Now, if the back-end dbms type has been identified by the detection engine, skips the fingerprint phase.

Major code refactoring and commenting to detection engine. Ask user whether or not to proceed to test remaining parameters after an injection point has been identified. Restore beep at SQL injection find. Avoid reuse of same variable in DBMS handler code. Minor adjustment of payloads XML file.
2025-12-09 06:01:29 +00:00 · 2010-11-30 22:40:25 +00:00
parent fcdebbd55f
commit c8f943f5e4
17 changed files with 210 additions and 118 deletions
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -126,20 +126,6 @@ class Agent:

        return payload

-    def cleanupPayload(self, payload):
-        randInt = randomInt()
-        randInt1 = randomInt()
-        randStr = randomStr()
-
-        payload = payload.replace("[RANDNUM]", str(randInt))
-        payload = payload.replace("[RANDNUM1]", str(randInt1))
-        payload = payload.replace("[RANDSTR]", randStr)
-        payload = payload.replace("[ERROR_START_CHAR]", ERROR_START_CHAR)
-        payload = payload.replace("[ERROR_END_CHAR]", ERROR_END_CHAR)
-        payload = payload.replace("[SLEEPTIME]", str(conf.timeSec))
-
-        return payload
-
    def prefixQuery(self, string):
        """
        This method defines how the input string has to be escaped
@@ -173,6 +159,28 @@ class Agent:

        return string

+    def cleanupPayload(self, payload):
+        randInt = randomInt()
+        randInt1 = randomInt()
+        randStr = randomStr()
+
+        payload = payload.replace("[RANDNUM]", str(randInt))
+        payload = payload.replace("[RANDNUM1]", str(randInt1))
+        payload = payload.replace("[RANDSTR]", randStr)
+        payload = payload.replace("[ERROR_START_CHAR]", ERROR_START_CHAR)
+        payload = payload.replace("[ERROR_END_CHAR]", ERROR_END_CHAR)
+        payload = payload.replace("[SLEEPTIME]", str(conf.timeSec))
+
+        return payload
+
+    def getComment(self, reqObj):
+        if "comment" in reqObj:
+            comment = reqObj.comment
+        else:
+            comment = ""
+
+        return comment
+
    def nullAndCastField(self, field):
        """
        Take in input a field string and return its processed nulled and
--- a/lib/core/session.py
+++ b/lib/core/session.py
@@ -98,8 +98,10 @@ def setInjection(inj):

        for stype, sdata in inj.data.items():
            dataToSessionFile("[%s][%s][%s][Injection type][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), PAYLOAD.SQLINJECTION[stype]))
-            dataToSessionFile("[%s][%s][%s][Injection payload][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), sdata[0]))
-            dataToSessionFile("[%s][%s][%s][Injection comment][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), sdata[1]))
+            dataToSessionFile("[%s][%s][%s][Injection title][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), sdata[0]))
+            dataToSessionFile("[%s][%s][%s][Injection payload][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), sdata[1]))
+            dataToSessionFile("[%s][%s][%s][Injection where][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), sdata[2]))
+            dataToSessionFile("[%s][%s][%s][Injection comment][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), sdata[3]))

 def setDbms(dbms):
    """
@@ -371,7 +373,7 @@ def resumeConfKb(expression, url, value):
            warnMsg += "injectable point"
            logger.warn(warnMsg)
        else:
-            if kb.injection.place is not None:
+            if kb.injection.place is not None and kb.injection.parameter is not None:
                kb.injections.append(kb.injection)
                kb.injection = injectionDict()

@@ -422,6 +424,13 @@ def resumeConfKb(expression, url, value):
        logMsg = "resuming injection type '%s' from session file" % stype
        logger.info(logMsg)

+    elif expression == "Injection title" and url == conf.url:
+        title = unSafeFormatString(value[:-1])
+        kb.injection.data[kb.injection.data.keys()[0]].append(title)
+
+        logMsg = "resuming injection title '%s' from session file" % title
+        logger.info(logMsg)
+
    elif expression == "Injection payload" and url == conf.url:
        payload = unSafeFormatString(value[:-1])
        kb.injection.data[kb.injection.data.keys()[0]].append(payload)
@@ -429,6 +438,13 @@ def resumeConfKb(expression, url, value):
        logMsg = "resuming injection payload '%s' from session file" % payload
        logger.info(logMsg)

+    elif expression == "Injection where" and url == conf.url:
+        where = unSafeFormatString(value[:-1])
+        kb.injection.data[kb.injection.data.keys()[0]].append(where)
+
+        logMsg = "resuming injection where '%s' from session file" % where
+        logger.info(logMsg)
+
    elif expression == "Injection comment" and url == conf.url:
        comment = unSafeFormatString(value[:-1])
        kb.injection.data[kb.injection.data.keys()[0]].append(comment)
@@ -492,10 +508,10 @@ def resumeConfKb(expression, url, value):
            test = readInput(message, default="N")

            if not test or test[0] in ("n", "N"):
-                conf.dbms      = dbms
+                kb.dbms = dbms
                kb.dbmsVersion = dbmsVersion
        else:
-            conf.dbms      = dbms
+            kb.dbms = dbms
            kb.dbmsVersion = dbmsVersion

    elif expression == "OS" and url == conf.url:
--- a/lib/core/target.py
+++ b/lib/core/target.py
@@ -173,7 +173,9 @@ def __setOutputResume():
                    elif len(value) >= len(kb.resumedQueries[url][expression]):
                        kb.resumedQueries[url][expression] = value

-            kb.injections.append(kb.injection)
+            if kb.injection.place is not None and kb.injection.parameter is not None:
+                kb.injections.append(kb.injection)
+
            readSessionFP.close()
        else:
            try: