sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2024-11-22 17:46:37 +03:00
Code Issues Packages Projects Releases Wiki Activity
9d50c806e1
sqlmap/lib/techniques/blind/inference.py

530 lines
22 KiB
Python
Raw Normal View History

After the storm, a restore..
2008-10-15 19:38:22 +04:00
#!/usr/bin/env python
"""
propsets..
2008-10-15 19:56:32 +04:00
$Id$
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Changed homepage address
2011-07-08 00:10:03 +04:00
Copyright (c) 2006-2011 sqlmap developers (http://www.sqlmap.org/)
sorry, cosmetics
2010-10-15 03:18:29 +04:00
See the file 'doc/COPYING' for copying permission
After the storm, a restore..
2008-10-15 19:38:22 +04:00
"""
import threading
import time
sqlmap 0.6.3-rc4: Minor enhancement to be able to specify the number of seconds before timeout the connection, default is set to 10 seconds. Minor improvement to retry the HTTP request up to three times in case an exception is raised during the connection to the target url. Minor bug fix to correctly catch connection exceptions and notify to the user also if they occur within a thread. Minor code restyling. Updated documentation.
2008-12-04 20:40:03 +03:00
import traceback
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.agent import agent
refactoring (class names should always be Capital cased)
2011-01-28 19:36:09 +03:00
from lib.core.common import Backend
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.common import dataToSessionFile
from lib.core.common import dataToStdout
fuck yea
2011-01-19 18:25:48 +03:00
from lib.core.common import decodeIntToUnicode
adding filtering of strings for control chars in blind inference mode (way to handle either errornous values, or either binary data)
2011-01-05 13:25:07 +03:00
from lib.core.common import filterControlChars
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
from lib.core.common import getCharset
Code refactoring and minor bug fixes.
2010-05-27 20:45:09 +04:00
from lib.core.common import goGoodSamaritan
more code updates regarding good samaritan (common output) feature
2010-05-26 13:48:20 +04:00
from lib.core.common import getPartRun
minor update
2010-10-23 12:05:24 +04:00
from lib.core.common import popValue
from lib.core.common import pushValue
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.common import replaceNewlineTabs
introduced safe string formatting
2010-01-15 19:06:59 +03:00
from lib.core.common import safeStringFormat
more concise
2011-06-08 18:35:23 +04:00
from lib.core.common import singleTimeWarnMessage
minor fix
2011-02-03 16:28:10 +03:00
from lib.core.common import unhandledExceptionMessage
update (smaller memory footprint in postprocessing phase because of safecharencode part)
2011-07-26 00:40:31 +04:00
from lib.core.convert import safecharencode
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
Added common pattern value support to bisection algorithm
2010-06-17 15:38:32 +04:00
from lib.core.data import queries
further refactoring (all enumerations are now put into enums.py)
2010-11-08 12:20:02 +03:00
from lib.core.enums import DBMS
code beautification
2010-12-08 16:04:48 +03:00
from lib.core.enums import PAYLOAD
sqlmap 0.6.3-rc4: Minor enhancement to be able to specify the number of seconds before timeout the connection, default is set to 10 seconds. Minor improvement to retry the HTTP request up to three times in case an exception is raised during the connection to the target url. Minor bug fix to correctly catch connection exceptions and notify to the user also if they occur within a thread. Minor code restyling. Updated documentation.
2008-12-04 20:40:03 +03:00
from lib.core.exception import sqlmapConnectionException
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.exception import sqlmapValueException
sqlmap 0.6.3-rc4: Minor enhancement to be able to specify the number of seconds before timeout the connection, default is set to 10 seconds. Minor improvement to retry the HTTP request up to three times in case an exception is raised during the connection to the target url. Minor bug fix to correctly catch connection exceptions and notify to the user also if they occur within a thread. Minor code restyling. Updated documentation.
2008-12-04 20:40:03 +03:00
from lib.core.exception import sqlmapThreadException
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.progress import ProgressBar
coollyy little commits
2010-12-10 14:32:46 +03:00
from lib.core.settings import CHAR_INFERENCE_MARK
added inference failsafe (like in for instance Firebirds SUBSTR always returns a string value, no matter which starting index you use)
2010-12-11 13:52:04 +03:00
from lib.core.settings import INFERENCE_BLANK_BREAK
important fix for unicode based character inference
2011-01-17 13:15:19 +03:00
from lib.core.settings import INFERENCE_UNKNOWN_CHAR
fix for a bug (--predict-output) noticed by Bernardo
2011-01-31 18:00:41 +03:00
from lib.core.settings import INFERENCE_GREATER_CHAR
from lib.core.settings import INFERENCE_EQUALS_CHAR
implemented validation for time-based inference
2011-01-31 19:07:23 +03:00
from lib.core.settings import INFERENCE_NOT_EQUALS_CHAR
minor adjustment of a time based char retrievals (no more infinite increasing of timeSec value for problematic characters)
2011-08-16 10:50:20 +04:00
from lib.core.settings import MAX_TIME_REVALIDATION_STEPS
little stabilization of multi threading
2011-06-17 16:50:28 +04:00
from lib.core.settings import PYVERSION
bulk of fixes
2011-07-03 02:48:56 +04:00
from lib.core.threads import getCurrentThreadData
from lib.core.threads import runThreads
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.unescaper import unescaper
from lib.request.connect import Connect as Request
Minor layout adjustments
2010-02-04 20:45:56 +03:00
Major bug fix to make --first and --last apply only to --dump's entries dump phase (in either of the blind SQL injection techs only)
2011-02-27 15:14:13 +03:00
def bisection(payload, expression, length=None, charsetType=None, firstChar=None, lastChar=None, dump=False):
After the storm, a restore..
2008-10-15 19:38:22 +04:00
"""
Bisection algorithm that can be used to perform blind SQL injection
on an affected host
"""
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
partialValue = ""
Code refactoring and minor bug fixes.
2010-05-27 20:45:09 +04:00
finalValue = ""
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
asciiTbl = getCharset(charsetType)
Added support for time-based blind SQL injection via stacked queries too. Need to add vectors for some DBMS yet.
