
Function paramToDict

lib/core/common.py:616–787

Split the parameters into names and values, check whether these parameters are within the testable parameters, and return them in a dictionary.

(place, parameters=None)


614 return Backend.getOs() is not None and Backend.getOs().lower() == os.lower()
615
616def paramToDict(place, parameters=None):
617 """
618 Split the parameters into names and values, check if these parameters
619 are within the testable parameters and return in a dictionary.
620 """
621
622 testableParameters = OrderedDict()
623
624 if place in conf.parameters and not parameters:
625 parameters = conf.parameters[place]
626
627 parameters = re.sub(r"&(\w{1,4});", r"%s\g<1>%s" % (PARAMETER_AMP_MARKER, PARAMETER_SEMICOLON_MARKER), parameters)
628 if place == PLACE.COOKIE:
629 splitParams = parameters.split(conf.cookieDel or DEFAULT_COOKIE_DELIMITER)
630 else:
631 splitParams = parameters.split(conf.paramDel or DEFAULT_GET_POST_DELIMITER)
632
633 for element in splitParams:
634 element = re.sub(r"%s(.+?)%s" % (PARAMETER_AMP_MARKER, PARAMETER_SEMICOLON_MARKER), r"&\g<1>;", element)
635 parts = element.split("=")
636
637 if len(parts) >= 2:
638 parameter = urldecode(parts[0].replace(" ", ""))
639
640 if not parameter:
641 continue
642
643 if conf.paramDel and conf.paramDel == '\n':
644 parts[-1] = parts[-1].rstrip()
645
646 condition = not conf.testParameter
647 condition |= conf.testParameter is not None and parameter in conf.testParameter
648 condition |= place == PLACE.COOKIE and len(intersect((PLACE.COOKIE,), conf.testParameter, True)) > 0
649
650 if condition:
651 value = "=".join(parts[1:])
652
653 if parameter in (conf.base64Parameter or []):
654 try:
655 kb.base64Originals[parameter] = oldValue = value
656 value = urldecode(value, convall=True)
657 value = decodeBase64(value, binary=False, encoding=conf.encoding or UNICODE_ENCODING)
658 parameters = re.sub(r"\b%s(\b|\Z)" % re.escape(oldValue), value, parameters)
659 except:
660 errMsg = "parameter '%s' does not contain " % parameter
661 errMsg += "valid Base64 encoded value ('%s')" % value
662 raise SqlmapValueException(errMsg)
663
664 testableParameters[parameter] = value
665
666 if not conf.multipleTargets and not (conf.csrfToken and re.search(conf.csrfToken, parameter, re.I)):
667 _ = urldecode(testableParameters[parameter], convall=True)
668 if (_.endswith("'") and _.count("'") == 1 or re.search(r'\A9{3,}', _) or re.search(r'\A-\d+\Z', _) or re.search(DUMMY_USER_INJECTION, _)) and not re.search(GOOGLE_ANALYTICS_COOKIE_REGEX, parameter):
669 warnMsg = "it appears that you have provided tainted parameter values "
670 warnMsg += "('%s') with most likely leftover " % element
671 warnMsg += "chars/statements from manual SQL injection test(s). "
672 warnMsg += "Please, always use only valid parameter values "
673 warnMsg += "so sqlmap could be able to run properly"
