Description
Describe the bug
When forcing GET to use a body for an injection (sometimes useful for WAF bypasses) the requests are formed correctly. I verified with -vvvvvvvv that the request is in fact a GET request, with a valid Content-Length, and that the injection candidates are present in the body of the requests. However, the UI shows:
[20:34:22] [INFO] parsing HTTP request from 'r'
custom injection marker ('*') found in GET body. Do you want to process it? [Y/n/q] y
JSON data found in GET body. Do you want to process it? [Y/n/q] y
[20:34:25] [INFO] testing connection to the target URL
[20:34:25] [INFO] testing if the target URL content is stable
[20:34:26] [INFO] target URL content is stable
[20:34:26] [INFO] testing if (custom) POST parameter 'JSON #1*' is dynamic
[20:34:26] [INFO] (custom) POST parameter 'JSON #1*' appears to be dynamic
The logic is clearly all working, and the initial few lines correctly describe it as a GET body; it's just those final two lines that go back to assuming it's a POST. I assume this was a simple oversight when support for GET body was added. I just found the issue where this was initially added, which referenced the commit, but I somehow lost the link and can't find it now, sorry. I'm sure this won't be easy to track down without that info.
To Reproduce
Use a request file that is a standard POST request with a body, mark the injection point with an asterisk in the POST body, then invoke sqlmap using:
./sqlmap.py -r <request file> --level=4 --force-ssl --method=GET
When prompted, you can choose "y" to use the injection marker and "y" in the case that your body has JSON (likely not too relevant, just mentioning it, as this was my test case).
Expected behavior
Expected the status output to say:
[20:34:26] [INFO] testing if (custom) GET (body) parameter 'JSON #1*' is dynamic
[20:34:26] [INFO] (custom) GET (body) parameter 'JSON #1*' appears to be dynamic
I don't know what you might prefer as the exact way to describe this in the output, so I arbitrarily chose "GET (body) parameter" as a suggestion. Perhaps you consider this correct behavior, but it seems incorrect to me.
Running environment:
- sqlmap version 1.4.11.6 dev
- Installation method: git
- Operating system: Debian 10, x86_64
- Python version: 2.7.16
Target details:
Irrelevant in this case as the output occurs before any requests are made
Additional context
This is really a very, very minor issue. I'm just bringing it to your attention in case you have an obsession with correctness as I tend to :)
Feel free to close this with WONTFIX
Thanks!