2010-12-09 02:52:31 +03:00
timeBasedCompare = (kb.technique in (PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED))
sqlmap 0.6.3-rc4: Minor enhancement to be able to specify the number of seconds before timeout the connection, default is set to 10 seconds. Minor improvement to retry the HTTP request up to three times in case an exception is raised during the connection to the target url. Minor bug fix to correctly catch connection exceptions and notify to the user also if they occur within a thread. Minor code restyling. Updated documentation.
2008-12-04 20:40:03 +03:00
Code refactoring and minor bug fixes.
2010-05-27 20:45:09 +04:00
# Set kb.partRun in case "common prediction" feature (a.k.a. "good
# samaritan") is used
Renamed --common-prediction switch to --predict-output
2010-10-17 03:50:13 +04:00
kb.partRun = getPartRun() if conf.predictOutput else None
more code updates regarding good samaritan (common output) feature
2010-05-26 13:48:20 +04:00
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
if "LENGTH(" in expression or "LEN(" in expression:
firstChar = 0
Major bug fix to make --first and --last apply only to --dump's entries dump phase (in either of the blind SQL injection techs only)
2011-02-27 15:14:13 +03:00
elif dump and conf.firstChar is not None and ( isinstance(conf.firstChar, int) or ( isinstance(conf.firstChar, basestring) and conf.firstChar.isdigit() ) ):
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
firstChar = int(conf.firstChar) - 1
elif firstChar is None:
firstChar = 0
fix regarding proper string isinstance checking (including unicode)
2010-05-25 14:09:35 +04:00
elif ( isinstance(firstChar, basestring) and firstChar.isdigit() ) or isinstance(firstChar, int):
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
firstChar = int(firstChar) - 1
if "LENGTH(" in expression or "LEN(" in expression:
lastChar = 0
Major bug fix to make --first and --last apply only to --dump's entries dump phase (in either of the blind SQL injection techs only)
2011-02-27 15:14:13 +03:00
elif dump and conf.lastChar is not None and ( isinstance(conf.lastChar, int) or ( isinstance(conf.lastChar, basestring) and conf.lastChar.isdigit() ) ):
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
lastChar = int(conf.lastChar)
elif lastChar in ( None, "0" ):
lastChar = 0
fix regarding proper string isinstance checking (including unicode)
2010-05-25 14:09:35 +04:00
elif ( isinstance(lastChar, basestring) and lastChar.isdigit() ) or isinstance(lastChar, int):
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
lastChar = int(lastChar)
refactoring (class names should always be Capital cased)
2011-01-28 19:36:09 +03:00
if Backend.getDbms():
Major bug fix to properly deal with EXISTS() when forging query or retrieving the query columns.
2011-01-18 02:43:37 +03:00
_, _, _, _, _, _, fieldToCastStr, _ = agent.getFields(expression)
nulledCastedField = agent.nullAndCastField(fieldToCastStr)
expressionReplaced = expression.replace(fieldToCastStr, nulledCastedField, 1)
expressionUnescaped = unescaper.unescape(expressionReplaced)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
else:
Major bug fix to properly deal with EXISTS() when forging query or retrieving the query columns.
2011-01-18 02:43:37 +03:00
expressionUnescaped = unescaper.unescape(expression)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
if length and not isinstance(length, int) and length.isdigit():
length = int(length)
if length == 0:
return 0, ""
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
if lastChar > 0 and length > ( lastChar - firstChar ):
length = ( lastChar - firstChar )
Minor code restyling
2011-04-30 17:20:05 +04:00
showEta = conf.eta and isinstance(length, int)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
numThreads = min(conf.threads, length)
if showEta:
progress = ProgressBar(maxValue=length)
progressTime = []
minor update
2011-10-28 15:11:55 +04:00
if timeBasedCompare and conf.threads > 1:
warnMsg = "multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically"
singleTimeWarnMessage(warnMsg)
Minor cosmetic fixes
2010-10-14 19:28:54 +04:00
if numThreads > 1:
update regarding time based data retrieval
2011-01-16 20:52:42 +03:00
if not timeBasedCompare:
debugMsg = "starting %d thread%s" % (numThreads, ("s" if numThreads > 1 else ""))
logger.debug(debugMsg)
else:
numThreads = 1
Minor layout adjustment
2010-03-12 17:48:33 +03:00
user friendliness uber 9000
2011-05-27 12:30:52 +04:00
if conf.threads == 1 and not timeBasedCompare:
"Please consider to provide" is a bad English
2011-06-18 13:46:22 +04:00
warnMsg = "running in a single-thread mode. Please consider "
now user can explicitly state number of UNION affected columns via --union-cols (e.g. --union-cols=5)
2011-06-18 14:51:14 +04:00
warnMsg += "usage of --threads switch for faster data retrieval"
more concise
2011-06-08 18:35:23 +04:00
singleTimeWarnMessage(warnMsg)
user friendliness uber 9000
2011-05-27 12:30:52 +04:00
Avoid displaying single retrieved character when --verbose > 2
2010-11-08 01:42:56 +03:00
if conf.verbose in (1, 2) and not showEta:
After the storm, a restore..
2008-10-15 19:38:22 +04:00
if isinstance(length, int) and conf.threads > 1:
minor adjustments
2010-03-12 15:46:26 +03:00
dataToStdout("[%s] [INFO] retrieved: %s" % (time.strftime("%X"), "_" * min(length, conf.progressWidth)))
After the storm, a restore..
2008-10-15 19:38:22 +04:00
dataToStdout("\r[%s] [INFO] retrieved: " % time.strftime("%X"))
else:
dataToStdout("[%s] [INFO] retrieved: " % time.strftime("%X"))
Code refactoring and minor bug fixes.
2010-05-27 20:45:09 +04:00
queriesCount = [0] # As list to deal with nested scoping rules
hintlock = threading.Lock()
Minor bug fix to add the "hinted" request to the total number of requests performed Minor layout adjustments.
2010-04-15 14:08:27 +04:00
implemented feature request from Ole Rasmussen regarding table name retrieval speedup
2010-04-15 13:36:13 +04:00
def tryHint(idx):
hintlock.acquire()
hintValue = kb.hintValue
hintlock.release()
Minor bug fix to add the "hinted" request to the total number of requests performed Minor layout adjustments.
