Split the parameters into names and values, check whether each one is among the testable parameters, and return the testable ones in a dictionary.
(place, parameters=None)
| 614 | return Backend.getOs() is not None and Backend.getOs().lower() == os.lower() |
| 615 | |
| 616 | def paramToDict(place, parameters=None): |
| 617 | """ |
| 618 | Split the parameters into names and values, check if these parameters |
| 619 | are within the testable parameters and return in a dictionary. |
| 620 | """ |
| 621 | |
| 622 | testableParameters = OrderedDict() |
| 623 | |
| 624 | if place in conf.parameters and not parameters: |
| 625 | parameters = conf.parameters[place] |
| 626 | |
| 627 | parameters = re.sub(r"&(\w{1,4});", r"%s\g<1>%s" % (PARAMETER_AMP_MARKER, PARAMETER_SEMICOLON_MARKER), parameters) |
| 628 | if place == PLACE.COOKIE: |
| 629 | splitParams = parameters.split(conf.cookieDel or DEFAULT_COOKIE_DELIMITER) |
| 630 | else: |
| 631 | splitParams = parameters.split(conf.paramDel or DEFAULT_GET_POST_DELIMITER) |
| 632 | |
| 633 | for element in splitParams: |
| 634 | element = re.sub(r"%s(.+?)%s" % (PARAMETER_AMP_MARKER, PARAMETER_SEMICOLON_MARKER), r"&\g<1>;", element) |
| 635 | parts = element.split("=") |
| 636 | |
| 637 | if len(parts) >= 2: |
| 638 | parameter = urldecode(parts[0].replace(" ", "")) |
| 639 | |
| 640 | if not parameter: |
| 641 | continue |
| 642 | |
| 643 | if conf.paramDel and conf.paramDel == '\n': |
| 644 | parts[-1] = parts[-1].rstrip() |
| 645 | |
| 646 | condition = not conf.testParameter |
| 647 | condition |= conf.testParameter is not None and parameter in conf.testParameter |
| 648 | condition |= place == PLACE.COOKIE and len(intersect((PLACE.COOKIE,), conf.testParameter, True)) > 0 |
| 649 | |
| 650 | if condition: |
| 651 | value = "=".join(parts[1:]) |
| 652 | |
| 653 | if parameter in (conf.base64Parameter or []): |
| 654 | try: |
| 655 | kb.base64Originals[parameter] = oldValue = value |
| 656 | value = urldecode(value, convall=True) |
| 657 | value = decodeBase64(value, binary=False, encoding=conf.encoding or UNICODE_ENCODING) |
| 658 | parameters = re.sub(r"\b%s(\b|\Z)" % re.escape(oldValue), value, parameters) |
| 659 | except: |
| 660 | errMsg = "parameter '%s' does not contain " % parameter |
| 661 | errMsg += "valid Base64 encoded value ('%s')" % value |
| 662 | raise SqlmapValueException(errMsg) |
| 663 | |
| 664 | testableParameters[parameter] = value |
| 665 | |
| 666 | if not conf.multipleTargets and not (conf.csrfToken and re.search(conf.csrfToken, parameter, re.I)): |
| 667 | _ = urldecode(testableParameters[parameter], convall=True) |
| 668 | if (_.endswith("'") and _.count("'") == 1 or re.search(r'\A9{3,}', _) or re.search(r'\A-\d+\Z', _) or re.search(DUMMY_USER_INJECTION, _)) and not re.search(GOOGLE_ANALYTICS_COOKIE_REGEX, parameter): |
| 669 | warnMsg = "it appears that you have provided tainted parameter values " |
| 670 | warnMsg += "('%s') with most likely leftover " % element |
| 671 | warnMsg += "chars/statements from manual SQL injection test(s). " |
| 672 | warnMsg += "Please, always use only valid parameter values " |
| 673 | warnMsg += "so sqlmap could be able to run properly" |