# Store here the details about boundaries and payload used to

# successfully inject

injection = InjectionDict()

# Localized thread data needed for some methods

threadData = getCurrentThreadData()

# Set the flag for SQL injection test mode

kb.testMode = True

paramType = conf.method if conf.method not in (None, HTTPMETHOD.GET, HTTPMETHOD.POST) else place

tests = getSortedInjectionTests()

seenPayload = set()

while tests:

test = tests.pop(0)

try:

if kb.endDetection:

break

if conf.dbms is None:

# If the DBMS has not yet been fingerprinted (via simple heuristic check

# or via DBMS-specific payload) and boolean-based blind has been identified

# then attempt to identify with a simple DBMS specific boolean-based

# test what the DBMS may be

if not injection.dbms and PAYLOAD.TECHNIQUE.BOOLEAN in injection.data:

if not Backend.getIdentifiedDbms() and kb.heuristicDbms is False:

kb.heuristicDbms = heuristicCheckDbms(injection)

# If the DBMS has already been fingerprinted (via DBMS-specific

# error message, simple heuristic check or via DBMS-specific

# payload), ask the user to limit the tests to the fingerprinted

# DBMS

if kb.reduceTests is None and not conf.testFilter and (intersect(Backend.getErrorParsedDBMSes(), \

SUPPORTED_DBMS, True) or kb.heuristicDbms or injection.dbms):

msg = "it looks like the back-end DBMS is '%s'. " % (Format.getErrorParsedDBMSes() or kb.heuristicDbms or injection.dbms)

msg += "Do you want to skip test payloads specific for other DBMSes? [Y/n]"

kb.reduceTests = (Backend.getErrorParsedDBMSes() or [kb.heuristicDbms]) if readInput(msg, default='Y').upper() == 'Y' else []

# If the DBMS has been fingerprinted (via DBMS-specific error

# message, via simple heuristic check or via DBMS-specific

# payload), ask the user to extend the tests to all DBMS-specific,

# regardless of --level and --risk values provided

if kb.extendTests is None and not conf.testFilter and (conf.level < 5 or conf.risk < 3) \

and (intersect(Backend.getErrorParsedDBMSes(), SUPPORTED_DBMS, True) or \

kb.heuristicDbms or injection.dbms):

msg = "for the remaining tests, do you want to include all tests "

msg += "for '%s' extending provided " % (Format.getErrorParsedDBMSes() or kb.heuristicDbms or injection.dbms)

msg += "level (%d)" % conf.level if conf.level < 5 else ""

msg += " and " if conf.level < 5 and conf.risk < 3 else ""

msg += "risk (%d)" % conf.risk if conf.risk < 3 else ""

msg += " values? [Y/n]" if conf.level < 5 and conf.risk < 3 else " value? [Y/n]"

kb.extendTests = (Backend.getErrorParsedDBMSes() or [kb.heuristicDbms]) if readInput(msg, default='Y').upper() == 'Y' else []

title = test.title

kb.testType = stype = test.stype

clause = test.clause

unionExtended = False

if stype == PAYLOAD.TECHNIQUE.UNION:

configUnion(test.request.char)

if "[CHAR]" in title:

if conf.uChar is None:

continue

else:

title = title.replace("[CHAR]", conf.uChar)

elif "[RANDNUM]" in title or "(NULL)" in title:

title = title.replace("[RANDNUM]", "random number")

if test.request.columns == "[COLSTART]-[COLSTOP]":

if conf.uCols is None:

continue

else:

title = title.replace("[COLSTART]", str(conf.uColsStart))

title = title.replace("[COLSTOP]", str(conf.uColsStop))

elif conf.uCols is not None:

debugMsg = "skipping test '%s' because the user " % title

debugMsg += "provided custom column range %s" % conf.uCols

logger.debug(debugMsg)

continue

match = re.search(r"(\d+)-(\d+)", test.request.columns)

if injection.data and match:

lower, upper = int(match.group(1)), int(match.group(2))

for _ in (lower, upper):

if _ > 1:

unionExtended = True

test.request.columns = re.sub(r"\b%d\b" % _, str(2 * _), test.request.columns)

title = re.sub(r"\b%d\b" % _, str(2 * _), title)

test.title = re.sub(r"\b%d\b" % _, str(2 * _), test.title)

