sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2024-11-22 09:36:35 +03:00
Code Issues Packages Projects Releases Wiki Activity
ddd296030d
sqlmap/lib/request/inject.py

505 lines
20 KiB
Python
Raw Normal View History

After the storm, a restore..
2008-10-15 19:38:22 +04:00
#!/usr/bin/env python
"""
propsets..
2008-10-15 19:56:32 +04:00
$Id$
After the storm, a restore..
2008-10-15 19:38:22 +04:00
large commit with copyright header modifications
2010-10-14 18:41:14 +04:00
Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
sorry, cosmetics
2010-10-15 03:18:29 +04:00
See the file 'doc/COPYING' for copying permission
After the storm, a restore..
2008-10-15 19:38:22 +04:00
"""
import re
import time
from lib.core.agent import agent
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
from lib.core.common import backend
added calculateDeltaSeconds method for dealing with non-deterministic time behaviour in some cases (e.g. WAITFOR DELAY in case of MSSQL)
2010-05-13 15:05:35 +04:00
from lib.core.common import calculateDeltaSeconds
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.common import cleanQuery
from lib.core.common import dataToSessionFile
from lib.core.common import expandAsteriskForColumns
quick fix of a fix
2010-12-15 15:10:33 +03:00
from lib.core.common import getPublicTypeMembers
code refactoring and some fixes
2010-12-18 12:51:34 +03:00
from lib.core.common import initTechnique
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-19 02:02:11 +03:00
from lib.core.common import isNumPosStrValue
quick fix of a fix
2010-12-15 15:10:33 +03:00
from lib.core.common import isTechniqueAvailable
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup.
2008-12-10 20:23:07 +03:00
from lib.core.common import parseUnionPage
minor cosmetic update
2010-10-11 17:52:32 +04:00
from lib.core.common import popValue
from lib.core.common import pushValue
added randInt to error injection vectors
2010-10-20 12:56:58 +04:00
from lib.core.common import randomInt
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.common import readInput
Properly save error-based enumerated data in session file, able to be resumed like with other techniques
2010-11-12 14:40:37 +03:00
from lib.core.common import replaceNewlineTabs
first successfull run of error based sqlmap in history :). tested --banner, --current-user, --current-db on 4 major DBMSes. still hidden from users (turn on flag error in getValue() in inject.py)
2010-10-19 16:02:04 +04:00
from lib.core.common import safeStringFormat
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import queries
further refactoring (all enumerations are now put into enums.py)
2010-11-08 12:20:02 +03:00
from lib.core.enums import DBMS
minor refactoring
2010-12-10 15:30:36 +03:00
from lib.core.enums import EXPECTED
code beautification
2010-12-08 16:04:48 +03:00
from lib.core.enums import PAYLOAD
Prioritize DBMS fingerprint based on DBMS (<dbms>) identified during the detection phase. Minor bug fix to properly handle the case that no injections are found. Nicer display of injection vulnerabilities detected. Minor code refactoring.
2010-11-29 00:27:47 +03:00
from lib.core.exception import sqlmapNotVulnerableException
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-19 02:02:11 +03:00
from lib.core.exception import sqlmapUserQuitException
from lib.core.settings import FROM_TABLE
now resume is available for time-based blinds too
2010-12-08 15:49:26 +03:00
from lib.core.settings import MIN_TIME_RESPONSES
cosmetics
2010-12-21 18:26:23 +03:00
from lib.core.settings import MAX_TECHNIQUES_PER_VALUE
some fixes
2011-01-07 19:39:47 +03:00
from lib.core.threads import getCurrentThreadData
you won't believe commit
2010-12-10 16:20:59 +03:00
from lib.core.unescaper import unescaper
Initial implementation of support for stacked queries. Added method to test for Time based blind SQL injection query stacking on the affected parameter a SLEEP() or similar DBMS specific function. Adapted libraries, plugins and XML with the above changes. Minor layout adjustments.
