Major bug fix to make --first and --last apply only to --dump's entries dump phase (in either of the blind SQL injection techs only)
This commit is contained in:
parent
88faedc0fe
commit
60605b6e7c
|
@ -49,7 +49,7 @@ from lib.techniques.error.use import errorUse
|
||||||
from lib.utils.resume import queryOutputLength
|
from lib.utils.resume import queryOutputLength
|
||||||
from lib.utils.resume import resume
|
from lib.utils.resume import resume
|
||||||
|
|
||||||
def __goInference(payload, expression, charsetType=None, firstChar=None, lastChar=None):
|
def __goInference(payload, expression, charsetType=None, firstChar=None, lastChar=None, dump=False):
|
||||||
start = time.time()
|
start = time.time()
|
||||||
|
|
||||||
timeBasedCompare = (kb.technique in (PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED))
|
timeBasedCompare = (kb.technique in (PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED))
|
||||||
|
@ -61,14 +61,14 @@ def __goInference(payload, expression, charsetType=None, firstChar=None, lastCha
|
||||||
|
|
||||||
dataToSessionFile("[%s][%s][%s][%s][" % (conf.url, kb.injection.place, conf.parameters[kb.injection.place], expression))
|
dataToSessionFile("[%s][%s][%s][%s][" % (conf.url, kb.injection.place, conf.parameters[kb.injection.place], expression))
|
||||||
|
|
||||||
count, value = bisection(payload, expression, length, charsetType, firstChar, lastChar)
|
count, value = bisection(payload, expression, length, charsetType, firstChar, lastChar, dump)
|
||||||
|
|
||||||
debugMsg = "performed %d queries in %d seconds" % (count, calculateDeltaSeconds(start))
|
debugMsg = "performed %d queries in %d seconds" % (count, calculateDeltaSeconds(start))
|
||||||
logger.debug(debugMsg)
|
logger.debug(debugMsg)
|
||||||
|
|
||||||
return value
|
return value
|
||||||
|
|
||||||
def __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected=None, num=None, resumeValue=True, charsetType=None, firstChar=None, lastChar=None):
|
def __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected=None, num=None, resumeValue=True, charsetType=None, firstChar=None, lastChar=None, dump=False):
|
||||||
outputs = []
|
outputs = []
|
||||||
origExpr = None
|
origExpr = None
|
||||||
|
|
||||||
|
@ -96,7 +96,7 @@ def __goInferenceFields(expression, expressionFields, expressionFieldsList, payl
|
||||||
warnMsg += "sqlmap is going to retrieve the value again"
|
warnMsg += "sqlmap is going to retrieve the value again"
|
||||||
logger.warn(warnMsg)
|
logger.warn(warnMsg)
|
||||||
|
|
||||||
output = __goInference(payload, expressionReplaced, charsetType, firstChar, lastChar)
|
output = __goInference(payload, expressionReplaced, charsetType, firstChar, lastChar, dump)
|
||||||
|
|
||||||
if isinstance(num, int):
|
if isinstance(num, int):
|
||||||
expression = origExpr
|
expression = origExpr
|
||||||
|
@ -105,7 +105,7 @@ def __goInferenceFields(expression, expressionFields, expressionFieldsList, payl
|
||||||
|
|
||||||
return outputs
|
return outputs
|
||||||
|
|
||||||
def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, resumeValue=True, unpack=True, charsetType=None, firstChar=None, lastChar=None):
|
def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, resumeValue=True, unpack=True, charsetType=None, firstChar=None, lastChar=None, dump=False):
|
||||||
"""
|
"""
|
||||||
Retrieve the output of a SQL query characted by character taking
|
Retrieve the output of a SQL query characted by character taking
|
||||||
advantage of an blind SQL injection vulnerability on the affected
|
advantage of an blind SQL injection vulnerability on the affected
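Review bot: The docstring of __goInferenceProxy at the bottom of this hunk is not updated for the new `dump` parameter, so nothing tells a caller that it is the switch that lets --first/--last take effect. I would add a line after the existing text: `dump: when True, the --first/--last bounds from conf are applied by bisection(); otherwise they are ignored (meant for the --dump entries phase only)`. While touching it, the two typos in the visible lines (`characted by character`, `an blind`) could be fixed. Both the docstring and the function body continue past the hunk.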
|
||||||
|
@ -134,7 +134,7 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r
|
||||||
return output
|
return output
|
||||||
|
|
||||||
if not unpack:
|
if not unpack:
|
||||||
return __goInference(payload, expression, charsetType, firstChar, lastChar)
|
return __goInference(payload, expression, charsetType, firstChar, lastChar, dump)
|
||||||
|
|
||||||
_, _, _, _, _, expressionFieldsList, expressionFields, _ = agent.getFields(expression)
|
_, _, _, _, _, expressionFieldsList, expressionFields, _ = agent.getFields(expression)
|
||||||
|
|
||||||
|
@ -301,7 +301,7 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r
|
||||||
|
|
||||||
try:
|
try:
|
||||||
for num in xrange(startLimit, stopLimit):
|
for num in xrange(startLimit, stopLimit):
|
||||||
output = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, num, resumeValue=resumeValue, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar)
|
output = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, num, resumeValue=resumeValue, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar, dump=dump)
|
||||||
outputs.append(output)
|
outputs.append(output)
|
||||||
|
|
||||||
except KeyboardInterrupt:
|
except KeyboardInterrupt:
|
||||||
|
@ -314,7 +314,7 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r
|
||||||
elif Backend.getIdentifiedDbms() in FROM_TABLE and expression.upper().startswith("SELECT ") and " FROM " not in expression.upper():
|
elif Backend.getIdentifiedDbms() in FROM_TABLE and expression.upper().startswith("SELECT ") and " FROM " not in expression.upper():
|
||||||
expression += FROM_TABLE[Backend.getIdentifiedDbms()]
|
expression += FROM_TABLE[Backend.getIdentifiedDbms()]
|
||||||
|
|
||||||
outputs = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, resumeValue=resumeValue, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar)
|
outputs = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, resumeValue=resumeValue, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar, dump=dump)
|
||||||
returnValue = ", ".join([output for output in outputs])
|
returnValue = ", ".join([output for output in outputs])
|
||||||
|
|
||||||
return returnValue
|
return returnValue
|
||||||
|
@ -449,7 +449,7 @@ def getValue(expression, blind=True, inband=True, error=True, time=True, fromUse
|
||||||
if expected == EXPECTED.BOOL:
|
if expected == EXPECTED.BOOL:
|
||||||
value = __goBooleanProxy(booleanExpression, resumeValue)
|
value = __goBooleanProxy(booleanExpression, resumeValue)
|
||||||
else:
|
else:
|
||||||
value = __goInferenceProxy(query, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar)
|
value = __goInferenceProxy(query, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar, dump)
|
||||||
|
|
||||||
count += 1
|
count += 1
|
||||||
found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
|
found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
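Review bot: `dump` is passed as the tenth positional argument to __goInferenceProxy on the new line, while its declaration in getValue's own signature is not visible in any hunk (the hunk context still shows the old header cut at `fromUse`), so whether it is a parameter defaulting to False or some other name in scope cannot be confirmed from here. Passing it by keyword, `..., firstChar, lastChar, dump=dump)`, would make the call survive parameter reordering and would match the `dump=True` keyword style used at the enumeration call site; the identical call in the next hunk would get the same treatment. getValue begins before this hunk.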
|
||||||
|
@ -463,7 +463,7 @@ def getValue(expression, blind=True, inband=True, error=True, time=True, fromUse
|
||||||
if expected == EXPECTED.BOOL:
|
if expected == EXPECTED.BOOL:
|
||||||
value = __goBooleanProxy(booleanExpression, resumeValue)
|
value = __goBooleanProxy(booleanExpression, resumeValue)
|
||||||
else:
|
else:
|
||||||
value = __goInferenceProxy(query, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar)
|
value = __goInferenceProxy(query, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar, dump)
|
||||||
|
|
||||||
if value and isinstance(value, basestring):
|
if value and isinstance(value, basestring):
|
||||||
value = value.strip()
|
value = value.strip()
|
||||||
|
|
|
@ -45,7 +45,7 @@ from lib.core.settings import INFERENCE_NOT_EQUALS_CHAR
|
||||||
from lib.core.unescaper import unescaper
|
from lib.core.unescaper import unescaper
|
||||||
from lib.request.connect import Connect as Request
|
from lib.request.connect import Connect as Request
|
||||||
|
|
||||||
def bisection(payload, expression, length=None, charsetType=None, firstChar=None, lastChar=None):
|
def bisection(payload, expression, length=None, charsetType=None, firstChar=None, lastChar=None, dump=False):
|
||||||
"""
|
"""
|
||||||
Bisection algorithm that can be used to perform blind SQL injection
|
Bisection algorithm that can be used to perform blind SQL injection
|
||||||
on an affected host
|
on an affected host
|
||||||
|
@ -62,7 +62,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
|
||||||
|
|
||||||
if "LENGTH(" in expression or "LEN(" in expression:
|
if "LENGTH(" in expression or "LEN(" in expression:
|
||||||
firstChar = 0
|
firstChar = 0
|
||||||
elif conf.firstChar is not None and ( isinstance(conf.firstChar, int) or ( isinstance(conf.firstChar, basestring) and conf.firstChar.isdigit() ) ):
|
elif dump and conf.firstChar is not None and ( isinstance(conf.firstChar, int) or ( isinstance(conf.firstChar, basestring) and conf.firstChar.isdigit() ) ):
|
||||||
firstChar = int(conf.firstChar) - 1
|
firstChar = int(conf.firstChar) - 1
|
||||||
elif firstChar is None:
|
elif firstChar is None:
|
||||||
firstChar = 0
|
firstChar = 0
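Review bot: With the new `dump and ...` gate, `conf.firstChar` still feeds `int(conf.firstChar) - 1` unchecked, so `--first 0` (if option parsing lets it through) yields `firstChar = -1` rather than 0; clamping with `firstChar = max(0, int(conf.firstChar) - 1)` would keep the index sane. Note also that when dump is True the conf value now takes precedence over an explicit `firstChar` argument from the caller, which deserves a comment such as `# during --dump entries retrieval the user's --first bound wins over the caller's` so the precedence reads as deliberate. The mirrored lastChar branch in the next hunk likewise has no check that lastChar is not below firstChar. bisection's body continues outside the hunk.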
|
||||||
|
@ -71,7 +71,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
|
||||||
|
|
||||||
if "LENGTH(" in expression or "LEN(" in expression:
|
if "LENGTH(" in expression or "LEN(" in expression:
|
||||||
lastChar = 0
|
lastChar = 0
|
||||||
elif conf.lastChar is not None and ( isinstance(conf.lastChar, int) or ( isinstance(conf.lastChar, basestring) and conf.lastChar.isdigit() ) ):
|
elif dump and conf.lastChar is not None and ( isinstance(conf.lastChar, int) or ( isinstance(conf.lastChar, basestring) and conf.lastChar.isdigit() ) ):
|
||||||
lastChar = int(conf.lastChar)
|
lastChar = int(conf.lastChar)
|
||||||
elif lastChar in ( None, "0" ):
|
elif lastChar in ( None, "0" ):
|
||||||
lastChar = 0
|
lastChar = 0
|
||||||
|
|
|
@ -1427,7 +1427,7 @@ class Enumeration:
|
||||||
elif Backend.getIdentifiedDbms() == DBMS.FIREBIRD:
|
elif Backend.getIdentifiedDbms() == DBMS.FIREBIRD:
|
||||||
query = rootQuery.blind.query % (index, column, conf.tbl)
|
query = rootQuery.blind.query % (index, column, conf.tbl)
|
||||||
|
|
||||||
value = inject.getValue(query, inband=False, error=False)
|
value = inject.getValue(query, inband=False, error=False, dump=True)
|
||||||
|
|
||||||
lengths[column] = max(lengths[column], len(value) if value else 0)
|
lengths[column] = max(lengths[column], len(value) if value else 0)
|
||||||
entries[column].append(value)
|
entries[column].append(value)
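Review bot: `dump=True` is visible here on a single getValue call which, by its position after the DBMS if/elif chain, appears to serve every backend's entries query; if any other arm issues its own retrieval outside this hunk it needs the same flag, otherwise --first/--last would apply to some backends and not others. Conversely, the row-count retrieval for the table (outside the hunk) must not get `dump=True`, or the count string itself would be sliced. A truncated value is stored in `entries[column]` indistinguishably from a full one, so a one-time `logger.debug` noting the active --first/--last slice would help users reading the dump. The enclosing method starts before this hunk.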
|
||||||
|
|