# Skip test if the user's wants to test only for a specific

# technique

if conf.tech and isinstance(conf.tech, list) and stype not in conf.tech:

debugMsg = "skipping test '%s' because the user " % title

debugMsg += "specified to test only for "

debugMsg += "%s techniques" % " & ".join(map(lambda x: PAYLOAD.SQLINJECTION[x], conf.tech))

logger.debug(debugMsg)

continue

# Skip test if it is the same SQL injection type already

# identified by another test

if injection.data and stype in injection.data:

debugMsg = "skipping test '%s' because " % title

debugMsg += "the payload for %s has " % PAYLOAD.SQLINJECTION[stype]

debugMsg += "already been identified"

logger.debug(debugMsg)

continue

# Parse DBMS-specific payloads' details

if "details" in test and "dbms" in test.details:

payloadDbms = test.details.dbms

else:

payloadDbms = None

# Skip tests if title, vector or DBMS is not included by the

# given test filter

if conf.testFilter and not any(conf.testFilter in str(item) or \

re.search(conf.testFilter, str(item), re.I) for item in \

(test.title, test.vector, payloadDbms)):

debugMsg = "skipping test '%s' because its " % title

debugMsg += "name/vector/DBMS is not included by the given filter"

logger.debug(debugMsg)

continue

if payloadDbms is not None:

# Skip DBMS-specific test if it does not match the user's

# provided DBMS

if conf.dbms is not None and not intersect(payloadDbms, conf.dbms, True):

debugMsg = "skipping test '%s' because " % title

debugMsg += "the provided DBMS is %s" % conf.dbms

logger.debug(debugMsg)

continue

# Skip DBMS-specific test if it does not match the

# previously identified DBMS (via DBMS-specific payload)

if injection.dbms is not None and not intersect(payloadDbms, injection.dbms, True):

debugMsg = "skipping test '%s' because the identified " % title

debugMsg += "back-end DBMS is %s" % injection.dbms

logger.debug(debugMsg)

continue

# Skip DBMS-specific test if it does not match the

# previously identified DBMS (via DBMS-specific error message)

if kb.reduceTests and not intersect(payloadDbms, kb.reduceTests, True):

debugMsg = "skipping test '%s' because the parsed " % title

debugMsg += "error message(s) showed that the back-end DBMS "

debugMsg += "could be %s" % Format.getErrorParsedDBMSes()

logger.debug(debugMsg)

continue

# If the user did not decide to extend the tests to all

# DBMS-specific or the test payloads is not specific to the

# identified DBMS, then only test for it if both level and risk

# are below the corrisponding configuration's level and risk

# values

if not conf.testFilter and not (kb.extendTests and intersect(payloadDbms, kb.extendTests, True)):

# Skip test if the risk is higher than the provided (or default)

# value

if test.risk > conf.risk:

debugMsg = "skipping test '%s' because the risk (%d) " % (title, test.risk)

debugMsg += "is higher than the provided (%d)" % conf.risk

logger.debug(debugMsg)

continue

# Skip test if the level is higher than the provided (or default)

# value

if test.level > conf.level:

debugMsg = "skipping test '%s' because the level (%d) " % (title, test.level)

debugMsg += "is higher than the provided (%d)" % conf.level

logger.debug(debugMsg)

continue

# Skip test if it does not match the same SQL injection clause

# already identified by another test

clauseMatch = False

for clauseTest in clause:

if injection.clause is not None and clauseTest in injection.clause:

clauseMatch = True

break

if clause != [0] and injection.clause and injection.clause != [0] and not clauseMatch:

debugMsg = "skipping test '%s' because the clauses " % title

debugMsg += "differ from the clause already identified"

logger.debug(debugMsg)

continue

# Skip test if the user provided custom character (for UNION-based payloads)

if conf.uChar is not None and ("random number" in title or "(NULL)" in title):

debugMsg = "skipping test '%s' because the user " % title

debugMsg += "provided a specific character, %s" % conf.uChar

logger.debug(debugMsg)

continue

infoMsg = "testing '%s'" % title

logger.info(infoMsg)

