12:12:01 +00:00
Miroslav Stampar
71391874eb
slightly faster and thread safer inference
2011-01-16 10:52:42 +00:00
Bernardo Damele
0fc4ebdc1b
Major bug fix.
...
Minor code refactoring.
2011-01-16 01:17:09 +00:00
Bernardo Damele
c0d5daee99
More refactoring and cleanup
2011-01-16 00:15:30 +00:00
Bernardo Damele
d3a28124b1
More code cleanup
2011-01-15 23:11:36 +00:00
Bernardo Damele
4a35f598b8
Minor refactoring
2011-01-15 22:09:53 +00:00
Miroslav Stampar
0f565c941e
bug fix and proper warning message
2011-01-15 16:59:53 +00:00
Miroslav Stampar
5bdb50c224
code review part 3
2011-01-15 13:15:10 +00:00
Miroslav Stampar
6a0e0cde3c
code review of modules in lib/core directory
2011-01-15 12:13:45 +00:00
Miroslav Stampar
05b2a338fe
cosmetics
2011-01-14 16:12:44 +00:00
Miroslav Stampar
bff989d348
minor update
2011-01-14 15:43:53 +00:00
Miroslav Stampar
daf5662eab
update
2011-01-14 15:33:49 +00:00
Miroslav Stampar
08f7e20c51
minor code refactoring
2011-01-14 14:55:59 +00:00
Miroslav Stampar
fb9d7cdfaa
refactoring, code clearing and removal of obsolete switch --longest-common
2011-01-14 14:37:03 +00:00
Bernardo Damele
e4e9b11b79
Minor code refactoring and adjustments - kb.dbms is needed in fingerprint.py, not getIdentifiedDBMS because when checkDbms() method is called, it's within the fingerprint phase and at that stage, getIdentifiedDBMS() would always return kb.misc.fpDbms.
2011-01-14 12:47:07 +00:00
Bernardo Damele
3c95d71ea5
Minor bug fix - restored of so called kb.misc.testedDbms (now kb.misc.fpDbms) to force the DBMS (only) during the fingerprint phase
2011-01-14 11:55:20 +00:00
Miroslav Stampar
676b95b30a
minor code refactoring
2011-01-14 09:44:56 +00:00
Bernardo Damele
f8c04ce020
Minor bug fix
2011-01-13 20:59:13 +00:00
Bernardo Damele
2ac8debea0
Major code refactoring - moved to one location only (getIdentifiedDBMS() in common.py) the retrieval of identified/fingerprinted DBMS.
...
Minor bug fixes thanks to previous refactoring too.
2011-01-13 17:36:54 +00:00
Miroslav Stampar
ece2eb31ca
minor update
2011-01-13 11:08:29 +00:00
Bernardo Damele
be6e2d6a31
Important bug fix.
...
Minor code restyling.
2011-01-13 09:41:55 +00:00
Bernardo Damele
af9725214a
Properly deal with partial (single entry) UNION injections.
...
Got rid of kb.union*, now it's all stored/used from kb.injection.
Minor bug fix with where=2 detection phase.
2011-01-12 12:01:32 +00:00
Bernardo Damele
8bdb7ec58c
Ahead with UNION exploitation after UNION test moved to detection phase - a lot to do yet.
2011-01-12 00:47:39 +00:00
Bernardo Damele
5c7c3c76c3
Fixed previous bug in getErrorParsedDBMSes() call in detection phase.
...
Added minor support to escape quotes in UNION payloads during detection phase.
2011-01-11 23:47:32 +00:00
Bernardo Damele
2f5995a7eb
Added generic and mysql UNION tests from 1 to 25 columns.
...
Adapted config file and command line removing now outdated --union-test switch.
Minor bug fix.
Minor code refactoring.
Got rid of some debug messages, standardized logging of UNION tests.
2011-01-11 22:56:21 +00:00
Bernardo Damele
300128042c
First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though.
...
Major refactoring to Agent.payload() method.
Minor bug fixes, some code refactoring and a lot of core adjustments here and there.
Added more checks for injection in GROUP BY and ORDER BY.
