This method replaces the affected parameter with the SQL injection statement to request
(self, place=None, parameter=None, value=None, newValue=None, where=None)
| 87 | return query |
| 88 | |
| 89 | def payload(self, place=None, parameter=None, value=None, newValue=None, where=None): |
| 90 | """ |
| 91 | This method replaces the affected parameter with the SQL |
| 92 | injection statement to request |
| 93 | """ |
| 94 | |
| 95 | if conf.direct: |
| 96 | return self.payloadDirect(newValue) |
| 97 | |
| 98 | retVal = "" |
| 99 | |
| 100 | if kb.forceWhere: |
| 101 | where = kb.forceWhere |
| 102 | elif where is None and isTechniqueAvailable(getTechnique()): |
| 103 | where = getTechniqueData().where |
| 104 | |
| 105 | if kb.injection.place is not None: |
| 106 | place = kb.injection.place |
| 107 | |
| 108 | if kb.injection.parameter is not None: |
| 109 | parameter = kb.injection.parameter |
| 110 | |
| 111 | paramString = conf.parameters[place] |
| 112 | paramDict = conf.paramDict[place] |
| 113 | origValue = getUnicode(paramDict[parameter]) |
| 114 | newValue = getUnicode(newValue) if newValue else newValue |
| 115 | base64Encoding = re.sub(r" \(.+", "", parameter) in conf.base64Parameter |
| 116 | |
| 117 | if place == PLACE.URI or BOUNDED_INJECTION_MARKER in origValue: |
| 118 | paramString = origValue |
| 119 | if place == PLACE.URI: |
| 120 | origValue = origValue.split(kb.customInjectionMark)[0] |
| 121 | else: |
| 122 | try: |
| 123 | origValue = filterNone(re.search(_, origValue.split(BOUNDED_INJECTION_MARKER)[0]) for _ in (r"\w+\Z", r"[^\"'><]+\Z", r"[^ ]+\Z"))[0].group(0) |
| 124 | except IndexError: |
| 125 | pass |
| 126 | origValue = origValue[origValue.rfind('/') + 1:] |
| 127 | for char in ('?', '=', ':', ',', '&'): |
| 128 | if char in origValue: |
| 129 | origValue = origValue[origValue.rfind(char) + 1:] |
| 130 | elif place == PLACE.CUSTOM_POST: |
| 131 | paramString = origValue |
| 132 | origValue = origValue.split(kb.customInjectionMark)[0] |
| 133 | if kb.postHint in (POST_HINT.SOAP, POST_HINT.XML): |
| 134 | origValue = re.split(r"['\">]", origValue)[-1] |
| 135 | elif kb.postHint in (POST_HINT.JSON, POST_HINT.JSON_LIKE): |
| 136 | match = re.search(r"['\"]", origValue) |
| 137 | quote = match.group(0) if match else '"' |
| 138 | origValue = extractRegexResult(r"%s\s*:\s*(?P<result>\d+)\Z" % quote, origValue) or extractRegexResult(r"(?P<result>[^%s]*)\Z" % quote, origValue) |
| 139 | else: |
| 140 | _ = extractRegexResult(r"(?s)(?P<result>[^\s<>{}();'\"&]+\Z)", origValue) or "" |
| 141 | origValue = _.split('=', 1)[1] if '=' in _ else _ |
| 142 | elif place == PLACE.CUSTOM_HEADER: |
| 143 | paramString = origValue |
| 144 | origValue = origValue[origValue.find(',') + 1:] |
| 145 | origValue = origValue.split(kb.customInjectionMark)[0] |
| 146 | match = re.search(r"([^;]+)=(?P<value>[^;]*);?\Z", origValue) |