Added (heuristic) support for sqlmapproject#1679

Author: stamparm

lib/core/settings.py

@@ -19,7 +19,7 @@
 from lib.core.enums import OS
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.1.3.14"
+VERSION = "1.1.3.15"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)

lib/request/connect.py

@@ -1045,19 +1045,28 @@ def _randomizeParameter(paramString, randomParameter):
  found = False
  value = getUnicode(value)
 
- regex = r"\b(%s)\b([^\w]+)(\w+)" % re.escape(name)
- if kb.postHint and re.search(regex, (post or "")):
- found = True
- post = re.sub(regex, "\g<1>\g<2>%s" % value, post)
+ if kb.postHint and re.search(r"\b%s\b" % re.escape(name), post or ""):
+ if kb.postHint in (POST_HINT.XML, POST_HINT.SOAP):
+ if re.search(r"<%s\b" % re.escape(name), post):
+ found = True
+ post = re.sub(r"(?s)(<%s\b[^>]*>)(.*?)(</%s)" % (re.escape(name), re.escape(name)), "\g<1>%s\g<3>" % value, post)
+ elif re.search(r"\b%s>" % re.escape(name), post):
+ found = True
+ post = re.sub(r"(?s)(\b%s>)(.*?)(</[^<]*\b%s>)" % (re.escape(name), re.escape(name)), "\g<1>%s\g<3>" % value, post)
+
+ regex = r"\b(%s)\b([^\w]+)(\w+)" % re.escape(name)
+ if not found and re.search(regex, (post or "")):
+ found = True
+ post = re.sub(regex, "\g<1>\g<2>%s" % value, post)
 
  regex = r"((\A|%s)%s=).+?(%s|\Z)" % (re.escape(delimiter), re.escape(name), re.escape(delimiter))
- if re.search(regex, (get or "")):
+ if not found and re.search(regex, (post or "")):
  found = True
- get = re.sub(regex, "\g<1>%s\g<3>" % value, get)
+ post = re.sub(regex, "\g<1>%s\g<3>" % value, post)
 
- if re.search(regex, (post or "")):
+ if re.search(regex, (get or "")):
  found = True
- post = re.sub(regex, "\g<1>%s\g<3>" % value, post)
+ get = re.sub(regex, "\g<1>%s\g<3>" % value, get)
 
  if re.search(regex, (query or "")):
  found = True

txt/checksum.md5

@@ -45,7 +45,7 @@ a8143dab9d3a27490f7d49b6b29ea530 lib/core/data.py
 d8e9250f3775119df07e9070eddccd16 lib/core/replication.py
 785f86e3f963fa3798f84286a4e83ff2 lib/core/revision.py
 40c80b28b3a5819b737a5a17d4565ae9 lib/core/session.py
-c33fe4941f9d344d9100104b0a0e4abb lib/core/settings.py
+3d8c01162174b351f890ceb122fd9052 lib/core/settings.py
 d91291997d2bd2f6028aaf371bf1d3b6 lib/core/shell.py
 2ad85c130cc5f2b3701ea85c2f6bbf20 lib/core/subprocessng.py
 afd0636d2e93c23f4f0a5c9b6023ea17 lib/core/target.py
@@ -67,7 +67,7 @@ a0444cc351cd6d29015ad16d9eb46ff4 lib/parse/sitemap.py
 403d873f1d2fd0c7f73d83f104e41850 lib/request/basicauthhandler.py
 0035612a620934d7ebe6d18426cfb065 lib/request/basic.py
 ef48de622b0a6b4a71df64b0d2785ef8 lib/request/comparison.py
-a4e3e939d059bb604309f5089c78c1dc lib/request/connect.py
+46fe0392776e18fcc37bf08d2c3ce5e3 lib/request/connect.py
 fb6b788d0016ab4ec5e5f661f0f702ad lib/request/direct.py
 cc1163d38e9b7ee5db2adac6784c02bb lib/request/dns.py
 5dcdb37823a0b5eff65cd1018bcf09e4 lib/request/httpshandler.py