	Merge branch 'master' of github.com:sqlmapproject/sqlmap
This commit is contained in:
		
						commit
						69310e47ce
					
				|  | @ -680,10 +680,15 @@ class Agent(object): | ||||||
|         stopLimit = None |         stopLimit = None | ||||||
|         limitCond = True |         limitCond = True | ||||||
| 
 | 
 | ||||||
|         limitRegExp = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query, expression, re.I) |  | ||||||
|         limitRegExp2 = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query2, expression, re.I) |  | ||||||
|         topLimit = re.search("TOP\s+([\d]+)\s+", expression, re.I) |         topLimit = re.search("TOP\s+([\d]+)\s+", expression, re.I) | ||||||
| 
 | 
 | ||||||
|  |         limitRegExp = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query, expression, re.I) | ||||||
|  | 
 | ||||||
|  |         if hasattr(queries[Backend.getIdentifiedDbms()].limitregexp, "query2"): | ||||||
|  |             limitRegExp2 = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query2, expression, re.I) | ||||||
|  |         else: | ||||||
|  |             limitRegExp2 = None | ||||||
|  | 
 | ||||||
|         if (limitRegExp or limitRegExp2) or (Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE) and topLimit): |         if (limitRegExp or limitRegExp2) or (Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE) and topLimit): | ||||||
|             if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.SQLITE): |             if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.SQLITE): | ||||||
|                 limitGroupStart = queries[Backend.getIdentifiedDbms()].limitgroupstart.query |                 limitGroupStart = queries[Backend.getIdentifiedDbms()].limitgroupstart.query | ||||||
|  | @ -727,7 +732,10 @@ class Agent(object): | ||||||
|                 # (or equivalent, depending on the back-end DBMS) word |                 # (or equivalent, depending on the back-end DBMS) word | ||||||
|                 if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.SQLITE): |                 if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.SQLITE): | ||||||
|                     stopLimit += startLimit |                     stopLimit += startLimit | ||||||
|                     _ = expression.index(queries[Backend.getIdentifiedDbms()].limitstring.query) |                     if expression.find(queries[Backend.getIdentifiedDbms()].limitstring.query) > 0: | ||||||
|  |                         _ = expression.index(queries[Backend.getIdentifiedDbms()].limitstring.query) | ||||||
|  |                     else: | ||||||
|  |                         _ = expression.index("LIMIT ") | ||||||
|                     expression = expression[:_] |                     expression = expression[:_] | ||||||
| 
 | 
 | ||||||
|                 elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE): |                 elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE): | ||||||
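Review bot: The fallback added in the second hunk does not fully remove the ValueError it guards against: `expression.find(...) > 0` treats a match at offset 0 as absent (find returns 0 there and -1 only when missing), and the else branch's `expression.index("LIMIT ")` still raises when that literal is not present — which is possible, since the limit detection at the top of the method uses `re.I` while find/index are case-sensitive. I would write the test as `if queries[Backend.getIdentifiedDbms()].limitstring.query in expression:` and have the else branch use `_ = expression.find("LIMIT ")` followed by a check that `_ != -1` before slicing, or at least document the remaining assumption with `# assumes a LIMIT clause is present; index() raises ValueError otherwise`. In the first hunk, the `hasattr`/else pair could collapse to `query2 = getattr(queries[Backend.getIdentifiedDbms()].limitregexp, "query2", None)` with the search run only when it is not None. Both hunks sit inside a method of Agent that starts and ends outside the visible lines, so I could not confirm what the surrounding control flow already guarantees about the expression.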
|  |  | ||||||
|  | @ -191,6 +191,7 @@ def initCase(switches=None): | ||||||
| 
 | 
 | ||||||
|     logger.debug("using output directory '%s' for this test case" % paths.SQLMAP_OUTPUT_PATH) |     logger.debug("using output directory '%s' for this test case" % paths.SQLMAP_OUTPUT_PATH) | ||||||
| 
 | 
 | ||||||
|  |     LOGGER_HANDLER.stream = sys.stdout = StringIO.StringIO() | ||||||
|     cmdLineOptions = cmdLineParser() |     cmdLineOptions = cmdLineParser() | ||||||
|     cmdLineOptions.liveTest = cmdLineOptions.smokeTest = False |     cmdLineOptions.liveTest = cmdLineOptions.smokeTest = False | ||||||
| 
 | 
 | ||||||
|  | @ -209,11 +210,11 @@ def runCase(switches=None, parse=None): | ||||||
| 
 | 
 | ||||||
|     initCase(switches) |     initCase(switches) | ||||||
| 
 | 
 | ||||||
|  |     LOGGER_HANDLER.stream = sys.stdout = StringIO.StringIO() | ||||||
|     retVal = True |     retVal = True | ||||||
|     exception = None |     exception = None | ||||||
|     result = False |     result = False | ||||||
|     console = "" |     console = "" | ||||||
|     LOGGER_HANDLER.stream = sys.stdout = StringIO.StringIO() |  | ||||||
| 
 | 
 | ||||||
|     try: |     try: | ||||||
|         result = start() |         result = start() | ||||||
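Review bot: After this change the stdout/log capture is set up twice in a row: initCase (first hunk, just after the debug log) assigns `LOGGER_HANDLER.stream = sys.stdout = StringIO.StringIO()`, and runCase (second hunk) does the same immediately after `initCase(switches)` returns, so the buffer created in initCase — and whatever cmdLineParser or the rest of initCase wrote to it — is replaced without being read, unless initCase itself reads it back further down, which the hunk does not show. Either the redirect in runCase is now redundant and should go, or initCase's output is meant to be captured separately, in which case runCase should keep a reference to that buffer before replacing the stream; which is intended is not visible here. Neither hunk shows sys.stdout being restored; presumably the `try:` that follows has a matching `finally:` outside the hunk, which is worth confirming because a leaked redirect silently hides every later log line. A comment above the assignment in runCase, `# fresh buffer for this case's console output; the one from initCase is discarded`, would at least make the behaviour deliberate. initCase and runCase both continue outside the visible lines.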
|  |  | ||||||
|  | @ -1,10 +1,13 @@ | ||||||
| <?xml version="1.0" encoding="UTF-8"?> | <?xml version="1.0" encoding="UTF-8"?> | ||||||
| 
 | 
 | ||||||
| <root> | <root> | ||||||
|  |     <vars> | ||||||
|  |         <random value="random"/> | ||||||
|  |     </vars> | ||||||
|     <global> |     <global> | ||||||
|         <ignoreProxy value="True"/> |         <ignoreProxy value="True"/> | ||||||
|         <batch value="True"/> |         <batch value="True"/> | ||||||
|         <verbose value="1"/> |         <verbose value="2"/> | ||||||
|     </global> |     </global> | ||||||
|     <!-- Common enumeration switches across all techniques --> |     <!-- Common enumeration switches across all techniques --> | ||||||
|     <case name="MySQL boolean-based multi-threaded enumeration - all entries"> |     <case name="MySQL boolean-based multi-threaded enumeration - all entries"> | ||||||
|  | @ -183,21 +186,13 @@ | ||||||
|         <switches> |         <switches> | ||||||
|             <url value="http://debiandev/sqlmap/mysql/get_int_nooutput.php?id=1"/> |             <url value="http://debiandev/sqlmap/mysql/get_int_nooutput.php?id=1"/> | ||||||
|             <tech value="T"/> |             <tech value="T"/> | ||||||
|             <timeSec value="1"/> |             <timeSec value="2"/> | ||||||
|             <extensiveFp value="True"/> |  | ||||||
|             <getBanner value="True"/> |             <getBanner value="True"/> | ||||||
|             <getCurrentUser value="True"/> |  | ||||||
|             <getCurrentDb value="True"/> |  | ||||||
|             <getHostname value="True"/> |  | ||||||
|             <isDba value="True"/> |             <isDba value="True"/> | ||||||
|         </switches> |         </switches> | ||||||
|         <parse> |         <parse> | ||||||
|             <item value="Title: MySQL > 5.0.11 AND time-based blind"/> |             <item value="Title: MySQL > 5.0.11 AND time-based blind"/> | ||||||
|             <item value="r'back-end DBMS: active fingerprint: MySQL >= 5.1.12 and < 5.5.0'"/> |  | ||||||
|             <item value="banner:    '5.1.63-0+squeeze1'"/> |             <item value="banner:    '5.1.63-0+squeeze1'"/> | ||||||
|             <item value="current user:    'root@localhost'"/> |  | ||||||
|             <item value="current database:    'testdb'"/> |  | ||||||
|             <item value="hostname:    'debian"/> |  | ||||||
|             <item value="current user is DBA:    True"/> |             <item value="current user is DBA:    True"/> | ||||||
|         </parse> |         </parse> | ||||||
|     </case> |     </case> | ||||||
|  | @ -670,4 +665,203 @@ | ||||||
|         </parse> |         </parse> | ||||||
|     </case> |     </case> | ||||||
|     <!-- End of user's provided statement enumeration switches --> |     <!-- End of user's provided statement enumeration switches --> | ||||||
|  | 
 | ||||||
|  |     <!-- File system access switches --> | ||||||
|  |     <case name="MySQL boolean-based multi-threaded file read"> | ||||||
|  |         <switches> | ||||||
|  |             <url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/> | ||||||
|  |             <threads value="4"/> | ||||||
|  |             <tech value="B"/> | ||||||
|  |             <rFile value="/etc/hosts,/tmp/invalidfile"/> | ||||||
|  |         </switches> | ||||||
|  |         <parse> | ||||||
|  |             <item value="r'files saved to.+files/_etc_hosts \(same file\)'"/> | ||||||
|  |         </parse> | ||||||
|  |     </case> | ||||||
|  |     <case name="MySQL error-based multi-threaded file read"> | ||||||
|  |         <switches> | ||||||
|  |             <url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/> | ||||||
|  |             <threads value="4"/> | ||||||
|  |             <tech value="E"/> | ||||||
|  |             <rFile value="/etc/hosts,/tmp/invalidfile"/> | ||||||
|  |         </switches> | ||||||
|  |         <parse> | ||||||
|  |             <item value="r'files saved to.+files/_etc_hosts \(same file\)'"/> | ||||||
|  |         </parse> | ||||||
|  |     </case> | ||||||
|  |     <case name="MySQL UNION query multi-threaded file read"> | ||||||
|  |         <switches> | ||||||
|  |             <url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/> | ||||||
|  |             <threads value="4"/> | ||||||
|  |             <tech value="U"/> | ||||||
|  |             <rFile value="/etc/hosts,/tmp/invalidfile"/> | ||||||
|  |         </switches> | ||||||
|  |         <parse> | ||||||
|  |             <item value="r'files saved to.+files/_etc_hosts \(same file\)'"/> | ||||||
|  |         </parse> | ||||||
|  |     </case> | ||||||
|  |     <case name="MySQL UNION query multi-threaded file write"> | ||||||
|  |         <switches> | ||||||
|  |             <url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/> | ||||||
|  |             <threads value="4"/> | ||||||
|  |             <tech value="U"/> | ||||||
|  |             <wFile value="/etc/passwd"/> | ||||||
|  |             <dFile value="/tmp/passwd-${random}"/> | ||||||
|  |         </switches> | ||||||
|  |         <parse> | ||||||
|  |             <item value="the remote file /tmp/passwd-${random} is larger than the local file /etc/passwd" console_output="True"/> | ||||||
|  |         </parse> | ||||||
|  |     </case> | ||||||
|  |     <!-- End of file system access switches --> | ||||||
|  | 
 | ||||||
|  |     <!-- Operating system access switches --> | ||||||
|  |     <case name="MySQL web shell - command execution"> | ||||||
|  |         <switches> | ||||||
|  |             <url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/> | ||||||
|  |             <tech value="B"/> | ||||||
|  |             <osCmd value="id"/> | ||||||
|  |             <answers value="please provide any additional web server=/var/www/test"/> | ||||||
|  |         </switches> | ||||||
|  |         <parse> | ||||||
|  |             <item value="command standard output:    'uid="/> | ||||||
|  |         </parse> | ||||||
|  |     </case> | ||||||
|  |     <!-- TODO: integration with Metasploit cannot be called yet from live testing --> | ||||||
|  |     <case name="MySQL shell via Metasploit integration - command execution"> | ||||||
|  |         <switches> | ||||||
|  |             <url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/> | ||||||
|  |             <tech value="B"/> | ||||||
|  |             <osPwn value="True"/> | ||||||
|  |             <msfPath value="/usr/local/bin/"/> | ||||||
|  |             <answers value="please provide any additional web server=/var/www/test"/> | ||||||
|  |         </switches> | ||||||
|  |         <parse> | ||||||
|  |             <item value="r'Sending stage.+Command shell session.+Linux.+uid='"/> | ||||||
|  |         </parse> | ||||||
|  |     </case> | ||||||
|  |     <!-- End of operating system access switches --> | ||||||
|  | 
 | ||||||
|  |     <!-- Technique switches --> | ||||||
|  |     <case name="MySQL 4 time-based against unresponsive page"> | ||||||
|  |         <switches> | ||||||
|  |             <url value="http://debiandev/sqlmap/mysql/get_int_benchmark.php?id=1"/> | ||||||
|  |             <tech value="T"/> | ||||||
|  |             <level value="2"/> | ||||||
|  |             <risk value="2"/> | ||||||
|  |             <timeSec value="2"/> | ||||||
|  |         </switches> | ||||||
|  |         <parse> | ||||||
|  |             <item value="Title: AND/OR time-based blind"/> | ||||||
|  |             <item value="Title: MySQL < 5.0.12 AND time-based blind (heavy query)"/> | ||||||
|  |         </parse> | ||||||
|  |     </case> | ||||||
|  |     <case name="MySQL against page protected by custom weak filter"> | ||||||
|  |         <switches> | ||||||
|  |             <url value="http://debiandev/sqlmap/mysql/get_int_filtered.php?id=1"/> | ||||||
|  |             <tech value="BE"/> | ||||||
|  |             <level value="3"/> | ||||||
|  |         </switches> | ||||||
|  |         <parse> | ||||||
|  |             <item value="Title: Generic boolean-based blind - Parameter replace (original value)"/> | ||||||
|  |             <item value="Title: MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)"/> | ||||||
|  |         </parse> | ||||||
|  |     </case> | ||||||
|  |     <case name="MySQL injection in GROUP BY clause"> | ||||||
|  |         <switches> | ||||||
|  |             <url value="http://debiandev/sqlmap/mysql/get_int_groupby.php?id=1"/> | ||||||
|  |             <tech value="B"/> | ||||||
|  |             <level value="3"/> | ||||||
|  |         </switches> | ||||||
|  |         <parse> | ||||||
|  |             <item value="MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)"/> | ||||||
|  |         </parse> | ||||||
|  |     </case> | ||||||
|  |     <!-- TODO: this crashes the library that parses XML as it has UTF-8 characters | ||||||
|  |     <case name="MySQL boolean-based multi-threaded enumeration - international data"> | ||||||
|  |         <switches> | ||||||
|  |             <url value="http://debiandev/sqlmap/mysql/get_int_international.php?id=1"/> | ||||||
|  |             <threads value="4"/> | ||||||
|  |             <tech value="B"/> | ||||||
|  |             <getBanner value="True"/> | ||||||
|  |             <dumpTable value="True"/> | ||||||
|  |             <db value="testdb"/> | ||||||
|  |             <tbl value="international"/> | ||||||
|  |         </switches> | ||||||
|  |         <parse> | ||||||
|  |             <item value="banner:    '5.1.63-0+squeeze1'"/> | ||||||
|  |             <item value="r'Database: testdb.+Table: international.+3 entries.+šućuraj.+река Москва'"/> | ||||||
|  |         </parse> | ||||||
|  |     </case> | ||||||
|  |     --> | ||||||
|  |     <case name="MySQL partial UNION query multi-threaded enumeration - invalid bignum"> | ||||||
|  |         <switches> | ||||||
|  |             <url value="http://debiandev/sqlmap/mysql/get_int_partialunion.php?id=1"/> | ||||||
|  |             <tech value="U"/> | ||||||
|  |             <invalidBignum value="True"/> | ||||||
|  |             <getBanner value="True"/> | ||||||
|  |             <isDba value="True"/> | ||||||
|  |         </switches> | ||||||
|  |         <parse> | ||||||
|  |             <item value="Title: MySQL UNION query (NULL) - 3 columns"/> | ||||||
|  |             <item value="r'Payload: id=[\d]+\.[\d]+ UNION'"/> | ||||||
|  |             <item value="banner:    '5.1.63-0+squeeze1'"/> | ||||||
|  |             <item value="current user is DBA:    True"/> | ||||||
|  |         </parse> | ||||||
|  |     </case> | ||||||
|  |     <case name="MySQL partial UNION query multi-threaded enumeration - invalid logical"> | ||||||
|  |         <switches> | ||||||
|  |             <url value="http://debiandev/sqlmap/mysql/get_int_partialunion.php?id=1"/> | ||||||
|  |             <tech value="U"/> | ||||||
|  |             <invalidLogical value="True"/> | ||||||
|  |             <getBanner value="True"/> | ||||||
|  |             <isDba value="True"/> | ||||||
|  |         </switches> | ||||||
|  |         <parse> | ||||||
|  |             <item value="Title: MySQL UNION query (NULL) - 3 columns"/> | ||||||
|  |             <item value="r'Payload: id=1 AND [\d]+=[\d]+ UNION'"/> | ||||||
|  |             <item value="banner:    '5.1.63-0+squeeze1'"/> | ||||||
|  |             <item value="current user is DBA:    True"/> | ||||||
|  |         </parse> | ||||||
|  |     </case> | ||||||
|  |     <!-- End of technique switches --> | ||||||
|  | 
 | ||||||
|  |     <!-- Other switches --> | ||||||
|  |     <case name="MySQL error-based HTTP basic authentication"> | ||||||
|  |         <switches> | ||||||
|  |             <url value="http://debiandev/sqlmap/mysql/basic/get_int.php?id=1"/> | ||||||
|  |             <tech value="E"/> | ||||||
|  |             <aType value="Basic"/> | ||||||
|  |             <aCred value="testuser:testpass"/> | ||||||
|  |             <getBanner value="True"/> | ||||||
|  |         </switches> | ||||||
|  |         <parse> | ||||||
|  |             <item value="banner:    '5.1.63-0+squeeze1'"/> | ||||||
|  |         </parse> | ||||||
|  |     </case> | ||||||
|  |     <case name="MySQL error-based HTTP digest authentication"> | ||||||
|  |         <switches> | ||||||
|  |             <url value="http://debiandev/sqlmap/mysql/digest/get_int.php?id=1"/> | ||||||
|  |             <tech value="E"/> | ||||||
|  |             <aType value="Digest"/> | ||||||
|  |             <aCred value="testuser:testpass"/> | ||||||
|  |             <getBanner value="True"/> | ||||||
|  |         </switches> | ||||||
|  |         <parse> | ||||||
|  |             <item value="banner:    '5.1.63-0+squeeze1'"/> | ||||||
|  |         </parse> | ||||||
|  |     </case> | ||||||
|  |     <case name="MySQL boolean-based predict output enumeration"> | ||||||
|  |         <switches> | ||||||
|  |             <url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/> | ||||||
|  |             <predictOutput value="True"/> | ||||||
|  |             <tech value="B"/> | ||||||
|  |             <getBanner value="True"/> | ||||||
|  |         </switches> | ||||||
|  |         <parse> | ||||||
|  |             <item value="banner:    '5.1.63-0+squeeze1'"/> | ||||||
|  |             <item value="r'performed 112 queries'" console_output="True"/> | ||||||
|  |         </parse> | ||||||
|  |     </case> | ||||||
|  |     <!-- End of other switches --> | ||||||
|  | 
 | ||||||
| </root> | </root> | ||||||
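Review bot: The case `MySQL shell via Metasploit integration - command execution` is left active even though the TODO comment directly above it says the integration cannot be called from live testing yet, so every run will report a failure that is known in advance; the file already handles this situation for the international-data case by wrapping it in an XML comment, and this case should get the same treatment (or whatever skip mechanism the runner offers) until it can run. The new `MySQL UNION query multi-threaded file write` case uploads the tester's real `/etc/passwd` via `<wFile value="/etc/passwd"/>`; a small fixture file shipped with the tests would make the size comparison in the parse item deterministic and avoid copying the local account list to the target. `${random}` is referenced in `dFile` and the matching parse item, but `<random value="random"/>` in the new `<vars>` block does not say how or by whom it is expanded; a comment on the `<vars>` element stating that would help the next reader. `r'performed 112 queries'` pins an exact query count, which is fine as a regression check for predictOutput but will break on any unrelated change to the request flow — worth a comment saying so.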
|  |  | ||||||
|  | @ -717,7 +717,7 @@ Formats: | ||||||
|     </test> |     </test> | ||||||
| 
 | 
 | ||||||
|     <test> |     <test> | ||||||
|         <title>MySQL boolean-based blind - WHERE or HAVING clause (RLIKE)</title> |         <title>MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)</title> | ||||||
|         <stype>1</stype> |         <stype>1</stype> | ||||||
|         <level>3</level> |         <level>3</level> | ||||||
|         <risk>1</risk> |         <risk>1</risk> | ||||||
|  |  | ||||||