sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-02-03 13:14:13 +03:00
Code Issues Packages Projects Releases Wiki Activity

Update for an Issue #24

Browse Source
This commit is contained in:
Miroslav Stampar 2013-01-08 10:55:25 +01:00
parent 614f4657f1
commit 55a552ddc4
3 changed files with 23 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
lib/core/agent.py
View File

@ -444,19 +444,9 @@ class Agent(object):
return fieldsSelectFrom, fieldsSelect, fieldsNoSelect, fieldsSelectTop, fieldsSelectCase, fieldsToCastList, fieldsToCastStr, fieldsExists return fieldsSelectFrom, fieldsSelect, fieldsNoSelect, fieldsSelectTop, fieldsSelectCase, fieldsToCastList, fieldsToCastStr, fieldsExists
def simpleConcatQuery(self, query1, query2): def simpleConcatenate(self, first, second):
concatenatedQuery = "" rootQuery = queries[Backend.getIdentifiedDbms()]
return rootQuery.concatenate.query % (first, second)
if Backend.isDbms(DBMS.MYSQL):
concatenatedQuery = "CONCAT(%s,%s)" % (query1, query2)
elif Backend.getIdentifiedDbms() in (DBMS.PGSQL, DBMS.ORACLE, DBMS.SQLITE, DBMS.DB2):
concatenatedQuery = "%s||%s" % (query1, query2)
elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):
concatenatedQuery = "%s+%s" % (query1, query2)
return concatenatedQuery
def concatQuery(self, query, unpack=True): def concatQuery(self, query, unpack=True):
""" """

2
plugins/generic/filesystem.py
View File

@ -97,7 +97,7 @@ class Filesystem:
if counter == 0: if counter == 0:
sqlQueries.append("INSERT INTO %s(%s) VALUES (%s)" % (self.fileTblName, self.tblField, fcEncodedLine)) sqlQueries.append("INSERT INTO %s(%s) VALUES (%s)" % (self.fileTblName, self.tblField, fcEncodedLine))
else: else:
updatedField = agent.simpleConcatQuery(self.tblField, fcEncodedLine) updatedField = agent.simpleConcatenate(self.tblField, fcEncodedLine)
sqlQueries.append("UPDATE %s SET %s=%s" % (self.fileTblName, self.tblField, updatedField)) sqlQueries.append("UPDATE %s SET %s=%s" % (self.fileTblName, self.tblField, updatedField))
counter += 1 counter += 1

