Miroslav Stampar
|
30f8d09651
|
Implementation for an Issue #70
|
2012-07-26 12:06:02 +02:00 |
|
Miroslav Stampar
|
0e21cb54de
|
Minor fix related to Issue #94
|
2012-07-16 16:06:39 +02:00 |
|
Bernardo Damele
|
162da75a04
|
modified homepage address
|
2012-07-12 18:38:03 +01:00 |
|
jekil
|
c39e5a85ba
|
Removed $id$ tags
|
2012-06-27 20:56:43 +02:00 |
|
Miroslav Stampar
|
119eec3598
|
improving "boolean detection" by automatic recognition of convenient --string candidate
|
2012-04-10 21:48:34 +00:00 |
|
Miroslav Stampar
|
6acf6b193a
|
minor update regarding boolean logic comparison mechanism
|
2012-03-30 09:42:58 +00:00 |
|
Miroslav Stampar
|
5469186540
|
minor comment update
|
2012-03-29 14:35:47 +00:00 |
|
Miroslav Stampar
|
637a8d8273
|
improvement toward proper implementation of OR-based injection by usage of "negative logic" mechanism
|
2012-03-29 14:33:27 +00:00 |
|
Miroslav Stampar
|
ce4c697bbd
|
disabling "negative logic" as it's not half done (it was "luckily" working for --string/--regex/--code but it was a sheer luck); removing "dirty fix" from checks.py; proof that this was not ready for the release is that there was not check for negative logic anywhere for anything more then --string/--regex/--code
|
2012-03-29 13:39:12 +00:00 |
|
Miroslav Stampar
|
da7f4eeffd
|
removing left over
|
2012-03-18 17:33:14 +00:00 |
|
Miroslav Stampar
|
0fc4288a7c
|
modifying redirection code for only two choices
|
2012-03-18 17:27:08 +00:00 |
|
Bernardo Damele
|
c03d0e24fb
|
it must stay as is
|
2012-03-16 17:42:00 +00:00 |
|
Bernardo Damele
|
942d9e4fa8
|
code cleanup
|
2012-03-16 17:27:24 +00:00 |
|
Bernardo Damele
|
a1c943fc79
|
Major bug fix to comparison algorithm with OR based boolean-based injections
|
2012-03-16 17:22:55 +00:00 |
|
Bernardo Damele
|
86c4650058
|
Minor bug fix - revert
|
2012-03-15 17:12:24 +00:00 |
|
Bernardo Damele
|
cc15373769
|
More explicit function name also getRatioValue parameter has nothing to do with comparison at this stage as far as I can see (that might have fixed another "bug", to be checked later)
|
2012-03-15 16:29:28 +00:00 |
|
Bernardo Damele
|
4520744b4d
|
second step toward negative logic support (ported to detection phase too) - works well with --string, --regexp and --code now
|
2012-03-15 16:25:26 +00:00 |
|
Miroslav Stampar
|
19beb912fa
|
first step toward negative logic support
|
2012-03-15 15:52:12 +00:00 |
|
Miroslav Stampar
|
95f89ab63a
|
updating copyright date
|
2012-01-11 14:59:46 +00:00 |
|
Miroslav Stampar
|
526aacb640
|
code cleanup
|
2011-12-21 22:59:23 +00:00 |
|
Bernardo Damele
|
702ed73a65
|
Added --code switch to match in boolean-based tests against the HTTP response code
|
2011-08-12 16:48:11 +00:00 |
|
Bernardo Damele
|
fff4c34e33
|
Search for --string and --regexp matches also in HTTP response headers
|
2011-08-12 15:33:37 +00:00 |
|
Bernardo Damele
|
aedcf8c8d7
|
Changed homepage address
|
2011-07-07 20:10:03 +00:00 |
|
Miroslav Stampar
|
0c9fa5c550
|
fix
|
2011-06-17 17:12:47 +00:00 |
|
Miroslav Stampar
|
043f2f92c1
|
minor update
|
2011-06-17 17:10:52 +00:00 |
|
Miroslav Stampar
|
c9a6aad5c3
|
minor fix by request
|
2011-06-17 16:58:50 +00:00 |
|
Miroslav Stampar
|
f8dde2c23b
|
adding --titles switch (killer switch for pages with lots of dynamicity and/or international ones)
|
2011-06-10 23:18:43 +00:00 |
|
Miroslav Stampar
|
15d72ec566
|
minor improvement for special cases with --string/--regexp
|
2011-06-10 23:05:47 +00:00 |
|
Miroslav Stampar
|
5f7858455d
|
fix for a bug reported by l0rda@l0rda.biz
|
2011-06-07 05:57:21 +00:00 |
|
Miroslav Stampar
|
5369657cd5
|
fix for cases with retrieved binary files (preventing difflib nagging around comparison)