# Force back-end DBMS according to the current test DBMS value

# for proper payload unescaping

Backend.forceDbms(payloadDbms[0] if isinstance(payloadDbms, list) else payloadDbms)

# Parse test's <request>

comment = agent.getComment(test.request) if len(conf.boundaries) > 1 else None

fstPayload = agent.cleanupPayload(test.request.payload, origValue=value if place not in (PLACE.URI, PLACE.CUSTOM_POST, PLACE.CUSTOM_HEADER) else None)

# Favoring non-string specific boundaries in case of digit-like parameter values

if value.isdigit():

boundaries = sorted(copy.deepcopy(conf.boundaries), key=lambda x: any(_ in (x.prefix or "") or _ in (x.suffix or "") for _ in ('"', '\'')))

else:

boundaries = conf.boundaries

for boundary in boundaries:

injectable = False

# Skip boundary if the level is higher than the provided (or

# default) value

# Parse boundary's <level>

if boundary.level > conf.level and not (kb.extendTests and intersect(payloadDbms, kb.extendTests, True)):

continue

# Skip boundary if it does not match against test's <clause>

# Parse test's <clause> and boundary's <clause>

clauseMatch = False

for clauseTest in test.clause:

if clauseTest in boundary.clause:

clauseMatch = True

break

if test.clause != [0] and boundary.clause != [0] and not clauseMatch:

continue

# Skip boundary if it does not match against test's <where>

# Parse test's <where> and boundary's <where>

whereMatch = False

for where in test.where:

if where in boundary.where:

whereMatch = True

break

if not whereMatch:

continue

# Parse boundary's <prefix>, <suffix> and <ptype>

prefix = boundary.prefix if boundary.prefix else ""

suffix = boundary.suffix if boundary.suffix else ""

ptype = boundary.ptype

# Options --prefix/--suffix have a higher priority (if set by user)

prefix = conf.prefix if conf.prefix is not None else prefix

suffix = conf.suffix if conf.suffix is not None else suffix

comment = None if conf.suffix is not None else comment

# If the previous injections succeeded, we know which prefix,

# suffix and parameter type to use for further tests, no

# need to cycle through the boundaries for the following tests

condBound = (injection.prefix is not None and injection.suffix is not None)

condBound &= (injection.prefix != prefix or injection.suffix != suffix)

condType = injection.ptype is not None and injection.ptype != ptype

# If the payload is an inline query test for it regardless

# of previously identified injection types

if stype != PAYLOAD.TECHNIQUE.QUERY and (condBound or condType):

continue

# For each test's <where>

for where in test.where:

templatePayload = None

vector = None

# Threat the parameter original value according to the

# test's <where> tag

if where == PAYLOAD.WHERE.ORIGINAL or conf.prefix:

origValue = value

if kb.tamperFunctions:

templatePayload = agent.payload(place, parameter, value="", newValue=origValue, where=where)

elif where == PAYLOAD.WHERE.NEGATIVE:

# Use different page template than the original

# one as we are changing parameters value, which

# will likely result in a different content

kb.data.setdefault("randomInt", str(randomInt(10)))

kb.data.setdefault("randomStr", str(randomStr(10)))

if conf.invalidLogical:

_ = int(kb.data.randomInt[:2])

origValue = "%s AND %s=%s" % (value, _, _ + 1)

elif conf.invalidBignum:

origValue = kb.data.randomInt[:6]

elif conf.invalidString:

origValue = kb.data.randomStr[:6]

else:

origValue = "-%s" % kb.data.randomInt[:4]

templatePayload = agent.payload(place, parameter, value="", newValue=origValue, where=where)

elif where == PAYLOAD.WHERE.REPLACE:

origValue = ""

kb.pageTemplate, kb.errorIsNone = getPageTemplate(templatePayload, place)

