mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2024-11-25 11:03:47 +03:00
commit of all sorts (bug fix for heuristics and URI injections, fine tunning of tampering modules with SQL keywords,...)
This commit is contained in:
parent
cf73d9c799
commit
162d01abed
|
@ -38,6 +38,7 @@ from lib.core.common import readInput
|
|||
from lib.core.common import showStaticWords
|
||||
from lib.core.common import DynamicContentItem
|
||||
from lib.core.convert import md5hash
|
||||
from lib.core.convert import urlencode
|
||||
from lib.core.data import conf
|
||||
from lib.core.data import kb
|
||||
from lib.core.data import logger
|
||||
|
@ -105,9 +106,6 @@ def heuristicCheckSqlInjection(place, parameter, value):
|
|||
prefix = ""
|
||||
postfix = ""
|
||||
|
||||
if place == "URI":
|
||||
return
|
||||
|
||||
if conf.prefix or conf.postfix:
|
||||
if conf.prefix:
|
||||
prefix = conf.prefix
|
||||
|
@ -116,9 +114,11 @@ def heuristicCheckSqlInjection(place, parameter, value):
|
|||
postfix = conf.postfix
|
||||
|
||||
payload = "%s%s%s" % (prefix, randomStr(length=10, alphabet=['"', '\'', ')', '(']), postfix)
|
||||
if place == "URI":
|
||||
payload = conf.paramDict[place][parameter].replace('*', payload)
|
||||
Request.queryPage(payload, place)
|
||||
result = kb.lastErrorPage and kb.lastErrorPage[0]==kb.lastRequestUID
|
||||
infoMsg = "heuristics show that %s parameter '%s' is " % (place, parameter)
|
||||
infoMsg = "(error based) heuristics show that %s parameter '%s' is " % (place, parameter)
|
||||
if result:
|
||||
infoMsg += "injectable"
|
||||
logger.info(infoMsg)
|
||||
|
|
|
@ -663,6 +663,7 @@ def setPaths():
|
|||
paths.SQLMAP_CONFIG = os.path.join(paths.SQLMAP_ROOT_PATH, "sqlmap-%s.conf" % randomStr())
|
||||
paths.COMMON_OUTPUTS = os.path.join(paths.SQLMAP_TXT_PATH, 'common-outputs.txt')
|
||||
paths.COMMON_TABLES = os.path.join(paths.SQLMAP_TXT_PATH, "common-tables.txt")
|
||||
paths.SQLKEYWORDS = os.path.join(paths.SQLMAP_TXT_PATH, "keywords.txt")
|
||||
paths.FUZZ_VECTORS = os.path.join(paths.SQLMAP_TXT_PATH, "fuzz_vectors.txt")
|
||||
paths.DETECTION_RULES_XML = os.path.join(paths.SQLMAP_XML_PATH, "detection.xml")
|
||||
paths.ERRORS_XML = os.path.join(paths.SQLMAP_XML_PATH, "errors.xml")
|
||||
|
|
|
@ -36,6 +36,7 @@ import urlparse
|
|||
from extra.keepalive import keepalive
|
||||
from extra.xmlobject import xmlobject
|
||||
from lib.core.common import getConsoleWidth
|
||||
from lib.core.common import getFileItems
|
||||
from lib.core.common import getFileType
|
||||
from lib.core.common import normalizePath
|
||||
