sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-02-03 13:14:13 +03:00
Code Issues Packages Projects Releases Wiki Activity

new UNION column detection is going into wild

Browse Source
This commit is contained in:
Miroslav Stampar 2011-02-03 16:16:38 +00:00
parent b56a77e573
commit 3a13fd87fd
1 changed files with 7 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
lib/techniques/inband/union/test.py
View File

@ -81,6 +81,10 @@ def __findUnionCharCount(comment, place, parameter, value, prefix, suffix, where
kb.errorIsNone = popValue() kb.errorIsNone = popValue()
if retVal:
infoMsg = "target url is UNION injectable with %d columns" % retVal
logger.info(infoMsg)
return retVal return retVal
def __unionPosition(comment, place, parameter, value, prefix, suffix, count, where=PAYLOAD.WHERE.ORIGINAL): def __unionPosition(comment, place, parameter, value, prefix, suffix, count, where=PAYLOAD.WHERE.ORIGINAL):
@ -157,9 +161,10 @@ def __unionTestByCharBruteforce(comment, place, parameter, value, prefix, suffix
vector = None vector = None
query = agent.prefixQuery("UNION ALL SELECT %s" % conf.uChar) query = agent.prefixQuery("UNION ALL SELECT %s" % conf.uChar)
total = conf.uColsStop+1 - conf.uColsStart total = conf.uColsStop+1 - conf.uColsStart
index = 1
for count in range(conf.uColsStart, conf.uColsStop+1): count = __findUnionCharCount(comment, place, parameter, value, prefix, suffix)
if count:
if Backend.getIdentifiedDbms() in FROM_TABLE and query.endswith(FROM_TABLE[Backend.getIdentifiedDbms()]): if Backend.getIdentifiedDbms() in FROM_TABLE and query.endswith(FROM_TABLE[Backend.getIdentifiedDbms()]):
query = query[:-len(FROM_TABLE[Backend.getIdentifiedDbms()])] query = query[:-len(FROM_TABLE[Backend.getIdentifiedDbms()])]
@ -169,19 +174,8 @@ def __unionTestByCharBruteforce(comment, place, parameter, value, prefix, suffix
if Backend.getIdentifiedDbms() in FROM_TABLE: if Backend.getIdentifiedDbms() in FROM_TABLE:
query += FROM_TABLE[Backend.getIdentifiedDbms()] query += FROM_TABLE[Backend.getIdentifiedDbms()]
status = "%d/%d" % (count, conf.uColsStop)
debugMsg = "testing %s columns (%d%%)" % (status, round(100.0*index/total))
logger.debug(debugMsg)
validPayload, vector = __unionConfirm(comment, place, parameter, value, prefix, suffix, count) validPayload, vector = __unionConfirm(comment, place, parameter, value, prefix, suffix, count)
if validPayload:
break
index += 1
clearConsoleLine(True)
return validPayload, vector return validPayload, vector
def unionTest(comment, place, parameter, value, prefix, suffix): def unionTest(comment, place, parameter, value, prefix, suffix):