# Forge request payload by prepending with boundary's

# prefix and appending the boundary's suffix to the

# test's ' <payload><comment> ' string

if fstPayload:

boundPayload = agent.prefixQuery(fstPayload, prefix, where, clause)

boundPayload = agent.suffixQuery(boundPayload, comment, suffix, where)

reqPayload = agent.payload(place, parameter, newValue=boundPayload, where=where)

if reqPayload:

if reqPayload in seenPayload:

continue

else:

seenPayload.add(reqPayload)

else:

reqPayload = None

# Perform the test's request and check whether or not the

# payload was successful

# Parse test's <response>

for method, check in test.response.items():

check = agent.cleanupPayload(check, origValue=value if place not in (PLACE.URI, PLACE.CUSTOM_POST, PLACE.CUSTOM_HEADER) else None)

# In case of boolean-based blind SQL injection

if method == PAYLOAD.METHOD.COMPARISON:

# Generate payload used for comparison

def genCmpPayload():

sndPayload = agent.cleanupPayload(test.response.comparison, origValue=value if place not in (PLACE.URI, PLACE.CUSTOM_POST, PLACE.CUSTOM_HEADER) else None)

# Forge response payload by prepending with

# boundary's prefix and appending the boundary's

# suffix to the test's ' <payload><comment> '

# string

boundPayload = agent.prefixQuery(sndPayload, prefix, where, clause)

boundPayload = agent.suffixQuery(boundPayload, comment, suffix, where)

cmpPayload = agent.payload(place, parameter, newValue=boundPayload, where=where)

return cmpPayload

# Useful to set kb.matchRatio at first based on

# the False response content

kb.matchRatio = None

kb.negativeLogic = (where == PAYLOAD.WHERE.NEGATIVE)

Request.queryPage(genCmpPayload(), place, raise404=False)

falsePage = threadData.lastComparisonPage or ""

# Perform the test's True request

trueResult = Request.queryPage(reqPayload, place, raise404=False)

truePage = threadData.lastComparisonPage or ""

if trueResult and not(truePage == falsePage and not kb.nullConnection):

falseResult = Request.queryPage(genCmpPayload(), place, raise404=False)

# Perform the test's False request

if not falseResult:

infoMsg = "%s parameter '%s' seems to be '%s' injectable " % (paramType, parameter, title)

logger.info(infoMsg)

injectable = True

if not injectable and not any((conf.string, conf.notString, conf.regexp)) and kb.pageStable:

trueSet = set(extractTextTagContent(truePage))

falseSet = set(extractTextTagContent(falsePage))

candidates = filter(None, (_.strip() if _.strip() in (kb.pageTemplate or "") and _.strip() not in falsePage and _.strip() not in threadData.lastComparisonHeaders else None for _ in (trueSet - falseSet)))

if candidates:

conf.string = candidates[0]

infoMsg = "%s parameter '%s' seems to be '%s' injectable (with --string=\"%s\")" % (paramType, parameter, title, repr(conf.string).lstrip('u').strip("'"))

logger.info(infoMsg)

injectable = True

# In case of error-based SQL injection

elif method == PAYLOAD.METHOD.GREP:

# Perform the test's request and grep the response

# body for the test's <grep> regular expression

try:

page, headers = Request.queryPage(reqPayload, place, content=True, raise404=False)

output = extractRegexResult(check, page, re.DOTALL | re.IGNORECASE) \

or extractRegexResult(check, listToStrValue( \

[headers[key] for key in headers.keys() if key.lower() != URI_HTTP_HEADER.lower()] \

if headers else None), re.DOTALL | re.IGNORECASE) \

or extractRegexResult(check, threadData.lastRedirectMsg[1] \

if threadData.lastRedirectMsg and threadData.lastRedirectMsg[0] == \

threadData.lastRequestUID else None, re.DOTALL | re.IGNORECASE)

if output:

result = output == "1"

if result:

infoMsg = "%s parameter '%s' is '%s' injectable " % (paramType, parameter, title)

logger.info(infoMsg)

injectable = True

except SqlmapConnectionException, msg:

debugMsg = "problem occurred most likely because the "

debugMsg += "server hasn't recovered as expected from the "

debugMsg += "error-based payload used ('%s')" % msg

logger.debug(debugMsg)