2008-11-12 03:36:50 +03:00
from lib.request.connect import Connect as Request
Added support to directly connect also to Microsoft SQL Server database. Fixed direct connection to always use the same query as of UNION query SQL injection (= one query with multiple columns/entries output). Minor fixes to Firebird/Access/SQLite connectors to use connector's execute()/fetchall() as wrapper for third-party libraries' methods. Forced conf.timeout to 10 seconds when directly connecting to database. Slightly improved regular expression to parse -d parameter. Added import check for all connectors' third-party libraries. Code refactoring: * Moved conf.direct request to direct() function in lib/request/direct.py (code reused where needed). * Back-delegated to generic connector close() and other methods.
2010-03-31 14:50:47 +04:00
from lib.request.direct import direct
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.techniques.inband.union.use import unionUse
Properly moved and improved inject.goStacked() function and newly implemented Time based blind SQL injection now is a single test file within the lib/techniques/ folder. Renamed lib/techniques/inference to lib/techniques/blind, it is more approriate and adapted the rest of the libraries. Updated ChangeLog file.
2008-11-13 02:44:09 +03:00
from lib.techniques.blind.inference import bisection
code refactoring
2010-10-20 13:09:04 +04:00
from lib.techniques.error.use import errorUse
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.utils.resume import queryOutputLength
from lib.utils.resume import resume
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
def __goInference(payload, expression, charsetType=None, firstChar=None, lastChar=None):
Initial implementation of support for stacked queries. Added method to test for Time based blind SQL injection query stacking on the affected parameter a SLEEP() or similar DBMS specific function. Adapted libraries, plugins and XML with the above changes. Minor layout adjustments.
2008-11-12 03:36:50 +03:00
start = time.time()
After the storm, a restore..
2008-10-15 19:38:22 +04:00
update regarding time based data retrieval
2011-01-16 20:52:42 +03:00
timeBasedCompare = (kb.technique in (PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED))
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
if (conf.eta or conf.threads > 1) and backend.getIdentifiedDbms() and not timeBasedCompare:
After the storm, a restore..
2008-10-15 19:38:22 +04:00
_, length, _ = queryOutputLength(expression, payload)
else:
length = None
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
dataToSessionFile("[%s][%s][%s][%s][" % (conf.url, kb.injection.place, conf.parameters[kb.injection.place], expression))
Minor fix
2008-10-16 19:39:25 +04:00
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
count, value = bisection(payload, expression, length, charsetType, firstChar, lastChar)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
added calculateDeltaSeconds method for dealing with non-deterministic time behaviour in some cases (e.g. WAITFOR DELAY in case of MSSQL)
2010-05-13 15:05:35 +04:00
debugMsg = "performed %d queries in %d seconds" % (count, calculateDeltaSeconds(start))
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
logger.debug(debugMsg)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
return value
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
def __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected=None, num=None, resumeValue=True, charsetType=None, firstChar=None, lastChar=None):
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-19 02:02:11 +03:00
outputs = []
origExpr = None
After the storm, a restore..
2008-10-15 19:38:22 +04:00
for field in expressionFieldsList:
output = None
Limited custom query now works also on Oracle in inferential blind SQL injection technique
2008-12-24 02:34:50 +03:00
if field.startswith("ROWNUM "):
continue
Major bug fix to make partial UNION query sql injection work properly also on Microsoft SQL Server
2008-12-22 22:36:01 +03:00
if isinstance(num, int):
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-19 02:02:11 +03:00
origExpr = expression
Major bug fix to make partial UNION query sql injection work properly also on Microsoft SQL Server
2008-12-22 22:36:01 +03:00
expression = agent.limitQuery(num, expression, field)
Limited custom query now works also on Oracle in inferential blind SQL injection technique
2008-12-24 02:34:50 +03:00
if "ROWNUM" in expressionFieldsList:
expressionReplaced = expression
Major bug fixes
2009-01-23 01:28:27 +03:00
else:
expressionReplaced = expression.replace(expressionFields, field, 1)
Limited custom query now works also on Oracle in inferential blind SQL injection technique
2008-12-24 02:34:50 +03:00
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 05:02:12 +03:00
if resumeValue:
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
output = resume(expressionReplaced, payload)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-19 02:02:11 +03:00
if not output or (expected == EXPECTED.INT and not output.isdigit()):
Major bug fix so that when the expected value of a query (count variable) is an integer and for some reason the resumed value from session file is a string or a binary file, the query is executed again and and its new output saved to the session file
2008-11-02 22:21:19 +03:00
if output:
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-19 02:02:11 +03:00
warnMsg = "expected value type %s, resumed '%s', " % (expected, output)
Major bug fix so that when the expected value of a query (count variable) is an integer and for some reason the resumed value from session file is a string or a binary file, the query is executed again and and its new output saved to the session file
2008-11-02 22:21:19 +03:00
warnMsg += "sqlmap is going to retrieve the value again"
logger.warn(warnMsg)
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
output = __goInference(payload, expressionReplaced, charsetType, firstChar, lastChar)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major bug fix to make partial UNION query sql injection work properly also on Microsoft SQL Server
2008-12-22 22:36:01 +03:00
if isinstance(num, int):
expression = origExpr
After the storm, a restore..
