improvement toward proper implementation of OR-based injection by usage of "negative logic" mechanism

This commit is contained in:
Miroslav Stampar 2012-03-29 14:33:27 +00:00
parent ce4c697bbd
commit 637a8d8273
5 changed files with 23 additions and 16 deletions


@ -327,6 +327,7 @@ def checkSqlInjection(place, parameter, value):
# Useful to set kb.matchRatio at first based on # Useful to set kb.matchRatio at first based on
# the False response content # the False response content
kb.matchRatio = None kb.matchRatio = None
kb.negativeLogic = (where == PAYLOAD.WHERE.NEGATIVE)
Request.queryPage(genCmpPayload(), place, raise404=False) Request.queryPage(genCmpPayload(), place, raise404=False)
# Perform the test's True request # Perform the test's True request
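Review bot: The flag assigned on the new `kb.negativeLogic = (where == PAYLOAD.WHERE.NEGATIVE)` line is global kb state and nothing in this hunk clears it once the test's request pair is done, so every later page comparison that runs before `initTechnique` reassigns it — the next tests for this parameter, other parameters, or any post-detection `Request.queryPage` call — inherits the last test's `where`. checkSqlInjection's loop body continues outside the hunk, so this may already be handled there, but if not, resetting it at the end of each test iteration (or in the function's cleanup path) keeps the inversion scoped to the two requests it is meant for: `kb.negativeLogic = False`. A short why-comment above the assignment would also help readers who land here from comparison.py: `# WHERE.NEGATIVE tests invert the raw-page comparison result (see _adjust in comparison.py)`.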


@ -2386,6 +2386,7 @@ def initTechnique(technique=None):
if data: if data:
kb.pageTemplate, kb.errorIsNone = getPageTemplate(data.templatePayload, kb.injection.place) kb.pageTemplate, kb.errorIsNone = getPageTemplate(data.templatePayload, kb.injection.place)
kb.matchRatio = data.matchRatio kb.matchRatio = data.matchRatio
kb.negativeLogic = (technique == PAYLOAD.TECHNIQUE.BOOLEAN) and (data.where == PAYLOAD.WHERE.NEGATIVE)
# Restoring stored conf options # Restoring stored conf options
for key, value in kb.injection.conf.items(): for key, value in kb.injection.conf.items():
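Review bot: The new `kb.negativeLogic = ...` assignment sits inside the `if data:` branch, so when `getTechniqueData` yields nothing the flag keeps whatever the previous technique or the detection phase left in it, and the comparisons that follow may be inverted for a technique that is not boolean-based with a negative `where`. Assigning it unconditionally ahead of the branch avoids the stale state, e.g. `kb.negativeLogic = bool(data) and technique == PAYLOAD.TECHNIQUE.BOOLEAN and data.where == PAYLOAD.WHERE.NEGATIVE` placed before `if data:`. initTechnique starts before the hunk and its non-`data` path is not shown, so if that path already resets kb state this is moot.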


@ -29,12 +29,19 @@ from lib.core.settings import UPPER_RATIO_BOUND
from lib.core.threads import getCurrentThreadData from lib.core.threads import getCurrentThreadData
def comparison(page, headers, code=None, getRatioValue=False, pageLength=None): def comparison(page, headers, code=None, getRatioValue=False, pageLength=None):
#return _checkNegativeLogic(_comparison(page, headers, code, getRatioValue, pageLength), getRatioValue) return _adjust(_comparison(page, headers, code, getRatioValue, pageLength), getRatioValue)
return _comparison(page, headers, code, getRatioValue, pageLength)
def _checkNegativeLogic(condition, getRatioValue): def _adjust(condition, getRatioValue):
condition = not (condition or False) if kb.negativeLogic else condition # Negative logic approach is used in raw page comparison scheme as that what is "different" than original
return condition if not getRatioValue else (MAX_RATIO if condition else MIN_RATIO) # PAYLOAD.WHERE.NEGATIVE response is considered as True; in switch based approach negative logic is not
# applied as that is by the user considered as True is that what is returned by the comparison mechanism
# itself
if not any([conf.string, conf.regexp, conf.code]):
retVal = not (condition or False) if kb.negativeLogic else condition
else:
retVal = condition if not getRatioValue else (MAX_RATIO if condition else MIN_RATIO)
return retVal
def _comparison(page, headers, code, getRatioValue, pageLength): def _comparison(page, headers, code, getRatioValue, pageLength):
if page is None and pageLength is None: if page is None and pageLength is None:
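Review bot: In the raw-page branch of `_adjust` the inversion `not (condition or False)` is applied regardless of `getRatioValue` and regardless of whether `condition` is a real boolean: when the caller asks for a ratio, `_comparison` presumably returns a float (the `MAX_RATIO`/`MIN_RATIO` mapping in the other branch suggests as much), and `not 0.97` collapses it to `False`, while an undecided result — plausible given the `page is None and pageLength is None` guard at the bottom of the hunk — becomes `True`; the switch branch below and the commented-out `_checkNegativeLogic` it replaces both map through `MAX_RATIO`/`MIN_RATIO` after negating, so the two paths now disagree. Restricting the inversion to decided booleans keeps ratio requests and the undecided case untouched: `retVal = not condition if kb.negativeLogic and condition is not None and not getRatioValue else condition`. Whether a ratio request under negative logic should instead be complemented depends on the callers that pass `getRatioValue=True`, which this hunk does not show. The explanatory comment could also be tightened, e.g. `# Raw-page comparison: for WHERE.NEGATIVE tests a page that differs from the original counts as True, so the result is inverted; with --string/--regexp/--code the user's match already defines True and no inversion is applied`.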


@ -502,8 +502,6 @@ class Connect:
string match check ('--string' command line parameter) string match check ('--string' command line parameter)
""" """
kb.negativeLogic = "OR NOT" in (value or "")
if conf.direct: if conf.direct:
return direct(value, content) return direct(value, content)


@ -615,12 +615,12 @@ Formats:
<risk>3</risk> <risk>3</risk>
<clause>1</clause> <clause>1</clause>
<where>2</where> <where>2</where>
<vector>OR NOT ([INFERENCE])</vector> <vector>OR ([INFERENCE])</vector>
<request> <request>
<payload>OR NOT ([RANDNUM]=[RANDNUM])</payload> <payload>OR ([RANDNUM]=[RANDNUM])</payload>
</request> </request>
<response> <response>
<comparison>OR NOT ([RANDNUM]=[RANDNUM1])</comparison> <comparison>OR ([RANDNUM]=[RANDNUM1])</comparison>
</response> </response>
</test> </test>
@ -631,13 +631,13 @@ Formats:
<risk>3</risk> <risk>3</risk>
<clause>1</clause> <clause>1</clause>
<where>2</where> <where>2</where>
<vector>OR NOT ([INFERENCE])</vector> <vector>OR ([INFERENCE])</vector>
<request> <request>
<payload>OR NOT ([RANDNUM]=[RANDNUM])</payload> <payload>OR ([RANDNUM]=[RANDNUM])</payload>
<comment>#</comment> <comment>#</comment>
</request> </request>
<response> <response>
<comparison>OR NOT ([RANDNUM]=[RANDNUM1])</comparison> <comparison>OR ([RANDNUM]=[RANDNUM1])</comparison>
</response> </response>
<details> <details>
<dbms>MySQL</dbms> <dbms>MySQL</dbms>
@ -651,13 +651,13 @@ Formats:
<risk>3</risk> <risk>3</risk>
<clause>1</clause> <clause>1</clause>
<where>2</where> <where>2</where>
<vector>OR NOT ([INFERENCE])</vector> <vector>OR ([INFERENCE])</vector>
<request> <request>
<payload>OR NOT ([RANDNUM]=[RANDNUM])</payload> <payload>OR ([RANDNUM]=[RANDNUM])</payload>
<comment>-- </comment> <comment>-- </comment>
</request> </request>
<response> <response>
<comparison>OR NOT ([RANDNUM]=[RANDNUM1])</comparison> <comparison>OR ([RANDNUM]=[RANDNUM1])</comparison>
</response> </response>
</test> </test>