# In case of time-based blind or stacked queries

# SQL injections

elif method == PAYLOAD.METHOD.TIME:

# Perform the test's request

trueResult = Request.queryPage(reqPayload, place, timeBasedCompare=True, raise404=False)

if trueResult:

# Confirm test's results

trueResult = Request.queryPage(reqPayload, place, timeBasedCompare=True, raise404=False)

if trueResult:

infoMsg = "%s parameter '%s' seems to be '%s' injectable " % (paramType, parameter, title)

logger.info(infoMsg)

injectable = True

# In case of UNION query SQL injection

elif method == PAYLOAD.METHOD.UNION:

# Test for UNION injection and set the sample

# payload as well as the vector.

# NOTE: vector is set to a tuple with 6 elements,

# used afterwards by Agent.forgeUnionQuery()

# method to forge the UNION query payload

configUnion(test.request.char, test.request.columns)

if not Backend.getIdentifiedDbms():

if kb.heuristicDbms is None:

warnMsg = "using unescaped version of the test "

warnMsg += "because of zero knowledge of the "

warnMsg += "back-end DBMS. You can try to "

warnMsg += "explicitly set it using option '--dbms'"

singleTimeWarnMessage(warnMsg)

else:

Backend.forceDbms(kb.heuristicDbms)

if unionExtended:

infoMsg = "automatically extending ranges for UNION "

infoMsg += "query injection technique tests as "

infoMsg += "there is at least one other (potential) "

infoMsg += "technique found"

singleTimeLogMessage(infoMsg)

elif not injection.data:

_ = test.request.columns.split('-')[-1]

if _.isdigit() and int(_) > 10:

if kb.futileUnion is None:

msg = "it is not recommended to perform "

msg += "extended UNION tests if there is not "

msg += "at least one other (potential) "

msg += "technique found. Do you want to skip? [Y/n] "

kb.futileUnion = readInput(msg, default="Y").strip().upper() == 'N'

if kb.futileUnion is False:

continue

# Test for UNION query SQL injection

reqPayload, vector = unionTest(comment, place, parameter, value, prefix, suffix)

if isinstance(reqPayload, basestring):

infoMsg = "%s parameter '%s' is '%s' injectable" % (paramType, parameter, title)

logger.info(infoMsg)

injectable = True

# Overwrite 'where' because it can be set

# by unionTest() directly

where = vector[6]

kb.previousMethod = method

if conf.dummy or conf.offline:

injectable = False

# If the injection test was successful feed the injection

# object with the test's details

if injectable is True:

# Feed with the boundaries details only the first time a

# test has been successful

if injection.place is None or injection.parameter is None:

if place in (PLACE.USER_AGENT, PLACE.REFERER, PLACE.HOST):

injection.parameter = place

else:

injection.parameter = parameter

injection.place = place

injection.ptype = ptype

injection.prefix = prefix

injection.suffix = suffix

injection.clause = clause

# Feed with test details every time a test is successful

if hasattr(test, "details"):

for dKey, dValue in test.details.items():

if dKey == "dbms":

injection.dbms = dValue

if not isinstance(dValue, list):

Backend.setDbms(dValue)

else:

