@@ -214,6 +214,22 @@ def process(match, repl):
214214 conf .data = conf .data .replace (kb .customInjectionMark , ASTERISK_MARKER )
215215 conf .data = re .sub (r"(<(?P<name>[^>]+)( [^<]*)?>)([^<]+)(</\2)" , functools .partial (process , repl = r"\g<1>\g<4>%s\g<5>" % kb .customInjectionMark ), conf .data )
216216
217+ # Also expose XML attribute values (e.g. <item id="1">) as injection points, not just
218+ # element text (Reference: https://github.com/sqlmapproject/sqlmap/issues/5993). Done per
219+ # opening tag (skipping <?...?> declarations, <!...> and closing tags) so every attribute
220+ # is covered while the XML declaration/namespaces are left intact.
221+ def processAttributes (match ):
222+ def _attr (m ):
223+ name = m .group ("name" )
224+ if name == "xmlns" or name .startswith ("xmlns:" ): # namespace declarations are not injection points
225+ return m .group (0 )
226+ if conf .testParameter and name not in (removePostHintPrefix (_ ) for _ in conf .testParameter ):
227+ return m .group (0 )
228+ hintNames .append (("%s%s%s" % (m .group (1 ), m .group (3 ), m .group (4 )), name ))
229+ return "%s%s%s%s%s" % (m .group (1 ), m .group (3 ), m .group (4 ), kb .customInjectionMark , m .group (5 ))
230+ return re .sub (r'(\s(?P<name>[\w:.-]+)\s*=\s*)(["\'])([^"\'<>]*)(["\'])' , _attr , match .group (0 ))
231+ conf .data = re .sub (r"(?s)<[^>?!/][^>]*>" , processAttributes , conf .data )
232+
217233 elif re .search (MULTIPART_RECOGNITION_REGEX , conf .data ):
218234 message = "Multipart-like data found in %s body. " % conf .method
219235 message += "Do you want to process it? [Y/n/q] "
0 commit comments