
Commit 4c1fc09

committed
Adding heuristic check for FI vulnerability
1 parent a8c6c6f commit 4c1fc09


2 files changed

+11
-5
lines changed


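--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -63,7 +63,7 @@
 from lib.core.exception import SqlmapSilentQuitException
 from lib.core.exception import SqlmapUserQuitException
 from lib.core.settings import DEFAULT_GET_POST_DELIMITER
-from lib.core.settings import DUMMY_XSS_CHECK_APPENDIX
+from lib.core.settings import DUMMY_NON_SQLI_CHECK_APPENDIX
 from lib.core.settings import FORMAT_EXCEPTION_STRINGS
 from lib.core.settings import HEURISTIC_CHECK_ALPHABET
 from lib.core.settings import SUHOSIN_MAX_VALUE_LENGTH
@@ -919,7 +919,8 @@ def _(page):
 
 kb.heuristicMode = True
 
-value = "%s%s%s" % (randomStr(), DUMMY_XSS_CHECK_APPENDIX, randomStr())
+randStr1, randStr2 = randomStr(), randomStr()
+value = "%s%s%s" % (randStr1, DUMMY_NON_SQLI_CHECK_APPENDIX, randStr2)
 payload = "%s%s%s" % (prefix, "'%s" % value, suffix)
 payload = agent.payload(place, parameter, newValue=payload)
 page, _ = Request.queryPage(payload, place, content=True, raise404=False)
@@ -928,7 +929,12 @@ def _(page):
 
 if value in (page or ""):
 infoMsg = "heuristic (XSS) test shows that %s parameter " % paramType
-infoMsg += "'%s' might be vulnerable to XSS attacks" % parameter
+infoMsg += "'%s' might be vulnerable to cross-site scripting attacks" % parameter
+logger.info(infoMsg)
+
+if re.search(r"(?i)Failed opening[^\n]+%s" % randStr1, page or ""):
+infoMsg = "heuristic (FI) test shows that %s parameter " % paramType
+infoMsg += "'%s' might be vulnerable to file inclusion attacks" % parameter
 logger.info(infoMsg)
 
 kb.heuristicMode = False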
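Review bot: `randStr1` is interpolated into the regex pattern unescaped on the `re.search(r"(?i)Failed opening[^\n]+%s" % randStr1, page or "")` line; randomStr() presumably yields only alphanumerics, but if that ever changes the pattern breaks or over-matches, so `re.search(r"(?i)Failed opening[^\n]+%s" % re.escape(randStr1), page or "")` is the safer form. The new branch also depends on `re` being imported at the top of checks.py, which is outside this view. A comment above the check, `# an include/require warning ("Failed opening ...") that echoes our first marker suggests the parameter reaches a file-inclusion sink; this is a heuristic only, not a confirmed finding`, would document why this specific error text is matched and how much weight the log line carries. The enclosing function begins and ends outside the hunk.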

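--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -548,8 +548,8 @@
 # Alphabet used for heuristic checks
 HEURISTIC_CHECK_ALPHABET = ('"', '\'', ')', '(', ',', '.')
 
-# String used for dummy XSS check of a tested parameter value
-DUMMY_XSS_CHECK_APPENDIX = "<'\">"
+# String used for dummy non-SQLi (e.g. XSS) check of a tested parameter value
+DUMMY_NON_SQLI_CHECK_APPENDIX = "<'\">"
 
 # Connection chunk size (processing large responses in chunks to avoid MemoryError crashes - e.g. large table dump in full UNION injections)
 MAX_CONNECTION_CHUNK_SIZE = 10 * 1024 * 1024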
