basic live tests against 3 major DBMSes

Miroslav Stampar 2011-03-24 11:47:01 +00:00
parent ecbbfeba6e
commit 2b15ad57c2
3 changed files with 122 additions and 27 deletions


@ -1349,7 +1349,7 @@ def __setVerbosity():
elif conf.verbose >= 5:
logger.setLevel(7)
def __mergeOptions(inputOptions):
def __mergeOptions(inputOptions, overrideOptions):
"""
Merge command line options with configuration file options.
@ -1367,7 +1367,7 @@ def __mergeOptions(inputOptions):
for key, value in inputOptionsItems:
if key not in conf or (conf[key] is False and value is True) or \
value not in (None, False):
value not in (None, False) or overrideOptions:
conf[key] = value
def __setTrafficOutputFP():
@ -1425,7 +1425,7 @@ def __basicOptionValidation():
errMsg = "value for --time-sec option must be an integer greater than 0"
raise sqlmapSyntaxException, errMsg
def init(inputOptions=advancedDict()):
def init(inputOptions=advancedDict(), overrideOptions=False):
"""
Set attributes into both configuration and knowledge base singletons
based upon command line and configuration file options.
@ -1433,7 +1433,7 @@ def init(inputOptions=advancedDict()):
__setConfAttributes()
__setKnowledgeBaseAttributes()
__mergeOptions(inputOptions)
__mergeOptions(inputOptions, overrideOptions)
__setVerbosity()
__saveCmdline()
__setRequestFromFile()
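Review bot: With `overrideOptions` true, the new `or overrideOptions` term in `__mergeOptions` makes the whole condition true for every key, so values of `None` and `False` in `inputOptions` now overwrite whatever `conf` already holds. If configuration-file values are loaded into `conf` before this loop (not visible in the hunk), they are silently discarded, including settings an operator may rely on, such as proxy or timing options. The docstring still describes only a merge; I would add a line such as `overrideOptions: when True, every key in inputOptions replaces the value in conf, even if it is None or False (used by the live tests to reset state between cases)`. The `init` docstring needs the same mention. Both function bodies continue outside the hunks shown.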


@ -17,6 +17,7 @@ import tempfile
import time
from lib.controller.controller import start
from lib.core.common import beep
from lib.core.common import clearConsoleLine
from lib.core.common import dataToStdout
from lib.core.common import getCompiledRegex
@ -74,6 +75,10 @@ def smokeTest():
return retVal
def adjustValueType(tagName, value):
# as it's not part of optDict
if tagName == "technique":
value = int(value)
for family in optDict.keys():
for name, type_ in optDict[family].items():
if type(type_) == tuple:
@ -146,6 +151,7 @@ def liveTest():
logger.info("test passed")
else:
logger.error("test failed")
beep()
retVal &= result
dataToStdout("\n")
@ -169,7 +175,7 @@ def initCase(switches=None):
cmdLineOptions.__dict__[key] = value
conf.sessionFile = None
init(cmdLineOptions)
init(cmdLineOptions, True)
__setVerbosity()
def cleanCase():
@ -194,7 +200,7 @@ def runCase(switches=None, log=None, session=None):
ifile.close()
for item in session:
if item.startswith("r'") and item.endswith("'"):
if not re.search(item[2:-1], content):
if not re.search(item[2:-1], content, re.DOTALL):
retVal = False
break
elif content.find(item) < 0:
@ -207,7 +213,7 @@ def runCase(switches=None, log=None, session=None):
ifile.close()
for item in log:
if item.startswith("r'") and item.endswith("'"):
if not re.search(item[2:-1], content):
if not re.search(item[2:-1], content, re.DOTALL):
retVal = False
break
elif content.find(item) < 0:
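Review bot: Passing `re.DOTALL` to both `re.search` calls in `runCase` lets each `.+` in an `r'...'` item span line breaks across the whole log or session file. An item now passes whenever its fragments appear anywhere in that order, even in unrelated output blocks, so a case can pass on output it was not meant to check. If multi-line matching is needed, I would record the trade-off next to the call, e.g. `# DOTALL: fragments only need to appear in order anywhere in the file`, and keep the patterns in the case file as specific as possible. Separately, `init(cmdLineOptions, True)` in `initCase` would read more clearly as `init(cmdLineOptions, overrideOptions=True)`. The `int(value)` added to `adjustValueType` raises `ValueError` on a non-numeric `technique` value, with no message naming the offending case. `runCase` begins outside the hunks shown.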


@ -3,44 +3,133 @@
<root>
<global>
<ignoreProxy value="True"/>
<batch value="True"/>
<verbose value="0"/>
</global>
<vars>
<host value="172.16.104.130"/>
</vars>
<case name="Postgres (--is-dba)">
<case name="Postgres (--technique=2 --is-dba --banner --current-user --current-db --dbs --tables -D testdb)">
<switches>
<url value="http://${host}/sqlmap/pgsql/get_int.php?id=1"/>
<url value="http://debianenv/sqlmap/pgsql/get_int.php?id=1"/>
<isDba value="True"/>
<technique value="2"/>
<getBanner value="True"/>
<getCurrentUser value="True"/>
<getCurrentDb value="True"/>
<getDbs value="True"/>
<getTables value="True"/>
<db value="testdb"/>
</switches>
<log>
<item value="current user is DBA: 'True'"/>
<item value="PostgreSQL 8.3.9 on i486-pc-linux-gnu, compiled by GCC gcc-4.3.real (Debian 4.3.2-1.1) 4.3.2"/>
<item value="current user: 'testuser'"/>
<item value="current database: 'testdb'"/>
<item value="r'postgres.+template0.+template1.+testdb'"/>
<item value="r'1 table.+users'"/>
</log>
</case>
<case name="MySQL (--banner --threads=5)">
<case name="Postgres (--technique=3 --is-dba --banner --current-user --current-db --dbs --tables -D testdb)">
<switches>
<url value="http://${host}/sqlmap/mysql/get_int.php?id=1"/>
<url value="http://debianenv/sqlmap/pgsql/get_int.php?id=1"/>
<isDba value="True"/>
<technique value="3"/>
<getBanner value="True"/>
<threads value="5"/>
<getCurrentUser value="True"/>
<getCurrentDb value="True"/>
<getDbs value="True"/>
<getTables value="True"/>
<db value="testdb"/>
</switches>
<log>
<item value="5.1.41-3~bpo50+1"/>
<item value="current user is DBA: 'True'"/>
<item value="PostgreSQL 8.3.9 on i486-pc-linux-gnu, compiled by GCC gcc-4.3.real (Debian 4.3.2-1.1) 4.3.2"/>
<item value="current user: 'testuser'"/>
<item value="current database: 'testdb'"/>
<item value="r'postgres.+template0.+template1.+testdb'"/>
<item value="r'1 table.+users'"/>
</log>
</case>
<case name="Oracle (-o -f --users)">
<case name="MySQL (--technique=2 --is-dba --banner --current-user --current-db --dbs --tables -D testdb)">
<switches>
<url value="http://${host}/sqlmap/oracle/get_int.php?id=1"/>
<extensiveFp value="True"/>
<optimize value="True"/>
<getUsers value="True"/>
<url value="http://debianenv/sqlmap/mysql/get_int.php?id=1"/>
<isDba value="True"/>
<technique value="2"/>
<getBanner value="True"/>
<getCurrentUser value="True"/>
<getCurrentDb value="True"/>
<getDbs value="True"/>
<getTables value="True"/>
<db value="testdb"/>
</switches>
<log>
<item value="database management system users"/>
<item value="r'SYS.*N'"/> <!--sample for regex-->
<item value="current user is DBA: 'True'"/>
<item value="banner: '5.1.41-3~bpo50+1'"/>
<item value="current user: 'root@localhost'"/>
<item value="current database: 'testdb'"/>
<item value="r'information_schema.+mysql.+owasp10.+testdb'"/>
<item value="r'1 table.+users'"/>
</log>
</case>
<case name="MySQL (--technique=3 --is-dba --banner --current-user --current-db --dbs --tables -D testdb)">
<switches>
<url value="http://debianenv/sqlmap/mysql/get_int.php?id=1"/>
<isDba value="True"/>
<technique value="3"/>
<getBanner value="True"/>
<getCurrentUser value="True"/>
<getCurrentDb value="True"/>
<getDbs value="True"/>
<getTables value="True"/>
<db value="testdb"/>
</switches>
<log>
<item value="current user is DBA: 'True'"/>
<item value="banner: '5.1.41-3~bpo50+1'"/>
<item value="current user: 'root@localhost'"/>
<item value="current database: 'testdb'"/>
<item value="r'information_schema.+mysql.+owasp10.+testdb'"/>
<item value="r'1 table.+users'"/>
</log>
</case>
<case name="Oracle (--technique=2 --is-dba --banner --current-user --current-db --dbs --tables -D SCOTT)">
<switches>
<url value="http://debianenv/sqlmap/oracle/get_int.php?id=1"/>
<isDba value="True"/>
<technique value="2"/>
<getBanner value="True"/>
<getCurrentUser value="True"/>
<getCurrentDb value="True"/>
<getDbs value="True"/>
<getTables value="True"/>
<db value="SCOTT"/>
</switches>
<log>
<item value="current user is DBA: 'True'"/>
<item value="banner: 'Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod'"/>
<item value="current user: 'SYS'"/>
<item value="'TESTDB.REGRESS.RDBMS.DEV.US.ORACLE.COM'"/>
<item value="r'available databases.+15.+CTXSYS.+DBSNMP.+SCOTT.+SYS.+SYSMAN'"/>
<item value="r'5 tables.+BONUS.+DEPT.+EMP.+SALGRADE.+USERS'"/>
</log>
</case>
<case name="Oracle (--technique=3 --is-dba --banner --current-user --current-db --dbs --tables -D SCOTT)">
<switches>
<url value="http://debianenv/sqlmap/oracle/get_int.php?id=1"/>
<isDba value="True"/>
<technique value="3"/>
<getBanner value="True"/>
<getCurrentUser value="True"/>
<getCurrentDb value="True"/>
<getDbs value="True"/>
<getTables value="True"/>
<db value="SCOTT"/>
</switches>
<log>
<item value="current user is DBA: 'True'"/>
<item value="banner: 'Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod'"/>
<item value="current user: 'SYS'"/>
<item value="'TESTDB.REGRESS.RDBMS.DEV.US.ORACLE.COM'"/>
<item value="r'available databases.+15.+CTXSYS.+DBSNMP.+SCOTT.+SYS.+SYSMAN'"/>
<item value="r'5 tables.+BONUS.+DEPT.+EMP.+SALGRADE.+USERS'"/>
</log>
<session>
<item value="SELECT DISTINCT(USERNAME)"/>
<item value="[DBMS][Oracle]"/>
</session>
</case>
</root>
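Review bot: Every `<url>` in the new cases hard-codes the host name `debianenv`, although a `<vars>` block defining `host` and the earlier `${host}` URLs appear in this same section. The target of these live tests is therefore whatever `debianenv` resolves to on the machine running them. Since the cases send real test traffic, I would keep the target in one reviewable place, e.g. `<url value="http://${host}/sqlmap/pgsql/get_int.php?id=1"/>`, and point `host` at an isolated lab system. The expected `<item>` values also pin exact banners (`PostgreSQL 8.3.9 ...`, `5.1.41-3~bpo50+1`, `10.2.0.1.0`), which will fail after any patch-level upgrade of the lab DBMS; a looser `r'...'` item would be sturdier. If the trailing `<session>` block in the last Oracle case is retained, its `SELECT DISTINCT(USERNAME)` item looks tied to the old `--users` case and is worth confirming against the new switches.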