sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-02-02 20:54:13 +03:00
Code Issues Packages Projects Releases Wiki Activity

On my way to properly parse test's <where> tag in exploitation phase

Browse Source
This commit is contained in:
Bernardo Damele 2010-12-01 23:32:58 +00:00
parent 09b265a1ea
commit 283a04e29a
4 changed files with 20 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
lib/controller/checks.py
View File

@ -151,7 +151,7 @@ def checkSqlInjection(place, parameter, value):
# Parse test's <request> # Parse test's <request>
comment = agent.getComment(test.request) comment = agent.getComment(test.request)
fstPayload = agent.cleanupPayload(test.request.payload) fstPayload = agent.cleanupPayload(test.request.payload, value)
fstPayload = unescapeDbms(fstPayload, injection, dbms) fstPayload = unescapeDbms(fstPayload, injection, dbms)
fstPayload = "%s%s" % (fstPayload, comment) fstPayload = "%s%s" % (fstPayload, comment)
@ -246,18 +246,18 @@ def checkSqlInjection(place, parameter, value):
# test's ' <payload><comment> ' string # test's ' <payload><comment> ' string
boundPayload = "%s%s %s %s" % (origValue, prefix, fstPayload, suffix) boundPayload = "%s%s %s %s" % (origValue, prefix, fstPayload, suffix)
boundPayload = boundPayload.strip() boundPayload = boundPayload.strip()
boundPayload = agent.cleanupPayload(boundPayload) boundPayload = agent.cleanupPayload(boundPayload, value)
reqPayload = agent.payload(place, parameter, value, boundPayload) reqPayload = agent.payload(place, parameter, value, boundPayload)
# Perform the test's request and check whether or not the # Perform the test's request and check whether or not the
# payload was successful # payload was successful
# Parse test's <response> # Parse test's <response>
for method, check in test.response.items(): for method, check in test.response.items():
check = agent.cleanupPayload(check) check = agent.cleanupPayload(check, value)
# In case of boolean-based blind SQL injection # In case of boolean-based blind SQL injection
if method == "comparison": if method == "comparison":
sndPayload = agent.cleanupPayload(test.response.comparison) sndPayload = agent.cleanupPayload(test.response.comparison, value)
sndPayload = unescapeDbms(sndPayload, injection, dbms) sndPayload = unescapeDbms(sndPayload, injection, dbms)
sndPayload = "%s%s" % (sndPayload, comment) sndPayload = "%s%s" % (sndPayload, comment)
@ -267,7 +267,7 @@ def checkSqlInjection(place, parameter, value):
# string # string
boundPayload = "%s%s %s %s" % (origValue, prefix, sndPayload, suffix) boundPayload = "%s%s %s %s" % (origValue, prefix, sndPayload, suffix)
boundPayload = boundPayload.strip() boundPayload = boundPayload.strip()
boundPayload = agent.cleanupPayload(boundPayload) boundPayload = agent.cleanupPayload(boundPayload, value)
cmpPayload = agent.payload(place, parameter, value, boundPayload) cmpPayload = agent.payload(place, parameter, value, boundPayload)
# Useful to set conf.matchRatio at first based on # Useful to set conf.matchRatio at first based on

11
lib/core/agent.py
View File

@ -76,6 +76,7 @@ class Agent:
paramString = conf.parameters[kb.injection.place] paramString = conf.parameters[kb.injection.place]
paramDict = conf.paramDict[kb.injection.place] paramDict = conf.paramDict[kb.injection.place]
value = paramDict[kb.injection.parameter] value = paramDict[kb.injection.parameter]
newValue = self.cleanupPayload(newValue, value)
if "POSTxml" in conf.paramDict and kb.injection.place == PLACE.POST: if "POSTxml" in conf.paramDict and kb.injection.place == PLACE.POST:
root = ET.XML(paramString) root = ET.XML(paramString)
@ -155,9 +156,9 @@ class Agent:
string += " %s" % kb.injection.suffix string += " %s" % kb.injection.suffix
string = self.cleanupPayload(string) string = self.cleanupPayload(string)
return string return string.rstrip()
def cleanupPayload(self, payload): def cleanupPayload(self, payload, origvalue=None):
if payload is None: if payload is None:
return return
@ -174,6 +175,12 @@ class Agent:
payload = payload.replace("[DELIMITER_STOP]", kb.misc.stop) payload = payload.replace("[DELIMITER_STOP]", kb.misc.stop)
payload = payload.replace("[SLEEPTIME]", str(conf.timeSec)) payload = payload.replace("[SLEEPTIME]", str(conf.timeSec))
if origvalue is not None:
if not origvalue.isdigit():
origvalue = "'%s'" % origvalue
payload = payload.replace("[ORIGVALUE]", origvalue)
return payload return payload
def getComment(self, reqObj): def getComment(self, reqObj):

7
lib/request/inject.py
View File

@ -99,7 +99,12 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r
parameter through a bisection algorithm. parameter through a bisection algorithm.
""" """
query = agent.prefixQuery(queries[kb.misc.testedDbms].inference.query) if kb.injection.data[1].epayload is not None:
vector = agent.cleanupPayload(kb.injection.data[1].epayload)
else:
vector = queries[kb.misc.testedDbms].inference.query
query = agent.prefixQuery(vector)
query = agent.suffixQuery(query) query = agent.suffixQuery(query)
payload = agent.payload(newValue=query) payload = agent.payload(newValue=query)
count = None count = None

1
lib/techniques/error/use.py
View File

@ -35,7 +35,6 @@ def errorUse(expression):
""" """
output = None output = None
randInt = randomInt(1)
query = agent.cleanupPayload(kb.injection.data[2].epayload) query = agent.cleanupPayload(kb.injection.data[2].epayload)
query = unescaper.unescape(query) query = unescaper.unescape(query)
query = agent.prefixQuery(query) query = agent.prefixQuery(query)