from lib.core.common import ntToPosixSlashes
|
||||
|
@ -1057,12 +1058,13 @@ def __setKnowledgeBaseAttributes():
|
|||
kb.lastErrorPage = None
|
||||
kb.headersCount = 0
|
||||
kb.headersFp = {}
|
||||
kb.hintValue = None
|
||||
kb.htmlFp = []
|
||||
kb.injParameter = None
|
||||
kb.injPlace = None
|
||||
kb.injType = None
|
||||
kb.injections = xmlobject.XMLFile(path=paths.INJECTIONS_XML)
|
||||
kb.hintValue = None
|
||||
kb.keywords = getFileItems(paths.SQLKEYWORDS)
|
||||
kb.nullConnection = None
|
||||
|
||||
# Back-end DBMS underlying operating system fingerprint via banner (-b)
|
||||
|
|
|
@ -2,12 +2,32 @@ import re
|
|||
import string
|
||||
|
||||
from lib.core.common import randomRange
|
||||
from lib.core.exception import sqlmapUnsupportedFeatureException
|
||||
from lib.core.convert import urldecode
|
||||
from lib.core.convert import urlencode
|
||||
from lib.core.data import kb
|
||||
|
||||
"""
|
||||
value -> value with inserted random blanks (e.g., INSERT->IN/**/S/**/ERT)
|
||||
"""
|
||||
#TODO: all
|
||||
#TODO: only do it for deepness = 0 regarding '"
|
||||
def tamper(place, value):
|
||||
return value
|
||||
retVal = value
|
||||
if value:
|
||||
if place != "URI":
|
||||
retVal = urldecode(retVal)
|
||||
|
||||
for match in re.finditer(r"[A-Za-z_]+", retVal):
|
||||
word = match.group()
|
||||
|
||||
if len(word) < 2:
|
||||
continue
|
||||
|
||||
if word.upper() in kb.keywords:
|
||||
newWord = word[0]
|
||||
for i in xrange(1, len(word) - 1):
|
||||
newWord += "%s%s" % ("/**/" if randomRange(0,1) else "", word[i])
|
||||
newWord += word[-1]
|
||||
retVal = retVal.replace(word, newWord)
|
||||
|
||||
if place != "URI":
|
||||
retVal = urlencode(retVal)
|
||||
return retVal
|
||||
|
|
|
@ -2,19 +2,28 @@ import re
|
|||
import string
|
||||
|
||||
from lib.core.common import randomRange
|
||||
from lib.core.exception import sqlmapUnsupportedFeatureException
|
||||
from lib.core.convert import urldecode
|
||||
from lib.core.convert import urlencode
|
||||
from lib.core.data import kb
|
||||
|
||||
"""
|
||||
value -> chars from value with random case (e.g., INSERT->InsERt)
|
||||
"""
|
||||
#TODO: only do it for deepness = 0 regarding '"
|
||||
def tamper(place, value):
|
||||
retVal = value
|
||||
if value:
|
||||
retVal = ""
|
||||
for i in xrange(len(value)):
|
||||
if value[i].isalpha():
|
||||
retVal += value[i].upper() if randomRange(0,1) else value[i].lower()
|
||||
else:
|
||||
retVal += value[i]
|
||||
if place != "URI":
|
||||
retVal = urldecode(retVal)
|
||||
|
||||
for match in re.finditer(r"[A-Za-z_]+", retVal):
|
||||