27
xml/queries.xml
View File

@ -22,6 +22,7 @@
* http://dev.mysql.com/doc/refman/5.1/en/miscellaneous-functions.html#function_sleep * http://dev.mysql.com/doc/refman/5.1/en/miscellaneous-functions.html#function_sleep
--> -->
<substring query="MID((%s),%d,%d)"/> <substring query="MID((%s),%d,%d)"/>
<concatenate query="CONCAT(%s,%s)"/>
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/> <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
<hex query="HEX(%s)"/> <hex query="HEX(%s)"/>
<inference query="ORD(MID((%s),%d,1)) > %d"/> <inference query="ORD(MID((%s),%d,1)) > %d"/>
@ -95,6 +96,7 @@
* http://www.postgresql.org/docs/8.3/interactive/functions-datetime.html#FUNCTIONS-DATETIME-DELAY * http://www.postgresql.org/docs/8.3/interactive/functions-datetime.html#FUNCTIONS-DATETIME-DELAY
--> -->
<substring query="SUBSTR((%s)::text,%d,%d)"/> <substring query="SUBSTR((%s)::text,%d,%d)"/>
<concatenate query="%s||%s"/>
<case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END)"/> <case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END)"/>
<hex query="ENCODE(CONVERT_TO((%s),'UTF8'),'HEX')"/> <hex query="ENCODE(CONVERT_TO((%s),'UTF8'),'HEX')"/>
<inference query="ASCII(SUBSTR((%s)::text,%d,1)) > %d"/> <inference query="ASCII(SUBSTR((%s)::text,%d,1)) > %d"/>
@ -162,6 +164,7 @@
<count query="COUNT(%s)"/> <count query="COUNT(%s)"/>
<comment query="--" query2="/*"/> <comment query="--" query2="/*"/>
<substring query="SUBSTRING((%s),%d,%d)"/> <substring query="SUBSTRING((%s),%d,%d)"/>
<concatenate query="%s+%s"/>
<case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END)"/> <case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END)"/>
<hex query="master.sys.fn_varbintohexstr(CAST(%s AS VARBINARY(MAX)))"/> <hex query="master.sys.fn_varbintohexstr(CAST(%s AS VARBINARY(MAX)))"/>
<inference query="UNICODE(SUBSTRING((%s),%d,1)) > %d"/> <inference query="UNICODE(SUBSTRING((%s),%d,1)) > %d"/>
@ -227,6 +230,7 @@
<count query="COUNT(%s)"/> <count query="COUNT(%s)"/>
<comment query="--"/> <comment query="--"/>
<substring query="SUBSTRC((%s),%d,%d)"/> <substring query="SUBSTRC((%s),%d,%d)"/>
<concatenate query="%s||%s"/>
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/> <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
<hex query="RAWTOHEX(%s)"/> <hex query="RAWTOHEX(%s)"/>
<inference query="ASCII(SUBSTRC((%s),%d,1)) > %d"/> <inference query="ASCII(SUBSTRC((%s),%d,1)) > %d"/>
@ -315,6 +319,7 @@
<count query="COUNT(%s)"/> <count query="COUNT(%s)"/>
<comment query="--" query2="/*"/> <comment query="--" query2="/*"/>
<substring query="SUBSTR((%s),%d,%d)"/> <substring query="SUBSTR((%s),%d,%d)"/>
<concatenate query="%s||%s"/>
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/> <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
<hex query="HEX(%s)"/> <hex query="HEX(%s)"/>
<inference query="SUBSTR((%s),%d,1) > '%c'"/> <inference query="SUBSTR((%s),%d,1) > '%c'"/>
@ -361,6 +366,7 @@
<count query="COUNT(%s)"/> <count query="COUNT(%s)"/>
<comment query="%00"/> <comment query="%00"/>
<substring query="MID((%s),%d,%d)"/> <substring query="MID((%s),%d,%d)"/>
<concatenate query="%s&amp;%s"/>
<case query="SELECT (IIF(%s,1,0))"/> <case query="SELECT (IIF(%s,1,0))"/>
<banner/> <banner/>
<!--CURRENTUSER() is not available outside the MS Access query tool itself--> <!--CURRENTUSER() is not available outside the MS Access query tool itself-->
@ -403,6 +409,7 @@
<comment query="--"/> <comment query="--"/>
<count query="COUNT(%s)"/> <count query="COUNT(%s)"/>
<substring query="SUBSTRING((%s) FROM %d FOR %d)"/> <substring query="SUBSTRING((%s) FROM %d FOR %d)"/>
<concatenate query="%s||%s"/>
<case query="SELECT IIF(%s,1,0)"/> <case query="SELECT IIF(%s,1,0)"/>
<banner query="SELECT RDB$GET_CONTEXT('SYSTEM','ENGINE_VERSION') FROM RDB$DATABASE" dbms_version="&gt;=2.1"/> <banner query="SELECT RDB$GET_CONTEXT('SYSTEM','ENGINE_VERSION') FROM RDB$DATABASE" dbms_version="&gt;=2.1"/>
<current_user query="SELECT CURRENT_USER FROM RDB$DATABASE"/> <current_user query="SELECT CURRENT_USER FROM RDB$DATABASE"/>
@ -447,21 +454,23 @@
<!-- SAP MaxDB --> <!-- SAP MaxDB -->
<dbms value="SAP MaxDB"> <dbms value="SAP MaxDB">
<length query="LENGTH(%s)"/> <length query="LENGTH(%s)"/>
<banner query="SELECT ID FROM SYSINFO.VERSION"/>
<isnull query="VALUE(%s,' ')" query2="IFNULL(%s,' ')"/> <isnull query="VALUE(%s,' ')" query2="IFNULL(%s,' ')"/>
<comment query="--" query2="#"/> <delimiter query=","/>
<count query="COUNT(%s)"/>
<!-- No real cast on SAP MaxDB --> <!-- No real cast on SAP MaxDB -->
<cast query="REPLACE(CHR(%s),' ','_')"/> <cast query="REPLACE(CHR(%s),' ','_')"/>
<current_user query="SELECT USER() FROM DUAL"/>
<current_db query="SELECT DATABASE() FROM DUAL"/>
<hostname/>
<order query="ORDER BY %s ASC"/> <order query="ORDER BY %s ASC"/>
<count query="COUNT(%s)"/>
<comment query="--" query2="#"/>
<substring query="SUBSTR((%s),%d,%d)"/>
<concatenate query="CONCAT(%s,%s)"/>
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/> <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
<hex query="HEX(%s)"/> <hex query="HEX(%s)"/>
<inference query="SUBSTR((%s),%d,1) > '%c'"/> <inference query="SUBSTR((%s),%d,1) > '%c'"/>
<delimiter query=","/> <banner query="SELECT ID FROM SYSINFO.VERSION"/>
<substring query="SUBSTR((%s),%d,%d)"/> <current_user query="SELECT USER() FROM DUAL"/>
<current_db query="SELECT DATABASE() FROM DUAL"/>
<hostname/>
<is_dba/>
<users> <users>
<inband query="SELECT username FROM domain.users"/> <inband query="SELECT username FROM domain.users"/>
<blind query="SELECT MIN(username) FROM domain.users WHERE username>'%s'" count="SELECT CHR(COUNT(*)) FROM domain.users"/> <blind query="SELECT MIN(username) FROM domain.users WHERE username>'%s'" count="SELECT CHR(COUNT(*)) FROM domain.users"/>
@ -503,6 +512,7 @@
<count query="COUNT(%s)"/> <count query="COUNT(%s)"/>
<comment query="--" query2="/*"/> <comment query="--" query2="/*"/>
<substring query="SUBSTRING((%s),%d,%d)"/> <substring query="SUBSTRING((%s),%d,%d)"/>
<concatenate query="%s+%s"/>
<case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END)"/> <case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END)"/>
<hex query="BINTOSTR(CONVERT(VARBINARY,%s))"/> <hex query="BINTOSTR(CONVERT(VARBINARY,%s))"/>
<inference query="ASCII(SUBSTRING((%s),%d,1)) > %d"/> <inference query="ASCII(SUBSTRING((%s),%d,1)) > %d"/>
@ -571,6 +581,7 @@
<comment query="--"/> <comment query="--"/>
<!-- TODO --> <!-- TODO -->
<substring query="SUBSTR((%s),%d,%d)"/> <substring query="SUBSTR((%s),%d,%d)"/>
<concatenate query="%s||%s"/>
<case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END) FROM SYSIBM.SYSDUMMY1"/> <case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END) FROM SYSIBM.SYSDUMMY1"/>
<hex query="HEX(%s)"/> <hex query="HEX(%s)"/>
<inference query="SUBSTR((%s),%d,1) > '%c'"/> <inference query="SUBSTR((%s),%d,1) > '%c'"/>