2008-10-15 19:38:22 +04:00
outputs.append(output)
return outputs
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, resumeValue=True, unpack=True, charsetType=None, firstChar=None, lastChar=None):
After the storm, a restore..
2008-10-15 19:38:22 +04:00
"""
Retrieve the output of a SQL query characted by character taking
advantage of an blind SQL injection vulnerability on the affected
parameter through a bisection algorithm.
"""
Minor code adjustments
2010-10-25 18:11:47 +04:00
code refactoring and some fixes
2010-12-18 12:51:34 +03:00
initTechnique(kb.technique)
Minor enhancement to speedup active dbms fingerprint (-f). Code cleanup and refactoring.
2010-12-14 00:33:42 +03:00
vector = agent.cleanupPayload(kb.injection.data[kb.technique].vector)
query = agent.prefixQuery(vector)
query = agent.suffixQuery(query)
payload = agent.payload(newValue=query)
count = None
startLimit = 0
stopLimit = None
outputs = []
test = None
After the storm, a restore..
2008-10-15 19:38:22 +04:00
untilLimitChar = None
untilOrderChar = None
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 05:02:12 +03:00
if resumeValue:
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
output = resume(expression, payload)
else:
output = None
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-19 02:02:11 +03:00
if output and (expected is None or (expected == EXPECTED.INT and output.isdigit())):
After the storm, a restore..
2008-10-15 19:38:22 +04:00
return output
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 05:02:12 +03:00
if not unpack:
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
return __goInference(payload, expression, charsetType, firstChar, lastChar)
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
_, _, _, _, _, expressionFieldsList, expressionFields, _ = agent.getFields(expression)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
rdbRegExp = re.search("RDB\$GET_CONTEXT\([^)]+\)", expression, re.I)
if rdbRegExp and backend.getIdentifiedDbms() == DBMS.FIREBIRD:
expressionFieldsList = [expressionFields]
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
if len(expressionFieldsList) > 1:
infoMsg = "the SQL query provided has more than a field. "
infoMsg += "sqlmap will now unpack it into distinct queries "
infoMsg += "to be able to retrieve the output even if we "
infoMsg += "are going blind"
logger.info(infoMsg)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
# If we have been here from SQL query/shell we have to check if
# the SQL query might return multiple entries and in such case
# forge the SQL limiting the query output one entry per time
# NOTE: I assume that only queries that get data from a table
# can return multiple entries
if fromUser and " FROM " in expression.upper() and ((backend.getIdentifiedDbms() not in FROM_TABLE) or (backend.getIdentifiedDbms() in FROM_TABLE and not expression.upper().endswith(FROM_TABLE[backend.getIdentifiedDbms()]))):
limitRegExp = re.search(queries[backend.getIdentifiedDbms()].limitregexp.query, expression, re.I)
topLimit = re.search("TOP\s+([\d]+)\s+", expression, re.I)
Fixed another bug on Microsoft SQL Server custom "limited" query reported by Konrads Smelkovs
2009-02-03 02:44:19 +03:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
if limitRegExp or (backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE) and topLimit):
if backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL):
limitGroupStart = queries[backend.getIdentifiedDbms()].limitgroupstart.query
limitGroupStop = queries[backend.getIdentifiedDbms()].limitgroupstop.query
Fixed another bug on Microsoft SQL Server custom "limited" query reported by Konrads Smelkovs
2009-02-03 02:44:19 +03:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
if limitGroupStart.isdigit():
startLimit = int(limitRegExp.group(int(limitGroupStart)))
Major bug fix to make it work properly with MSSQL custom limited (SELECT TOP ...) queries with both inferential blind and Full UNION query injection
2009-01-03 02:26:45 +03:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
stopLimit = limitRegExp.group(int(limitGroupStop))
limitCond = int(stopLimit) > 1
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
elif backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):
After the storm, a restore..
