Minor patch
parent
6e459d66f2
commit
8a75c0bb62
3 changed files with 25 additions and 23 deletions
|
|
@ -1289,6 +1289,27 @@ def checkDynamicContent(firstPage, secondPage):
|
|||
count += 1
|
||||
|
||||
if count > conf.retries:
|
||||
# Last resort before the (lossy) '--text-only' fallback: if the page is byte-unstable
|
||||
# but STRUCTURALLY stable - an identical, non-empty tag/class/id skeleton across
|
||||
# requests - base the comparison on that value-free structure instead. Dynamic text
|
||||
# (e.g. per-render result rows) then no longer masks an injection whose signal is
|
||||
# structural (the HTML counterpart of the structure-aware JSON comparison). Content
|
||||
# with no usable structure (empty skeleton, e.g. random/binary bodies) falls through
|
||||
# to '--text-only' as before.
|
||||
skeleton = extractStructuralTokens(firstPage)
|
||||
if skeleton and skeleton == extractStructuralTokens(secondPage):
|
||||
kb.pageStructurallyStable = True
|
||||
|
||||
if kb.nullConnection:
|
||||
debugMsg = "turning off NULL connection support because of structural page comparison"
|
||||
logger.debug(debugMsg)
|
||||
kb.nullConnection = None
|
||||
|
||||
infoMsg = "target URL content is not byte-stable but structurally stable; sqlmap "
|
||||
infoMsg += "will base the page comparison on the page structure"
|
||||
logger.info(infoMsg)
|
||||
return
|
||||
|
||||
warnMsg = "target URL content appears to be too dynamic. "
|
||||
warnMsg += "Switching to '--text-only' "
|
||||
logger.warning(warnMsg)
|
||||
|
|
@ -1394,26 +1415,7 @@ def checkStability():
|
|||
raise SqlmapNoneDataException(errMsg)
|
||||
|
||||
else:
|
||||
# Before engaging the (lossy) dynamic-content removal / '--text-only' escalation, check
|
||||
# whether the page is structurally stable (identical tag/class/id skeleton across the two
|
||||
# requests) despite differing text. If so, base the comparison on that value-free structure
|
||||
# so that dynamic content (e.g. per-render result rows) does not mask an injection. This is
|
||||
# the HTML counterpart of the structure-aware JSON comparison
|
||||
if firstPage and secondPage and extractStructuralTokens(firstPage) == extractStructuralTokens(secondPage):
|
||||
kb.pageStructurallyStable = True
|
||||
|
||||
if kb.nullConnection:
|
||||
debugMsg = "turning off NULL connection "
|
||||
debugMsg += "support because of structural page comparison"
|
||||
logger.debug(debugMsg)
|
||||
|
||||
kb.nullConnection = None
|
||||
|
||||
infoMsg = "target URL content is not byte-stable but structurally stable; sqlmap "
|
||||
infoMsg += "will base the page comparison on the page structure"
|
||||
logger.info(infoMsg)
|
||||
else:
|
||||
checkDynamicContent(firstPage, secondPage)
|
||||
checkDynamicContent(firstPage, secondPage)
|
||||
|
||||
return kb.pageStable
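Review bot: In the checkDynamicContent hunk, the new last-resort branch switches the whole run to structure-based comparison (`kb.pageStructurallyStable = True`, NULL connection turned off) on the strength of a single pair of skeletons, at the very point where `count > conf.retries` has just shown the page to be unstable. If the tag/class/id skeleton only happens to match for this pair, later structural drift would presumably be read as a payload effect, so the decision deserves a caveat where it is taken, e.g. the comment `# NOTE: stability is inferred from one firstPage/secondPage pair; findings made in this mode are worth re-checking`, and `logger.warning(infoMsg)` instead of `logger.info(infoMsg)` so the mode change is as visible as the '--text-only' switch below it. The early `return` also skips whatever follows the '--text-only' warning, which lies outside the hunk, so the function's docstring should say that it can now exit with the structural flag set instead of text-only enabled. With the check removed from checkStability, its `else:` branch no longer says where structural stability is decided; a one-line comment pointing to checkDynamicContent would help the next reader.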
|
||||
|
||||
|
|
|
|||
|
|
@ -20,7 +20,7 @@ from lib.core.enums import OS
|
|||
from thirdparty import six
|
||||
|
||||
# sqlmap version (<major>.<minor>.<month>.<monthly commit>)
|
||||
VERSION = "1.10.7.1"
|
||||
VERSION = "1.10.7.2"
|
||||
TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
|
||||
TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
|
||||
VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
|
||||
|
|
|
|||