From 3061eec7d8e46935874d5ac931e43deb04207480 Mon Sep 17 00:00:00 2001
From: Bernardo Damele <bernardo.damele@gmail.com>
Date: Wed, 19 Dec 2012 16:39:13 +0000
Subject: [PATCH 1/6] added test case for web shell command execution and
 temporary test case for Metasploit integration (--os-pwn)

---
 xml/livetests.xml | 79 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 79 insertions(+)

diff --git a/xml/livetests.xml b/xml/livetests.xml
index 2ffa01e19..ae6136720 100644
--- a/xml/livetests.xml
+++ b/xml/livetests.xml
@@ -1,6 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 
 <root>
+    <vars>
+        <random value="random"/>
+    </vars>
     <global>
         <ignoreProxy value="True"/>
         <batch value="True"/>
@@ -670,4 +673,80 @@
         </parse>
     </case>
     <!-- End of user's provided statement enumeration switches -->
+
+    <!-- File system access switches -->
+    <case name="MySQL boolean-based multi-threaded file read">
+        <switches>
+            <url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/>
+            <threads value="4"/>
+            <tech value="B"/>
+            <rFile value="/etc/hosts,/tmp/invalidfile"/>
+        </switches>
+        <parse>
+            <item value="r'files saved to.+files/_etc_hosts \(same file\)'"/>
+        </parse>
+    </case>
+    <case name="MySQL error-based multi-threaded file read">
+        <switches>
+            <url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/>
+            <threads value="4"/>
+            <tech value="E"/>
+            <rFile value="/etc/hosts,/tmp/invalidfile"/>
+        </switches>
+        <parse>
+            <item value="r'files saved to.+files/_etc_hosts \(same file\)'"/>
+        </parse>
+    </case>
+    <case name="MySQL UNION query multi-threaded file read">
+        <switches>
+            <url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/>
+            <threads value="4"/>
+            <tech value="U"/>
+            <rFile value="/etc/hosts,/tmp/invalidfile"/>
+        </switches>
+        <parse>
+            <item value="r'files saved to.+files/_etc_hosts \(same file\)'"/>
+        </parse>
+    </case>
+    <case name="MySQL UNION query multi-threaded file write">
+        <switches>
+            <url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/>
+            <threads value="4"/>
+            <tech value="U"/>
+            <wFile value="/etc/passwd"/>
+            <dFile value="/tmp/passwd-${random}"/>
+        </switches>
+        <parse>
+            <item value="the remote file /tmp/passwd-${random} is larger than the local file /etc/passwd" console_output="True"/>
+        </parse>
+    </case>
+    <!-- End of file system access switches -->
+
+    <!-- Operating system access switches -->
+    <case name="MySQL web shell - command execution">
+        <switches>
+            <url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/>
+            <tech value="B"/>
+            <osCmd value="id"/>
+            <answers value="please provide any additional web server=/var/www/test"/>
+        </switches>
+        <parse>
+            <item value="command standard output:    'uid="/>
+        </parse>
+    </case>
+    <!-- TODO: integration with Metasploit cannot be called yet from live testing -->
+    <case name="MySQL shell via Metasploit integration - command execution">
+        <switches>
+            <url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/>
+            <tech value="B"/>
+            <osPwn value="True"/>
+            <msfPath value="/usr/local/bin/"/>
+            <answers value="please provide any additional web server=/var/www/test"/>
+        </switches>
+        <parse>
+            <item value="r'Sending stage.+Command shell session.+Linux.+uid='"/>
+        </parse>
+    </case>
+    <!-- End of operating system access switches -->
+
 </root>

From 357da43cead7e6590393d1f91ae8e38d3098c496 Mon Sep 17 00:00:00 2001
From: Bernardo Damele <bernardo.damele@gmail.com>
Date: Wed, 19 Dec 2012 17:28:41 +0000
Subject: [PATCH 2/6] slight improvement of live test engine and added misc
 test cases to xml

