From 0800d9e49b9aff9b6ac687166c9856327a669042 Mon Sep 17 00:00:00 2001
From: Bernardo Damele
Date: Sun, 6 Feb 2011 22:58:12 +0000
Subject: [PATCH] Major bug fix for semi-centralize unescape() and cleanupPayload() into prefixQuery() and suffixQuery()

---
 lib/controller/checks.py | 5 -----
 lib/core/agent.py | 29 +++++++++++++++--------------
 lib/request/inject.py | 4 +---
 3 files changed, 16 insertions(+), 22 deletions(-)

diff --git a/lib/controller/checks.py b/lib/controller/checks.py
index 6c803a5aa..49b972b30 100644
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -54,7 +53,6 @@ from lib.core.settings import UNKNOWN_DBMS_VERSION
  from lib.core.settings import LOWER_RATIO_BOUND
  from lib.core.settings import UPPER_RATIO_BOUND
  from lib.core.threads import getCurrentThreadData
- from lib.core.unescaper import unescaper
  from lib.request.connect import Connect as Request
  from lib.request.templates import getPageTemplate
  from lib.techniques.inband.union.test import unionTest
@@ -200,7 +199,6 @@ def checkSqlInjection(place, parameter, value):
  # Parse test's
  comment = agent.getComment(test.request)
  fstPayload = agent.cleanupPayload(test.request.payload, value)
- fstPayload = unescaper.unescape(fstPayload, dbms=dbms)
  for boundary in conf.boundaries:
  injectable = False
@@ -275,7 +273,6 @@ def checkSqlInjection(place, parameter, value):
  # test's ' ' string
  boundPayload = agent.prefixQuery(fstPayload, prefix, where, clause)
  boundPayload = agent.suffixQuery(boundPayload, comment, suffix, where)
- boundPayload = agent.cleanupPayload(boundPayload, value)
  reqPayload = agent.payload(place, parameter, newValue=boundPayload, where=where)
  # Perform the test's request and check whether or not the
@@ -287,7 +284,6 @@ def checkSqlInjection(place, parameter, value):
  # In case of boolean-based blind SQL injection
  if method == PAYLOAD.METHOD.COMPARISON:
  sndPayload = agent.cleanupPayload(test.response.comparison, value)
- sndPayload = unescaper.unescape(sndPayload, dbms=dbms)
  # Forge response payload by prepending with
  # boundary's prefix and appending the boundary's
@@ -295,7 +291,6 @@ def checkSqlInjection(place, parameter, value):
  # string
  boundPayload = agent.prefixQuery(sndPayload, prefix, where, clause)
  boundPayload = agent.suffixQuery(boundPayload, comment, suffix, where)
- boundPayload = agent.cleanupPayload(boundPayload, value)
  cmpPayload = agent.payload(place, parameter, newValue=boundPayload, where=where)
  # Useful to set kb.matchRatio at first based on
diff --git a/lib/core/agent.py b/lib/core/agent.py
index efba63bbc..1be719e63 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -129,16 +129,17 @@ class Agent:
  return payload
- def prefixQuery(self, string, prefix=None, where=None, clause=None):
+ def prefixQuery(self, expression, prefix=None, where=None, clause=None):
  """
- This method defines how the input string has to be escaped
+ This method defines how the input expression has to be escaped
  to perform the injection depending on the injection type
  identified as valid
  """
  if conf.direct:
- return self.payloadDirect(string)
+ return self.payloadDirect(expression)
+ expression = unescaper.unescape(expression)
  query = None
  if where is None and kb.technique and kb.technique in kb.injection.data:
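Review bot: The `expression = unescaper.unescape(expression)` line added to prefixQuery passes no `dbms`, whereas the two calls it replaces in checks.py (`unescaper.unescape(fstPayload, dbms=dbms)` and the `sndPayload` counterpart) named the DBMS the individual test targets; during detection the back-end is not yet fingerprinted, so if unescape falls back to the fingerprinted DBMS when the argument is omitted, detection payloads may now be unescaped for the wrong DBMS or left untouched. Threading the value through keeps the old behaviour: `def prefixQuery(self, expression, prefix=None, where=None, clause=None, dbms=None):` and `expression = unescaper.unescape(expression, dbms=dbms)`, with checks.py passing `dbms=dbms` (and the same for suffixQuery). The `query = self.cleanupPayload(query)` call further down also runs without the `origvalue` that the removed `agent.cleanupPayload(boundPayload, value)` calls in checks.py supplied, so any origvalue substitution inside a boundary prefix or suffix is now skipped; worth confirming cleanupPayload does not rely on it there. prefixQuery's body continues past the end of the hunk.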
@@ -162,25 +163,27 @@ class Agent:
  else:
  query = kb.injection.prefix or prefix or ""
- if not (string and string[0] == ";"):
+ if not (expression and expression[0] == ";"):
  query += " "
- query = "%s%s" % (query, string)
+ query = "%s%s" % (query, expression)
  query = self.cleanupPayload(query)
  return query
- def suffixQuery(self, string, comment=None, suffix=None, where=None):
+ def suffixQuery(self, expression, comment=None, suffix=None, where=None):
  """
  This method appends the DBMS comment to the SQL injection request
  """
  if conf.direct:
- return self.payloadDirect(string)
+ return self.payloadDirect(expression)
+
+ expression = unescaper.unescape(expression)
  if comment is not None:
- string += comment
+ expression += comment
  if where is None and kb.technique and kb.technique in kb.injection.data:
  where = kb.injection.data[kb.technique].where
@@ -191,13 +194,13 @@ class Agent:
  pass
  elif kb.injection.suffix is not None:
- string += " %s" % kb.injection.suffix
+ expression += " %s" % kb.injection.suffix
  elif suffix is not None:
- string += " %s" % suffix
+ expression += " %s" % suffix
- string = self.cleanupPayload(string)
+ expression = self.cleanupPayload(expression)
- return string.rstrip()
+ return expression.rstrip()
  def cleanupPayload(self, payload, origvalue=None, query=None):
  if payload is None:
@@ -241,8 +244,6 @@ class Agent:
  errMsg += "knowledge of underlying DBMS"
  raise sqlmapNoneDataException, errMsg
- #payload = unescaper.unescape(payload)
-
  return payload
  def getComment(self, reqObj):
diff --git a/lib/request/inject.py b/lib/request/inject.py
index 8568636f5..ac8b1969b 100644
--- a/lib/request/inject.py
+++ b/lib/request/inject.py
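Review bot: suffixQuery now runs `unescaper.unescape(expression)` on input that prefixQuery has already unescaped and prefixed with the boundary prefix (checks.py and both inject.py hunks chain prefixQuery then suffixQuery), so every payload is unescaped twice and the second pass also sees the prefix's quote characters. That is only safe if unescape is idempotent on its own output and ignores an unpaired quote; if a quote in the prefix can pair with one still present in the expression, the second pass would rewrite text that was meant to stay literal. Unless idempotence is guaranteed, unescaping once (in prefixQuery) and stating the contract in the suffixQuery docstring, e.g. `Append the DBMS comment and suffix to an expression that prefixQuery has already unescaped`, would make the pipeline easier to reason about. suffixQuery's body continues in the next hunk, and the `kb.injection.suffix`/`suffix` branches it appends there are not unescaped at all, so the two halves of a boundary are treated differently.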
@@ -114,8 +114,7 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r
  initTechnique(kb.technique)
- vector = agent.cleanupPayload(kb.injection.data[kb.technique].vector)
- query = agent.prefixQuery(vector)
+ query = agent.prefixQuery(kb.injection.data[kb.technique].vector)
  query = agent.suffixQuery(query)
  payload = agent.payload(newValue=query)
  count = None
@@ -329,7 +328,6 @@ def __goBooleanProxy(expression, resumeValue=True):
  vector = kb.injection.data[kb.technique].vector
  vector = vector.replace("[INFERENCE]", expression)
- vector = agent.cleanupPayload(vector)
  query = agent.prefixQuery(vector)
  query = agent.suffixQuery(query)
  payload = agent.payload(newValue=query)