sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-02-03 05:04:11 +03:00
Code Issues Packages Projects Releases Wiki Activity

ORDER BY does not play well with UNION query SQLi (related to issue #313)

Browse Source
This commit is contained in:
Bernardo Damele 2012-12-19 13:21:16 +00:00
parent 259b345f1f
commit 282aeb734f
3 changed files with 49 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
lib/core/common.py
View File

@ -661,6 +661,9 @@ def filePathToString(filePath):
return strRepl return strRepl
def singleTimeDebugMessage(message):
singleTimeLogMessage(message, logging.DEBUG)
def singleTimeWarnMessage(message): def singleTimeWarnMessage(message):
singleTimeLogMessage(message, logging.WARN) singleTimeLogMessage(message, logging.WARN)

9
lib/techniques/union/use.py
View File

@ -29,6 +29,7 @@ from lib.core.common import isNumPosStrValue
from lib.core.common import listToStrValue from lib.core.common import listToStrValue
from lib.core.common import parseUnionPage from lib.core.common import parseUnionPage
from lib.core.common import removeReflectiveValues from lib.core.common import removeReflectiveValues
from lib.core.common import singleTimeDebugMessage
from lib.core.common import singleTimeWarnMessage from lib.core.common import singleTimeWarnMessage
from lib.core.common import wasLastRequestDBMSError from lib.core.common import wasLastRequestDBMSError
from lib.core.convert import htmlunescape from lib.core.convert import htmlunescape
@ -159,6 +160,13 @@ def unionUse(expression, unpack=True, dump=False):
_, _, _, _, _, expressionFieldsList, expressionFields, _ = agent.getFields(origExpr) _, _, _, _, _, expressionFieldsList, expressionFields, _ = agent.getFields(origExpr)
if expressionFieldsList and len(expressionFieldsList) > 1 and "ORDER BY" in expression.upper():
# Removed ORDER BY clause because UNION does not play well with it
expression = re.sub("\s*ORDER BY\s+[\w,]+", "", expression, re.I)
debugMsg = "stripping ORDER BY clause from statement because "
debugMsg += "it does not play well with UNION query SQL injection"
singleTimeDebugMessage(debugMsg)
# We have to check if the SQL query might return multiple entries # We have to check if the SQL query might return multiple entries
# if the technique is partial UNION query and in such case forge the # if the technique is partial UNION query and in such case forge the
# SQL limiting the query output one entry at a time # SQL limiting the query output one entry at a time
@ -301,7 +309,6 @@ def unionUse(expression, unpack=True, dump=False):
kb.suppressResumeInfo = False kb.suppressResumeInfo = False
if not value and not abortedFlag: if not value and not abortedFlag:
expression = re.sub("\s*ORDER BY\s+[\w,]+", "", expression, re.I) # full union does not play well with ORDER BY
value = _oneShotUnionUse(expression, unpack) value = _oneShotUnionUse(expression, unpack)
duration = calculateDeltaSeconds(start) duration = calculateDeltaSeconds(start)

39
xml/livetests.xml
View File

@ -283,11 +283,14 @@
<item value="r'Database: testdb.+Table: users.+3 entries.+fluffy.+bunny.+wu.+ming'"/> <item value="r'Database: testdb.+Table: users.+3 entries.+fluffy.+bunny.+wu.+ming'"/>
</parse> </parse>
</case> </case>
<!-- TODO: this fails because of issue #305 -->
<case name="MySQL boolean-based multi-threaded custom enumeration - substring"> <case name="MySQL boolean-based multi-threaded custom enumeration - substring">
<switches> <switches>
<url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/> <url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/>
<!-- TODO: this fails because of issue #305 -->
<!--
<threads value="4"/> <threads value="4"/>
-->
<threads value="1"/>
<tech value="B"/> <tech value="B"/>
<dumpTable value="True"/> <dumpTable value="True"/>
<db value="testdb"/> <db value="testdb"/>
@ -632,5 +635,39 @@
<item value="r'SELECT \* FROM users LIMIT 0, 2 \[2\].+1, luther, blissett.+2, fluffy, bunny'"/> <item value="r'SELECT \* FROM users LIMIT 0, 2 \[2\].+1, luther, blissett.+2, fluffy, bunny'"/>
</parse> </parse>
</case> </case>
<case name="MySQL boolean-based multi-threaded custom ordered SQL query enumeration">
<switches>
<url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/>
<threads value="4"/>
<tech value="B"/>
<query value="SELECT * FROM users ORDER BY name"/>
</switches>
<parse>
<item value="r'SELECT \* FROM users ORDER BY name \[5\].+2, fluffy, bunny.+1, luther, blissett.+3, wu, ming'"/>
</parse>
</case>
<case name="MySQL error-based multi-threaded custom ordered SQL query enumeration">
<switches>
<url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/>
<threads value="4"/>
<tech value="E"/>
<query value="SELECT * FROM users ORDER BY name"/>
</switches>
<parse>
<item value="r'SELECT \* FROM users ORDER BY name \[5\].+2, fluffy, bunny.+1, luther, blissett.+3, wu, ming'"/>
</parse>
</case>
<case name="MySQL UNION query multi-threaded custom ordered SQL query enumeration">
<switches>
<url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/>
<threads value="4"/>
<tech value="U"/>
<query value="SELECT * FROM users ORDER BY name"/>
</switches>
<parse>
<!-- NOTE: it is not sorted on purpose because UNION does not play well with ORDER BY and it is stripped -->
<item value="r'SELECT \* FROM users ORDER BY name \[5\].+1, luther, blissett.+2, fluffy, bunny.+3, wu, ming'"/>
</parse>
</case>
<!-- End of user's provided statement enumeration switches --> <!-- End of user's provided statement enumeration switches -->
</root> </root>