---
 lib/core/testing.py |  3 +-
 xml/livetests.xml   | 81 +++++++++++++++++++++++++++++++++++++++------
 2 files changed, 73 insertions(+), 11 deletions(-)

diff --git a/lib/core/testing.py b/lib/core/testing.py
index 4495edf0e..3937c40d5 100644
--- a/lib/core/testing.py
+++ b/lib/core/testing.py
@@ -191,6 +191,7 @@ def initCase(switches=None):
 
     logger.debug("using output directory '%s' for this test case" % paths.SQLMAP_OUTPUT_PATH)
 
+    LOGGER_HANDLER.stream = sys.stdout = StringIO.StringIO()
     cmdLineOptions = cmdLineParser()
     cmdLineOptions.liveTest = cmdLineOptions.smokeTest = False
 
@@ -209,11 +210,11 @@ def runCase(switches=None, parse=None):
 
     initCase(switches)
 
+    LOGGER_HANDLER.stream = sys.stdout = StringIO.StringIO()
     retVal = True
     exception = None
     result = False
     console = ""
-    LOGGER_HANDLER.stream = sys.stdout = StringIO.StringIO()
 
     try:
         result = start()
diff --git a/xml/livetests.xml b/xml/livetests.xml
index ae6136720..8737dc30a 100644
--- a/xml/livetests.xml
+++ b/xml/livetests.xml
@@ -7,7 +7,7 @@
     <global>
         <ignoreProxy value="True"/>
         <batch value="True"/>
-        <verbose value="1"/>
+        <verbose value="2"/>
     </global>
     <!-- Common enumeration switches across all techniques -->
     <case name="MySQL boolean-based multi-threaded enumeration - all entries">
@@ -186,21 +186,13 @@
         <switches>
             <url value="http://debiandev/sqlmap/mysql/get_int_nooutput.php?id=1"/>
             <tech value="T"/>
-            <timeSec value="1"/>
-            <extensiveFp value="True"/>
+            <timeSec value="2"/>
             <getBanner value="True"/>
-            <getCurrentUser value="True"/>
-            <getCurrentDb value="True"/>
-            <getHostname value="True"/>
             <isDba value="True"/>
         </switches>
         <parse>
             <item value="Title: MySQL &gt; 5.0.11 AND time-based blind"/>
-            <item value="r'back-end DBMS: active fingerprint: MySQL &gt;= 5.1.12 and &lt; 5.5.0'"/>
             <item value="banner:    '5.1.63-0+squeeze1'"/>
-            <item value="current user:    'root@localhost'"/>
-            <item value="current database:    'testdb'"/>
-            <item value="hostname:    'debian"/>
             <item value="current user is DBA:    True"/>
         </parse>
     </case>
@@ -749,4 +741,73 @@
     </case>
     <!-- End of operating system access switches -->
 
