Merge branch 'master' of github.com:sqlmapproject/sqlmap

Miroslav Stampar 2012-12-20 09:54:39 +01:00
commit 69310e47ce
4 changed files with 218 additions and 15 deletions


@ -680,10 +680,15 @@ class Agent(object):
stopLimit = None
limitCond = True
limitRegExp = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query, expression, re.I)
limitRegExp2 = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query2, expression, re.I)
topLimit = re.search("TOP\s+([\d]+)\s+", expression, re.I)
limitRegExp = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query, expression, re.I)
if hasattr(queries[Backend.getIdentifiedDbms()].limitregexp, "query2"):
limitRegExp2 = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query2, expression, re.I)
else:
limitRegExp2 = None
if (limitRegExp or limitRegExp2) or (Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE) and topLimit):
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.SQLITE):
limitGroupStart = queries[Backend.getIdentifiedDbms()].limitgroupstart.query
@ -727,7 +732,10 @@ class Agent(object):
# (or equivalent, depending on the back-end DBMS) word
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.SQLITE):
stopLimit += startLimit
_ = expression.index(queries[Backend.getIdentifiedDbms()].limitstring.query)
if expression.find(queries[Backend.getIdentifiedDbms()].limitstring.query) > 0:
_ = expression.index(queries[Backend.getIdentifiedDbms()].limitstring.query)
else:
_ = expression.index("LIMIT ")
expression = expression[:_]
elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):
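Review bot: In the second hunk the new fallback `_ = expression.index("LIMIT ")` is case-sensitive, while the limit detection in the first hunk matches with `re.I`; an expression that spells the keyword in lower case and lacks the DBMS-specific limit string would raise ValueError there. The guard `expression.find(...) > 0` also treats a match at offset 0 as a miss, where `!= -1` says what is meant. A case-insensitive lookup, for example taking `.start()` of `re.search(r"LIMIT\s", expression, re.I)` after a None check, would keep both paths consistent with the detection above. The enclosing method starts and ends outside the hunks, so whether a caller handles the exception is not visible here.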


@ -191,6 +191,7 @@ def initCase(switches=None):
logger.debug("using output directory '%s' for this test case" % paths.SQLMAP_OUTPUT_PATH)
LOGGER_HANDLER.stream = sys.stdout = StringIO.StringIO()
cmdLineOptions = cmdLineParser()
cmdLineOptions.liveTest = cmdLineOptions.smokeTest = False
@ -209,11 +210,11 @@ def runCase(switches=None, parse=None):
initCase(switches)
LOGGER_HANDLER.stream = sys.stdout = StringIO.StringIO()
retVal = True
exception = None
result = False
console = ""
LOGGER_HANDLER.stream = sys.stdout = StringIO.StringIO()
try:
result = start()
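Review bot: `LOGGER_HANDLER.stream` and `sys.stdout` are rebound to a fresh `StringIO` in initCase and again in runCase, and nothing in these hunks says why or shows the original stream being put back. The buffer installed in initCase is replaced by the assignment in runCase, which looks intended to drop option-parsing output; a comment such as `# discard output produced while parsing options; runCase() installs its own buffer` would make that explicit. If the restore is not already done in the part of runCase outside the hunk, it belongs in a `finally:` around `start()` so a failing case cannot leave stdout redirected for the next one.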


@ -1,10 +1,13 @@
<?xml version="1.0" encoding="UTF-8"?>
<root>
<vars>
<random value="random"/>
</vars>
<global>
<ignoreProxy value="True"/>
<batch value="True"/>
<verbose value="1"/>
<verbose value="2"/>
</global>
<!-- Common enumeration switches across all techniques -->
<case name="MySQL boolean-based multi-threaded enumeration - all entries">
@ -183,21 +186,13 @@
<switches>
<url value="http://debiandev/sqlmap/mysql/get_int_nooutput.php?id=1"/>
<tech value="T"/>
<timeSec value="1"/>
<extensiveFp value="True"/>
<timeSec value="2"/>
<getBanner value="True"/>
<getCurrentUser value="True"/>
<getCurrentDb value="True"/>
<getHostname value="True"/>
<isDba value="True"/>
</switches>
<parse>
<item value="Title: MySQL &gt; 5.0.11 AND time-based blind"/>
<item value="r'back-end DBMS: active fingerprint: MySQL &gt;= 5.1.12 and &lt; 5.5.0'"/>
<item value="banner: '5.1.63-0+squeeze1'"/>
<item value="current user: 'root@localhost'"/>
<item value="current database: 'testdb'"/>
<item value="hostname: 'debian"/>
<item value="current user is DBA: True"/>
</parse>
</case>
@ -670,4 +665,203 @@
</parse>
</case>
<!-- End of user's provided statement enumeration switches -->
<!-- File system access switches -->
<case name="MySQL boolean-based multi-threaded file read">
<switches>
<url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/>
<threads value="4"/>
<tech value="B"/>
<rFile value="/etc/hosts,/tmp/invalidfile"/>
</switches>
<parse>
<item value="r'files saved to.+files/_etc_hosts \(same file\)'"/>
</parse>
</case>
<case name="MySQL error-based multi-threaded file read">
<switches>
<url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/>
<threads value="4"/>
<tech value="E"/>
<rFile value="/etc/hosts,/tmp/invalidfile"/>
</switches>
<parse>
<item value="r'files saved to.+files/_etc_hosts \(same file\)'"/>
</parse>
</case>
<case name="MySQL UNION query multi-threaded file read">
<switches>
<url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/>
<threads value="4"/>
<tech value="U"/>
<rFile value="/etc/hosts,/tmp/invalidfile"/>
</switches>
<parse>
<item value="r'files saved to.+files/_etc_hosts \(same file\)'"/>
</parse>
</case>
<case name="MySQL UNION query multi-threaded file write">
<switches>
<url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/>
<threads value="4"/>
<tech value="U"/>
<wFile value="/etc/passwd"/>
<dFile value="/tmp/passwd-${random}"/>
</switches>
<parse>
<item value="the remote file /tmp/passwd-${random} is larger than the local file /etc/passwd" console_output="True"/>
</parse>
</case>
<!-- End of file system access switches -->
<!-- Operating system access switches -->
<case name="MySQL web shell - command execution">
<switches>
<url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/>
<tech value="B"/>
<osCmd value="id"/>
<answers value="please provide any additional web server=/var/www/test"/>
</switches>
<parse>
<item value="command standard output: 'uid="/>
</parse>
</case>
<!-- TODO: integration with Metasploit cannot be called yet from live testing -->
<case name="MySQL shell via Metasploit integration - command execution">
<switches>
<url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/>
<tech value="B"/>
<osPwn value="True"/>
<msfPath value="/usr/local/bin/"/>
<answers value="please provide any additional web server=/var/www/test"/>
</switches>
<parse>
<item value="r'Sending stage.+Command shell session.+Linux.+uid='"/>
</parse>
</case>
<!-- End of operating system access switches -->
<!-- Technique switches -->
<case name="MySQL 4 time-based against unresponsive page">
<switches>
<url value="http://debiandev/sqlmap/mysql/get_int_benchmark.php?id=1"/>
<tech value="T"/>
<level value="2"/>
<risk value="2"/>
<timeSec value="2"/>
</switches>
<parse>
<item value="Title: AND/OR time-based blind"/>
<item value="Title: MySQL &lt; 5.0.12 AND time-based blind (heavy query)"/>
</parse>
</case>
<case name="MySQL against page protected by custom weak filter">
<switches>
<url value="http://debiandev/sqlmap/mysql/get_int_filtered.php?id=1"/>
<tech value="BE"/>
<level value="3"/>
</switches>
<parse>
<item value="Title: Generic boolean-based blind - Parameter replace (original value)"/>
<item value="Title: MySQL &gt;= 5.1 error-based - Parameter replace (EXTRACTVALUE)"/>
</parse>
</case>
<case name="MySQL injection in GROUP BY clause">
<switches>
<url value="http://debiandev/sqlmap/mysql/get_int_groupby.php?id=1"/>
<tech value="B"/>
<level value="3"/>
</switches>
<parse>
<item value="MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)"/>
</parse>
</case>
<!-- TODO: this crashes the library that parses XML as it has UTF-8 characters
<case name="MySQL boolean-based multi-threaded enumeration - international data">
<switches>
<url value="http://debiandev/sqlmap/mysql/get_int_international.php?id=1"/>
<threads value="4"/>
<tech value="B"/>
<getBanner value="True"/>
<dumpTable value="True"/>
<db value="testdb"/>
<tbl value="international"/>
</switches>
<parse>
<item value="banner: '5.1.63-0+squeeze1'"/>
<item value="r'Database: testdb.+Table: international.+3 entries.+šućuraj.+река Москва'"/>
</parse>
</case>
-->
<case name="MySQL partial UNION query multi-threaded enumeration - invalid bignum">
<switches>
<url value="http://debiandev/sqlmap/mysql/get_int_partialunion.php?id=1"/>
<tech value="U"/>
<invalidBignum value="True"/>
<getBanner value="True"/>
<isDba value="True"/>
</switches>
<parse>
<item value="Title: MySQL UNION query (NULL) - 3 columns"/>
<item value="r'Payload: id=[\d]+\.[\d]+ UNION'"/>
<item value="banner: '5.1.63-0+squeeze1'"/>
<item value="current user is DBA: True"/>
</parse>
</case>
<case name="MySQL partial UNION query multi-threaded enumeration - invalid logical">
<switches>
<url value="http://debiandev/sqlmap/mysql/get_int_partialunion.php?id=1"/>
<tech value="U"/>
<invalidLogical value="True"/>
<getBanner value="True"/>
<isDba value="True"/>
</switches>
<parse>
<item value="Title: MySQL UNION query (NULL) - 3 columns"/>
<item value="r'Payload: id=1 AND [\d]+=[\d]+ UNION'"/>
<item value="banner: '5.1.63-0+squeeze1'"/>
<item value="current user is DBA: True"/>
</parse>
</case>
<!-- End of technique switches -->
<!-- Other switches -->
<case name="MySQL error-based HTTP basic authentication">
<switches>
<url value="http://debiandev/sqlmap/mysql/basic/get_int.php?id=1"/>
<tech value="E"/>
<aType value="Basic"/>
<aCred value="testuser:testpass"/>
<getBanner value="True"/>
</switches>
<parse>
<item value="banner: '5.1.63-0+squeeze1'"/>
</parse>
</case>
<case name="MySQL error-based HTTP digest authentication">
<switches>
<url value="http://debiandev/sqlmap/mysql/digest/get_int.php?id=1"/>
<tech value="E"/>
<aType value="Digest"/>
<aCred value="testuser:testpass"/>
<getBanner value="True"/>
</switches>
<parse>
<item value="banner: '5.1.63-0+squeeze1'"/>
</parse>
</case>
<case name="MySQL boolean-based predict output enumeration">
<switches>
<url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/>
<predictOutput value="True"/>
<tech value="B"/>
<getBanner value="True"/>
</switches>
<parse>
<item value="banner: '5.1.63-0+squeeze1'"/>
<item value="r'performed 112 queries'" console_output="True"/>
</parse>
</case>
<!-- End of other switches -->
</root>
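Review bot: The case `MySQL shell via Metasploit integration - command execution` is left active although the TODO directly above it says the integration cannot be called from live testing yet; unlike the international-data case, which is wrapped in a comment, it will presumably run and fail its `Sending stage.+` check. Either wrap it in a comment the same way or drop the TODO. The file-write case also uses the tester's own `/etc/passwd` as the upload payload, so host account data is copied to the target on every run; a purpose-made fixture file would test the same path. A header comment stating that these cases must only be pointed at the dedicated lab host, e.g. `<!-- live tests: run only against the disposable test VM -->`, would also help, given the fixed `testuser:testpass` credentials and the file and command execution switches.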


@ -717,7 +717,7 @@ Formats:
</test>
<test>
<title>MySQL boolean-based blind - WHERE or HAVING clause (RLIKE)</title>
<title>MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)</title>
<stype>1</stype>
<level>3</level>
<risk>1</risk>