|
2011-05-25 20:54:30 +00:00 |
|
Miroslav Stampar
|
0072c3af8e
|
fix for a bug reported by aboynes@gmail.com (for elt in self.a)
|
2011-05-24 15:03:21 +00:00 |
|
Bernardo Damele
|
f3088079c0
|
error message adjustment
|
2011-04-21 22:31:02 +00:00 |
|
Miroslav Stampar
|
4fa00121e4
|
that CONSTANT_RATIO was a pure black magic for dynamic pages. now we have better injection detection workflow than before (False, True, False) and it was just a matter of time for removing this one
|
2011-04-17 21:58:34 +00:00 |
|
Miroslav Stampar
|
0387654166
|
update of copyright string (until year)
|
2011-04-15 12:33:18 +00:00 |
|
Miroslav Stampar
|
12ede1e5de
|
minor JIC (just-in-case) update
|
2011-02-22 13:18:47 +00:00 |
|
Miroslav Stampar
|
3badf92ceb
|
not doing "basic" filtering in default cases because of a bug reported by Kazim
|
2011-02-18 07:38:13 +00:00 |
|
Miroslav Stampar
|
1af418d444
|
huge bug fix
|
2011-02-04 10:18:26 +00:00 |
|
Miroslav Stampar
|
e4933f0c92
|
refactoring
|
2011-02-03 23:25:56 +00:00 |
|
Miroslav Stampar
|
1aecbe6b08
|
minor refactoring (now at the most basic level at least junky <script> and <style> tags are removed for the sake of better blind based detection)
|
2011-02-03 22:59:26 +00:00 |
|
Miroslav Stampar
|
b56a77e573
|
removing obsolete switches (--threshold, --excl-reg, --excl-str)
|
2011-02-03 15:55:19 +00:00 |
|
Miroslav Stampar
|
71391874eb
|
slightly faster and thread safer inference
|
2011-01-16 10:52:42 +00:00 |
|
Miroslav Stampar
|
1fa8f0cba7
|
code reviewing part 2
|
2011-01-15 12:53:40 +00:00 |
|
Miroslav Stampar
|
fb9d7cdfaa
|
refactoring, code clearing and removal of obsolete switch --longest-common
|
2011-01-14 14:37:03 +00:00 |
|
Miroslav Stampar
|
c0423761e8
|
minor update
|
2010-12-27 18:27:42 +00:00 |
|
Miroslav Stampar
|
569e060aab
|
important improvement
|
2010-12-26 13:20:52 +00:00 |
|
Miroslav Stampar
|
2c23a59ba5
|
fix for one of those more complex bugs (comparison was returning None while original page and/or page template were already had already DBMS error inside)
|
2010-12-24 12:13:48 +00:00 |
|
Miroslav Stampar
|
aab14fa2d3
|
minor refactoring/cosmetics
|
2010-12-24 11:06:57 +00:00 |
|
Miroslav Stampar
|
d5eebb1cbf
|
fix for a fundamentally bad presumtion (ratio should be > 0.6 in stable pages), especially today when we have stuff like where=2; also, just imagine 500s which could just say something like FALSE, while on ratio level it would be far below 0.6
|
2010-12-24 09:49:19 +00:00 |
|
Miroslav Stampar
|
fe67d3827c
|
code refactoring and some fixes
|
2010-12-18 09:51:34 +00:00 |
|
Miroslav Stampar
|
03447acc1d
|
avoiding some trashy match ratios
|
2010-12-11 17:12:19 +00:00 |
|
Miroslav Stampar
|
bdff4aba6a
|
switching to quick_ratio
|
2010-12-07 23:57:43 +00:00 |
|
Miroslav Stampar
|
c1b82cf09c
|
ratio() gives a considerable lag on real life cases, as real_quick_ratio() gives almost as good results
|
2010-12-07 23:53:44 +00:00 |
|
Miroslav Stampar
|
eeb199375b
|
usage of compiled regexes in case of dynamic markings and other refactoring
|
2010-12-04 13:23:28 +00:00 |
|
Miroslav Stampar
|
0fc7a8f9e8
|
code refactoring
|
2010-12-04 10:13:18 +00:00 |
|
Miroslav Stampar
|
04714374f9
|
now you can use kb.pageTemplate to set a page which will be used as a template in comparison process (at least in '-[RANDNUM] OR' cases we'll need to use different template(s))
|
2010-12-04 10:05:18 +00:00 |
|
Bernardo Damele
|
17486e472a
|
Proper english (--postfix is now --suffix) and --string/--regexp does not necessarily need to match into the original response body, it might well be in the injected True condition only!
