From 2cc167a42eb18030536107803dfbca6a71694f65 Mon Sep 17 00:00:00 2001 From: Miroslav Stampar Date: Thu, 2 Dec 2010 18:57:43 +0000 Subject: [PATCH] fix for a bug reported by ToR: "AttributeError: 'NoneType' object has no attribute 'isdigit'" --- lib/core/common.py | 3 +++ plugins/generic/enumeration.py | 27 ++++++++++++++------------- 2 files changed, 17 insertions(+), 13 deletions(-) diff --git a/lib/core/common.py b/lib/core/common.py index 949fda69c..20a809ea2 100644 --- a/lib/core/common.py +++ b/lib/core/common.py @@ -1639,3 +1639,6 @@ def trimAlphaNum(value): value = value[1:] return value + +def isNumPosStrValue(value): + return value and isinstance(value, basestring) and value.isdigit() and value != "0" diff --git a/plugins/generic/enumeration.py b/plugins/generic/enumeration.py index d8c9affd1..d0fd24feb 100644 --- a/plugins/generic/enumeration.py +++ b/plugins/generic/enumeration.py @@ -17,6 +17,7 @@ from lib.core.common import getCompiledRegex from lib.core.common import getConsoleWidth from lib.core.common import getFileItems from lib.core.common import getUnicode +from lib.core.common import isNumPosStrValue from lib.core.common import parsePasswordHash from lib.core.common import popValue from lib.core.common import pushValue @@ -159,7 +160,7 @@ class Enumeration: query = rootQuery.blind.count count = inject.getValue(query, inband=False, expected="int", charsetType=2) - if not count.isdigit() or not len(count) or count == "0": + if not isNumPosStrValue(count): errMsg = "unable to retrieve the number of database users" raise sqlmapNoneDataException, errMsg @@ -268,7 +269,7 @@ class Enumeration: query = rootQuery.blind.count % user count = inject.getValue(query, inband=False, expected="int", charsetType=2) - if not count.isdigit() or not len(count) or count == "0": + if not isNumPosStrValue(count): warnMsg = "unable to retrieve the number of password " warnMsg += "hashes for user '%s'" % user logger.warn(warnMsg) @@ -547,8 +548,8 @@ class Enumeration: query = rootQuery.blind.count % queryUser count = inject.getValue(query, inband=False, expected="int", charsetType=2) - if not count.isdigit() or not len(count) or count == "0": - if not count.isdigit() and kb.dbms == DBMS.ORACLE and not query2: + if not isNumPosStrValue(count): + if not (isinstance(count, basestring) and count.isdigit()) and kb.dbms == DBMS.ORACLE and not query2: infoMsg = "trying with table USER_SYS_PRIVS" logger.info(infoMsg) @@ -686,7 +687,7 @@ class Enumeration: query = rootQuery.blind.count count = inject.getValue(query, inband=False, expected="int", charsetType=2) - if not count.isdigit() or not len(count) or count == "0": + if not isNumPosStrValue(count): errMsg = "unable to retrieve the number of databases" raise sqlmapNoneDataException, errMsg @@ -811,7 +812,7 @@ class Enumeration: query = rootQuery.blind.count % db count = inject.getValue(query, inband=False, expected="int", charsetType=2) - if not count.isdigit() or not len(count) or count == "0": + if not isNumPosStrValue(count): warnMsg = "unable to retrieve the number of " warnMsg += "tables for database '%s'" % db logger.warn(warnMsg) @@ -982,7 +983,7 @@ class Enumeration: count = inject.getValue(query, inband=False, expected="int", charsetType=2) - if not count.isdigit() or not len(count) or count == "0": + if not isNumPosStrValue(count): errMsg = "unable to retrieve the number of columns " errMsg += "for table '%s' " % conf.tbl errMsg += "on database '%s'" % conf.db @@ -1165,7 +1166,7 @@ class Enumeration: query = rootQuery.blind.count % (conf.db, conf.tbl) count = inject.getValue(query, inband=False, expected="int", charsetType=2) - if not count.isdigit() or not len(count) or count == "0": + if not isNumPosStrValue(count): warnMsg = "unable to retrieve the number of " if conf.col: warnMsg += "columns '%s' " % colString @@ -1400,7 +1401,7 @@ class Enumeration: query += exclDbsQuery count = inject.getValue(query, inband=False, expected="int", charsetType=2) - if not count.isdigit() or not len(count) or count == "0": + if not isNumPosStrValue(count): warnMsg = "no database" if dbConsider == "1": warnMsg += "s like" @@ -1485,7 +1486,7 @@ class Enumeration: query += exclDbsQuery count = inject.getValue(query, inband=False, expected="int", charsetType=2) - if not count.isdigit() or not len(count) or count == "0": + if not isNumPosStrValue(count): warnMsg = "no databases have table" if tblConsider == "1": warnMsg += "s like" @@ -1522,7 +1523,7 @@ class Enumeration: query += " AND %s" % tblQuery count = inject.getValue(query, inband=False, expected="int", charsetType=2) - if not count.isdigit() or not len(count) or count == "0": + if not isNumPosStrValue(count): warnMsg = "no table" if tblConsider == "1": warnMsg += "s like" @@ -1624,7 +1625,7 @@ class Enumeration: query += exclDbsQuery count = inject.getValue(query, inband=False, expected="int", charsetType=2) - if not count.isdigit() or not len(count) or count == "0": + if not isNumPosStrValue(count): warnMsg = "no databases have tables containing column" if colConsider == "1": warnMsg += "s like" @@ -1664,7 +1665,7 @@ class Enumeration: query += " AND %s" % colQuery count = inject.getValue(query, inband=False, expected="int", charsetType=2) - if not count.isdigit() or not len(count) or count == "0": + if not isNumPosStrValue(count): warnMsg = "no tables contain column" if colConsider == "1": warnMsg += "s like"