sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-02-03 13:14:13 +03:00
Code Issues Packages Projects Releases Wiki Activity

Fixed custom MSSQL "limited" query support also for Partial UNION query technique

Browse Source
This commit is contained in:
Bernardo Damele 2009-01-03 00:27:04 +00:00
parent 9c42a883be
commit 2d87a3349f
3 changed files with 7 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
lib/core/agent.py
View File

@ -481,15 +481,15 @@ class Agent:
if " ORDER BY " in limitedQuery: if " ORDER BY " in limitedQuery:
limitedQuery = limitedQuery[:limitedQuery.index(" ORDER BY ")] limitedQuery = limitedQuery[:limitedQuery.index(" ORDER BY ")]
if not limitedQuery.startswith("SELECT TOP "): if not limitedQuery.startswith("SELECT TOP ") and not limitedQuery.startswith("TOP "):
limitedQuery = limitedQuery.replace("SELECT ", (limitStr % 1), 1) limitedQuery = limitedQuery.replace("SELECT ", (limitStr % 1), 1)
limitedQuery = "%s WHERE %s " % (limitedQuery, field) limitedQuery = "%s WHERE %s " % (limitedQuery, field)
limitedQuery += "NOT IN (%s" % (limitStr % num) limitedQuery += "NOT IN (%s" % (limitStr % num)
limitedQuery += "%s %s)" % (field, fromFrom) limitedQuery += "%s %s)" % (field, fromFrom)
else: else:
topNums = re.search("\ASELECT\s+TOP\s+([\d]+)\s+.+?\s+FROM\s+.+?\s+WHERE\s+.+?\s+NOT\s+IN\s+\(SELECT\s+TOP\s+([\d]+)\s+", limitedQuery, re.I).groups() topNums = re.search("TOP\s+([\d]+)\s+.+?\s+FROM\s+.+?\s+WHERE\s+.+?\s+NOT\s+IN\s+\(SELECT\s+TOP\s+([\d]+)\s+", limitedQuery, re.I).groups()
quantityTopNums = topNums[0] quantityTopNums = topNums[0]
limitedQuery = limitedQuery.replace("SELECT TOP %s" % quantityTopNums, "SELECT TOP 1", 1) limitedQuery = limitedQuery.replace("TOP %s" % quantityTopNums, "TOP 1", 1)
startTopNums = topNums[1] startTopNums = topNums[1]
limitedQuery = limitedQuery.replace(" (SELECT TOP %s" % startTopNums, " (SELECT TOP %d" % num) limitedQuery = limitedQuery.replace(" (SELECT TOP %s" % startTopNums, " (SELECT TOP %d" % num)

3
lib/techniques/inband/union/use.py
View File

@ -216,6 +216,9 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False):
untilLimitChar = expression.index(queries[kb.dbms].limitstring) untilLimitChar = expression.index(queries[kb.dbms].limitstring)
expression = expression[:untilLimitChar] expression = expression[:untilLimitChar]
elif kb.dbms == "Microsoft SQL Server":
stopLimit += startLimit
if not stopLimit or stopLimit <= 1: if not stopLimit or stopLimit <= 1:
if kb.dbms == "Oracle" and expression.endswith("FROM DUAL"): if kb.dbms == "Oracle" and expression.endswith("FROM DUAL"):
test = False test = False

2
xml/queries.xml
View File

@ -169,7 +169,7 @@
<isnull query="ISNULL(%s, ' ')"/> <isnull query="ISNULL(%s, ' ')"/>
<delimiter query="+"/> <delimiter query="+"/>
<limit query="SELECT TOP %d "/> <limit query="SELECT TOP %d "/>
<limitregexp query="SELECT\s+TOP\s+([\d]+)\s+.+?\s+FROM\s+.+?\s+WHERE\s+.+?\s+NOT\s+IN\s+\(SELECT\s+TOP\s+([\d]+)\s+"/> <limitregexp query="TOP\s+([\d]+)\s+.+?\s+FROM\s+.+?\s+WHERE\s+.+?\s+NOT\s+IN\s+\(SELECT\s+TOP\s+([\d]+)\s+"/>
<limitgroupstart query="2"/> <limitgroupstart query="2"/>
<limitgroupstop query="1"/> <limitgroupstop query="1"/>
<limitstring/> <limitstring/>