mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2024-11-26 03:23:48 +03:00
Got rid of UNION false cond
This commit is contained in:
parent
a1e89d3e94
commit
17449754fe
|
@ -49,7 +49,7 @@ class Agent:
|
|||
|
||||
return query
|
||||
|
||||
def payload(self, place=None, parameter=None, value=None, newValue=None, negative=False, falseCond=False):
|
||||
def payload(self, place=None, parameter=None, value=None, newValue=None, negative=False):
|
||||
"""
|
||||
This method replaces the affected parameter with the SQL
|
||||
injection statement to request
|
||||
|
@ -64,9 +64,6 @@ class Agent:
|
|||
|
||||
if negative or kb.unionNegative:
|
||||
negValue = "-"
|
||||
elif falseCond or kb.unionFalseCond:
|
||||
randInt = randomInt()
|
||||
falseValue = " AND %d=%d" % (randInt, randInt + 1)
|
||||
|
||||
# After identifing the injectable parameter
|
||||
if kb.injection.place == PLACE.UA and kb.injection.parameter:
|
||||
|
|
|
@ -1182,7 +1182,6 @@ def __setKnowledgeBaseAttributes():
|
|||
kb.unionCount = None
|
||||
kb.unionPosition = None
|
||||
kb.unionNegative = False
|
||||
kb.unionFalseCond = False
|
||||
kb.userAgents = None
|
||||
kb.valueStack = []
|
||||
kb.redirectSetCookie = None
|
||||
|
|
|
@ -203,7 +203,7 @@ def setTimeBased(place, parameter, payload):
|
|||
if condition:
|
||||
dataToSessionFile("[%s][%s][%s][Time-based blind injection][%s]\n" % (conf.url, place, safeFormatString(conf.parameters[place]), payload))
|
||||
|
||||
def setUnion(comment=None, count=None, position=None, negative=False, falseCond=False, char=None, payload=None):
|
||||
def setUnion(comment=None, count=None, position=None, negative=False, char=None, payload=None):
|
||||
"""
|
||||
@param comment: union comment to save in session file
|
||||
@type comment: C{str}
|
||||
|
@ -260,18 +260,6 @@ def setUnion(comment=None, count=None, position=None, negative=False, falseCond=
|
|||
|
||||
kb.unionNegative = True
|
||||
|
||||
if falseCond:
|
||||
condition = (
|
||||
not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and
|
||||
( not kb.resumedQueries[conf.url].has_key("Union false condition")
|
||||
) )
|
||||
)
|
||||
|
||||
if condition:
|
||||
dataToSessionFile("[%s][%s][%s][Union false condition][Yes]\n" % (conf.url, kb.injection.place, safeFormatString(conf.parameters[kb.injection.place])))
|
||||
|
||||
kb.unionFalseCond = True
|
||||
|
||||
if char:
|
||||
condition = (
|
||||
not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and
|
||||
|
@ -475,12 +463,6 @@ def resumeConfKb(expression, url, value):
|
|||
logMsg = "resuming union negative from session file"
|
||||
logger.info(logMsg)
|
||||
|
||||
elif expression == "Union false condition" and url == conf.url:
|
||||
kb.unionFalseCond = True if value[:-1] == "Yes" else False
|
||||
|
||||
logMsg = "resuming union false condition from session file"
|
||||
logger.info(logMsg)
|
||||
|
||||
elif expression == "Union char" and url == conf.url:
|
||||
conf.uChar = value[:-1]
|
||||
|
||||
|
|
|
@ -392,9 +392,7 @@ def getValue(expression, blind=True, inband=True, error=True, fromUser=False, ex
|
|||
warnMsg += "technique, sqlmap is going blind"
|
||||
logger.warn(warnMsg)
|
||||
|
||||
oldParamFalseCond = kb.unionFalseCond
|
||||
oldParamNegative = kb.unionNegative
|
||||
kb.unionFalseCond = False
|
||||
kb.unionNegative = False
