sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-02-18 12:30:36 +03:00
Code Issues Packages Projects Releases Wiki Activity

Got rid of UNION false cond

Browse Source
This commit is contained in:
Bernardo Damele 2010-12-05 16:16:15 +00:00
parent a1e89d3e94
commit 17449754fe
7 changed files with 8 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
lib/core/agent.py
View File

@ -49,7 +49,7 @@ class Agent:
return query return query
def payload(self, place=None, parameter=None, value=None, newValue=None, negative=False, falseCond=False): def payload(self, place=None, parameter=None, value=None, newValue=None, negative=False):
""" """
This method replaces the affected parameter with the SQL This method replaces the affected parameter with the SQL
injection statement to request injection statement to request
@ -64,9 +64,6 @@ class Agent:
if negative or kb.unionNegative: if negative or kb.unionNegative:
negValue = "-" negValue = "-"
elif falseCond or kb.unionFalseCond:
randInt = randomInt()
falseValue = " AND %d=%d" % (randInt, randInt + 1)
# After identifing the injectable parameter # After identifing the injectable parameter
if kb.injection.place == PLACE.UA and kb.injection.parameter: if kb.injection.place == PLACE.UA and kb.injection.parameter:

1
lib/core/option.py
View File

@ -1182,7 +1182,6 @@ def __setKnowledgeBaseAttributes():
kb.unionCount = None kb.unionCount = None
kb.unionPosition = None kb.unionPosition = None
kb.unionNegative = False kb.unionNegative = False
kb.unionFalseCond = False
kb.userAgents = None kb.userAgents = None
kb.valueStack = [] kb.valueStack = []
kb.redirectSetCookie = None kb.redirectSetCookie = None

20
lib/core/session.py
View File

@ -203,7 +203,7 @@ def setTimeBased(place, parameter, payload):
if condition: if condition:
dataToSessionFile("[%s][%s][%s][Time-based blind injection][%s]\n" % (conf.url, place, safeFormatString(conf.parameters[place]), payload)) dataToSessionFile("[%s][%s][%s][Time-based blind injection][%s]\n" % (conf.url, place, safeFormatString(conf.parameters[place]), payload))
def setUnion(comment=None, count=None, position=None, negative=False, falseCond=False, char=None, payload=None): def setUnion(comment=None, count=None, position=None, negative=False, char=None, payload=None):
""" """
@param comment: union comment to save in session file @param comment: union comment to save in session file
@type comment: C{str} @type comment: C{str}
@ -260,18 +260,6 @@ def setUnion(comment=None, count=None, position=None, negative=False, falseCond=
kb.unionNegative = True kb.unionNegative = True
if falseCond:
condition = (
not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and
( not kb.resumedQueries[conf.url].has_key("Union false condition")
) )
)
if condition:
dataToSessionFile("[%s][%s][%s][Union false condition][Yes]\n" % (conf.url, kb.injection.place, safeFormatString(conf.parameters[kb.injection.place])))
kb.unionFalseCond = True
if char: if char:
condition = ( condition = (
not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and
@ -475,12 +463,6 @@ def resumeConfKb(expression, url, value):
logMsg = "resuming union negative from session file" logMsg = "resuming union negative from session file"
logger.info(logMsg) logger.info(logMsg)
elif expression == "Union false condition" and url == conf.url:
kb.unionFalseCond = True if value[:-1] == "Yes" else False
logMsg = "resuming union false condition from session file"
logger.info(logMsg)
elif expression == "Union char" and url == conf.url: elif expression == "Union char" and url == conf.url:
conf.uChar = value[:-1] conf.uChar = value[:-1]

3
lib/request/inject.py
View File

@ -392,9 +392,7 @@ def getValue(expression, blind=True, inband=True, error=True, fromUser=False, ex
warnMsg += "technique, sqlmap is going blind" warnMsg += "technique, sqlmap is going blind"
logger.warn(warnMsg) logger.warn(warnMsg)
oldParamFalseCond = kb.unionFalseCond
oldParamNegative = kb.unionNegative oldParamNegative = kb.unionNegative
kb.unionFalseCond = False
kb.unionNegative = False kb.unionNegative = False
if error and kb.errorTest and not value: if error and kb.errorTest and not value:
@ -411,7 +409,6 @@ def getValue(expression, blind=True, inband=True, error=True, fromUser=False, ex
kb.technique = 1 kb.technique = 1
value = __goInferenceProxy(expression, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar) value = __goInferenceProxy(expression, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar)
kb.unionFalseCond = oldParamFalseCond
kb.unionNegative = oldParamNegative kb.unionNegative = oldParamNegative
if value and isinstance(value, basestring): if value and isinstance(value, basestring):

