From 0916117447af9e45bd46620d55ee2473c8d575be Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Wed, 30 Mar 2011 18:32:10 +0000
Subject: [PATCH] improvement of error-based testing (no more sqlmap aborting on error-based payloads which happens very often on MySQL servers); also, minor improvement on brute forcing of column names
---
 lib/controller/checks.py | 33 ++++++++++++++++++++-------------
 lib/techniques/brute/use.py | 6 ++++++
 2 files changed, 26 insertions(+), 13 deletions(-)
diff --git a/lib/controller/checks.py b/lib/controller/checks.py
index c10ea351c..92de2f75d 100644
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -334,22 +334,29 @@ def checkSqlInjection(place, parameter, value):
 elif method == PAYLOAD.METHOD.GREP:
 # Perform the test's request and grep the response
 # body for the test's regular expression
- page, headers = Request.queryPage(reqPayload, place, content=True, raise404=False)
- output = extractRegexResult(check, page, re.DOTALL | re.IGNORECASE) \
- or extractRegexResult(check, listToStrValue(headers.headers \
- if headers else None), re.DOTALL | re.IGNORECASE) \
- or extractRegexResult(check, threadData.lastRedirectMsg[1] \
- if threadData.lastRedirectMsg and threadData.lastRedirectMsg[0] == \
- threadData.lastRequestUID else None, re.DOTALL | re.IGNORECASE)
+ try:
+ page, headers = Request.queryPage(reqPayload, place, content=True, raise404=False)
+ output = extractRegexResult(check, page, re.DOTALL | re.IGNORECASE) \
+ or extractRegexResult(check, listToStrValue(headers.headers \
+ if headers else None), re.DOTALL | re.IGNORECASE) \
+ or extractRegexResult(check, threadData.lastRedirectMsg[1] \
+ if threadData.lastRedirectMsg and threadData.lastRedirectMsg[0] == \
+ threadData.lastRequestUID else None, re.DOTALL | re.IGNORECASE)
- if output:
- result = output == "1"
+ if output:
+ result = output == "1"
- if result:
- infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title)
- logger.info(infoMsg)
+ if result:
+ infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title)
+ logger.info(infoMsg)
- injectable = True
+ injectable = True
+
+ except sqlmapConnectionException, msg:
+ debugMsg = "problem occured most likely because the "
+ debugMsg += "server hasn't recovered as expected from the "
+ debugMsg += "error-based payload used ('%s')" % msg
+ logger.debug(debugMsg)
 # In case of time-based blind or stacked queries
 # SQL injections
diff --git a/lib/techniques/brute/use.py b/lib/techniques/brute/use.py
index f238d5661..3426c957e 100644
--- a/lib/techniques/brute/use.py
+++ b/lib/techniques/brute/use.py
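Review bot: The `try` added at the top of this hunk also encloses the regex extraction and the `if output:`/`if result:` bookkeeping, although only the `Request.queryPage` call on the line after it is the one that raises `sqlmapConnectionException`; limiting the `try` to that single call, with the handler recording the failure and skipping the rest of the GREP branch, keeps the regex chain at its original nesting and makes it explicit that nothing else in the block is expected to raise a connection error. The handler also drops the failed test at debug level only, so at default verbosity the user never learns that this payload was not evaluated; if that is intended, state it in the message, e.g. `debugMsg = "skipping test, problem occurred most likely because the "`, which also fixes the typo `occured`. Whether code later in checkSqlInjection reads `page`, `headers` or `output` after the exception path is not visible here, since the enclosing function starts and ends outside the hunk.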
@@ -208,6 +208,12 @@ def columnExists(columnFile, regex=None):
 infoMsg = "starting %d threads" % conf.threads
 logger.info(infoMsg)
 else:
+ message = "please enter number of threads? [Enter for default (%d)] " % conf.threads
+ choice = readInput(message, default=str(conf.threads))
+ if choice and choice.isdigit():
+ conf.threads = int(choice)
+
+ if conf.threads == 1:
 warnMsg = "running in a single-thread mode. this could take a while."
 logger.warn(warnMsg)
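Review bot: The `isdigit()` guard on the third added line accepts `"0"`, so `conf.threads` can be set to zero; that value matches neither the `conf.threads == 1` branch added below nor, presumably, whatever starts the worker threads outside the hunk, so require a positive number: `if choice and choice.isdigit() and int(choice) > 0:`. There is also no upper bound on the entered value, so a mistyped answer launches an arbitrarily large number of concurrent requests against the target; applying the same cap that the `--threads` option is subject to, if one exists, would keep the two paths consistent. The enclosing columnExists function starts and ends outside the hunk.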