new feature --forms (still unfinished)

lib/controller/controller.py

@@ -43,6 +43,7 @@ from lib.core.exception import sqlmapUserQuitException
 from lib.core.session import setInjection
 from lib.core.target import initTargetEnv
 from lib.core.target import setupTargetEnv
+from lib.core.target import __setPageForms
 from lib.utils.parenthesis import checkForParenthesis
 
 def __selectInjection(injData):
@@ -105,7 +106,10 @@ def start():
         return True
 
     if conf.url:
-        kb.targetUrls.add(( conf.url, conf.method, conf.data, conf.cookie ))
+        if conf.forms:
+            __setPageForms()
+        else:
+            kb.targetUrls.add(( conf.url, conf.method, conf.data, conf.cookie ))
 
     if conf.configFile and not kb.targetUrls:
         errMsg  = "you did not edit the configuration file properly, set "

lib/core/target.py

@@ -27,8 +27,10 @@ import os
 import re
 import time
 
+from extra.clientform.clientform import ParseResponse
 from lib.core.common import dataToSessionFile
 from lib.core.common import paramToDict
+from lib.core.common import readInput
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
@@ -39,6 +41,7 @@ from lib.core.exception import sqlmapGenericException
 from lib.core.exception import sqlmapSyntaxException
 from lib.core.session import resumeConfKb
 from lib.core.xmldump import dumper as xmldumper
+from lib.request.connect import Connect as Request
 
 def __setRequestParams():
     """
@@ -133,6 +136,20 @@ def __setRequestParams():
         errMsg += "within the GET, POST and Cookie parameters"
         raise sqlmapGenericException, errMsg
 
+def __setPageForms():
+    response, _ = Request.queryPage(response=True)
+    forms = ParseResponse(response, backwards_compat=False)
+    count = 1
+    for form in forms:
+        request = form.click()
+        url = request.get_full_url()
+        method = request.get_method()
+        data = request.get_data() if request.has_data() else None
+        message = "Form #%d (%s) [default: '%s'] " % (count, form.name, data)
+        test = readInput(message, default=data)
+        count +=1
+        kb.targetUrls.add((url, method, data, conf.cookie))
+
 def __setOutputResume():
     """
     Check and set the output text file and the resume functionality.

lib/parse/cmdline.py

@@ -455,6 +455,10 @@ def cmdLineParser():
                                  action="store_true", default=False,
                                  help="Flush session file for current target")
 
+        miscellaneous.add_option("--forms", dest="forms",
+                                 action="store_true", default=False,
+                                 help="Parse and test forms on target url")
+
         miscellaneous.add_option("--eta", dest="eta",
                                  action="store_true", default=False,
                                  help="Display for each output the "

lib/request/connect.py

@@ -80,6 +80,7 @@ class Connect:
         silent          = kwargs.get('silent',     False)
         raise404        = kwargs.get('raise404',   True)
         auxHeaders      = kwargs.get('auxHeaders', None)
+        response        = kwargs.get('response',   False)
 
         page            = ""
         cookieStr       = ""
@@ -197,6 +198,10 @@ class Connect:
 
             # Reset the number of connection retries
             conf.retriesCount = 0
+            
+            # Return response object
+            if response:
+                return conn, None
 
             # Get HTTP response
             page = conn.read()
@@ -279,7 +284,7 @@ class Connect:
         return page, responseHeaders
 
     @staticmethod
-    def queryPage(value=None, place=None, content=False, getSeqMatcher=False, silent=False, method=None, auxHeaders=None):
+    def queryPage(value=None, place=None, content=False, getSeqMatcher=False, silent=False, method=None, auxHeaders=None, response=False):
         """
         This method calls a function to get the target url page content
         and returns its page MD5 hash or a boolean value in case of
@@ -323,23 +328,25 @@ class Connect:
             if kb.queryCounter % conf.saFreq == 0:
                 Connect.getPage(url=conf.safUrl, cookie=cookie, direct=True, silent=True, ua=ua)
 
-        if not content and kb.nullConnection:
+        if not content and not response and kb.nullConnection:
             if kb.nullConnection == "HEAD":
-                _, headers = Connect.getPage(url=uri, get=get, post=post, cookie=cookie, ua=ua, silent=silent, method="HEAD", auxHeaders=auxHeaders, raise404=raise404)
-                pageLength = int(headers['Content-Length'])
+                method = "HEAD"
             elif kb.nullConnection == "Range":
                 if not auxHeaders:
                     auxHeaders = {}
                 auxHeaders["Range"] = "bytes=-1"
-                _, headers = Connect.getPage(url=uri, get=get, post=post, cookie=cookie, ua=ua, silent=silent, method=method, auxHeaders=auxHeaders, raise404=raise404)
+
+            _, headers = Connect.getPage(url=uri, get=get, post=post, cookie=cookie, ua=ua, silent=silent, method=method, auxHeaders=auxHeaders, raise404=raise404)
+
+            if kb.nullConnection == "HEAD":
+                pageLength = int(headers['Content-Length'])
+            elif kb.nullConnection == "Range":
                 pageLength = int(headers['Content-Range'][headers['Content-Range'].find('/') + 1:])
-            else:
-                kb.nullConnection = None
 
         if not pageLength:
-            page, headers = Connect.getPage(url=uri, get=get, post=post, cookie=cookie, ua=ua, silent=silent, method=method, auxHeaders=auxHeaders, raise404=raise404)
+            page, headers = Connect.getPage(url=uri, get=get, post=post, cookie=cookie, ua=ua, silent=silent, method=method, auxHeaders=auxHeaders, response=response, raise404=raise404)
 
-        if content:
+        if content or response:
             return page, headers
         elif pageLength or page:
             return comparison(page, headers, getSeqMatcher, pageLength)