2011-01-11 22:18:47 +00:00
Bernardo Damele
1c86ec374e
Code refactoring and cosmetics
2011-01-07 15:41:09 +00:00
Miroslav Stampar
cc9ca802bf
minor update
2011-01-06 08:54:50 +00:00
Miroslav Stampar
572f403069
update of one thing that was missing
2011-01-03 21:28:22 +00:00
Miroslav Stampar
6aa616bd0d
minor minor fix
2011-01-03 14:28:20 +00:00
Miroslav Stampar
92e4cdb241
raising critical when google detects strange traffic and also removing obsolete sqlmapSiteTooDynamic
2011-01-03 14:21:41 +00:00
Miroslav Stampar
3629c2737b
automatically turn on --text-only in case of heavily-dynamicity instead of critical exit
2011-01-03 11:06:49 +00:00
Miroslav Stampar
adc41181e6
some DBMSes (MS Access for example) don't play well with a simple query suffix OR 1>2 which should represent NOP one
2011-01-03 10:37:20 +00:00
Miroslav Stampar
5860b8942f
minor update
2011-01-03 09:16:42 +00:00
Miroslav Stampar
d19a8d53e4
minor update
2011-01-03 08:46:20 +00:00
Miroslav Stampar
8625494ff2
added one new quick check for multiple target(s) mode
2011-01-03 08:32:06 +00:00
Miroslav Stampar
5f9b6b2254
code refactoring
2011-01-02 16:51:21 +00:00
Miroslav Stampar
5c6c870db4
removed some problematic user agents (google won't work with them) and added page rank next to tested item in multi target mode
2011-01-02 08:43:38 +00:00
Miroslav Stampar
da138c46c1
added support for displaying HTTP error codes (particularly interesting ones are 403 and 406 which screw up data retrieval and DBMS fingerprinting badly)
2011-01-02 07:37:47 +00:00
Miroslav Stampar
ec4440108b
minor cosmetics
2011-01-02 07:09:04 +00:00
Miroslav Stampar
428e817a32
some refactoring
2011-01-01 23:57:27 +00:00
Miroslav Stampar
212035e64d
user can now choose if he wants to skip non-heuristic based DBMS tests
2011-01-01 23:38:11 +00:00
Miroslav Stampar
8a93cfd975
minor update
2011-01-01 22:43:15 +00:00
Miroslav Stampar
52e44df86c
minor update
2011-01-01 21:11:29 +00:00
Miroslav Stampar
942cbafba6
minor update
2011-01-01 20:19:55 +00:00
Miroslav Stampar
e4fd8b3f0c
(e) finally works as it should
2011-01-01 19:22:44 +00:00
Miroslav Stampar
15e6911fd8
fix for a bug reported by ragos@joker.ms (AttributeError: 'NoneType' object has no attribute 'write')
2011-01-01 12:23:02 +00:00
Miroslav Stampar
91f665aaaa
bug fix for Ctrl+C
2010-12-31 15:00:19 +00:00
Miroslav Stampar
5db8ebbfa9
update of mysql comment versions
2010-12-31 12:42:12 +00:00
Miroslav Stampar
613242e298
bug fix (dynamic markings were not restored in program rerun which potentially led to no data retrieved)
2010-12-29 19:48:19 +00:00
Miroslav Stampar
8f32c740ff
code refactoring
2010-12-29 19:39:32 +00:00
Miroslav Stampar
6700cabc36
minor optimization
2010-12-29 19:01:29 +00:00
Miroslav Stampar
569e060aab
important improvement
2010-12-26 13:20:52 +00:00
Miroslav Stampar
2d115e0350
one more fix
2010-12-24 18:44:13 +00:00
Miroslav Stampar
edcf1a0872
few bug fixes
2010-12-24 18:40:48 +00:00
Miroslav Stampar
96a06351a1
minor fix (in testing phase raise404 should be set to False)
2010-12-24 12:36:00 +00:00
Miroslav Stampar
2c23a59ba5
fix for one of those more complex bugs (comparison was returning None while original page and/or page template were already had already DBMS error inside)
2010-12-24 12:13:48 +00:00
Miroslav Stampar
aab14fa2d3
minor refactoring/cosmetics
2010-12-24 11:06:57 +00:00
Miroslav Stampar
23dc408901
prioritization of tests based on DBMS error messages and some comments in common.py
2010-12-24 10:55:41 +00:00
Miroslav Stampar
017ea9e686
update
2010-12-23 14:06:22 +00:00
Miroslav Stampar
73f33c1999
bug fix of re-introduced bug (in multiple target mode sites with similar URI weren't skipped)
2010-12-23 11:28:13 +00:00
Miroslav Stampar
8fc60215ed
lol. this was a pesky bug. heuristic wasn't working on one mssql test site and i couldn't find why. at end the problem was that when the HTTP code was raised (like 500) no parseResponse was called.