+    <!-- Other switches -->
+    <case name="MySQL partial UNION query multi-threaded enumeration - invalid bignum">
+        <switches>
+            <url value="http://debiandev/sqlmap/mysql/get_int_partialunion.php?id=1"/>
+            <tech value="U"/>
+            <invalidBignum value="True"/>
+            <getBanner value="True"/>
+            <isDba value="True"/>
+        </switches>
+        <parse>
+            <item value="Title: MySQL UNION query (NULL) - 3 columns"/>
+            <item value="r'Payload: id=[\d]+\.[\d]+ UNION'"/>
+            <item value="banner:    '5.1.63-0+squeeze1'"/>
+            <item value="current user is DBA:    True"/>
+        </parse>
+    </case>
+    <case name="MySQL partial UNION query multi-threaded enumeration - invalid logical">
+        <switches>
+            <url value="http://debiandev/sqlmap/mysql/get_int_partialunion.php?id=1"/>
+            <tech value="U"/>
+            <invalidLogical value="True"/>
+            <getBanner value="True"/>
+            <isDba value="True"/>
+        </switches>
+        <parse>
+            <item value="Title: MySQL UNION query (NULL) - 3 columns"/>
+            <item value="r'Payload: id=1 AND [\d]+=[\d]+ UNION'"/>
+            <item value="banner:    '5.1.63-0+squeeze1'"/>
+            <item value="current user is DBA:    True"/>
+        </parse>
+    </case>
+    <case name="MySQL error-based HTTP basic authentication">
+        <switches>
+            <url value="http://debiandev/sqlmap/mysql/basic/get_int.php?id=1"/>
+            <tech value="E"/>
+            <aType value="Basic"/>
+            <aCred value="testuser:testpass"/>
+            <getBanner value="True"/>
+        </switches>
+        <parse>
+            <item value="banner:    '5.1.63-0+squeeze1'"/>
+        </parse>
+    </case>
+    <case name="MySQL error-based HTTP digest authentication">
+        <switches>
+            <url value="http://debiandev/sqlmap/mysql/digest/get_int.php?id=1"/>
+            <tech value="E"/>
+            <aType value="Digest"/>
+            <aCred value="testuser:testpass"/>
+            <getBanner value="True"/>
+        </switches>
+        <parse>
+            <item value="banner:    '5.1.63-0+squeeze1'"/>
+        </parse>
+    </case>
+    <case name="MySQL boolean-based predict output enumeration">
+        <switches>
+            <url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/>
+            <predictOutput value="True"/>
+            <tech value="B"/>
+            <getBanner value="True"/>
+        </switches>
+        <parse>
+            <item value="banner:    '5.1.63-0+squeeze1'"/>
+            <item value="r'performed 112 queries'" console_output="True"/>
+        </parse>
+    </case>
+    <!-- End of other switches -->
+
 </root>

From a2c58847e67d30dd699aa46cf010f8bb0ad68a57 Mon Sep 17 00:00:00 2001
From: Bernardo Damele <bernardo.damele@gmail.com>
Date: Wed, 19 Dec 2012 18:29:00 +0000
Subject: [PATCH 3/6] fixed title

---
 xml/payloads.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/xml/payloads.xml b/xml/payloads.xml
index 27fb0de3f..6e9155ff2 100644
--- a/xml/payloads.xml
+++ b/xml/payloads.xml
@@ -717,7 +717,7 @@ Formats:
     </test>
 
     <test>
-        <title>MySQL boolean-based blind - WHERE or HAVING clause (RLIKE)</title>
+        <title>MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)</title>
         <stype>1</stype>
         <level>3</level>
         <risk>1</risk>

From 602405c171fe97c1b2c97cfb7f4d3571d64e24b2 Mon Sep 17 00:00:00 2001
From: Bernardo Damele <bernardo.damele@gmail.com>
Date: Wed, 19 Dec 2012 18:30:04 +0000
Subject: [PATCH 4/6] added more test cases

---
 xml/livetests.xml | 56 ++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 55 insertions(+), 1 deletion(-)

diff --git a/xml/livetests.xml b/xml/livetests.xml
index 8737dc30a..8903e35ec 100644
--- a/xml/livetests.xml
+++ b/xml/livetests.xml
@@ -741,7 +741,58 @@
     </case>
     <!-- End of operating system access switches -->
 