2010-04-15 14:08:27 +04:00
if hintValue is not None and len(hintValue) >= idx:
Minor improvement at blind SQL inj technique for DB2
2011-06-28 02:28:12 +04:00
if Backend.getIdentifiedDbms() in (DBMS.SQLITE, DBMS.ACCESS, DBMS.MAXDB, DBMS.DB2):
implemented feature request from Ole Rasmussen regarding table name retrieval speedup
2010-04-15 13:36:13 +04:00
posValue = hintValue[idx-1]
else:
posValue = ord(hintValue[idx-1])
fix for a bug (--predict-output) noticed by Bernardo
2011-01-31 18:00:41 +03:00
forgedPayload = safeStringFormat(payload.replace(INFERENCE_GREATER_CHAR, INFERENCE_EQUALS_CHAR), (expressionUnescaped, idx, posValue))
Code refactoring and minor bug fixes.
2010-05-27 20:45:09 +04:00
queriesCount[0] += 1
few bug fixes
2010-12-24 21:40:48 +03:00
result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare, raise404=False)
Minor bug fix to add the "hinted" request to the total number of requests performed Minor layout adjustments.
2010-04-15 14:08:27 +04:00
implemented feature request from Ole Rasmussen regarding table name retrieval speedup
2010-04-15 13:36:13 +04:00
if result:
return hintValue[idx-1]
Minor bug fix to add the "hinted" request to the total number of requests performed Minor layout adjustments.
2010-04-15 14:08:27 +04:00
implemented feature request from Ole Rasmussen regarding table name retrieval speedup
2010-04-15 13:36:13 +04:00
hintlock.acquire()
kb.hintValue = None
hintlock.release()
Minor bug fix to add the "hinted" request to the total number of requests performed Minor layout adjustments.
2010-04-15 14:08:27 +04:00
implemented feature request from Ole Rasmussen regarding table name retrieval speedup
2010-04-15 13:36:13 +04:00
return None
implemented validation for time-based inference
2011-01-31 19:07:23 +03:00
def validateChar(idx, value):
"""
Just.. cosmetics ;)
2011-02-01 01:51:14 +03:00
Used in time-based inference (in case that original and retrieved
value are not equal there will be a deliberate delay).
implemented validation for time-based inference
2011-01-31 19:07:23 +03:00
"""
Just.. cosmetics ;)
2011-02-01 01:51:14 +03:00
implemented validation for time-based inference
2011-01-31 19:07:23 +03:00
forgedPayload = safeStringFormat(payload.replace(INFERENCE_GREATER_CHAR, INFERENCE_NOT_EQUALS_CHAR), (expressionUnescaped, idx, value))
queriesCount[0] += 1
result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare, raise404=False)
return not result
bug fix
2012-01-05 14:55:58 +04:00
def getChar(idx, charTbl=asciiTbl, continuousOrder=True, expand=charsetType is None, shiftTable=None):
Added common pattern value support to bisection algorithm
2010-06-17 15:38:32 +04:00
"""
continuousOrder means that distance between each two neighbour's
numerical values is exactly 1
"""
coollyy little commits
2010-12-10 14:32:46 +03:00
implemented feature request from Ole Rasmussen regarding table name retrieval speedup
2010-04-15 13:36:13 +04:00
result = tryHint(idx)
Minor bug fix to add the "hinted" request to the total number of requests performed Minor layout adjustments.
2010-04-15 14:08:27 +04:00
implemented feature request from Ole Rasmussen regarding table name retrieval speedup
2010-04-15 13:36:13 +04:00
if result:
return result
minor fix
2010-12-11 13:22:18 +03:00
originalTbl = list(charTbl)
bug fix
2012-01-05 14:55:58 +04:00
if continuousOrder and shiftTable is None:
Added common pattern value support to bisection algorithm
2010-06-17 15:38:32 +04:00
# Used for gradual expanding into unicode charspace
shiftTable = [5, 4]
new commit regarding good samaritan feature
2010-05-25 17:06:23 +04:00
urllib2 doesn't play well with '\n' when non unescaped chars used
2010-12-12 00:17:54 +03:00
if CHAR_INFERENCE_MARK in payload and ord('\n') in charTbl:
charTbl.remove(ord('\n'))
new commit regarding good samaritan feature
2010-05-25 17:06:23 +04:00
if len(charTbl) == 1:
fix for a bug (--predict-output) noticed by Bernardo
2011-01-31 18:00:41 +03:00
forgedPayload = safeStringFormat(payload.replace(INFERENCE_GREATER_CHAR, INFERENCE_EQUALS_CHAR), (expressionUnescaped, idx, charTbl[0]))
Code refactoring and minor bug fixes.
2010-05-27 20:45:09 +04:00
queriesCount[0] += 1
few bug fixes
2010-12-24 21:40:48 +03:00
result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare, raise404=False)
Minor bug fix in common.py goGoodSamaritan(). Minor code cleanup and adjustments.
2010-05-31 19:05:29 +04:00
new commit regarding good samaritan feature
2010-05-25 17:06:23 +04:00
if result:
minor revisit of inference
2011-03-24 23:10:40 +03:00
return decodeIntToUnicode(charTbl[0])
implemented validation for time-based inference
2011-01-31 19:07:23 +03:00
else:
new commit regarding good samaritan feature
2010-05-25 17:06:23 +04:00
return None
some speedup (usage of xrange (virtual range) instead of range)
2010-05-24 02:14:57 +04:00
maxChar = maxValue = charTbl[-1]
quick fix
2010-05-28 14:01:19 +04:00
minChar = minValue = charTbl[0]
After the storm, a restore..
2008-10-15 19:38:22 +04:00
some speedup (usage of xrange (virtual range) instead of range)
2010-05-24 02:14:57 +04:00
while len(charTbl) != 1:
Code refactoring and minor bug fixes.
2010-05-27 20:45:09 +04:00
position = (len(charTbl) >> 1)
posValue = charTbl[position]
Initial support for SQLite (90% approx). Initial support for Firebird (30% approx). Initial support for Access (10% approx). Shared libraries code/installation scripts ported to 64bit, directory structure adapted. Minor code adjustments.
