sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-10-31 16:07:55 +03:00
Code Issues Packages Projects Releases Wiki Activity

improvement for limited queries (more stable to have TOP/LIMIT/OFFSET mechanisms as part of a subquery)

Browse Source
This commit is contained in:
Miroslav Stampar 2011-07-31 23:40:09 +00:00
parent 0627bb02cb
commit 018d7ed646
2 changed files with 12 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
lib/core/agent.py
View File

@ -522,7 +522,7 @@ class Agent:
return concatenatedQuery return concatenatedQuery
def forgeInbandQuery(self, query, position, count, comment, prefix, suffix, char, multipleUnions=None): def forgeInbandQuery(self, query, position, count, comment, prefix, suffix, char, multipleUnions=None, limited=False):
""" """
Take in input an query (pseudo query) string and return its Take in input an query (pseudo query) string and return its
processed UNION ALL SELECT query. processed UNION ALL SELECT query.
@ -558,17 +558,16 @@ class Agent:
inbandQuery = self.prefixQuery("UNION ALL SELECT ", prefix=prefix) inbandQuery = self.prefixQuery("UNION ALL SELECT ", prefix=prefix)
if query.startswith("TOP"): if limited:
# TOP enumeration on DBMS.MSSQL is too specific and it has to go
# into its own brackets because those NULLs cause problems with
# ORDER BY clause
if Backend.isDbms(DBMS.MSSQL):
inbandQuery += ",".join(map(lambda x: char if x != position else '(SELECT %s)' % query, range(0, count))) inbandQuery += ",".join(map(lambda x: char if x != position else '(SELECT %s)' % query, range(0, count)))
inbandQuery = self.suffixQuery(inbandQuery, comment, suffix) inbandQuery = self.suffixQuery(inbandQuery, comment, suffix)
inbandQuery += FROM_TABLE.get(Backend.getIdentifiedDbms(), "")
return inbandQuery return inbandQuery
topNum = re.search("\ATOP\s+([\d]+)\s+", query, re.I).group(1) topNumRegex = re.search("\ATOP\s+([\d]+)\s+", query, re.I)
if topNumRegex:
topNum = topNumRegex.group(1)
query = query[len("TOP %s " % topNum):] query = query[len("TOP %s " % topNum):]
inbandQuery += "TOP %s " % topNum inbandQuery += "TOP %s " % topNum

6
lib/techniques/union/use.py
View File

@ -47,7 +47,7 @@ from lib.utils.resume import resume
reqCount = 0 reqCount = 0
def __oneShotUnionUse(expression, unpack=True): def __oneShotUnionUse(expression, unpack=True, limited=False):
global reqCount global reqCount
check = "(?P<result>%s.*%s)" % (kb.misc.start, kb.misc.stop) check = "(?P<result>%s.*%s)" % (kb.misc.start, kb.misc.stop)
@ -64,7 +64,7 @@ def __oneShotUnionUse(expression, unpack=True):
# Forge the inband SQL injection request # Forge the inband SQL injection request
vector = kb.injection.data[PAYLOAD.TECHNIQUE.UNION].vector vector = kb.injection.data[PAYLOAD.TECHNIQUE.UNION].vector
query = agent.forgeInbandQuery(expression, vector[0], vector[1], vector[2], vector[3], vector[4], vector[5]) query = agent.forgeInbandQuery(expression, vector[0], vector[1], vector[2], vector[3], vector[4], vector[5], None, limited)
payload = agent.payload(newValue=query, where=where) payload = agent.payload(newValue=query, where=where)
# Perform the request # Perform the request
@ -299,7 +299,7 @@ def unionUse(expression, unpack=True, dump=False):
output = resume(limitedExpr, None) output = resume(limitedExpr, None)
if not output: if not output:
output = __oneShotUnionUse(limitedExpr, unpack) output = __oneShotUnionUse(limitedExpr, unpack, True)
if not kb.threadContinue: if not kb.threadContinue:
break break