2010-12-22 19:12:46 +00:00
Bernardo Damele
5228f336da
Minor fix for ctrl+c during detection phase
2010-12-22 13:15:44 +00:00
Miroslav Stampar
08c88495d0
removed that ugly hack
2010-12-22 13:09:04 +00:00
Miroslav Stampar
d974a966b8
minor fix for end phase (Ctrl+C)
2010-12-21 23:55:55 +00:00
Miroslav Stampar
0e68248f60
minor update of heuristic check
2010-12-21 12:56:18 +00:00
Miroslav Stampar
16f1f4e13e
when doing dynamic checks there are cases when 404 can be raised (perfectly normal)
2010-12-21 11:04:49 +00:00
Bernardo Damele
ad6b528b33
Bit more verbose comment
2010-12-21 10:47:39 +00:00
Miroslav Stampar
416755c0b7
minor adjustments
2010-12-21 00:25:03 +00:00
Miroslav Stampar
e10670d9ac
added end detection phase choice into Ctrl+C list
2010-12-20 23:34:00 +00:00
Miroslav Stampar
b34fe5c334
no more need for such a huge timeout because any timeout exceptions will now be considered as a successful time-based attack (previously we wanted to get back to the program, hence there was such a huge timeout)
2010-12-20 22:49:48 +00:00
Miroslav Stampar
eaf8929085
more minor updates
2010-12-20 10:48:53 +00:00
Miroslav Stampar
fd00ff7a82
minor bug fix
2010-12-20 10:37:03 +00:00
Miroslav Stampar
e9f1ecb9e7
minor update
2010-12-20 10:32:58 +00:00
Miroslav Stampar
10a7a2dfb2
kids, don't use this at home
2010-12-20 10:13:14 +00:00
Miroslav Stampar
4cb83654dc
minor update
2010-12-18 16:28:21 +00:00
Miroslav Stampar
05c6d661e8
cosmetics
2010-12-18 10:49:49 +00:00
Miroslav Stampar
03220d34ba
added Ctrl+C check in detection phase
2010-12-18 10:42:09 +00:00
Miroslav Stampar
fe67d3827c
code refactoring and some fixes
2010-12-18 09:51:34 +00:00
Miroslav Stampar
323af45ce4
added one more time request payload to confirm test results
2010-12-17 07:53:58 +00:00
Miroslav Stampar
e3fa3b0e8e
fix for a minor bug reported by nightman (AttributeError: 'NoneType' object has no attribute 'getFingerprint')
2010-12-17 07:48:32 +00:00
Miroslav Stampar
f8a01ddaf8
minor update
2010-12-15 11:21:47 +00:00
Miroslav Stampar
63f5c35c23
bug fix
2010-12-15 10:02:58 +00:00
Miroslav Stampar
d5fb921154
removed debug print
2010-12-09 20:08:59 +00:00
Miroslav Stampar
0eb2c408a9
code refactoring
2010-12-09 16:49:02 +00:00
Bernardo Damele
df5f6bc1b7
Little precaution
2010-12-09 14:06:43 +00:00
Bernardo Damele
5fb04515d3
Added hidden (for the moment) switch --technique
2010-12-09 13:47:17 +00:00
Bernardo Damele
0c01be0eeb
Ugly work-around to avoid unescaping WAITFOR DELAY time between single quotes (unescaped CHAR(..) value does not work).
2010-12-09 00:34:02 +00:00
Bernardo Damele
9c61adb21d
Cosmetics
2010-12-09 00:26:06 +00:00
Bernardo Damele
10ef2b5de8
Minor bug fix
2010-12-08 23:09:42 +00:00
Miroslav Stampar
81c16926c1
code refactoring some more
2010-12-08 14:46:07 +00:00
Miroslav Stampar
ed09c53ee4
minor minor update
2010-12-08 14:27:37 +00:00
Miroslav Stampar
1ae2fa7f1a
update regarding time based payloads
2010-12-08 11:26:54 +00:00
Miroslav Stampar
a4a63f5b1e
minor update
2010-12-07 23:49:00 +00:00
Miroslav Stampar
293ce18fed
two major bug fixes regarding time calculation (previously comparison was also a part of "delta", which screwed results in cases with large pages; other was a standard distribution based one)
2010-12-07 23:32:33 +00:00
Miroslav Stampar
575e50673b
minor update
2010-12-07 19:27:01 +00:00
Miroslav Stampar
398b82644a
little explanation
2010-12-07 19:25:26 +00:00
Miroslav Stampar
dc651d59ec
little mathematics here and there (used "Rules for normally distributed data")
2010-12-07 19:19:12 +00:00