From 7e8ac16245adff0090bef2903af566be5e4a20ab Mon Sep 17 00:00:00 2001
From: Bernardo Damele
Date: Fri, 19 Dec 2008 20:48:33 +0000
Subject: [PATCH] Added preventive check for stacked queries support when executing DDL, DML & co. statements in SQL query and SQL shell. Minor improvements on this new feature. Increased default connection timeout to 30 seconds (needed for vmware machine not correctly synched).
---
 doc/ChangeLog | 4 +++
 lib/core/option.py | 2 +-
 lib/parse/cmdline.py | 2 +-
 plugins/generic/enumeration.py | 45 +++++++++++++++++++++++-----------
 sqlmap.conf | 4 +--
 5 files changed, 39 insertions(+), 18 deletions(-)
diff --git a/doc/ChangeLog b/doc/ChangeLog
index ab7c2d10f..463543992 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -2,6 +2,10 @@ sqlmap (0.6.4-1) stable; urgency=low
 * Major improvement to the comparison algorithm to make it work also if the page content changes at each refresh; (work in progress)
+ * Major enhancement to support SQL data definition statements, SQL data
+ manipulation statements, etc from user in SQL query and SQL shell if
+ stacked queries are supported by the web application technology in
+ use;
 * Minor enhancement to support an option (--is-dba) to show if the current user is a database management system administrator;
 * Added support internally to forge CASE statements, used only by
diff --git a/lib/core/option.py b/lib/core/option.py
index c1989968e..c2d79cd0b 100644
--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -522,7 +522,7 @@ def __setHTTPTimeout():
 conf.timeout = 3.0
 else:
- conf.timeout = 10.0
+ conf.timeout = 30.0
 socket.setdefaulttimeout(conf.timeout)
diff --git a/lib/parse/cmdline.py b/lib/parse/cmdline.py
index 857a8500c..f3349f130 100644
--- a/lib/parse/cmdline.py
+++ b/lib/parse/cmdline.py
@@ -109,7 +109,7 @@ def cmdLineParser():
 request.add_option("--timeout", dest="timeout", type="float",
 help="Seconds to wait before timeout connection "
- "(default 10)")
+ "(default 30)")
 # Injection options
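Review bot: The 30-second default now lives in three places at once — the assignment in __setHTTPTimeout here, the `--timeout` help string in the lib/parse/cmdline.py hunk and `timeout = 30` in the sqlmap.conf hunk — so the next change has to touch all three or the help text drifts from the real behaviour. A single named default referenced from all of them would remove that risk, e.g. `conf.timeout = DEFAULT_TIMEOUT` here and `"(default %d)" % DEFAULT_TIMEOUT` in the help string (DEFAULT_TIMEOUT being a constant you would add). The commit message gives the reason for the increase as an unsynchronised VMware test machine; because `socket.setdefaulttimeout(conf.timeout)` applies the value to every connection the tool opens, a one-line comment next to the assignment recording that rationale would let a later maintainer judge whether 30 is still warranted. __setHTTPTimeout begins above the hunk.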
diff --git a/plugins/generic/enumeration.py b/plugins/generic/enumeration.py
index be4c056ce..7e73bce4b 100644
--- a/plugins/generic/enumeration.py
+++ b/plugins/generic/enumeration.py
@@ -45,6 +45,7 @@ from lib.core.unescaper import unescaper
 from lib.parse.banner import bannerParser
 from lib.request import inject
 from lib.request.connect import Connect as Request
+from lib.techniques.outband.stacked import stackedTest
 class Enumeration:
@@ -1053,24 +1054,36 @@ class Enumeration:
 break
- if sqlType:
+ if selectQuery == True:
 infoMsg = "fetching %s query output: '%s'" % (sqlType, query)
- else:
- infoMsg = "fetching SQL query output: '%s'" % query
+ logger.info(infoMsg)
- logger.info(infoMsg)
-
- if selectQuery == False:
- # TODO: test if stacked queries are supported by the web
- # application before injecting
- inject.goStacked(query)
- else:
 output = inject.getValue(query, fromUser=True)
-
- if output == "Quit":
- return None
 else:
- return output
+ if kb.stackedTest == None:
+ stackedTest()
+
+ if kb.stackedTest == False:
+ warnMsg = "the web application does not support "
+ warnMsg += "stacked queries"
+ logger.warn(warnMsg)
+
+ return None
+ else:
+ if sqlType:
+ infoMsg = "executing %s query: '%s'" % (sqlType, query)
+ else:
+ infoMsg = "executing unknown SQL type query: '%s'" % query
+ logger.info(infoMsg)
+
+ inject.goStacked(query)
+
+ infoMsg = "done"
+ logger.info(infoMsg)
+
+ output = False
+
+ return output
 def sqlShell(self):
@@ -1105,5 +1118,9 @@ class Enumeration:
 if output and output != "Quit":
 dumper.string(query, output)
+
+ elif output == False:
+ pass
+
+ elif output != "Quit":
 print "No output"
diff --git a/sqlmap.conf b/sqlmap.conf
index 47d07cef3..9b350dd0f 100644
--- a/sqlmap.conf
+++ b/sqlmap.conf
@@ -79,8 +79,8 @@ delay = 0
 # Seconds to wait before timeout connection.
 # Valid: float
-# Default: 10
-timeout = 10
+# Default: 30
+timeout = 30
 [Injection]
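Review bot: The new stacked-queries guard in the else branch of the @@ -1053 hunk only refuses when `kb.stackedTest == False`, so if `stackedTest()` ever returns without deciding (leaving `kb.stackedTest` at None) the code drops into the inner else and still calls `inject.goStacked(query)`; presumably stackedTest always sets the flag, but the guard should fail closed: `if kb.stackedTest is not True:` with the warning, and the execution path only under the else. The three comparisons `if selectQuery == True:`, `if kb.stackedTest == None:` and `if kb.stackedTest == False:` test singletons with `==`; the idiomatic forms are `if selectQuery:`, `if kb.stackedTest is None:` and an identity or truth check for the last. The method enclosing this hunk begins above it, and the `output = False` it now returns deserves a one-line comment because sqlShell keys off exactly that distinction, e.g. `# False: statement ran via stacked queries, nothing to fetch; None: stacked queries unsupported`.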
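Review bot: In the @@ -1105 hunk the new `elif output == False: pass` branch does not catch a None result — the value the refusal path returns after it has already logged its warning — so None is neither `== False` nor equal to "Quit" and falls into the last branch, printing "No output" on top of the warning; `elif output is None or output is False: pass` would keep the two signals distinct. `output == False` also matches any value that compares equal to False, such as 0, so `is False` is the safer test for a sentinel. The enclosing method (presumably sqlShell, from the context line in the previous hunk) starts above this hunk, so how the loop consumes the value is not visible here.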