16
lib/techniques/inband/union/test.py
View File

@ -19,7 +19,7 @@ from lib.core.unescaper import unescaper
from lib.parse.html import htmlParser from lib.parse.html import htmlParser
from lib.request.connect import Connect as Request from lib.request.connect import Connect as Request
def __unionPosition(negative=False, falseCond=False, count=None, comment=None): def __unionPosition(negative=False, count=None, comment=None):
validPayload = None validPayload = None
if count is None: if count is None:
@ -36,7 +36,7 @@ def __unionPosition(negative=False, falseCond=False, count=None, comment=None):
# Forge the inband SQL injection request # Forge the inband SQL injection request
query = agent.forgeInbandQuery(randQueryUnescaped, exprPosition, count=count, comment=comment) query = agent.forgeInbandQuery(randQueryUnescaped, exprPosition, count=count, comment=comment)
payload = agent.payload(newValue=query, negative=negative, falseCond=falseCond) payload = agent.payload(newValue=query, negative=negative)
# Perform the request # Perform the request
resultPage, _ = Request.queryPage(payload, content=True) resultPage, _ = Request.queryPage(payload, content=True)
@ -72,18 +72,6 @@ def __unionConfirm(count=None, comment=None):
# (single entry) inband SQL injection position with negative # (single entry) inband SQL injection position with negative
# parameter validPayload # parameter validPayload
if not isinstance(kb.unionPosition, int): if not isinstance(kb.unionPosition, int):
# NOTE: disable false condition for the time being, in the
# end it produces the same as prepending the original
# parameter value with a minus (negative)
#validPayload = __unionPosition(falseCond=True, count=count, comment=comment)
#
# Assure that the above function found the exploitable partial
# (single entry) inband SQL injection position by appending
# a false condition after the parameter validPayload
#if not isinstance(kb.unionPosition, int):
# return None
#else:
# setUnion(falseCond=True)
return None return None
else: else:
setUnion(negative=True) setUnion(negative=True)

2
lib/techniques/inband/union/use.py
View File

@ -57,7 +57,7 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh
expression = agent.concatQuery(expression, unpack) expression = agent.concatQuery(expression, unpack)
expression = unescaper.unescape(expression) expression = unescaper.unescape(expression)
if ( kb.unionNegative or kb.unionFalseCond ) and not direct: if kb.unionNegative and not direct:
_, _, _, _, _, expressionFieldsList, expressionFields = agent.getFields(origExpr) _, _, _, _, _, expressionFieldsList, expressionFields = agent.getFields(origExpr)
# We have to check if the SQL query might return multiple entries # We have to check if the SQL query might return multiple entries

5
plugins/dbms/mysql/filesystem.py
View File

@ -88,17 +88,12 @@ class Filesystem(GenericFilesystem):
unionTest() unionTest()
oldParamFalseCond = kb.unionFalseCond
kb.unionFalseCond = True
debugMsg = "exporting the %s file content to file '%s'" % (fileType, dFile) debugMsg = "exporting the %s file content to file '%s'" % (fileType, dFile)
logger.debug(debugMsg) logger.debug(debugMsg)
sqlQuery = "%s INTO DUMPFILE '%s'" % (fcEncodedStr, dFile) sqlQuery = "%s INTO DUMPFILE '%s'" % (fcEncodedStr, dFile)
unionUse(sqlQuery, direct=True, unescape=False, nullChar="''") unionUse(sqlQuery, direct=True, unescape=False, nullChar="''")
kb.unionFalseCond = oldParamFalseCond
if confirm: if confirm:
self.askCheckWrittenFile(wFile, dFile, fileType) self.askCheckWrittenFile(wFile, dFile, fileType)