word = match.group()
|
||||
if word.upper() in kb.keywords:
|
||||
newWord = str()
|
||||
for i in xrange(len(word)):
|
||||
newWord += word[i].upper() if randomRange(0,1) else word[i].lower()
|
||||
retVal = retVal.replace(word, newWord)
|
||||
|
||||
if place != "URI":
|
||||
retVal = urlencode(retVal)
|
||||
|
||||
return retVal
|
||||
|
|
|
@ -6,12 +6,28 @@ from lib.core.convert import urlencode
|
|||
"""
|
||||
' ' -> /**/ (e.g., SELECT id FROM users->SELECT/**/id/**/FROM users)
|
||||
"""
|
||||
#TODO: only do it for deepness = 0 regarding '"
|
||||
def tamper(place, value):
|
||||
retVal = value
|
||||
if value:
|
||||
if place != "URI":
|
||||
value = urldecode(value)
|
||||
value = value.replace(" ", "/**/")
|
||||
|
||||
retVal = ""
|
||||
qoute, doublequote, firstspace = False, False, False
|
||||
|
||||
for i in xrange(len(value)):
|
||||
if not firstspace:
|
||||
firstspace = value[i].isspace()
|
||||
elif value[i] == '\'':
|
||||
qoute = not qoute
|
||||
elif value[i] == '"':
|
||||
doublequote = not doublequote
|
||||
elif value[i]==" " and not doublequote and not qoute:
|
||||
retVal += "/**/"
|
||||
continue
|
||||
retVal += value[i]
|
||||
|
||||
if place != "URI":
|
||||
value = urlencode(value)
|
||||
return value
|
||||
retVal = urlencode(retVal)
|
||||
return retVal
|
||||
|
||||
|
|
257
txt/keywords.txt
Normal file
257
txt/keywords.txt
Normal file
|
@ -0,0 +1,257 @@
|
|||
#SQL-92 keywords (reference: http://developer.mimer.com/validator/sql-reserved-words.tml)
|
||||
|
||||
ABSOLUTE
|
||||
ACTION
|
||||
ADD
|
||||
ALL
|
||||
ALLOCATE
|
||||
ALTER
|
||||
AND
|
||||
ANY
|
||||
ARE
|
||||
AS
|
||||
ASC
|
||||
ASSERTION
|
||||
AT
|
||||
AUTHORIZATION
|
||||
AVG
|
||||
BEGIN
|
||||
BETWEEN
|
||||
BIT
|
||||
BIT_LENGTH
|
||||
BOTH
|
||||
BY
|
||||
CALL
|
||||
CASCADE
|
||||
CASCADED
|
||||
CASE
|
||||
CAST
|
||||
CATALOG
|
||||
CHAR
|
||||
CHAR_LENGTH
|
||||
CHARACTER
|
||||
CHARACTER_LENGTH
|
||||
CHECK
|
||||
CLOSE
|
||||
COALESCE
|
||||
COLLATE
|
||||
COLLATION
|
||||
COLUMN
|
||||
COMMIT
|
||||
CONDITION
|
||||
CONNECT
|
||||
CONNECTION
|
||||
CONSTRAINT
|
||||
CONSTRAINTS
|
||||
CONTAINS
|
||||
CONTINUE
|
||||
CONVERT
|
||||
CORRESPONDING
|
||||
COUNT
|
||||
CREATE
|
||||
CROSS
|
||||
CURRENT
|
||||
CURRENT_DATE
|
||||
CURRENT_PATH
|
||||
CURRENT_TIME
|
||||
CURRENT_TIMESTAMP
|
||||
CURRENT_USER
|
||||
CURSOR
|
||||
DATE
|
||||
DAY
|
||||
DEALLOCATE
|
||||
DEC
|
||||
DECIMAL
|
||||
DECLARE
|
||||
DEFAULT
|
||||
DEFERRABLE
|
||||
DEFERRED
|
||||
DELETE
|
||||
DESC
|
||||
DESCRIBE
|
||||
DESCRIPTOR
|
||||
DETERMINISTIC
|
||||
DIAGNOSTICS