Backend.forceDbms(dValue[0], True)

elif dKey == "dbms_version" and injection.dbms_version is None and not conf.testFilter:

injection.dbms_version = Backend.setVersion(dValue)

elif dKey == "os" and injection.os is None:

injection.os = Backend.setOs(dValue)

if vector is None and "vector" in test and test.vector is not None:

vector = test.vector

injection.data[stype] = AttribDict()

injection.data[stype].title = title

injection.data[stype].payload = agent.removePayloadDelimiters(reqPayload)

injection.data[stype].where = where

injection.data[stype].vector = vector

injection.data[stype].comment = comment

injection.data[stype].templatePayload = templatePayload

injection.data[stype].matchRatio = kb.matchRatio

injection.conf.textOnly = conf.textOnly

injection.conf.titles = conf.titles

injection.conf.string = conf.string

injection.conf.notString = conf.notString

injection.conf.regexp = conf.regexp

injection.conf.optimize = conf.optimize

if not kb.alerted:

if conf.beep:

beep()

if conf.alert:

infoMsg = "executing alerting shell command(s) ('%s')" % conf.alert

logger.info(infoMsg)

process = execute(conf.alert, shell=True)

process.wait()

kb.alerted = True

# There is no need to perform this test for other

# <where> tags

break

if injectable is True:

kb.vulnHosts.add(conf.hostname)

break

# Reset forced back-end DBMS value

Backend.flushForcedDbms()

except KeyboardInterrupt:

warnMsg = "user aborted during detection phase"

logger.warn(warnMsg)

msg = "how do you want to proceed? [(S)kip current test/(e)nd detection phase/(n)ext parameter/(c)hange verbosity/(q)uit]"

choice = readInput(msg, default="S", checkBatch=False)

if choice[0] in ("s", "S"):

pass

elif choice[0] in ("c", "C"):

choice = None

while not ((choice or "").isdigit() and 0 <= int(choice) <= 6):

if choice:

logger.warn("invalid value")

msg = "enter new verbosity level: [0-6] "

choice = readInput(msg, default=str(conf.verbose), checkBatch=False).strip()

conf.verbose = int(choice)

setVerbosity()

tests.insert(0, test)

elif choice[0] in ("n", "N"):

return None

elif choice[0] in ("e", "E"):

kb.endDetection = True

elif choice[0] in ("q", "Q"):

raise SqlmapUserQuitException

finally:

# Reset forced back-end DBMS value

Backend.flushForcedDbms()

Backend.flushForcedDbms(True)

# Return the injection object

if injection.place is not None and injection.parameter is not None:

if not conf.dropSetCookie and PAYLOAD.TECHNIQUE.BOOLEAN in injection.data and injection.data[PAYLOAD.TECHNIQUE.BOOLEAN].vector.startswith('OR'):

warnMsg = "in OR boolean-based injections, please consider usage "

warnMsg += "of switch '--drop-set-cookie' if you experience any "

warnMsg += "problems during data retrieval"

logger.warn(warnMsg)

injection = checkFalsePositives(injection)

if not injection:

kb.vulnHosts.remove(conf.hostname)

else:

injection = None

if injection:

checkSuhosinPatch(injection)

checkFilteredChars(injection)

"""

retVal = False

pushValue(kb.injection)

kb.injection = injection

for dbms in getPublicTypeMembers(DBMS, True):

if not FROM_DUMMY_TABLE.get(dbms, ""):

continue

randStr1, randStr2 = randomStr(), randomStr()

Backend.forceDbms(dbms)

if checkBooleanExpression("(SELECT '%s'%s)='%s'" % (randStr1, FROM_DUMMY_TABLE.get(dbms, ""), randStr1)):

if not checkBooleanExpression("(SELECT '%s'%s)='%s'" % (randStr1, FROM_DUMMY_TABLE.get(dbms, ""), randStr2)):

retVal = dbms

break

Backend.flushForcedDbms()

kb.injection = popValue()

if retVal:

infoMsg = "heuristic (extended) test shows that the back-end DBMS " # Not as important as "parsing" counter-part (because of false-positives)

infoMsg += "could be '%s' " % retVal

logger.info(infoMsg)

"""

retVal = injection

if all(_ in (PAYLOAD.TECHNIQUE.BOOLEAN, PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED) for _ in injection.data) or\

