mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2024-11-22 09:36:35 +03:00
Introducing extra validation property in case of time-based SQLi (HTTP code) - Issue #1973
This commit is contained in:
parent
556b4d289e
commit
09617c8243
|
@ -156,6 +156,7 @@ def checkSqlInjection(place, parameter, value):
|
||||||
kb.testType = stype = test.stype
|
kb.testType = stype = test.stype
|
||||||
clause = test.clause
|
clause = test.clause
|
||||||
unionExtended = False
|
unionExtended = False
|
||||||
|
trueCode = None
|
||||||
|
|
||||||
if stype == PAYLOAD.TECHNIQUE.UNION:
|
if stype == PAYLOAD.TECHNIQUE.UNION:
|
||||||
configUnion(test.request.char)
|
configUnion(test.request.char)
|
||||||
|
@ -556,6 +557,7 @@ def checkSqlInjection(place, parameter, value):
|
||||||
elif method == PAYLOAD.METHOD.TIME:
|
elif method == PAYLOAD.METHOD.TIME:
|
||||||
# Perform the test's request
|
# Perform the test's request
|
||||||
trueResult = Request.queryPage(reqPayload, place, timeBasedCompare=True, raise404=False)
|
trueResult = Request.queryPage(reqPayload, place, timeBasedCompare=True, raise404=False)
|
||||||
|
trueCode = threadData.lastCode
|
||||||
|
|
||||||
if trueResult:
|
if trueResult:
|
||||||
# Confirm test's results
|
# Confirm test's results
|
||||||
|
@ -668,6 +670,7 @@ def checkSqlInjection(place, parameter, value):
|
||||||
injection.data[stype].comment = comment
|
injection.data[stype].comment = comment
|
||||||
injection.data[stype].templatePayload = templatePayload
|
injection.data[stype].templatePayload = templatePayload
|
||||||
injection.data[stype].matchRatio = kb.matchRatio
|
injection.data[stype].matchRatio = kb.matchRatio
|
||||||
|
injection.data[stype].trueCode = trueCode
|
||||||
|
|
||||||
injection.conf.textOnly = conf.textOnly
|
injection.conf.textOnly = conf.textOnly
|
||||||
injection.conf.titles = conf.titles
|
injection.conf.titles = conf.titles
|
||||||
|
|
|
@ -19,7 +19,7 @@ from lib.core.enums import OS
|
||||||
from lib.core.revision import getRevisionNumber
|
from lib.core.revision import getRevisionNumber
|
||||||
|
|
||||||
# sqlmap version (<major>.<minor>.<month>.<monthly commit>)
|
# sqlmap version (<major>.<minor>.<month>.<monthly commit>)
|
||||||
VERSION = "1.0.9.35"
|
VERSION = "1.0.9.36"
|
||||||
REVISION = getRevisionNumber()
|
REVISION = getRevisionNumber()
|
||||||
TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
|
TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
|
||||||
TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
|
TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
|
||||||
|
@ -546,7 +546,7 @@ HASHDB_FLUSH_RETRIES = 3
|
||||||
HASHDB_END_TRANSACTION_RETRIES = 3
|
HASHDB_END_TRANSACTION_RETRIES = 3
|
||||||
|
|
||||||
# Unique milestone value used for forced deprecation of old HashDB values (e.g. when changing hash/pickle mechanism)
|
# Unique milestone value used for forced deprecation of old HashDB values (e.g. when changing hash/pickle mechanism)
|
||||||
HASHDB_MILESTONE_VALUE = "baFJusZrel" # python -c 'import random, string; print "".join(random.sample(string.ascii_letters, 10))'
|
HASHDB_MILESTONE_VALUE = "QWdDkLzhxH" # python -c 'import random, string; print "".join(random.sample(string.ascii_letters, 10))'
|
||||||
|
|
||||||
# Warn user of possible delay due to large page dump in full UNION query injections
|
# Warn user of possible delay due to large page dump in full UNION query injections
|
||||||
LARGE_OUTPUT_THRESHOLD = 1024 ** 2
|
LARGE_OUTPUT_THRESHOLD = 1024 ** 2
|
||||||
|
|