|
||||
DISCONNECT
|
||||
DISTINCT
|
||||
DO
|
||||
DOMAIN
|
||||
DOUBLE
|
||||
DROP
|
||||
ELSE
|
||||
ELSEIF
|
||||
END
|
||||
ESCAPE
|
||||
EXCEPT
|
||||
EXCEPTION
|
||||
EXEC
|
||||
EXECUTE
|
||||
EXISTS
|
||||
EXIT
|
||||
EXTERNAL
|
||||
EXTRACT
|
||||
FALSE
|
||||
FETCH
|
||||
FIRST
|
||||
FLOAT
|
||||
FOR
|
||||
FOREIGN
|
||||
FOUND
|
||||
FROM
|
||||
FULL
|
||||
FUNCTION
|
||||
GET
|
||||
GLOBAL
|
||||
GO
|
||||
GOTO
|
||||
GRANT
|
||||
GROUP
|
||||
HANDLER
|
||||
HAVING
|
||||
HOUR
|
||||
IDENTITY
|
||||
IF
|
||||
IMMEDIATE
|
||||
IN
|
||||
INDICATOR
|
||||
INITIALLY
|
||||
INNER
|
||||
INOUT
|
||||
INPUT
|
||||
INSENSITIVE
|
||||
INSERT
|
||||
INT
|
||||
INTEGER
|
||||
INTERSECT
|
||||
INTERVAL
|
||||
INTO
|
||||
IS
|
||||
ISOLATION
|
||||
JOIN
|
||||
KEY
|
||||
LANGUAGE
|
||||
LAST
|
||||
LEADING
|
||||
LEAVE
|
||||
LEFT
|
||||
LEVEL
|
||||
LIKE
|
||||
LOCAL
|
||||
LOOP
|
||||
LOWER
|
||||
MATCH
|
||||
MAX
|
||||
MIN
|
||||
MINUTE
|
||||
MODULE
|
||||
MONTH
|
||||
NAMES
|
||||
NATIONAL
|
||||
NATURAL
|
||||
NCHAR
|
||||
NEXT
|
||||
NO
|
||||
NOT
|
||||
NULL
|
||||
NULLIF
|
||||
NUMERIC
|
||||
OCTET_LENGTH
|
||||
OF
|
||||
ON
|
||||
ONLY
|
||||
OPEN
|
||||
OPTION
|
||||
OR
|
||||
ORDER
|
||||
OUT
|
||||
OUTER
|
||||
OUTPUT
|
||||
OVERLAPS
|
||||
PAD
|
||||
PARAMETER
|
||||
PARTIAL
|
||||
PATH
|
||||
POSITION
|
||||
PRECISION
|
||||
PREPARE
|
||||
PRESERVE
|
||||
PRIMARY
|
||||
PRIOR
|
||||
PRIVILEGES
|
||||
PROCEDURE
|
||||
PUBLIC
|
||||
READ
|
||||
REAL
|
||||
REFERENCES
|
||||
RELATIVE
|
||||
REPEAT
|
||||
RESIGNAL
|
||||
RESTRICT
|
||||
RETURN
|
||||
RETURNS
|
||||
REVOKE
|
||||
RIGHT
|
||||
ROLLBACK
|
||||
ROUTINE
|
||||
ROWS
|
||||
SCHEMA
|
||||
SCROLL
|
||||
SECOND
|
||||
SECTION
|
||||
SELECT
|
||||
SESSION
|
||||
SESSION_USER
|
||||
SET
|
||||
SIGNAL
|
||||
SIZE
|
||||
SMALLINT
|
||||
SOME
|
||||
SPACE
|
||||
SPECIFIC
|
||||
SQL
|
||||
SQLCODE
|
||||
SQLERROR
|
||||
SQLEXCEPTION
|
||||
SQLSTATE
|
||||
SQLWARNING
|
||||
SUBSTRING
|
||||
SUM
|
||||
SYSTEM_USER
|
||||
TABLE
|
||||
TEMPORARY
|
||||
THEN
|
||||
TIME
|
||||
TIMESTAMP
|
||||
TIMEZONE_HOUR
|
||||
TIMEZONE_MINUTE
|
||||
TO
|
||||
TRAILING
|
||||
TRANSACTION
|
||||
TRANSLATE
|
||||
TRANSLATION
|
||||
TRIM
|
||||
TRUE
|
||||
UNDO
|
||||
UNION
|
||||
UNIQUE
|
||||
UNKNOWN
|
||||
UNTIL
|
||||
UPDATE
|
||||
UPPER
|
||||
USAGE
|
||||
USER
|
||||
USING
|
||||
VALUE
|
||||
VALUES
|
||||
VARCHAR
|
||||
VARYING
|
||||
VIEW
|
||||
WHEN
|
||||
WHENEVER
|
||||
WHERE
|
||||
WHILE
|
||||
WITH
|
||||
WORK
|
||||
WRITE
|
||||
YEAR
|
||||
ZONE
|
Loading…
Reference in New Issue
Block a user