2010-03-18 20:20:54 +03:00
coollyy little commits
2010-12-10 14:32:46 +03:00
if CHAR_INFERENCE_MARK not in payload:
forgedPayload = safeStringFormat(payload, (expressionUnescaped, idx, posValue))
else:
unescaping of char marked payloads
2011-01-24 15:00:16 +03:00
# e.g.: ... > '%c' -> ... > ORD(..)
markingValue = "'%s'" % CHAR_INFERENCE_MARK
minor revisit of inference
2011-03-24 23:10:40 +03:00
unescapedCharValue = unescaper.unescape(markingValue % decodeIntToUnicode(posValue))
unescaping of char marked payloads
2011-01-24 15:00:16 +03:00
forgedPayload = safeStringFormat(payload, (expressionUnescaped, idx)).replace(markingValue, unescapedCharValue)
changes regarding Feature #157 (Evaluate BETWEEN for inference algorithm)
2010-05-12 15:30:32 +04:00
Code refactoring and minor bug fixes.
2010-05-27 20:45:09 +04:00
queriesCount[0] += 1
few bug fixes
2010-12-24 21:40:48 +03:00
result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare, raise404=False)
Fixed a bug reported by Bedirhan Urgun <bedirhanurgun@gmail.com>
2008-10-16 18:01:14 +04:00
fix for Feature #157
2010-05-13 15:17:24 +04:00
if result:
minValue = posValue
Minor bug fix in common.py goGoodSamaritan(). Minor code cleanup and adjustments.
2010-05-31 19:05:29 +04:00
some speedup (usage of xrange (virtual range) instead of range)
2010-05-24 02:14:57 +04:00
if type(charTbl) != xrange:
charTbl = charTbl[position:]
Added common pattern value support to bisection algorithm
2010-06-17 15:38:32 +04:00
else:
# xrange() - extended virtual charset used for memory/space optimization
some speedup (usage of xrange (virtual range) instead of range)
2010-05-24 02:14:57 +04:00
charTbl = xrange(charTbl[position], charTbl[-1] + 1)
fix for Feature #157
2010-05-13 15:17:24 +04:00
else:
maxValue = posValue
Minor bug fix in common.py goGoodSamaritan(). Minor code cleanup and adjustments.
2010-05-31 19:05:29 +04:00
some speedup (usage of xrange (virtual range) instead of range)
2010-05-24 02:14:57 +04:00
if type(charTbl) != xrange:
charTbl = charTbl[:position]
some comments added
2010-06-02 19:18:33 +04:00
else:
fix
2010-05-24 13:28:20 +04:00
charTbl = xrange(charTbl[0], charTbl[position])
After the storm, a restore..
2008-10-15 19:38:22 +04:00
some speedup (usage of xrange (virtual range) instead of range)
2010-05-24 02:14:57 +04:00
if len(charTbl) == 1:
some renaming
2010-05-28 14:50:54 +04:00
if continuousOrder:
quick fix
2010-05-28 14:01:19 +04:00
if maxValue == 1:
return None
Added common pattern value support to bisection algorithm
2010-06-17 15:38:32 +04:00
# Going beyond the original charset
elif minValue == maxChar:
# If the original charTbl was [0,..,127] new one
# will be [128,..,128*16-1] or from 128 to 2047
Minor layout adjustment
2010-06-17 17:27:43 +04:00
# and instead of making a HUGE list with all the
# elements we use a xrange, which is a virtual
Added common pattern value support to bisection algorithm
2010-06-17 15:38:32 +04:00
# list
some more adjustments
2010-06-10 19:03:08 +04:00
if expand and shiftTable:
fix for an bug reported by David Guimaraes
2010-06-10 18:52:33 +04:00
charTbl = xrange(maxChar + 1, (maxChar + 1) << shiftTable.pop())
important fix for unicode based character inference
2011-01-17 13:15:19 +03:00
originalTbl = list(charTbl)
fix for an bug reported by David Guimaraes
2010-06-10 18:52:33 +04:00
maxChar = maxValue = charTbl[-1]
minChar = minValue = charTbl[0]
else:
return None
quick fix
2010-05-28 14:01:19 +04:00
else:
retVal = minValue + 1
Just.. cosmetics ;)
2011-02-01 01:51:14 +03:00
urllib2 doesn't play well with '\n' when non unescaped chars used
2010-12-12 00:17:54 +03:00
if retVal in originalTbl or (retVal == ord('\n') and CHAR_INFERENCE_MARK in payload):
LOL. removing that debug 'True'
2011-01-31 19:22:55 +03:00
if timeBasedCompare and not validateChar(idx, retVal):
minor adjustment of a time based char retrievals (no more infinite increasing of timeSec value for problematic characters)
2011-08-16 10:50:20 +04:00
if not kb.originalTimeDelay:
kb.originalTimeDelay = conf.timeSec
minor update
2011-11-22 19:06:51 +04:00
if (conf.timeSec - kb.originalTimeDelay) < MAX_TIME_REVALIDATION_STEPS:
errMsg = "invalid character detected. retrying.."
logger.error(errMsg)
minor adjustment of a time based char retrievals (no more infinite increasing of timeSec value for problematic characters)
2011-08-16 10:50:20 +04:00
warnMsg = "increasing time delay to %d second%s " % (conf.timeSec, 's' if conf.timeSec > 1 else '')
logger.warn(warnMsg)
minor update
2011-11-22 19:06:51 +04:00
conf.timeSec += 1
minor adjustment of a time based char retrievals (no more infinite increasing of timeSec value for problematic characters)
2011-08-16 10:50:20 +04:00
if kb.adjustTimeDelay:
dbgMsg = "turning off auto-adjustment mechanism"
logger.debug(dbgMsg)
kb.adjustTimeDelay = False
bug fix
2012-01-05 14:55:58 +04:00
return getChar(idx, originalTbl, continuousOrder, expand, shiftTable)
minor adjustment of a time based char retrievals (no more infinite increasing of timeSec value for problematic characters)
2011-08-16 10:50:20 +04:00
else:
minor update
2011-11-22 19:06:51 +04:00
errMsg = "unable to properly validate last character value ('%s').." % decodeIntToUnicode(retVal)
minor update related to the last commit
2011-08-16 11:01:14 +04:00
logger.error(errMsg)
minor adjustment of a time based char retrievals (no more infinite increasing of timeSec value for problematic characters)
2011-08-16 10:50:20 +04:00
conf.timeSec = kb.originalTimeDelay
minor update related to the last commit
2011-08-16 11:01:14 +04:00
return decodeIntToUnicode(retVal)
implemented validation for time-based inference
2011-01-31 19:07:23 +03:00
else:
minor revisit of inference
2011-03-24 23:10:40 +03:00
return decodeIntToUnicode(retVal)
minor fix
2010-12-11 13:22:18 +03:00
else:
return None
new commit regarding good samaritan feature
2010-05-25 17:06:23 +04:00
else:
quick fix
2010-05-28 14:01:19 +04:00
if minValue == maxChar or maxValue == minChar:
return None
Minor bug fix in common.py goGoodSamaritan(). Minor code cleanup and adjustments.
