Refactoring to --technique

2024-11-22 01:26:42 +03:00 · 2011-04-07 10:00:47 +00:00 · 2011-04-07 10:00:47 +00:00 · 17844eb87c
commit 17844eb87c
parent 287f74dbd2
7 changed files with 95 additions and 17 deletions
--- a/doc/README.html
+++ b/doc/README.html
@ -937,6 +937,7 @@ Options:
    These options can be used to tweak testing of specific SQL injection
    techniques.

+    --technique=TECH    SQL injection techniques to test for (default all)
    --time-sec=TIMESEC  Seconds to delay the DBMS response (default 5)
    --union-cols=UCOLS  Range of columns to test for UNION query SQL injection
    --union-char=UCHAR  Character to use for bruteforcing number of columns
@ -1796,6 +1797,39 @@ expression match.</P>
 techniques.</P>


+<H3>SQL injection techniques to test for</H3>
+
+<P>Switch: <CODE>-</CODE><CODE>-technique</CODE></P>
+
+<P>This switch can be used to specify which SQL injection type to test for.
+By default sqlmap tests for <B>all</B> types/techniques it supports.</P>
+
+<P>In certain situations you may want to test only for one or few specific
+types of SQL injection thought and this is where this switch comes into
+play.</P>
+
+<P>This switch requires an argument. Such argument is a string composed by
+any combination of <CODE>B</CODE>, <CODE>E</CODE>, <CODE>U</CODE>, <CODE>S</CODE> and
+<CODE>T</CODE> characters where each letter stands for a different technique:</P>
+<P>
+<UL>
+<LI><CODE>B</CODE>: Boolean-based blind SQL injection</LI>
+<LI><CODE>E</CODE>: Error-based SQL injection</LI>
+<LI><CODE>U</CODE>: UNION query SQL injection</LI>
+<LI><CODE>S</CODE>: Stacked queries SQL injection</LI>
+<LI><CODE>T</CODE>: Time-based blind SQL injection</LI>
+</UL>
+</P>
+
+<P>For instance, you can provide <CODE>ES</CODE> if you want to test for and
+exploit error-based and stacked queries SQL injection types only.
+The default value is <CODE>BEUST</CODE>.</P>
+
+<P>Note that the string must include stacked queries technique letter,
+<CODE>S</CODE>, when you want to access the file system, takeover the
+operating system or access Windows registry hives.</P>
+
+
 <H3>Seconds to delay the DBMS response for time-based blind SQL injection</H3>

 <P>Switch: <CODE>-</CODE><CODE>-time-sec</CODE></P>
--- a/doc/README.pdf
+++ b/doc/README.pdf
--- a/doc/README.sgml
+++ b/doc/README.sgml
@ -1791,7 +1791,36 @@ techniques.
 Switch: <tt>-</tt><tt>-technique</tt>

 <p>
-TODO
+This switch can be used to specify which SQL injection type to test for.
+By default sqlmap tests for <bf>all</bf> types/techniques it supports.
+
+<p>
+In certain situations you may want to test only for one or few specific
+types of SQL injection thought and this is where this switch comes into
+play.
+
+<p>
+This switch requires an argument. Such argument is a string composed by
+any combination of <tt>B</tt>, <tt>E</tt>, <tt>U</tt>, <tt>S</tt> and
+<tt>T</tt> characters where each letter stands for a different technique:
+
+<itemize>
+<item><tt>B</tt>: Boolean-based blind SQL injection
+<item><tt>E</tt>: Error-based SQL injection
+<item><tt>U</tt>: UNION query SQL injection
+<item><tt>S</tt>: Stacked queries SQL injection
+<item><tt>T</tt>: Time-based blind SQL injection
+</itemize>
+
+<p>
+For instance, you can provide <tt>ES</tt> if you want to test for and
+exploit error-based and stacked queries SQL injection types only.
+The default value is <tt>BEUST</tt>.
+
+<p>
+Note that the string must include stacked queries technique letter,
+<tt>S</tt>, when you want to access the file system, takeover the
+operating system or access Windows registry hives.


