Updated to sqlmap 0.7 release candidate 1

2025-12-06 20:51:31 +00:00 · 2009-04-22 11:48:07 +00:00
parent b997df740a
commit 8c0ac767f4
129 changed files with 8386 additions and 1388 deletions
--- a/lib/controller/controller.py
+++ b/lib/controller/controller.py
@@ -5,8 +5,8 @@ $Id$

 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

-Copyright (c) 2006-2009 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2009 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -65,7 +65,7 @@ def __selectInjection(injData):

        message += "\n"

-    message += "[q] Quit\nChoice: "
+    message += "[q] Quit"
    select   = readInput(message, default="0")

    if not select:
@@ -126,7 +126,7 @@ def start():
            if conf.data:
                message += "\nPOST data: %s" % conf.data

-            message += "\ndo you want to test this url? [Y/n/q] "
+            message += "\ndo you want to test this url? [Y/n/q]"
            test = readInput(message, default="Y")

            if not test:
@@ -186,13 +186,23 @@ def start():
                paramDict = conf.paramDict[place]

                for parameter, value in paramDict.items():
-                    if not checkDynParam(place, parameter, value):
+                    testSqlInj = True
+
+                    # Avoid dinamicity test if the user provided the
+                    # parameter manually
+                    if parameter in conf.testParameter:
+                        pass
+
+                    elif not checkDynParam(place, parameter, value):
                        warnMsg = "%s parameter '%s' is not dynamic" % (place, parameter)
                        logger.warn(warnMsg)
+                        testSqlInj = False
+
                    else:
                        logMsg = "%s parameter '%s' is dynamic" % (place, parameter)
                        logger.info(logMsg)

+                    if testSqlInj == True:
                        for parenthesis in range(0, 4):
                            logMsg  = "testing sql injection on %s " % place
                            logMsg += "parameter '%s' with " % parameter