Implementation for #2709

2024-11-25 19:13:48 +03:00 · 2017-09-25 11:32:40 +02:00 · 2017-09-25 11:32:40 +02:00 · 222fd856fa
commit 222fd856fa
parent db94d24db1
3 changed files with 96 additions and 81 deletions
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@ -19,7 +19,7 @@ from lib.core.enums import DBMS_DIRECTORY_NAME
 from lib.core.enums import OS

 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.1.9.23"
+VERSION = "1.1.9.24"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
--- a/lib/techniques/blind/inference.py
+++ b/lib/techniques/blind/inference.py
@ -278,6 +278,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
            lastCheck = False
            unexpectedCode = False

+            if continuousOrder:
                while len(charTbl) > 1:
                    position = None

@ -357,7 +358,6 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
                            charTbl = xrange(charTbl[0], charTbl[position])

                    if len(charTbl) == 1:
-                    if continuousOrder:
                        if maxValue == 1:
                            return None

@ -417,24 +417,39 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
                            else:
                                return None
            else:
-                        if minValue == maxChar or maxValue == minChar:
-                            return None
+                candidates = list(originalTbl)
+                bit = 0
+                while len(candidates) > 1:
+                    bits = {}
+                    for candidate in candidates:
+                        bit = 0
+                        while candidate:
+                            bits.setdefault(bit, 0)
+                            bits[bit] += 1 if candidate & 1 else -1
+                            candidate >>= 1
+                            bit += 1

-                        for index in xrange(len(originalTbl)):
-                            if originalTbl[index] == minValue:
-                                break
+                    choice = sorted(bits.items(), key=lambda _: abs(_[1]))[0][0]
+                    mask = 1 << choice

-                        # If we are working with non-continuous elements, both minValue and character after
-                        # are possible candidates
-                        for retVal in (originalTbl[index], originalTbl[index + 1]):
-                            forgedPayload = safeStringFormat(payload.replace(INFERENCE_GREATER_CHAR, INFERENCE_EQUALS_CHAR), (expressionUnescaped, idx, retVal))
+                    forgedPayload = safeStringFormat(payload.replace(INFERENCE_GREATER_CHAR, "&%d%s" % (mask, INFERENCE_GREATER_CHAR)), (expressionUnescaped, idx, 0))
                    result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare, raise404=False)
                    incrementCounter(kb.technique)

                    if result:
-                                return decodeIntToUnicode(retVal)
+                        candidates = [_ for _ in candidates if _ & mask > 0]
+                    else:
+                        candidates = [_ for _ in candidates if _ & mask == 0]

-                        return None
+                    bit += 1
+
+                if candidates:
+                    forgedPayload = safeStringFormat(payload.replace(INFERENCE_GREATER_CHAR, INFERENCE_EQUALS_CHAR), (expressionUnescaped, idx, candidates[0]))
+                    result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare, raise404=False)
+                    incrementCounter(kb.technique)
+
+                    if result:
+                        return decodeIntToUnicode(candidates[0])

        # Go multi-threading (--threads > 1)
        if conf.threads > 1 and isinstance(length, int) and length > 1:
--- a/txt/checksum.md5
+++ b/txt/checksum.md5
@ -46,7 +46,7 @@ e8e9fd4f224ead0caa1569312b5b2582  lib/core/optiondict.py
 d8e9250f3775119df07e9070eddccd16  lib/core/replication.py
 785f86e3f963fa3798f84286a4e83ff2  lib/core/revision.py
 40c80b28b3a5819b737a5a17d4565ae9  lib/core/session.py
-bc83df99ea0febcf872e078408a71c8f  lib/core/settings.py
+bb423d7f62041a13e0264e9718d003f2  lib/core/settings.py
 d91291997d2bd2f6028aaf371bf1d3b6  lib/core/shell.py
 2ad85c130cc5f2b3701ea85c2f6bbf20  lib/core/subprocessng.py
 effc153067a00bd43461bfc1cdec1122  lib/core/target.py
@ -87,7 +87,7 @@ ac541a0d38e4ecb4e41e97799a7235f4  lib/takeover/registry.py
 ff1af7f85fdf4f2a5369f2927d149824  lib/takeover/udf.py
 8df5a334823b724a2207a28c94f6fe3d  lib/takeover/web.py
 b4c3264b9b6dcbf00cb7bffa447d1f6c  lib/takeover/xp_cmdshell.py
-988677fd3625518b771566b407adfef6  lib/techniques/blind/inference.py
+f18caf2e50366057771316a490c90795  lib/techniques/blind/inference.py
 310efc965c862cfbd7b0da5150a5ad36  lib/techniques/blind/__init__.py
 310efc965c862cfbd7b0da5150a5ad36  lib/techniques/dns/__init__.py
 ab1601a7f429b47637c4fb8af703d0f1  lib/techniques/dns/test.py