|
@ -42,6 +42,7 @@ class _ThreadData(threading.local):
|
||||||
self.disableStdOut = False
|
self.disableStdOut = False
|
||||||
self.hashDBCursor = None
|
self.hashDBCursor = None
|
||||||
self.inTransaction = False
|
self.inTransaction = False
|
||||||
|
self.lastCode = None
|
||||||
self.lastComparisonPage = None
|
self.lastComparisonPage = None
|
||||||
self.lastComparisonHeaders = None
|
self.lastComparisonHeaders = None
|
||||||
self.lastComparisonCode = None
|
self.lastComparisonCode = None
|
||||||
|
|
|
@ -1140,6 +1140,7 @@ class Connect(object):
|
||||||
|
|
||||||
threadData.lastQueryDuration = calculateDeltaSeconds(start)
|
threadData.lastQueryDuration = calculateDeltaSeconds(start)
|
||||||
threadData.lastPage = page
|
threadData.lastPage = page
|
||||||
|
threadData.lastCode = code
|
||||||
|
|
||||||
kb.originalCode = kb.originalCode or code
|
kb.originalCode = kb.originalCode or code
|
||||||
|
|
||||||
|
|
|
@ -210,10 +210,17 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
|
||||||
unescapedCharValue = unescaper.escape("'%s'" % decodeIntToUnicode(value))
|
unescapedCharValue = unescaper.escape("'%s'" % decodeIntToUnicode(value))
|
||||||
forgedPayload = safeStringFormat(payload.replace(INFERENCE_GREATER_CHAR, INFERENCE_NOT_EQUALS_CHAR), (expressionUnescaped, idx)).replace(markingValue, unescapedCharValue)
|
forgedPayload = safeStringFormat(payload.replace(INFERENCE_GREATER_CHAR, INFERENCE_NOT_EQUALS_CHAR), (expressionUnescaped, idx)).replace(markingValue, unescapedCharValue)
|
||||||
|
|
||||||
result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare, raise404=False)
|
result = not Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare, raise404=False)
|
||||||
|
|
||||||
|
if result and timeBasedCompare:
|
||||||
|
result = threadData.lastCode == kb.injection.data[kb.technique].trueCode
|
||||||
|
if not result:
|
||||||
|
warnMsg = "detected HTTP code '%d' in validation phase is differing from expected '%d'" % (threadData.lastCode, kb.injection.data[kb.technique].trueCode)
|
||||||
|
singleTimeWarnMessage(warnMsg)
|
||||||
|
|
||||||
incrementCounter(kb.technique)
|
incrementCounter(kb.technique)
|
||||||
|
|
||||||
return not result
|
return result
|
||||||
|
|
||||||
def getChar(idx, charTbl=None, continuousOrder=True, expand=charsetType is None, shiftTable=None, retried=None):
|
def getChar(idx, charTbl=None, continuousOrder=True, expand=charsetType is None, shiftTable=None, retried=None):
|
||||||
"""
|
"""
|
||||||
|
|
|
@ -20,7 +20,7 @@ b46521e29ea3d813bab5aeb16cac6498 extra/shutils/duplicates.py
|
||||||
cc9c82cfffd8ee9b25ba3af6284f057e extra/sqlharvest/__init__.py
|
cc9c82cfffd8ee9b25ba3af6284f057e extra/sqlharvest/__init__.py
|
||||||
4f2f817596540d82f9fcc0c5b2228beb extra/sqlharvest/sqlharvest.py
|
4f2f817596540d82f9fcc0c5b2228beb extra/sqlharvest/sqlharvest.py
|
||||||
2daa39e4d59526acb4772b6c47eb315f lib/controller/action.py
|
2daa39e4d59526acb4772b6c47eb315f lib/controller/action.py
|
||||||
0b7074043c7ea07002e0ab4803811c9f lib/controller/checks.py
|
af33b6f729a33235d0230e7b9af6b9cb lib/controller/checks.py
|
||||||
7c5ba631796f12d6de9b667e4cc7812b lib/controller/controller.py
|
7c5ba631796f12d6de9b667e4cc7812b lib/controller/controller.py
|
||||||
0a64305c3b3a01a2fc3a5e6204f442f1 lib/controller/handler.py
|
0a64305c3b3a01a2fc3a5e6204f442f1 lib/controller/handler.py
|
||||||
cc9c82cfffd8ee9b25ba3af6284f057e lib/controller/__init__.py
|
cc9c82cfffd8ee9b25ba3af6284f057e lib/controller/__init__.py
|
||||||
|