2010-05-31 19:05:29 +04:00
Added common pattern value support to bisection algorithm
2010-06-17 15:38:32 +04:00
# If we are working with non-continuous elements, set
# both minValue and character afterwards are possible
# candidates
for retVal in (originalTbl[originalTbl.index(minValue)], originalTbl[originalTbl.index(minValue) + 1]):
fix for a bug (--predict-output) noticed by Bernardo
2011-01-31 18:00:41 +03:00
forgedPayload = safeStringFormat(payload.replace(INFERENCE_GREATER_CHAR, INFERENCE_EQUALS_CHAR), (expressionUnescaped, idx, retVal))
some changes regarding --common-outputs feature
2010-05-31 13:41:41 +04:00
queriesCount[0] += 1
few bug fixes
2010-12-24 21:40:48 +03:00
result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare, raise404=False)
Minor bug fix in common.py goGoodSamaritan(). Minor code cleanup and adjustments.
2010-05-31 19:05:29 +04:00
some changes regarding --common-outputs feature
2010-05-31 13:41:41 +04:00
if result:
minor revisit of inference
2011-03-24 23:10:40 +03:00
return decodeIntToUnicode(retVal)
Minor bug fix in common.py goGoodSamaritan(). Minor code cleanup and adjustments.
2010-05-31 19:05:29 +04:00
some changes regarding --common-outputs feature
2010-05-31 13:41:41 +04:00
return None
Minor layout adjustments
2010-02-04 20:45:56 +03:00
After the storm, a restore..
2008-10-15 19:38:22 +04:00
def etaProgressUpdate(charTime, index):
if len(progressTime) <= ( (length * 3) / 100 ):
eta = 0
else:
midTime = sum(progressTime) / len(progressTime)
midTimeWithLatest = (midTime + charTime) / 2
eta = midTimeWithLatest * (length - index) / conf.threads
progressTime.append(charTime)
progress.update(index)
progress.draw(eta)
Minor layout adjustments
2010-02-04 20:45:56 +03:00
Added common pattern value support to bisection algorithm
2010-06-17 15:38:32 +04:00
# Go multi-threading (--threads > 1)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
if conf.threads > 1 and isinstance(length, int) and length > 1:
bulk of fixes
2011-07-03 02:48:56 +04:00
value = []
threadData = getCurrentThreadData()
threadData.shared.value = [ None ] * length
threadData.shared.index = [ firstChar ] # As list for python nested function scoping
try:
def blindThread():
threadData = getCurrentThreadData()
some refactoring
2010-12-20 21:56:06 +03:00
while kb.threadContinue:
some refactoring
2011-12-28 20:27:17 +04:00
kb.locks.index.acquire()
After the storm, a restore..
2008-10-15 19:38:22 +04:00
bulk of fixes
2011-07-03 02:48:56 +04:00
if threadData.shared.index[0] >= length:
some refactoring
2011-12-28 20:27:17 +04:00
kb.locks.index.release()
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major silent bug fix to multi-threading functionality. Thanks Nico Leidecker for reporting!
2009-05-20 13:34:13 +04:00
return
After the storm, a restore..
2008-10-15 19:38:22 +04:00
bulk of fixes
2011-07-03 02:48:56 +04:00
threadData.shared.index[0] += 1
curidx = threadData.shared.index[0]
some refactoring
2011-12-28 20:27:17 +04:00
kb.locks.index.release()
After the storm, a restore..
2008-10-15 19:38:22 +04:00
some refactoring
2010-12-20 21:56:06 +03:00
if kb.threadContinue:
fix for Bug #166 (Keyboard interrupt in Python threading)
2010-03-11 14:14:20 +03:00
charStart = time.time()
Code refactoring and minor bug fixes.
2010-05-27 20:45:09 +04:00
val = getChar(curidx)
fix for Bug #166 (Keyboard interrupt in Python threading)
2010-03-11 14:14:20 +03:00
if val is None:
important fix for unicode based character inference
2011-01-17 13:15:19 +03:00
val = INFERENCE_UNKNOWN_CHAR
fix for Bug #166 (Keyboard interrupt in Python threading)
2010-03-11 14:14:20 +03:00
else:
break
After the storm, a restore..
2008-10-15 19:38:22 +04:00
some refactoring
2011-12-28 20:27:17 +04:00
kb.locks.value.acquire()
bulk of fixes
2011-07-03 02:48:56 +04:00
threadData.shared.value[curidx-1] = val
currentValue = list(threadData.shared.value)
some refactoring
2011-12-28 20:27:17 +04:00
kb.locks.value.release()
sqlmap 0.6.3-rc4: Minor enhancement to be able to specify the number of seconds before timeout the connection, default is set to 10 seconds. Minor improvement to retry the HTTP request up to three times in case an exception is raised during the connection to the target url. Minor bug fix to correctly catch connection exceptions and notify to the user also if they occur within a thread. Minor code restyling. Updated documentation.
