Adding new option --param-exclude on private request

2026-01-24 23:29:05 +00:00 · 2016-12-25 23:16:44 +01:00
parent 44b00d629d
commit 89bbf5284c
6 changed files with 19 additions and 6 deletions
--- a/lib/controller/controller.py
+++ b/lib/controller/controller.py
@@ -470,6 +470,12 @@ def start():
                            infoMsg = "skipping %s parameter '%s'" % (paramType, parameter)
                            logger.info(infoMsg)

+                        elif re.search(conf.paramExclude or "", parameter, re.I) or kb.postHint and re.search(conf.paramExclude or "", parameter.split(' ')[-1], re.I):
+                            testSqlInj = False
+
+                            infoMsg = "skipping %s parameter '%s'" % (paramType, parameter)
+                            logger.info(infoMsg)
+
                        elif parameter == conf.csrfToken:
                            testSqlInj = False

--- a/lib/core/optiondict.py
+++ b/lib/core/optiondict.py
@@ -77,7 +77,8 @@ optDict = {
                               "testParameter":     "string",
                               "skip":              "string",
                               "skipStatic":        "boolean",
-                               "dbms":              "string",
+                               "skip":              "string",
+                               "paramExclude":      "string",
                               "dbmsCred":          "string",
                               "os":                "string",
                               "invalidBignum":     "boolean",
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -19,7 +19,7 @@ from lib.core.enums import DBMS_DIRECTORY_NAME
 from lib.core.enums import OS

 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.0.12.14"
+VERSION = "1.0.12.15"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
--- a/lib/parse/cmdline.py
+++ b/lib/parse/cmdline.py
@@ -269,6 +269,9 @@ def cmdLineParser(argv=None):
        injection.add_option("--skip-static", dest="skipStatic", action="store_true",
                             help="Skip testing parameters that not appear to be dynamic")

+        injection.add_option("--param-exclude", dest="paramExclude",
+                           help="Regexp to exclude parameters from testing (e.g. \"ses\")")
+
        injection.add_option("--dbms", dest="dbms",
                             help="Force back-end DBMS to this value")