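def _get_statements(self, mutant, excludeNumbers=None):
    """
    Build the boolean true/false statement pairs for one mutant.

    The default for excludeNumbers used to be a shared mutable list ([]);
    it is now None and a fresh list is created per call, so no state can
    leak between calls through the default object.

    @param mutant: The mutant whose original value (mutant.getOriginalValue())
                   is prepended verbatim to every statement when it is
                   non-empty.
    @param excludeNumbers: Numbers that createRandNum must not return.
                           None (the default) means "exclude nothing".
    @return: A dict (not a list, despite the old docstring) keyed by
             "numeric", "stringsingle" and "stringdouble"; each value is a
             (trueStm, falseStm) tuple. The "true" statement compares
             rndNum with itself, the "false" one compares rndNum with
             rndNum + 1. When the original value is non-empty and is not
             all digits, the "numeric" key is omitted because an unquoted
             non-numeric value is not valid in that position.
    """
    if excludeNumbers is None:
        excludeNumbers = []

    res = {}
    # createRandNum(2, ...) — presumably a 2-digit value (compare the
    # length=8 call in _get_limit_response); confirm against its definition.
    rndNum = int(createRandNum(2, excludeNumbers))
    rndNumPlusOne = rndNum + 1

    oval = mutant.getOriginalValue()
    if oval == "":
        # No original value: the random number stands in for it.
        # Unquoted, integer values
        trueStm = "%i OR %i=%i " % (rndNum, rndNum, rndNum)
        falseStm = "%i AND %i=%i " % (rndNum, rndNum, rndNumPlusOne)
        res["numeric"] = (trueStm, falseStm)

        # Single quotes
        trueStm = "%i' OR '%i'='%i" % (rndNum, rndNum, rndNum)
        falseStm = "%i' AND '%i'='%i" % (rndNum, rndNum, rndNumPlusOne)
        res["stringsingle"] = (trueStm, falseStm)

        # Double quotes
        trueStm = '%i" OR "%i"="%i' % (rndNum, rndNum, rndNum)
        falseStm = '%i" AND "%i"="%i' % (rndNum, rndNum, rndNumPlusOne)
        res["stringdouble"] = (trueStm, falseStm)
    else:
        # The original value is kept and the random comparison is appended.
        # Unquoted, integer values: only when the original value is numeric;
        # something like 1209jas must be quoted in a WHERE clause.
        if oval.isdigit():
            trueStm = oval + (" OR %i=%i " % (rndNum, rndNum))
            falseStm = oval + (" AND %i=%i " % (rndNum, rndNumPlusOne))
            res["numeric"] = (trueStm, falseStm)

        # Single quotes
        trueStm = oval + ("' OR '%i'='%i" % (rndNum, rndNum))
        falseStm = oval + ("' AND '%i'='%i" % (rndNum, rndNumPlusOne))
        res["stringsingle"] = (trueStm, falseStm)

        # Double quotes
        trueStm = oval + ('" OR "%i"="%i' % (rndNum, rndNum))
        falseStm = oval + ('" AND "%i"="%i' % (rndNum, rndNumPlusOne))
        res["stringdouble"] = (trueStm, falseStm)

    return res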
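def _get_limit_response(self, m):
    '''
    We request the limit (something that doesn't exist)
        - If http://localhost/a.php?b=1 ; then I should request b=12938795 (random number)
        - If http://localhost/a.php?b=abc ; then I should request b=hnv98yks (random alnum)

    @param m: The mutant to send. Its data container is deep-copied before
              the modified value is set and restored afterwards — now also
              when _sendMutant raises, so the caller never sees a mutant
              left pointing at the random limit value.
    @return: The limit response object
    '''
    # Deep copy, needed to make a good vuln report with the original dc.
    original_dc = copy.deepcopy(m.getDc())

    # Pick a random value of the same kind (digits vs alphanumeric) as the
    # original so it is handled by the same code path server-side.
    if m.getOriginalValue().isdigit():
        m.setModValue(createRandNum(length=8))
    else:
        m.setModValue(createRandAlNum(length=8))

    try:
        limit_response = self._sendMutant(m, analyze=False)
    finally:
        # Restore the dc even on failure (the original code skipped this
        # when _sendMutant raised).
        m.setDc(original_dc)

    return limit_response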
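def _get_statements(self, mutant, excludeNumbers=None):
    '''
    Build the boolean true/false statement pairs for one mutant.

    The default for excludeNumbers used to be a shared mutable list ([]);
    it is now None and a fresh list is created per call, so no state can
    leak between calls through the default object. The mutant argument is
    accepted for interface compatibility but is not read by this version.

    @param mutant: Unused here (kept so callers of both versions of this
                   method work unchanged).
    @param excludeNumbers: Numbers that createRandNum must not return.
                           None (the default) means "exclude nothing".
    @return: A dict (not a list, despite the old docstring) keyed by
             'numeric', 'stringsingle' and 'stringdouble'; each value is a
             (true_stm, false_stm) tuple. The "true" statement compares
             rnd_num with itself, the "false" one compares rnd_num with
             rnd_num + 1.
    '''
    if excludeNumbers is None:
        excludeNumbers = []

    res = {}
    # createRandNum(2, ...) — presumably a 2-digit value (compare the
    # length=8 call in _get_limit_response); confirm against its definition.
    rnd_num = int(createRandNum(2, excludeNumbers))
    rnd_num_plus_one = rnd_num + 1

    # Numeric/Datetime
    true_stm = '%i OR %i=%i ' % (rnd_num, rnd_num, rnd_num)
    false_stm = '%i AND %i=%i ' % (rnd_num, rnd_num, rnd_num_plus_one)
    res['numeric'] = (true_stm, false_stm)

    # Single quotes
    true_stm = "%i' OR '%i'='%i" % (rnd_num, rnd_num, rnd_num)
    false_stm = "%i' AND '%i'='%i" % (rnd_num, rnd_num, rnd_num_plus_one)
    res['stringsingle'] = (true_stm, false_stm)

    # Double quotes
    true_stm = '%i" OR "%i"="%i' % (rnd_num, rnd_num, rnd_num)
    false_stm = '%i" AND "%i"="%i' % (rnd_num, rnd_num, rnd_num_plus_one)
    res['stringdouble'] = (true_stm, false_stm)

    return res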