sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-02-09 08:00:36 +03:00
Code Issues Packages Projects Releases Wiki Activity

Important update to parse correctly the <where> tag during exploitation phase.

Browse Source 
Minor code cleanup.
This commit is contained in:
Bernardo Damele 2010-12-03 10:44:16 +00:00
parent 7d6f51f758
commit 22de82634a
3 changed files with 58 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
lib/core/agent.py
View File

@ -75,8 +75,21 @@ class Agent:
elif kb.injection.place and kb.injection.parameter: elif kb.injection.place and kb.injection.parameter:
paramString = conf.parameters[kb.injection.place] paramString = conf.parameters[kb.injection.place]
paramDict = conf.paramDict[kb.injection.place] paramDict = conf.paramDict[kb.injection.place]
value = paramDict[kb.injection.parameter] origValue = paramDict[kb.injection.parameter]
newValue = self.cleanupPayload(newValue, value)
if kb.technique and kb.technique in kb.injection.data:
where = kb.injection.data[kb.technique].where
if where == 1:
value = origValue
elif where == 2:
value = "-%s" % origValue
elif where == 3:
value = ""
else:
value = origValue
newValue = self.cleanupPayload(newValue, origValue)
if "POSTxml" in conf.paramDict and kb.injection.place == PLACE.POST: if "POSTxml" in conf.paramDict and kb.injection.place == PLACE.POST:
root = ET.XML(paramString) root = ET.XML(paramString)
@ -90,7 +103,7 @@ class Agent:
retValue = paramString.replace("*", retValue = paramString.replace("*",
self.addPayloadDelimiters("%s%s" % (negValue, falseValue + newValue))) self.addPayloadDelimiters("%s%s" % (negValue, falseValue + newValue)))
else: else:
retValue = paramString.replace("%s=%s" % (kb.injection.parameter, value), retValue = paramString.replace("%s=%s" % (kb.injection.parameter, origValue),
"%s=%s" % (kb.injection.parameter, self.addPayloadDelimiters(negValue + value + falseValue + newValue))) "%s=%s" % (kb.injection.parameter, self.addPayloadDelimiters(negValue + value + falseValue + newValue)))
# Before identifing the injectable parameter # Before identifing the injectable parameter
@ -135,8 +148,17 @@ class Agent:
if conf.direct: if conf.direct:
return self.payloadDirect(string) return self.payloadDirect(string)
if kb.technique == 4:
query = kb.injection.prefix
elif kb.technique and kb.technique in kb.injection.data:
where = kb.injection.data[kb.technique].where
if where == 3:
query = kb.injection.prefix
else:
query = "%s " % kb.injection.prefix query = "%s " % kb.injection.prefix
query += string
query = "%s%s" % (query, string)
query = self.cleanupPayload(query) query = self.cleanupPayload(query)
return query return query

1
lib/core/option.py
View File

@ -1175,6 +1175,7 @@ def __setKnowledgeBaseAttributes():
kb.tamperFunctions = [] kb.tamperFunctions = []
kb.targetUrls = set() kb.targetUrls = set()
kb.testedParams = set() kb.testedParams = set()
kb.technique = None
kb.unionComment = "" kb.unionComment = ""
kb.unionCount = None kb.unionCount = None
kb.unionPosition = None kb.unionPosition = None

