Introducing extra validation property in case of time-based SQLi (HTTP code) - Issue #1973

This commit is contained in:
Miroslav Stampar 2016-09-27 10:20:36 +02:00
parent 556b4d289e
commit 09617c8243
6 changed files with 21 additions and 9 deletions

View File

@ -156,6 +156,7 @@ def checkSqlInjection(place, parameter, value):
kb.testType = stype = test.stype
clause = test.clause
unionExtended = False
trueCode = None
if stype == PAYLOAD.TECHNIQUE.UNION:
configUnion(test.request.char)
@ -556,6 +557,7 @@ def checkSqlInjection(place, parameter, value):
elif method == PAYLOAD.METHOD.TIME:
# Perform the test's request
trueResult = Request.queryPage(reqPayload, place, timeBasedCompare=True, raise404=False)
trueCode = threadData.lastCode
if trueResult:
# Confirm test's results
@ -668,6 +670,7 @@ def checkSqlInjection(place, parameter, value):
injection.data[stype].comment = comment
injection.data[stype].templatePayload = templatePayload
injection.data[stype].matchRatio = kb.matchRatio
injection.data[stype].trueCode = trueCode
injection.conf.textOnly = conf.textOnly
injection.conf.titles = conf.titles

View File

@ -19,7 +19,7 @@ from lib.core.enums import OS
from lib.core.revision import getRevisionNumber
# sqlmap version (<major>.<minor>.<month>.<monthly commit>)
VERSION = "1.0.9.35"
VERSION = "1.0.9.36"
REVISION = getRevisionNumber()
TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
@ -546,7 +546,7 @@ HASHDB_FLUSH_RETRIES = 3
HASHDB_END_TRANSACTION_RETRIES = 3
# Unique milestone value used for forced deprecation of old HashDB values (e.g. when changing hash/pickle mechanism)
HASHDB_MILESTONE_VALUE = "baFJusZrel" # python -c 'import random, string; print "".join(random.sample(string.ascii_letters, 10))'
HASHDB_MILESTONE_VALUE = "QWdDkLzhxH" # python -c 'import random, string; print "".join(random.sample(string.ascii_letters, 10))'
# Warn user of possible delay due to large page dump in full UNION query injections
LARGE_OUTPUT_THRESHOLD = 1024 ** 2

View File

@ -42,6 +42,7 @@ class _ThreadData(threading.local):
self.disableStdOut = False
self.hashDBCursor = None
self.inTransaction = False
self.lastCode = None
self.lastComparisonPage = None
self.lastComparisonHeaders = None
self.lastComparisonCode = None

View File

@ -1140,6 +1140,7 @@ class Connect(object):
threadData.lastQueryDuration = calculateDeltaSeconds(start)
threadData.lastPage = page
threadData.lastCode = code
kb.originalCode = kb.originalCode or code

View File

@ -210,10 +210,17 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
unescapedCharValue = unescaper.escape("'%s'" % decodeIntToUnicode(value))
forgedPayload = safeStringFormat(payload.replace(INFERENCE_GREATER_CHAR, INFERENCE_NOT_EQUALS_CHAR), (expressionUnescaped, idx)).replace(markingValue, unescapedCharValue)
result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare, raise404=False)
result = not Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare, raise404=False)
if result and timeBasedCompare:
result = threadData.lastCode == kb.injection.data[kb.technique].trueCode
if not result:
warnMsg = "detected HTTP code '%d' in validation phase is differing from expected '%d'" % (threadData.lastCode, kb.injection.data[kb.technique].trueCode)
singleTimeWarnMessage(warnMsg)
incrementCounter(kb.technique)
return not result
return result
def getChar(idx, charTbl=None, continuousOrder=True, expand=charsetType is None, shiftTable=None, retried=None):
"""

View File

@ -20,7 +20,7 @@ b46521e29ea3d813bab5aeb16cac6498 extra/shutils/duplicates.py
cc9c82cfffd8ee9b25ba3af6284f057e extra/sqlharvest/__init__.py
4f2f817596540d82f9fcc0c5b2228beb extra/sqlharvest/sqlharvest.py
2daa39e4d59526acb4772b6c47eb315f lib/controller/action.py
0b7074043c7ea07002e0ab4803811c9f lib/controller/checks.py
af33b6f729a33235d0230e7b9af6b9cb lib/controller/checks.py
7c5ba631796f12d6de9b667e4cc7812b lib/controller/controller.py
0a64305c3b3a01a2fc3a5e6204f442f1 lib/controller/handler.py
cc9c82cfffd8ee9b25ba3af6284f057e lib/controller/__init__.py
@ -45,12 +45,12 @@ e60456db5380840a586654344003d4e6 lib/core/readlineng.py
5ef56abb8671c2ca6ceecb208258e360 lib/core/replication.py
99a2b496b9d5b546b335653ca801153f lib/core/revision.py
7c15dd2777af4dac2c89cab6df17462e lib/core/session.py
434f63a6f4943d675125459d54616653 lib/core/settings.py
c007f8f0c5f3d8f7b801f33d0ec58448 lib/core/settings.py
7af83e4f18cab6dff5e67840eb65be80 lib/core/shell.py
23657cd7d924e3c6d225719865855827 lib/core/subprocessng.py
0bc2fae1dec18cdd11954b22358293f2 lib/core/target.py
d43f059747ffd48952922c94152e2a07 lib/core/testing.py
424a6cf9bdfaf7182657ed7929d7df5a lib/core/threads.py
7ec80da7d7fa8ceaf2ff606cfa578c15 lib/core/threads.py
53c15b78e0288274f52410db25406432 lib/core/unescaper.py
6bdc53e2ca152ff8cd35ad671e48a96b lib/core/update.py
8485a3cd94c0a5af2718bad60c5f1ae5 lib/core/wordlist.py
@ -68,7 +68,7 @@ b40a4c5d91770d347df36d3065b63798 lib/parse/sitemap.py
9299f21804033f099681525bb9bf51c0 lib/request/basicauthhandler.py
ca9879ea9277810c5fce0f0d8d2f8e03 lib/request/basic.py
c48285682a61d49982cb508351013cb4 lib/request/comparison.py
20fe3d96ae45cf46d19504415cebd819 lib/request/connect.py
29148e4412209526b18acbd8a942fe03 lib/request/connect.py
49b4c583af68689de5f9acb162de2939 lib/request/direct.py
1a46f7bb26b23ec0c0d9d9c95828241b lib/request/dns.py
70ceefe39980611494d4f99afb96f652 lib/request/httpshandler.py
@ -87,7 +87,7 @@ cc9c82cfffd8ee9b25ba3af6284f057e lib/takeover/__init__.py
7d6cd7bdfc8f4bc4e8aed60c84cdf87f lib/takeover/udf.py
f6e3084abd506925a8be3d1c0a6d058c lib/takeover/web.py
9af83a62de360184f1c14e69b8a95cfe lib/takeover/xp_cmdshell.py
03b8c2028e996c471e45308fa518d79a lib/techniques/blind/inference.py
004c45c172d549e098a5fd5285a54cb3 lib/techniques/blind/inference.py
cc9c82cfffd8ee9b25ba3af6284f057e lib/techniques/blind/__init__.py
cc9c82cfffd8ee9b25ba3af6284f057e lib/techniques/brute/__init__.py
d36effffe64e63ef9b3be490f850e2cc lib/techniques/brute/use.py