|
||||
|
||||
if error and kb.errorTest and not value:
|
||||
|
@ -411,7 +409,6 @@ def getValue(expression, blind=True, inband=True, error=True, fromUser=False, ex
|
|||
kb.technique = 1
|
||||
value = __goInferenceProxy(expression, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar)
|
||||
|
||||
kb.unionFalseCond = oldParamFalseCond
|
||||
kb.unionNegative = oldParamNegative
|
||||
|
||||
if value and isinstance(value, basestring):
|
||||
|
|
|
@ -19,7 +19,7 @@ from lib.core.unescaper import unescaper
|
|||
from lib.parse.html import htmlParser
|
||||
from lib.request.connect import Connect as Request
|
||||
|
||||
def __unionPosition(negative=False, falseCond=False, count=None, comment=None):
|
||||
def __unionPosition(negative=False, count=None, comment=None):
|
||||
validPayload = None
|
||||
|
||||
if count is None:
|
||||
|
@ -36,7 +36,7 @@ def __unionPosition(negative=False, falseCond=False, count=None, comment=None):
|
|||
|
||||
# Forge the inband SQL injection request
|
||||
query = agent.forgeInbandQuery(randQueryUnescaped, exprPosition, count=count, comment=comment)
|
||||
payload = agent.payload(newValue=query, negative=negative, falseCond=falseCond)
|
||||
payload = agent.payload(newValue=query, negative=negative)
|
||||
|
||||
# Perform the request
|
||||
resultPage, _ = Request.queryPage(payload, content=True)
|
||||
|
@ -72,18 +72,6 @@ def __unionConfirm(count=None, comment=None):
|
|||
# (single entry) inband SQL injection position with negative
|
||||
# parameter validPayload
|
||||
if not isinstance(kb.unionPosition, int):
|
||||
# NOTE: disable false condition for the time being, in the
|
||||
# end it produces the same as prepending the original
|
||||
# parameter value with a minus (negative)
|
||||
#validPayload = __unionPosition(falseCond=True, count=count, comment=comment)
|
||||
#
|
||||
# Assure that the above function found the exploitable partial
|
||||
# (single entry) inband SQL injection position by appending
|
||||
# a false condition after the parameter validPayload
|
||||
#if not isinstance(kb.unionPosition, int):
|
||||
# return None
|
||||
#else:
|
||||
# setUnion(falseCond=True)
|
||||
return None
|
||||
else:
|
||||
setUnion(negative=True)
|
||||
|
|
|
@ -57,7 +57,7 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh
|
|||
expression = agent.concatQuery(expression, unpack)
|
||||
expression = unescaper.unescape(expression)
|
||||
|
||||
if ( kb.unionNegative or kb.unionFalseCond ) and not direct:
|
||||
if kb.unionNegative and not direct:
|
||||
_, _, _, _, _, expressionFieldsList, expressionFields = agent.getFields(origExpr)
|
||||
|
||||
# We have to check if the SQL query might return multiple entries
|
||||
|
|
|
@ -88,17 +88,12 @@ class Filesystem(GenericFilesystem):
|
|||
|
||||
unionTest()
|
||||
|
||||
oldParamFalseCond = kb.unionFalseCond
|
||||
kb.unionFalseCond = True
|
||||
|
||||
debugMsg = "exporting the %s file content to file '%s'" % (fileType, dFile)
|
||||
logger.debug(debugMsg)
|
||||
|
||||
sqlQuery = "%s INTO DUMPFILE '%s'" % (fcEncodedStr, dFile)
|
||||
unionUse(sqlQuery, direct=True, unescape=False, nullChar="''")
|
||||
|
||||
kb.unionFalseCond = oldParamFalseCond
|
||||
|
||||
if confirm:
|
||||
self.askCheckWrittenFile(wFile, dFile, fileType)
|
||||
|
||||
|
|
Loading…
Reference in New Issue
Block a user