Adding new option --param-exclude on private request

stamparm · stamparm · commit 89bbf5284cfc · 2016-12-25T23:16:44.000+01:00
diff --git a/lib/controller/controller.py b/lib/controller/controller.py
@@ -470,6 +470,12 @@ def start():
                             infoMsg = "skipping %s parameter '%s'" % (paramType, parameter)
                             logger.info(infoMsg)
 
+                        elif re.search(conf.paramExclude or "", parameter, re.I) or kb.postHint and re.search(conf.paramExclude or "", parameter.split(' ')[-1], re.I):
+                            testSqlInj = False
+
+                            infoMsg = "skipping %s parameter '%s'" % (paramType, parameter)
+                            logger.info(infoMsg)
+
                         elif parameter == conf.csrfToken:
                             testSqlInj = False
 
diff --git a/lib/core/optiondict.py b/lib/core/optiondict.py
@@ -77,7 +77,8 @@
                                "testParameter":     "string",
                                "skip":              "string",
                                "skipStatic":        "boolean",
-                               "dbms":              "string",
+                               "skip":              "string",
+                               "paramExclude":      "string",
                                "dbmsCred":          "string",
                                "os":                "string",
                                "invalidBignum":     "boolean",
diff --git a/lib/core/settings.py b/lib/core/settings.py
@@ -19,7 +19,7 @@
 from lib.core.enums import OS
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.0.12.14"
+VERSION = "1.0.12.15"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
diff --git a/lib/parse/cmdline.py b/lib/parse/cmdline.py
@@ -269,6 +269,9 @@ def cmdLineParser(argv=None):
         injection.add_option("--skip-static", dest="skipStatic", action="store_true",
                              help="Skip testing parameters that not appear to be dynamic")
 
+        injection.add_option("--param-exclude", dest="paramExclude",
+                           help="Regexp to exclude parameters from testing (e.g. \"ses\")")
+
         injection.add_option("--dbms", dest="dbms",
                              help="Force back-end DBMS to this value")
 
diff --git a/sqlmap.conf b/sqlmap.conf
@@ -238,6 +238,9 @@ skip =
 # Valid: True or False
 skipStatic = False
 
+# Regexp to exclude parameters from testing (e.g. "ses").
+paramExclude =
+
 # Force back-end DBMS to this value. If this option is set, the back-end
 # DBMS identification process will be minimized as needed.
 # If not set, sqlmap will detect back-end DBMS automatically by default.
diff --git a/txt/checksum.md5 b/txt/checksum.md5
@@ -21,7 +21,7 @@ cc9c82cfffd8ee9b25ba3af6284f057e  extra/sqlharvest/__init__.py
 4f2f817596540d82f9fcc0c5b2228beb  extra/sqlharvest/sqlharvest.py
 2daa39e4d59526acb4772b6c47eb315f  lib/controller/action.py
 eb36e67d0f698384978486d9b16591c5  lib/controller/checks.py
-f5183cfef62974889db81beb0adbf8fd  lib/controller/controller.py
+531365e625d740ffed1fe97d8318979c  lib/controller/controller.py
 ec007a1424da78cfdae90da6ae49ed9b  lib/controller/handler.py
 cc9c82cfffd8ee9b25ba3af6284f057e  lib/controller/__init__.py
 cdffff6260c40ccb4e4092fc21d9d63f  lib/core/agent.py
@@ -38,14 +38,14 @@ b218e03ef7426fb0414881b05add1092  lib/core/enums.py
 e4aec2b11c1ad6039d0c3dbbfbc5eb1a  lib/core/exception.py
 cc9c82cfffd8ee9b25ba3af6284f057e  lib/core/__init__.py
 91c514013daa796e2cdd940389354eac  lib/core/log.py
-86c86d2ee9e0eb74b13c16797b7dfc51  lib/core/optiondict.py
+ea5b08cac48cf538fb4bce31438b387b  lib/core/optiondict.py
 5d530c06c9720626ef6bf9e0a3decd2a  lib/core/option.py
 7af487340c138f7b5dbd443161cbb428  lib/core/profiling.py
 e60456db5380840a586654344003d4e6  lib/core/readlineng.py
 b3a62d41a5af6cd7fa733b6227febb0c  lib/core/replication.py
 dfb664b223ac3585d51e58839b777d9b  lib/core/revision.py
 7c15dd2777af4dac2c89cab6df17462e  lib/core/session.py
-f6750f9990821025ee93de4561b534bc  lib/core/settings.py
+d686c45c24eaa2519bc7e942fa8a2743  lib/core/settings.py
 7af83e4f18cab6dff5e67840eb65be80  lib/core/shell.py
 23657cd7d924e3c6d225719865855827  lib/core/subprocessng.py
 c3ace7874a536d801f308cf1fd03df99  lib/core/target.py
@@ -56,7 +56,7 @@ d43f059747ffd48952922c94152e2a07  lib/core/testing.py
 8485a3cd94c0a5af2718bad60c5f1ae5  lib/core/wordlist.py
 cc9c82cfffd8ee9b25ba3af6284f057e  lib/__init__.py
 c1288bc4ce5651dbdd82d4a9435fdc03  lib/parse/banner.py
-ba4c9a57e87f54c647ca29a14fa82f9c  lib/parse/cmdline.py
+16c1928161aa64e7c98d42116369459c  lib/parse/cmdline.py
 8ec4d4f02634834701f8258726f2e511  lib/parse/configfile.py
 fe4e2152292587928edb94c9a4d311ff  lib/parse/handler.py
 8e6bfb13e5a34b2610f3ff23467a34cf  lib/parse/headers.py
