mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2024-11-25 19:13:48 +03:00
Merge branch 'master' of github.com:sqlmapproject/sqlmap
This commit is contained in:
commit
69310e47ce
|
@ -680,10 +680,15 @@ class Agent(object):
|
|||
stopLimit = None
|
||||
limitCond = True
|
||||
|
||||
limitRegExp = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query, expression, re.I)
|
||||
limitRegExp2 = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query2, expression, re.I)
|
||||
topLimit = re.search("TOP\s+([\d]+)\s+", expression, re.I)
|
||||
|
||||
limitRegExp = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query, expression, re.I)
|
||||
|
||||
if hasattr(queries[Backend.getIdentifiedDbms()].limitregexp, "query2"):
|
||||
limitRegExp2 = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query2, expression, re.I)
|
||||
else:
|
||||
limitRegExp2 = None
|
||||
|
||||
if (limitRegExp or limitRegExp2) or (Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE) and topLimit):
|
||||
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.SQLITE):
|
||||
limitGroupStart = queries[Backend.getIdentifiedDbms()].limitgroupstart.query
|
||||
|
@ -727,7 +732,10 @@ class Agent(object):
|
|||
# (or equivalent, depending on the back-end DBMS) word
|
||||
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.SQLITE):
|
||||
stopLimit += startLimit
|
||||
if expression.find(queries[Backend.getIdentifiedDbms()].limitstring.query) > 0:
|
||||
_ = expression.index(queries[Backend.getIdentifiedDbms()].limitstring.query)
|
||||
else:
|
||||
_ = expression.index("LIMIT ")
|
||||
expression = expression[:_]
|
||||
|
||||
elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):
|
||||
|
|
|
@ -191,6 +191,7 @@ def initCase(switches=None):
|
|||
|
||||
logger.debug("using output directory '%s' for this test case" % paths.SQLMAP_OUTPUT_PATH)
|
||||
|
||||
LOGGER_HANDLER.stream = sys.stdout = StringIO.StringIO()
|
||||
cmdLineOptions = cmdLineParser()
|
||||
cmdLineOptions.liveTest = cmdLineOptions.smokeTest = False
|
||||
|
||||
|
@ -209,11 +210,11 @@ def runCase(switches=None, parse=None):
|
|||
|
||||
initCase(switches)
|
||||
|
||||
LOGGER_HANDLER.stream = sys.stdout = StringIO.StringIO()
|
||||
retVal = True
|
||||
exception = None
|
||||
result = False
|
||||
console = ""
|
||||
LOGGER_HANDLER.stream = sys.stdout = StringIO.StringIO()
|
||||
|
||||
try:
|
||||
result = start()
|
||||
|
|
|
@ -1,10 +1,13 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
|
||||
<root>
|
||||
<vars>
|
||||
<random value="random"/>
|
||||
</vars>
|
||||
<global>
|
||||
<ignoreProxy value="True"/>
|
||||
<batch value="True"/>
|
||||
<verbose value="1"/>
|
||||
<verbose value="2"/>
|
||||
</global>
|
||||
<!-- Common enumeration switches across all techniques -->
|
||||
<case name="MySQL boolean-based multi-threaded enumeration - all entries">
|
||||
|
@ -183,21 +186,13 @@
|
|||
<switches>
|
||||
<url value="http://debiandev/sqlmap/mysql/get_int_nooutput.php?id=1"/>
|
||||
<tech value="T"/>
|
||||
<timeSec value="1"/>
|
||||
<extensiveFp value="True"/>
|
||||
<timeSec value="2"/>
|
||||
<getBanner value="True"/>
|
||||
<getCurrentUser value="True"/>
|
||||
<getCurrentDb value="True"/>
|
||||
<getHostname value="True"/>
|
||||
<isDba value="True"/>
|
||||
</switches>
|
||||
<parse>
|
||||
<item value="Title: MySQL > 5.0.11 AND time-based blind"/>
|
||||
<item value="r'back-end DBMS: active fingerprint: MySQL >= 5.1.12 and < 5.5.0'"/>
|
||||
<item value="banner: '5.1.63-0+squeeze1'"/>
|
||||
<item value="current user: 'root@localhost'"/>
|
||||
<item value="current database: 'testdb'"/>
|
||||
<item value="hostname: 'debian"/>
|
||||
<item value="current user is DBA: True"/>
|
||||
</parse>
|
||||
</case>
|
||||
|
@ -670,4 +665,203 @@
|
|||
</parse>
|
||||
</case>
|
||||
<!-- End of user's provided statement enumeration switches -->
|
||||
|
||||