2008-10-15 19:38:22 +04:00
if limitRegExp:
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
limitGroupStart = queries[backend.getIdentifiedDbms()].limitgroupstart.query
limitGroupStop = queries[backend.getIdentifiedDbms()].limitgroupstop.query
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
if limitGroupStart.isdigit():
startLimit = int(limitRegExp.group(int(limitGroupStart)))
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
stopLimit = limitRegExp.group(int(limitGroupStop))
limitCond = int(stopLimit) > 1
elif topLimit:
startLimit = 0
stopLimit = int(topLimit.group(1))
limitCond = int(stopLimit) > 1
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
elif backend.getIdentifiedDbms() == DBMS.ORACLE:
limitCond = False
else:
limitCond = True
# I assume that only queries NOT containing a "LIMIT #, 1"
# (or similar depending on the back-end DBMS) can return
# multiple entries
if limitCond:
if limitRegExp:
stopLimit = int(stopLimit)
# From now on we need only the expression until the " LIMIT "
# (or similar, depending on the back-end DBMS) word
if backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL):
stopLimit += startLimit
untilLimitChar = expression.index(queries[backend.getIdentifiedDbms()].limitstring.query)
expression = expression[:untilLimitChar]
elif backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):
stopLimit += startLimit
if not stopLimit or stopLimit <= 1:
if backend.getIdentifiedDbms() in FROM_TABLE and expression.upper().endswith(FROM_TABLE[backend.getIdentifiedDbms()]):
test = False
else:
test = True
if test:
# Count the number of SQL query entries output
countFirstField = queries[backend.getIdentifiedDbms()].count.query % expressionFieldsList[0]
countedExpression = expression.replace(expressionFields, countFirstField, 1)
if re.search(" ORDER BY ", expression, re.I):
untilOrderChar = countedExpression.index(" ORDER BY ")
countedExpression = countedExpression[:untilOrderChar]
if resumeValue:
count = resume(countedExpression, payload)
if not stopLimit:
if not count or not count.isdigit():
count = __goInference(payload, countedExpression, 2, firstChar, lastChar)
if isNumPosStrValue(count):
count = int(count)
if batch:
stopLimit = count
else:
message = "the SQL query provided can return "
message += "%d entries. How many " % count
message += "entries do you want to retrieve?\n"
message += "[a] All (default)\n[#] Specific number\n"
message += "[q] Quit"
test = readInput(message, default="a")
if not test or test[0] in ("a", "A"):
After the storm, a restore..
2008-10-15 19:38:22 +04:00
stopLimit = count
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
elif test[0] in ("q", "Q"):
raise sqlmapUserQuitException
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
elif test.isdigit() and int(test) > 0 and int(test) <= count:
stopLimit = int(test)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
infoMsg = "sqlmap is now going to retrieve the "
infoMsg += "first %d query output entries" % stopLimit
logger.info(infoMsg)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
elif test[0] in ("#", "s", "S"):
message = "how many? "
stopLimit = readInput(message, default="10")
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
if not stopLimit.isdigit():
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-19 02:02:11 +03:00
errMsg = "invalid choice"
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
logger.error(errMsg)
return None
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
else:
stopLimit = int(stopLimit)
else:
errMsg = "invalid choice"
logger.error(errMsg)
Minor adjustments and bug fixes
2008-12-17 23:11:18 +03:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
return None
Minor adjustments and bug fixes
2008-12-17 23:11:18 +03:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
elif count and not count.isdigit():
warnMsg = "it was not possible to count the number "
warnMsg += "of entries for the SQL query provided. "
warnMsg += "sqlmap will assume that it returns only "
warnMsg += "one entry"
logger.warn(warnMsg)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
stopLimit = 1
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
elif (not count or int(count) == 0):
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-19 02:02:11 +03:00
warnMsg = "the SQL query provided does not "
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup.
