closes #219 - unhid the --technique switch and adapted the code accordingly (renamed conf.technique to conf.tech so it fits properly in the -h help message)

Bernardo Damele 2011-04-06 14:41:44 +00:00
parent 8b14a9eaa7
commit 05d12790f1
8 changed files with 48 additions and 17 deletions


@ -96,10 +96,10 @@ def checkSqlInjection(place, parameter, value):
# Skip test if the user's wants to test only for a specific # Skip test if the user's wants to test only for a specific
# technique # technique
if conf.technique and isinstance(conf.technique, list) and stype not in conf.technique: if conf.tech and isinstance(conf.tech, list) and stype not in conf.tech:
debugMsg = "skipping test '%s' because the user " % title debugMsg = "skipping test '%s' because the user " % title
debugMsg += "specified to test only for " debugMsg += "specified to test only for "
debugMsg += "%s" % ",".join(map(lambda x: PAYLOAD.SQLINJECTION[x], conf.technique)) debugMsg += "%s" % ",".join(map(lambda x: PAYLOAD.SQLINJECTION[x], conf.tech))
logger.debug(debugMsg) logger.debug(debugMsg)
continue continue


@ -406,14 +406,19 @@ def start():
if len(kb.injections) == 0 or (len(kb.injections) == 1 and kb.injections[0].place is None): if len(kb.injections) == 0 or (len(kb.injections) == 1 and kb.injections[0].place is None):
if not conf.realTest: if not conf.realTest:
errMsg = "all parameters are not injectable, try " errMsg = "all parameters are not injectable, try to "
errMsg += "a higher --level/--risk to use more tests" errMsg += "increase --level/--risk values to perform "
errMsg += "more tests."
if isinstance(conf.tech, list) and len(conf.tech) > 0:
errMsg += " Rerun without providing the --technique switch."
if not conf.textOnly and kb.originalPage: if not conf.textOnly and kb.originalPage:
percent = (100.0 * len(getFilteredPageContent(kb.originalPage)) / len(kb.originalPage)) percent = (100.0 * len(getFilteredPageContent(kb.originalPage)) / len(kb.originalPage))
errMsg += " and/or --text-only switch if the target page " errMsg += " Give it a go with the --text-only switch "
errMsg += "has a low percentage of textual content " errMsg += "if the target page has a low percentage of "
errMsg += "(approximately %.2f%% of page content is text)" % percent errMsg += "textual content (~%.2f%% of " % percent
errMsg += "page content is text)"
raise sqlmapNotVulnerableException, errMsg raise sqlmapNotVulnerableException, errMsg
else: else:
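Review bot: The new guard `if isinstance(conf.tech, list) and len(conf.tech) > 0:` before the "Rerun without providing the --technique switch" message can be written `if conf.tech:`, provided that — as the __setTechnique hunk in this commit suggests — conf.tech is always normalised to a list during initialisation, before start() runs. If that is guaranteed, the isinstance check only guards a state that cannot occur here; if it is not, a short comment explaining which caller can reach this point with a non-list conf.tech would save the next reader the same question. start() continues outside this hunk.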


@ -2177,7 +2177,7 @@ def isTechniqueAvailable(technique=None):
technique specified technique specified
""" """
if conf.technique and isinstance(conf.technique, list) and technique not in conf.technique: if conf.tech and isinstance(conf.tech, list) and technique not in conf.tech:
return False return False
else: else:
return getTechniqueData(technique) is not None return getTechniqueData(technique) is not None


@ -605,10 +605,22 @@ def __setOS():
raise sqlmapUnsupportedDBMSException, errMsg raise sqlmapUnsupportedDBMSException, errMsg
def __setTechnique(): def __setTechnique():
if not conf.technique or not isinstance(conf.technique, int): if not conf.tech or not isinstance(conf.tech, int):
conf.technique = [] conf.tech = []
else: else:
conf.technique = filter(lambda x: x in PAYLOAD.SQLINJECTION, [int(c) for c in str(conf.technique)]) conf.tech = filter(lambda x: x in PAYLOAD.SQLINJECTION, [int(c) for c in str(conf.tech)])
if len(conf.tech) > 0:
# TODO: consider MySQL/PHP/ASP/web backdoor case where stacked
# queries is technically not necessary
if any(map(lambda x: conf.__getitem__(x), ['rFile', 'wFile', \
'osCmd', 'osShell', 'osPwn', 'osSmb', 'osBof', 'regRead', \
'regAdd', 'regDel'])) and PAYLOAD.TECHNIQUE.STACKED not in conf.tech:
errMsg = "value for --technique must include stacked queries "
errMsg += "technique (4) when you want to access the file "
errMsg += "system, takeover the operating system or access "
errMsg += "Windows registry hives"
raise sqlmapSyntaxException, errMsg
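Review bot: The `filter(lambda x: x in PAYLOAD.SQLINJECTION, ...)` on the `conf.tech = ` line silently drops any digit that is not a known technique, so a mistyped value such as `--technique 6` collapses to an empty list and the run quietly falls back to testing every technique, the opposite of what the user asked for; a negative value goes further and reaches `int('-')`, which raises an unhandled ValueError instead of a readable error. Since the hunk already raises sqlmapSyntaxException for the missing-stacked-queries case, the same treatment for malformed input would make the option's validation consistent, as in the rewrite below. On a point of style, `conf.__getitem__(x)` in the `any(map(...))` call reads more naturally as `conf[x]`. __setTechnique is complete within this hunk; __setOS and __setDBMS around it are not.
```python
def __setTechnique():
    if not conf.tech or not isinstance(conf.tech, int):
        conf.tech = []
    else:
        digits = str(conf.tech)
        if not digits.isdigit() or any(int(c) not in PAYLOAD.SQLINJECTION for c in digits):
            errMsg = "value for --technique must be an integer composed "
            errMsg += "only of the digits of the supported techniques "
            errMsg += "(e.g. 24), got '%s'" % conf.tech
            raise sqlmapSyntaxException, errMsg
        conf.tech = [int(c) for c in digits]
        # … unchanged: stacked-queries requirement check for file system / OS / registry options …
```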
def __setDBMS(): def __setDBMS():
""" """


@ -70,6 +70,7 @@ optDict = {
}, },
"Techniques": { "Techniques": {
"tech": "integer",
"timeSec": "integer", "timeSec": "integer",
"uCols": "string", "uCols": "string",
"uChar": "string" "uChar": "string"


@ -164,9 +164,9 @@ def resumeConfKb(expression, url, value):
if injection.place in conf.paramDict and \ if injection.place in conf.paramDict and \
injection.parameter in conf.paramDict[injection.place]: injection.parameter in conf.paramDict[injection.place]:
if not conf.technique or intersect(conf.technique, injection.data.keys()): if not conf.tech or intersect(conf.tech, injection.data.keys()):
if intersect(conf.technique, injection.data.keys()): if intersect(conf.tech, injection.data.keys()):
injection.data = dict(filter(lambda (key, item): key in conf.technique, injection.data.items())) injection.data = dict(filter(lambda (key, item): key in conf.tech, injection.data.items()))
if injection not in kb.injections: if injection not in kb.injections:
kb.injections.append(injection) kb.injections.append(injection)


@ -207,6 +207,10 @@ def cmdLineParser():
"used to tweak testing of specific SQL " "used to tweak testing of specific SQL "
"injection techniques.") "injection techniques.")
techniques.add_option("--technique", dest="tech", type="int",
default=0, help="SQL injection techniques to "
"test for (default all)")
techniques.add_option("--time-sec", dest="timeSec", techniques.add_option("--time-sec", dest="timeSec",
type="int", default=TIME_DEFAULT_DELAY, type="int", default=TIME_DEFAULT_DELAY,
help="Seconds to delay the DBMS response " help="Seconds to delay the DBMS response "
@ -528,9 +532,6 @@ def cmdLineParser():
parser.add_option("--run-case", dest="runCase", type="int", parser.add_option("--run-case", dest="runCase", type="int",
default=None, help=SUPPRESS_HELP) default=None, help=SUPPRESS_HELP)
parser.add_option("--technique", dest="technique", type="int",
default=0, help=SUPPRESS_HELP)
parser.add_option("--group-concat", dest="groupConcat", action="store_true", parser.add_option("--group-concat", dest="groupConcat", action="store_true",
default=False, help=SUPPRESS_HELP) default=False, help=SUPPRESS_HELP)
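Review bot: The help text added with the `--technique` option, `"SQL injection techniques to test for (default all)"`, does not tell a user how to express a choice of techniques, even though the option is now visible in `-h` and the configuration-file commentary in this commit documents the digit encoding. A short hint in the help string would close that gap, e.g. `help="SQL injection techniques to test for (default all; integer composed of technique digits, e.g. 24)"`, or a pointer to the relevant section of the configuration file if the line would otherwise grow too long. cmdLineParser() continues outside this hunk.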


@ -223,6 +223,18 @@ textOnly = False
# techniques. # techniques.
[Techniques] [Techniques]
# SQL injection techniques to test for.
# Valid: an integer composed by 1, 2, 3, 4 or 5 where:
# 1: boolean-based blind SQL injection
# 2: error-based SQL injection
# 3: UNION query SQL injection
# 4: stacked queries SQL injection
# 5: time-based blind SQL injection
# Example: 24 (means test for error-based and stacked queries SQL
# injection types only)
# Default: 0 (means test for all SQL injection types - recommended)
tech = 0
# Seconds to delay the response from the DBMS. # Seconds to delay the response from the DBMS.
# Valid: integer # Valid: integer
# Default: 5 # Default: 5