@ -45,12 +45,12 @@ e60456db5380840a586654344003d4e6 lib/core/readlineng.py
|
||||||
5ef56abb8671c2ca6ceecb208258e360 lib/core/replication.py
|
5ef56abb8671c2ca6ceecb208258e360 lib/core/replication.py
|
||||||
99a2b496b9d5b546b335653ca801153f lib/core/revision.py
|
99a2b496b9d5b546b335653ca801153f lib/core/revision.py
|
||||||
7c15dd2777af4dac2c89cab6df17462e lib/core/session.py
|
7c15dd2777af4dac2c89cab6df17462e lib/core/session.py
|
||||||
434f63a6f4943d675125459d54616653 lib/core/settings.py
|
c007f8f0c5f3d8f7b801f33d0ec58448 lib/core/settings.py
|
||||||
7af83e4f18cab6dff5e67840eb65be80 lib/core/shell.py
|
7af83e4f18cab6dff5e67840eb65be80 lib/core/shell.py
|
||||||
23657cd7d924e3c6d225719865855827 lib/core/subprocessng.py
|
23657cd7d924e3c6d225719865855827 lib/core/subprocessng.py
|
||||||
0bc2fae1dec18cdd11954b22358293f2 lib/core/target.py
|
0bc2fae1dec18cdd11954b22358293f2 lib/core/target.py
|
||||||
d43f059747ffd48952922c94152e2a07 lib/core/testing.py
|
d43f059747ffd48952922c94152e2a07 lib/core/testing.py
|
||||||
424a6cf9bdfaf7182657ed7929d7df5a lib/core/threads.py
|
7ec80da7d7fa8ceaf2ff606cfa578c15 lib/core/threads.py
|
||||||
53c15b78e0288274f52410db25406432 lib/core/unescaper.py
|
53c15b78e0288274f52410db25406432 lib/core/unescaper.py
|
||||||
6bdc53e2ca152ff8cd35ad671e48a96b lib/core/update.py
|
6bdc53e2ca152ff8cd35ad671e48a96b lib/core/update.py
|
||||||
8485a3cd94c0a5af2718bad60c5f1ae5 lib/core/wordlist.py
|
8485a3cd94c0a5af2718bad60c5f1ae5 lib/core/wordlist.py
|
||||||
|
@ -68,7 +68,7 @@ b40a4c5d91770d347df36d3065b63798 lib/parse/sitemap.py
|
||||||
9299f21804033f099681525bb9bf51c0 lib/request/basicauthhandler.py
|
9299f21804033f099681525bb9bf51c0 lib/request/basicauthhandler.py
|
||||||
ca9879ea9277810c5fce0f0d8d2f8e03 lib/request/basic.py
|
ca9879ea9277810c5fce0f0d8d2f8e03 lib/request/basic.py
|
||||||
c48285682a61d49982cb508351013cb4 lib/request/comparison.py
|
c48285682a61d49982cb508351013cb4 lib/request/comparison.py
|
||||||
20fe3d96ae45cf46d19504415cebd819 lib/request/connect.py
|
29148e4412209526b18acbd8a942fe03 lib/request/connect.py
|
||||||
49b4c583af68689de5f9acb162de2939 lib/request/direct.py
|
49b4c583af68689de5f9acb162de2939 lib/request/direct.py
|
||||||
1a46f7bb26b23ec0c0d9d9c95828241b lib/request/dns.py
|
1a46f7bb26b23ec0c0d9d9c95828241b lib/request/dns.py
|
||||||
70ceefe39980611494d4f99afb96f652 lib/request/httpshandler.py
|
70ceefe39980611494d4f99afb96f652 lib/request/httpshandler.py
|
||||||
|
@ -87,7 +87,7 @@ cc9c82cfffd8ee9b25ba3af6284f057e lib/takeover/__init__.py
|
||||||
7d6cd7bdfc8f4bc4e8aed60c84cdf87f lib/takeover/udf.py
|
7d6cd7bdfc8f4bc4e8aed60c84cdf87f lib/takeover/udf.py
|
||||||
f6e3084abd506925a8be3d1c0a6d058c lib/takeover/web.py
|
f6e3084abd506925a8be3d1c0a6d058c lib/takeover/web.py
|
||||||
9af83a62de360184f1c14e69b8a95cfe lib/takeover/xp_cmdshell.py
|
9af83a62de360184f1c14e69b8a95cfe lib/takeover/xp_cmdshell.py
|
||||||
03b8c2028e996c471e45308fa518d79a lib/techniques/blind/inference.py
|
004c45c172d549e098a5fd5285a54cb3 lib/techniques/blind/inference.py
|
||||||
cc9c82cfffd8ee9b25ba3af6284f057e lib/techniques/blind/__init__.py
|
cc9c82cfffd8ee9b25ba3af6284f057e lib/techniques/blind/__init__.py
|
||||||
cc9c82cfffd8ee9b25ba3af6284f057e lib/techniques/brute/__init__.py
|
cc9c82cfffd8ee9b25ba3af6284f057e lib/techniques/brute/__init__.py
|
||||||
d36effffe64e63ef9b3be490f850e2cc lib/techniques/brute/use.py
|
d36effffe64e63ef9b3be490f850e2cc lib/techniques/brute/use.py
|
||||||
|
|
Loading…
Reference in New Issue
Block a user