more update regarding error based injection support

This commit is contained in:
Miroslav Stampar 2010-10-19 18:17:34 +00:00
parent b2e0b615f8
commit 4009ef385e
8 changed files with 100 additions and 18 deletions


@ -16,6 +16,7 @@ from lib.core.data import paths
from lib.core.exception import sqlmapUnsupportedDBMSException from lib.core.exception import sqlmapUnsupportedDBMSException
from lib.core.settings import SUPPORTED_DBMS from lib.core.settings import SUPPORTED_DBMS
from lib.techniques.blind.timebased import timeTest from lib.techniques.blind.timebased import timeTest
from lib.techniques.error.error import errorTest
from lib.techniques.inband.union.test import unionTest from lib.techniques.inband.union.test import unionTest
from lib.techniques.outband.stacked import stackedTest from lib.techniques.outband.stacked import stackedTest
@ -57,6 +58,9 @@ def action():
if conf.stackedTest: if conf.stackedTest:
conf.dumper.technic("stacked queries support", stackedTest()) conf.dumper.technic("stacked queries support", stackedTest())
if conf.errorTest:
conf.dumper.technic("error based injection support", errorTest())
if conf.timeTest: if conf.timeTest:
conf.dumper.technic("time based blind sql injection payload", timeTest()) conf.dumper.technic("time based blind sql injection payload", timeTest())


@ -1050,6 +1050,7 @@ def __setKnowledgeBaseAttributes():
kb.dep = None kb.dep = None
kb.docRoot = None kb.docRoot = None
kb.dynamicContent = [] kb.dynamicContent = []
kb.errorTest = None
kb.headersCount = 0 kb.headersCount = 0
kb.headersFp = {} kb.headersFp = {}
kb.hintValue = None kb.hintValue = None


@ -196,6 +196,15 @@ def setStacked():
if condition: if condition:
dataToSessionFile("[%s][%s][%s][Stacked queries][%s]\n" % (conf.url, kb.injPlace, safeFormatString(conf.parameters[kb.injPlace]), kb.stackedTest)) dataToSessionFile("[%s][%s][%s][Stacked queries][%s]\n" % (conf.url, kb.injPlace, safeFormatString(conf.parameters[kb.injPlace]), kb.stackedTest))
def setError():
condition = (
not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and
not kb.resumedQueries[conf.url].has_key("Error based injection") )
)
if condition:
dataToSessionFile("[%s][%s][%s][Error based injection][Yes]\n" % (conf.url, kb.injPlace, safeFormatString(conf.parameters[kb.injPlace])))
def setUnion(comment=None, count=None, position=None, negative=False, falseCond=False): def setUnion(comment=None, count=None, position=None, negative=False, falseCond=False):
""" """
@param comment: union comment to save in session file @param comment: union comment to save in session file
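Review bot: setError() writes a fixed `[Yes]` into the session file, but errorTest() in the new lib/techniques/error/error.py calls `setError()` after both the success and the failure branch, so a parameter that failed the test is persisted as supporting error-based injection and would presumably be resumed that way. setStacked() directly above records the actual kb.stackedTest value; using the same shape keeps the two entries consistent: `dataToSessionFile("[%s][%s][%s][Error based injection][%s]\n" % (conf.url, kb.injPlace, safeFormatString(conf.parameters[kb.injPlace]), kb.errorTest))`. The code that resumes the "Error based injection" entry is not in view, so whatever parses it must then accept a True/False value rather than only "Yes".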


@ -290,6 +290,7 @@ def initTargetEnv():
kb.dbms = None kb.dbms = None
kb.dbmsDetected = False kb.dbmsDetected = False
kb.dbmsVersion = [ "Unknown" ] kb.dbmsVersion = [ "Unknown" ]
kb.errorTest = None
kb.htmlFp = [] kb.htmlFp = []
kb.lastErrorPage = None kb.lastErrorPage = None
kb.injParameter = None kb.injParameter = None
@ -298,6 +299,8 @@ def initTargetEnv():
kb.nullConnection = None kb.nullConnection = None
kb.parenthesis = None kb.parenthesis = None
kb.proxyAuthHeader = None kb.proxyAuthHeader = None
kb.stackedTest = None
kb.timeTest = None
kb.unionComment = "" kb.unionComment = ""
kb.unionCount = None kb.unionCount = None
kb.unionPosition = None kb.unionPosition = None


@ -491,6 +491,10 @@ def cmdLineParser():
parser.add_option("--error", dest="error", action="store_true", parser.add_option("--error", dest="error", action="store_true",
default=False, help=SUPPRESS_HELP) default=False, help=SUPPRESS_HELP)
parser.add_option("--error-test", dest="errorTest",
action="store_true", default=False,
help=SUPPRESS_HELP)
parser.add_option("--cpu-throttle", dest="cpuThrottle", type="int", default=10, parser.add_option("--cpu-throttle", dest="cpuThrottle", type="int", default=10,
help=SUPPRESS_HELP) help=SUPPRESS_HELP)


@ -445,3 +445,13 @@ def goStacked(expression, silent=False):
page, _ = Request.queryPage(payload, content=True, silent=silent) page, _ = Request.queryPage(payload, content=True, silent=silent)
return payload, page return payload, page
def goError(expression):
#expression = cleanQuery(expression)
if conf.direct:
return direct(expression), None
result = __goError(expression)
return result
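Review bot: goError() returns a 2-tuple `(direct(expression), None)` on the conf.direct path but whatever `__goError` returns otherwise, so callers see a different shape depending on mode, whereas goStacked() just above always returns `payload, page`. If `__goError` yields a single value the direct branch should match it (or both should return a pair), and `result = __goError(expression)` followed by `return result` collapses to `return __goError(expression)`. The commented-out `#expression = cleanQuery(expression)` should either be removed or become a `# TODO: cleanQuery skipped here because ...` comment stating why the expression is not cleaned. `__goError` is not in the hunk and must be defined elsewhere in this module for the call to resolve.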


@ -20,7 +20,7 @@ from lib.request.connect import Connect as Request
def timeTest(): def timeTest():
infoMsg = "testing time based blind sql injection on parameter " infoMsg = "testing time based blind sql injection on parameter "
infoMsg += "'%s' with AND condition syntax" % kb.injParameter infoMsg += "'%s' with %s condition syntax" % (kb.injParameter, conf.logic)
logger.info(infoMsg) logger.info(infoMsg)
timeQuery = getDelayQuery(andCond=True) timeQuery = getDelayQuery(andCond=True)
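Review bot: The info message now reports `conf.logic` as the condition syntax, yet the next line still builds the query with `getDelayQuery(andCond=True)`, so when conf.logic is anything other than AND the log line and the payload may disagree. If getDelayQuery() derives the operator from conf.logic internally this is only cosmetic; otherwise the logic should be passed through rather than hard-coded, or the message kept fixed to AND. The rest of timeTest() lies outside the hunk.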


@ -0,0 +1,51 @@
#!/usr/bin/env python
"""
$Id$
Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission
"""
import time
from lib.core.common import getUnicode
from lib.core.common import randomInt
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import queries
from lib.core.session import setError
from lib.request import inject
def errorTest():
if conf.direct:
return
if kb.errorTest is not None:
return kb.errorTest
infoMsg = "testing error based sql injection on parameter "
infoMsg += "'%s' with %s condition syntax" % (kb.injParameter, conf.logic)
logger.info(infoMsg)
randInt = getUnicode(randomInt(1))
query = queries[kb.dbms].case % ("%s=%s" % (randInt, randInt))
result = inject.goError(query)
if result:
infoMsg = "the web application supports error based injection "
infoMsg += "on parameter '%s'" % kb.injParameter
logger.info(infoMsg)
kb.errorTest = True
else:
warnMsg = "the web application does not support error based injection "
warnMsg += "on parameter '%s'" % kb.injParameter
logger.warn(warnMsg)
kb.errorTest = False
setError()
return kb.errorTest
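Review bot: errorTest() returns nothing on the conf.direct path while every other exit returns kb.errorTest, and action() in this commit hands the value straight to `conf.dumper.technic("error based injection support", errorTest())`, so direct mode reports a None entry; replacing the bare `return` with `return kb.errorTest` (or an explicit False) keeps the return type uniform. `import time` is never used in the file and can be dropped. `queries[kb.dbms].case` raises KeyError if no DBMS has been fingerprinted when this runs; presumably action() guarantees that, but a docstring such as `"""Probe kb.injParameter for error-based injection; assumes kb.dbms is already set. Returns and caches the result in kb.errorTest."""` would make the precondition explicit.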