2008-12-04 20:40:03 +03:00
some refactoring
2010-12-20 21:56:06 +03:00
if kb.threadContinue:
fix for Bug #166 (Keyboard interrupt in Python threading)
2010-03-11 14:14:20 +03:00
if showEta:
bulk of fixes
2011-07-03 02:48:56 +04:00
etaProgressUpdate(time.time() - charStart, threadData.shared.index[0])
fix for Bug #166 (Keyboard interrupt in Python threading)
2010-03-11 14:14:20 +03:00
elif conf.verbose >= 1:
fix for Bug #167
2010-03-12 15:38:19 +03:00
startCharIndex = 0
endCharIndex = 0
Minor layout adjustment
2010-03-25 19:26:50 +03:00
fix for Bug #167
2010-03-12 15:38:19 +03:00
for i in xrange(length):
fixed that thread partial output problem (one character behind) reported by Kasper Fons
2010-05-11 15:06:21 +04:00
if currentValue[i] is not None:
fix for Bug #167
2010-03-12 15:38:19 +03:00
endCharIndex = max(endCharIndex, i)
Minor layout adjustment
2010-03-25 19:26:50 +03:00
fix for Bug #167
2010-03-12 15:38:19 +03:00
output = ''
Minor layout adjustment
2010-03-25 19:26:50 +03:00
minor adjustments
2010-03-12 15:46:26 +03:00
if endCharIndex > conf.progressWidth:
startCharIndex = endCharIndex - conf.progressWidth
Minor layout adjustment
2010-03-25 19:26:50 +03:00
fix for Bug #167
2010-03-12 15:38:19 +03:00
count = 0
Minor layout adjustment
2010-03-25 19:26:50 +03:00
fixed that thread partial output problem (one character behind) reported by Kasper Fons
2010-05-11 15:06:21 +04:00
for i in xrange(startCharIndex, endCharIndex + 1):
output += '_' if currentValue[i] is None else currentValue[i]
Minor bug fix and layout adjustment regarding --threading and standard output
2010-03-22 20:38:19 +03:00
fix for Bug #167
2010-03-12 15:38:19 +03:00
for i in xrange(length):
fixed that thread partial output problem (one character behind) reported by Kasper Fons
2010-05-11 15:06:21 +04:00
count += 1 if currentValue[i] is not None else 0
Minor bug fix and layout adjustment regarding --threading and standard output
2010-03-22 20:38:19 +03:00
fix for Bug #167
2010-03-12 15:38:19 +03:00
if startCharIndex > 0:
two dots instead of three
2010-03-12 17:31:14 +03:00
output = '..' + output[2:]
Minor bug fix and layout adjustment regarding --threading and standard output
2010-03-22 20:38:19 +03:00
fix for Bug #183
2010-04-19 19:25:52 +04:00
if (endCharIndex - startCharIndex == conf.progressWidth) and (endCharIndex < length-1):
two dots instead of three
2010-03-12 17:31:14 +03:00
output = output[:-2] + '..'
Minor bug fix and layout adjustment regarding --threading and standard output
2010-03-22 20:38:19 +03:00
Minor code refactoring and cosmetics
2011-01-12 00:46:21 +03:00
if conf.verbose in (1, 2) and not showEta:
output += '_' * (min(length, conf.progressWidth) - len(output))
status = ' %d/%d (%d%s)' % (count, length, round(100.0*count/length), '%')
output += status if count != length else " "*len(status)
dataToStdout("\r[%s] [INFO] retrieved: %s" % (time.strftime("%X"), filterControlChars(output)))
sqlmap 0.6.3-rc4: Minor enhancement to be able to specify the number of seconds before timeout the connection, default is set to 10 seconds. Minor improvement to retry the HTTP request up to three times in case an exception is raised during the connection to the target url. Minor bug fix to correctly catch connection exceptions and notify to the user also if they occur within a thread. Minor code restyling. Updated documentation.
2008-12-04 20:40:03 +03:00
some refactoring
2010-12-20 21:56:06 +03:00
if not kb.threadContinue:
multithreading save to session on abort
2010-07-19 12:37:45 +04:00
if int(threading.currentThread().getName()) == numThreads - 1:
partialValue = unicode()
bulk of fixes
2011-07-03 02:48:56 +04:00
for v in threadData.shared.value:
minor adjustment
2010-07-19 13:06:19 +04:00
if v is None:
break
elif isinstance(v, basestring):
multithreading save to session on abort
2010-07-19 12:37:45 +04:00
partialValue += v
if len(partialValue) > 0:
dataToSessionFile(replaceNewlineTabs(partialValue))
bulk of fixes
2011-07-03 02:48:56 +04:00
runThreads(numThreads, blindThread, startThreadMsg=False)
little stabilization of multi threading
2011-06-17 16:50:28 +04:00
fix for Bug #166 (Keyboard interrupt in Python threading)
2010-03-11 14:14:20 +03:00
except KeyboardInterrupt:
raise
minor makeup fix
2010-03-11 14:20:52 +03:00
bulk of fixes
2011-07-03 02:48:56 +04:00
finally:
value = threadData.shared.value
fixed a bug reported by Mosk Dmitri (infoMsg UnboundLocalError)
2010-04-29 12:30:29 +04:00
infoMsg = None
Code refactoring and minor bug fixes.
2010-05-27 20:45:09 +04:00
sqlmap 0.6.3-rc4: Minor enhancement to be able to specify the number of seconds before timeout the connection, default is set to 10 seconds. Minor improvement to retry the HTTP request up to three times in case an exception is raised during the connection to the target url. Minor bug fix to correctly catch connection exceptions and notify to the user also if they occur within a thread. Minor code restyling. Updated documentation.
2008-12-04 20:40:03 +03:00
# If we have got one single character not correctly fetched it
# can mean that the connection to the target url was lost
if None in value:
for v in value:
fix regarding proper string isinstance checking (including unicode)
2010-05-25 14:09:35 +04:00
if isinstance(v, basestring) and v is not None:
sqlmap 0.6.3-rc4: Minor enhancement to be able to specify the number of seconds before timeout the connection, default is set to 10 seconds. Minor improvement to retry the HTTP request up to three times in case an exception is raised during the connection to the target url. Minor bug fix to correctly catch connection exceptions and notify to the user also if they occur within a thread. Minor code restyling. Updated documentation.
2008-12-04 20:40:03 +03:00
partialValue += v
After the storm, a restore..
2008-10-15 19:38:22 +04:00
sqlmap 0.6.3-rc4: Minor enhancement to be able to specify the number of seconds before timeout the connection, default is set to 10 seconds. Minor improvement to retry the HTTP request up to three times in case an exception is raised during the connection to the target url. Minor bug fix to correctly catch connection exceptions and notify to the user also if they occur within a thread. Minor code restyling. Updated documentation.