(len(injection.data) == 1 and PAYLOAD.TECHNIQUE.UNION in injection.data and "Generic" in injection.data[PAYLOAD.TECHNIQUE.UNION].title):

pushValue(kb.injection)

infoMsg = "checking if the injection point on %s " % injection.place

infoMsg += "parameter '%s' is a false positive" % injection.parameter

logger.info(infoMsg)

def _():

return int(randomInt(2)) + 1

kb.injection = injection

for i in xrange(conf.level):

while True:

randInt1, randInt2, randInt3 = (_() for j in xrange(3))

randInt1 = min(randInt1, randInt2, randInt3)

randInt3 = max(randInt1, randInt2, randInt3)

if randInt3 > randInt2 > randInt1:

break

if not checkBooleanExpression("%d=%d" % (randInt1, randInt1)):

retVal = None

break

# Just in case if DBMS hasn't properly recovered from previous delayed request

if PAYLOAD.TECHNIQUE.BOOLEAN not in injection.data:

checkBooleanExpression("%d=%d" % (randInt1, randInt2))

if checkBooleanExpression("%d=%d" % (randInt1, randInt3)):

retVal = None

break

elif checkBooleanExpression("%d=%d" % (randInt3, randInt2)):

retVal = None

break

elif not checkBooleanExpression("%d=%d" % (randInt2, randInt2)):

retVal = None

break

if retVal is None:

warnMsg = "false positive or unexploitable injection point detected"

logger.warn(warnMsg)

kb.injection = popValue()

"""

if injection.place == PLACE.GET:

debugMsg = "checking for parameter length "

debugMsg += "constrainting mechanisms"

logger.debug(debugMsg)

pushValue(kb.injection)

kb.injection = injection

randInt = randomInt()

if not checkBooleanExpression("%d=%s%d" % (randInt, ' ' * SUHOSIN_MAX_VALUE_LENGTH, randInt)):

warnMsg = "parameter length constrainting "

warnMsg += "mechanism detected (e.g. Suhosin patch). "

warnMsg += "Potential problems in enumeration phase can be expected"

logger.warn(warnMsg)

debugMsg = "checking for filtered characters"

logger.debug(debugMsg)

pushValue(kb.injection)

kb.injection = injection

randInt = randomInt()

# all other techniques are already using parentheses in tests

if len(injection.data) == 1 and PAYLOAD.TECHNIQUE.BOOLEAN in injection.data:

if not checkBooleanExpression("(%d)=%d" % (randInt, randInt)):

warnMsg = "it appears that some non-alphanumeric characters (i.e. ()) are "

warnMsg += "filtered by the back-end server. There is a strong "

warnMsg += "possibility that sqlmap won't be able to properly "

warnMsg += "exploit this vulnerability"

logger.warn(warnMsg)

# inference techniques depend on character '>'

if not any(_ in injection.data for _ in (PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.QUERY)):

if not checkBooleanExpression("%d>%d" % (randInt+1, randInt)):

warnMsg = "it appears that the character '>' is "

warnMsg += "filtered by the back-end server. You are strongly "

warnMsg += "advised to rerun with the '--tamper=between'"

logger.warn(warnMsg)

if kb.nullConnection:

debugMsg = "heuristic check skipped because NULL connection used"

logger.debug(debugMsg)

return None

origValue = conf.paramDict[place][parameter]

paramType = conf.method if conf.method not in (None, HTTPMETHOD.GET, HTTPMETHOD.POST) else place

prefix = ""

suffix = ""

if conf.prefix or conf.suffix:

if conf.prefix:

prefix = conf.prefix

if conf.suffix:

suffix = conf.suffix

randStr = ""

while '\'' not in randStr:

randStr = randomStr(length=10, alphabet=HEURISTIC_CHECK_ALPHABET)

kb.heuristicMode = True

payload = "%s%s%s" % (prefix, randStr, suffix)

payload = agent.payload(place, parameter, newValue=payload)

