
Commit 162d01a

committed
commit of all sorts (bug fix for heuristics and URI injections, fine tuning of tampering modules with SQL keywords,...)
1 parent cf73d9c commit 162d01a

8 files changed

Lines changed: 328 additions & 23 deletions


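--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -38,6 +38,7 @@
 from lib.core.common import showStaticWords
 from lib.core.common import DynamicContentItem
 from lib.core.convert import md5hash
+from lib.core.convert import urlencode
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
@@ -105,9 +106,6 @@ def heuristicCheckSqlInjection(place, parameter, value):
     prefix = ""
     postfix = ""
 
-    if place == "URI":
-        return
-
     if conf.prefix or conf.postfix:
         if conf.prefix:
             prefix = conf.prefix
@@ -116,9 +114,11 @@ def heuristicCheckSqlInjection(place, parameter, value):
             postfix = conf.postfix
 
     payload = "%s%s%s" % (prefix, randomStr(length=10, alphabet=['"', '\'', ')', '(']), postfix)
+    if place == "URI":
+        payload = conf.paramDict[place][parameter].replace('*', payload)
     Request.queryPage(payload, place)
     result = kb.lastErrorPage and kb.lastErrorPage[0]==kb.lastRequestUID
-    infoMsg = "heuristics show that %s parameter '%s' is " % (place, parameter)
+    infoMsg = "(error based) heuristics show that %s parameter '%s' is " % (place, parameter)
     if result:
         infoMsg += "injectable"
         logger.info(infoMsg)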
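Review bot: The new URI branch `payload = conf.paramDict[place][parameter].replace('*', payload)` substitutes the probe string at every `*` in the stored URI value, so a value holding more than one marker receives the probe several times; if only the first marker is meant, `replace('*', payload, 1)` pins that and makes the intent explicit. The `urlencode` import added in the first hunk is not used in either visible hunk of this file; if no part of heuristicCheckSqlInjection outside this view uses it, it should be dropped rather than left as an unused import. The function's body starts before and continues after these hunks.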

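--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -663,6 +663,7 @@ def setPaths():
     paths.SQLMAP_CONFIG = os.path.join(paths.SQLMAP_ROOT_PATH, "sqlmap-%s.conf" % randomStr())
     paths.COMMON_OUTPUTS = os.path.join(paths.SQLMAP_TXT_PATH, 'common-outputs.txt')
     paths.COMMON_TABLES = os.path.join(paths.SQLMAP_TXT_PATH, "common-tables.txt")
+    paths.SQLKEYWORDS = os.path.join(paths.SQLMAP_TXT_PATH, "keywords.txt")
     paths.FUZZ_VECTORS = os.path.join(paths.SQLMAP_TXT_PATH, "fuzz_vectors.txt")
     paths.DETECTION_RULES_XML = os.path.join(paths.SQLMAP_XML_PATH, "detection.xml")
     paths.ERRORS_XML = os.path.join(paths.SQLMAP_XML_PATH, "errors.xml")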

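--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -36,6 +36,7 @@
 from extra.keepalive import keepalive
 from extra.xmlobject import xmlobject
 from lib.core.common import getConsoleWidth
+from lib.core.common import getFileItems
 from lib.core.common import getFileType
 from lib.core.common import normalizePath
 from lib.core.common import ntToPosixSlashes
@@ -1057,12 +1058,13 @@ def __setKnowledgeBaseAttributes():
     kb.lastErrorPage = None
     kb.headersCount = 0
     kb.headersFp = {}
+    kb.hintValue = None
     kb.htmlFp = []
     kb.injParameter = None
     kb.injPlace = None
     kb.injType = None
     kb.injections = xmlobject.XMLFile(path=paths.INJECTIONS_XML)
-    kb.hintValue = None
+    kb.keywords = getFileItems(paths.SQLKEYWORDS)
     kb.nullConnection = None
 
     # Back-end DBMS underlying operating system fingerprint via banner (-b)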
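Review bot: `kb.keywords = getFileItems(paths.SQLKEYWORDS)` is consumed as `word.upper() in kb.keywords` by the tamper modules changed in this commit, so the lookup only matches if every entry in keywords.txt is already upper-case, and it is a linear scan per matched word if getFileItems returns a list. Normalising once at load time, `kb.keywords = set(item.upper() for item in getFileItems(paths.SQLKEYWORDS))`, removes both dependencies (this assumes getFileItems yields plain strings; its return type is not visible here). Loading the file here also means a missing or unreadable keywords.txt now fails knowledge-base setup on every run, not only when a tamper module is selected; worth confirming that is intended or guarding the call. `__setKnowledgeBaseAttributes` continues outside this hunk.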

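--- a/lib/request/connect.py
+++ b/lib/request/connect.py
@@ -307,13 +307,13 @@ def queryPage(value=None, place=None, content=False, getSeqMatcher=False, silent
 
     if not place:
         place = kb.injPlace
-
+
     if kb.tamperFunctions:
         for function in kb.tamperFunctions:
             value = function(place, value)
 
     if "GET" in conf.parameters:
-        get = conf.parameters["GET"] if place != "GET" or not value else value
+        get = conf.parameters["GET"] if place != "GET" or not value else value
 
     if "POST" in conf.parameters:
         post = conf.parameters["POST"] if place != "POST" or not value else value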

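--- a/tamper/randomblanks.py
+++ b/tamper/randomblanks.py
@@ -2,12 +2,32 @@
 import string
 
 from lib.core.common import randomRange
-from lib.core.exception import sqlmapUnsupportedFeatureException
+from lib.core.convert import urldecode
+from lib.core.convert import urlencode
+from lib.core.data import kb
 
 """
 value -> value with inserted random blanks (e.g., INSERT->IN/**/S/**/ERT)
 """
-#TODO: all
-#TODO: only do it for deepness = 0 regarding '"
 def tamper(place, value):
-    return value
+    retVal = value
+    if value:
+        if place != "URI":
+            retVal = urldecode(retVal)
+
+        for match in re.finditer(r"[A-Za-z_]+", retVal):
+            word = match.group()
+
+            if len(word) < 2:
+                continue
+
+            if word.upper() in kb.keywords:
+                newWord = word[0]
+                for i in xrange(1, len(word) - 1):
+                    newWord += "%s%s" % ("/**/" if randomRange(0,1) else "", word[i])
+                newWord += word[-1]
+                retVal = retVal.replace(word, newWord)
+
+        if place != "URI":
+            retVal = urlencode(retVal)
+    return retVal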
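Review bot: `retVal = retVal.replace(word, newWord)` rewrites every occurrence of `word` anywhere in `retVal`, not only the span that `re.finditer` matched, so a keyword that is also a prefix of a longer identifier elsewhere in the string (a matched `OR` when `ORDER` is also present, for instance) corrupts that identifier; the same pattern is in tamper/randomcase.py. Rebuilding from the match itself avoids this: move the per-word logic into a small callback that returns the rewritten word (or the word unchanged when it is too short or not a keyword) and apply it once with `retVal = re.sub(r"[A-Za-z_]+", callback, retVal)`. Neither module's hunk shows `import re`; line 1 lies outside both hunks, so confirm it is `import re`, otherwise `re.finditer` raises NameError on first use.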

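--- a/tamper/randomcase.py
+++ b/tamper/randomcase.py
@@ -2,19 +2,28 @@
 import string
 
 from lib.core.common import randomRange
-from lib.core.exception import sqlmapUnsupportedFeatureException
+from lib.core.convert import urldecode
+from lib.core.convert import urlencode
+from lib.core.data import kb
 
 """
 value -> chars from value with random case (e.g., INSERT->InsERt)
 """
-#TODO: only do it for deepness = 0 regarding '"
 def tamper(place, value):
     retVal = value
     if value:
-        retVal = ""
-        for i in xrange(len(value)):
-            if value[i].isalpha():
-                retVal += value[i].upper() if randomRange(0,1) else value[i].lower()
-            else:
-                retVal += value[i]
+        if place != "URI":
+            retVal = urldecode(retVal)
+
+        for match in re.finditer(r"[A-Za-z_]+", retVal):
+            word = match.group()
+            if word.upper() in kb.keywords:
+                newWord = str()
+                for i in xrange(len(word)):
+                    newWord += word[i].upper() if randomRange(0,1) else word[i].lower()
+                retVal = retVal.replace(word, newWord)
+
+        if place != "URI":
+            retVal = urlencode(retVal)
+
     return retVal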

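--- a/tamper/space2comment.py
+++ b/tamper/space2comment.py
@@ -6,12 +6,28 @@
 """
 ' ' -> /**/ (e.g., SELECT id FROM users->SELECT/**/id/**/FROM users)
 """
-#TODO: only do it for deepness = 0 regarding '"
 def tamper(place, value):
+    retVal = value
     if value:
         if place != "URI":
             value = urldecode(value)
-        value = value.replace(" ", "/**/")
+
+        retVal = ""
+        qoute, doublequote, firstspace = False, False, False
+
+        for i in xrange(len(value)):
+            if not firstspace:
+                firstspace = value[i].isspace()
+            elif value[i] == '\'':
+                qoute = not qoute
+            elif value[i] == '"':
+                doublequote = not doublequote
+            elif value[i]==" " and not doublequote and not qoute:
+                retVal += "/**/"
+                continue
+            retVal += value[i]
+
         if place != "URI":
-            value = urlencode(value)
-        return value
+            retVal = urlencode(retVal)
+    return retVal
+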
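Review bot: The first whitespace character of `value` is emitted unchanged, because the `if not firstspace:` branch only records it and then falls through to `retVal += value[i]`, so only blanks after the first one become `/**/`; if that is deliberate, the line deserves a comment such as `# the first blank is kept as-is; only later blanks are replaced`, since the module docstring above still promises a plain `' ' -> /**/` mapping. The detection also mixes `isspace()` for that first blank with `== " "` for the replacement, so a leading tab or newline counts as the first blank while later tabs are never replaced; using one predicate for both keeps the two in step. `qoute` is misspelled on its three uses and should read `quote`. Quote characters appearing before the first blank are not tracked at all, which looks intentional but is worth stating in the same comment.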