 <sect2>Seconds to delay the DBMS response for time-based blind SQL injection
--- a/lib/core/option.py
+++ b/lib/core/option.py
@ -27,6 +27,7 @@ from extra.xmlobject import xmlobject
 from lib.controller.checks import checkConnection
 from lib.core.common import Backend
 from lib.core.common import dataToStdout
+from lib.core.common import getPublicTypeMembers
 from lib.core.common import extractRegexResult
 from lib.core.common import filterStringValue
 from lib.core.common import getConsoleWidth
@ -605,8 +606,22 @@ def __setOS():
        raise sqlmapUnsupportedDBMSException, errMsg

 def __setTechnique():
-    if not conf.tech or not isinstance(conf.tech, int):
-        conf.tech = []
+    validTechniques = getPublicTypeMembers(PAYLOAD.TECHNIQUE)
+    selTechniques = []
+
+    if conf.tech and isinstance(conf.tech, basestring):
+        for t in conf.tech:
+            if t.upper() not in ("B", "E", "U", "S", "T"):
+                errMsg = "value for --technique must be a string composed "
+                errMsg += "by the letters B, E, U, S and T. Refer to the "
+                errMsg += "user's manual for details"
+                raise sqlmapSyntaxException, errMsg
+
+            for validTech, validInt in validTechniques:
+                if t.upper() == validTech[0]:
+                    selTechniques.append(validInt)
+                    break
+        conf.tech = selTechniques
    else:
        conf.tech = filter(lambda x: x in PAYLOAD.SQLINJECTION, [int(c) for c in str(conf.tech)])

@ -617,7 +632,7 @@ def __setTechnique():
           'osCmd', 'osShell', 'osPwn', 'osSmb', 'osBof', 'regRead', \
           'regAdd', 'regDel'])) and PAYLOAD.TECHNIQUE.STACKED not in conf.tech:
            errMsg = "value for --technique must include stacked queries "
-            errMsg += "technique (4) when you want to access the file "
+            errMsg += "technique (S) when you want to access the file "
            errMsg += "system, takeover the operating system or access "
            errMsg += "Windows registry hives"
            raise sqlmapSyntaxException, errMsg
--- a/lib/core/optiondict.py
+++ b/lib/core/optiondict.py
@ -70,7 +70,7 @@ optDict = {
                             },

            "Techniques":    {
-                               "tech":              "integer",
+                               "tech":              "string",
                               "timeSec":           "integer",
                               "uCols":             "string",
                               "uChar":             "string"
--- a/lib/parse/cmdline.py
+++ b/lib/parse/cmdline.py
@ -207,9 +207,9 @@ def cmdLineParser():
                                 "used to tweak testing of specific SQL "
                                 "injection techniques.")

-        techniques.add_option("--technique", dest="tech", type="int",
-                          default=0, help="SQL injection techniques to "
-                                          "test for (default all)")
+        techniques.add_option("--technique", dest="tech", default="BEUST",
+                              help="SQL injection techniques to test for "
+                                   "(default BEUST)")

        techniques.add_option("--time-sec", dest="timeSec",
                              type="int", default=TIME_DEFAULT_DELAY,
--- a/sqlmap.conf
+++ b/sqlmap.conf
@ -224,16 +224,16 @@ textOnly = False
 [Techniques]

 # SQL injection techniques to test for.
-# Valid: an integer composed by 1, 2, 3, 4 or 5 where:
-# 1: boolean-based blind SQL injection
-# 2: error-based SQL injection
-# 3: UNION query SQL injection
-# 4: stacked queries SQL injection
-# 5: time-based blind SQL injection
-# Example: 24 (means test for error-based and stacked queries SQL
+# Valid: a string composed by B, E, U, S and T where:
+# B: Boolean-based blind SQL injection
+# E: Error-based SQL injection
+# U: UNION query SQL injection
+# S: Stacked queries SQL injection
+# T: Time-based blind SQL injection
+# Example: ES (means test for error-based and stacked queries SQL
 # injection types only)
-# Default: 0 (means test for all SQL injection types - recommended)
-tech = 0
+# Default: BEUST (means test for all SQL injection types - recommended)
+tech = BEUST

 # Seconds to delay the response from the DBMS.
 # Valid: integer