implemented support for __pivotDumpTable on MSSQL, as normal tables tend not to play well with the usual TOP 1 .. NOT IN .. ORDER BY mechanism when the ORDER BY argument is not a unique column (it returns only as many rows as there are distinct values for that field)
parent
beb98140b3
commit
6fa2fd139c
|
@ -195,7 +195,7 @@ def errorUse(expression, expected=None, resumeValue=True, dump=False):
|
||||||
or (Backend.getIdentifiedDbms() in FROM_TABLE and not \
|
or (Backend.getIdentifiedDbms() in FROM_TABLE and not \
|
||||||
expression.upper().endswith(FROM_TABLE[Backend.getIdentifiedDbms()]))) \
|
expression.upper().endswith(FROM_TABLE[Backend.getIdentifiedDbms()]))) \
|
||||||
and ("(CASE" not in expression.upper() or ("(CASE" in expression.upper() and "WHEN use" in expression))) \
|
and ("(CASE" not in expression.upper() or ("(CASE" in expression.upper() and "WHEN use" in expression))) \
|
||||||
and not any(map(lambda x: x in expression.upper(), ["COUNT(*)", "EXISTS(", "MAX(", "MIN("])):
|
and not any(map(lambda x: x in expression.upper(), ["COUNT(*)", "EXISTS(", "MAX(", "MIN(", "COUNT(DISTINCT"])):
|
||||||
|
|
||||||
limitRegExp = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query, expression, re.I)
|
limitRegExp = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query, expression, re.I)
|
||||||
topLimit = re.search("TOP\s+([\d]+)\s+", expression, re.I)
|
topLimit = re.search("TOP\s+([\d]+)\s+", expression, re.I)
|
||||||
|
|
|
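Review bot: The new `"COUNT(DISTINCT"` keyword on the last changed row of this hunk (and the matching row in the unionUse hunk, `@ -137`) is tested with `any(map(lambda x: x in expression.upper(), [...]))`, which re-uppercases `expression` once per keyword on top of the other `.upper()` calls in the same condition. Hoisting the uppercase form into a local before the `if` (which begins above the hunk), `_expression = expression.upper()`, and writing the guard as `and not any(x in _expression for x in ("COUNT(*)", "EXISTS(", "MAX(", "MIN(", "COUNT(DISTINCT")))` is cheaper and easier to read. The test is a plain substring match, so `COUNT (DISTINCT` or `COUNT( DISTINCT` would not be recognised; a short comment on the keyword list saying it is matched verbatim, without whitespace normalisation, would make that limitation explicit. The enclosing function continues past the hunk.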
@ -137,7 +137,7 @@ def unionUse(expression, unpack=True, dump=False):
|
||||||
" FROM " in expression.upper() and ((Backend.getIdentifiedDbms() \
|
" FROM " in expression.upper() and ((Backend.getIdentifiedDbms() \
|
||||||
not in FROM_TABLE) or (Backend.getIdentifiedDbms() in FROM_TABLE \
|
not in FROM_TABLE) or (Backend.getIdentifiedDbms() in FROM_TABLE \
|
||||||
and not expression.upper().endswith(FROM_TABLE[Backend.getIdentifiedDbms()]))) \
|
and not expression.upper().endswith(FROM_TABLE[Backend.getIdentifiedDbms()]))) \
|
||||||
and not any(map(lambda x: x in expression.upper(), ["(CASE", "COUNT(*)", "EXISTS(", "MAX(", "MIN("])):
|
and not any(map(lambda x: x in expression.upper(), ["(CASE", "COUNT(*)", "EXISTS(", "MAX(", "MIN(", "COUNT(DISTINCT"])):
|
||||||
|
|
||||||
limitRegExp = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query, expression, re.I)
|
limitRegExp = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query, expression, re.I)
|
||||||
topLimit = re.search("TOP\s+([\d]+)\s+", expression, re.I)
|
topLimit = re.search("TOP\s+([\d]+)\s+", expression, re.I)
|
||||||
|
|
|
@ -1304,12 +1304,16 @@ class Enumeration:
|
||||||
query = rootQuery.inband.query % (colString, conf.tbl.upper() if not conf.db else ("%s.%s" % (conf.db.upper(), conf.tbl.upper())))
|
query = rootQuery.inband.query % (colString, conf.tbl.upper() if not conf.db else ("%s.%s" % (conf.db.upper(), conf.tbl.upper())))
|
||||||
elif Backend.getIdentifiedDbms() == DBMS.SQLITE:
|
elif Backend.getIdentifiedDbms() == DBMS.SQLITE:
|
||||||
query = rootQuery.inband.query % (colString, conf.tbl)
|
query = rootQuery.inband.query % (colString, conf.tbl)
|
||||||
elif Backend.getIdentifiedDbms() == DBMS.SYBASE:
|
elif Backend.getIdentifiedDbms() in (DBMS.SYBASE, DBMS.MSSQL):
|
||||||
table = "%s..%s" % (conf.db, conf.tbl)
|
# Partial inband and error
|
||||||
|
if not (isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) and kb.injection.data[PAYLOAD.TECHNIQUE.UNION].where == PAYLOAD.WHERE.ORIGINAL):
|
||||||
|
table = "%s.%s" % (conf.db, conf.tbl)
|
||||||
entries, _ = self.__pivotDumpTable(table, colList, blind=False)
|
entries, _ = self.__pivotDumpTable(table, colList, blind=False)
|
||||||
entries = zip(*[entries[colName] for colName in colList])
|
entries = zip(*[entries[colName] for colName in colList])
|
||||||
else:
|
else:
|
||||||
query = rootQuery.inband.query % (colString, conf.db, conf.tbl)
|
query = rootQuery.inband.query % (colString, conf.db, conf.tbl)
|
||||||
|
else:
|
||||||
|
query = rootQuery.inband.query % (colString, conf.db, conf.tbl)
|
||||||
|
|
||||||
if not entries:
|
if not entries:
|
||||||
entries = inject.getValue(query, blind=False, dump=True)
|
entries = inject.getValue(query, blind=False, dump=True)
|
||||||
|
@ -1358,8 +1362,8 @@ class Enumeration:
|
||||||
query = rootQuery.blind.count % (conf.tbl.upper() if not conf.db else ("%s.%s" % (conf.db.upper(), conf.tbl.upper())))
|
query = rootQuery.blind.count % (conf.tbl.upper() if not conf.db else ("%s.%s" % (conf.db.upper(), conf.tbl.upper())))
|
||||||
elif Backend.getIdentifiedDbms() in (DBMS.SQLITE, DBMS.ACCESS, DBMS.FIREBIRD):
|
elif Backend.getIdentifiedDbms() in (DBMS.SQLITE, DBMS.ACCESS, DBMS.FIREBIRD):
|
||||||
query = rootQuery.blind.count % conf.tbl
|
query = rootQuery.blind.count % conf.tbl
|
||||||
elif Backend.getIdentifiedDbms() == DBMS.SYBASE:
|
elif Backend.getIdentifiedDbms() in (DBMS.SYBASE, DBMS.MSSQL):
|
||||||
query = rootQuery.blind.count % ("%s..%s" % (conf.db, conf.tbl))
|
query = rootQuery.blind.count % ("%s.%s" % (conf.db, conf.tbl))
|
||||||
elif Backend.getIdentifiedDbms() == DBMS.MAXDB:
|
elif Backend.getIdentifiedDbms() == DBMS.MAXDB:
|
||||||
query = rootQuery.blind.count % ("%s" % conf.tbl)
|
query = rootQuery.blind.count % ("%s" % conf.tbl)
|
||||||
else:
|
else:
|
||||||
|
@ -1381,17 +1385,17 @@ class Enumeration:
|
||||||
entries = {}
|
entries = {}
|
||||||
|
|
||||||
try:
|
try:
|
||||||
if Backend.getIdentifiedDbms() in (DBMS.ACCESS, DBMS.SYBASE, DBMS.MAXDB):
|
if Backend.getIdentifiedDbms() in (DBMS.ACCESS, DBMS.SYBASE, DBMS.MAXDB, DBMS.MSSQL):
|
||||||
if Backend.getIdentifiedDbms() == DBMS.ACCESS:
|
if Backend.getIdentifiedDbms() == DBMS.ACCESS:
|
||||||
table = conf.tbl
|
table = conf.tbl
|
||||||
elif Backend.getIdentifiedDbms() == DBMS.SYBASE:
|
elif Backend.getIdentifiedDbms() in (DBMS.SYBASE, DBMS.MSSQL):
|
||||||
table = "%s..%s" % (conf.db, conf.tbl)
|
table = "%s.%s" % (conf.db, conf.tbl)
|
||||||
elif Backend.getIdentifiedDbms() == DBMS.MAXDB:
|
elif Backend.getIdentifiedDbms() == DBMS.MAXDB:
|
||||||
table = "%s.%s" % (conf.db, conf.tbl)
|
table = "%s.%s" % (conf.db, conf.tbl)
|
||||||
entries, lengths = self.__pivotDumpTable(table, colList, count, blind=True)
|
entries, lengths = self.__pivotDumpTable(table, colList, count, blind=True)
|
||||||
|
|
||||||
else:
|
else:
|
||||||
if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.MSSQL, DBMS.SYBASE):
|
if Backend.getIdentifiedDbms() == DBMS.ORACLE:
|
||||||
plusOne = True
|
plusOne = True
|
||||||
else:
|
else:
|
||||||
plusOne = False
|
plusOne = False
|
||||||
|
@ -1412,11 +1416,6 @@ class Enumeration:
|
||||||
query = rootQuery.blind.query % (column, column,
|
query = rootQuery.blind.query % (column, column,
|
||||||
conf.tbl.upper() if not conf.db else ("%s.%s" % (conf.db.upper(), conf.tbl.upper())),
|
conf.tbl.upper() if not conf.db else ("%s.%s" % (conf.db.upper(), conf.tbl.upper())),
|
||||||
index)
|
index)
|
||||||
elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):
|
|
||||||
query = rootQuery.blind.query % (column, index, conf.db,
|
|
||||||
conf.tbl, colList[0],
|
|
||||||
colList[0], colList[0])
|
|
||||||
|
|
||||||
elif Backend.getIdentifiedDbms() == DBMS.SQLITE:
|
elif Backend.getIdentifiedDbms() == DBMS.SQLITE:
|
||||||
query = rootQuery.blind.query % (column, conf.tbl, index)
|
query = rootQuery.blind.query % (column, conf.tbl, index)
|
||||||
|
|
||||||
|
|
|
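Review bot: In the `@ -1304` hunk the new MSSQL/Sybase pivot branch never assigns `query`, yet the `if not entries:` that follows falls through to `inject.getValue(query, blind=False, dump=True)`, so when the pivot dump yields no rows (`zip(*[...])` over empty columns is `[]`) that line would raise UnboundLocalError instead of reporting an empty table, unless `query` is initialised earlier in the method, which is outside the hunk. Initialising `query = None` ahead of the dbms chain and guarding with `if not entries and query:` keeps the fallback for the inband branches only. The same change also switches the Sybase table name from `"%s..%s"` to `"%s.%s"` (here, in `@ -1358` and in `@ -1381`) although the message mentions only MSSQL; in Transact-SQL a two-part name is, as far as I know, read as owner.object rather than database..object, so either keep the Sybase form or record the assumption next to the assignment: `# two-part name: conf.db is expected to carry the owner, not the database — TODO confirm for Sybase`. The `# Partial inband and error` comment on the new UNION check also undersells what the branch decides; `# Fall back to pivot dumping unless a full-row (WHERE.ORIGINAL) UNION is usable` states the condition directly. The enclosing method starts and ends outside these hunks.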
@ -193,8 +193,7 @@
|
||||||
</columns>
|
</columns>
|
||||||
<dump_table>
|
<dump_table>
|
||||||
<inband query="SELECT %s FROM %s.%s"/>
|
<inband query="SELECT %s FROM %s.%s"/>
|
||||||
<!--<blind query="SELECT TOP 1 %s FROM %s..%s WHERE %s NOT IN (SELECT TOP %d %s FROM %s..%s)" count="SELECT LTRIM(STR(COUNT(*))) FROM %s..%s"/>-->
|
<blind query="SELECT MIN(%s) FROM %s WHERE CONVERT(NVARCHAR(4000),%s)>'%s'" query2="SELECT MAX(%s) FROM %s WHERE CONVERT(NVARCHAR(4000),%s) LIKE '%s'" count="SELECT LTRIM(STR(COUNT(*))) FROM %s" count2="SELECT LTRIM(STR(COUNT(DISTINCT(%s)))) FROM %s"/>
|
||||||
<blind query="SELECT TOP 1 %s FROM (SELECT TOP 1 * FROM ( SELECT TOP %d * FROM %s.%s ORDER BY %s ASC ) AS t1 ORDER BY %s DESC) AS t2 ORDER BY %s ASC" count="SELECT LTRIM(STR(COUNT(*))) FROM %s.%s"/>
|
|
||||||
</dump_table>
|
</dump_table>
|
||||||
<search_db>
|
<search_db>
|
||||||
<inband query="SELECT name FROM master..sysdatabases WHERE " condition="name"/>
|
<inband query="SELECT name FROM master..sysdatabases WHERE " condition="name"/>
|
||||||
|
|
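Review bot: The new MSSQL `<blind>` element carries four templates (`query`, `query2`, `count`, `count2`) whose pairing is only understood by the pivot code, and nothing on the line says which placeholder receives what. An XML comment above it, e.g. `<!-- pivot-dump templates: %s.%s is the table, CONVERT(NVARCHAR(4000), ...) makes the pivot column comparable, query/query2 embed the previously read cell value as a string literal -->`, would spare the next reader a trip into __pivotDumpTable. Both `'%s'` placeholders splice a value read back from the database into a string literal, and `query2` uses it as a LIKE pattern, so an apostrophe or a `%`/`_`/`[` in that value changes the statement's meaning unless the caller escapes it; the commit does not show where that happens, so that responsibility belongs in the same comment. Dropping the commented-out `%s..%s` form is fine, but since the old and new templates differ in exactly that detail, a one-line note on why the two-part name is correct for MSSQL here would close the question.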