Skip to content

Commit 8a75c0b

Browse files
committed
Minor patch
1 parent 6e459d6 commit 8a75c0b

3 files changed

Lines changed: 25 additions & 23 deletions

File tree

data/txt/sha256sums.txt

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -162,7 +162,7 @@ df768bcb9838dc6c46dab9b4a877056cb4742bd6cfaaf438c4a3712c5cc0d264 extra/shutils/
162162
1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3 extra/vulnserver/__init__.py
163163
617cec1b731e0baacafa6f58c2f56a85b6128d1416627cc1b2f61519c8539a2e extra/vulnserver/vulnserver.py
164164
a2bf70d7f87c3a4e0675c0bad54119a4e04efa6ea2730a8338d5aebcd995630e lib/controller/action.py
165-
6f3198df20330b6ff0eb7f615082ca7046e6887ac5d3e5df3598d36f66724e01 lib/controller/checks.py
165+
736715a73941a06e5d3d349dd01a1f1b171f54eb4c374c6752b2cc44b0977ffe lib/controller/checks.py
166166
666935b658074dc9c42153622b75d4ec7bfe56fbe0742de827a5d30a1a0f9d96 lib/controller/controller.py
167167
d69e84f1648cdb907f5d2dd454f03874a4613752b07867510145d51d84b3c56f lib/controller/handler.py
168168
1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3 lib/controller/__init__.py
@@ -189,7 +189,7 @@ f8de57606325456928e46ae2896f5f8bbec9ad18b1c644b492a566fa992216f6 lib/core/decor
189189
9bf174058f15d14e24e94f9aaf42df045119d3617c6c54bd2f3af79b462f331d lib/core/replication.py
190190
0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6 lib/core/revision.py
191191
888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c lib/core/session.py
192-
b38aa7769be9d31f2d55172a992732f506f05fba49d6a170eb9485f78da7c360 lib/core/settings.py
192+
2f4c7044d36e183fcb0a019d82ccbc7222abab1878454c479df9e89d23430733 lib/core/settings.py
193193
c7804223319e18eb0b8e2cbf0a8b6896d1cefb7b0b1a2e9f1cf826a8a3b56750 lib/core/shell.py
194194
a2e98a94b231432736d6b304fc75525c8b5fdb4768c418387c5b4c1a610dad64 lib/core/subprocessng.py
195195
19f1e3c5e3ba703d28d510cd7a9ab8284d5fbe9df5ce7e77c86e5931571364b7 lib/core/target.py

lib/controller/checks.py

Lines changed: 22 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -1289,6 +1289,27 @@ def checkDynamicContent(firstPage, secondPage):
12891289
count += 1
12901290

12911291
if count > conf.retries:
1292+
# Last resort before the (lossy) '--text-only' fallback: if the page is byte-unstable
1293+
# but STRUCTURALLY stable - an identical, non-empty tag/class/id skeleton across
1294+
# requests - base the comparison on that value-free structure instead. Dynamic text
1295+
# (e.g. per-render result rows) then no longer masks an injection whose signal is
1296+
# structural (the HTML counterpart of the structure-aware JSON comparison). Content
1297+
# with no usable structure (empty skeleton, e.g. random/binary bodies) falls through
1298+
# to '--text-only' as before.
1299+
skeleton = extractStructuralTokens(firstPage)
1300+
if skeleton and skeleton == extractStructuralTokens(secondPage):
1301+
kb.pageStructurallyStable = True
1302+
1303+
if kb.nullConnection:
1304+
debugMsg = "turning off NULL connection support because of structural page comparison"
1305+
logger.debug(debugMsg)
1306+
kb.nullConnection = None
1307+
1308+
infoMsg = "target URL content is not byte-stable but structurally stable; sqlmap "
1309+
infoMsg += "will base the page comparison on the page structure"
1310+
logger.info(infoMsg)
1311+
return
1312+
12921313
warnMsg = "target URL content appears to be too dynamic. "
12931314
warnMsg += "Switching to '--text-only' "
12941315
logger.warning(warnMsg)
@@ -1394,26 +1415,7 @@ def checkStability():
13941415
raise SqlmapNoneDataException(errMsg)
13951416

13961417
else:
1397-
# Before engaging the (lossy) dynamic-content removal / '--text-only' escalation, check
1398-
# whether the page is structurally stable (identical tag/class/id skeleton across the two
1399-
# requests) despite differing text. If so, base the comparison on that value-free structure
1400-
# so that dynamic content (e.g. per-render result rows) does not mask an injection. This is
1401-
# the HTML counterpart of the structure-aware JSON comparison
1402-
if firstPage and secondPage and extractStructuralTokens(firstPage) == extractStructuralTokens(secondPage):
1403-
kb.pageStructurallyStable = True
1404-
1405-
if kb.nullConnection:
1406-
debugMsg = "turning off NULL connection "
1407-
debugMsg += "support because of structural page comparison"
1408-
logger.debug(debugMsg)
1409-
1410-
kb.nullConnection = None
1411-
1412-
infoMsg = "target URL content is not byte-stable but structurally stable; sqlmap "
1413-
infoMsg += "will base the page comparison on the page structure"
1414-
logger.info(infoMsg)
1415-
else:
1416-
checkDynamicContent(firstPage, secondPage)
1418+
checkDynamicContent(firstPage, secondPage)
14171419

14181420
return kb.pageStable
14191421

lib/core/settings.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -20,7 +20,7 @@
2020
from thirdparty import six
2121

2222
# sqlmap version (<major>.<minor>.<month>.<monthly commit>)
23-
VERSION = "1.10.7.1"
23+
VERSION = "1.10.7.2"
2424
TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
2525
TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
2626
VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)

0 commit comments

Comments
 (0)