sqlmap options are configurable

CERT-Polska · Sep 30, 2024 · 092b19d · 092b19d
1 parent 37cab43
commit 092b19d
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 4 deletions.
diff --git a/extra_modules_config.py b/extra_modules_config.py
@@ -42,6 +42,21 @@ class ExtraModulesConfig:
         default=25,
     )
 
+    # Command-line options that will be passed to sqlmap
+    SQLMAP_COMMAND_LINE_OPTIONS = decouple.config(
+        "SQLMAP_COMMAND_LINE_OPTIONS",
+        cast=decouple.Csv(str),
+        default=",".join(
+            [
+                "--technique",
+                "BU",
+                "--skip-waf",
+                "--skip-heuristics",
+            ]
+        ),
+    )
+
+    # Tamper scripts to be used by sqlmap (sqlmap will be executed once per tamper script + once without any)
     SQLMAP_TAMPER_SCRIPTS = decouple.config(
         "SQLMAP_TAMPER_SCRIPTS",
         cast=decouple.Csv(str),

diff --git a/karton_sqlmap/karton_sqlmap.py b/karton_sqlmap/karton_sqlmap.py
@@ -71,14 +71,11 @@ def _run() -> SQLmapCallResult:
                         "-u",
                         url,
                         "--batch",
-                        "--technique",
-                        "BU",
-                        "--skip-waf",
-                        "--skip-heuristics",
                         "-v",
                         "1",
                     ]
                     + arguments
+                    + ExtraModulesConfig.SQLMAP_COMMAND_LINE_OPTIONS
                     + additional_configuration
                 )