# DB-error-looking text for any non-baseline input -> baits error-based detection.
1081
+
output="<html><body>Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result</body></html>"ifidv!="1"else"<html><body><b>SQL results:</b><table><tr><td>1</td><td>luther</td></tr></table></body></html>"
1082
+
eliftrap=="lengthrand":
1083
+
# response length varies at random (not with the payload) -> baits length-based heuristics.
("-u <url> --data=\"reflect=1\" --flush-session --wizard --disable-coloring", ("Please choose:", "back-end DBMS: SQLite", "current user is DBA: True", "banner: '3.")),
@@ -63,7 +63,7 @@ def vulnTest():
63
63
("-u <url> --data=\"security_level=3\" -p id --flush-session --technique=B", ("bypassed the WAF/IPS by using tamper script", "Type: boolean-based blind")), # automatic WAF-bypass: SQL-tamper dimension at a stricter signature threshold
64
64
("-u <url> --data=\"security_level=4\" -p id --flush-session --technique=B --banner", ("random (non-scanner) User-Agent and browser-like headers to bypass the WAF/IPS", "Type: boolean-based blind", "banner: '3.")), # automatic WAF-bypass against a libinjection-class WAF: tampers cannot help, only the non-scanner User-Agent does
65
65
("-u <url> --data=\"security_level=5\" -p id --flush-session --technique=B", ("unable to automatically bypass the WAF/IPS", "does not seem to be injectable")), # automatic WAF-bypass honest bail: a libinjection-class WAF that no User-Agent or tamper can defeat
66
-
("-u <url> -p id --flush-session --proof", ("sqlmap proved exploitation of the following injection point", "Parameter: id (GET)", "Technique: boolean-based blind", "TRUE (5/5)", "repeatably", "Retrieved: back-end DBMS banner '3.")), # --proof: report-grade proof in the injection-point style - forces the boolean technique (so a multi-technique point still proves), and actively reads a value out as the strongest proof
66
+
("-u <url> -p id --flush-session --technique=B --proof", ("sqlmap proved exploitation of the following injection point", "Parameter: id (GET)", "Technique: boolean-based blind", "TRUE (5/5)", "repeatably", "Retrieved: back-end DBMS banner '3.")), # --proof: report-grade proof in the injection-point style - forces the boolean technique (so a multi-technique point still proves), and actively reads a value out as the strongest proof
67
67
("-r <request> --flush-session -v 5 --test-skip=\"heavy\" --save=<config>", ("CloudFlare", "web application technology: Express", "possible DBMS: 'SQLite'", "User-Agent: foobar", "~Type: time-based blind", "saved command line options to the configuration file")),
("-l <log> --flush-session --skip-waf -vvvvv --technique=U --union-from=users --banner --parse-errors", ("banner: '3.", "ORDER BY term out of range", "~xp_cmdshell", "Connection: keep-alive")),
("--purge -v 3", ("~ERROR", "~CRITICAL", "deleting the whole directory tree")),
102
102
)
103
103
@@ -263,9 +263,9 @@ def _thread():
263
263
264
264
clearConsoleLine()
265
265
ifretVal:
266
-
logger.info("vuln test final result: PASSED")
266
+
logger.info("%s test final result: PASSED"%label)
267
267
else:
268
-
logger.error("vuln test final result: FAILED")
268
+
logger.error("%s test final result: FAILED"%label)
269
269
270
270
forfilenameincleanups:
271
271
try:
@@ -280,6 +280,31 @@ def _thread():
280
280
281
281
returnretVal
282
282
283
+
deffpTest():
284
+
"""
285
+
On-demand false-positive battery ('--fp-test'): a set of deliberately NON-injectable traps that
286
+
each bait a specific FP defense (boolean confirmation, dynamic-content removal, structure-aware
287
+
comparison, canary/sanity gate, reflection, error-regex specificity, length and time heuristics),
288
+
paired with real injectable twins. An A+ engine rejects every trap AND still detects every twin.
289
+
Kept out of the default '--vuln-test' (CI budget); run explicitly against 'vulnserver'.
290
+
"""
291
+
292
+
FP_TESTS= (
293
+
# false-positive traps -> sqlmap MUST NOT flag these as injectable
294
+
("-u \"<base>fp?trap=intcast&id=1\" -p id --technique=BEU --level=3 --risk=2 --flush-session", ("~identified the following injection point", "do not appear to be injectable")), # boolean confirmation / checkFalsePositives
295
+
("-u \"<base>fp?trap=structrand&id=1\" -p id --technique=BEU --level=3 --risk=2 --flush-session", ("~identified the following injection point", "do not appear to be injectable")), # structure-aware comparison
296
+
("-u \"<base>fp?trap=acceptall&id=1\" -p id --technique=BEU --level=3 --risk=2 --flush-session", ("~identified the following injection point", "do not appear to be injectable")), # canary / sanity gate (reads-everything-true)
297
+
("-u \"<base>fp?trap=reflect&id=1\" -p id --technique=BEU --level=3 --risk=2 --flush-session", ("~identified the following injection point", "do not appear to be injectable")), # reflection handling
298
+
("-u \"<base>fp?trap=errors&id=1\" -p id --technique=BE --level=3 --risk=2 --flush-session", ("~identified the following injection point", "do not appear to be injectable")), # error-regex specificity
299
+
("-u \"<base>fp?trap=lengthrand&id=1\" -p id --technique=BEU --level=3 --risk=2 --flush-session", ("~identified the following injection point", "do not appear to be injectable")), # length heuristics
300
+
("-u \"<base>fp?trap=slowrand&id=1\" -p id --technique=T --flush-session", ("~identified the following injection point", "do not appear to be injectable")), # time-based statistical model
301
+
# true-positive twins -> sqlmap MUST still detect real injection (the discrimination that makes it A+)
302
+
("-u <url> -p id --technique=B --flush-session", ("identified the following injection point", "Type: boolean-based blind")),
303
+
("-u \"<url>&json=1\" -p id --technique=B --flush-session", ("identified the following injection point",)),
304
+
)
305
+
306
+
returnvulnTest(tests=FP_TESTS, label="fp")
307
+
283
308
defapiTest():
284
309
"""
285
310
Runs a basic live test of the REST API: launches the server in a separate process
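Review bot: Every trap case in FP_TESTS addresses the fixture through a `<base>` placeholder (`-u "<base>fp?trap=...&id=1"`), whereas all existing vulnTest cases in this file use `<url>`, `<request>`, `<log>` or `<config>`; the substitution code and the new `tests=`/`label=` parameters of vulnTest are outside the visible hunks, so confirm that `<base>` is actually expanded there, otherwise the quoted string reaches sqlmap literally and the whole battery fails on a bad target rather than on a false positive. The `lengthrand` and `slowrand` traps are, by their own description, driven by randomness, so a rare false positive can surface as a flaky run; it would help to say so in the docstring, e.g. `Note: the 'lengthrand' and 'slowrand' traps are randomised, so a single FAILED run of those two cases should be re-run before being treated as a detection regression.`, or to seed the fixture deterministically if vulnserver allows it. The `-p id` twin on line 302 only asserts the boolean technique, so it does not exercise the E/U paths the traps are run with; adding a `--technique=E` or `--technique=U` twin would make the "still detects every twin" claim in the docstring cover the same techniques the traps bait.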