adding support for scanning Host header values (-p host)

lib/core/agent.py

@@ -116,7 +116,7 @@ class Agent:
             retValue = ET.tostring(root)
         elif place == PLACE.URI:
             retValue = paramString.replace("%s%s" % (origValue, URI_INJECTION_MARK_CHAR), self.addPayloadDelimiters(newValue))
-        elif place in (PLACE.UA, PLACE.REFERER):
+        elif place in (PLACE.UA, PLACE.REFERER, PLACE.HOST):
             retValue = paramString.replace(origValue, self.addPayloadDelimiters(newValue))
         else:
             retValue = paramString.replace("%s=%s" % (parameter, origValue),

lib/core/common.py

@@ -88,6 +88,9 @@ from lib.core.settings import VERSION
 from lib.core.settings import REVISION
 from lib.core.settings import VERSION_STRING
 from lib.core.settings import SITE
+from lib.core.settings import HOST_ALIASES
+from lib.core.settings import REFERER_ALIASES
+from lib.core.settings import USER_AGENT_ALIASES
 from lib.core.settings import ERROR_PARSING_REGEXES
 from lib.core.settings import PRINTABLE_CHAR_REGEX
 from lib.core.settings import SQL_STATEMENTS
@@ -706,13 +709,14 @@ def paramToDict(place, parameters=None):
         if len(conf.testParameter) > 1:
             warnMsg = "provided parameters '%s' " % paramStr
             warnMsg += "are not inside the %s" % place
+            logger.warn(warnMsg)
         else:
             parameter = conf.testParameter[0]
 
-            warnMsg = "provided parameter '%s' " % paramStr
-            warnMsg += "is not inside the %s" % place
-
-        logger.warn(warnMsg)
+            if not intersect(USER_AGENT_ALIASES + REFERER_ALIASES + HOST_ALIASES, parameter, True):
+                warnMsg = "provided parameter '%s' " % paramStr
+                warnMsg += "is not inside the %s" % place
+                logger.warn(warnMsg)
 
     elif len(conf.testParameter) != len(testableParameters.keys()):
         for parameter in conf.testParameter:
@@ -1277,12 +1281,18 @@ def parseTargetUrl():
     conf.url = "%s://%s:%d%s" % (conf.scheme, conf.hostname, conf.port, conf.path)
     conf.url = conf.url.replace(URI_QUESTION_MARKER, '?')
 
-    if not conf.referer and conf.level >= 3:
+    if not conf.referer and (conf.level >= 3 or intersect(REFERER_ALIASES, conf.testParameter, True)):
         debugMsg = "setting the HTTP Referer header to the target url"
         logger.debug(debugMsg)
         conf.httpHeaders = filter(lambda (key, value): key != HTTPHEADER.REFERER, conf.httpHeaders)
         conf.httpHeaders.append((HTTPHEADER.REFERER, conf.url))
 
+    if not conf.host and (conf.level >= 5 or intersect(HOST_ALIASES, conf.testParameter, True)):
+        debugMsg = "setting the HTTP Host header to the target url"
+        logger.debug(debugMsg)
+        conf.httpHeaders = filter(lambda (key, value): key != HTTPHEADER.HOST, conf.httpHeaders)
+        conf.httpHeaders.append((HTTPHEADER.HOST, getHostHeader(conf.url)))
+
 def expandAsteriskForColumns(expression):
     # If the user provided an asterisk rather than the column(s)
     # name, sqlmap will retrieve the columns itself and reprocess

lib/core/enums.py

@@ -48,6 +48,7 @@ class PLACE:
     COOKIE = "Cookie"
     UA = "User-Agent"
     REFERER = "Referer"
+    HOST = "Host"
 
 class HTTPMETHOD:
     GET = "GET"

lib/core/optiondict.py

@@ -31,6 +31,7 @@ optDict = {
                                "agent":             "string",
                                "randomAgent":       "boolean",
                                "rParam":            "string",
+                               "host":              "string",
                                "referer":           "string",
                                "headers":           "string",
                                "aType":             "string",

lib/core/settings.py

@@ -178,8 +178,9 @@ DBMS_DICT = { DBMS.MSSQL: (MSSQL_ALIASES, "python-pymssql", "http://pymssql.sour
               DBMS.DB2: (DB2_ALIASES, "python ibm-db", "http://code.google.com/p/ibm-db/")
             }
 
-REFERER_ALIASES = ( "ref", "referer", "referrer" )
 USER_AGENT_ALIASES = ( "ua", "useragent", "user-agent" )
+REFERER_ALIASES = ( "ref", "referer", "referrer" )
+HOST_ALIASES = ( "host", )
 
 FROM_TABLE = {
                         DBMS.ORACLE: " FROM DUAL",

lib/core/target.py

@@ -34,6 +34,7 @@ from lib.core.exception import sqlmapUserQuitException
 from lib.core.option import __setDBMS
 from lib.core.option import __setKnowledgeBaseAttributes
 from lib.core.session import resumeConfKb
+from lib.core.settings import HOST_ALIASES
 from lib.core.settings import REFERER_ALIASES
 from lib.core.settings import RESULTS_FILE_FORMAT
 from lib.core.settings import SOAP_REGEX
@@ -141,7 +142,7 @@ def __setRequestParams():
             conf.paramDict[PLACE.COOKIE] = __paramDict
             __testableParameters = True
 
-    # Perform checks on User-Agent header value
+    # Perform checks on header values
     if conf.httpHeaders:
         for httpHeader, headerValue in conf.httpHeaders:
             if httpHeader == PLACE.UA:
@@ -164,9 +165,19 @@ def __setRequestParams():
                     conf.paramDict[PLACE.REFERER] = { PLACE.REFERER: headerValue }
                     __testableParameters = True
 
+            elif httpHeader == PLACE.HOST:
+                # No need for url encoding/decoding the host
+                conf.parameters[PLACE.HOST] = urldecode(headerValue)
+
+                condition = any((not conf.testParameter, intersect(conf.testParameter, HOST_ALIASES)))
+
+                if condition:
+                    conf.paramDict[PLACE.HOST] = { PLACE.HOST: headerValue }
+                    __testableParameters = True
+
     if not conf.parameters:
         errMsg = "you did not provide any GET, POST and Cookie "
-        errMsg += "parameter, neither an User-Agent or Referer header"
+        errMsg += "parameter, neither an User-Agent, Referer or Host header value"
         raise sqlmapGenericException, errMsg
 
     elif not __testableParameters: