mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2024-11-29 04:53:48 +03:00
Added support to test for stacked queries support and improved check for time based blind sql injection.
Minor bug fix in --save option
This commit is contained in:
parent
bf2a857b9a
commit
05a8c8d3bf
|
@ -33,6 +33,7 @@ from lib.core.exception import sqlmapUnsupportedDBMSException
|
||||||
from lib.core.settings import SUPPORTED_DBMS
|
from lib.core.settings import SUPPORTED_DBMS
|
||||||
from lib.techniques.blind.timebased import timeTest
|
from lib.techniques.blind.timebased import timeTest
|
||||||
from lib.techniques.inband.union.test import unionTest
|
from lib.techniques.inband.union.test import unionTest
|
||||||
|
from lib.techniques.outband.stacked import stackedTest
|
||||||
|
|
||||||
|
|
||||||
def action():
|
def action():
|
||||||
|
@ -70,6 +71,9 @@ def action():
|
||||||
print "%s\n" % conf.dbmsHandler.getFingerprint()
|
print "%s\n" % conf.dbmsHandler.getFingerprint()
|
||||||
|
|
||||||
# Techniques options
|
# Techniques options
|
||||||
|
if conf.stackedTest:
|
||||||
|
dumper.string("stacked queries support", stackedTest())
|
||||||
|
|
||||||
if conf.timeTest:
|
if conf.timeTest:
|
||||||
dumper.string("time based blind sql injection payload", timeTest())
|
dumper.string("time based blind sql injection payload", timeTest())
|
||||||
|
|
||||||
|
|
|
@ -613,6 +613,7 @@ def __setKnowledgeBaseAttributes():
|
||||||
kb.injType = None
|
kb.injType = None
|
||||||
kb.parenthesis = None
|
kb.parenthesis = None
|
||||||
kb.resumedQueries = {}
|
kb.resumedQueries = {}
|
||||||
|
kb.stackedTest = None
|
||||||
kb.targetUrls = set()
|
kb.targetUrls = set()
|
||||||
kb.timeTest = None
|
kb.timeTest = None
|
||||||
kb.unionComment = ""
|
kb.unionComment = ""
|
||||||
|
@ -656,6 +657,8 @@ def __saveCmdline():
|
||||||
elif datatype in ( "integer", "float" ):
|
elif datatype in ( "integer", "float" ):
|
||||||
if option in ( "threads", "verbose" ):
|
if option in ( "threads", "verbose" ):
|
||||||
value = "1"
|
value = "1"
|
||||||
|
elif option == "timeout":
|
||||||
|
value = "10"
|
||||||
else:
|
else:
|
||||||
value = "0"
|
value = "0"
|
||||||
elif datatype == "string":
|
elif datatype == "string":
|
||||||
|
|
|
@ -45,7 +45,7 @@ optDict = {
|
||||||
"proxy": "string",
|
"proxy": "string",
|
||||||
"threads": "integer",
|
"threads": "integer",
|
||||||
"delay": "float",
|
"delay": "float",
|
||||||
"timeout": "int",
|
"timeout": "float",
|
||||||
},
|
},
|
||||||
|
|
||||||
"Injection": {
|
"Injection": {
|
||||||
|
@ -60,6 +60,7 @@ optDict = {
|
||||||
},
|
},
|
||||||
|
|
||||||
"Techniques": {
|
"Techniques": {
|
||||||
|
"stackedTest": "boolean",
|
||||||
"timeTest": "boolean",
|
"timeTest": "boolean",
|
||||||
"unionTest": "boolean",
|
"unionTest": "boolean",
|
||||||
"unionUse": "boolean",
|
"unionUse": "boolean",
|
||||||
|
|
|
@ -153,10 +153,14 @@ def cmdLineParser():
|
||||||
"the affected parameter(s) rather than using "
|
"the affected parameter(s) rather than using "
|
||||||
"the default blind SQL injection technique.")
|
"the default blind SQL injection technique.")
|
||||||
|
|
||||||
|
techniques.add_option("--stacked-test", dest="stackedTest",
|
||||||
|
action="store_true",
|
||||||
|
help="Test for stacked queries (multiple "
|
||||||
|
"statements) support")
|
||||||
|
|
||||||
techniques.add_option("--time-test", dest="timeTest",
|
techniques.add_option("--time-test", dest="timeTest",
|
||||||
action="store_true",
|
action="store_true",
|
||||||
help="Test for Time based blind SQL injection")
|
help="Test for Time based blind SQL injection")
|
||||||
|
|
||||||
techniques.add_option("--union-test", dest="unionTest",
|
techniques.add_option("--union-test", dest="unionTest",
|
||||||
action="store_true",
|
action="store_true",
|
||||||
help="Test for UNION query (inband) SQL injection")
|
help="Test for UNION query (inband) SQL injection")
|
||||||
|
|
|
@ -322,21 +322,15 @@ def getValue(expression, blind=True, inband=True, fromUser=False, expected=None)
|
||||||
return value
|
return value
|
||||||
|
|
||||||
|
|
||||||
def goStacked(expression, timeTest=False):
|
def goStacked(expression):
|
||||||
"""
|
"""
|
||||||
TODO: write description
|
TODO: write description
|
||||||
"""
|
"""
|
||||||
|
|
||||||
comment = queries[kb.dbms].comment
|
comment = queries[kb.dbms].comment
|
||||||
query = agent.prefixQuery("; %s" % expression)
|
query = agent.prefixQuery("; %s" % expression)
|
||||||
query = agent.postfixQuery("%s; %s" % (query, comment))
|
query = agent.postfixQuery("%s;%s" % (query, comment))
|
||||||
payload = agent.payload(newValue=query)
|
payload = agent.payload(newValue=query)
|
||||||
|
page = Request.queryPage(payload, content=True)
|
||||||
|
|
||||||
start = time.time()
|
return payload, page
|
||||||
Request.queryPage(payload)
|
|
||||||
duration = int(time.time() - start)
|
|
||||||
|
|
||||||
if timeTest:
|
|
||||||
return (duration >= SECONDS, payload)
|
|
||||||
else:
|
|
||||||
return duration >= SECONDS
|
|
||||||
|
|
|
@ -24,24 +24,62 @@ Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
import time
|
||||||
|
|
||||||
|
from lib.core.agent import agent
|
||||||
from lib.core.data import kb
|
from lib.core.data import kb
|
||||||
from lib.core.data import logger
|
from lib.core.data import logger
|
||||||
from lib.core.data import queries
|
from lib.core.data import queries
|
||||||
from lib.core.settings import SECONDS
|
from lib.core.settings import SECONDS
|
||||||
from lib.request import inject
|
from lib.request import inject
|
||||||
|
from lib.request.connect import Connect as Request
|
||||||
|
|
||||||
|
|
||||||
def timeTest():
|
def timeTest():
|
||||||
infoMsg = "testing time based blind sql injection on parameter "
|
infoMsg = "testing time based blind sql injection on parameter "
|
||||||
infoMsg += "'%s'" % kb.injParameter
|
infoMsg += "'%s' with AND condition syntax" % kb.injParameter
|
||||||
logger.info(infoMsg)
|
logger.info(infoMsg)
|
||||||
|
|
||||||
query = queries[kb.dbms].timedelay % SECONDS
|
timeQuery = queries[kb.dbms].timedelay % SECONDS
|
||||||
timeTest = inject.goStacked(query, timeTest=True)
|
|
||||||
|
query = agent.prefixQuery(" AND %s" % timeQuery)
|
||||||
|
query = agent.postfixQuery(query)
|
||||||
|
payload = agent.payload(newValue=query)
|
||||||
|
start = time.time()
|
||||||
|
_ = Request.queryPage(payload)
|
||||||
|
duration = int(time.time() - start)
|
||||||
|
|
||||||
|
if duration >= SECONDS:
|
||||||
|
infoMsg = "the parameter '%s' is affected by a time " % kb.injParameter
|
||||||
|
infoMsg += "based blind sql injection with AND condition syntax"
|
||||||
|
logger.info(infoMsg)
|
||||||
|
|
||||||
|
kb.timeTest = payload
|
||||||
|
|
||||||
if timeTest[0] == True:
|
|
||||||
kb.timeTest = timeTest[1]
|
|
||||||
else:
|
else:
|
||||||
kb.timeTest = False
|
warnMsg = "the parameter '%s' is not affected by a time " % kb.injParameter
|
||||||
|
warnMsg += "based blind sql injection with AND condition syntax"
|
||||||
|
logger.warn(warnMsg)
|
||||||
|
|
||||||
|
infoMsg = "testing time based blind sql injection on parameter "
|
||||||
|
infoMsg += "'%s' with stacked query syntax" % kb.injParameter
|
||||||
|
logger.info(infoMsg)
|
||||||
|
|
||||||
|
start = time.time()
|
||||||
|
payload, _ = inject.goStacked(timeQuery)
|
||||||
|
duration = int(time.time() - start)
|
||||||
|
|
||||||
|
if duration >= SECONDS:
|
||||||
|
infoMsg = "the parameter '%s' is affected by a time " % kb.injParameter
|
||||||
|
infoMsg += "based blind sql injection with stacked query syntax"
|
||||||
|
logger.info(infoMsg)
|
||||||
|
|
||||||
|
kb.timeTest = payload
|
||||||
|
else:
|
||||||
|
warnMsg = "the parameter '%s' is not affected by a time " % kb.injParameter
|
||||||
|
warnMsg += "based blind sql injection with stacked query syntax"
|
||||||
|
logger.warn(warnMsg)
|
||||||
|
|
||||||
|
kb.timeTest = False
|
||||||
|
|
||||||
return kb.timeTest
|
return kb.timeTest
|
||||||
|
|
25
lib/techniques/outband/__init__.py
Normal file
25
lib/techniques/outband/__init__.py
Normal file
|
@ -0,0 +1,25 @@
|
||||||
|
#!/usr/bin/env python
|
||||||
|
|
||||||
|
"""
|
||||||
|
$Id$
|
||||||
|
|
||||||
|
This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
|
||||||
|
|
||||||
|
Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
|
||||||
|
and Daniele Bellucci <daniele.bellucci@gmail.com>
|
||||||
|
|
||||||
|
sqlmap is free software; you can redistribute it and/or modify it under
|
||||||
|
the terms of the GNU General Public License as published by the Free
|
||||||
|
Software Foundation version 2 of the License.
|
||||||
|
|
||||||
|
sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
|
||||||
|
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
||||||
|
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
|
||||||
|
details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU General Public License along
|
||||||
|
with sqlmap; if not, write to the Free Software Foundation, Inc., 51
|
||||||
|
Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
||||||
|
"""
|
||||||
|
|
||||||
|
pass
|
60
lib/techniques/outband/stacked.py
Normal file
60
lib/techniques/outband/stacked.py
Normal file
|
@ -0,0 +1,60 @@
|
||||||
|
#!/usr/bin/env python
|
||||||
|
|
||||||
|
"""
|
||||||
|
$Id$
|
||||||
|
|
||||||
|
This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
|
||||||
|
|
||||||
|
Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
|
||||||
|
and Daniele Bellucci <daniele.bellucci@gmail.com>
|
||||||
|
|
||||||
|
sqlmap is free software; you can redistribute it and/or modify it under
|
||||||
|
the terms of the GNU General Public License as published by the Free
|
||||||
|
Software Foundation version 2 of the License.
|
||||||
|
|
||||||
|
sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
|
||||||
|
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
||||||
|
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
|
||||||
|
details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU General Public License along
|
||||||
|
with sqlmap; if not, write to the Free Software Foundation, Inc., 51
|
||||||
|
Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
||||||
|
"""
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
import time
|
||||||
|
|
||||||
|
from lib.core.data import kb
|
||||||
|
from lib.core.data import logger
|
||||||
|
from lib.core.data import queries
|
||||||
|
from lib.core.settings import SECONDS
|
||||||
|
from lib.request import inject
|
||||||
|
|
||||||
|
|
||||||
|
def stackedTest():
|
||||||
|
infoMsg = "testing stacked queries support on parameter "
|
||||||
|
infoMsg += "'%s'" % kb.injParameter
|
||||||
|
logger.info(infoMsg)
|
||||||
|
|
||||||
|
query = queries[kb.dbms].timedelay % SECONDS
|
||||||
|
start = time.time()
|
||||||
|
payload, _ = inject.goStacked(query)
|
||||||
|
duration = int(time.time() - start)
|
||||||
|
|
||||||
|
if duration >= SECONDS:
|
||||||
|
infoMsg = "the web application supports stacked queries "
|
||||||
|
infoMsg += "on parameter '%s'" % kb.injParameter
|
||||||
|
logger.info(infoMsg)
|
||||||
|
|
||||||
|
kb.stackedTest = payload
|
||||||
|
|
||||||
|
else:
|
||||||
|
warnMsg = "the web application does not support stacked queries "
|
||||||
|
warnMsg += "on parameter '%s'" % kb.injParameter
|
||||||
|
logger.warn(warnMsg)
|
||||||
|
|
||||||
|
kb.stackedTest = False
|
||||||
|
|
||||||
|
return kb.stackedTest
|
|
@ -3,8 +3,8 @@
|
||||||
# Target URL.
|
# Target URL.
|
||||||
# Example: http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2
|
# Example: http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2
|
||||||
# PHP and MySQL (local)
|
# PHP and MySQL (local)
|
||||||
#url = http://127.0.0.1/sqlmap/mysql/get_int.php?id=1
|
url = http://127.0.0.1/sqlmap/mysql/get_int.php?id=1
|
||||||
url = http://127.0.0.1/sqlmap/mysql/get_int_partialunion.php?id=1
|
#url = http://127.0.0.1/sqlmap/mysql/get_int_partialunion.php?id=1
|
||||||
# PHP and Oracle (local)
|
# PHP and Oracle (local)
|
||||||
#url = http://127.0.0.1/sqlmap/oracle/get_int.php?id=1
|
#url = http://127.0.0.1/sqlmap/oracle/get_int.php?id=1
|
||||||
# PHP and PostgreSQL (local)
|
# PHP and PostgreSQL (local)
|
||||||
|
@ -146,6 +146,10 @@ eRegexp =
|
||||||
|
|
||||||
[Techniques]
|
[Techniques]
|
||||||
|
|
||||||
|
# Test for stacked queries (multiple statements) support.
|
||||||
|
# Valid: True or False
|
||||||
|
stackedTest = False
|
||||||
|
|
||||||
# Test for Time based blind SQL injection.
|
# Test for Time based blind SQL injection.
|
||||||
# Valid: True or False
|
# Valid: True or False
|
||||||
timeTest = False
|
timeTest = False
|
||||||
|
|
Loading…
Reference in New Issue
Block a user