diff --git a/extra/vulnserver/vulnserver.py b/extra/vulnserver/vulnserver.py index be07f4e7b..520652435 100644 --- a/extra/vulnserver/vulnserver.py +++ b/extra/vulnserver/vulnserver.py @@ -129,7 +129,6 @@ class ReqHandler(BaseHTTPRequestHandler): self.url, self.params = path, params if self.url == '/': - if not any(_ in self.params for _ in ("id", "query")): self.send_response(OK) self.send_header("Content-type", "text/html; charset=%s" % UNICODE_ENCODING) @@ -158,18 +157,22 @@ class ReqHandler(BaseHTTPRequestHandler): output += "SQL results:
\n" - if results: - output += "\n" - - for row in results: - output += "" - for value in row: - output += "" % value - output += "\n" - - output += "
%s
\n" + if self.params.get("code", ""): + if not results: + code = INTERNAL_SERVER_ERROR else: - output += "no results found" + if results: + output += "\n" + + for row in results: + output += "" + for value in row: + output += "" % value + output += "\n" + + output += "
%s
\n" + else: + output += "no results found" output += "" except Exception as ex: @@ -196,7 +199,7 @@ class ReqHandler(BaseHTTPRequestHandler): self.do_REQUEST() def do_PUT(self): - self.do_REQUEST() + self.do_POST() def do_HEAD(self): self.do_REQUEST() diff --git a/lib/controller/checks.py b/lib/controller/checks.py index 2bc73f90c..8e553a958 100644 --- a/lib/controller/checks.py +++ b/lib/controller/checks.py @@ -529,7 +529,7 @@ def checkSqlInjection(place, parameter, value): truePage, trueHeaders, trueCode = threadData.lastComparisonPage or "", threadData.lastComparisonHeaders, threadData.lastComparisonCode trueRawResponse = "%s%s" % (trueHeaders, truePage) - if trueResult and not(truePage == falsePage and not kb.nullConnection): + if trueResult and not(truePage == falsePage and not any((kb.nullConnection, conf.code))): # Perform the test's False request falseResult = Request.queryPage(genCmpPayload(), place, raise404=False) diff --git a/lib/core/settings.py b/lib/core/settings.py index ca4a3a6e1..18c9726fb 100644 --- a/lib/core/settings.py +++ b/lib/core/settings.py @@ -18,7 +18,7 @@ from lib.core.enums import OS from thirdparty.six import unichr as _unichr # sqlmap version (...) -VERSION = "1.5.2.2" +VERSION = "1.5.2.3" TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable" TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34} VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE) diff --git a/lib/core/testing.py b/lib/core/testing.py index b38160605..a42fa5abf 100644 --- a/lib/core/testing.py +++ b/lib/core/testing.py @@ -41,6 +41,7 @@ def vulnTest(): ("-h", ("to see full list of options run with '-hh'",)), ("--dependencies --deprecations", ("sqlmap requires", "third-party library", "~DeprecationWarning:")), ("-u --data='reflect=1' --flush-session --wizard", ("Please choose:", "back-end DBMS: SQLite", "current user is DBA: True", "banner: '3.")), + ("-u --data='code=1' --code=200 --technique=B --banner --flush-session", ("back-end DBMS: SQLite", "banner: '3.")), (u"-c --flush-session --smart --roles --statements --hostname --privileges --sql-query=\"SELECT '\u0161u\u0107uraj'\" --technique=U", (u": '\u0161u\u0107uraj'", "on SQLite it is not possible")), (u"-u --flush-session --sql-query=\"SELECT '\u0161u\u0107uraj'\" --technique=B --no-escape --string=luther --unstable", (u": '\u0161u\u0107uraj'",)), ("--dummy", ("all tested parameters do not appear to be injectable", "does not seem to be injectable", "there is not at least one", "~might be injectable")), @@ -51,15 +52,15 @@ def vulnTest(): (" -r -l --flush-session --banner --technique=B", ("banner: '3.", "STDIN")), ("-l --flush-session --keep-alive --skip-waf -v 5 --technique=U --union-from=users --banner --parse-errors", ("banner: '3.", "ORDER BY term out of range", "~xp_cmdshell", "Connection: keep-alive")), ("-l --offline --banner -v 5", ("banner: '3.", "~[TRAFFIC OUT]")), - ("-u --flush-session --data='id=1&_=Eewef6oh' --chunked --randomize=_ --random-agent --banner", ("fetched random HTTP User-Agent header value", "Parameter: id (POST)", "Type: boolean-based blind", "Type: time-based blind", "Type: UNION query", "banner: '3.")), + ("-u --flush-session --data='id=1&_=Eewef6oh' --chunked --randomize=_ --random-agent --banner", ("fetched random HTTP User-Agent header value", "Parameter: id (POST)", "Type: boolean-based blind", "Type: time-based blind", "Type: UNION query", "banner: '3.")), ("-u -p id --base64=id --data='base64=true' --flush-session --banner --technique=B", ("banner: '3.",)), ("-u -p id --base64=id --data='base64=true' --flush-session --tables --technique=U", (" users ",)), ("-u --flush-session --banner --technique=B --not-string 'no results'", ("banner: '3.",)), ("-u --flush-session --banner --technique=B --first=1 --last=2", ("banner: '3.'",)), ("-u --flush-session --encoding=ascii --forms --crawl=2 --threads=2 --banner", ("total of 2 targets", "might be injectable", "Type: UNION query", "banner: '3.")), - ("-u --flush-session --data='{\"id\": 1}' --banner", ("might be injectable", "3 columns", "Payload: {\"id\"", "Type: boolean-based blind", "Type: time-based blind", "Type: UNION query", "banner: '3.")), - ("-u --flush-session -H 'Foo: Bar' -H 'Sna: Fu' --data='' --union-char=1 --mobile --answers='smartphone=3' --banner --smart -v 5", ("might be injectable", "Payload: --flush-session --method=PUT --data='a=1&b=2&c=3&id=1' --skip-static --har= --dump -T users --start=1 --stop=2", ("might be injectable", "Parameter: id (PUT)", "Type: boolean-based blind", "Type: time-based blind", "Type: UNION query", "2 entries")), + ("-u --flush-session --data='{\"id\": 1}' --banner", ("might be injectable", "3 columns", "Payload: {\"id\"", "Type: boolean-based blind", "Type: time-based blind", "Type: UNION query", "banner: '3.")), + ("-u --flush-session -H 'Foo: Bar' -H 'Sna: Fu' --data='' --union-char=1 --mobile --answers='smartphone=3' --banner --smart -v 5", ("might be injectable", "Payload: --flush-session --method=PUT --data='a=1;id=1;b=2' --param-del=';' --skip-static --har= --dump -T users --start=1 --stop=2", ("might be injectable", "Parameter: id (PUT)", "Type: boolean-based blind", "Type: time-based blind", "Type: UNION query", "2 entries")), ("-u --flush-session -H 'id: 1*' --tables -t ", ("might be injectable", "Parameter: id #1* ((custom) HEADER)", "Type: boolean-based blind", "Type: time-based blind", "Type: UNION query", " users ")), ("-u --flush-session --banner --invalid-logical --technique=B --predict-output --test-filter='OR boolean' --tamper=space2dash", ("banner: '3.", " LIKE ")), ("-u --flush-session --cookie=\"PHPSESSID=d41d8cd98f00b204e9800998ecf8427e; id=1*; id2=2\" --tables --union-cols=3", ("might be injectable", "Cookie #1* ((custom) HEADER)", "Type: boolean-based blind", "Type: time-based blind", "Type: UNION query", " users ")), @@ -121,7 +122,8 @@ def vulnTest(): open(request, "w+").write(content) open(log, "w+").write('%d' % (port, encodeBase64(content, binary=False))) - url = "http://%s:%d/?id=1" % (address, port) + base = "http://%s:%d/" % (address, port) + url = "%s?id=1" % base direct = "sqlite3://%s" % database content = open(os.path.abspath(os.path.join(os.path.dirname(__file__), "..", "..", "sqlmap.conf"))).read().replace("url =", "url = %s" % url) @@ -131,7 +133,7 @@ def vulnTest(): status = '%d/%d (%d%%) ' % (count, len(TESTS), round(100.0 * count / len(TESTS))) dataToStdout("\r[%s] [INFO] complete: %s" % (time.strftime("%X"), status)) - for tag, value in (("", url), ("", direct), ("", request), ("", log), ("", config), ("", url.replace("id=1", "id=MZ=%3d"))): + for tag, value in (("", url), ("", base), ("", direct), ("", request), ("", log), ("", config), ("", url.replace("id=1", "id=MZ=%3d"))): options = options.replace(tag, value) cmd = "%s \"%s\" %s --batch --non-interactive --debug" % (sys.executable, os.path.abspath(os.path.join(os.path.dirname(__file__), "..", "..", "sqlmap.py")), options)