-    <!-- Other switches -->
+    <!-- Technique switches -->
+    <case name="MySQL 4 time-based against unresponsive page">
+        <switches>
+            <url value="http://debiandev/sqlmap/mysql/get_int_benchmark.php?id=1"/>
+            <tech value="T"/>
+            <level value="2"/>
+            <risk value="2"/>
+            <timeSec value="2"/>
+        </switches>
+        <parse>
+            <item value="Title: AND/OR time-based blind"/>
+            <item value="Title: MySQL &lt; 5.0.12 AND time-based blind (heavy query)"/>
+        </parse>
+    </case>
+    <case name="MySQL against page protected by custom weak filter">
+        <switches>
+            <url value="http://debiandev/sqlmap/mysql/get_int_filtered.php?id=1"/>
+            <tech value="BE"/>
+            <level value="3"/>
+        </switches>
+        <parse>
+            <item value="Title: Generic boolean-based blind - Parameter replace (original value)"/>
+            <item value="Title: MySQL &gt;= 5.1 error-based - Parameter replace (EXTRACTVALUE)"/>
+        </parse>
+    </case>
+    <case name="MySQL injection in GROUP BY clause">
+        <switches>
+            <url value="http://debiandev/sqlmap/mysql/get_int_groupby.php?id=1"/>
+            <tech value="B"/>
+            <level value="3"/>
+        </switches>
+        <parse>
+            <item value="MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)"/>
+        </parse>
+    </case>
+    <!-- TODO: this crashes the library that parses XML as it has UTF-8 characters
+    <case name="MySQL boolean-based multi-threaded enumeration - international data">
+        <switches>
+            <url value="http://debiandev/sqlmap/mysql/get_int_international.php?id=1"/>
+            <threads value="4"/>
+            <tech value="B"/>
+            <getBanner value="True"/>
+            <dumpTable value="True"/>
+            <db value="testdb"/>
+            <tbl value="international"/>
+        </switches>
+        <parse>
+            <item value="banner:    '5.1.63-0+squeeze1'"/>
+            <item value="r'Database: testdb.+Table: international.+3 entries.+šućuraj.+река Москва'"/>
+        </parse>
+    </case>
+    -->
     <case name="MySQL partial UNION query multi-threaded enumeration - invalid bignum">
         <switches>
             <url value="http://debiandev/sqlmap/mysql/get_int_partialunion.php?id=1"/>
@@ -772,6 +823,9 @@
             <item value="current user is DBA:    True"/>
         </parse>
     </case>
+    <!-- End of technique switches -->
+
+    <!-- Other switches -->
     <case name="MySQL error-based HTTP basic authentication">
         <switches>
             <url value="http://debiandev/sqlmap/mysql/basic/get_int.php?id=1"/>

From 77843f44fb40315916694840b4774c91f2e3cab7 Mon Sep 17 00:00:00 2001
From: Bernardo Damele <bernardo.damele@gmail.com>
Date: Wed, 19 Dec 2012 22:49:02 +0000
Subject: [PATCH 5/6] minor bug fix (issue #314)

---
 lib/core/agent.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/lib/core/agent.py b/lib/core/agent.py
index f9b72b397..57ff0edac 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -680,10 +680,15 @@ class Agent(object):
         stopLimit = None
         limitCond = True
 
-        limitRegExp = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query, expression, re.I)
-        limitRegExp2 = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query2, expression, re.I)
         topLimit = re.search("TOP\s+([\d]+)\s+", expression, re.I)
 
+        limitRegExp = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query, expression, re.I)
+
+        if hasattr(queries[Backend.getIdentifiedDbms()].limitregexp, "query2"):
+            limitRegExp2 = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query2, expression, re.I)
+        else:
+            limitRegExp2 = None
+
         if (limitRegExp or limitRegExp2) or (Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE) and topLimit):
             if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.SQLITE):
                 limitGroupStart = queries[Backend.getIdentifiedDbms()].limitgroupstart.query

From 86872956d539367f0ce5b83da4052d85fbeecb24 Mon Sep 17 00:00:00 2001
From: Bernardo Damele <bernardo.damele@gmail.com>
Date: Wed, 19 Dec 2012 22:55:31 +0000
Subject: [PATCH 6/6] minor bug fix (for PostgreSQL)

---
 lib/core/agent.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lib/core/agent.py b/lib/core/agent.py
index 57ff0edac..56ec22590 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -732,7 +732,10 @@ class Agent(object):
                 # (or equivalent, depending on the back-end DBMS) word
                 if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.SQLITE):
                     stopLimit += startLimit
-                    _ = expression.index(queries[Backend.getIdentifiedDbms()].limitstring.query)
+                    if expression.find(queries[Backend.getIdentifiedDbms()].limitstring.query) > 0:
+                        _ = expression.index(queries[Backend.getIdentifiedDbms()].limitstring.query)
+                    else:
+                        _ = expression.index("LIMIT ")
                     expression = expression[:_]
 
                 elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):