sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2024-11-25 19:13:48 +03:00
Code Issues Packages Projects Releases Wiki Activity

Minor bug fix to make the Partial UNION query SQL injection technique

Browse Source 
work properly also on Oracle and Microsoft SQL Server.
This commit is contained in:
Bernardo Damele 2008-12-22 22:48:44 +00:00
parent 1f7810e46a
commit 64bb57d786
5 changed files with 24 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
doc/ChangeLog
View File

@ -17,6 +17,8 @@ sqlmap (0.6.4-1) stable; urgency=low
--is-dba query at the moment; --is-dba query at the moment;
* Major bug fix to avoid tracebacks when multiple targets are specified * Major bug fix to avoid tracebacks when multiple targets are specified
and one of them is not reachable; and one of them is not reachable;
* Minor bug fix to make the Partial UNION query SQL injection technique
work properly also on Oracle and Microsoft SQL Server;
* Minor bug fix to make the --postfix work even if --prefix is not * Minor bug fix to make the --postfix work even if --prefix is not
provided; provided;

15
lib/core/agent.py
View File

@ -416,10 +416,6 @@ class Agent:
conditionIndex = query.index(" FROM ") conditionIndex = query.index(" FROM ")
inbandQuery += query[conditionIndex:] inbandQuery += query[conditionIndex:]
if " ORDER BY " in inbandQuery and "(SELECT " in inbandQuery:
orderIndex = inbandQuery.index(" ORDER BY ")
inbandQuery += inbandQuery[orderIndex:].replace(")", "")
if kb.dbms == "Oracle": if kb.dbms == "Oracle":
if " FROM " not in inbandQuery: if " FROM " not in inbandQuery:
inbandQuery += " FROM DUAL" inbandQuery += " FROM DUAL"
@ -461,19 +457,20 @@ class Agent:
limitStr = queries[kb.dbms].limit % (num, 1) limitStr = queries[kb.dbms].limit % (num, 1)
limitedQuery += " %s" % limitStr limitedQuery += " %s" % limitStr
# TODO: fix Partial UNION query SQL injection technique for Oracle
elif kb.dbms == "Oracle": elif kb.dbms == "Oracle":
if " ORDER BY " in limitedQuery and "(SELECT " in limitedQuery:
limitedQuery = limitedQuery[:limitedQuery.index(" ORDER BY ")]
if query.startswith("SELECT "): if query.startswith("SELECT "):
limitedQuery = "%s FROM (%s, %s" % (untilFrom, untilFrom, limitStr) limitedQuery = "%s FROM (%s, %s" % (untilFrom, untilFrom, limitStr)
else: else:
limitedQuery = "%s FROM (SELECT %s, %s" % (untilFrom, field, limitStr) limitedQuery = "%s FROM (SELECT %s, %s" % (untilFrom, ", ".join(f for f in field), limitStr)
limitedQuery = limitedQuery % fromFrom limitedQuery = limitedQuery % fromFrom
limitedQuery += "=%d" % (num + 1) limitedQuery += "=%d" % (num + 1)
elif kb.dbms == "Microsoft SQL Server": elif kb.dbms == "Microsoft SQL Server":
if re.search(" ORDER BY ", limitedQuery, re.I): if " ORDER BY " in limitedQuery:
untilOrderChar = limitedQuery.index(" ORDER BY ") limitedQuery = limitedQuery[:limitedQuery.index(" ORDER BY ")]
limitedQuery = limitedQuery[:untilOrderChar]
limitedQuery = limitedQuery.replace("SELECT ", (limitStr % 1), 1) limitedQuery = limitedQuery.replace("SELECT ", (limitStr % 1), 1)
limitedQuery = "%s WHERE %s " % (limitedQuery, field) limitedQuery = "%s WHERE %s " % (limitedQuery, field)

1
lib/core/settings.py
View File

@ -74,6 +74,7 @@ SQL_STATEMENTS = {
"SQL SELECT statement": ( "SQL SELECT statement": (
"select ", "select ",
" from ", " from ",
" from dual",
" where ", " where ",
" group by ", " group by ",
" order by ", " order by ",

10
lib/request/inject.py
View File

@ -82,12 +82,7 @@ def __goInferenceFields(expression, expressionFields, expressionFieldsList, payl
expression = agent.limitQuery(num, expression, field) expression = agent.limitQuery(num, expression, field)
expressionReplaced = expression.replace(expressionFields, field, 1) expressionReplaced = expression.replace(expressionFields, field, 1)
output = resume(expressionReplaced, payload)
if " ORDER BY " in expressionReplaced and "(SELECT " in expressionReplaced:
orderIndex = expressionReplaced.index(" ORDER BY ")
expressionReplaced += expressionReplaced[orderIndex:].replace(")", "")
output = resume(expressionReplaced, payload)
if not output or ( expected == "int" and not output.isdigit() ): if not output or ( expected == "int" and not output.isdigit() ):
if output: if output:
@ -326,6 +321,9 @@ def getValue(expression, blind=True, inband=True, fromUser=False, expected=None)
value = None value = None
if inband and conf.unionUse and kb.dbms: if inband and conf.unionUse and kb.dbms:
if kb.dbms == "Oracle" and " ORDER BY " in expression:
expression = expression[:expression.index(" ORDER BY ")]
value = __goInband(expression, expected) value = __goInband(expression, expected)
if not value: if not value:

15
lib/techniques/inband/union/use.py
View File

@ -261,12 +261,19 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False):
return return
for num in xrange(startLimit, stopLimit): for num in xrange(startLimit, stopLimit):
orderBy = re.search(" ORDER BY ([\w\_]+)", expression, re.I) if kb.dbms == "Microsoft SQL Server":
orderBy = re.search(" ORDER BY ([\w\_]+)", expression, re.I)
if orderBy:
field = orderBy.group(1)
else:
field = expressionFieldsList[0]
elif kb.dbms == "Oracle":
field = expressionFieldsList
if orderBy:
field = orderBy.group(1)
else: else:
field = expressionFieldsList[0] field = None
limitedExpr = agent.limitQuery(num, expression, field) limitedExpr = agent.limitQuery(num, expression, field)
output = unionUse(limitedExpr, direct=True, unescape=False) output = unionUse(limitedExpr, direct=True, unescape=False)