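def _get_statements(self, mutant, excludeNumbers=None):
    """
    Build the boolean true/false statement pairs used to detect blind SQL
    injection, one pair per quoting style.

    When the original value is empty, the random number itself is used as
    the leading value; otherwise the original value is used, and the
    unquoted 'numeric' pair is only produced when that value consists of
    digits, since anything else inside a WHERE clause has to be quoted.

    @param mutant: The mutant whose original value prefixes the statements.
    @param excludeNumbers: Numbers createRandNum() must not return. None
        (the default) behaves like an empty list; a fresh list is created
        per call so it is never shared between calls, unlike the previous
        mutable default.
    @return: A dict keyed by 'numeric', 'stringsingle' and 'stringdouble',
        each mapping to a (true_statement, false_statement) tuple. The
        'numeric' key is absent when the original value is non-empty and
        not all digits.
    """
    if excludeNumbers is None:
        excludeNumbers = []

    res = {}
    rnd_num = int(createRandNum(2, excludeNumbers))
    rnd_num_plus_one = rnd_num + 1
    oval = mutant.getOriginalValue()

    if oval == "":
        # No value in the original request: the random number stands in for it.
        res["numeric"] = ("%i OR %i=%i " % (rnd_num, rnd_num, rnd_num),
                          "%i AND %i=%i " % (rnd_num, rnd_num, rnd_num_plus_one))
        res["stringsingle"] = ("%i' OR '%i'='%i" % (rnd_num, rnd_num, rnd_num),
                               "%i' AND '%i'='%i" % (rnd_num, rnd_num, rnd_num_plus_one))
        res["stringdouble"] = ('%i" OR "%i"="%i' % (rnd_num, rnd_num, rnd_num),
                               '%i" AND "%i"="%i' % (rnd_num, rnd_num, rnd_num_plus_one))
    else:
        # The unquoted pair is only meaningful for an all-digit original value;
        # something like "1209jas" used in a WHERE clause must be quoted.
        if oval.isdigit():
            res["numeric"] = (oval + " OR %i=%i " % (rnd_num, rnd_num),
                              oval + " AND %i=%i " % (rnd_num, rnd_num_plus_one))
        res["stringsingle"] = (oval + "' OR '%i'='%i" % (rnd_num, rnd_num),
                               oval + "' AND '%i'='%i" % (rnd_num, rnd_num_plus_one))
        res["stringdouble"] = (oval + '" OR "%i"="%i' % (rnd_num, rnd_num),
                               oval + '" AND "%i"="%i' % (rnd_num, rnd_num_plus_one))

    return res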
 def _get_limit_response( self, m ):
     '''
     Request the "limit": a value that is not expected to exist on the target.
         - for a digit-only original value (b=1) the mutant is sent with an
           8-digit random number
         - for anything else (b=abc) it is sent with an 8-character random
           alphanumeric string

     @param m: The mutant to send. Its data container is put back to a deep
         copy taken before the value was modified.
     @return: The limit response object
     '''
     # Deep copy of the data container, taken before the value is modified,
     # so the vuln report can be built from the untouched request
     saved_dc = copy.deepcopy( m.getDc() )

     if m.getOriginalValue().isdigit():
         replacement = createRandNum( length=8 )
     else:
         replacement = createRandAlNum( length=8 )
     m.setModValue( replacement )
     limit_response = self._sendMutant( m, analyze=False )

     # Put the saved data container back
     m.setDc( saved_dc )
     return limit_response
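 def _get_statements( self, mutant, excludeNumbers=None ):
     '''
     Build the boolean true/false statement pairs used to detect blind SQL
     injection, one pair per quoting style.

     @param mutant: Accepted for interface compatibility; this version does
         not read it (the random number is used as the leading value).
     @param excludeNumbers: Numbers createRandNum() must not return. None
         (the default) behaves like an empty list; a fresh list is created
         per call so it is never shared between calls, unlike the previous
         mutable default.
     @return: A dict keyed by 'numeric', 'stringsingle' and 'stringdouble',
         each mapping to a (true_statement, false_statement) tuple.
     '''
     if excludeNumbers is None:
         excludeNumbers = []

     rnd_num = int( createRandNum( 2 , excludeNumbers ) )
     rnd_num_plus_one = rnd_num + 1

     res = {}

     # Numeric/Datetime (unquoted)
     res['numeric'] = ( '%i OR %i=%i ' % (rnd_num, rnd_num, rnd_num),
                        '%i AND %i=%i ' % (rnd_num, rnd_num, rnd_num_plus_one) )

     # Single quotes
     res['stringsingle'] = ( "%i' OR '%i'='%i" % (rnd_num, rnd_num, rnd_num),
                             "%i' AND '%i'='%i" % (rnd_num, rnd_num, rnd_num_plus_one) )

     # Double quotes
     res['stringdouble'] = ( '%i" OR "%i"="%i' % (rnd_num, rnd_num, rnd_num),
                             '%i" AND "%i"="%i' % (rnd_num, rnd_num, rnd_num_plus_one) )

     return res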