|
2010-11-17 22:00:09 +00:00 |
|
Miroslav Stampar
|
6ef3846400
|
update regarding error parsing (and reporting)
|
2010-11-16 10:42:42 +00:00 |
|
Miroslav Stampar
|
27735b14df
|
update (--string and --regex should be done regardless of wasLastRequestError)
|
2010-11-12 22:44:15 +00:00 |
|
Miroslav Stampar
|
19c1bfa368
|
just a precaution (now i really need to go for a sleep)
|
2010-11-09 23:38:29 +00:00 |
|
Miroslav Stampar
|
88c00e61d3
|
another update
|
2010-11-09 23:35:37 +00:00 |
|
Miroslav Stampar
|
47720a43dd
|
minor fix (while we've calculated conf.matchRation for stable pages, we've put a constant value (0.900) for dynamic ones - so putting (ratio - conf.matchRatio) > DIFF_TOLERANCE for dynamic pages too would just effectively increase it's value to 0.900 + DIFF_TOLERANCE (in our case to 0.950) which is too narrow space for True result)
|
2010-11-09 23:21:21 +00:00 |
|
Miroslav Stampar
|
5ebd5d935c
|
another name change
|
2010-11-09 22:49:31 +00:00 |
|
Miroslav Stampar
|
06f00cf8c1
|
name change
|
2010-11-09 22:48:22 +00:00 |
|
Miroslav Stampar
|
fef60d5cb7
|
some fixes :)
|
2010-11-09 22:32:05 +00:00 |
|
Bernardo Damele
|
1cc99e2247
|
Possible quick fix for missing of True/False comparison of stable-but-not-really pages
|
2010-11-09 21:39:58 +00:00 |
|
Miroslav Stampar
|
620fa1c8fb
|
trust me, i know what i am doing :)
|
2010-11-07 20:33:33 +00:00 |
|
Bernardo Damele
|
4d81da6bc8
|
Cosmetics
|
2010-11-07 16:23:03 +00:00 |
|
Miroslav Stampar
|
00dfd55830
|
added powerful switch --longest-common for dealing with heavy dynamicity
|
2010-11-07 08:52:09 +00:00 |
|
Miroslav Stampar
|
508b9cc763
|
dynamicity engine update
|
2010-11-07 00:12:00 +00:00 |
|
Miroslav Stampar
|
3619fc5127
|
minor update
|
2010-11-06 08:31:11 +00:00 |
|
Miroslav Stampar
|
0e895fa512
|
update of dynamicity testing and few misc fixes
|
2010-11-05 13:14:12 +00:00 |
|
Miroslav Stampar
|
29b7c5366c
|
cosmetics
|
2010-11-04 17:22:33 +00:00 |
|
Miroslav Stampar
|
e1cec8c02b
|
fix for all that stable, dynamic mambo jambo :)
|
2010-11-04 16:44:34 +00:00 |
|
Miroslav Stampar
|
71d0b1bcd7
|
several bug fixes
|
2010-11-03 21:51:36 +00:00 |
|
Miroslav Stampar
|
44678fa320
|
fix for a bug reported by ToR (TypeError: unsupported operand type(s) for *: 'float' and 'NoneType')
|
2010-11-03 12:40:11 +00:00 |
|
Miroslav Stampar
|
5269cb8c08
|
some code refactoring and beautification
|
2010-11-02 09:06:38 +00:00 |
|
Miroslav Stampar
|
13e93f564a
|
one bug fix in dynamic content engine and some code refactoring
|
2010-11-02 07:32:08 +00:00 |
|
Miroslav Stampar
|
24c5d7b313
|
code refactoring
|
2010-10-25 14:06:56 +00:00 |
|