2008-12-10 20:23:07 +03:00
warnMsg += "return any output"
After the storm, a restore..
2008-10-15 19:38:22 +04:00
logger.warn(warnMsg)
return None
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
elif (not count or int(count) == 0) and (not stopLimit or stopLimit == 0):
warnMsg = "the SQL query provided does not "
warnMsg += "return any output"
logger.warn(warnMsg)
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-19 02:02:11 +03:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
return None
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
try:
for num in xrange(startLimit, stopLimit):
output = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, num, resumeValue=resumeValue, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar)
outputs.append(output)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
except KeyboardInterrupt:
print
warnMsg = "Ctrl+C detected in dumping phase"
logger.warn(warnMsg)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
return outputs
elif backend.getIdentifiedDbms() in FROM_TABLE and expression.upper().startswith("SELECT ") and " FROM " not in expression.upper():
expression += FROM_TABLE[backend.getIdentifiedDbms()]
outputs = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, resumeValue=resumeValue, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar)
returnValue = ", ".join([output for output in outputs])
After the storm, a restore..
2008-10-15 19:38:22 +04:00
return returnValue
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-19 02:02:11 +03:00
def __goBooleanProxy(expression, resumeValue=True):
"""
Retrieve the output of a boolean based SQL query
"""
initTechnique(kb.technique)
vector = kb.injection.data[kb.technique].vector
vector = vector.replace("[INFERENCE]", expression)
vector = agent.cleanupPayload(vector)
query = agent.prefixQuery(vector)
query = agent.suffixQuery(query)
payload = agent.payload(newValue=query)
timeBasedCompare = kb.technique in (PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED)
if resumeValue:
output = resume(expression, payload)
else:
output = None
if not output:
output = Request.queryPage(payload, timeBasedCompare=timeBasedCompare, raise404=False)
return output
def __goError(expression, expected=None, resumeValue=True, dump=False):
Important update to parse correctly the <where> tag during exploitation phase. Minor code cleanup.
2010-12-03 13:44:16 +03:00
"""
Retrieve the output of a SQL query taking advantage of an error-based
SQL injection vulnerability on the affected parameter.
"""
result = None
if conf.direct:
return direct(expression), None
code refactoring
2010-12-15 15:43:56 +03:00
if resumeValue:
Important update to parse correctly the <where> tag during exploitation phase. Minor code cleanup.
2010-12-03 13:44:16 +03:00
result = resume(expression, None)
if not result:
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-19 02:02:11 +03:00
result = errorUse(expression, expected, resumeValue, dump)
Important update to parse correctly the <where> tag during exploitation phase. Minor code cleanup.
2010-12-03 13:44:16 +03:00
return result
Minor bug fix to consider --start and --stop also in partial UNION query SQL injection
2010-04-30 19:48:40 +04:00
def __goInband(expression, expected=None, sort=True, resumeValue=True, unpack=True, dump=False):
After the storm, a restore..
2008-10-15 19:38:22 +04:00
"""
Retrieve the output of a SQL query taking advantage of an inband SQL
injection vulnerability on the affected parameter.
"""
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-19 02:02:11 +03:00
output = None
After the storm, a restore..
2008-10-15 19:38:22 +04:00
partial = False
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-19 02:02:11 +03:00
data = []
After the storm, a restore..
2008-10-15 19:38:22 +04:00
code refactoring
2010-12-15 15:43:56 +03:00
if resumeValue:
After the storm, a restore..
2008-10-15 19:38:22 +04:00
output = resume(expression, None)
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-19 02:02:11 +03:00
if not output or (expected == EXPECTED.INT and not output.isdigit()):
After the storm, a restore..
2008-10-15 19:38:22 +04:00
partial = True
if not output:
Minor bug fix to consider --start and --stop also in partial UNION query SQL injection
2010-04-30 19:48:40 +04:00
output = unionUse(expression, resetCounter=True, unpack=unpack, dump=dump)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
if output:
minor fix
2010-12-15 23:51:29 +03:00
data = parseUnionPage(output, expression, partial, None, sort)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
return data
update
2010-12-09 01:38:26 +03:00
def getValue(expression, blind=True, inband=True, error=True, time=True, fromUser=False, expected=None, batch=False, unpack=True, sort=True, resumeValue=True, charsetType=None, firstChar=None, lastChar=None, dump=False, suppressOutput=False, expectingNone=False):
After the storm, a restore..
2008-10-15 19:38:22 +04:00
"""
Called each time sqlmap inject a SQL query on the SQL injection
affected parameter. It can call a function to retrieve the output
through inband SQL injection (if selected) and/or blind SQL injection
(if selected).
"""
some fixes
2011-01-07 19:39:47 +03:00
getCurrentThreadData().disableStdOut = suppressOutput
first successfull run of error based sqlmap in history :). tested --banner, --current-user, --current-db on 4 major DBMSes. still hidden from users (turn on flag error in getValue() in inject.py)
2010-10-19 16:02:04 +04:00
update
2010-12-09 01:38:26 +03:00
try:
if conf.direct:
value = direct(expression)
minor cosmetics
2010-12-15 15:15:43 +03:00
First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though. Major refactoring to Agent.payload() method. Minor bug fixes, some code refactoring and a lot of core adjustments here and there. Added more checks for injection in GROUP BY and ORDER BY.
2011-01-12 01:18:47 +03:00
elif any(map(isTechniqueAvailable, getPublicTypeMembers(PAYLOAD.TECHNIQUE, onlyValues=True))):
fix
2010-12-10 18:06:53 +03:00
query = cleanQuery(expression)
query = expandAsteriskForColumns(query)
cosmetics
2010-12-10 18:24:25 +03:00
value = None
found = False
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-19 02:02:11 +03:00
resume of brute forced data is now available
2010-12-27 17:17:20 +03:00
if query and not 'COUNT(*)' in query:
query = query.replace("DISTINCT ", "")
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-19 02:02:11 +03:00
minor tuning (2 techniques MAX per value used)
2010-12-21 18:24:14 +03:00
count = 0
fix
2010-12-10 18:06:53 +03:00
fix
2010-12-10 19:03:32 +03:00
if expected == EXPECTED.BOOL:
further update regarding bugtrace's report
2010-12-11 20:32:15 +03:00
forgeCaseExpression = booleanExpression = expression
Minor enhancement to speedup active dbms fingerprint (-f). Code cleanup and refactoring.
2010-12-14 00:33:42 +03:00
further update regarding bugtrace's report
2010-12-11 20:32:15 +03:00
if expression.upper().startswith("SELECT "):
booleanExpression = expression[len("SELECT "):]
else:
forgeCaseExpression = agent.forgeCaseStatement(expression)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though. Major refactoring to Agent.payload() method. Minor bug fixes, some code refactoring and a lot of core adjustments here and there. Added more checks for injection in GROUP BY and ORDER BY.
2011-01-12 01:18:47 +03:00
if inband and isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION):
update
2010-12-09 01:38:26 +03:00
kb.technique = PAYLOAD.TECHNIQUE.UNION
Minor enhancement to speedup active dbms fingerprint (-f). Code cleanup and refactoring.
2010-12-14 00:33:42 +03:00
further update regarding bugtrace's report
2010-12-11 20:32:15 +03:00
if expected == EXPECTED.BOOL:
value = __goInband(forgeCaseExpression, expected, sort, resumeValue, unpack, dump)
else:
value = __goInband(query, expected, sort, resumeValue, unpack, dump)
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup.