<!-- File system access switches -->
|
||||
<case name="MySQL boolean-based multi-threaded file read">
|
||||
<switches>
|
||||
<url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/>
|
||||
<threads value="4"/>
|
||||
<tech value="B"/>
|
||||
<rFile value="/etc/hosts,/tmp/invalidfile"/>
|
||||
</switches>
|
||||
<parse>
|
||||
<item value="r'files saved to.+files/_etc_hosts \(same file\)'"/>
|
||||
</parse>
|
||||
</case>
|
||||
<case name="MySQL error-based multi-threaded file read">
|
||||
<switches>
|
||||
<url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/>
|
||||
<threads value="4"/>
|
||||
<tech value="E"/>
|
||||
<rFile value="/etc/hosts,/tmp/invalidfile"/>
|
||||
</switches>
|
||||
<parse>
|
||||
<item value="r'files saved to.+files/_etc_hosts \(same file\)'"/>
|
||||
</parse>
|
||||
</case>
|
||||
<case name="MySQL UNION query multi-threaded file read">
|
||||
<switches>
|
||||
<url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/>
|
||||
<threads value="4"/>
|
||||
<tech value="U"/>
|
||||
<rFile value="/etc/hosts,/tmp/invalidfile"/>
|
||||
</switches>
|
||||
<parse>
|
||||
<item value="r'files saved to.+files/_etc_hosts \(same file\)'"/>
|
||||
</parse>
|
||||
</case>
|
||||
<case name="MySQL UNION query multi-threaded file write">
|
||||
<switches>
|
||||
<url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/>
|
||||
<threads value="4"/>
|
||||
<tech value="U"/>
|
||||
<wFile value="/etc/passwd"/>
|
||||
<dFile value="/tmp/passwd-${random}"/>
|
||||
</switches>
|
||||
<parse>
|
||||
<item value="the remote file /tmp/passwd-${random} is larger than the local file /etc/passwd" console_output="True"/>
|
||||
</parse>
|
||||
</case>
|
||||
<!-- End of file system access switches -->
|
||||
|
||||
<!-- Operating system access switches -->
|
||||
<case name="MySQL web shell - command execution">
|
||||
<switches>
|
||||
<url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/>
|
||||
<tech value="B"/>
|
||||
<osCmd value="id"/>
|
||||
<answers value="please provide any additional web server=/var/www/test"/>
|
||||
</switches>
|
||||
<parse>
|
||||
<item value="command standard output: 'uid="/>
|
||||
</parse>
|
||||
</case>
|
||||
<!-- TODO: integration with Metasploit cannot be called yet from live testing -->
|
||||
<case name="MySQL shell via Metasploit integration - command execution">
|
||||
<switches>
|
||||
<url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/>
|
||||
<tech value="B"/>
|
||||
<osPwn value="True"/>
|
||||
<msfPath value="/usr/local/bin/"/>
|
||||
<answers value="please provide any additional web server=/var/www/test"/>
|
||||
</switches>
|
||||
<parse>
|
||||
<item value="r'Sending stage.+Command shell session.+Linux.+uid='"/>
|
||||
</parse>
|
||||
</case>
|
||||
<!-- End of operating system access switches -->
|
||||
|
||||
<!-- Technique switches -->
|
||||
<case name="MySQL 4 time-based against unresponsive page">
|
||||
<switches>
|
||||
<url value="http://debiandev/sqlmap/mysql/get_int_benchmark.php?id=1"/>
|
||||
<tech value="T"/>
|
||||
<level value="2"/>
|
||||
<risk value="2"/>
|
||||
<timeSec value="2"/>
|
||||
</switches>
|
||||
<parse>
|
||||
<item value="Title: AND/OR time-based blind"/>
|
||||
<item value="Title: MySQL < 5.0.12 AND time-based blind (heavy query)"/>
|
||||
</parse>
|
||||
</case>
|
||||
<case name="MySQL against page protected by custom weak filter">
|
||||
<switches>
|
||||
<url value="http://debiandev/sqlmap/mysql/get_int_filtered.php?id=1"/>
|
||||
<tech value="BE"/>
|
||||
<level value="3"/>
|
||||
</switches>
|
||||
<parse>
|
||||
<item value="Title: Generic boolean-based blind - Parameter replace (original value)"/>
|
||||
<item value="Title: MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)"/>
|
||||
</parse>
|
||||
</case>
|
||||
<case name="MySQL injection in GROUP BY clause">
|
||||
<switches>
|
||||
