[sqlmap-users] Google search ('dork') bug in sqlmap?
From: Brandon E. <bra...@gm...> - 2010-10-01 05:03:12
When using the Google 'dork' feature (-g option) in the latest development version of sqlmap (and, I can only assume, all previous versions), it appears that when Google returns results it encodes HTML entities like the ampersand "&" as "&amp;". sqlmap does not do anything with these encoded entities, which results in improperly named variables/parameters being checked. Observe the following output:

    [23:50:28] [WARNING] GET parameter 'amp;s' is not dynamic
    [23:50:28] [INFO] testing if GET parameter 'amp;id' is dynamic
    [23:50:29] [WARNING] GET parameter 'amp;id' is not dynamic
    [23:50:29] [INFO] testing if GET parameter 'amp;Name' is dynamic

As "&amp;" isn't converted to "&" prior to the disassembly of the URL for testing, sqlmap is under the impression that the variable names are different from what they should be, and the wrong variables get tested.

I have written a one-line patch to remedy this. In lib/utils/google.py, line 74 adds the target URL. Prior to the targetUrls.add() statement, place the following:

    match = match.replace("&amp;", "&")

This results in the "for match ..." block that the statements are contained in resembling:

    for match in self.__matches:
        if re.search("(.*?)\?(.+)", match, re.I):
            match = match.replace("&amp;", "&")
            kb.targetUrls.add(( match, None, None, None ))

If I am wrong and the right variables are being tested (but not properly displayed in the verbose output), please let me know. Otherwise this patch should be committed to the codebase in order to remedy this Google search results issue.

- Brandon
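The parameter-name mix-up described in the post, reproduced as an added example (this is not sqlmap's code and not the patch from the message; the sample URL is constructed). It splits the query string on "&" the way a scanner would, showing that an HTML-escaped URL yields bogus names such as "amp;id", and that decoding the entities first restores the real names. It goes slightly beyond the single "&amp;" replacement in the post by using html.unescape, which also handles "&quot;", "&#39;" and other entities that a search-result page may emit.

```python
import html

# Constructed sample: a URL as scraped from an HTML search-result page, where the
# ampersands separating query parameters have been escaped as "&amp;".
SAMPLE_ESCAPED_URL = "http://example.com/index.php?s=1&amp;id=2&amp;Name=foo"


def parameter_names(url):
    """Return the GET parameter names a scanner would iterate over.

    Splits the query string on a literal "&" and takes the text before "=",
    mirroring how a URL is disassembled for per-parameter testing. The split
    is done by hand so the result does not depend on the Python version's
    urllib.parse.parse_qsl separator rules.
    """
    if "?" not in url:
        return []
    query = url.split("?", 1)[1]
    return [part.split("=", 1)[0] for part in query.split("&") if part]


def unescape_url(url):
    """Decode HTML entities in a URL taken out of an HTML page.

    html.unescape turns "&amp;" into "&", "&quot;" into '"' and so on. Apply it
    only to URLs extracted from HTML; a URL typed by the user already contains
    literal characters, and a second decode could alter parameter values that
    legitimately contain entity-looking text.
    """
    return html.unescape(url)


def compare(url):
    """Parameter names seen before and after entity decoding."""
    return {
        "raw": parameter_names(url),
        "unescaped": parameter_names(unescape_url(url)),
    }


if __name__ == "__main__":
    result = compare(SAMPLE_ESCAPED_URL)
    print("without decoding:", result["raw"])
    print("with decoding:   ", result["unescaped"])
```

Run stand-alone, the script prints the "amp;id"-style names for the raw URL and the intended names once the entities are decoded; in a scanner this decoding belongs at the point where the scraped URL is stored, before any parameter parsing happens.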