	Update for an Issue #278
This commit is contained in:
		
							parent
							
								
									949fcb77cf
								
							
						
					
					
						commit
						775e0df04b
					
				| 
						 | 
					@ -68,7 +68,7 @@ _arguments -C -s \
 | 
				
			||||||
  '(--code)'--code=-'[HTTP code to match when query is evaluated to True]' \
 | 
					  '(--code)'--code=-'[HTTP code to match when query is evaluated to True]' \
 | 
				
			||||||
  '(--text-only)'--text-only'[Compare pages based only on the textual content]' \
 | 
					  '(--text-only)'--text-only'[Compare pages based only on the textual content]' \
 | 
				
			||||||
  '(--titles)'--titles'[Compare pages based only on their titles]' \
 | 
					  '(--titles)'--titles'[Compare pages based only on their titles]' \
 | 
				
			||||||
  '(--technique)'--technique=-'[SQL injection techniques to test for (default "BEUST")]:TECH:->list-techniques' \
 | 
					  '(--technique)'--technique=-'[SQL injection techniques to test for (default "BEUSTQ")]:TECH:->list-techniques' \
 | 
				
			||||||
  '(--time-sec)'--time-sec=-'[Seconds to delay the DBMS response (default 5)]:TIMESEC' \
 | 
					  '(--time-sec)'--time-sec=-'[Seconds to delay the DBMS response (default 5)]:TIMESEC' \
 | 
				
			||||||
  '(--union-cols)'--union-cols=-'[Range of columns to test for UNION query SQL injection]:UCOLS' \
 | 
					  '(--union-cols)'--union-cols=-'[Range of columns to test for UNION query SQL injection]:UCOLS' \
 | 
				
			||||||
  '(--union-char)'--union-char=-'[Character to use for bruteforcing number of columns]:UCHAR' \
 | 
					  '(--union-char)'--union-char=-'[Character to use for bruteforcing number of columns]:UCHAR' \
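Review bot: The `--technique` help text now advertises the default as "BEUSTQ", but the `->list-techniques` state that this spec hands completion off to is outside this hunk and is not touched by the commit; if that state enumerates B/E/U/S/T individually (as the `TECH:->list-techniques` action suggests), it needs a matching entry such as `'Q:Inline queries SQL injection'` or the new letter will be documented but never completed. Worth verifying against the rest of the completion file rather than assuming it derives the letters from the string here.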
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -138,7 +138,7 @@ def __formatInjection(inj):
 | 
				
			||||||
                title = title.replace("columns", "column")
 | 
					                title = title.replace("columns", "column")
 | 
				
			||||||
        elif comment:
 | 
					        elif comment:
 | 
				
			||||||
            vector = "%s%s" % (vector, comment)
 | 
					            vector = "%s%s" % (vector, comment)
 | 
				
			||||||
        data += "    Type: %s\n" % (PAYLOAD.SQLINJECTION[stype] if "inline" not in title else "inline query")
 | 
					        data += "    Type: %s\n" % PAYLOAD.SQLINJECTION[stype]
 | 
				
			||||||
        data += "    Title: %s\n" % title
 | 
					        data += "    Title: %s\n" % title
 | 
				
			||||||
        data += "    Payload: %s\n" % agent.adjustLateValues(sdata.payload)
 | 
					        data += "    Payload: %s\n" % agent.adjustLateValues(sdata.payload)
 | 
				
			||||||
        data += "    Vector: %s\n\n" % vector if conf.verbose > 1 else "\n"
 | 
					        data += "    Vector: %s\n\n" % vector if conf.verbose > 1 else "\n"
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -21,7 +21,7 @@ _defaults =  {
 | 
				
			||||||
               "level":        1,
 | 
					               "level":        1,
 | 
				
			||||||
               "risk":         1,
 | 
					               "risk":         1,
 | 
				
			||||||
               "dumpFormat":   "CSV",
 | 
					               "dumpFormat":   "CSV",
 | 
				
			||||||
               "tech":         "BEUST",
 | 
					               "tech":         "BEUSTQ",
 | 
				
			||||||
               "torType":      "HTTP"
 | 
					               "torType":      "HTTP"
 | 
				
			||||||
             }
 | 
					             }
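Review bot: The new default `"tech": "BEUSTQ"` introduces a sixth technique letter, but nothing in this commit shows where 'Q' is mapped to `PAYLOAD.TECHNIQUE.QUERY` or where the allowed letters for `--technique` are validated; if that mapping lives in the option parser outside this diff it should be confirmed to accept 'Q', otherwise the default itself would be rejected at startup. A short comment next to the value would also help the next reader, e.g. `# Q = inline queries (see PAYLOAD.TECHNIQUE.QUERY)`.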
 | 
				
			||||||
 | 
					
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -177,7 +177,8 @@ class PAYLOAD:
 | 
				
			||||||
                     2: "error-based",
 | 
					                     2: "error-based",
 | 
				
			||||||
                     3: "UNION query",
 | 
					                     3: "UNION query",
 | 
				
			||||||
                     4: "stacked queries",
 | 
					                     4: "stacked queries",
 | 
				
			||||||
                     5: "AND/OR time-based blind"
 | 
					                     5: "AND/OR time-based blind",
 | 
				
			||||||
 | 
					                     6: "inline query"
 | 
				
			||||||
                   }
 | 
					                   }
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    PARAMETER = {
 | 
					    PARAMETER = {
 | 
				
			||||||
| 
						 | 
					@ -219,6 +220,7 @@ class PAYLOAD:
 | 
				
			||||||
        UNION = 3
 | 
					        UNION = 3
 | 
				
			||||||
        STACKED = 4
 | 
					        STACKED = 4
 | 
				
			||||||
        TIME = 5
 | 
					        TIME = 5
 | 
				
			||||||
 | 
					        QUERY = 6
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    class WHERE:
 | 
					    class WHERE:
 | 
				
			||||||
        ORIGINAL = 1
 | 
					        ORIGINAL = 1
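Review bot: The new `QUERY = 6` constant carries no hint that, unlike the other five, it has no retrieval engine of its own — the companion hunks in this commit route it through the error-based path by setting `kb.technique` before calling `errorUse()`, and the `SQLINJECTION` map above names it "inline query" rather than "query". A one-line comment would prevent someone adding a seventh technique from assuming each constant has its own use module: `QUERY = 6  # inline query (letter 'Q'); data retrieval reuses the error-based engine via kb.technique`. The enclosing `class PAYLOAD` starts and ends outside these hunks.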
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -105,7 +105,7 @@ def runThreads(numThreads, threadFunction, cleanupFunction=None, forwardExceptio
 | 
				
			||||||
    kb.threadContinue = True
 | 
					    kb.threadContinue = True
 | 
				
			||||||
    kb.threadException = False
 | 
					    kb.threadException = False
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    if threadChoice and numThreads == 1 and any(map(lambda x: x in kb.injection.data, [PAYLOAD.TECHNIQUE.BOOLEAN, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.UNION])):
 | 
					    if threadChoice and numThreads == 1 and any(map(lambda _: _ in kb.injection.data, (PAYLOAD.TECHNIQUE.BOOLEAN, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY, PAYLOAD.TECHNIQUE.UNION))):
 | 
				
			||||||
        while True:
 | 
					        while True:
 | 
				
			||||||
            message = "please enter number of threads? [Enter for %d (current)] " % numThreads
 | 
					            message = "please enter number of threads? [Enter for %d (current)] " % numThreads
 | 
				
			||||||
            choice = readInput(message, default=str(numThreads))
 | 
					            choice = readInput(message, default=str(numThreads))
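Review bot: The rewritten condition uses `any(map(lambda _: _ in kb.injection.data, (...)))`, while every other site this commit touches uses the generator form `any(isTechniqueAvailable(_) for _ in (...))`; the `map`+`lambda` is the odd one out and harder to read for no gain. Prefer `if threadChoice and numThreads == 1 and any(_ in kb.injection.data for _ in (PAYLOAD.TECHNIQUE.BOOLEAN, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY, PAYLOAD.TECHNIQUE.UNION)):`. The body of `runThreads` continues beyond this hunk.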
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -407,14 +407,14 @@ def getValue(expression, blind=True, union=True, error=True, time=True, fromUser
 | 
				
			||||||
                    count += 1
 | 
					                    count += 1
 | 
				
			||||||
                    found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
 | 
					                    found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
 | 
				
			||||||
 | 
					
 | 
				
			||||||
                if error and isTechniqueAvailable(PAYLOAD.TECHNIQUE.ERROR) and not found:
 | 
					                if error and any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) and not found:
 | 
				
			||||||
                    kb.technique = PAYLOAD.TECHNIQUE.ERROR
 | 
					                    kb.technique = PAYLOAD.TECHNIQUE.ERROR if isTechniqueAvailable(PAYLOAD.TECHNIQUE.ERROR) else PAYLOAD.TECHNIQUE.QUERY
 | 
				
			||||||
                    value = errorUse(forgeCaseExpression if expected == EXPECTED.BOOL else query, dump)
 | 
					                    value = errorUse(forgeCaseExpression if expected == EXPECTED.BOOL else query, dump)
 | 
				
			||||||
                    count += 1
 | 
					                    count += 1
 | 
				
			||||||
                    found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
 | 
					                    found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
 | 
				
			||||||
 | 
					
 | 
				
			||||||
                if found and conf.dnsName:
 | 
					                if found and conf.dnsName:
 | 
				
			||||||
                    _ = "".join(filter(None, (key if isTechniqueAvailable(value) else None for key, value in {"E":PAYLOAD.TECHNIQUE.ERROR, "U":PAYLOAD.TECHNIQUE.UNION}.items())))
 | 
					                    _ = "".join(filter(None, (key if isTechniqueAvailable(value) else None for key, value in {"E":PAYLOAD.TECHNIQUE.ERROR, "Q":PAYLOAD.TECHNIQUE.QUERY, "U":PAYLOAD.TECHNIQUE.UNION}.items())))
 | 
				
			||||||
                    warnMsg = "option '--dns-domain' will be ignored "
 | 
					                    warnMsg = "option '--dns-domain' will be ignored "
 | 
				
			||||||
                    warnMsg += "as faster techniques are usable "
 | 
					                    warnMsg += "as faster techniques are usable "
 | 
				
			||||||
                    warnMsg += "(%s) " % _
 | 
					                    warnMsg += "(%s) " % _
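Review bot: The new selection `kb.technique = PAYLOAD.TECHNIQUE.ERROR if isTechniqueAvailable(PAYLOAD.TECHNIQUE.ERROR) else PAYLOAD.TECHNIQUE.QUERY` always prefers the error-based vector when both are available and never retries with the inline-query vector if `errorUse()` returns nothing, yet `count` is still incremented only once, so the fallback to slower techniques happens without QUERY ever being tried. If that is intended, say so in a comment on the assignment (`# error-based wins over inline query; no second attempt with the other vector`); if not, the `else` branch should be tried on `value is None`. Note also that the `error` keyword of `getValue` (signature outside this hunk) now silently gates inline-query retrieval too, which callers passing `error=False` to skip only error-based will not expect — the docstring should mention it.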
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -209,7 +209,7 @@ class xp_cmdshell:
 | 
				
			||||||
 | 
					
 | 
				
			||||||
            query = "SELECT %s FROM %s" % (self.tblField, self.cmdTblName)
 | 
					            query = "SELECT %s FROM %s" % (self.tblField, self.cmdTblName)
 | 
				
			||||||
 | 
					
 | 
				
			||||||
            if conf.direct or any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR)):
 | 
					            if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
 | 
				
			||||||
                output = inject.getValue(query, resumeValue=False, blind=False, time=False)
 | 
					                output = inject.getValue(query, resumeValue=False, blind=False, time=False)
 | 
				
			||||||
            else:
 | 
					            else:
 | 
				
			||||||
                output = []
 | 
					                output = []
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -83,7 +83,7 @@ def __oneShotErrorUse(expression, field=None):
 | 
				
			||||||
                        nulledCastedField = queries[Backend.getIdentifiedDbms()].substring.query % (nulledCastedField, offset, chunk_length)
 | 
					                        nulledCastedField = queries[Backend.getIdentifiedDbms()].substring.query % (nulledCastedField, offset, chunk_length)
 | 
				
			||||||
 | 
					
 | 
				
			||||||
                # Forge the error-based SQL injection request
 | 
					                # Forge the error-based SQL injection request
 | 
				
			||||||
                vector = kb.injection.data[PAYLOAD.TECHNIQUE.ERROR].vector
 | 
					                vector = kb.injection.data[kb.technique].vector
 | 
				
			||||||
                query = agent.prefixQuery(vector)
 | 
					                query = agent.prefixQuery(vector)
 | 
				
			||||||
                query = agent.suffixQuery(query)
 | 
					                query = agent.suffixQuery(query)
 | 
				
			||||||
                injExpression = expression.replace(field, nulledCastedField, 1) if field else expression
 | 
					                injExpression = expression.replace(field, nulledCastedField, 1) if field else expression
 | 
				
			||||||
| 
						 | 
					@ -94,7 +94,7 @@ def __oneShotErrorUse(expression, field=None):
 | 
				
			||||||
                # Perform the request
 | 
					                # Perform the request
 | 
				
			||||||
                page, headers = Request.queryPage(payload, content=True)
 | 
					                page, headers = Request.queryPage(payload, content=True)
 | 
				
			||||||
 | 
					
 | 
				
			||||||
                incrementCounter(PAYLOAD.TECHNIQUE.ERROR)
 | 
					                incrementCounter(kb.technique)
 | 
				
			||||||
 | 
					
 | 
				
			||||||
                # Parse the returned page to get the exact error-based
 | 
					                # Parse the returned page to get the exact error-based
 | 
				
			||||||
                # SQL injection output
 | 
					                # SQL injection output
 | 
				
			||||||
| 
						 | 
					@ -227,7 +227,7 @@ def errorUse(expression, dump=False):
 | 
				
			||||||
    SQL injection vulnerability on the affected parameter.
 | 
					    SQL injection vulnerability on the affected parameter.
 | 
				
			||||||
    """
 | 
					    """
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    initTechnique(PAYLOAD.TECHNIQUE.ERROR)
 | 
					    initTechnique(kb.technique)
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    abortedFlag = False
 | 
					    abortedFlag = False
 | 
				
			||||||
    count = None
 | 
					    count = None
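Review bot: `errorUse()` now calls `initTechnique(kb.technique)` (and, in the earlier hunks, indexes `kb.injection.data[kb.technique]` and `incrementCounter(kb.technique)`) instead of the fixed ERROR constant, so its correctness depends on the caller having set `kb.technique` to ERROR or QUERY beforehand; `getValue` does this, but any other caller will run with whatever technique was last active and either hit a `KeyError` or use a union/time vector as if it were error-based. A guard at the top of the function would make the contract explicit, e.g. `if kb.technique not in (PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY): kb.technique = PAYLOAD.TECHNIQUE.ERROR`, or an explicit error if that is preferred over a silent default. The docstring just above, which still says the function exploits an "error-based SQL injection vulnerability", should also state that it serves the inline-query technique and reads `kb.technique` to choose the vector.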
 | 
				
			||||||
| 
						 | 
					@ -416,7 +416,7 @@ def errorUse(expression, dump=False):
 | 
				
			||||||
    duration = calculateDeltaSeconds(start)
 | 
					    duration = calculateDeltaSeconds(start)
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    if not kb.bruteMode:
 | 
					    if not kb.bruteMode:
 | 
				
			||||||
        debugMsg = "performed %d queries in %d seconds" % (kb.counters[PAYLOAD.TECHNIQUE.ERROR], duration)
 | 
					        debugMsg = "performed %d queries in %d seconds" % (kb.counters[kb.technique], duration)
 | 
				
			||||||
        logger.debug(debugMsg)
 | 
					        logger.debug(debugMsg)
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    return outputs
 | 
					    return outputs
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -86,7 +86,7 @@ class Enumeration(GenericEnumeration):
 | 
				
			||||||
 | 
					
 | 
				
			||||||
        rootQuery = queries[Backend.getIdentifiedDbms()].tables
 | 
					        rootQuery = queries[Backend.getIdentifiedDbms()].tables
 | 
				
			||||||
 | 
					
 | 
				
			||||||
        if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR)) or conf.direct:
 | 
					        if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
 | 
				
			||||||
            for db in dbs:
 | 
					            for db in dbs:
 | 
				
			||||||
                if conf.excludeSysDbs and db in self.excludeDbsList:
 | 
					                if conf.excludeSysDbs and db in self.excludeDbsList:
 | 
				
			||||||
                    infoMsg = "skipping system database '%s'" % db
 | 
					                    infoMsg = "skipping system database '%s'" % db
 | 
				
			||||||
| 
						 | 
					@ -196,7 +196,7 @@ class Enumeration(GenericEnumeration):
 | 
				
			||||||
 | 
					
 | 
				
			||||||
                    continue
 | 
					                    continue
 | 
				
			||||||
 | 
					
 | 
				
			||||||
                if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR)) or conf.direct:
 | 
					                if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
 | 
				
			||||||
                    query = rootQuery.inband.query.replace("%s", db)
 | 
					                    query = rootQuery.inband.query.replace("%s", db)
 | 
				
			||||||
                    query += tblQuery
 | 
					                    query += tblQuery
 | 
				
			||||||
                    values = inject.getValue(query, blind=False, time=False)
 | 
					                    values = inject.getValue(query, blind=False, time=False)
 | 
				
			||||||
| 
						 | 
					@ -317,7 +317,7 @@ class Enumeration(GenericEnumeration):
 | 
				
			||||||
                if conf.excludeSysDbs and db in self.excludeDbsList:
 | 
					                if conf.excludeSysDbs and db in self.excludeDbsList:
 | 
				
			||||||
                    continue
 | 
					                    continue
 | 
				
			||||||
 | 
					
 | 
				
			||||||
                if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR)) or conf.direct:
 | 
					                if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
 | 
				
			||||||
                    query = rootQuery.inband.query % (db, db, db, db, db, db)
 | 
					                    query = rootQuery.inband.query % (db, db, db, db, db, db)
 | 
				
			||||||
                    query += " AND %s" % colQuery.replace("[DB]", db)
 | 
					                    query += " AND %s" % colQuery.replace("[DB]", db)
 | 
				
			||||||
                    query += whereTblsQuery.replace("[DB]", db)
 | 
					                    query += whereTblsQuery.replace("[DB]", db)
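Review bot: The predicate `any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct` is now copy-pasted into three hunks here and into every other enumeration plugin in this commit; the next technique added will require touching all of them again, and one missed site silently falls back to blind retrieval. A single helper next to `isTechniqueAvailable` would remove the duplication: `def isInbandTechniqueAvailable():` / `return conf.direct or any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY))`, with each call site reduced to `if isInbandTechniqueAvailable():`. The enclosing methods of `Enumeration` start and end outside these hunks.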
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -41,7 +41,7 @@ class Enumeration(GenericEnumeration):
 | 
				
			||||||
        # Set containing the list of DBMS administrators
 | 
					        # Set containing the list of DBMS administrators
 | 
				
			||||||
        areAdmins = set()
 | 
					        areAdmins = set()
 | 
				
			||||||
 | 
					
 | 
				
			||||||
        if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR)) or conf.direct:
 | 
					        if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
 | 
				
			||||||
            if query2:
 | 
					            if query2:
 | 
				
			||||||
                query = rootQuery.inband.query2
 | 
					                query = rootQuery.inband.query2
 | 
				
			||||||
                condition = rootQuery.inband.condition2
 | 
					                condition = rootQuery.inband.condition2
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -36,7 +36,7 @@ class Enumeration(GenericEnumeration):
 | 
				
			||||||
        randStr = randomStr()
 | 
					        randStr = randomStr()
 | 
				
			||||||
        query = rootQuery.inband.query
 | 
					        query = rootQuery.inband.query
 | 
				
			||||||
 | 
					
 | 
				
			||||||
        if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR)) or conf.direct:
 | 
					        if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
 | 
				
			||||||
            blinds = (False, True)
 | 
					            blinds = (False, True)
 | 
				
			||||||
        else:
 | 
					        else:
 | 
				
			||||||
            blinds = (True,)
 | 
					            blinds = (True,)
 | 
				
			||||||
| 
						 | 
					@ -90,7 +90,7 @@ class Enumeration(GenericEnumeration):
 | 
				
			||||||
        randStr = randomStr()
 | 
					        randStr = randomStr()
 | 
				
			||||||
        query = rootQuery.inband.query
 | 
					        query = rootQuery.inband.query
 | 
				
			||||||
 | 
					
 | 
				
			||||||
        if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR)) or conf.direct:
 | 
					        if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
 | 
				
			||||||
            blinds = [False, True]
 | 
					            blinds = [False, True]
 | 
				
			||||||
        else:
 | 
					        else:
 | 
				
			||||||
            blinds = [True]
 | 
					            blinds = [True]
 | 
				
			||||||
| 
						 | 
					@ -130,7 +130,7 @@ class Enumeration(GenericEnumeration):
 | 
				
			||||||
        infoMsg += "%s: %s" % ("s" if len(dbs) > 1 else "", ", ".join(db if isinstance(db, basestring) else db[0] for db in sorted(dbs)))
 | 
					        infoMsg += "%s: %s" % ("s" if len(dbs) > 1 else "", ", ".join(db if isinstance(db, basestring) else db[0] for db in sorted(dbs)))
 | 
				
			||||||
        logger.info(infoMsg)
 | 
					        logger.info(infoMsg)
 | 
				
			||||||
 | 
					
 | 
				
			||||||
        if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR)) or conf.direct:
 | 
					        if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
 | 
				
			||||||
            blinds = [False, True]
 | 
					            blinds = [False, True]
 | 
				
			||||||
        else:
 | 
					        else:
 | 
				
			||||||
            blinds = [True]
 | 
					            blinds = [True]
 | 
				
			||||||
| 
						 | 
					@ -204,7 +204,7 @@ class Enumeration(GenericEnumeration):
 | 
				
			||||||
 | 
					
 | 
				
			||||||
        rootQuery = queries[Backend.getIdentifiedDbms()].columns
 | 
					        rootQuery = queries[Backend.getIdentifiedDbms()].columns
 | 
				
			||||||
 | 
					
 | 
				
			||||||
        if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR)) or conf.direct:
 | 
					        if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
 | 
				
			||||||
            blinds = [False, True]
 | 
					            blinds = [False, True]
 | 
				
			||||||
        else:
 | 
					        else:
 | 
				
			||||||
            blinds = [True]
 | 
					            blinds = [True]
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -98,7 +98,7 @@ class Databases:
 | 
				
			||||||
 | 
					
 | 
				
			||||||
        rootQuery = queries[Backend.getIdentifiedDbms()].dbs
 | 
					        rootQuery = queries[Backend.getIdentifiedDbms()].dbs
 | 
				
			||||||
 | 
					
 | 
				
			||||||
        if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR)) or conf.direct:
 | 
					        if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
 | 
				
			||||||
            if Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema:
 | 
					            if Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema:
 | 
				
			||||||
                query = rootQuery.inband.query2
 | 
					                query = rootQuery.inband.query2
 | 
				
			||||||
            else:
 | 
					            else:
 | 
				
			||||||
| 
						 | 
					@ -138,7 +138,7 @@ class Databases:
 | 
				
			||||||
                        kb.data.cachedDbs.append(safeSQLIdentificatorNaming(db))
 | 
					                        kb.data.cachedDbs.append(safeSQLIdentificatorNaming(db))
 | 
				
			||||||
 | 
					
 | 
				
			||||||
        if not kb.data.cachedDbs and Backend.isDbms(DBMS.MSSQL):
 | 
					        if not kb.data.cachedDbs and Backend.isDbms(DBMS.MSSQL):
 | 
				
			||||||
            if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR)) or conf.direct:
 | 
					            if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
 | 
				
			||||||
                blinds = (False, True)
 | 
					                blinds = (False, True)
 | 
				
			||||||
            else:
 | 
					            else:
 | 
				
			||||||
                blinds = (True,)
 | 
					                blinds = (True,)
 | 
				
			||||||
| 
						 | 
					@ -249,7 +249,7 @@ class Databases:
 | 
				
			||||||
 | 
					
 | 
				
			||||||
        rootQuery = queries[Backend.getIdentifiedDbms()].tables
 | 
					        rootQuery = queries[Backend.getIdentifiedDbms()].tables
 | 
				
			||||||
 | 
					
 | 
				
			||||||
        if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR)) or conf.direct:
 | 
					        if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
 | 
				
			||||||
            query = rootQuery.inband.query
 | 
					            query = rootQuery.inband.query
 | 
				
			||||||
            condition = rootQuery.inband.condition if 'condition' in rootQuery.inband else None
 | 
					            condition = rootQuery.inband.condition if 'condition' in rootQuery.inband else None
 | 
				
			||||||
 | 
					
 | 
				
			||||||
| 
						 | 
					@ -473,7 +473,7 @@ class Databases:
 | 
				
			||||||
        rootQuery = queries[Backend.getIdentifiedDbms()].columns
 | 
					        rootQuery = queries[Backend.getIdentifiedDbms()].columns
 | 
				
			||||||
        condition = rootQuery.blind.condition if 'condition' in rootQuery.blind else None
 | 
					        condition = rootQuery.blind.condition if 'condition' in rootQuery.blind else None
 | 
				
			||||||
 | 
					
 | 
				
			||||||
        if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR)) or conf.direct:
 | 
					        if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
 | 
				
			||||||
            for tbl in tblList:
 | 
					            for tbl in tblList:
 | 
				
			||||||
                if conf.db is not None and len(kb.data.cachedColumns) > 0 \
 | 
					                if conf.db is not None and len(kb.data.cachedColumns) > 0 \
 | 
				
			||||||
                   and conf.db in kb.data.cachedColumns and tbl in \
 | 
					                   and conf.db in kb.data.cachedColumns and tbl in \
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -134,7 +134,7 @@ class Entries:
 | 
				
			||||||
 | 
					
 | 
				
			||||||
                entriesCount = 0
 | 
					                entriesCount = 0
 | 
				
			||||||
 | 
					
 | 
				
			||||||
                if any([isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION), isTechniqueAvailable(PAYLOAD.TECHNIQUE.ERROR), conf.direct]):
 | 
					                if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
 | 
				
			||||||
                    entries = []
 | 
					                    entries = []
 | 
				
			||||||
                    query = None
 | 
					                    query = None
 | 
				
			||||||
 | 
					
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -74,7 +74,7 @@ class Search:
 | 
				
			||||||
            dbQuery = "%s%s" % (dbCond, dbCondParam)
 | 
					            dbQuery = "%s%s" % (dbCond, dbCondParam)
 | 
				
			||||||
            dbQuery = dbQuery % unsafeSQLIdentificatorNaming(db)
 | 
					            dbQuery = dbQuery % unsafeSQLIdentificatorNaming(db)
 | 
				
			||||||
 | 
					
 | 
				
			||||||
            if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR)) or conf.direct:
 | 
					            if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
 | 
				
			||||||
                if Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema:
 | 
					                if Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema:
 | 
				
			||||||
                    query = rootQuery.inband.query2
 | 
					                    query = rootQuery.inband.query2
 | 
				
			||||||
                else:
 | 
					                else:
 | 
				
			||||||
| 
						 | 
					@ -186,7 +186,7 @@ class Search:
 | 
				
			||||||
            tblQuery = "%s%s" % (tblCond, tblCondParam)
 | 
					            tblQuery = "%s%s" % (tblCond, tblCondParam)
 | 
				
			||||||
            tblQuery = tblQuery % tbl
 | 
					            tblQuery = tblQuery % tbl
 | 
				
			||||||
 | 
					
 | 
				
			||||||
            if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR)) or conf.direct:
 | 
					            if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
 | 
				
			||||||
                query = rootQuery.inband.query
 | 
					                query = rootQuery.inband.query
 | 
				
			||||||
                query += tblQuery
 | 
					                query += tblQuery
 | 
				
			||||||
                query += whereDbsQuery
 | 
					                query += whereDbsQuery
 | 
				
			||||||
| 
						 | 
					@ -370,7 +370,7 @@ class Search:
 | 
				
			||||||
            colQuery = "%s%s" % (colCond, colCondParam)
 | 
					            colQuery = "%s%s" % (colCond, colCondParam)
 | 
				
			||||||
            colQuery = colQuery % unsafeSQLIdentificatorNaming(column)
 | 
					            colQuery = colQuery % unsafeSQLIdentificatorNaming(column)
 | 
				
			||||||
 | 
					
 | 
				
			||||||
            if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR)) or conf.direct:
 | 
					            if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
 | 
				
			||||||
                if not all((conf.db, conf.tbl)):
 | 
					                if not all((conf.db, conf.tbl)):
 | 
				
			||||||
                    # Enumerate tables containing the column provided if
 | 
					                    # Enumerate tables containing the column provided if
 | 
				
			||||||
                    # either of database(s) or table(s) is not provided
 | 
					                    # either of database(s) or table(s) is not provided
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -93,7 +93,7 @@ class Users:
 | 
				
			||||||
        condition = (Backend.isDbms(DBMS.MSSQL) and Backend.isVersionWithin(("2005", "2008")))
 | 
					        condition = (Backend.isDbms(DBMS.MSSQL) and Backend.isVersionWithin(("2005", "2008")))
 | 
				
			||||||
        condition |= (Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema)
 | 
					        condition |= (Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema)
 | 
				
			||||||
 | 
					
 | 
				
			||||||
        if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR)) or conf.direct:
 | 
					        if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
 | 
				
			||||||
            if condition:
 | 
					            if condition:
 | 
				
			||||||
                query = rootQuery.inband.query2
 | 
					                query = rootQuery.inband.query2
 | 
				
			||||||
            else:
 | 
					            else:
 | 
				
			||||||
| 
						 | 
					@ -167,7 +167,7 @@ class Users:
 | 
				
			||||||
 | 
					
 | 
				
			||||||
        users = filter(None, users)
 | 
					        users = filter(None, users)
 | 
				
			||||||
 | 
					
 | 
				
			||||||
        if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR)) or conf.direct:
 | 
					        if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
 | 
				
			||||||
            if Backend.isDbms(DBMS.MSSQL) and Backend.isVersionWithin(("2005", "2008")):
 | 
					            if Backend.isDbms(DBMS.MSSQL) and Backend.isVersionWithin(("2005", "2008")):
 | 
				
			||||||
                query = rootQuery.inband.query2
 | 
					                query = rootQuery.inband.query2
 | 
				
			||||||
            else:
 | 
					            else:
 | 
				
			||||||
| 
						 | 
					@ -347,7 +347,7 @@ class Users:
 | 
				
			||||||
        # Set containing the list of DBMS administrators
 | 
					        # Set containing the list of DBMS administrators
 | 
				
			||||||
        areAdmins = set()
 | 
					        areAdmins = set()
 | 
				
			||||||
 | 
					
 | 
				
			||||||
        if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR)) or conf.direct:
 | 
					        if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
 | 
				
			||||||
            if Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema:
 | 
					            if Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema:
 | 
				
			||||||
                query = rootQuery.inband.query2
 | 
					                query = rootQuery.inband.query2
 | 
				
			||||||
                condition = rootQuery.inband.condition2
 | 
					                condition = rootQuery.inband.condition2
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -288,8 +288,8 @@ titles = False
 | 
				
			||||||
# T: Time-based blind SQL injection
 | 
					# T: Time-based blind SQL injection
 | 
				
			||||||
# Example: ES (means test for error-based and stacked queries SQL
 | 
					# Example: ES (means test for error-based and stacked queries SQL
 | 
				
			||||||
# injection types only)
 | 
					# injection types only)
 | 
				
			||||||
# Default: BEUST (means test for all SQL injection types - recommended)
 | 
					# Default: BEUSTQ (means test for all SQL injection types - recommended)
 | 
				
			||||||
tech = BEUST
 | 
					tech = BEUSTQ
 | 
				
			||||||
 | 
					
 | 
				
			||||||
# Seconds to delay the response from the DBMS.
 | 
					# Seconds to delay the response from the DBMS.
 | 
				
			||||||
# Valid: integer
 | 
					# Valid: integer
 | 
				
			||||||
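Review bot: The new default `tech = BEUSTQ` introduces the letter Q, but the legend visible in this hunk ends at `# T: Time-based blind SQL injection`, so a reader of the template cannot tell what Q selects unless the lines above the hunk already define it. If they do not, add `# Q: Inline queries SQL injection` to the legend so the default value is self-describing, and consider extending the `# Example: ES (...)` sentence or the `# Default: BEUSTQ (...)` line to mention that Q is the newly added technique letter. The enclosing comment block starts outside the hunk.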
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -73,10 +73,11 @@ Tag: <test>
 | 
				
			||||||
        Valid values:
 | 
					        Valid values:
 | 
				
			||||||
            0: Heuristic check to parse response errors
 | 
					            0: Heuristic check to parse response errors
 | 
				
			||||||
            1: Boolean-based blind SQL injection
 | 
					            1: Boolean-based blind SQL injection
 | 
				
			||||||
            2: Error-based/Inline queries SQL injection
 | 
					            2: Error-based queries SQL injection
 | 
				
			||||||
            3: UNION query SQL injection
 | 
					            3: UNION query SQL injection
 | 
				
			||||||
            4: Stacked queries SQL injection
 | 
					            4: Stacked queries SQL injection
 | 
				
			||||||
            5: Time-based blind SQL injection
 | 
					            5: Time-based blind SQL injection
 | 
				
			||||||
 | 
					            6: Inline queries SQL injection
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    Sub-tag: <level>
 | 
					    Sub-tag: <level>
 | 
				
			||||||
        From which level check for this test.
 | 
					        From which level check for this test.
 | 
				
			||||||
| 
						 | 
					@ -1883,8 +1884,8 @@ Formats:
 | 
				
			||||||
    <!-- Inline queries tests -->
 | 
					    <!-- Inline queries tests -->
 | 
				
			||||||
    <test>
 | 
					    <test>
 | 
				
			||||||
        <title>MySQL inline queries</title>
 | 
					        <title>MySQL inline queries</title>
 | 
				
			||||||
        <stype>2</stype>
 | 
					        <stype>6</stype>
 | 
				
			||||||
        <level>5</level>
 | 
					        <level>2</level>
 | 
				
			||||||
        <risk>1</risk>
 | 
					        <risk>1</risk>
 | 
				
			||||||
        <clause>1,2,3,8</clause>
 | 
					        <clause>1,2,3,8</clause>
 | 
				
			||||||
        <where>3</where>
 | 
					        <where>3</where>
 | 
				
			||||||
| 
						 | 
					@ -1902,8 +1903,8 @@ Formats:
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    <test>
 | 
					    <test>
 | 
				
			||||||
        <title>PostgreSQL inline queries</title>
 | 
					        <title>PostgreSQL inline queries</title>
 | 
				
			||||||
        <stype>2</stype>
 | 
					        <stype>6</stype>
 | 
				
			||||||
        <level>5</level>
 | 
					        <level>2</level>
 | 
				
			||||||
        <risk>1</risk>
 | 
					        <risk>1</risk>
 | 
				
			||||||
        <clause>1,2,3,8</clause>
 | 
					        <clause>1,2,3,8</clause>
 | 
				
			||||||
        <where>3</where>
 | 
					        <where>3</where>
 | 
				
			||||||
| 
						 | 
					@ -1921,8 +1922,8 @@ Formats:
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    <test>
 | 
					    <test>
 | 
				
			||||||
        <title>Microsoft SQL Server/Sybase inline queries</title>
 | 
					        <title>Microsoft SQL Server/Sybase inline queries</title>
 | 
				
			||||||
        <stype>2</stype>
 | 
					        <stype>6</stype>
 | 
				
			||||||
        <level>5</level>
 | 
					        <level>2</level>
 | 
				
			||||||
        <risk>1</risk>
 | 
					        <risk>1</risk>
 | 
				
			||||||
        <clause>1,2,3,8</clause>
 | 
					        <clause>1,2,3,8</clause>
 | 
				
			||||||
        <where>3</where>
 | 
					        <where>3</where>
 | 
				
			||||||
| 
						 | 
					@ -1942,8 +1943,8 @@ Formats:
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    <test>
 | 
					    <test>
 | 
				
			||||||
        <title>Oracle inline queries</title>
 | 
					        <title>Oracle inline queries</title>
 | 
				
			||||||
        <stype>2</stype>
 | 
					        <stype>6</stype>
 | 
				
			||||||
        <level>5</level>
 | 
					        <level>2</level>
 | 
				
			||||||
        <risk>1</risk>
 | 
					        <risk>1</risk>
 | 
				
			||||||
        <clause>1,2,3,8</clause>
 | 
					        <clause>1,2,3,8</clause>
 | 
				
			||||||
        <where>3</where>
 | 
					        <where>3</where>
 | 
				
			||||||
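Review bot: The `<level>` of all four inline-queries tests drops from 5 to 2 alongside the `<stype>` change to 6, which means these payloads are now tried from a much lower `--level` than before, yet the commit message ("Update for an Issue #278") does not say why the level changed and nothing in the hunks ties the two edits together. Since `<stype>` is only a classification while `<level>` is documented in this same commit as "From which level check for this test", the level change is the behaviorally significant part and deserves a recorded rationale. A comment at the `<!-- Inline queries tests -->` line of the first hunk, such as `<!-- Inline queries tests (stype 6; level lowered 5 -> 2, see issue #278) -->`, would do. The same pair of changes repeats in the PostgreSQL, Microsoft SQL Server/Sybase and Oracle hunks.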
| 
						 | 
					
 | 
				
			||||||