2008-12-10 20:23:07 +03:00
minor tuning (2 techniques MAX per value used)
2010-12-21 18:24:14 +03:00
count += 1
minor bug fix
2010-12-31 15:04:39 +03:00
found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
Higher precedence to union query sql inj than error-based
2010-12-01 13:57:17 +03:00
quick fix of a fix
2010-12-15 15:10:33 +03:00
if error and isTechniqueAvailable(PAYLOAD.TECHNIQUE.ERROR) and not found:
update
2010-12-09 01:38:26 +03:00
kb.technique = PAYLOAD.TECHNIQUE.ERROR
Minor enhancement to speedup active dbms fingerprint (-f). Code cleanup and refactoring.
2010-12-14 00:33:42 +03:00
fix
2010-12-10 19:03:32 +03:00
if expected == EXPECTED.BOOL:
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-19 02:02:11 +03:00
value = __goError(forgeCaseExpression, expected, resumeValue, dump)
fix
2010-12-10 19:03:32 +03:00
else:
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-19 02:02:11 +03:00
value = __goError(query, expected, resumeValue, dump)
Minor enhancement to speedup active dbms fingerprint (-f). Code cleanup and refactoring.
2010-12-14 00:33:42 +03:00
minor tuning (2 techniques MAX per value used)
2010-12-21 18:24:14 +03:00
count += 1
minor bug fix
2010-12-31 15:04:39 +03:00
found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
now resume is available for time-based blinds too
2010-12-08 15:49:26 +03:00
quick fix of a fix
2010-12-15 15:10:33 +03:00
if blind and isTechniqueAvailable(PAYLOAD.TECHNIQUE.BOOLEAN) and not found:
update
2010-12-09 01:38:26 +03:00
kb.technique = PAYLOAD.TECHNIQUE.BOOLEAN
Minor enhancement to speedup active dbms fingerprint (-f). Code cleanup and refactoring.
2010-12-14 00:33:42 +03:00
minor refactoring
2010-12-10 15:30:36 +03:00
if expected == EXPECTED.BOOL:
another update
2010-12-10 18:18:15 +03:00
value = __goBooleanProxy(booleanExpression, resumeValue)
update regarding boolean based expressions
2010-12-10 00:15:18 +03:00
else:
fix
2010-12-10 18:06:53 +03:00
value = __goInferenceProxy(query, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar)
Minor enhancement to speedup active dbms fingerprint (-f). Code cleanup and refactoring.
2010-12-14 00:33:42 +03:00
minor tuning (2 techniques MAX per value used)
2010-12-21 18:24:14 +03:00
count += 1
minor bug fix
2010-12-31 15:04:39 +03:00
found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
now resume is available for time-based blinds too
2010-12-08 15:49:26 +03:00
quick fix of a fix
2010-12-15 15:10:33 +03:00
if time and (isTechniqueAvailable(PAYLOAD.TECHNIQUE.TIME) or isTechniqueAvailable(PAYLOAD.TECHNIQUE.STACKED)) and not found:
if isTechniqueAvailable(PAYLOAD.TECHNIQUE.TIME):
Added support for time-based blind SQL injection via stacked queries too. Need to add vectors for some DBMS yet.
2010-12-09 02:52:31 +03:00
kb.technique = PAYLOAD.TECHNIQUE.TIME
quick fix of a fix
2010-12-15 15:10:33 +03:00
else:
Added support for time-based blind SQL injection via stacked queries too. Need to add vectors for some DBMS yet.
2010-12-09 02:52:31 +03:00
kb.technique = PAYLOAD.TECHNIQUE.STACKED
sqlmap premiere of blind time based query/bisection
2010-12-08 15:28:54 +03:00
fix
2010-12-10 19:03:32 +03:00
if expected == EXPECTED.BOOL:
value = __goBooleanProxy(booleanExpression, resumeValue)
else:
value = __goInferenceProxy(query, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
update
2010-12-09 01:38:26 +03:00
if value and isinstance(value, basestring):
value = value.strip()
else:
errMsg = "none of the injection types identified can be "
errMsg += "leveraged to retrieve queries output"
raise sqlmapNotVulnerableException, errMsg
minor cosmetics
2010-12-15 15:34:14 +03:00
update
2010-12-09 01:38:26 +03:00
finally:
some fixes
2011-01-07 19:39:47 +03:00
getCurrentThreadData().disableStdOut = False
Minor bug fix
2010-03-18 20:36:58 +03:00
further update regarding bugtrace's report
2010-12-11 20:32:15 +03:00
if value and expected == EXPECTED.BOOL:
if isinstance(value, basestring):
minor cosmetics
2010-12-15 15:34:14 +03:00
if value.lower() in ("true", "false"):
further update regarding bugtrace's report
2010-12-11 20:32:15 +03:00
value = bool(value)
added one more level of MSSQL version check (if first fails for some reason)
2010-12-18 00:01:14 +03:00
elif value.capitalize() == "None":
value = None
further update regarding bugtrace's report
2010-12-11 20:32:15 +03:00
else:
value = value != "0"
elif isinstance(value, int):
value = bool(value)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
return value
Initial implementation of support for stacked queries. Added method to test for Time based blind SQL injection query stacking on the affected parameter a SLEEP() or similar DBMS specific function. Adapted libraries, plugins and XML with the above changes. Minor layout adjustments.
