Major bug fix for semi-centralize unescape() and cleanupPayload() into prefixQuery() and suffixQuery()

Bernardo Damele 2011-02-06 22:58:12 +00:00
parent 9eac2339ca
commit 0800d9e49b
3 changed files with 16 additions and 22 deletions


@ -54,7 +54,6 @@ from lib.core.settings import UNKNOWN_DBMS_VERSION
from lib.core.settings import LOWER_RATIO_BOUND from lib.core.settings import LOWER_RATIO_BOUND
from lib.core.settings import UPPER_RATIO_BOUND from lib.core.settings import UPPER_RATIO_BOUND
from lib.core.threads import getCurrentThreadData from lib.core.threads import getCurrentThreadData
from lib.core.unescaper import unescaper
from lib.request.connect import Connect as Request from lib.request.connect import Connect as Request
from lib.request.templates import getPageTemplate from lib.request.templates import getPageTemplate
from lib.techniques.inband.union.test import unionTest from lib.techniques.inband.union.test import unionTest
@ -200,7 +199,6 @@ def checkSqlInjection(place, parameter, value):
# Parse test's <request> # Parse test's <request>
comment = agent.getComment(test.request) comment = agent.getComment(test.request)
fstPayload = agent.cleanupPayload(test.request.payload, value) fstPayload = agent.cleanupPayload(test.request.payload, value)
fstPayload = unescaper.unescape(fstPayload, dbms=dbms)
for boundary in conf.boundaries: for boundary in conf.boundaries:
injectable = False injectable = False
@ -275,7 +273,6 @@ def checkSqlInjection(place, parameter, value):
# test's ' <payload><comment> ' string # test's ' <payload><comment> ' string
boundPayload = agent.prefixQuery(fstPayload, prefix, where, clause) boundPayload = agent.prefixQuery(fstPayload, prefix, where, clause)
boundPayload = agent.suffixQuery(boundPayload, comment, suffix, where) boundPayload = agent.suffixQuery(boundPayload, comment, suffix, where)
boundPayload = agent.cleanupPayload(boundPayload, value)
reqPayload = agent.payload(place, parameter, newValue=boundPayload, where=where) reqPayload = agent.payload(place, parameter, newValue=boundPayload, where=where)
# Perform the test's request and check whether or not the # Perform the test's request and check whether or not the
@ -287,7 +284,6 @@ def checkSqlInjection(place, parameter, value):
# In case of boolean-based blind SQL injection # In case of boolean-based blind SQL injection
if method == PAYLOAD.METHOD.COMPARISON: if method == PAYLOAD.METHOD.COMPARISON:
sndPayload = agent.cleanupPayload(test.response.comparison, value) sndPayload = agent.cleanupPayload(test.response.comparison, value)
sndPayload = unescaper.unescape(sndPayload, dbms=dbms)
# Forge response payload by prepending with # Forge response payload by prepending with
# boundary's prefix and appending the boundary's # boundary's prefix and appending the boundary's
@ -295,7 +291,6 @@ def checkSqlInjection(place, parameter, value):
# string # string
boundPayload = agent.prefixQuery(sndPayload, prefix, where, clause) boundPayload = agent.prefixQuery(sndPayload, prefix, where, clause)
boundPayload = agent.suffixQuery(boundPayload, comment, suffix, where) boundPayload = agent.suffixQuery(boundPayload, comment, suffix, where)
boundPayload = agent.cleanupPayload(boundPayload, value)
cmpPayload = agent.payload(place, parameter, newValue=boundPayload, where=where) cmpPayload = agent.payload(place, parameter, newValue=boundPayload, where=where)
# Useful to set kb.matchRatio at first based on # Useful to set kb.matchRatio at first based on
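Review bot: The removed lines `fstPayload = unescaper.unescape(fstPayload, dbms=dbms)` and `sndPayload = unescaper.unescape(sndPayload, dbms=dbms)` passed an explicit `dbms` hint, and nothing in the replacement path carries it — `prefixQuery`/`suffixQuery` now call `unescaper.unescape(expression)` with no keyword, so during detection (where the backend is still being guessed per test) the unescaper presumably falls back to whatever `kb` currently holds, which may be nothing. If the per-test `dbms` affected how literals were rewritten, these detection payloads are now escaped for the wrong backend or not at all; an optional `dbms` keyword on `prefixQuery`/`suffixQuery` that is forwarded to `unescape` would restore the old behaviour. The `from lib.core.unescaper import unescaper` import is dropped from this module at the same time, which is only safe if no other reference to `unescaper` remains in `checkSqlInjection` or elsewhere in the file — the function body continues outside these hunks, so this cannot be confirmed here.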


@ -129,16 +129,17 @@ class Agent:
return payload return payload
def prefixQuery(self, string, prefix=None, where=None, clause=None): def prefixQuery(self, expression, prefix=None, where=None, clause=None):
""" """
This method defines how the input string has to be escaped This method defines how the input expression has to be escaped
to perform the injection depending on the injection type to perform the injection depending on the injection type
identified as valid identified as valid
""" """
if conf.direct: if conf.direct:
return self.payloadDirect(string) return self.payloadDirect(expression)
expression = unescaper.unescape(expression)
query = None query = None
if where is None and kb.technique and kb.technique in kb.injection.data: if where is None and kb.technique and kb.technique in kb.injection.data:
@ -162,25 +163,27 @@ class Agent:
else: else:
query = kb.injection.prefix or prefix or "" query = kb.injection.prefix or prefix or ""
if not (string and string[0] == ";"): if not (expression and expression[0] == ";"):
query += " " query += " "
query = "%s%s" % (query, string) query = "%s%s" % (query, expression)
query = self.cleanupPayload(query) query = self.cleanupPayload(query)
return query return query
def suffixQuery(self, string, comment=None, suffix=None, where=None): def suffixQuery(self, expression, comment=None, suffix=None, where=None):
""" """
This method appends the DBMS comment to the This method appends the DBMS comment to the
SQL injection request SQL injection request
""" """
if conf.direct: if conf.direct:
return self.payloadDirect(string) return self.payloadDirect(expression)
expression = unescaper.unescape(expression)
if comment is not None: if comment is not None:
string += comment expression += comment
if where is None and kb.technique and kb.technique in kb.injection.data: if where is None and kb.technique and kb.technique in kb.injection.data:
where = kb.injection.data[kb.technique].where where = kb.injection.data[kb.technique].where
@ -191,13 +194,13 @@ class Agent:
pass pass
elif kb.injection.suffix is not None: elif kb.injection.suffix is not None:
string += " %s" % kb.injection.suffix expression += " %s" % kb.injection.suffix
elif suffix is not None: elif suffix is not None:
string += " %s" % suffix expression += " %s" % suffix
string = self.cleanupPayload(string) expression = self.cleanupPayload(expression)
return string.rstrip() return expression.rstrip()
def cleanupPayload(self, payload, origvalue=None, query=None): def cleanupPayload(self, payload, origvalue=None, query=None):
if payload is None: if payload is None:
@ -241,8 +244,6 @@ class Agent:
errMsg += "knowledge of underlying DBMS" errMsg += "knowledge of underlying DBMS"
raise sqlmapNoneDataException, errMsg raise sqlmapNoneDataException, errMsg
#payload = unescaper.unescape(payload)
return payload return payload
def getComment(self, reqObj): def getComment(self, reqObj):
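Review bot: Both `prefixQuery` and `suffixQuery` now run `expression = unescaper.unescape(expression)` followed by `self.cleanupPayload(...)`, yet every caller in this commit feeds the result of `prefixQuery` straight into `suffixQuery`, so each payload is unescaped and cleaned twice; unless `unescape` is idempotent on its own output (not verifiable from this hunk), literals already rewritten on the first pass may be transformed again. The `if conf.direct: return self.payloadDirect(expression)` guard in each method sits before the new unescape line, so in direct mode the unescape that callers previously performed before calling these methods no longer happens at all, unless `payloadDirect` does it itself. A cleaner shape would be to unescape once at the entry point (`prefixQuery`) and leave `suffixQuery` to only append comment and suffix, or to guard the second call. Neither docstring mentions the new side effect; add to each something like `The expression is unescaped via unescaper.unescape() and normalised via cleanupPayload() before it is returned.` The `Agent` class continues outside the hunks.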


@ -114,8 +114,7 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r
initTechnique(kb.technique) initTechnique(kb.technique)
vector = agent.cleanupPayload(kb.injection.data[kb.technique].vector) query = agent.prefixQuery(kb.injection.data[kb.technique].vector)
query = agent.prefixQuery(vector)
query = agent.suffixQuery(query) query = agent.suffixQuery(query)
payload = agent.payload(newValue=query) payload = agent.payload(newValue=query)
count = None count = None
@ -329,7 +328,6 @@ def __goBooleanProxy(expression, resumeValue=True):
vector = kb.injection.data[kb.technique].vector vector = kb.injection.data[kb.technique].vector
vector = vector.replace("[INFERENCE]", expression) vector = vector.replace("[INFERENCE]", expression)
vector = agent.cleanupPayload(vector)
query = agent.prefixQuery(vector) query = agent.prefixQuery(vector)
query = agent.suffixQuery(query) query = agent.suffixQuery(query)
payload = agent.payload(newValue=query) payload = agent.payload(newValue=query)