Merge branch 'master' of github.com:sqlmapproject/sqlmap
commit
23153e8088
|
@ -675,6 +675,71 @@ class Agent(object):
|
||||||
|
|
||||||
return unionQuery
|
return unionQuery
|
||||||
|
|
||||||
|
def limitCondition(self, expression, dump=False):
|
||||||
|
startLimit = 0
|
||||||
|
stopLimit = None
|
||||||
|
limitCond = True
|
||||||
|
|
||||||
|
limitRegExp = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query, expression, re.I)
|
||||||
|
limitRegExp2 = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query2, expression, re.I)
|
||||||
|
topLimit = re.search("TOP\s+([\d]+)\s+", expression, re.I)
|
||||||
|
|
||||||
|
if (limitRegExp or limitRegExp2) or (Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE) and topLimit):
|
||||||
|
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.SQLITE):
|
||||||
|
limitGroupStart = queries[Backend.getIdentifiedDbms()].limitgroupstart.query
|
||||||
|
limitGroupStop = queries[Backend.getIdentifiedDbms()].limitgroupstop.query
|
||||||
|
|
||||||
|
if limitGroupStart.isdigit():
|
||||||
|
if limitRegExp:
|
||||||
|
startLimit = int(limitRegExp.group(int(limitGroupStart)))
|
||||||
|
stopLimit = limitRegExp.group(int(limitGroupStop))
|
||||||
|
elif limitRegExp2:
|
||||||
|
startLimit = 0
|
||||||
|
stopLimit = limitRegExp2.group(int(limitGroupStart))
|
||||||
|
limitCond = int(stopLimit) > 1
|
||||||
|
|
||||||
|
elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):
|
||||||
|
if limitRegExp:
|
||||||
|
limitGroupStart = queries[Backend.getIdentifiedDbms()].limitgroupstart.query
|
||||||
|
limitGroupStop = queries[Backend.getIdentifiedDbms()].limitgroupstop.query
|
||||||
|
|
||||||
|
if limitGroupStart.isdigit():
|
||||||
|
startLimit = int(limitRegExp.group(int(limitGroupStart)))
|
||||||
|
|
||||||
|
stopLimit = limitRegExp.group(int(limitGroupStop))
|
||||||
|
limitCond = int(stopLimit) > 1
|
||||||
|
elif topLimit:
|
||||||
|
startLimit = 0
|
||||||
|
stopLimit = int(topLimit.group(1))
|
||||||
|
limitCond = int(stopLimit) > 1
|
||||||
|
|
||||||
|
elif Backend.isDbms(DBMS.ORACLE):
|
||||||
|
limitCond = False
|
||||||
|
|
||||||
|
# We assume that only queries NOT containing a "LIMIT #, 1"
|
||||||
|
# (or equivalent depending on the back-end DBMS) can return
|
||||||
|
# multiple entries
|
||||||
|
if limitCond:
|
||||||
|
if (limitRegExp or limitRegExp2) and stopLimit is not None:
|
||||||
|
stopLimit = int(stopLimit)
|
||||||
|
|
||||||
|
# From now on we need only the expression until the " LIMIT "
|
||||||
|
# (or equivalent, depending on the back-end DBMS) word
|
||||||
|
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.SQLITE):
|
||||||
|
stopLimit += startLimit
|
||||||
|
_ = expression.index(queries[Backend.getIdentifiedDbms()].limitstring.query)
|
||||||
|
expression = expression[:_]
|
||||||
|
|
||||||
|
elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):
|
||||||
|
stopLimit += startLimit
|
||||||
|
elif dump:
|
||||||
|
if conf.limitStart:
|
||||||
|
startLimit = conf.limitStart - 1
|
||||||
|
if conf.limitStop:
|
||||||
|
stopLimit = conf.limitStop
|
||||||
|
|
||||||
|
return expression, limitCond, topLimit, startLimit, stopLimit
|
||||||
|
|
||||||
def limitQuery(self, num, query, field=None, uniqueField=None):
|
def limitQuery(self, num, query, field=None, uniqueField=None):
|
||||||
"""
|
"""
|
||||||
Take in input a query string and return its limited query string.
|
Take in input a query string and return its limited query string.
|
||||||
|
|
|
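Review bot: In the new `limitCondition`, the limit clause is detected with `re.search(..., re.I)` but the cut point is then located with the case-sensitive `expression.index(queries[...].limitstring.query)`, so a lower-cased `limit` clause passes the guard and raises `ValueError` at the `index` call (assuming `limitregexp` and `limitstring` name the same keyword, which is not visible here); use `_ = re.search(re.escape(queries[Backend.getIdentifiedDbms()].limitstring.query), expression, re.I)` and `expression = expression[:_.start()]`. The pattern `"TOP\s+([\d]+)\s+"` should be a raw string, since `\s` and `\d` are not valid Python string escapes. The method also lacks a docstring; a one-paragraph one should state that it returns the 5-tuple `(expression, limitCond, topLimit, startLimit, stopLimit)`, that `expression` comes back truncated before the LIMIT keyword for MySQL/PostgreSQL/SQLite, and that `topLimit` is a match object rather than an int. Note this logic was lifted from the three call sites, so the `index` issue is carried over rather than introduced.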
@ -661,6 +661,9 @@ def filePathToString(filePath):
|
||||||
|
|
||||||
return strRepl
|
return strRepl
|
||||||
|
|
||||||
|
def singleTimeDebugMessage(message):
|
||||||
|
singleTimeLogMessage(message, logging.DEBUG)
|
||||||
|
|
||||||
def singleTimeWarnMessage(message):
|
def singleTimeWarnMessage(message):
|
||||||
singleTimeLogMessage(message, logging.WARN)
|
singleTimeLogMessage(message, logging.WARN)
|
||||||
|
|
||||||
|
|
|
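Review bot: The new `singleTimeDebugMessage` has no docstring while it becomes a public helper imported elsewhere in this commit; add `"""Log *message* once at DEBUG level (deduplicated by singleTimeLogMessage)."""`. The sibling `singleTimeWarnMessage` visible below would benefit from the same one-liner so the pair reads consistently.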
@ -129,7 +129,7 @@ def liveTest():
|
||||||
if case.hasAttribute("name"):
|
if case.hasAttribute("name"):
|
||||||
name = case.getAttribute("name")
|
name = case.getAttribute("name")
|
||||||
|
|
||||||
if conf.runCase and ((conf.runCase.isdigit() and conf.runCase != count) or not re.search(conf.runCase, name, re.DOTALL)):
|
if conf.runCase and ((conf.runCase.isdigit() and conf.runCase != count) or not re.search(conf.runCase, name, re.DOTALL | re.I)):
|
||||||
continue
|
continue
|
||||||
|
|
||||||
if case.getElementsByTagName("switches"):
|
if case.getElementsByTagName("switches"):
|
||||||
|
@ -206,7 +206,7 @@ def runCase(switches=None, parse=None):
|
||||||
retVal = False
|
retVal = False
|
||||||
|
|
||||||
if parse and retVal:
|
if parse and retVal:
|
||||||
ifile = open(conf.dumper.getOutputFile(), 'r')
|
ifile = open(conf.dumper.getOutputFile(), "rb")
|
||||||
content = ifile.read()
|
content = ifile.read()
|
||||||
ifile.close()
|
ifile.close()
|
||||||
for item in parse:
|
for item in parse:
|
||||||
|
|
|
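Review bot: In `runCase`, the changed `ifile = open(conf.dumper.getOutputFile(), "rb")` is still followed by a manual `read()`/`close()` pair, so an exception in `read()` leaks the handle; prefer `with open(conf.dumper.getOutputFile(), "rb") as ifile:` then `content = ifile.read()` and drop the explicit close. Opening in binary mode also means `content` is bytes, so the `parse` items matched against it in the loop below must be byte-compatible on Python 3 (the matching code continues outside the hunk). The `re.DOTALL | re.I` change in `liveTest` looks fine.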
@ -139,8 +139,6 @@ def _goInferenceProxy(expression, fromUser=False, batch=False, unpack=True, char
|
||||||
startLimit = 0
|
startLimit = 0
|
||||||
stopLimit = None
|
stopLimit = None
|
||||||
outputs = BigArray()
|
outputs = BigArray()
|
||||||
untilLimitChar = None
|
|
||||||
untilOrderChar = None
|
|
||||||
|
|
||||||
if not unpack:
|
if not unpack:
|
||||||
return _goInference(payload, expression, charsetType, firstChar, lastChar, dump)
|
return _goInference(payload, expression, charsetType, firstChar, lastChar, dump)
|
||||||
|
@ -160,69 +158,18 @@ def _goInferenceProxy(expression, fromUser=False, batch=False, unpack=True, char
|
||||||
|
|
||||||
# If we have been here from SQL query/shell we have to check if
|
# If we have been here from SQL query/shell we have to check if
|
||||||
# the SQL query might return multiple entries and in such case
|
# the SQL query might return multiple entries and in such case
|
||||||
# forge the SQL limiting the query output one entry per time
|
# forge the SQL limiting the query output one entry at a time
|
||||||
# NOTE: I assume that only queries that get data from a table
|
# NOTE: we assume that only queries that get data from a table
|
||||||
# can return multiple entries
|
# can return multiple entries
|
||||||
if fromUser and " FROM " in expression.upper() and ((Backend.getIdentifiedDbms() \
|
if fromUser and " FROM " in expression.upper() and ((Backend.getIdentifiedDbms() \
|
||||||
not in FROM_DUMMY_TABLE) or (Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE and not \
|
not in FROM_DUMMY_TABLE) or (Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE and not \
|
||||||
expression.upper().endswith(FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]))) \
|
expression.upper().endswith(FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]))) \
|
||||||
and not re.search(SQL_SCALAR_REGEX, expression, re.I):
|
and not re.search(SQL_SCALAR_REGEX, expression, re.I):
|
||||||
|
expression, limitCond, topLimit, startLimit, stopLimit = agent.limitCondition(expression)
|
||||||
|
|
||||||
limitCond = True
|
|
||||||
limitRegExp = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query, expression, re.I)
|
|
||||||
limitRegExp2 = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query2, expression, re.I)
|
|
||||||
topLimit = re.search("TOP\s+([\d]+)\s+", expression, re.I)
|
|
||||||
|
|
||||||
if (limitRegExp or limitRegExp2) or (Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE) and topLimit):
|
|
||||||
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.SQLITE):
|
|
||||||
limitGroupStart = queries[Backend.getIdentifiedDbms()].limitgroupstart.query
|
|
||||||
limitGroupStop = queries[Backend.getIdentifiedDbms()].limitgroupstop.query
|
|
||||||
|
|
||||||
if limitGroupStart.isdigit():
|
|
||||||
if limitRegExp2:
|
|
||||||
startLimit = 0
|
|
||||||
stopLimit = limitRegExp2.group(int(limitGroupStart))
|
|
||||||
else:
|
|
||||||
startLimit = int(limitRegExp.group(int(limitGroupStart)))
|
|
||||||
stopLimit = limitRegExp.group(int(limitGroupStop))
|
|
||||||
limitCond = int(stopLimit) > 1
|
|
||||||
|
|
||||||
elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):
|
|
||||||
if limitRegExp:
|
|
||||||
limitGroupStart = queries[Backend.getIdentifiedDbms()].limitgroupstart.query
|
|
||||||
limitGroupStop = queries[Backend.getIdentifiedDbms()].limitgroupstop.query
|
|
||||||
|
|
||||||
if limitGroupStart.isdigit():
|
|
||||||
startLimit = int(limitRegExp.group(int(limitGroupStart)))
|
|
||||||
|
|
||||||
stopLimit = limitRegExp.group(int(limitGroupStop))
|
|
||||||
limitCond = int(stopLimit) > 1
|
|
||||||
elif topLimit:
|
|
||||||
startLimit = 0
|
|
||||||
stopLimit = int(topLimit.group(1))
|
|
||||||
limitCond = int(stopLimit) > 1
|
|
||||||
|
|
||||||
elif Backend.isDbms(DBMS.ORACLE):
|
|
||||||
limitCond = False
|
|
||||||
|
|
||||||
# We assume that only queries NOT containing a "LIMIT #, 1"
|
|
||||||
# (or equivalent depending on the back-end DBMS) can return
|
|
||||||
# multiple entries
|
|
||||||
if limitCond:
|
if limitCond:
|
||||||
if (limitRegExp or limitRegExp2) and stopLimit is not None:
|
|
||||||
stopLimit = int(stopLimit)
|
|
||||||
|
|
||||||
# From now on we need only the expression until the " LIMIT "
|
|
||||||
# (or equivalent, depending on the back-end DBMS) word
|
|
||||||
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.SQLITE):
|
|
||||||
stopLimit += startLimit
|
|
||||||
untilLimitChar = expression.index(queries[Backend.getIdentifiedDbms()].limitstring.query)
|
|
||||||
expression = expression[:untilLimitChar]
|
|
||||||
|
|
||||||
elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):
|
|
||||||
stopLimit += startLimit
|
|
||||||
|
|
||||||
test = True
|
test = True
|
||||||
|
|
||||||
if not stopLimit or stopLimit <= 1:
|
if not stopLimit or stopLimit <= 1:
|
||||||
if Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE and expression.upper().endswith(FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]):
|
if Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE and expression.upper().endswith(FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]):
|
||||||
test = False
|
test = False
|
||||||
|
@ -232,9 +179,9 @@ def _goInferenceProxy(expression, fromUser=False, batch=False, unpack=True, char
|
||||||
countFirstField = queries[Backend.getIdentifiedDbms()].count.query % expressionFieldsList[0]
|
countFirstField = queries[Backend.getIdentifiedDbms()].count.query % expressionFieldsList[0]
|
||||||
countedExpression = expression.replace(expressionFields, countFirstField, 1)
|
countedExpression = expression.replace(expressionFields, countFirstField, 1)
|
||||||
|
|
||||||
if re.search(" ORDER BY ", expression, re.I):
|
if " ORDER BY " in expression.upper():
|
||||||
untilOrderChar = countedExpression.index(" ORDER BY ")
|
_ = countedExpression.upper().rindex(" ORDER BY ")
|
||||||
countedExpression = countedExpression[:untilOrderChar]
|
countedExpression = countedExpression[:_]
|
||||||
|
|
||||||
if not stopLimit:
|
if not stopLimit:
|
||||||
count = _goInference(payload, countedExpression, charsetType=CHARSET_TYPE.DIGITS, firstChar=firstChar, lastChar=lastChar)
|
count = _goInference(payload, countedExpression, charsetType=CHARSET_TYPE.DIGITS, firstChar=firstChar, lastChar=lastChar)
|
||||||
|
|
|
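Review bot: In the last hunk of `_goInferenceProxy`, the guard `if " ORDER BY " in expression.upper():` tests `expression` while the following `rindex` runs on `countedExpression`, which is `expression` with the first occurrence of `expressionFields` replaced; if the replaced span contained the ORDER BY text (e.g. a subquery in the select list), `rindex` raises `ValueError`. Guard on the same string: `if " ORDER BY " in countedExpression.upper():`. Reusing `_` as a meaningful index on the next two lines is also a style nit, since `_` conventionally signals a discarded value; `order_idx` would read better. The function body continues outside the hunks shown.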
@ -238,14 +238,13 @@ def errorUse(expression, dump=False):
|
||||||
stopLimit = None
|
stopLimit = None
|
||||||
output = None
|
output = None
|
||||||
outputs = None
|
outputs = None
|
||||||
untilLimitChar = None
|
|
||||||
|
|
||||||
_, _, _, _, _, expressionFieldsList, expressionFields, _ = agent.getFields(expression)
|
_, _, _, _, _, expressionFieldsList, expressionFields, _ = agent.getFields(expression)
|
||||||
|
|
||||||
# We have to check if the SQL query might return multiple entries
|
# We have to check if the SQL query might return multiple entries
|
||||||
# and in such case forge the SQL limiting the query output one
|
# and in such case forge the SQL limiting the query output one
|
||||||
# entry per time
|
# entry at a time
|
||||||
# NOTE: I assume that only queries that get data from a table can
|
# NOTE: we assume that only queries that get data from a table can
|
||||||
# return multiple entries
|
# return multiple entries
|
||||||
if (dump and (conf.limitStart or conf.limitStop)) or (" FROM " in \
|
if (dump and (conf.limitStart or conf.limitStop)) or (" FROM " in \
|
||||||
expression.upper() and ((Backend.getIdentifiedDbms() not in FROM_DUMMY_TABLE) \
|
expression.upper() and ((Backend.getIdentifiedDbms() not in FROM_DUMMY_TABLE) \
|
||||||
|
@ -253,70 +252,13 @@ def errorUse(expression, dump=False):
|
||||||
expression.upper().endswith(FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]))) \
|
expression.upper().endswith(FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]))) \
|
||||||
and ("(CASE" not in expression.upper() or ("(CASE" in expression.upper() and "WHEN use" in expression))) \
|
and ("(CASE" not in expression.upper() or ("(CASE" in expression.upper() and "WHEN use" in expression))) \
|
||||||
and not re.search(SQL_SCALAR_REGEX, expression, re.I):
|
and not re.search(SQL_SCALAR_REGEX, expression, re.I):
|
||||||
|
expression, limitCond, topLimit, startLimit, stopLimit = agent.limitCondition(expression, dump)
|
||||||
|
|
||||||
limitCond = True
|
|
||||||
limitRegExp = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query, expression, re.I)
|
|
||||||
limitRegExp2 = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query2, expression, re.I)
|
|
||||||
topLimit = re.search("TOP\s+([\d]+)\s+", expression, re.I)
|
|
||||||
|
|
||||||
if (limitRegExp or limitRegExp2) or (Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE) and topLimit):
|
|
||||||
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.SQLITE):
|
|
||||||
limitGroupStart = queries[Backend.getIdentifiedDbms()].limitgroupstart.query
|
|
||||||
limitGroupStop = queries[Backend.getIdentifiedDbms()].limitgroupstop.query
|
|
||||||
|
|
||||||
if limitGroupStart.isdigit():
|
|
||||||
if limitRegExp2:
|
|
||||||
startLimit = 0
|
|
||||||
stopLimit = limitRegExp2.group(int(limitGroupStart))
|
|
||||||
else:
|
|
||||||
startLimit = int(limitRegExp.group(int(limitGroupStart)))
|
|
||||||
stopLimit = limitRegExp.group(int(limitGroupStop))
|
|
||||||
limitCond = int(stopLimit) > 1
|
|
||||||
|
|
||||||
elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):
|
|
||||||
if limitRegExp:
|
|
||||||
limitGroupStart = queries[Backend.getIdentifiedDbms()].limitgroupstart.query
|
|
||||||
limitGroupStop = queries[Backend.getIdentifiedDbms()].limitgroupstop.query
|
|
||||||
|
|
||||||
if limitGroupStart.isdigit():
|
|
||||||
startLimit = int(limitRegExp.group(int(limitGroupStart)))
|
|
||||||
|
|
||||||
stopLimit = limitRegExp.group(int(limitGroupStop))
|
|
||||||
limitCond = int(stopLimit) > 1
|
|
||||||
elif topLimit:
|
|
||||||
startLimit = 0
|
|
||||||
stopLimit = int(topLimit.group(1))
|
|
||||||
limitCond = int(stopLimit) > 1
|
|
||||||
|
|
||||||
elif Backend.isDbms(DBMS.ORACLE):
|
|
||||||
limitCond = False
|
|
||||||
|
|
||||||
# I assume that only queries NOT containing a "LIMIT #, 1"
|
|
||||||
# (or equivalent depending on the back-end DBMS) can return
|
|
||||||
# multiple entries
|
|
||||||
if limitCond:
|
if limitCond:
|
||||||
if (limitRegExp or limitRegExp2) and stopLimit is not None:
|
|
||||||
stopLimit = int(stopLimit)
|
|
||||||
|
|
||||||
# From now on we need only the expression until the " LIMIT "
|
|
||||||
# (or equivalent, depending on the back-end DBMS) word
|
|
||||||
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.SQLITE):
|
|
||||||
stopLimit += startLimit
|
|
||||||
untilLimitChar = expression.index(queries[Backend.getIdentifiedDbms()].limitstring.query)
|
|
||||||
expression = expression[:untilLimitChar]
|
|
||||||
|
|
||||||
elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):
|
|
||||||
stopLimit += startLimit
|
|
||||||
elif dump:
|
|
||||||
if conf.limitStart:
|
|
||||||
startLimit = conf.limitStart - 1
|
|
||||||
if conf.limitStop:
|
|
||||||
stopLimit = conf.limitStop
|
|
||||||
|
|
||||||
# Count the number of SQL query entries output
|
# Count the number of SQL query entries output
|
||||||
countedExpression = expression.replace(expressionFields, queries[Backend.getIdentifiedDbms()].count.query % ('*' if len(expressionFieldsList) > 1 else expressionFields), 1)
|
countedExpression = expression.replace(expressionFields, queries[Backend.getIdentifiedDbms()].count.query % ('*' if len(expressionFieldsList) > 1 else expressionFields), 1)
|
||||||
|
|
||||||
if " ORDER BY " in expression:
|
if " ORDER BY " in expression.upper():
|
||||||
_ = countedExpression.upper().rindex(" ORDER BY ")
|
_ = countedExpression.upper().rindex(" ORDER BY ")
|
||||||
countedExpression = countedExpression[:_]
|
countedExpression = countedExpression[:_]
|
||||||
|
|
||||||
|
|
|
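Review bot: The changed guard `if " ORDER BY " in expression.upper():` in `errorUse` still precedes a `countedExpression.upper().rindex(" ORDER BY ")`, so the membership test and the search run on different strings and `rindex` can raise `ValueError` when the ORDER BY text was inside the replaced `expressionFields` span; write `if " ORDER BY " in countedExpression.upper():` instead. The condition above the new `agent.limitCondition(expression, dump)` call relies on the undocumented magic string `"WHEN use"`; a short comment such as `# skip CASE expressions except the user-enumeration one built around "WHEN use"` would help the next reader. The enclosing function continues outside the hunk.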
@ -29,6 +29,7 @@ from lib.core.common import isNumPosStrValue
|
||||||
from lib.core.common import listToStrValue
|
from lib.core.common import listToStrValue
|
||||||
from lib.core.common import parseUnionPage
|
from lib.core.common import parseUnionPage
|
||||||
from lib.core.common import removeReflectiveValues
|
from lib.core.common import removeReflectiveValues
|
||||||
|
from lib.core.common import singleTimeDebugMessage
|
||||||
from lib.core.common import singleTimeWarnMessage
|
from lib.core.common import singleTimeWarnMessage
|
||||||
from lib.core.common import wasLastRequestDBMSError
|
from lib.core.common import wasLastRequestDBMSError
|
||||||
from lib.core.convert import htmlunescape
|
from lib.core.convert import htmlunescape
|
||||||
|
@ -159,14 +160,17 @@ def unionUse(expression, unpack=True, dump=False):
|
||||||
|
|
||||||
_, _, _, _, _, expressionFieldsList, expressionFields, _ = agent.getFields(origExpr)
|
_, _, _, _, _, expressionFieldsList, expressionFields, _ = agent.getFields(origExpr)
|
||||||
|
|
||||||
if expressionFieldsList and len(expressionFieldsList) > 1 and " ORDER BY " in expression.upper():
|
if expressionFieldsList and len(expressionFieldsList) > 1 and "ORDER BY" in expression.upper():
|
||||||
# No need for it in multicolumn dumps (one row is retrieved per request) and just slowing down on large table dumps
|
# Removed ORDER BY clause because UNION does not play well with it
|
||||||
expression = expression[:expression.upper().rindex(" ORDER BY ")]
|
expression = re.sub("\s*ORDER BY\s+[\w,]+", "", expression, re.I)
|
||||||
|
debugMsg = "stripping ORDER BY clause from statement because "
|
||||||
|
debugMsg += "it does not play well with UNION query SQL injection"
|
||||||
|
singleTimeDebugMessage(debugMsg)
|
||||||
|
|
||||||
# We have to check if the SQL query might return multiple entries
|
# We have to check if the SQL query might return multiple entries
|
||||||
# and in such case forge the SQL limiting the query output one
|
# if the technique is partial UNION query and in such case forge the
|
||||||
# entry per time
|
# SQL limiting the query output one entry at a time
|
||||||
# NOTE: I assume that only queries that get data from a table can
|
# NOTE: we assume that only queries that get data from a table can
|
||||||
# return multiple entries
|
# return multiple entries
|
||||||
if (kb.injection.data[PAYLOAD.TECHNIQUE.UNION].where == PAYLOAD.WHERE.NEGATIVE or \
|
if (kb.injection.data[PAYLOAD.TECHNIQUE.UNION].where == PAYLOAD.WHERE.NEGATIVE or \
|
||||||
(dump and (conf.limitStart or conf.limitStop))) and \
|
(dump and (conf.limitStart or conf.limitStop))) and \
|
||||||
|
@ -174,66 +178,9 @@ def unionUse(expression, unpack=True, dump=False):
|
||||||
not in FROM_DUMMY_TABLE) or (Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE \
|
not in FROM_DUMMY_TABLE) or (Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE \
|
||||||
and not expression.upper().endswith(FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]))) \
|
and not expression.upper().endswith(FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]))) \
|
||||||
and not re.search(SQL_SCALAR_REGEX, expression, re.I):
|
and not re.search(SQL_SCALAR_REGEX, expression, re.I):
|
||||||
|
expression, limitCond, topLimit, startLimit, stopLimit = agent.limitCondition(expression, dump)
|
||||||
|
|
||||||
limitCond = True
|
|
||||||
limitRegExp = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query, expression, re.I)
|
|
||||||
limitRegExp2 = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query2, expression, re.I)
|
|
||||||
topLimit = re.search("TOP\s+([\d]+)\s+", expression, re.I)
|
|
||||||
|
|
||||||
if (limitRegExp or limitRegExp2) or (Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE) and topLimit):
|
|
||||||
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.SQLITE):
|
|
||||||
limitGroupStart = queries[Backend.getIdentifiedDbms()].limitgroupstart.query
|
|
||||||
limitGroupStop = queries[Backend.getIdentifiedDbms()].limitgroupstop.query
|
|
||||||
|
|
||||||
if limitGroupStart.isdigit():
|
|
||||||
if limitRegExp2:
|
|
||||||
startLimit = 0
|
|
||||||
stopLimit = limitRegExp2.group(int(limitGroupStart))
|
|
||||||
else:
|
|
||||||
startLimit = int(limitRegExp.group(int(limitGroupStart)))
|
|
||||||
stopLimit = limitRegExp.group(int(limitGroupStop))
|
|
||||||
limitCond = int(stopLimit) > 1
|
|
||||||
|
|
||||||
elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):
|
|
||||||
if limitRegExp:
|
|
||||||
limitGroupStart = queries[Backend.getIdentifiedDbms()].limitgroupstart.query
|
|
||||||
limitGroupStop = queries[Backend.getIdentifiedDbms()].limitgroupstop.query
|
|
||||||
|
|
||||||
if limitGroupStart.isdigit():
|
|
||||||
startLimit = int(limitRegExp.group(int(limitGroupStart)))
|
|
||||||
|
|
||||||
stopLimit = limitRegExp.group(int(limitGroupStop))
|
|
||||||
limitCond = int(stopLimit) > 1
|
|
||||||
elif topLimit:
|
|
||||||
startLimit = 0
|
|
||||||
stopLimit = int(topLimit.group(1))
|
|
||||||
limitCond = int(stopLimit) > 1
|
|
||||||
|
|
||||||
elif Backend.isDbms(DBMS.ORACLE):
|
|
||||||
limitCond = False
|
|
||||||
|
|
||||||
# I assume that only queries NOT containing a "LIMIT #, 1"
|
|
||||||
# (or equivalent depending on the back-end DBMS) can return
|
|
||||||
# multiple entries
|
|
||||||
if limitCond:
|
if limitCond:
|
||||||
if (limitRegExp or limitRegExp2) and stopLimit is not None:
|
|
||||||
stopLimit = int(stopLimit)
|
|
||||||
|
|
||||||
# From now on we need only the expression until the " LIMIT "
|
|
||||||
# (or equivalent, depending on the back-end DBMS) word
|
|
||||||
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.SQLITE):
|
|
||||||
stopLimit += startLimit
|
|
||||||
untilLimitChar = expression.index(queries[Backend.getIdentifiedDbms()].limitstring.query)
|
|
||||||
expression = expression[:untilLimitChar]
|
|
||||||
|
|
||||||
elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):
|
|
||||||
stopLimit += startLimit
|
|
||||||
elif dump:
|
|
||||||
if conf.limitStart:
|
|
||||||
startLimit = conf.limitStart - 1
|
|
||||||
if conf.limitStop:
|
|
||||||
stopLimit = conf.limitStop
|
|
||||||
|
|
||||||
# Count the number of SQL query entries output
|
# Count the number of SQL query entries output
|
||||||
countedExpression = expression.replace(expressionFields, queries[Backend.getIdentifiedDbms()].count.query % ('*' if len(expressionFieldsList) > 1 else expressionFields), 1)
|
countedExpression = expression.replace(expressionFields, queries[Backend.getIdentifiedDbms()].count.query % ('*' if len(expressionFieldsList) > 1 else expressionFields), 1)
|
||||||
|
|
||||||
|
@ -362,7 +309,6 @@ def unionUse(expression, unpack=True, dump=False):
|
||||||
kb.suppressResumeInfo = False
|
kb.suppressResumeInfo = False
|
||||||
|
|
||||||
if not value and not abortedFlag:
|
if not value and not abortedFlag:
|
||||||
expression = re.sub("\s*ORDER BY\s+[\w,]+", "", expression, re.I) # full union doesn't play well with ORDER BY
|
|
||||||
value = _oneShotUnionUse(expression, unpack)
|
value = _oneShotUnionUse(expression, unpack)
|
||||||
|
|
||||||
duration = calculateDeltaSeconds(start)
|
duration = calculateDeltaSeconds(start)
|
||||||
|
|
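Review bot: In `unionUse`, the new `re.sub("\s*ORDER BY\s+[\w,]+", "", expression, re.I)` passes `re.I` as the positional `count` argument, not as `flags`, so the substitution is case-sensitive and capped at two replacements even though the guard uses `expression.upper()`; use the inline flag `re.sub(r"(?i)\s*ORDER BY\s+[\w,]+", "", expression)` (or `flags=re.I` where the supported Python version allows it). The pattern `[\w,]+` also does not consume a trailing `ASC`/`DESC` or quoted column names, leaving e.g. ` DESC` dangling in the statement; consider `r"(?i)\s*ORDER BY\s+[\w,`\"]+(\s+(ASC|DESC))?"`. The same call was present on the removed line in the last hunk, so the bug is carried over rather than new. The debug message via `singleTimeDebugMessage` is a good addition.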
145
thirdparty/magic/magic.py
|
@ -106,99 +106,100 @@ def from_buffer(buffer, mime=False):
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
try:
|
||||||
|
libmagic = None
|
||||||
|
# Let's try to find magic or magic1
|
||||||
|
dll = ctypes.util.find_library('magic') or ctypes.util.find_library('magic1')
|
||||||
|
|
||||||
libmagic = None
|
# This is necessary because find_library returns None if it doesn't find the library
|
||||||
# Let's try to find magic or magic1
|
if dll:
|
||||||
dll = ctypes.util.find_library('magic') or ctypes.util.find_library('magic1')
|
libmagic = ctypes.CDLL(dll)
|
||||||
|
|
||||||
# This is necessary because find_library returns None if it doesn't find the library
|
if not libmagic or not libmagic._name:
|
||||||
if dll:
|
import sys
|
||||||
libmagic = ctypes.CDLL(dll)
|
platform_to_lib = {'darwin': ['/opt/local/lib/libmagic.dylib',
|
||||||
|
'/usr/local/lib/libmagic.dylib',
|
||||||
|
'/usr/local/Cellar/libmagic/5.10/lib/libmagic.dylib'],
|
||||||
|
'win32': ['magic1.dll']}
|
||||||
|
for dll in platform_to_lib.get(sys.platform, []):
|
||||||
|
try:
|
||||||
|
libmagic = ctypes.CDLL(dll)
|
||||||
|
except OSError:
|
||||||
|
pass
|
||||||
|
|
||||||
if not libmagic or not libmagic._name:
|
if not libmagic or not libmagic._name:
|
||||||
import sys
|
# It is better to raise an ImportError since we are importing magic module
|
||||||
platform_to_lib = {'darwin': ['/opt/local/lib/libmagic.dylib',
|
raise ImportError('failed to find libmagic. Check your installation')
|
||||||
'/usr/local/lib/libmagic.dylib',
|
|
||||||
'/usr/local/Cellar/libmagic/5.10/lib/libmagic.dylib'],
|
|
||||||
'win32': ['magic1.dll']}
|
|
||||||
for dll in platform_to_lib.get(sys.platform, []):
|
|
||||||
try:
|
|
||||||
libmagic = ctypes.CDLL(dll)
|
|
||||||
except OSError:
|
|
||||||
pass
|
|
||||||
|
|
||||||
if not libmagic or not libmagic._name:
|
magic_t = ctypes.c_void_p
|
||||||
# It is better to raise an ImportError since we are importing magic module
|
|
||||||
raise ImportError('failed to find libmagic. Check your installation')
|
|
||||||
|
|
||||||
magic_t = ctypes.c_void_p
|
def errorcheck(result, func, args):
|
||||||
|
err = magic_error(args[0])
|
||||||
|
if err is not None:
|
||||||
|
raise MagicException(err)
|
||||||
|
else:
|
||||||
|
return result
|
||||||
|
|
||||||
def errorcheck(result, func, args):
|
def coerce_filename(filename):
|
||||||
err = magic_error(args[0])
|
if filename is None:
|
||||||
if err is not None:
|
return None
|
||||||
raise MagicException(err)
|
return filename.encode(sys.getfilesystemencoding())
|
||||||
else:
|
|
||||||
return result
|
|
||||||
|
|
||||||
def coerce_filename(filename):
|
magic_open = libmagic.magic_open
|
||||||
if filename is None:
|
magic_open.restype = magic_t
|
||||||
return None
|
magic_open.argtypes = [c_int]
|
||||||
return filename.encode(sys.getfilesystemencoding())
|
|
||||||
|
|
||||||
magic_open = libmagic.magic_open
|
magic_close = libmagic.magic_close
|
||||||
magic_open.restype = magic_t
|
magic_close.restype = None
|
||||||
magic_open.argtypes = [c_int]
|
magic_close.argtypes = [magic_t]
|
||||||
|
|
||||||
magic_close = libmagic.magic_close
|
magic_error = libmagic.magic_error
|
||||||
magic_close.restype = None
|
magic_error.restype = c_char_p
|
||||||
magic_close.argtypes = [magic_t]
|
magic_error.argtypes = [magic_t]
|
||||||
|
|
||||||
magic_error = libmagic.magic_error
|
magic_errno = libmagic.magic_errno
|
||||||
magic_error.restype = c_char_p
|
magic_errno.restype = c_int
|
||||||
magic_error.argtypes = [magic_t]
|
magic_errno.argtypes = [magic_t]
|
||||||
|
|
||||||
magic_errno = libmagic.magic_errno
|
_magic_file = libmagic.magic_file
|
||||||
magic_errno.restype = c_int
|
_magic_file.restype = c_char_p
|
||||||
magic_errno.argtypes = [magic_t]
|
_magic_file.argtypes = [magic_t, c_char_p]
|
||||||
|
_magic_file.errcheck = errorcheck
|
||||||
|
|
||||||
_magic_file = libmagic.magic_file
|
def magic_file(cookie, filename):
|
||||||
_magic_file.restype = c_char_p
|
return _magic_file(cookie, coerce_filename(filename))
|
||||||
_magic_file.argtypes = [magic_t, c_char_p]
|
|
||||||
_magic_file.errcheck = errorcheck
|
|
||||||
|
|
||||||
def magic_file(cookie, filename):
|
_magic_buffer = libmagic.magic_buffer
|
||||||
return _magic_file(cookie, coerce_filename(filename))
|
_magic_buffer.restype = c_char_p
|
||||||
|
_magic_buffer.argtypes = [magic_t, c_void_p, c_size_t]
|
||||||
_magic_buffer = libmagic.magic_buffer
|
_magic_buffer.errcheck = errorcheck
|
||||||
_magic_buffer.restype = c_char_p
|
|
||||||
_magic_buffer.argtypes = [magic_t, c_void_p, c_size_t]
|
|
||||||
_magic_buffer.errcheck = errorcheck
|
|
||||||
|
|
||||||
|
|
||||||
def magic_buffer(cookie, buf):
|
def magic_buffer(cookie, buf):
|
||||||
return _magic_buffer(cookie, buf, len(buf))
|
return _magic_buffer(cookie, buf, len(buf))
|
||||||
|
|
||||||
|
|
||||||
_magic_load = libmagic.magic_load
|
_magic_load = libmagic.magic_load
|
||||||
_magic_load.restype = c_int
|
_magic_load.restype = c_int
|
||||||
_magic_load.argtypes = [magic_t, c_char_p]
|
_magic_load.argtypes = [magic_t, c_char_p]
|
||||||
_magic_load.errcheck = errorcheck
|
_magic_load.errcheck = errorcheck
|
||||||
|
|
||||||
def magic_load(cookie, filename):
|
def magic_load(cookie, filename):
|
||||||
return _magic_load(cookie, coerce_filename(filename))
|
return _magic_load(cookie, coerce_filename(filename))
|
||||||
|
|
||||||
magic_setflags = libmagic.magic_setflags
|
magic_setflags = libmagic.magic_setflags
|
||||||
magic_setflags.restype = c_int
|
magic_setflags.restype = c_int
|
||||||
magic_setflags.argtypes = [magic_t, c_int]
|
magic_setflags.argtypes = [magic_t, c_int]
|
||||||
|
|
||||||
magic_check = libmagic.magic_check
|
magic_check = libmagic.magic_check
|
||||||
magic_check.restype = c_int
|
magic_check.restype = c_int
|
||||||
magic_check.argtypes = [magic_t, c_char_p]
|
magic_check.argtypes = [magic_t, c_char_p]
|
||||||
|
|
||||||
magic_compile = libmagic.magic_compile
|
|
||||||
magic_compile.restype = c_int
|
|
||||||
magic_compile.argtypes = [magic_t, c_char_p]
|
|
||||||
|
|
||||||
|
magic_compile = libmagic.magic_compile
|
||||||
|
magic_compile.restype = c_int
|
||||||
|
magic_compile.argtypes = [magic_t, c_char_p]
|
||||||
|
except ImportError:
|
||||||
|
pass
|
||||||
|
|
||||||
|
|
||||||
MAGIC_NONE = 0x000000 # No flags
|
MAGIC_NONE = 0x000000 # No flags
|
||||||
|
|
|
@ -44,7 +44,7 @@
|
||||||
<item value="r'database management system users privileges:.+debian-sys-maint.+\(administrator\).+root.+\(administrator\).+privilege: SUPER'"/>
|
<item value="r'database management system users privileges:.+debian-sys-maint.+\(administrator\).+root.+\(administrator\).+privilege: SUPER'"/>
|
||||||
<item value="r'database management system users roles:.+debian-sys-maint.+\[.+root.+\[.+role: SUPER'"/>
|
<item value="r'database management system users roles:.+debian-sys-maint.+\[.+root.+\[.+role: SUPER'"/>
|
||||||
<item value="r'available databases \[.+information_schema.+mysql.+owasp10.+testdb'"/>
|
<item value="r'available databases \[.+information_schema.+mysql.+owasp10.+testdb'"/>
|
||||||
<item value="r'Database: testdb.+1 table.+users'"/>
|
<item value="r'Database: testdb.+3 tables.+users'"/>
|
||||||
<item value="r'Database: testdb.+Table: users.+3 columns.+surname.+varchar\(1000\)'"/>
|
<item value="r'Database: testdb.+Table: users.+3 columns.+surname.+varchar\(1000\)'"/>
|
||||||
<item value="r'Database: testdb.+Table.+Entries.+users.+5'"/>
|
<item value="r'Database: testdb.+Table.+Entries.+users.+5'"/>
|
||||||
<item value="r'Database: testdb.+Table: users.+5 entries.+luther.+nameisnull.+'"/>
|
<item value="r'Database: testdb.+Table: users.+5 entries.+luther.+nameisnull.+'"/>
|
||||||
|
@ -87,7 +87,7 @@
|
||||||
<item value="r'database management system users privileges:.+debian-sys-maint.+\(administrator\).+root.+\(administrator\).+privilege: SUPER'"/>
|
<item value="r'database management system users privileges:.+debian-sys-maint.+\(administrator\).+root.+\(administrator\).+privilege: SUPER'"/>
|
||||||
<item value="r'database management system users roles:.+debian-sys-maint.+\[.+root.+\[.+role: SUPER'"/>
|
<item value="r'database management system users roles:.+debian-sys-maint.+\[.+root.+\[.+role: SUPER'"/>
|
||||||
<item value="r'available databases \[.+information_schema.+mysql.+owasp10.+testdb'"/>
|
<item value="r'available databases \[.+information_schema.+mysql.+owasp10.+testdb'"/>
|
||||||
<item value="r'Database: testdb.+1 table.+users'"/>
|
<item value="r'Database: testdb.+3 tables.+users'"/>
|
||||||
<item value="r'Database: testdb.+Table: users.+3 columns.+surname.+varchar\(1000\)'"/>
|
<item value="r'Database: testdb.+Table: users.+3 columns.+surname.+varchar\(1000\)'"/>
|
||||||
<item value="r'Database: testdb.+Table.+Entries.+users.+5'"/>
|
<item value="r'Database: testdb.+Table.+Entries.+users.+5'"/>
|
||||||
<item value="r'Database: testdb.+Table: users.+5 entries.+luther.+nameisnull.+'"/>
|
<item value="r'Database: testdb.+Table: users.+5 entries.+luther.+nameisnull.+'"/>
|
||||||
|
@ -130,7 +130,7 @@
|
||||||
<item value="r'database management system users privileges:.+debian-sys-maint.+\(administrator\).+root.+\(administrator\).+privilege: SUPER'"/>
|
<item value="r'database management system users privileges:.+debian-sys-maint.+\(administrator\).+root.+\(administrator\).+privilege: SUPER'"/>
|
||||||
<item value="r'database management system users roles:.+debian-sys-maint.+\[.+root.+\[.+role: SUPER'"/>
|
<item value="r'database management system users roles:.+debian-sys-maint.+\[.+root.+\[.+role: SUPER'"/>
|
||||||
<item value="r'available databases \[.+information_schema.+mysql.+owasp10.+testdb'"/>
|
<item value="r'available databases \[.+information_schema.+mysql.+owasp10.+testdb'"/>
|
||||||
<item value="r'Database: testdb.+1 table.+users'"/>
|
<item value="r'Database: testdb.+3 tables.+users'"/>
|
||||||
<item value="r'Database: testdb.+Table: users.+3 columns.+surname.+varchar\(1000\)'"/>
|
<item value="r'Database: testdb.+Table: users.+3 columns.+surname.+varchar\(1000\)'"/>
|
||||||
<item value="r'Database: testdb.+Table.+Entries.+users.+5'"/>
|
<item value="r'Database: testdb.+Table.+Entries.+users.+5'"/>
|
||||||
<item value="r'Database: testdb.+Table: users.+5 entries.+luther.+nameisnull.+'"/>
|
<item value="r'Database: testdb.+Table: users.+5 entries.+luther.+nameisnull.+'"/>
|
||||||
|
@ -173,7 +173,7 @@
|
||||||
<item value="r'database management system users privileges:.+debian-sys-maint.+\(administrator\).+root.+\(administrator\).+privilege: SUPER'"/>
|
<item value="r'database management system users privileges:.+debian-sys-maint.+\(administrator\).+root.+\(administrator\).+privilege: SUPER'"/>
|
||||||
<item value="r'database management system users roles:.+debian-sys-maint.+\[.+root.+\[.+role: SUPER'"/>
|
<item value="r'database management system users roles:.+debian-sys-maint.+\[.+root.+\[.+role: SUPER'"/>
|
||||||
<item value="r'available databases \[.+information_schema.+mysql.+owasp10.+testdb'"/>
|
<item value="r'available databases \[.+information_schema.+mysql.+owasp10.+testdb'"/>
|
||||||
<item value="r'Database: testdb.+1 table.+users'"/>
|
<item value="r'Database: testdb.+3 tables.+users'"/>
|
||||||
<item value="r'Database: testdb.+Table: users.+3 columns.+surname.+varchar\(1000\)'"/>
|
<item value="r'Database: testdb.+Table: users.+3 columns.+surname.+varchar\(1000\)'"/>
|
||||||
<item value="r'Database: testdb.+Table.+Entries.+users.+5'"/>
|
<item value="r'Database: testdb.+Table.+Entries.+users.+5'"/>
|
||||||
<item value="r'Database: testdb.+Table: users.+5 entries.+luther.+nameisnull.+'"/>
|
<item value="r'Database: testdb.+Table: users.+5 entries.+luther.+nameisnull.+'"/>
|
||||||
|
@ -190,18 +190,6 @@
|
||||||
<getCurrentDb value="True"/>
|
<getCurrentDb value="True"/>
|
||||||
<getHostname value="True"/>
|
<getHostname value="True"/>
|
||||||
<isDba value="True"/>
|
<isDba value="True"/>
|
||||||
<getUsers value="True"/>
|
|
||||||
<getPasswordHashes value="True"/>
|
|
||||||
<getPrivileges value="True"/>
|
|
||||||
<getRoles value="True"/>
|
|
||||||
<getDbs value="True"/>
|
|
||||||
<getTables value="True"/>
|
|
||||||
<getColumns value="True"/>
|
|
||||||
<getCount value="True"/>
|
|
||||||
<dumpTable value="True"/>
|
|
||||||
<db value="testdb"/>
|
|
||||||
<tbl value="users"/>
|
|
||||||
<excludeSysDbs value="True"/>
|
|
||||||
</switches>
|
</switches>
|
||||||
<parse>
|
<parse>
|
||||||
<item value="Title: MySQL > 5.0.11 AND time-based blind"/>
|
<item value="Title: MySQL > 5.0.11 AND time-based blind"/>
|
||||||
|
@ -211,15 +199,6 @@
|
||||||
<item value="current database: 'testdb'"/>
|
<item value="current database: 'testdb'"/>
|
||||||
<item value="hostname: 'debian"/>
|
<item value="hostname: 'debian"/>
|
||||||
<item value="current user is DBA: True"/>
|
<item value="current user is DBA: True"/>
|
||||||
<item value="r'database management system users \[.+'debian-sys-maint'@'localhost'.+'root'@''"/>
|
|
||||||
<item value="r'database management system users password hashes:.+root \[.+password hash: \*00E247AC5F9AF26AE0194B41E1E769DEE1429A29.+clear-text password: testpass'"/>
|
|
||||||
<item value="r'database management system users privileges:.+debian-sys-maint.+\(administrator\).+root.+\(administrator\).+privilege: SUPER'"/>
|
|
||||||
<item value="r'database management system users roles:.+debian-sys-maint.+\[.+root.+\[.+role: SUPER'"/>
|
|
||||||
<item value="r'available databases \[.+information_schema.+mysql.+owasp10.+testdb'"/>
|
|
||||||
<item value="r'Database: testdb.+1 table.+users'"/>
|
|
||||||
<item value="r'Database: testdb.+Table: users.+3 columns.+surname.+varchar\(1000\)'"/>
|
|
||||||
<item value="r'Database: testdb.+Table.+Entries.+users.+5'"/>
|
|
||||||
<item value="r'Database: testdb.+Table: users.+5 entries.+luther.+nameisnull.+'"/>
|
|
||||||
</parse>
|
</parse>
|
||||||
</case>
|
</case>
|
||||||
<case name="MySQL inline queries multi-threaded enumeration - all entries">
|
<case name="MySQL inline queries multi-threaded enumeration - all entries">
|
||||||
|
@ -259,7 +238,7 @@
|
||||||
<item value="r'database management system users privileges:.+debian-sys-maint.+\(administrator\).+root.+\(administrator\).+privilege: SUPER'"/>
|
<item value="r'database management system users privileges:.+debian-sys-maint.+\(administrator\).+root.+\(administrator\).+privilege: SUPER'"/>
|
||||||
<item value="r'database management system users roles:.+debian-sys-maint.+\[.+root.+\[.+role: SUPER'"/>
|
<item value="r'database management system users roles:.+debian-sys-maint.+\[.+root.+\[.+role: SUPER'"/>
|
||||||
<item value="r'available databases \[.+information_schema.+mysql.+owasp10.+testdb'"/>
|
<item value="r'available databases \[.+information_schema.+mysql.+owasp10.+testdb'"/>
|
||||||
<item value="r'Database: testdb.+1 table.+users'"/>
|
<item value="r'Database: testdb.+3 tables.+users'"/>
|
||||||
<item value="r'Database: testdb.+Table: users.+3 columns.+surname.+varchar\(1000\)'"/>
|
<item value="r'Database: testdb.+Table: users.+3 columns.+surname.+varchar\(1000\)'"/>
|
||||||
<item value="r'Database: testdb.+Table.+Entries.+users.+5'"/>
|
<item value="r'Database: testdb.+Table.+Entries.+users.+5'"/>
|
||||||
<item value="r'Database: testdb.+Table: users.+5 entries.+luther.+nameisnull.+'"/>
|
<item value="r'Database: testdb.+Table: users.+5 entries.+luther.+nameisnull.+'"/>
|
||||||
|
@ -304,11 +283,14 @@
|
||||||
<item value="r'Database: testdb.+Table: users.+3 entries.+fluffy.+bunny.+wu.+ming'"/>
|
<item value="r'Database: testdb.+Table: users.+3 entries.+fluffy.+bunny.+wu.+ming'"/>
|
||||||
</parse>
|
</parse>
|
||||||
</case>
|
</case>
|
||||||
<!-- TODO: this fails because of issue #304 -->
|
|
||||||
<case name="MySQL boolean-based multi-threaded custom enumeration - substring">
|
<case name="MySQL boolean-based multi-threaded custom enumeration - substring">
|
||||||
<switches>
|
<switches>
|
||||||
<url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/>
|
<url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/>
|
||||||
|
<!-- TODO: this fails because of issue #305 -->
|
||||||
|
<!--
|
||||||
<threads value="4"/>
|
<threads value="4"/>
|
||||||
|
-->
|
||||||
|
<threads value="1"/>
|
||||||
<tech value="B"/>
|
<tech value="B"/>
|
||||||
<dumpTable value="True"/>
|
<dumpTable value="True"/>
|
||||||
<db value="testdb"/>
|
<db value="testdb"/>
|
||||||
|
@ -366,7 +348,7 @@
|
||||||
<tech value="B"/>
|
<tech value="B"/>
|
||||||
<search value="True"/>
|
<search value="True"/>
|
||||||
<db value="testdb"/>
|
<db value="testdb"/>
|
||||||
<tbl value="a,e,i"/>
|
<tbl value="foo,se,bar"/>
|
||||||
</switches>
|
</switches>
|
||||||
<parse>
|
<parse>
|
||||||
<item value="r'Database: testdb.+1 table.+users'"/>
|
<item value="r'Database: testdb.+1 table.+users'"/>
|
||||||
|
@ -380,7 +362,7 @@
|
||||||
<tech value="E"/>
|
<tech value="E"/>
|
||||||
<search value="True"/>
|
<search value="True"/>
|
||||||
<db value="testdb"/>
|
<db value="testdb"/>
|
||||||
<tbl value="a,e,i"/>
|
<tbl value="foo,se,bar"/>
|
||||||
</switches>
|
</switches>
|
||||||
<parse>
|
<parse>
|
||||||
<item value="r'Database: testdb.+1 table.+users'"/>
|
<item value="r'Database: testdb.+1 table.+users'"/>
|
||||||
|
@ -394,7 +376,7 @@
|
||||||
<tech value="U"/>
|
<tech value="U"/>
|
||||||
<search value="True"/>
|
<search value="True"/>
|
||||||
<db value="testdb"/>
|
<db value="testdb"/>
|
||||||
<tbl value="a,e,i"/>
|
<tbl value="foo,se,bar"/>
|
||||||
</switches>
|
</switches>
|
||||||
<parse>
|
<parse>
|
||||||
<item value="r'Database: testdb.+1 table.+users'"/>
|
<item value="r'Database: testdb.+1 table.+users'"/>
|
||||||
|
@ -653,400 +635,39 @@
|
||||||
<item value="r'SELECT \* FROM users LIMIT 0, 2 \[2\].+1, luther, blissett.+2, fluffy, bunny'"/>
|
<item value="r'SELECT \* FROM users LIMIT 0, 2 \[2\].+1, luther, blissett.+2, fluffy, bunny'"/>
|
||||||
</parse>
|
</parse>
|
||||||
</case>
|
</case>
|
||||||
|
<case name="MySQL boolean-based multi-threaded custom ordered SQL query enumeration">
|
||||||
|
<switches>
|
||||||
|
<url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/>
|
||||||
|
<threads value="4"/>
|
||||||
|
<tech value="B"/>
|
||||||
|
<query value="SELECT * FROM users ORDER BY name"/>
|
||||||
|
</switches>
|
||||||
|
<parse>
|
||||||
|
<item value="r'SELECT \* FROM users ORDER BY name \[5\].+2, fluffy, bunny.+1, luther, blissett.+3, wu, ming'"/>
|
||||||
|
</parse>
|
||||||
|
</case>
|
||||||
|
<case name="MySQL error-based multi-threaded custom ordered SQL query enumeration">
|
||||||
|
<switches>
|
||||||
|
<url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/>
|
||||||
|
<threads value="4"/>
|
||||||
|
<tech value="E"/>
|
||||||
|
<query value="SELECT * FROM users ORDER BY name"/>
|
||||||
|
</switches>
|
||||||
|
<parse>
|
||||||
|
<item value="r'SELECT \* FROM users ORDER BY name \[5\].+2, fluffy, bunny.+1, luther, blissett.+3, wu, ming'"/>
|
||||||
|
</parse>
|
||||||
|
</case>
|
||||||
|
<case name="MySQL UNION query multi-threaded custom ordered SQL query enumeration">
|
||||||
|
<switches>
|
||||||
|
<url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/>
|
||||||
|
<threads value="4"/>
|
||||||
|
<tech value="U"/>
|
||||||
|
<query value="SELECT * FROM users ORDER BY name"/>
|
||||||
|
</switches>
|
||||||
|
<parse>
|
||||||
|
<!-- NOTE: it is not sorted on purpose because UNION does not play well with ORDER BY and it is stripped -->
|
||||||
|
<item value="r'SELECT \* FROM users ORDER BY name \[5\].+1, luther, blissett.+2, fluffy, bunny.+3, wu, ming'"/>
|
||||||
|
</parse>
|
||||||
|
</case>
|
||||||
<!-- End of user's provided statement enumeration switches -->
|
<!-- End of user's provided statement enumeration switches -->
|
||||||
|
|
||||||
<!-- Old test cases -->
|
|
||||||
<case name="MySQL (--technique=E --is-dba --banner --current-user --current-db --dbs --tables -D testdb -T users --columns --dump)">
|
|
||||||
<switches>
|
|
||||||
<url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/>
|
|
||||||
<isDba value="True"/>
|
|
||||||
<tech value="E"/>
|
|
||||||
<getBanner value="True"/>
|
|
||||||
<getCurrentUser value="True"/>
|
|
||||||
<getCurrentDb value="True"/>
|
|
||||||
<getDbs value="True"/>
|
|
||||||
<getTables value="True"/>
|
|
||||||
<db value="testdb"/>
|
|
||||||
<tbl value="users"/>
|
|
||||||
<getColumns value="True"/>
|
|
||||||
<dumpTable value="True"/>
|
|
||||||
</switches>
|
|
||||||
<parse>
|
|
||||||
<item value="current user is DBA: True"/>
|
|
||||||
<item value="banner: '5.1.63-0+squeeze2'"/>
|
|
||||||
<item value="current user: 'root@localhost'"/>
|
|
||||||
<item value="current database: 'testdb'"/>
|
|
||||||
<item value="r'information_schema.+mysql.+owasp10.+testdb'"/>
|
|
||||||
<item value="r'1 table.+users'"/>
|
|
||||||
<item value="r'3 columns.+surname.+varchar\(1000\)'"/>
|
|
||||||
<item value="r'5 entries.+nameisnull.+'"/>
|
|
||||||
</parse>
|
|
||||||
</case>
|
|
||||||
<case name="MySQL (--technique=U --is-dba --banner --current-user --current-db --dbs --tables -D testdb -T users --columns --dump)">
|
|
||||||
<switches>
|
|
||||||
<url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/>
|
|
||||||
<isDba value="True"/>
|
|
||||||
<tech value="U"/>
|
|
||||||
<getBanner value="True"/>
|
|
||||||
<getCurrentUser value="True"/>
|
|
||||||
<getCurrentDb value="True"/>
|
|
||||||
<getDbs value="True"/>
|
|
||||||
<getTables value="True"/>
|
|
||||||
<db value="testdb"/>
|
|
||||||
<tbl value="users"/>
|
|
||||||
<getColumns value="True"/>
|
|
||||||
<dumpTable value="True"/>
|
|
||||||
</switches>
|
|
||||||
<parse>
|
|
||||||
<item value="current user is DBA: True"/>
|
|
||||||
<item value="banner: '5.1.63-0+squeeze1'"/>
|
|
||||||
<item value="current user: 'root@localhost'"/>
|
|
||||||
<item value="current database: 'testdb'"/>
|
|
||||||
<item value="r'information_schema.+mysql.+owasp10.+testdb'"/>
|
|
||||||
<item value="r'1 table.+users'"/>
|
|
||||||
<item value="r'3 columns.+surname.+varchar\(1000\)'"/>
|
|
||||||
<item value="r'5 entries.+nameisnull.+'"/>
|
|
||||||
</parse>
|
|
||||||
</case>
|
|
||||||
<case name="MySQL partial union (--technique=U --is-dba --banner --current-user --current-db --dbs --tables -D testdb -T users --columns --dump)">
|
|
||||||
<switches>
|
|
||||||
<url value="http://debiandev/sqlmap/mysql/get_int_partialunion.php?id=1"/>
|
|
||||||
<isDba value="True"/>
|
|
||||||
<tech value="U"/>
|
|
||||||
<getBanner value="True"/>
|
|
||||||
<getCurrentUser value="True"/>
|
|
||||||
<getCurrentDb value="True"/>
|
|
||||||
<getDbs value="True"/>
|
|
||||||
<getTables value="True"/>
|
|
||||||
<db value="testdb"/>
|
|
||||||
<tbl value="users"/>
|
|
||||||
<getColumns value="True"/>
|
|
||||||
<dumpTable value="True"/>
|
|
||||||
</switches>
|
|
||||||
<parse>
|
|
||||||
<item value="current user is DBA: True"/>
|
|
||||||
<item value="banner: '5.1.63-0+squeeze1'"/>
|
|
||||||
<item value="current user: 'root@localhost'"/>
|
|
||||||
<item value="current database: 'testdb'"/>
|
|
||||||
<item value="r'information_schema.+mysql.+owasp10.+testdb'"/>
|
|
||||||
<item value="r'1 table.+users'"/>
|
|
||||||
<item value="r'3 columns.+surname.+varchar\(1000\)'"/>
|
|
||||||
<item value="r'5 entries.+nameisnull.+'"/>
|
|
||||||
</parse>
|
|
||||||
</case>
|
|
||||||
<case name="Postgres (--technique=B --is-dba --banner --current-user --current-db --dbs --tables -D testdb -T users --columns --dump --threads=4)">
|
|
||||||
<switches>
|
|
||||||
<url value="http://debiandev/sqlmap/pgsql/get_int.php?id=1"/>
|
|
||||||
<isDba value="True"/>
|
|
||||||
<tech value="B"/>
|
|
||||||
<getBanner value="True"/>
|
|
||||||
<getCurrentUser value="True"/>
|
|
||||||
<getCurrentDb value="True"/>
|
|
||||||
<getDbs value="True"/>
|
|
||||||
<getTables value="True"/>
|
|
||||||
<db value="testdb"/>
|
|
||||||
<tbl value="users"/>
|
|
||||||
<getColumns value="True"/>
|
|
||||||
<dumpTable value="True"/>
|
|
||||||
<threads value="4"/>
|
|
||||||
</switches>
|
|
||||||
<parse>
|
|
||||||
<item value="current user is DBA: True"/>
|
|
||||||
<item value="PostgreSQL 8.3.9 on i486-pc-linux-gnu, compiled by GCC gcc-4.3.real (Debian 4.3.2-1.1) 4.3.2"/>
|
|
||||||
<item value="current user: 'testuser'"/>
|
|
||||||
<item value="current database: 'testdb'"/>
|
|
||||||
<item value="r'postgres.+template0.+template1.+testdb'"/>
|
|
||||||
<item value="r'1 table.+users'"/>
|
|
||||||
<item value="r'3 columns.+username.+bpchar'"/>
|
|
||||||
<item value="r'4 entries.+nameisnull'"/>
|
|
||||||
</parse>
|
|
||||||
</case>
|
|
||||||
<case name="Postgres (--technique=E --is-dba --banner --current-user --current-db --dbs --tables -D testdb -T users --columns --dump)">
|
|
||||||
<switches>
|
|
||||||
<url value="http://debiandev/sqlmap/pgsql/get_int.php?id=1"/>
|
|
||||||
<isDba value="True"/>
|
|
||||||
<tech value="E"/>
|
|
||||||
<getBanner value="True"/>
|
|
||||||
<getCurrentUser value="True"/>
|
|
||||||
<getCurrentDb value="True"/>
|
|
||||||
<getDbs value="True"/>
|
|
||||||
<getTables value="True"/>
|
|
||||||
<db value="testdb"/>
|
|
||||||
<tbl value="users"/>
|
|
||||||
<getColumns value="True"/>
|
|
||||||
<dumpTable value="True"/>
|
|
||||||
</switches>
|
|
||||||
<parse>
|
|
||||||
<item value="current user is DBA: True"/>
|
|
||||||
<item value="PostgreSQL 8.3.9 on i486-pc-linux-gnu, compiled by GCC gcc-4.3.real (Debian 4.3.2-1.1) 4.3.2"/>
|
|
||||||
<item value="current user: 'testuser'"/>
|
|
||||||
<item value="current database: 'testdb'"/>
|
|
||||||
<item value="r'postgres.+template0.+template1.+testdb'"/>
|
|
||||||
<item value="r'1 table.+users'"/>
|
|
||||||
<item value="r'3 columns.+username.+bpchar'"/>
|
|
||||||
<item value="r'4 entries.+nameisnull'"/>
|
|
||||||
</parse>
|
|
||||||
</case>
|
|
||||||
<case name="Postgres (--technique=U --is-dba --banner --current-user --current-db --dbs --tables -D testdb -T users --columns --dump)">
|
|
||||||
<switches>
|
|
||||||
<url value="http://debiandev/sqlmap/pgsql/get_int.php?id=1"/>
|
|
||||||
<isDba value="True"/>
|
|
||||||
<tech value="U"/>
|
|
||||||
<getBanner value="True"/>
|
|
||||||
<getCurrentUser value="True"/>
|
|
||||||
<getCurrentDb value="True"/>
|
|
||||||
<getDbs value="True"/>
|
|
||||||
<getTables value="True"/>
|
|
||||||
<db value="testdb"/>
|
|
||||||
<tbl value="users"/>
|
|
||||||
<getColumns value="True"/>
|
|
||||||
<dumpTable value="True"/>
|
|
||||||
</switches>
|
|
||||||
<parse>
|
|
||||||
<item value="current user is DBA: True"/>
|
|
||||||
<item value="PostgreSQL 8.3.9 on i486-pc-linux-gnu, compiled by GCC gcc-4.3.real (Debian 4.3.2-1.1) 4.3.2"/>
|
|
||||||
<item value="current user: 'testuser'"/>
|
|
||||||
<item value="current database: 'testdb'"/>
|
|
||||||
<item value="r'postgres.+template0.+template1.+testdb'"/>
|
|
||||||
<item value="r'1 table.+users'"/>
|
|
||||||
<item value="r'3 columns.+username.+bpchar'"/>
|
|
||||||
<item value="r'4 entries.+nameisnull'"/>
|
|
||||||
</parse>
|
|
||||||
</case>
|
|
||||||
<case name="Postgres partial union (--technique=U --is-dba --banner --current-user --current-db --dbs --tables -D testdb -T users --columns --dump)">
|
|
||||||
<switches>
|
|
||||||
<url value="http://debiandev/sqlmap/pgsql/get_int_partialunion.php?id=1"/>
|
|
||||||
<isDba value="True"/>
|
|
||||||
<tech value="U"/>
|
|
||||||
<getBanner value="True"/>
|
|
||||||
<getCurrentUser value="True"/>
|
|
||||||
<getCurrentDb value="True"/>
|
|
||||||
<getDbs value="True"/>
|
|
||||||
<getTables value="True"/>
|
|
||||||
<db value="testdb"/>
|
|
||||||
<tbl value="users"/>
|
|
||||||
<getColumns value="True"/>
|
|
||||||
<dumpTable value="True"/>
|
|
||||||
</switches>
|
|
||||||
<parse>
|
|
||||||
<item value="current user is DBA: True"/>
|
|
||||||
<item value="PostgreSQL 8.3.9 on i486-pc-linux-gnu, compiled by GCC gcc-4.3.real (Debian 4.3.2-1.1) 4.3.2"/>
|
|
||||||
<item value="current user: 'testuser'"/>
|
|
||||||
<item value="current database: 'testdb'"/>
|
|
||||||
<item value="r'postgres.+template0.+template1.+testdb'"/>
|
|
||||||
<item value="r'1 table.+users'"/>
|
|
||||||
<item value="r'3 columns.+username.+bpchar'"/>
|
|
||||||
<item value="r'4 entries.+nameisnull'"/>
|
|
||||||
</parse>
|
|
||||||
</case>
|
|
||||||
<case name="Oracle (--technique=B --is-dba --banner --current-user --current-db --dbs --tables -D SCOTT -T users --columns --dump --threads=4)">
|
|
||||||
<switches>
|
|
||||||
<url value="http://debiandev/sqlmap/oracle/get_int.php?id=1"/>
|
|
||||||
<isDba value="True"/>
|
|
||||||
<tech value="B"/>
|
|
||||||
<getBanner value="True"/>
|
|
||||||
<getCurrentUser value="True"/>
|
|
||||||
<getCurrentDb value="True"/>
|
|
||||||
<getDbs value="True"/>
|
|
||||||
<getTables value="True"/>
|
|
||||||
<db value="SCOTT"/>
|
|
||||||
<tbl value="users"/>
|
|
||||||
<getColumns value="True"/>
|
|
||||||
<dumpTable value="True"/>
|
|
||||||
<threads value="4"/>
|
|
||||||
</switches>
|
|
||||||
<parse>
|
|
||||||
<item value="current user is DBA: True"/>
|
|
||||||
<item value="banner: 'Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod'"/>
|
|
||||||
<item value="current user: 'SYS'"/>
|
|
||||||
<item value="'TESTDB.REGRESS.RDBMS.DEV.US.ORACLE.COM'"/>
|
|
||||||
<item value="r'available databases.+15.+CTXSYS.+DBSNMP.+SCOTT.+SYS.+SYSMAN'"/>
|
|
||||||
<item value="r'5 tables.+BONUS.+DEPT.+EMP.+SALGRADE.+USERS'"/>
|
|
||||||
<item value="r'3 columns.+SURNAME.+VARCHAR'"/>
|
|
||||||
<item value="r'4 entries.+nameisnull'"/>
|
|
||||||
</parse>
|
|
||||||
</case>
|
|
||||||
<case name="Oracle (--technique=E --is-dba --banner --current-user --current-db --dbs --tables -D SCOTT -T users --columns --dump)">
|
|
||||||
<switches>
|
|
||||||
<url value="http://debiandev/sqlmap/oracle/get_int.php?id=1"/>
|
|
||||||
<isDba value="True"/>
|
|
||||||
<tech value="E"/>
|
|
||||||
<getBanner value="True"/>
|
|
||||||
<getCurrentUser value="True"/>
|
|
||||||
<getCurrentDb value="True"/>
|
|
||||||
<getDbs value="True"/>
|
|
||||||
<getTables value="True"/>
|
|
||||||
<db value="SCOTT"/>
|
|
||||||
<tbl value="users"/>
|
|
||||||
<getColumns value="True"/>
|
|
||||||
<dumpTable value="True"/>
|
|
||||||
</switches>
|
|
||||||
<parse>
|
|
||||||
<item value="current user is DBA: True"/>
|
|
||||||
<item value="banner: 'Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod'"/>
|
|
||||||
<item value="current user: 'SYS'"/>
|
|
||||||
<item value="'TESTDB.REGRESS.RDBMS.DEV.US.ORACLE.COM'"/>
|
|
||||||
<item value="r'available databases.+15.+CTXSYS.+DBSNMP.+SCOTT.+SYS.+SYSMAN'"/>
|
|
||||||
<item value="r'5 tables.+BONUS.+DEPT.+EMP.+SALGRADE.+USERS'"/>
|
|
||||||
<item value="r'3 columns.+SURNAME.+VARCHAR'"/>
|
|
||||||
<item value="r'4 entries.+nameisnull'"/>
|
|
||||||
</parse>
|
|
||||||
</case>
|
|
||||||
<case name="Oracle (--technique=U --is-dba --banner --current-user --current-db --dbs --tables -D SCOTT -T users --columns --dump)">
|
|
||||||
<switches>
|
|
||||||
<url value="http://debiandev/sqlmap/oracle/get_int.php?id=1"/>
|
|
||||||
<isDba value="True"/>
|
|
||||||
<tech value="U"/>
|
|
||||||
<getBanner value="True"/>
|
|
||||||
<getCurrentUser value="True"/>
|
|
||||||
<getCurrentDb value="True"/>
|
|
||||||
<getDbs value="True"/>
|
|
||||||
<getTables value="True"/>
|
|
||||||
<db value="SCOTT"/>
|
|
||||||
<tbl value="users"/>
|
|
||||||
<getColumns value="True"/>
|
|
||||||
<dumpTable value="True"/>
|
|
||||||
</switches>
|
|
||||||
<parse>
|
|
||||||
<item value="current user is DBA: True"/>
|
|
||||||
<item value="banner: 'Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod'"/>
|
|
||||||
<item value="current user: 'SYS'"/>
|
|
||||||
<item value="'TESTDB.REGRESS.RDBMS.DEV.US.ORACLE.COM'"/>
|
|
||||||
<item value="r'available databases.+15.+CTXSYS.+DBSNMP.+SCOTT.+SYS.+SYSMAN'"/>
|
|
||||||
<item value="r'5 tables.+BONUS.+DEPT.+EMP.+SALGRADE.+USERS'"/>
|
|
||||||
<item value="r'3 columns.+SURNAME.+VARCHAR'"/>
|
|
||||||
<item value="r'4 entries.+nameisnull'"/>
|
|
||||||
</parse>
|
|
||||||
</case>
|
|
||||||
<case name="Oracle partial union (--technique=U --is-dba --banner --current-user --current-db --dbs --tables -D SCOTT -T users --columns --dump)">
|
|
||||||
<switches>
|
|
||||||
<url value="http://debiandev/sqlmap/oracle/get_int_partialunion.php?id=1"/>
|
|
||||||
<isDba value="True"/>
|
|
||||||
<tech value="U"/>
|
|
||||||
<getBanner value="True"/>
|
|
||||||
<getCurrentUser value="True"/>
|
|
||||||
<getCurrentDb value="True"/>
|
|
||||||
<getDbs value="True"/>
|
|
||||||
<getTables value="True"/>
|
|
||||||
<db value="SCOTT"/>
|
|
||||||
<tbl value="users"/>
|
|
||||||
<getColumns value="True"/>
|
|
||||||
<dumpTable value="True"/>
|
|
||||||
</switches>
|
|
||||||
<parse>
|
|
||||||
<item value="current user is DBA: True"/>
|
|
||||||
<item value="banner: 'Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod'"/>
|
|
||||||
<item value="current user: 'SYS'"/>
|
|
||||||
<item value="'TESTDB.REGRESS.RDBMS.DEV.US.ORACLE.COM'"/>
|
|
||||||
<item value="r'available databases.+15.+CTXSYS.+DBSNMP.+SCOTT.+SYS.+SYSMAN'"/>
|
|
||||||
<item value="r'5 tables.+BONUS.+DEPT.+EMP.+SALGRADE.+USERS'"/>
|
|
||||||
<item value="r'3 columns.+SURNAME.+VARCHAR'"/>
|
|
||||||
<item value="r'4 entries.+nameisnull'"/>
|
|
||||||
</parse>
|
|
||||||
</case>
|
|
||||||
<case name="MSSQL (--technique=B --is-dba --banner --current-user --current-db --dbs --tables -D testdb -T users --columns --dump --threads=4)">
|
|
||||||
<switches>
|
|
||||||
<url value="http://windowsdev/sqlmap/mssql/iis/get_int.asp?id=1"/>
|
|
||||||
<isDba value="True"/>
|
|
||||||
<tech value="B"/>
|
|
||||||
<getBanner value="True"/>
|
|
||||||
<getCurrentUser value="True"/>
|
|
||||||
<getCurrentDb value="True"/>
|
|
||||||
<getDbs value="True"/>
|
|
||||||
<getTables value="True"/>
|
|
||||||
<db value="testdb"/>
|
|
||||||
<tbl value="users"/>
|
|
||||||
<getColumns value="True"/>
|
|
||||||
<dumpTable value="True"/>
|
|
||||||
<threads value="4"/>
|
|
||||||
</switches>
|
|
||||||
<parse>
|
|
||||||
<item value="current user is DBA: True"/>
|
|
||||||
<item value="r'Microsoft SQL Server 2005.+Oct 14 2005 00:33:37'"/>
|
|
||||||
<item value="current user: 'sa'"/>
|
|
||||||
<item value="current database: 'testdb'"/>
|
|
||||||
<item value="r'available databases.+5.+master.+model.+msdb.+tempdb.+testdb'"/>
|
|
||||||
<item value="r'dbo\.sysdiagrams.+dbo\.users'"/>
|
|
||||||
<item value="r'3 columns.+surname.+varchar'"/>
|
|
||||||
<item value="r'5 entries.+nameisnull.+'"/>
|
|
||||||
</parse>
|
|
||||||
</case>
|
|
||||||
<case name="MSSQL (--technique=E --is-dba --banner --current-user --current-db --dbs --tables -D testdb -T users --columns --dump)">
|
|
||||||
<switches>
|
|
||||||
<url value="http://windowsdev/sqlmap/mssql/iis/get_int.asp?id=1"/>
|
|
||||||
<isDba value="True"/>
|
|
||||||
<tech value="E"/>
|
|
||||||
<getBanner value="True"/>
|
|
||||||
<getCurrentUser value="True"/>
|
|
||||||
<getCurrentDb value="True"/>
|
|
||||||
<getDbs value="True"/>
|
|
||||||
<getTables value="True"/>
|
|
||||||
<db value="testdb"/>
|
|
||||||
<tbl value="users"/>
|
|
||||||
<getColumns value="True"/>
|
|
||||||
<dumpTable value="True"/>
|
|
||||||
</switches>
|
|
||||||
<parse>
|
|
||||||
<item value="current user is DBA: True"/>
|
|
||||||
<item value="r'Microsoft SQL Server 2005.+Oct 14 2005 00:33:37'"/>
|
|
||||||
<item value="current user: 'sa'"/>
|
|
||||||
<item value="current database: 'testdb'"/>
|
|
||||||
<item value="r'available databases.+5.+master.+model.+msdb.+tempdb.+testdb'"/>
|
|
||||||
<item value="r'dbo\.sysdiagrams.+dbo\.users'"/>
|
|
||||||
<item value="r'3 columns.+surname.+varchar'"/>
|
|
||||||
<item value="r'5 entries.+nameisnull.+'"/>
|
|
||||||
</parse>
|
|
||||||
</case>
|
|
||||||
<case name="MSSQL (--technique=U --is-dba --banner --current-user --current-db --dbs --tables -D testdb -T users --columns --dump)">
|
|
||||||
<switches>
|
|
||||||
<url value="http://windowsdev/sqlmap/mssql/iis/get_int.asp?id=1"/>
|
|
||||||
<isDba value="True"/>
|
|
||||||
<tech value="U"/>
|
|
||||||
<getBanner value="True"/>
|
|
||||||
<getCurrentUser value="True"/>
|
|
||||||
<getCurrentDb value="True"/>
|
|
||||||
<getDbs value="True"/>
|
|
||||||
<getTables value="True"/>
|
|
||||||
<db value="testdb"/>
|
|
||||||
<tbl value="users"/>
|
|
||||||
<getColumns value="True"/>
|
|
||||||
<dumpTable value="True"/>
|
|
||||||
</switches>
|
|
||||||
<parse>
|
|
||||||
<item value="current user is DBA: True"/>
|
|
||||||
<item value="r'Microsoft SQL Server 2005.+Oct 14 2005 00:33:37'"/>
|
|
||||||
<item value="current user: 'sa'"/>
|
|
||||||
<item value="current database: 'testdb'"/>
|
|
||||||
<item value="r'available databases.+5.+master.+model.+msdb.+tempdb.+testdb'"/>
|
|
||||||
<item value="r'dbo\.sysdiagrams.+dbo\.users'"/>
|
|
||||||
<item value="r'3 columns.+surname.+varchar'"/>
|
|
||||||
<item value="r'5 entries.+nameisnull.+'"/>
|
|
||||||
</parse>
|
|
||||||
</case>
|
|
||||||
<case name="MSSQL partial union (--technique=U --is-dba --banner --current-user --current-db --dbs --tables -D testdb -T users --columns --dump)">
|
|
||||||
<switches>
|
|
||||||
<url value="http://windowsdev/sqlmap/mssql/iis/get_int_partialunion.asp?id=1"/>
|
|
||||||
<isDba value="True"/>
|
|
||||||
<tech value="U"/>
|
|
||||||
<getBanner value="True"/>
|
|
||||||
<getCurrentUser value="True"/>
|
|
||||||
<getCurrentDb value="True"/>
|
|
||||||
<getDbs value="True"/>
|
|
||||||
<getTables value="True"/>
|
|
||||||
<db value="testdb"/>
|
|
||||||
<tbl value="users"/>
|
|
||||||
<getColumns value="True"/>
|
|
||||||
<dumpTable value="True"/>
|
|
||||||
</switches>
|
|
||||||
<parse>
|
|
||||||
<item value="current user is DBA: True"/>
|
|
||||||
<item value="r'Microsoft SQL Server 2005.+Oct 14 2005 00:33:37'"/>
|
|
||||||
<item value="current user: 'sa'"/>
|
|
||||||
<item value="current database: 'testdb'"/>
|
|
||||||
<item value="r'available databases.+5.+master.+model.+msdb.+tempdb.+testdb'"/>
|
|
||||||
<item value="r'dbo\.sysdiagrams.+dbo\.users'"/>
|
|
||||||
<item value="r'3 columns.+surname.+varchar'"/>
|
|
||||||
<item value="r'5 entries.+nameisnull.+'"/>
|
|
||||||
</parse>
|
|
||||||
</case>
|
|
||||||
</root>
|
</root>
|
||||||
|
|