<url value="http://debiandev/sqlmap/mysql/get_int_groupby.php?id=1"/>
|
||||
<tech value="B"/>
|
||||
<level value="3"/>
|
||||
</switches>
|
||||
<parse>
|
||||
<item value="MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)"/>
|
||||
</parse>
|
||||
</case>
|
||||
<!-- TODO: this crashes the library that parses XML as it has UTF-8 characters
|
||||
<case name="MySQL boolean-based multi-threaded enumeration - international data">
|
||||
<switches>
|
||||
<url value="http://debiandev/sqlmap/mysql/get_int_international.php?id=1"/>
|
||||
<threads value="4"/>
|
||||
<tech value="B"/>
|
||||
<getBanner value="True"/>
|
||||
<dumpTable value="True"/>
|
||||
<db value="testdb"/>
|
||||
<tbl value="international"/>
|
||||
</switches>
|
||||
<parse>
|
||||
<item value="banner: '5.1.63-0+squeeze1'"/>
|
||||
<item value="r'Database: testdb.+Table: international.+3 entries.+šućuraj.+река Москва'"/>
|
||||
</parse>
|
||||
</case>
|
||||
-->
|
||||
<case name="MySQL partial UNION query multi-threaded enumeration - invalid bignum">
|
||||
<switches>
|
||||
<url value="http://debiandev/sqlmap/mysql/get_int_partialunion.php?id=1"/>
|
||||
<tech value="U"/>
|
||||
<invalidBignum value="True"/>
|
||||
<getBanner value="True"/>
|
||||
<isDba value="True"/>
|
||||
</switches>
|
||||
<parse>
|
||||
<item value="Title: MySQL UNION query (NULL) - 3 columns"/>
|
||||
<item value="r'Payload: id=[\d]+\.[\d]+ UNION'"/>
|
||||
<item value="banner: '5.1.63-0+squeeze1'"/>
|
||||
<item value="current user is DBA: True"/>
|
||||
</parse>
|
||||
</case>
|
||||
<case name="MySQL partial UNION query multi-threaded enumeration - invalid logical">
|
||||
<switches>
|
||||
<url value="http://debiandev/sqlmap/mysql/get_int_partialunion.php?id=1"/>
|
||||
<tech value="U"/>
|
||||
<invalidLogical value="True"/>
|
||||
<getBanner value="True"/>
|
||||
<isDba value="True"/>
|
||||
</switches>
|
||||
<parse>
|
||||
<item value="Title: MySQL UNION query (NULL) - 3 columns"/>
|
||||
<item value="r'Payload: id=1 AND [\d]+=[\d]+ UNION'"/>
|
||||
<item value="banner: '5.1.63-0+squeeze1'"/>
|
||||
<item value="current user is DBA: True"/>
|
||||
</parse>
|
||||
</case>
|
||||
<!-- End of technique switches -->
|
||||
|
||||
<!-- Other switches -->
|
||||
<case name="MySQL error-based HTTP basic authentication">
|
||||
<switches>
|
||||
<url value="http://debiandev/sqlmap/mysql/basic/get_int.php?id=1"/>
|
||||
<tech value="E"/>
|
||||
<aType value="Basic"/>
|
||||
<aCred value="testuser:testpass"/>
|
||||
<getBanner value="True"/>
|
||||
</switches>
|
||||
<parse>
|
||||
<item value="banner: '5.1.63-0+squeeze1'"/>
|
||||
</parse>
|
||||
</case>
|
||||
<case name="MySQL error-based HTTP digest authentication">
|
||||
<switches>
|
||||
<url value="http://debiandev/sqlmap/mysql/digest/get_int.php?id=1"/>
|
||||
<tech value="E"/>
|
||||
<aType value="Digest"/>
|
||||
<aCred value="testuser:testpass"/>
|
||||
<getBanner value="True"/>
|
||||
</switches>
|
||||
<parse>
|
||||
<item value="banner: '5.1.63-0+squeeze1'"/>
|
||||
</parse>
|
||||
</case>
|
||||
<case name="MySQL boolean-based predict output enumeration">
|
||||
<switches>
|
||||
<url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/>
|
||||
<predictOutput value="True"/>
|
||||
<tech value="B"/>
|
||||
<getBanner value="True"/>
|
||||
</switches>
|
||||
<parse>
|
||||
<item value="banner: '5.1.63-0+squeeze1'"/>
|
||||
<item value="r'performed 112 queries'" console_output="True"/>
|
||||
</parse>
|
||||
</case>
|
||||
<!-- End of other switches -->
|
||||
|
||||
</root>
|
||||
|
|
|
@ -717,7 +717,7 @@ Formats:
|
|||
</test>
|
||||
|
||||
<test>
|
||||
<title>MySQL boolean-based blind - WHERE or HAVING clause (RLIKE)</title>
|
||||
<title>MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)</title>
|
||||
<stype>1</stype>
|
||||
<level>3</level>
|
||||
<risk>1</risk>
|
||||
|
|
Loading…
Reference in New Issue
Block a user