sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-02-03 13:14:13 +03:00
Code Issues Packages Projects Releases Wiki Activity

Major bug fix to properly prepare UNION technique statement for --os-pwn and --is-dba

Browse Source
This commit is contained in:
Bernardo Damele 2011-02-21 16:00:56 +00:00
parent 90582ed7dc
commit 3e8c204121
5 changed files with 11 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
lib/core/agent.py
View File

@ -328,7 +328,7 @@ class Agent:
if not Backend.getDbms(): if not Backend.getDbms():
return fields return fields
if fields.startswith("(CASE"): if fields.startswith("(CASE") or fields.startswith("SUBSTR"):
nulledCastedConcatFields = fields nulledCastedConcatFields = fields
else: else:
fields = fields.replace(", ", ",") fields = fields.replace(", ", ",")
@ -368,9 +368,12 @@ class Agent:
fieldsSelectFrom = re.search("\ASELECT%s\s+(.+?)\s+FROM\s+" % prefixRegex, query, re.I) fieldsSelectFrom = re.search("\ASELECT%s\s+(.+?)\s+FROM\s+" % prefixRegex, query, re.I)
fieldsExists = re.search("EXISTS(.*)", query, re.I) fieldsExists = re.search("EXISTS(.*)", query, re.I)
fieldsSelect = re.search("\ASELECT%s\s+(.*)" % prefixRegex, query, re.I) fieldsSelect = re.search("\ASELECT%s\s+(.*)" % prefixRegex, query, re.I)
fieldsSubstr = re.search("\ASUBSTR", query, re.I)
fieldsNoSelect = query fieldsNoSelect = query
if fieldsExists: if fieldsSubstr:
fieldsToCastStr = query
elif fieldsExists:
fieldsToCastStr = fieldsSelect.groups()[0] fieldsToCastStr = fieldsSelect.groups()[0]
elif fieldsSelectTop: elif fieldsSelectTop:
fieldsToCastStr = fieldsSelectTop.groups()[0] fieldsToCastStr = fieldsSelectTop.groups()[0]
@ -386,7 +389,7 @@ class Agent:
fieldsToCastStr = fieldsNoSelect fieldsToCastStr = fieldsNoSelect
# Function # Function
if re.search("\A\w+\(.*\)", fieldsToCastStr, re.I) or fieldsSelectCase: if re.search("\A\w+\(.*\)", fieldsToCastStr, re.I) or fieldsSelectCase or fieldsSubstr:
fieldsToCastList = [fieldsToCastStr] fieldsToCastList = [fieldsToCastStr]
else: else:
fieldsToCastList = fieldsToCastStr.replace(", ", ",") fieldsToCastList = fieldsToCastStr.replace(", ", ",")

4
lib/takeover/udf.py
View File

@ -51,8 +51,8 @@ class UDF:
def __checkExistUdf(self, udf): def __checkExistUdf(self, udf):
logger.info("checking if UDF '%s' already exist" % udf) logger.info("checking if UDF '%s' already exist" % udf)
query = agent.forgeCaseStatement(queries[Backend.getIdentifiedDbms()].check_udf.query % (udf, udf)) query = agent.forgeCaseStatement(queries[Backend.getIdentifiedDbms()].check_udf.query % (udf, udf))
exists = inject.getValue(query, resumeValue=False, unpack=False, charsetType=2) exists = inject.getValue(query, resumeValue=False, charsetType=2)
if exists == "1": if exists == "1":
return True return True

2
plugins/generic/enumeration.py
View File

@ -142,7 +142,7 @@ class Enumeration:
query = queries[Backend.getIdentifiedDbms()].is_dba.query query = queries[Backend.getIdentifiedDbms()].is_dba.query
query = agent.forgeCaseStatement(query) query = agent.forgeCaseStatement(query)
isDba = inject.getValue(query, unpack=False, charsetType=1) isDba = inject.getValue(query, charsetType=1)
if user is None: if user is None:
kb.data.isDba = isDba kb.data.isDba = isDba

2
plugins/generic/misc.py
View File

@ -74,7 +74,7 @@ class Miscellaneous:
if conf.direct: if conf.direct:
query = "SELECT %s" % query query = "SELECT %s" % query
kb.bannerFp["dbmsVersion"] = inject.getValue(query, unpack=False) kb.bannerFp["dbmsVersion"] = inject.getValue(query)
kb.bannerFp["dbmsVersion"] = kb.bannerFp["dbmsVersion"].replace(",", "").replace("-", "").replace(" ", "") kb.bannerFp["dbmsVersion"] = kb.bannerFp["dbmsVersion"].replace(",", "").replace("-", "").replace(" ", "")
def delRemoteFile(self, tempFile): def delRemoteFile(self, tempFile):

2
xml/queries.xml
View File

@ -95,7 +95,7 @@
--> -->
<timedelay query="SELECT PG_SLEEP(%d)" query2="SELECT 'sqlmap' WHERE exists(SELECT * FROM generate_series(1, 300000%d))" query3="CREATE OR REPLACE FUNCTION sleep(int) RETURNS int AS '/lib/libc.so.6', 'sleep' language 'C' STRICT; SELECT sleep(%d)"/> <timedelay query="SELECT PG_SLEEP(%d)" query2="SELECT 'sqlmap' WHERE exists(SELECT * FROM generate_series(1, 300000%d))" query3="CREATE OR REPLACE FUNCTION sleep(int) RETURNS int AS '/lib/libc.so.6', 'sleep' language 'C' STRICT; SELECT sleep(%d)"/>
<substring query="SUBSTR((%s)::text, %d, %d)"/> <substring query="SUBSTR((%s)::text, %d, %d)"/>
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/> <case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END)"/>
<inference query="ASCII(SUBSTR((%s)::text, %d, 1)) > %d"/> <inference query="ASCII(SUBSTR((%s)::text, %d, 1)) > %d"/>
<banner query="SELECT VERSION()"/> <banner query="SELECT VERSION()"/>
<current_user query="SELECT CURRENT_USER"/> <current_user query="SELECT CURRENT_USER"/>