Making sqlmap automatically test pseudo-static URLs in batch mode

0x00 Foreword


Since I have not yet found a better tool for batch testing of SQL injection points (the proxy plus sqlmapapi style of batch detection and the like), I turned to sqlmap. Although sqlmap does not test pseudo-static injection points on its own (the injection mark has to be added by hand), it is written in Python, so secondary development is quick and easy.

0x01 Idea


My idea is to rewrite URLs that have a suffix such as .html, or that contain no "?" at all.

Pseudo-static injection points are usually numeric, so I add the injection mark right after the number. Pseudo-static string parameters could be handled too, but that would add a lot of work.

Test with the following URLs:

#!bash
http://www.site.com/index.php/index/id/14
http://www.site.com/index.php/newsContent/id/341.html
http://www.site.com/show/?29-575.html

The results are as follows:

#!bash
http://www.site.com/index.php/index/id/14*
http://www.site.com/index.php/newsContent/id/341*.html
http://www.site.com/show/?29*-575*.html

The code is as follows:

#!python
import re

# Handle URLs that carry a .html/.htm/.shtml suffix or contain no "?" at all
# ('sthml' in the original was a typo for 'shtml')
if re.search(r'html|htm|shtml', url) or url.find("?") == -1:
    flag = 0        # set to 1 once a purely numeric path segment has been marked
    suffix = ""
    if re.search(r'html|htm|shtml', url):
        suffix = "." + re.search(r'html|htm|shtml', url).group()
    urlList = url.split("/")

    returnList = []

    # First pass: a path segment that is only digits (e.g. /id/14) gets the mark
    for i in urlList:
        i = re.sub(r'\.html|\.htm', '', i)
        if i.isdigit():
            returnList.append(i + "*")
            flag = 1
        else:
            returnList.append(i)
    url = '/'.join(returnList) + suffix

    returnList = []
    # Second pass (only if nothing was marked): mark every number inside the
    # segment that carries the suffix, e.g. ?29-575.html -> ?29*-575*.html
    if flag == 0:
        for i in urlList:
            if re.search(r'html|htm|shtml', i):
                digitList = re.findall(r'\d+', i)
                for digit in digitList:
                    i = i.replace(digit, digit + "*")
                returnList.append(i)
            else:
                returnList.append(i)
        url = '/'.join(returnList)
    print(url)
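As an added example (not code from the original post or from sqlmap), the same marking rule as one reusable function, plus a small helper that prepares a list of targets for sqlmap's bulk file (conf.bulkFile, the -m option). It assumes the '*' mark and the numbers-only rule from the post, and it goes one step further than the loop above: each number is marked exactly once, so a "1" next to an "11" is not corrupted by a str.replace on the shorter digit string.

```python
import re

# Added example, not code from the post or from sqlmap: the post's marking rule
# as a reusable function. Assumptions: '*' is the injection mark (sqlmap's
# CUSTOM_INJECTION_MARK_CHAR) and, as the post says, only numbers are marked.
MARK = "*"
SUFFIX_RE = re.compile(r"\.(s?html?)$", re.I)   # trailing .html / .htm / .shtml


def mark_pseudo_static(url):
    """Return url with '*' after each number worth testing, or None if nothing to mark."""
    m = SUFFIX_RE.search(url)
    if "?" in url and not m:
        return None                  # ordinary dynamic URL: sqlmap handles it itself
    suffix = ""
    if m:
        suffix = m.group(0)          # keep the suffix, re-append it after marking
        url = url[:m.start()]
    parts = url.split("/")
    marked = False
    # First pass: a purely numeric path segment (/id/14) gets the mark
    for idx, seg in enumerate(parts):
        if seg.isdigit():
            parts[idx] = seg + MARK
            marked = True
    if not marked:
        # Fallback for the ?29-575.html shape: mark every number in the last segment.
        # re.sub marks each run of digits once; str.replace would also hit "1" inside "11".
        before = parts[-1]
        parts[-1] = re.sub(r"\d+", lambda d: d.group(0) + MARK, parts[-1])
        marked = parts[-1] != before
    return "/".join(parts) + suffix if marked else None


def mark_targets(lines):
    """Prepare a bulk-file list: mark what can be marked, keep the rest unchanged."""
    out = []
    for line in lines:
        line = line.strip()
        if line:
            out.append(mark_pseudo_static(line) or line)
    return out


if __name__ == "__main__":
    # Constructed sample targets, one URL per line as in a sqlmap bulk file
    for t in mark_targets(["http://www.site.com/index.php/index/id/14",
                           "http://www.site.com/index.php/newsContent/id/341.html",
                           "http://www.site.com/show/?29-575.html"]):
        print(t)
```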

0x02 Making sqlmap automatically detect a single pseudo-static URL


Related documents

Call chain

sqlmap.py line 116 start() -> controller.py line 256 setupTargetEnv() -> target.py line 72 _setRequestParams() -> target.py line 117

#!python
if kb.processUserMarks is None and CUSTOM_INJECTION_MARK_CHAR in conf.data:
    message = "custom injection marking character ('%s') found in option " % CUSTOM_INJECTION_MARK_CHAR
    message += "'--data'. Do you want to process it? [Y/n/q] "
    test = readInput(message, default="Y")

    if test and test[0] in ("q", "Q"):
        raise SqlmapUserQuitException
    else:
        kb.processUserMarks = not test or test[0] not in ("n", "N")

        if kb.processUserMarks:
            kb.testOnlyCustom = True

This is where the injection mark is detected.

After sqlmap has gathered all the options you specified, and before it formally starts testing for injection, it checks whether the injection mark '*' is present; if it is, the marked positions are what gets tested as injection points.

Once this handling of the mark is understood, it is enough to rewrite the URL before _setRequestParams() is called to make sqlmap test pseudo-static URLs automatically.

Just add the following at line 260:

#!python
# Rewrite conf.url so that pseudo-static numbers carry the '*' mark before
# sqlmap looks for it (same logic as in 0x01, applied to conf.url)
if re.search(r'html|htm|shtml', conf.url) or conf.url.find("?") == -1:
    flag = 0        # set to 1 once a purely numeric path segment has been marked
    suffix = ""
    if re.search(r'html|htm|shtml', conf.url):
        suffix = "." + re.search(r'html|htm|shtml', conf.url).group()
    urlList = conf.url.split("/")

    returnList = []

    for i in urlList:
        i = re.sub(r'\.html|\.htm', '', i)
        if i.isdigit():
            returnList.append(i + "*")
            flag = 1
        else:
            returnList.append(i)
    conf.url = '/'.join(returnList) + suffix

    returnList = []
    # Fallback: nothing purely numeric, so mark every number in the suffix segment
    if flag == 0:
        for i in urlList:
            if re.search(r'html|htm|shtml', i):
                digitList = re.findall(r'\d+', i)
                for digit in digitList:
                    i = i.replace(digit, digit + "*")
                returnList.append(i)
            else:
                returnList.append(i)
        conf.url = '/'.join(returnList)
    logger.info(conf.url)   # log the rewritten target so the mark is visible

That's it.

Result (screenshot pic1, not reproduced here)

This only handles a single target; to support batch testing of injection points, this change alone is not enough.

0x03 Making sqlmap automatically detect pseudo-static URLs in batch mode


Relevant file:
https://github.com/sqlmapproject/sqlmap/blob/master/lib/core/option.py

At line 583:

#!python
for line in getFileItems(conf.bulkFile):
    if re.match(r"[^ ]+\?(.+)", line, re.I) or CUSTOM_INJECTION_MARK_CHAR in line:
        found = True
        kb.targets.add((line.strip(), conf.method, conf.data, conf.cookie, None))

This reads the URLs from the file line by line. A line is only added as a target if it contains a question mark "?" or already carries the injection mark "*".

Add the following at line 583, inside the loop body before the if check:

#!python
    # Same rewrite as in 0x02, applied to each line of the bulk file; once a
    # '*' has been inserted the existing check below accepts the line as a target
    if re.search(r'html|htm|shtml', line) or line.find("?") == -1:
        flag = 0        # set to 1 once a purely numeric path segment has been marked
        suffix = ""
        if re.search(r'html|htm|shtml', line):
            suffix = "." + re.search(r'html|htm|shtml', line).group()
        urlList = line.split("/")

        returnList = []

        for i in urlList:
            i = re.sub(r'\.html|\.htm', '', i)
            if i.isdigit():
                returnList.append(i + "*")
                flag = 1
            else:
                returnList.append(i)
        line = '/'.join(returnList) + suffix

        returnList = []
        # Fallback: nothing purely numeric, so mark every number in the suffix segment
        if flag == 0:
            for i in urlList:
                if re.search(r'html|htm|shtml', i):
                    digitList = re.findall(r'\d+', i)
                    for digit in digitList:
                        i = i.replace(digit, digit + "*")
                    returnList.append(i)
                else:
                    returnList.append(i)
            line = '/'.join(returnList)

Result (screenshot pic2, not reproduced here)

Source: www.cnblogs.com/-hack-/p/12052397.html