Miroslav Stampar
|
9c94a233a1
|
conf.md5hash thrown out
|
2010-10-25 13:52:21 +00:00 |
|
Miroslav Stampar
|
71543092b7
|
update regarding comparison engine
|
2010-10-25 12:00:59 +00:00 |
|
Miroslav Stampar
|
8df7c88174
|
implementation of a new dynamic content removal engine
|
2010-10-25 10:41:37 +00:00 |
|
Miroslav Stampar
|
4f7f20b94f
|
sorry, cosmetics
|
2010-10-14 23:18:29 +00:00 |
|
Miroslav Stampar
|
8b48833136
|
large commit with copyright header modifications
|
2010-10-14 14:41:14 +00:00 |
|
Miroslav Stampar
|
d2ec132469
|
added --text-only switch
|
2010-10-12 19:41:29 +00:00 |
|
Miroslav Stampar
|
1741801ade
|
implementation of HEAD/Range methods
|
2010-09-16 09:32:09 +00:00 |
|
Miroslav Stampar
|
798ab4989b
|
fix for a Bug #200
|
2010-09-14 10:35:01 +00:00 |
|
Miroslav Stampar
|
19fb2e3dcf
|
fix for Bug #165
|
2010-09-13 13:31:01 +00:00 |
|
Miroslav Stampar
|
057ec8a6b2
|
added --ratio option for direct manipulation of conf.matchRatio parameter
|
2010-08-10 19:53:29 +00:00 |
|
Miroslav Stampar
|
131789a6e4
|
some code refactoring
|
2010-05-14 14:21:13 +00:00 |
|
Miroslav Stampar
|
91dd609e26
|
fixed threading bug (difflib :)
|
2010-03-10 14:14:27 +00:00 |
|
Bernardo Damele
|
156fdd96ef
|
Updated copyright
|
2010-03-03 15:26:27 +00:00 |
|
Bernardo Damele
|
ce022a3b6e
|
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
|
2010-01-02 02:02:12 +00:00 |
|
Bernardo Damele
|
16b4530bbe
|
Minor bug fixes to --os-shell (altought web backdoor functionality still to be reviewed).
Minor common library code refactoring.
Code cleanup.
Set back the default User-Agent to sqlmap for comparison algorithm reasons.
Updated THANKS.
|
2009-04-27 23:05:11 +00:00 |
|
Bernardo Damele
|
8c0ac767f4
|
Updated to sqlmap 0.7 release candidate 1
|
2009-04-22 11:48:07 +00:00 |
|
Bernardo Damele
|
2efee058ea
|
Major enhancement in comparison algorithm
|
2009-02-12 00:17:44 +00:00 |
|
Bernardo Damele
|
ba00a17205
|
Minor layout adjustment
|
2009-02-09 10:58:44 +00:00 |
|
Bernardo Damele
|
207e96e2b2
|
Major bug fix in the comparison algorithm to correctly handle also the
case that the url is stable and the False response changes the page
content very little.
|
2009-02-09 10:28:03 +00:00 |
|
Bernardo Damele
|
5560f0b68a
|
Updated the copyright
|
2009-01-12 21:35:38 +00:00 |
|
Bernardo Damele
|
35708a0b97
|
Minor adjustment to UNION query SQL injection detection function.
Updated command line help message based upon recent developments.
Updated copyright note of lib/contrib/multipartpost.py.
|
2008-12-21 16:35:03 +00:00 |
|
Bernardo Damele
|
c18efe5084
|
Minor adjustments
|
2008-12-20 13:21:47 +00:00 |
|