Implementation for an Issue #70

2026-02-08 14:36:35 +00:00 · 2012-07-26 12:06:02 +02:00
parent 57f2fccc24
commit 30f8d09651
8 changed files with 31 additions and 8 deletions
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -359,7 +359,7 @@ def checkSqlInjection(place, parameter, value):

                                    injectable = True

-                            if not injectable and not conf.string and kb.pageStable:
+                            if not injectable and not any((conf.string, conf.notString, conf.regexp)) and kb.pageStable:
                                trueSet = set(extractTextTagContent(truePage))
                                falseSet = set(extractTextTagContent(falsePage))
                                candidates = filter(None, (_.strip() if _.strip() in (kb.pageTemplate or "") and _.strip() not in falsePage else None for _ in (trueSet - falseSet)))
@@ -499,6 +499,7 @@ def checkSqlInjection(place, parameter, value):
                        injection.conf.textOnly = conf.textOnly
                        injection.conf.titles = conf.titles
                        injection.conf.string = conf.string
+                        injection.conf.notString = conf.notString
                        injection.conf.regexp = conf.regexp
                        injection.conf.optimize = conf.optimize

--- a/lib/controller/controller.py
+++ b/lib/controller/controller.py
@@ -357,7 +357,7 @@ def start():
            if (len(kb.injections) == 0 or (len(kb.injections) == 1 and kb.injections[0].place is None)) \
                and (kb.injection.place is None or kb.injection.parameter is None):

-                if not conf.string and not conf.regexp and PAYLOAD.TECHNIQUE.BOOLEAN in conf.tech:
+                if not any((conf.string, conf.notString, conf.regexp)) and PAYLOAD.TECHNIQUE.BOOLEAN in conf.tech:
                    # NOTE: this is not needed anymore, leaving only to display
                    # a warning message to the user in case the page is not stable
                    checkStability()
@@ -527,7 +527,7 @@ def start():
                        errMsg += "Please, consider usage of tampering scripts as "
                        errMsg += "your target might filter the queries."

-                    if not conf.string and not conf.regexp:
+                    if not conf.string and not conf.notString and not conf.regexp:
                        errMsg += " Also, you can try to rerun by providing "
                        errMsg += "either a valid value for option '--string' "
                        errMsg += "(or '--regexp')"