2008-12-04 20:40:03 +03:00
if partialValue:
finalValue = partialValue
adding filtering of strings for control chars in blind inference mode (way to handle either errornous values, or either binary data)
2011-01-05 13:25:07 +03:00
infoMsg = "\r[%s] [INFO] partially retrieved: %s" % (time.strftime("%X"), filterControlChars(finalValue))
sqlmap 0.6.3-rc4: Minor enhancement to be able to specify the number of seconds before timeout the connection, default is set to 10 seconds. Minor improvement to retry the HTTP request up to three times in case an exception is raised during the connection to the target url. Minor bug fix to correctly catch connection exceptions and notify to the user also if they occur within a thread. Minor code restyling. Updated documentation.
2008-12-04 20:40:03 +03:00
else:
finalValue = "".join(value)
adding filtering of strings for control chars in blind inference mode (way to handle either errornous values, or either binary data)
2011-01-05 13:25:07 +03:00
infoMsg = "\r[%s] [INFO] retrieved: %s" % (time.strftime("%X"), filterControlChars(finalValue))
After the storm, a restore..
2008-10-15 19:38:22 +04:00
fix regarding proper string isinstance checking (including unicode)
2010-05-25 14:09:35 +04:00
if isinstance(finalValue, basestring) and len(finalValue) > 0:
sqlmap 0.6.3-rc4: Minor enhancement to be able to specify the number of seconds before timeout the connection, default is set to 10 seconds. Minor improvement to retry the HTTP request up to three times in case an exception is raised during the connection to the target url. Minor bug fix to correctly catch connection exceptions and notify to the user also if they occur within a thread. Minor code restyling. Updated documentation.
2008-12-04 20:40:03 +03:00
dataToSessionFile(replaceNewlineTabs(finalValue))
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Avoid displaying single retrieved character when --verbose > 2
2010-11-08 01:42:56 +03:00
if conf.verbose in (1, 2) and not showEta and infoMsg:
sqlmap 0.6.3-rc4: Minor enhancement to be able to specify the number of seconds before timeout the connection, default is set to 10 seconds. Minor improvement to retry the HTTP request up to three times in case an exception is raised during the connection to the target url. Minor bug fix to correctly catch connection exceptions and notify to the user also if they occur within a thread. Minor code restyling. Updated documentation.
2008-12-04 20:40:03 +03:00
dataToStdout(infoMsg)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Added common pattern value support to bisection algorithm
2010-06-17 15:38:32 +04:00
# No multi-threading (--threads = 1)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
else:
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
index = firstChar
After the storm, a restore..
2008-10-15 19:38:22 +04:00
while True:
Code refactoring and minor bug fixes.
2010-05-27 20:45:09 +04:00
index += 1
After the storm, a restore..
2008-10-15 19:38:22 +04:00
charStart = time.time()
periodical commit
2010-05-21 13:35:36 +04:00
Code refactoring and minor bug fixes.
2010-05-27 20:45:09 +04:00
# Common prediction feature (a.k.a. "good samaritan")
# NOTE: to be used only when multi-threading is not set for
# the moment
Renamed --common-prediction switch to --predict-output
2010-10-17 03:50:13 +04:00
if conf.predictOutput and len(finalValue) > 0 and kb.partRun is not None:
minor update regarding good samaritan
2010-05-25 18:51:02 +04:00
val = None
Minor enhancements and bug fixes to "good samaritan" feature - see #4
2010-06-21 18:40:12 +04:00
commonValue, commonPattern, commonCharset, otherCharset = goGoodSamaritan(finalValue, asciiTbl)
Minor bug fix in common.py goGoodSamaritan(). Minor code cleanup and adjustments.
2010-05-31 19:05:29 +04:00
# If there is one single output in common-outputs, check
# it via equal against the query output
Minor enhancements and bug fixes to "good samaritan" feature - see #4
2010-06-21 18:40:12 +04:00
if commonValue is not None:
# One-shot query containing equals commonValue
testValue = unescaper.unescape("'%s'" % commonValue) if "'" not in commonValue else unescaper.unescape("%s" % commonValue, quote=False)
Minor code adjustments
2010-10-25 18:11:47 +04:00
query = agent.prefixQuery(safeStringFormat("AND (%s) = %s", (expressionUnescaped, testValue)))
Proper english (--postfix is now --suffix) and --string/--regexp does not necessarily need to match into the original response body, it might well be in the injected True condition only!
2010-11-18 01:00:09 +03:00
query = agent.suffixQuery(query)
Code refactoring and minor bug fixes.
2010-05-27 20:45:09 +04:00
queriesCount[0] += 1
few bug fixes
2010-12-24 21:40:48 +03:00
result = Request.queryPage(agent.payload(newValue=query), timeBasedCompare=timeBasedCompare, raise404=False)
Code refactoring and minor bug fixes.
2010-05-27 20:45:09 +04:00
# Did we have luck?
more code updates regarding good samaritan (common output) feature
2010-05-26 13:48:20 +04:00
if result:
Minor enhancements and bug fixes to "good samaritan" feature - see #4
2010-06-21 18:40:12 +04:00
dataToSessionFile(replaceNewlineTabs(commonValue[index-1:]))
Code refactoring and minor bug fixes.
2010-05-27 20:45:09 +04:00
fuck yea, first tests (MySQL/--tables & --common-prediction) are great :)
2010-05-26 14:41:37 +04:00
if showEta:
Minor enhancements and bug fixes to "good samaritan" feature - see #4
2010-06-21 18:40:12 +04:00
etaProgressUpdate(time.time() - charStart, len(commonValue))
Avoid displaying single retrieved character when --verbose > 2
2010-11-08 01:42:56 +03:00
elif conf.verbose in (1, 2):
Minor enhancements and bug fixes to "good samaritan" feature - see #4
2010-06-21 18:40:12 +04:00
dataToStdout(commonValue[index-1:])
Code refactoring and minor bug fixes.
2010-05-27 20:45:09 +04:00
Minor enhancements and bug fixes to "good samaritan" feature - see #4
2010-06-21 18:40:12 +04:00
finalValue = commonValue
Code refactoring and minor bug fixes.
2010-05-27 20:45:09 +04:00
more code updates regarding good samaritan (common output) feature
2010-05-26 13:48:20 +04:00
break
Minor bug fix in common.py goGoodSamaritan(). Minor code cleanup and adjustments.