64
lib/request/inject.py
View File

@ -29,7 +29,6 @@ from lib.core.data import logger
from lib.core.data import queries from lib.core.data import queries
from lib.core.enums import DBMS from lib.core.enums import DBMS
from lib.core.exception import sqlmapNotVulnerableException from lib.core.exception import sqlmapNotVulnerableException
from lib.core.unescaper import unescaper
from lib.request.connect import Connect as Request from lib.request.connect import Connect as Request
from lib.request.direct import direct from lib.request.direct import direct
from lib.techniques.inband.union.use import unionUse from lib.techniques.inband.union.use import unionUse
@ -309,6 +308,31 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r
return returnValue return returnValue
def __goError(expression, resumeValue=True):
"""
Retrieve the output of a SQL query taking advantage of an error-based
SQL injection vulnerability on the affected parameter.
"""
result = None
if conf.direct:
return direct(expression), None
condition = (
kb.resumedQueries and conf.url in kb.resumedQueries.keys()
and expression in kb.resumedQueries[conf.url].keys()
)
if condition and resumeValue:
result = resume(expression, None)
if not result:
result = errorUse(expression)
dataToSessionFile("[%s][%s][%s][%s][%s]\n" % (conf.url, kb.injection.place, conf.parameters[kb.injection.place], expression, replaceNewlineTabs(result)))
return result
def __goInband(expression, expected=None, sort=True, resumeValue=True, unpack=True, dump=False): def __goInband(expression, expected=None, sort=True, resumeValue=True, unpack=True, dump=False):
""" """
Retrieve the output of a SQL query taking advantage of an inband SQL Retrieve the output of a SQL query taking advantage of an inband SQL
@ -359,6 +383,7 @@ def getValue(expression, blind=True, inband=True, error=True, fromUser=False, ex
expression = expression.replace("DISTINCT ", "") expression = expression.replace("DISTINCT ", "")
if inband and kb.unionTest is not None: if inband and kb.unionTest is not None:
kb.technique = 3
value = __goInband(expression, expected, sort, resumeValue, unpack, dump) value = __goInband(expression, expected, sort, resumeValue, unpack, dump)
if not value: if not value:
@ -373,7 +398,8 @@ def getValue(expression, blind=True, inband=True, error=True, fromUser=False, ex
kb.unionNegative = False kb.unionNegative = False
if error and kb.errorTest and not value: if error and kb.errorTest and not value:
value = goError(expression) kb.technique = 2
value = __goError(expression, resumeValue)
if not value: if not value:
warnMsg = "for some reason(s) it was not possible to retrieve " warnMsg = "for some reason(s) it was not possible to retrieve "
@ -382,6 +408,7 @@ def getValue(expression, blind=True, inband=True, error=True, fromUser=False, ex
logger.warn(warnMsg) logger.warn(warnMsg)
if blind and kb.booleanTest and not value: if blind and kb.booleanTest and not value:
kb.technique = 1
value = __goInferenceProxy(expression, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar) value = __goInferenceProxy(expression, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar)
kb.unionFalseCond = oldParamFalseCond kb.unionFalseCond = oldParamFalseCond
@ -400,6 +427,7 @@ def getValue(expression, blind=True, inband=True, error=True, fromUser=False, ex
return value return value
def goStacked(expression, silent=False): def goStacked(expression, silent=False):
kb.technique = 4
expression = cleanQuery(expression) expression = cleanQuery(expression)
if conf.direct: if conf.direct:
@ -416,35 +444,3 @@ def goStacked(expression, silent=False):
page, _ = Request.queryPage(payload, content=True, silent=silent) page, _ = Request.queryPage(payload, content=True, silent=silent)
return payload, page return payload, page
def goError(expression, suppressOutput=False):
"""
Retrieve the output of a SQL query taking advantage of an error-based
SQL injection vulnerability on the affected parameter.
"""
result = None
if suppressOutput:
pushValue(conf.verbose)
conf.verbose = 0
if conf.direct:
return direct(expression), None
condition = (
kb.resumedQueries and conf.url in kb.resumedQueries.keys()
and expression in kb.resumedQueries[conf.url].keys()
)
if condition:
result = resume(expression, None)
if not result:
result = errorUse(expression)
dataToSessionFile("[%s][%s][%s][%s][%s]\n" % (conf.url, kb.injection.place, conf.parameters[kb.injection.place], expression, replaceNewlineTabs(result)))
if suppressOutput:
conf.verbose = popValue()
return result