Update for sqlmapproject#4928

Author: stamparm

lib/core/option.py

@@ -2116,6 +2116,7 @@ def _setKnowledgeBaseAttributes(flushAll=True):
  kb.pageStable = None
  kb.partRun = None
  kb.permissionFlag = False
+ kb.place = None
  kb.postHint = None
  kb.postSpaceToPlus = False
  kb.postUrlEncode = True

lib/core/settings.py

@@ -20,7 +20,7 @@
 from thirdparty.six import unichr as _unichr
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.6.1.7"
+VERSION = "1.6.2.0"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)

lib/core/target.py

@@ -26,8 +26,10 @@
 from lib.core.common import removePostHintPrefix
 from lib.core.common import resetCookieJar
 from lib.core.common import safeStringFormat
+from lib.core.common import unArrayizeValue
 from lib.core.common import urldecode
 from lib.core.compat import xrange
+from lib.core.convert import decodeBase64
 from lib.core.convert import getUnicode
 from lib.core.data import conf
 from lib.core.data import kb
@@ -741,6 +743,15 @@ class _(six.text_type):
  setattr(conf.data, UNENCODED_ORIGINAL_VALUE, original)
  kb.postSpaceToPlus = '+' in original
 
+ if conf.data and unArrayizeValue(conf.base64Parameter) == HTTPMETHOD.POST:
+ if '=' not in conf.data.strip('='):
+ try:
+ original = conf.data
+ conf.data = _(decodeBase64(conf.data, binary=False))
+ setattr(conf.data, UNENCODED_ORIGINAL_VALUE, original)
+ except:
+ pass
+
  match = re.search(INJECT_HERE_REGEX, "%s %s %s" % (conf.url, conf.data, conf.httpHeaders))
  kb.customInjectionMark = match.group(0) if match else CUSTOM_INJECTION_MARK_CHAR
 

lib/core/testing.py

@@ -65,6 +65,7 @@ def vulnTest():
  ("-u <url> --flush-session --banner --invalid-logical --technique=B --predict-output --test-filter=\"OR boolean\" --tamper=space2dash", ("banner: '3.", " LIKE ")),
  ("-u <url> --flush-session --cookie=\"PHPSESSID=d41d8cd98f00b204e9800998ecf8427e; id=1*; id2=2\" --tables --union-cols=3", ("might be injectable", "Cookie #1* ((custom) HEADER)", "Type: boolean-based blind", "Type: time-based blind", "Type: UNION query", " users ")),
  ("-u <url> --flush-session --null-connection --technique=B --tamper=between,randomcase --banner --count -T users", ("NULL connection is supported with HEAD method", "banner: '3.", "users | 5")),
+ ("-u <base> --data=\"aWQ9MQ==\" --flush-session --base64=POST -v 6", ("aWQ9MTtXQUlURk9SIERFTEFZICcwOjA",)),
  ("-u <url> --flush-session --parse-errors --test-filter=\"subquery\" --eval=\"import hashlib; id2=2; id3=hashlib.md5(id.encode()).hexdigest()\" --referer=\"localhost\"", ("might be injectable", ": syntax error", "back-end DBMS: SQLite", "WHERE or HAVING clause (subquery")),
  ("-u <url> --banner --schema --dump -T users --binary-fields=surname --where \"id>3\"", ("banner: '3.", "INTEGER", "TEXT", "id", "name", "surname", "2 entries", "6E616D6569736E756C6C")),
  ("-u <url> --technique=U --fresh-queries --force-partial --dump -T users --dump-format=HTML --answers=\"crack=n\" -v 3", ("performed 6 queries", "nameisnull", "~using default dictionary", "dumped to HTML file")),

lib/request/connect.py

@@ -56,12 +56,14 @@ class WebSocketException(Exception):
 from lib.core.common import singleTimeLogMessage
 from lib.core.common import singleTimeWarnMessage
 from lib.core.common import stdev
+from lib.core.common import unArrayizeValue
 from lib.core.common import unsafeVariableNaming
 from lib.core.common import urldecode
 from lib.core.common import urlencode
 from lib.core.common import wasLastResponseDelayed
 from lib.core.compat import patchHeaders
 from lib.core.compat import xrange
+from lib.core.convert import encodeBase64
 from lib.core.convert import getBytes
 from lib.core.convert import getText
 from lib.core.convert import getUnicode
@@ -466,7 +468,7 @@ def getPage(**kwargs):
  break
 
  if post is not None and not multipart and not getHeader(headers, HTTP_HEADER.CONTENT_TYPE):
- headers[HTTP_HEADER.CONTENT_TYPE] = POST_HINT_CONTENT_TYPES.get(kb.postHint, DEFAULT_CONTENT_TYPE)
+ headers[HTTP_HEADER.CONTENT_TYPE] = POST_HINT_CONTENT_TYPES.get(kb.postHint, DEFAULT_CONTENT_TYPE if unArrayizeValue(conf.base64Parameter) != HTTPMETHOD.POST else PLAIN_TEXT_CONTENT_TYPE)
 
  if headers.get(HTTP_HEADER.CONTENT_TYPE) == POST_HINT_CONTENT_TYPES[POST_HINT.MULTIPART]:
  warnMsg = "missing 'boundary parameter' in '%s' header. " % HTTP_HEADER.CONTENT_TYPE
@@ -552,6 +554,13 @@ class _(dict):
  else:
  post = getBytes(post)
 
+ if unArrayizeValue(conf.base64Parameter) == HTTPMETHOD.POST:
+ if kb.place != HTTPMETHOD.POST:
+ conf.data = getattr(conf.data, UNENCODED_ORIGINAL_VALUE, conf.data)
+ else:
+ post = urldecode(post, convall=True)
+ post = encodeBase64(post)
+
  if target and cmdLineOptions.method or method and method not in (HTTPMETHOD.GET, HTTPMETHOD.POST):
  req = MethodRequest(url, post, headers)
  req.set_method(cmdLineOptions.method or method)
@@ -976,6 +985,8 @@ def queryPage(value=None, place=None, content=False, getRatioValue=False, silent
  if not place:
  place = kb.injection.place or PLACE.GET
 
+ kb.place = place
+
  if not auxHeaders:
  auxHeaders = {}
 
@@ -1191,7 +1202,7 @@ def _adjustParameter(paramString, parameter, newValue):
 
  if not token:
  if conf.csrfUrl and conf.csrfToken and conf.csrfUrl != conf.url and code == _http_client.OK:
- if headers and "text/plain" in headers.get(HTTP_HEADER.CONTENT_TYPE, ""):
+ if headers and PLAIN_TEXT_CONTENT_TYPE in headers.get(HTTP_HEADER.CONTENT_TYPE, ""):
  token.name = conf.csrfToken
  token.value = page