improving "boolean detection" by automatic recognition of convenient --string candidate

This commit is contained in:
Miroslav Stampar
2012-04-10 21:48:34 +00:00
parent 698b7a15d9
commit 119eec3598
5 changed files with 32 additions and 3 deletions


@@ -17,6 +17,7 @@ from lib.core.common import arrayizeValue
from lib.core.common import Backend
from lib.core.common import beep
from lib.core.common import extractRegexResult
from lib.core.common import extractTextTagContent
from lib.core.common import findDynamicContent
from lib.core.common import Format
from lib.core.common import getComparePageRatio
@@ -329,9 +330,11 @@ def checkSqlInjection(place, parameter, value):
kb.matchRatio = None
kb.negativeLogic = (where == PAYLOAD.WHERE.NEGATIVE)
Request.queryPage(genCmpPayload(), place, raise404=False)
falsePage = threadData.lastComparisonPage
# Perform the test's True request
trueResult = Request.queryPage(reqPayload, place, raise404=False)
truePage = threadData.lastComparisonPage
if trueResult:
falseResult = Request.queryPage(genCmpPayload(), place, raise404=False)
@@ -342,6 +345,15 @@ def checkSqlInjection(place, parameter, value):
logger.info(infoMsg)
injectable = True
else:
trueSet = set(extractTextTagContent(truePage))
falseSet = set(extractTextTagContent(falsePage))
candidate = reduce(lambda x, y: x or (y.strip() if y.strip() in (kb.pageTemplate or "") else None), (trueSet - falseSet), None)
if candidate:
conf.string = candidate
infoMsg = "%s parameter '%s' is '%s' injectable (with --string='%s')" % (place, parameter, title, candidate)
logger.info(infoMsg)
injectable = True
# In case of error-based SQL injection
elif method == PAYLOAD.METHOD.GREP:
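Review bot: The `--string` candidate chosen on the `candidate = reduce(...)` line is only guaranteed to be absent from the set of tag contents of falsePage, not from falsePage itself, while `conf.string` is (as far as I can tell from its use elsewhere) later matched as a plain substring of the whole response; a short candidate such as a digit or a common word can therefore still occur inside a longer text node of the false page and make subsequent comparisons report a match on both sides. I would add the whole-page check before committing the value: `if candidate and candidate not in (falsePage or ""):`. The pick also follows set iteration order, so which element of `trueSet - falseSet` wins is not reproducible across runs; iterating `sorted(trueSet - falseSet, key=len, reverse=True)` instead would make the choice deterministic and prefer the more distinctive string. Since `conf.string = candidate` persists for every later test in the run, a comment saying so on that line would help the next reader. checkSqlInjection starts outside the hunk.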