Prioritize DBMS fingerprint based on DBMS (<dbms>) identified during the detection phase.

Minor bug fix to properly handle the case that no injections are found. Nicer display of injection vulnerabilities detected. Minor code refactoring.
2025-02-02 20:54:13 +03:00 · 2010-11-28 21:27:47 +00:00 · 2010-11-28 21:27:47 +00:00 · 472f4465a6
commit 472f4465a6
parent 7e3b24afe6
6 changed files with 33 additions and 20 deletions
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@ -306,7 +306,10 @@ def checkSqlInjection(place, parameter, value):

                break

+    if injection.place is not None and injection.parameter is not None:
        return injection
+    else:
+        return None

 def heuristicCheckSqlInjection(place, parameter, value):
    if kb.nullConnection:
--- a/lib/controller/controller.py
+++ b/lib/controller/controller.py
@ -126,21 +126,22 @@ def __selectInjection():
        kb.injection = kb.injections[index]

 def __formatInjection(inj):
-    header = "Place: %s\n" % inj.place
-    header += "Parameter: %s\n" % inj.parameter
-    data = ""
+    data = "Place: %s\n" % inj.place
+    data += "Parameter: %s\n" % inj.parameter

    for stype, sdata in inj.data.items():
-        data += "Type: %s\n" % PAYLOAD.SQLINJECTION[stype]
-        data += "Payload: %s\n\n" % sdata[3]
+        data += "    Type: %s\n" % PAYLOAD.SQLINJECTION[stype]
+        data += "    Payload: %s\n\n" % sdata[3]

-    return header, data
+    return data

 def __showInjections():
-    dataToStdout("sqlmap identified the following injection points:\n")
+    header = "sqlmap identified the following injection points"
+    data = ""

    for inj in kb.injections:
-        header, data = __formatInjection(inj)
+        data += __formatInjection(inj)
+
    dumper.technic(header, data)

 def start():
@ -318,9 +319,6 @@ def start():
                    for parameter, value in paramDict.items():
                        testSqlInj = True

-                        # TODO: with the new detection engine, review this
-                        # part. Perhaps dynamicity test will not be of any
-                        # use
                        paramKey = (conf.hostname, conf.path, place, parameter)

                        if paramKey in kb.testedParams:
@ -337,7 +335,6 @@ def start():
                        elif not checkDynParam(place, parameter, value):
                            warnMsg = "%s parameter '%s' is not dynamic" % (place, parameter)
                            logger.warn(warnMsg)
-                            testSqlInj = False

                        else:
                            logMsg = "%s parameter '%s' is dynamic" % (place, parameter)
--- a/lib/controller/handler.py
+++ b/lib/controller/handler.py
@ -63,15 +63,23 @@ def setHandler():
                ]

    if kb.htmlFp:
+        inferencedDbms = kb.htmlFp[-1]
+    elif hasattr(kb.injection, "dbms"):
+        inferencedDbms = kb.injection.dbms
+    else:
+        inferencedDbms = None
+
+    if inferencedDbms is not None:
        for i in xrange(len(dbmsMap)):
            dbmsAliases, _, _ = dbmsMap[i]
-            if kb.htmlFp[-1].lower() in dbmsAliases:
+
+            if inferencedDbms.lower() in dbmsAliases:
                if i > 0:
                    pushValue(dbmsMap[i])
                    dbmsMap.remove(dbmsMap[i])
                    dbmsMap.insert(0, popValue())
-                break

+                break

    for dbmsAliases, dbmsMap, dbmsConn in dbmsMap:
        if conf.dbms and conf.dbms not in dbmsAliases:
--- a/lib/core/dump.py
+++ b/lib/core/dump.py
@ -89,7 +89,7 @@ class Dump:
        if elements:
            self.__write("")

-    def technic(self,header,data):
+    def technic(self, header, data):
        self.string(header, data)

    def banner(self,data):
--- a/lib/core/option.py
+++ b/lib/core/option.py
@ -1129,6 +1129,7 @@ def __setKnowledgeBaseAttributes():
    kb.errorTest       = None
    kb.stackedTest     = None
    kb.timeTest        = None
+    kb.unionTest       = None

    # Basic back-end DBMS fingerprint
    kb.dbms            = None
@ -1180,7 +1181,6 @@ def __setKnowledgeBaseAttributes():
    kb.unionPosition   = None
    kb.unionNegative   = False
    kb.unionFalseCond  = False
-    kb.unionTest       = None
    kb.userAgents      = None
    kb.valueStack      = []

--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@ -28,6 +28,7 @@ from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.data import queries
 from lib.core.enums import DBMS
+from lib.core.exception import sqlmapNotVulnerableException
 from lib.core.unescaper import unescaper
 from lib.request.connect import Connect as Request
 from lib.request.direct import direct
@ -346,7 +347,7 @@ def getValue(expression, blind=True, inband=True, error=True, fromUser=False, ex

    if conf.direct:
        value = direct(expression)
-    else:
+    elif kb.booleanTest or kb.errorTest or kb.unionTest:
        expression = cleanQuery(expression)
        expression = expandAsteriskForColumns(expression)
        value      = None
@ -376,7 +377,7 @@ def getValue(expression, blind=True, inband=True, error=True, fromUser=False, ex
        kb.unionFalseCond   = False
        kb.unionNegative    = False

-        if blind and not value:
+        if blind and kb.booleanTest and not value:
            value = __goInferenceProxy(expression, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar)

        kb.unionFalseCond = oldParamFalseCond
@ -384,6 +385,10 @@ def getValue(expression, blind=True, inband=True, error=True, fromUser=False, ex

        if value and isinstance(value, basestring):
            value = value.strip()
+    else:
+        errMsg = "none of the injection types identified can be "
+        errMsg += "leveraged to retrieve queries output"
+        raise sqlmapNotVulnerableException, errMsg

    if suppressOutput:
        conf.verbose = popValue()