2010-05-31 19:05:29 +04:00
Added common pattern value support to bisection algorithm
2010-06-17 15:38:32 +04:00
# If there is a common pattern starting with finalValue,
# check it via equal against the substring-query output
Minor enhancements and bug fixes to "good samaritan" feature - see #4
2010-06-21 18:40:12 +04:00
if commonPattern is not None:
# Substring-query containing equals commonPattern
refactoring (class names should always be Capital cased)
2011-01-28 19:36:09 +03:00
subquery = queries[Backend.getIdentifiedDbms()].substring.query % (expressionUnescaped, 1, len(commonPattern))
Minor enhancements and bug fixes to "good samaritan" feature - see #4
2010-06-21 18:40:12 +04:00
testValue = unescaper.unescape("'%s'" % commonPattern) if "'" not in commonPattern else unescaper.unescape("%s" % commonPattern, quote=False)
Minor code adjustments
2010-10-25 18:11:47 +04:00
query = agent.prefixQuery(safeStringFormat("AND (%s) = %s", (subquery, testValue)))
Proper english (--postfix is now --suffix) and --string/--regexp does not necessarily need to match into the original response body, it might well be in the injected True condition only!
2010-11-18 01:00:09 +03:00
query = agent.suffixQuery(query)
Added common pattern value support to bisection algorithm
2010-06-17 15:38:32 +04:00
queriesCount[0] += 1
few bug fixes
2010-12-24 21:40:48 +03:00
result = Request.queryPage(agent.payload(newValue=query), timeBasedCompare=timeBasedCompare, raise404=False)
Added common pattern value support to bisection algorithm
2010-06-17 15:38:32 +04:00
# Did we have luck?
if result:
Minor enhancements and bug fixes to "good samaritan" feature - see #4
2010-06-21 18:40:12 +04:00
val = commonPattern[index-1:]
Added common pattern value support to bisection algorithm
2010-06-17 15:38:32 +04:00
index += len(val)-1
Minor enhancements and bug fixes to "good samaritan" feature - see #4
2010-06-21 18:40:12 +04:00
# Otherwise if there is no commonValue (single match from
# txt/common-outputs.txt) and no commonPattern
Added common pattern value support to bisection algorithm
2010-06-17 15:38:32 +04:00
# (common pattern) use the returned common charset only
# to retrieve the query output
if not val and commonCharset:
Code refactoring and minor bug fixes.
2010-05-27 20:45:09 +04:00
val = getChar(index, commonCharset, False)
Minor enhancements and bug fixes to "good samaritan" feature - see #4
2010-06-21 18:40:12 +04:00
# If we had no luck with commonValue and common charset,
Code refactoring and minor bug fixes.
2010-05-27 20:45:09 +04:00
# use the returned other charset
periodical commit
2010-05-21 13:35:36 +04:00
if not val:
minor fix
2010-05-28 14:17:03 +04:00
val = getChar(index, otherCharset, otherCharset == asciiTbl)
periodical commit
2010-05-21 13:35:36 +04:00
else:
val = getChar(index, asciiTbl)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
if val is None or ( lastChar > 0 and index > lastChar ):
After the storm, a restore..
2008-10-15 19:38:22 +04:00
break
implemented --banner for MaxDB and some minor fixes
2010-11-02 23:51:55 +03:00
if kb.data.processChar:
val = kb.data.processChar(val)
sqlmap 0.6.3-rc4: Minor enhancement to be able to specify the number of seconds before timeout the connection, default is set to 10 seconds. Minor improvement to retry the HTTP request up to three times in case an exception is raised during the connection to the target url. Minor bug fix to correctly catch connection exceptions and notify to the user also if they occur within a thread. Minor code restyling. Updated documentation.
2008-12-04 20:40:03 +03:00
finalValue += val
Implemented a better way to deal with % characters in parameters' value. Minor code restyle.
2008-10-16 19:31:02 +04:00
dataToSessionFile(replaceNewlineTabs(val))
After the storm, a restore..
2008-10-15 19:38:22 +04:00
if showEta:
etaProgressUpdate(time.time() - charStart, index)
Avoid displaying single retrieved character when --verbose > 2
2010-11-08 01:42:56 +03:00
elif conf.verbose in (1, 2):
After the storm, a restore..
2008-10-15 19:38:22 +04:00
dataToStdout(val)
added inference failsafe (like in for instance Firebirds SUBSTR always returns a string value, no matter which starting index you use)
2010-12-11 13:52:04 +03:00
if len(finalValue) > INFERENCE_BLANK_BREAK and finalValue[-INFERENCE_BLANK_BREAK:].isspace():
break
Avoid displaying single retrieved character when --verbose > 2
2010-11-08 01:42:56 +03:00
if conf.verbose in (1, 2) or showEta:
After the storm, a restore..
2008-10-15 19:38:22 +04:00
dataToStdout("\n")
Minor output bug fix
2010-05-11 18:15:03 +04:00
if ( conf.verbose in ( 1, 2 ) and showEta ) or conf.verbose >= 3:
adding filtering of strings for control chars in blind inference mode (way to handle either errornous values, or either binary data)
2011-01-05 13:25:07 +03:00
infoMsg = "retrieved: %s" % filterControlChars(finalValue)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
logger.info(infoMsg)
sqlmap 0.6.3-rc4: Minor enhancement to be able to specify the number of seconds before timeout the connection, default is set to 10 seconds. Minor improvement to retry the HTTP request up to three times in case an exception is raised during the connection to the target url. Minor bug fix to correctly catch connection exceptions and notify to the user also if they occur within a thread. Minor code restyling. Updated documentation.
2008-12-04 20:40:03 +03:00
if not partialValue:
dataToSessionFile("]\n")
code refactoring regarding standard output suppression and some threading issues
2010-12-21 17:21:24 +03:00
if kb.threadException:
grammar fix
2010-06-03 12:55:13 +04:00
raise sqlmapThreadException, "something unexpected happened inside the threads"
After the storm, a restore..
2008-10-15 19:38:22 +04:00
update (smaller memory footprint in postprocessing phase because of safecharencode part)
2011-07-26 00:40:31 +04:00
return queriesCount[0], safecharencode(finalValue) if kb.safeCharEncode else finalValue
Reference in New Issue Copy Permalink