Patch for MsSQL column name injection

Miroslav Stampar 2018-09-06 13:59:07 +02:00
parent c37014b8e8
commit 2b56bdfaa6
4 changed files with 19 additions and 8 deletions


@ -19,7 +19,7 @@ from lib.core.enums import DBMS_DIRECTORY_NAME
from lib.core.enums import OS from lib.core.enums import OS
# sqlmap version (<major>.<minor>.<month>.<monthly commit>) # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
VERSION = "1.2.9.9" VERSION = "1.2.9.10"
TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable" TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34} TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE) VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
@ -324,6 +324,7 @@ FILE_PATH_REGEXES = (r"<b>(?P<result>[^<>]+?)</b> on line \d+", r"in (?P<result>
# Regular expressions used for parsing error messages (--parse-errors) # Regular expressions used for parsing error messages (--parse-errors)
ERROR_PARSING_REGEXES = ( ERROR_PARSING_REGEXES = (
r"\[Microsoft\]\[ODBC SQL Server Driver\]\[SQL Server\](?P<result>[^<]+)",
r"<b>[^<]*(fatal|error|warning|exception)[^<]*</b>:?\s*(?P<result>.+?)<br\s*/?\s*>", r"<b>[^<]*(fatal|error|warning|exception)[^<]*</b>:?\s*(?P<result>.+?)<br\s*/?\s*>",
r"(?m)^\s*(fatal|error|warning|exception):?\s*(?P<result>[^\n]+?)$", r"(?m)^\s*(fatal|error|warning|exception):?\s*(?P<result>[^\n]+?)$",
r"(?P<result>[^\n>]*SQL Syntax[^\n<]+)", r"(?P<result>[^\n>]*SQL Syntax[^\n<]+)",
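Review bot: The new first entry of `ERROR_PARSING_REGEXES` captures with `[^<]+`, which, unlike the `[^\n]` classes used by the entries below it, also runs across line breaks, so on a response with no markup after the driver message it would capture everything up to the next `<` or the end of the body. If a single-line message is what is wanted, bound it: `r"\[Microsoft\]\[ODBC SQL Server Driver\]\[SQL Server\](?P<result>[^<\n]+)",`. This matters for the colouring code added to ansistrm.py in the same commit, whose `: '(.+)'` search does not match across a newline. The tuple continues beyond the hunk and the code that applies these patterns is not shown, so the flags and match order in effect should be confirmed.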


@ -182,6 +182,16 @@ class ColorizingStreamHandler(logging.StreamHandler):
message = message.replace(counter, ''.join((self.csi, str(self.color_map["yellow"] + 30), 'm', counter, reset)), 1) message = message.replace(counter, ''.join((self.csi, str(self.color_map["yellow"] + 30), 'm', counter, reset)), 1)
if level != "PAYLOAD": if level != "PAYLOAD":
if any(_ in message for _ in ("parsed DBMS error message",)):
string = re.search(r": '(.+)'", message).group(1)
if not message.endswith(self.reset):
reset = self.reset
elif self.bold in message: # bold
reset = self.reset + self.bold
else:
reset = self.reset
message = message.replace("'%s'" % string, "'%s'" % ''.join((self.csi, str(self.color_map["white"] + 30), 'm', string, reset)), 1)
else:
for match in re.finditer(r"[^\w]'([^']+)'", message): # single-quoted for match in re.finditer(r"[^\w]'([^']+)'", message): # single-quoted
string = match.group(1) string = match.group(1)
if not message.endswith(self.reset): if not message.endswith(self.reset):
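Review bot: In the new `parsed DBMS error message` branch, `re.search(r": '(.+)'", message).group(1)` is called without checking that the search matched, so a message that carries the marker but has no `: '…'` on one line (for example when the parsed error text contains a line break) raises AttributeError inside the log handler. Guard it with `match = re.search(r"(?s): '(.+)'", message)` and an `if match:` around the reset selection and the `replace` call. The captured string appears to be text taken from the server response and is placed between terminal escape sequences; whether control characters are stripped from it upstream is not visible here, and it is worth confirming so that a response cannot emit sequences of its own. The enclosing method starts and ends outside the hunk, and the page has lost the indentation, so the exact nesting of the new `if`/`else` should be checked against the file.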


@ -50,7 +50,7 @@ c8c386d644d57c659d74542f5f57f632 lib/core/patch.py
0c3eef46bdbf87e29a3f95f90240d192 lib/core/replication.py 0c3eef46bdbf87e29a3f95f90240d192 lib/core/replication.py
a7db43859b61569b601b97f187dd31c5 lib/core/revision.py a7db43859b61569b601b97f187dd31c5 lib/core/revision.py
fcb74fcc9577523524659ec49e2e964b lib/core/session.py fcb74fcc9577523524659ec49e2e964b lib/core/session.py
c762da4ab30d1e245ca359df355ff7a7 lib/core/settings.py 021d606c9405fd23d630108bf5c39853 lib/core/settings.py
dd68a9d02fccb4fa1428b20e15b0db5d lib/core/shell.py dd68a9d02fccb4fa1428b20e15b0db5d lib/core/shell.py
a7edc9250d13af36ac0108f259859c19 lib/core/subprocessng.py a7edc9250d13af36ac0108f259859c19 lib/core/subprocessng.py
815d1cf27f0f8738d81531e73149867d lib/core/target.py 815d1cf27f0f8738d81531e73149867d lib/core/target.py
@ -287,7 +287,7 @@ f2b9eac52d346315f5705f71beeda791 tamper/varnish.py
0e40966a51d1eb5d42a2159d2015a8a4 tamper/versionedkeywords.py 0e40966a51d1eb5d42a2159d2015a8a4 tamper/versionedkeywords.py
0fba004bf1be6edbefbda89f23f4e518 tamper/versionedmorekeywords.py 0fba004bf1be6edbefbda89f23f4e518 tamper/versionedmorekeywords.py
de532c4e3160039335010c499129d54f tamper/xforwardedfor.py de532c4e3160039335010c499129d54f tamper/xforwardedfor.py
1996d6afa985a526df02efa1bf121976 thirdparty/ansistrm/ansistrm.py b422795c5e589decec725963e480ffba thirdparty/ansistrm/ansistrm.py
d41d8cd98f00b204e9800998ecf8427e thirdparty/ansistrm/__init__.py d41d8cd98f00b204e9800998ecf8427e thirdparty/ansistrm/__init__.py
8e775c25bc9e84891ad6fcb4f0005c23 thirdparty/beautifulsoup/beautifulsoup.py 8e775c25bc9e84891ad6fcb4f0005c23 thirdparty/beautifulsoup/beautifulsoup.py
cb2e1fe7c404dff41a2ae9132828f532 thirdparty/beautifulsoup/__init__.py cb2e1fe7c404dff41a2ae9132828f532 thirdparty/beautifulsoup/__init__.py
@ -469,7 +469,7 @@ d48c971769c6131e35bd52d2315a8d58 xml/banner/servlet-engine.xml
d989813ee377252bca2103cea524c06b xml/banner/sharepoint.xml d989813ee377252bca2103cea524c06b xml/banner/sharepoint.xml
350605448f049cd982554123a75f11e1 xml/banner/x-aspnet-version.xml 350605448f049cd982554123a75f11e1 xml/banner/x-aspnet-version.xml
817078783e1edaa492773d3b34d8eef0 xml/banner/x-powered-by.xml 817078783e1edaa492773d3b34d8eef0 xml/banner/x-powered-by.xml
b306c99a038b03421beea655dc804b64 xml/boundaries.xml de871ef9c982799a7f7f84621f103f26 xml/boundaries.xml
6cffc395cd0280f5c1a84542da6642e5 xml/errors.xml 6cffc395cd0280f5c1a84542da6642e5 xml/errors.xml
a279656ea3fcb85c727249b02f828383 xml/livetests.xml a279656ea3fcb85c727249b02f828383 xml/livetests.xml
fe2a865a8579f2045d2be057a00f5b49 xml/payloads/boolean_blind.xml fe2a865a8579f2045d2be057a00f5b49 xml/payloads/boolean_blind.xml


@ -513,8 +513,8 @@ Formats:
<clause>8</clause> <clause>8</clause>
<where>1</where> <where>1</where>
<ptype>6</ptype> <ptype>6</ptype>
<prefix>]=[[ORIGINAL]]</prefix> <prefix>]-(SELECT 0 WHERE [RANDNUM]=[RANDNUM]</prefix>
<suffix> AND [[ORIGINAL]]=[[ORIGINAL]</suffix> <suffix>)|[[ORIGINAL]</suffix>
</boundary> </boundary>
<!-- End of escaped column name boundaries --> <!-- End of escaped column name boundaries -->