(inj)
| 142 | kb.injection = kb.injections[index] |
| 143 | |
| 144 | def _formatInjection(inj): |
| 145 | paramType = conf.method if conf.method not in (None, HTTPMETHOD.GET, HTTPMETHOD.POST) else inj.place |
| 146 | data = "Parameter: %s (%s)\n" % (inj.parameter, paramType) |
| 147 | |
| 148 | for stype, sdata in inj.data.items(): |
| 149 | title = sdata.title |
| 150 | vector = sdata.vector |
| 151 | comment = sdata.comment |
| 152 | payload = agent.adjustLateValues(sdata.payload) |
| 153 | if inj.place == PLACE.CUSTOM_HEADER: |
| 154 | payload = payload.split(',', 1)[1] |
| 155 | if stype == PAYLOAD.TECHNIQUE.UNION: |
| 156 | count = re.sub(r"(?i)(\(.+\))|(\blimit[^a-z]+)", "", sdata.payload).count(',') + 1 |
| 157 | title = re.sub(r"\d+ to \d+", str(count), title) |
| 158 | vector = agent.forgeUnionQuery("[QUERY]", vector[0], vector[1], vector[2], None, None, vector[5], vector[6]) |
| 159 | if count == 1: |
| 160 | title = title.replace("columns", "column") |
| 161 | elif comment: |
| 162 | vector = "%s%s" % (vector, comment) |
| 163 | data += " Type: %s\n" % PAYLOAD.SQLINJECTION[stype] |
| 164 | data += " Title: %s\n" % title |
| 165 | data += " Payload: %s\n" % urldecode(payload, unsafe="&", spaceplus=(inj.place != PLACE.GET and kb.postSpaceToPlus)) |
| 166 | data += " Vector: %s\n\n" % vector if conf.verbose > 1 else "\n" |
| 167 | |
| 168 | return data |
| 169 | |
| 170 | def _showInjections(): |
| 171 | if conf.wizard and kb.wizardMode: |
no test coverage detected
searching dependent graphs…