page, _ = Request.queryPage(payload, place, content=True, raise404=False)

kb.heuristicMode = False

parseFilePaths(page)

result = wasLastResponseDBMSError()

infoMsg = "heuristic (basic) test shows that %s parameter " % paramType

infoMsg += "'%s' might " % parameter

def _(page):

return any(_ in (page or "") for _ in FORMAT_EXCEPTION_STRINGS)

casting = _(page) and not _(kb.originalPage)

if not casting and not result and kb.dynamicParameter and origValue.isdigit():

randInt = int(randomInt())

payload = "%s%s%s" % (prefix, "%d-%d" % (int(origValue) + randInt, randInt), suffix)

payload = agent.payload(place, parameter, newValue=payload, where=PAYLOAD.WHERE.REPLACE)

result = Request.queryPage(payload, place, raise404=False)

if not result:

randStr = randomStr()

payload = "%s%s%s" % (prefix, "%s%s" % (origValue, randStr), suffix)

payload = agent.payload(place, parameter, newValue=payload, where=PAYLOAD.WHERE.REPLACE)

casting = Request.queryPage(payload, place, raise404=False)

kb.heuristicTest = HEURISTIC_TEST.CASTED if casting else HEURISTIC_TEST.NEGATIVE if not result else HEURISTIC_TEST.POSITIVE

if casting:

errMsg = "possible %s casting " % ("integer" if origValue.isdigit() else "type")

errMsg += "detected (e.g. \"$%s=intval($_REQUEST['%s'])\") " % (parameter, parameter)

errMsg += "at the back-end web application"

logger.error(errMsg)

if kb.ignoreCasted is None:

message = "do you want to skip those kind of cases (and save scanning time)? %s " % ("[Y/n]" if conf.multipleTargets else "[y/N]")

kb.ignoreCasted = readInput(message, default='Y' if conf.multipleTargets else 'N').upper() != 'N'

elif result:

infoMsg += "be injectable"

if Backend.getErrorParsedDBMSes():

infoMsg += " (possible DBMS: '%s')" % Format.getErrorParsedDBMSes()

logger.info(infoMsg)

else:

infoMsg += "not be injectable"

logger.warn(infoMsg)

kb.heuristicMode = True

value = "%s%s%s" % (randomStr(), DUMMY_XSS_CHECK_APPENDIX, randomStr())

payload = "%s%s%s" % (prefix, "'%s" % value, suffix)

payload = agent.payload(place, parameter, newValue=payload)

page, _ = Request.queryPage(payload, place, content=True, raise404=False)

paramType = conf.method if conf.method not in (None, HTTPMETHOD.GET, HTTPMETHOD.POST) else place

if value in (page or ""):

infoMsg = "heuristic (XSS) test shows that %s parameter " % paramType

infoMsg += "'%s' might be vulnerable to XSS attacks" % parameter

logger.info(infoMsg)

kb.heuristicMode = False

"""

if kb.redirectChoice:

return None

kb.matchRatio = None

dynResult = None

randInt = randomInt()

paramType = conf.method if conf.method not in (None, HTTPMETHOD.GET, HTTPMETHOD.POST) else place

infoMsg = "testing if %s parameter '%s' is dynamic" % (paramType, parameter)

logger.info(infoMsg)

try:

payload = agent.payload(place, parameter, value, getUnicode(randInt))

dynResult = Request.queryPage(payload, place, raise404=False)

if not dynResult:

infoMsg = "confirming that %s parameter '%s' is dynamic" % (paramType, parameter)

logger.info(infoMsg)

randInt = randomInt()

payload = agent.payload(place, parameter, value, getUnicode(randInt))

dynResult = Request.queryPage(payload, place, raise404=False)

except SqlmapConnectionException:

pass

result = None if dynResult is None else not dynResult

kb.dynamicParameter = result

"""

if kb.nullConnection:

debugMsg = "dynamic content checking skipped "

debugMsg += "because NULL connection used"

logger.debug(debugMsg)