2008-11-12 03:36:50 +03:00
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
def goStacked(expression, silent=False):
code beautification
2010-12-08 16:04:48 +03:00
kb.technique = PAYLOAD.TECHNIQUE.STACKED
Ahead with the improvements to the comparison algorithm. Added support internally to forge CASE statements, used only by --is-dba query at the moment. Allow DDL, DML (INSERT, UPDATE, etc.) from user in SQL query and SQL shell. Minor code adjustments.
2008-12-19 23:09:46 +03:00
expression = cleanQuery(expression)
Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments.
2010-03-27 02:23:25 +03:00
if conf.direct:
Added support to directly connect also to Microsoft SQL Server database. Fixed direct connection to always use the same query as of UNION query SQL injection (= one query with multiple columns/entries output). Minor fixes to Firebird/Access/SQLite connectors to use connector's execute()/fetchall() as wrapper for third-party libraries' methods. Forced conf.timeout to 10 seconds when directly connecting to database. Slightly improved regular expression to parse -d parameter. Added import check for all connectors' third-party libraries. Code refactoring: * Moved conf.direct request to direct() function in lib/request/direct.py (code reused where needed). * Back-delegated to generic connector close() and other methods.
2010-03-31 14:50:47 +04:00
return direct(expression), None
Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments.
2010-03-27 02:23:25 +03:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
comment = queries[backend.getIdentifiedDbms()].comment.query
Added tag <epayload> to the payloads.xml's <test> tag to define which payload to use when exploiting the test type. Removed some useless tests. Moved <error> from queries.xml to payloads.xml as it makes more sense. Beeps at sql inj found only if --beep is provided. Minor fix in order to be able to pickle advancedDict() objects. Minor code refactoring. Removed useless folders.
2010-12-01 20:09:52 +03:00
query = agent.prefixQuery("; %s" % expression)
query = agent.suffixQuery("%s;%s" % (query, comment))
Added support to test for stacked queries support and improved check for time based blind sql injection. Minor bug fix in --save option
2008-12-17 00:30:24 +03:00
payload = agent.payload(newValue=query)
minor update
2010-12-08 17:33:10 +03:00
page, _ = Request.queryPage(payload, content=True, silent=silent, noteResponseTime=False)
Initial implementation of support for stacked queries. Added method to test for Time based blind SQL injection query stacking on the affected parameter a SLEEP() or similar DBMS specific function. Adapted libraries, plugins and XML with the above changes. Minor layout adjustments.
2008-11-12 03:36:50 +03:00
Added support to test for stacked queries support and improved check for time based blind sql injection. Minor bug fix in --save option
2008-12-17 00:30:24 +03:00
return payload, page
OR based inference works for the first time in history and fingerprint of 4 major DBMSes is now injection based (instead of AND)
2010-12-06 21:20:57 +03:00
just in case as maybe there will be some boolean expression to check where we won't expect None, but explicitly True/False
2010-12-14 12:05:00 +03:00
def checkBooleanExpression(expression, expectingNone=True):
return getValue(unescaper.unescape(expression), expected=EXPECTED.BOOL, suppressOutput=True, expectingNone=expectingNone)
Reference in New Issue Copy Permalink