Major bug fix to properly prepare UNION technique statement for --os-pwn and --is-dba

2025-01-24 08:14:24 +03:00 · 2011-02-21 16:00:56 +00:00 · 2011-02-21 16:00:56 +00:00 · 3e8c204121
commit 3e8c204121
parent 90582ed7dc
5 changed files with 11 additions and 8 deletions
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@ -328,7 +328,7 @@ class Agent:
        if not Backend.getDbms():
            return fields

-        if fields.startswith("(CASE"):
+        if fields.startswith("(CASE") or fields.startswith("SUBSTR"):
            nulledCastedConcatFields = fields
        else:
            fields = fields.replace(", ", ",")
@ -368,9 +368,12 @@ class Agent:
        fieldsSelectFrom = re.search("\ASELECT%s\s+(.+?)\s+FROM\s+" % prefixRegex, query, re.I)
        fieldsExists = re.search("EXISTS(.*)", query, re.I)
        fieldsSelect = re.search("\ASELECT%s\s+(.*)" % prefixRegex, query, re.I)
+        fieldsSubstr = re.search("\ASUBSTR", query, re.I)
        fieldsNoSelect = query

-        if fieldsExists:
+        if fieldsSubstr:
+            fieldsToCastStr = query
+        elif fieldsExists:
            fieldsToCastStr = fieldsSelect.groups()[0]
        elif fieldsSelectTop:
            fieldsToCastStr = fieldsSelectTop.groups()[0]
@ -386,7 +389,7 @@ class Agent:
            fieldsToCastStr = fieldsNoSelect

        # Function
-        if re.search("\A\w+\(.*\)", fieldsToCastStr, re.I) or fieldsSelectCase:
+        if re.search("\A\w+\(.*\)", fieldsToCastStr, re.I) or fieldsSelectCase or fieldsSubstr:
            fieldsToCastList = [fieldsToCastStr]
        else:
            fieldsToCastList = fieldsToCastStr.replace(", ", ",")
--- a/lib/takeover/udf.py
+++ b/lib/takeover/udf.py
@ -51,8 +51,8 @@ class UDF:
    def __checkExistUdf(self, udf):
        logger.info("checking if UDF '%s' already exist" % udf)

-        query  = agent.forgeCaseStatement(queries[Backend.getIdentifiedDbms()].check_udf.query % (udf, udf))
-        exists = inject.getValue(query, resumeValue=False, unpack=False, charsetType=2)
+        query = agent.forgeCaseStatement(queries[Backend.getIdentifiedDbms()].check_udf.query % (udf, udf))
+        exists = inject.getValue(query, resumeValue=False, charsetType=2)

        if exists == "1":
            return True
--- a/plugins/generic/enumeration.py
+++ b/plugins/generic/enumeration.py
@ -142,7 +142,7 @@ class Enumeration:
            query = queries[Backend.getIdentifiedDbms()].is_dba.query

        query = agent.forgeCaseStatement(query)
-        isDba = inject.getValue(query, unpack=False, charsetType=1)
+        isDba = inject.getValue(query, charsetType=1)

        if user is None:
            kb.data.isDba = isDba
--- a/plugins/generic/misc.py
+++ b/plugins/generic/misc.py
@ -74,7 +74,7 @@ class Miscellaneous:
        if conf.direct:
            query = "SELECT %s" % query

-        kb.bannerFp["dbmsVersion"] = inject.getValue(query, unpack=False)
+        kb.bannerFp["dbmsVersion"] = inject.getValue(query)
        kb.bannerFp["dbmsVersion"] = kb.bannerFp["dbmsVersion"].replace(",", "").replace("-", "").replace(" ", "")

    def delRemoteFile(self, tempFile):
--- a/xml/queries.xml
+++ b/xml/queries.xml
@ -95,7 +95,7 @@
        -->
        <timedelay query="SELECT PG_SLEEP(%d)" query2="SELECT 'sqlmap' WHERE exists(SELECT * FROM generate_series(1, 300000%d))" query3="CREATE OR REPLACE FUNCTION sleep(int) RETURNS int AS '/lib/libc.so.6', 'sleep' language 'C' STRICT; SELECT sleep(%d)"/>
        <substring query="SUBSTR((%s)::text, %d, %d)"/>
-        <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
+        <case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END)"/>
        <inference query="ASCII(SUBSTR((%s)::text, %d, 1)) > %d"/>
        <banner query="SELECT VERSION()"/>
        <current_user query="SELECT CURRENT_USER"/>