[sqlmap-users] Bug report in connect.py
From: pacman730 <pac...@us...> - 2009-12-09 03:50:18
Hi sqlmap team,

I found a bug in the getPage function in the Connect class. The bug occurs when there is a timeout exception or other types of exception. In this case the function is gonna call itself (if retriesCount < conf.retries), but with a changed url variable. So in this case it's gonna connect to:

http://www.test.com/list.php?id=354%20sqlinjectionhere?id=354%20sqlinjectionhere

You can't see this with -v 3 because requestMsg is how it should be; I found it with Wireshark. To fix this you need to change lines 90, 92, 111 and 130. This is how I did it:

[...] line 88
        url2 = url  # default when no query string is appended (otherwise url2 is undefined below)
        if direct:
            if "?" in url:
                # split only on the first "?" so a value containing "?" does not break the unpack
                url2, params = url.split("?", 1)
                params = urlencode(params).replace("%%", "%")
                url2 = "%s?%s" % (url2, params)
                requestMsg += "?%s" % params
[...] line 105
        else:
            if conf.parameters.has_key("GET") and not get:
                get = conf.parameters["GET"]

            if get:
                get = urlencode(get).replace("%%", "%")
                url2 = "%s?%s" % (url, get)
                requestMsg += "?%s" % get
[...] line 127
        try:
            # Perform HTTP request
            headers = forgeHeaders(cookie, ua)
            req = urllib2.Request(url2, post, headers)
            conn = urllib2.urlopen(req)

I just made a new var url2 to not change url and send it back modified. Or maybe you can change line 216 to:

        return Connect.__getPageProxy(kwargs)

but I haven't tried it because I was too busy and I'm kinda new to python.

Have a nice day,
pacman730
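The doubled query string described in the report, reproduced as an added example (not code from the post or from sqlmap): FlakyTransport is a constructed stand-in for urllib2.urlopen that times out twice before succeeding, get_page_buggy and get_page_fixed are hypothetical minimal versions of the getPage retry logic, and CONF_RETRIES stands in for conf.retries.

```python
from urllib.parse import urlencode

CONF_RETRIES = 3  # stands in for conf.retries


class FlakyTransport:
    """Constructed stand-in for urllib2.urlopen: raises a timeout
    `failures` times, then succeeds; records every URL it was asked to open."""

    def __init__(self, failures):
        self.failures = failures
        self.opened = []

    def open(self, url):
        self.opened.append(url)
        if self.failures > 0:
            self.failures -= 1
            raise TimeoutError("simulated timeout")
        return "<html>ok</html>"


def get_page_buggy(transport, url, get=None, retries=0):
    # Defect from the report: the query string is appended to `url` itself...
    if get:
        url = "%s?%s" % (url, urlencode(get))
    try:
        return transport.open(url)
    except TimeoutError:
        if retries < CONF_RETRIES:
            # ...and the already-joined url is passed into the retry, so each
            # retry appends the parameters again ("...?id=354?id=354").
            return get_page_buggy(transport, url, get, retries + 1)
        raise


def get_page_fixed(transport, url, get=None, retries=0):
    # Fix from the report: build the request URL in a separate variable
    # (url2) and recurse with the untouched `url`.
    url2 = "%s?%s" % (url, urlencode(get)) if get else url
    try:
        return transport.open(url2)
    except TimeoutError:
        if retries < CONF_RETRIES:
            return get_page_fixed(transport, url, get, retries + 1)
        raise


if __name__ == "__main__":
    for fn in (get_page_buggy, get_page_fixed):
        t = FlakyTransport(failures=2)
        fn(t, "http://www.test.com/list.php", {"id": "354"})
        print(fn.__name__, t.opened)
```

Running it shows the buggy version opening `list.php?id=354`, then `list.php?id=354?id=354`, then `list.php?id=354?id=354?id=354`, while the fixed version opens `list.php?id=354` on all three attempts.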