diff --git a/lib/request/inject.py b/lib/request/inject.py index 3e5080c74..eeb5cb1d3 100644 --- a/lib/request/inject.py +++ b/lib/request/inject.py @@ -31,6 +31,8 @@ from lib.core.common import cleanQuery from lib.core.common import dataToSessionFile from lib.core.common import expandAsteriskForColumns from lib.core.common import parseUnionPage +from lib.core.common import popValue +from lib.core.common import pushValue from lib.core.common import readInput from lib.core.data import conf from lib.core.data import kb @@ -339,7 +341,7 @@ def __goInband(expression, expected=None, sort=True, resumeValue=True, unpack=Tr return data -def getValue(expression, blind=True, inband=True, fromUser=False, expected=None, batch=False, unpack=True, sort=True, resumeValue=True, charsetType=None, firstChar=None, lastChar=None, dump=False): +def getValue(expression, blind=True, inband=True, fromUser=False, expected=None, batch=False, unpack=True, sort=True, resumeValue=True, charsetType=None, firstChar=None, lastChar=None, dump=False, suppressOutput=False): """ Called each time sqlmap inject a SQL query on the SQL injection affected parameter. It can call a function to retrieve the output 
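Review bot: The new `suppressOutput` keyword on getValue is not mentioned in the docstring that follows the signature, and that docstring continues past the end of this hunk. Since the flag mutates global state (it pushes `conf.verbose`, sets it to 0 for the duration of the call and pops it back), a caller reading only the signature cannot tell that. I would add a line such as `suppressOutput: when True, conf.verbose is saved and set to 0 while the value is retrieved, so the retrieval itself prints nothing; the previous verbosity is restored before returning`.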
@@ -347,37 +349,44 @@ def getValue(expression, blind=True, inband=True, fromUser=False, expected=None, (if selected). """ + if suppressOutput: + pushValue(conf.verbose) + conf.verbose = 0 + if conf.direct: - return direct(expression) + value = direct(expression) + else: + expression = cleanQuery(expression) + expression = expandAsteriskForColumns(expression) + value = None - expression = cleanQuery(expression) - expression = expandAsteriskForColumns(expression) - value = None + expression = expression.replace("DISTINCT ", "") - expression = expression.replace("DISTINCT ", "") + if inband and kb.unionPosition: + value = __goInband(expression, expected, sort, resumeValue, unpack, dump) - if inband and kb.unionPosition: - value = __goInband(expression, expected, sort, resumeValue, unpack, dump) + if not value: + warnMsg = "for some reasons it was not possible to retrieve " + warnMsg += "the query output through inband SQL injection " + warnMsg += "technique, sqlmap is going blind" + logger.warn(warnMsg) - if not value: - warnMsg = "for some reasons it was not possible to retrieve " - warnMsg += "the query output through inband SQL injection " - warnMsg += "technique, sqlmap is going blind" - logger.warn(warnMsg) + oldParamFalseCond = kb.unionFalseCond + oldParamNegative = kb.unionNegative + kb.unionFalseCond = False + kb.unionNegative = False - oldParamFalseCond = kb.unionFalseCond - oldParamNegative = kb.unionNegative - kb.unionFalseCond = False - kb.unionNegative = False + if blind and not value: + value = __goInferenceProxy(expression, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar) - if blind and not value: - value = __goInferenceProxy(expression, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar) + kb.unionFalseCond = oldParamFalseCond + kb.unionNegative = oldParamNegative - kb.unionFalseCond = oldParamFalseCond - kb.unionNegative = oldParamNegative + if value and isinstance(value, basestring): + 
value = value.strip() - if value and isinstance(value, basestring): - value = value.strip() + if suppressOutput: + conf.verbose = popValue() return value diff --git a/plugins/dbms/mssqlserver/fingerprint.py b/plugins/dbms/mssqlserver/fingerprint.py index b0b86301b..1ee73bffc 100644 --- a/plugins/dbms/mssqlserver/fingerprint.py +++ b/plugins/dbms/mssqlserver/fingerprint.py @@ -194,7 +194,7 @@ class Fingerprint(GenericFingerprint): query += "LIKE '%Windows NT " + data[0] + "%')>0" query = agent.forgeCaseStatement(query) - if inject.getValue(query, charsetType=1) == "1": + if inject.getValue(query, charsetType=1, suppressOutput=True) == "1": kb.osVersion = version infoMsg += " %s" % kb.osVersion @@ -221,7 +221,7 @@ class Fingerprint(GenericFingerprint): query += "LIKE '%Service Pack " + getUnicode(sp) + "%')>0" query = agent.forgeCaseStatement(query) - if inject.getValue(query, charsetType=1) == "1": + if inject.getValue(query, charsetType=1, suppressOutput=True) == "1": kb.osSP = sp break diff --git a/plugins/dbms/mysql/fingerprint.py b/plugins/dbms/mysql/fingerprint.py index f19e75c28..c9fa2317f 100644 --- a/plugins/dbms/mysql/fingerprint.py +++ b/plugins/dbms/mysql/fingerprint.py @@ -187,7 +187,7 @@ class Fingerprint(GenericFingerprint): return False # Determine if it is MySQL >= 5.0.0 - if inject.getValue("SELECT %s FROM information_schema.TABLES LIMIT 0, 1" % randInt, charsetType=2) == randInt: + if inject.getValue("SELECT %s FROM information_schema.TABLES LIMIT 0, 1" % randInt, charsetType=2, suppressOutput=True) == randInt: kb.data.has_information_schema = True kb.dbmsVersion = [">= 5.0.0"] 
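Review bot: The verbosity saved by `pushValue(conf.verbose)` at the top of the hunk is only restored on the normal exit path, so any exception raised by `direct()`, `__goInband()` or `__goInferenceProxy()` (or a KeyboardInterrupt during a blind retrieval) leaves `conf.verbose` at 0 and the push stack one entry deeper, and every later message of the run is silenced with no indication why. The restore should sit in a `finally` that wraps the whole retrieval. It also looks as if `pushValue`/`popValue` share one stack, so a nested call that pushes between the two would pop the wrong value; worth confirming against lib.core.common. Whether assigning `conf.verbose` alone changes the logger level, or whether the level is fixed once at startup, cannot be seen from here and should be checked before callers rely on the flag.
```python
    if suppressOutput:
        pushValue(conf.verbose)
        conf.verbose = 0

    try:
        if conf.direct:
            value = direct(expression)
        else:
            # … unchanged: cleanQuery/expandAsteriskForColumns, inband then blind retrieval, unionFalseCond/unionNegative save and restore …
        # … unchanged: strip of a basestring value …
    finally:
        if suppressOutput:
            conf.verbose = popValue()

    return value
```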
@@ -199,28 +199,28 @@ class Fingerprint(GenericFingerprint): return True # Check if it is MySQL >= 5.5.0 - if inject.getValue("SELECT MID(TO_SECONDS(950501), 1, 1)", unpack=False, charsetType=2) == "6": + if inject.getValue("SELECT MID(TO_SECONDS(950501), 1, 1)", unpack=False, charsetType=2, suppressOutput=True) == "6": kb.dbmsVersion = [">= 5.5.0"] # Check if it is MySQL >= 5.1.2 and < 5.5.0 elif inject.getValue("SELECT MID(@@table_open_cache, 1, 1)", unpack=False): - if inject.getValue("SELECT %s FROM information_schema.GLOBAL_STATUS LIMIT 0, 1" % randInt, unpack=False, charsetType=2) == randInt: + if inject.getValue("SELECT %s FROM information_schema.GLOBAL_STATUS LIMIT 0, 1" % randInt, unpack=False, charsetType=2, suppressOutput=True) == randInt: kb.dbmsVersion = [">= 5.1.12", "< 5.5.0"] - elif inject.getValue("SELECT %s FROM information_schema.PROCESSLIST LIMIT 0, 1" % randInt, unpack=False, charsetType=2) == randInt: + elif inject.getValue("SELECT %s FROM information_schema.PROCESSLIST LIMIT 0, 1" % randInt, unpack=False, charsetType=2, suppressOutput=True) == randInt: kb.dbmsVersion = [">= 5.1.7", "< 5.1.12"] - elif inject.getValue("SELECT %s FROM information_schema.PARTITIONS LIMIT 0, 1" % randInt, unpack=False, charsetType=2) == randInt: + elif inject.getValue("SELECT %s FROM information_schema.PARTITIONS LIMIT 0, 1" % randInt, unpack=False, charsetType=2, suppressOutput=True) == randInt: kb.dbmsVersion = ["= 5.1.6"] - elif inject.getValue("SELECT %s FROM information_schema.PLUGINS LIMIT 0, 1" % randInt, unpack=False, charsetType=2) == randInt: + elif inject.getValue("SELECT %s FROM information_schema.PLUGINS LIMIT 0, 1" % randInt, unpack=False, charsetType=2, suppressOutput=True) == randInt: kb.dbmsVersion = [">= 5.1.5", "< 5.1.6"] else: kb.dbmsVersion = [">= 5.1.2", "< 5.1.5"] # Check if it is MySQL >= 5.0.0 and < 5.1.2 - elif inject.getValue("SELECT MID(@@hostname, 1, 1)", unpack=False): + elif inject.getValue("SELECT MID(@@hostname, 1, 1)", 
unpack=False, suppressOutput=True): kb.dbmsVersion = [">= 5.0.38", "< 5.1.2"] - elif inject.getValue("SELECT 1 FROM DUAL", charsetType=1) == "1": + elif inject.getValue("SELECT 1 FROM DUAL", charsetType=1, suppressOutput=True) == "1": kb.dbmsVersion = [">= 5.0.11", "< 5.0.38"] - elif inject.getValue("SELECT DATABASE() LIKE SCHEMA()"): + elif inject.getValue("SELECT DATABASE() LIKE SCHEMA()", suppressOutput=True): kb.dbmsVersion = [">= 5.0.2", "< 5.0.11"] else: kb.dbmsVersion = [">= 5.0.0", "<= 5.0.1"] @@ -237,24 +237,24 @@ class Fingerprint(GenericFingerprint): return True # Check which version of MySQL < 5.0.0 it is - coercibility = inject.getValue("SELECT COERCIBILITY(USER())") + coercibility = inject.getValue("SELECT COERCIBILITY(USER())", suppressOutput=True) if coercibility == "3": kb.dbmsVersion = [">= 4.1.11", "< 5.0.0"] elif coercibility == "2": kb.dbmsVersion = [">= 4.1.1", "< 4.1.11"] - elif inject.getValue("SELECT CURRENT_USER()"): + elif inject.getValue("SELECT CURRENT_USER()", suppressOutput=True): kb.dbmsVersion = [">= 4.0.6", "< 4.1.1"] - if inject.getValue("SELECT CHARSET(CURRENT_USER())") == "utf8": + if inject.getValue("SELECT CHARSET(CURRENT_USER())", suppressOutput=True) == "utf8": kb.dbmsVersion = ["= 4.1.0"] else: kb.dbmsVersion = [">= 4.0.6", "< 4.1.0"] - elif inject.getValue("SELECT FOUND_ROWS()", charsetType=1) == "0": + elif inject.getValue("SELECT FOUND_ROWS()", charsetType=1, suppressOutput=True) == "0": kb.dbmsVersion = [">= 4.0.0", "< 4.0.6"] - elif inject.getValue("SELECT CONNECTION_ID()"): + elif inject.getValue("SELECT CONNECTION_ID()", suppressOutput=True): kb.dbmsVersion = [">= 3.23.14", "< 4.0.0"] - elif re.search("@[\w\.\-\_]+", inject.getValue("SELECT USER()")): + elif re.search("@[\w\.\-\_]+", inject.getValue("SELECT USER()", suppressOutput=True)): kb.dbmsVersion = [">= 3.22.11", "< 3.23.14"] else: kb.dbmsVersion = ["< 3.22.11"] 
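Review bot: One probe in this hunk still runs with output enabled: `elif inject.getValue("SELECT MID(@@table_open_cache, 1, 1)", unpack=False):` did not receive `suppressOutput=True`, so on a 5.1.x target that single version check prints its retrieval while the neighbouring probes stay quiet. The same omission is in the postgresql `@@ -123,33` hunk for `inject.getValue("SELECT BIT_LENGTH(1)")` and `inject.getValue("SELECT MAX('a')")`. Adding the keyword to those three calls keeps the fingerprinting probes consistent.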
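Review bot: The last branch, `re.search("@[\w\.\-\_]+", inject.getValue("SELECT USER()", suppressOutput=True))`, passes the retrieval result straight to re.search; getValue returns None when both inband and blind retrieval fail, which raises TypeError here instead of falling through to `kb.dbmsVersion = ["< 3.22.11"]`, and with verbosity suppressed the user may not even see the "going blind" warning that would explain it. Writing `inject.getValue("SELECT USER()", suppressOutput=True) or ""` keeps the branch falsy on failure. The same pattern appears in the postgresql hunk's `re.search("([\d\.]+)", inject.getValue("SELECT SUBSTR(VERSION(), 12, 5)", ...))` and in the oracle hunk, where `re.search("^11", version)` follows the new call without a None check; the regex literals would also be safer as raw strings.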
@@ -273,7 +273,7 @@ class Fingerprint(GenericFingerprint): infoMsg = "fingerprinting the back-end DBMS operating system" logger.info(infoMsg) - datadirSubstr = inject.getValue("SELECT MID(@@datadir, 1, 1)", unpack=False) + datadirSubstr = inject.getValue("SELECT MID(@@datadir, 1, 1)", unpack=False, suppressOutput=True) if datadirSubstr == "/": kb.os = "Linux" diff --git a/plugins/dbms/oracle/fingerprint.py b/plugins/dbms/oracle/fingerprint.py index 7efc3249c..9200d880e 100644 --- a/plugins/dbms/oracle/fingerprint.py +++ b/plugins/dbms/oracle/fingerprint.py @@ -123,7 +123,7 @@ class Fingerprint(GenericFingerprint): return True query = "SELECT SUBSTR((VERSION), 1, 2) FROM SYS.PRODUCT_COMPONENT_VERSION WHERE ROWNUM=1" - version = inject.getValue(query, unpack=False) + version = inject.getValue(query, unpack=False, suppressOutput=True) if re.search("^11", version): kb.dbmsVersion = ["11i"] diff --git a/plugins/dbms/postgresql/fingerprint.py b/plugins/dbms/postgresql/fingerprint.py index a62c82657..1f378d62c 100644 --- a/plugins/dbms/postgresql/fingerprint.py +++ b/plugins/dbms/postgresql/fingerprint.py 
@@ -123,33 +123,33 @@ class Fingerprint(GenericFingerprint): if not conf.extensiveFp: return True - if inject.getValue("SELECT DIV(6, 3)", unpack=False, charsetType=2) == "2": + if inject.getValue("SELECT DIV(6, 3)", unpack=False, charsetType=2, suppressOutput=True) == "2": kb.dbmsVersion = [">= 8.4.0"] - elif inject.getValue("SELECT SUBSTR(TRANSACTION_TIMESTAMP()::text, 1, 1)", unpack=False, charsetType=2) in ( "1", "2" ) and not inject.getValue("SELECT SUBSTR(TRANSACTION_TIMESTAMP(), 1, 1)", unpack=False, charsetType=2) in ( "1", "2" ): + elif inject.getValue("SELECT SUBSTR(TRANSACTION_TIMESTAMP()::text, 1, 1)", unpack=False, charsetType=2, suppressOutput=True) in ( "1", "2" ) and not inject.getValue("SELECT SUBSTR(TRANSACTION_TIMESTAMP(), 1, 1)", unpack=False, charsetType=2, suppressOutput=True) in ( "1", "2" ): kb.dbmsVersion = [">= 8.3.0", "< 8.4"] - elif inject.getValue("SELECT SUBSTR(TRANSACTION_TIMESTAMP(), 1, 1)", unpack=False, charsetType=2): + elif inject.getValue("SELECT SUBSTR(TRANSACTION_TIMESTAMP(), 1, 1)", unpack=False, charsetType=2, suppressOutput=True): kb.dbmsVersion = [">= 8.2.0", "< 8.3.0"] - elif inject.getValue("SELECT GREATEST(5, 9, 1)", unpack=False, charsetType=2) == "9": + elif inject.getValue("SELECT GREATEST(5, 9, 1)", unpack=False, charsetType=2, suppressOutput=True) == "9": kb.dbmsVersion = [">= 8.1.0", "< 8.2.0"] - elif inject.getValue("SELECT WIDTH_BUCKET(5.35, 0.024, 10.06, 5)", unpack=False, charsetType=2) == "3": + elif inject.getValue("SELECT WIDTH_BUCKET(5.35, 0.024, 10.06, 5)", unpack=False, charsetType=2, suppressOutput=True) == "3": kb.dbmsVersion = [">= 8.0.0", "< 8.1.0"] - elif inject.getValue("SELECT SUBSTR(MD5('sqlmap'), 1, 1)", unpack=False): + elif inject.getValue("SELECT SUBSTR(MD5('sqlmap'), 1, 1)", unpack=False, suppressOutput=True): kb.dbmsVersion = [">= 7.4.0", "< 8.0.0"] - elif inject.getValue("SELECT SUBSTR(CURRENT_SCHEMA(), 1, 1)", unpack=False) == "p": + elif inject.getValue("SELECT SUBSTR(CURRENT_SCHEMA(), 
1, 1)", unpack=False, suppressOutput=True) == "p": kb.dbmsVersion = [">= 7.3.0", "< 7.4.0"] elif inject.getValue("SELECT BIT_LENGTH(1)") == "8": kb.dbmsVersion = [">= 7.2.0", "< 7.3.0"] - elif inject.getValue("SELECT SUBSTR(QUOTE_LITERAL('a'), 2, 1)", unpack=False) == "a": + elif inject.getValue("SELECT SUBSTR(QUOTE_LITERAL('a'), 2, 1)", unpack=False, suppressOutput=True) == "a": kb.dbmsVersion = [">= 7.1.0", "< 7.2.0"] - elif inject.getValue("SELECT POW(2, 3)", unpack=False, charsetType=2) == "8": + elif inject.getValue("SELECT POW(2, 3)", unpack=False, charsetType=2, suppressOutput=True) == "8": kb.dbmsVersion = [">= 7.0.0", "< 7.1.0"] elif inject.getValue("SELECT MAX('a')") == "a": kb.dbmsVersion = [">= 6.5.0", "< 6.5.3"] - elif re.search("([\d\.]+)", inject.getValue("SELECT SUBSTR(VERSION(), 12, 5)", unpack=False)): + elif re.search("([\d\.]+)", inject.getValue("SELECT SUBSTR(VERSION(), 12, 5)", unpack=False, suppressOutput=True)): kb.dbmsVersion = [">= 6.4.0", "< 6.5.0"] - elif inject.getValue("SELECT SUBSTR(CURRENT_DATE, 1, 1)", unpack=False, charsetType=2) == "2": + elif inject.getValue("SELECT SUBSTR(CURRENT_DATE, 1, 1)", unpack=False, charsetType=2, suppressOutput=True) == "2": kb.dbmsVersion = [">= 6.3.0", "< 6.4.0"] - elif inject.getValue("SELECT SUBSTRING('sqlmap', 1, 1)", unpack=False) == "s": + elif inject.getValue("SELECT SUBSTRING('sqlmap', 1, 1)", unpack=False, suppressOutput=True) == "s": kb.dbmsVersion = [">= 6.2.0", "< 6.3.0"] else: kb.dbmsVersion = ["< 6.2.0"] @@ -180,7 +180,7 @@ class Fingerprint(GenericFingerprint): query += "LIKE '%" + osPattern + "%')>0" query = agent.forgeCaseStatement(query) - if inject.getValue(query, charsetType=1) == "1": + if inject.getValue(query, charsetType=1, suppressOutput=True) == "1": kb.os = "Windows" break diff --git a/plugins/dbms/sqlite/fingerprint.py b/plugins/dbms/sqlite/fingerprint.py index c0e5750c1..49ed3988d 100644 --- a/plugins/dbms/sqlite/fingerprint.py +++ b/plugins/dbms/sqlite/fingerprint.py 
@@ -117,7 +117,7 @@ class Fingerprint(GenericFingerprint): if not conf.extensiveFp: return True - version = inject.getValue("SELECT SUBSTR((SQLITE_VERSION()), 1, 1)", unpack=False, charsetType=2) + version = inject.getValue("SELECT SUBSTR((SQLITE_VERSION()), 1, 1)", unpack=False, charsetType=2, suppressOutput=True) kb.dbmsVersion = [ version ] return True