adding WHERE enum for payloads

This commit is contained in:
Miroslav Stampar 2011-02-02 13:34:09 +00:00
parent d6c9515f78
commit 8134c2154a
6 changed files with 22 additions and 16 deletions


@ -253,15 +253,15 @@ def checkSqlInjection(place, parameter, value):
# Threat the parameter original value according to the
# test's <where> tag
if where == 1:
if where == PAYLOAD.WHERE.ORIGINAL:
origValue = value
elif where == 2:
elif where == PAYLOAD.WHERE.NEGATIVE:
# Use different page template than the original
# one as we are changing parameters value, which
# will likely result in a different content
origValue = "-%s" % randomInt()
templatePayload = agent.payload(place, parameter, newValue=origValue, where=where)
elif where == 3:
elif where == PAYLOAD.WHERE.REPLACE:
origValue = ""
kb.pageTemplate, kb.errorIsNone = getPageTemplate(templatePayload, place)
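Review bot: The comment above the new `PAYLOAD.WHERE.ORIGINAL` branch still reads "Threat the parameter original value" and should read `# Treat the parameter original value according to the test's <where> tag`. Now that `where` is drawn from a named closed set, the `if/elif/elif` chain has no `else`, so a `<where>` value outside ORIGINAL/NEGATIVE/REPLACE falls straight through to `getPageTemplate(templatePayload, place)`; whether `origValue` and `templatePayload` are initialised earlier cannot be seen here, since checkSqlInjection starts outside the hunk. An `else` branch that raises on an unknown `where` value would make a malformed payload definition fail loudly instead of silently continuing with whatever those names hold.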


@ -80,14 +80,14 @@ class Agent:
origValue = origValue[origValue.rfind('/') + 1:]
if value is None:
if where == 1:
if where == PAYLOAD.WHERE.ORIGINAL:
value = origValue
elif where == 2:
elif where == PAYLOAD.WHERE.NEGATIVE:
if newValue.startswith("-"):
value = ""
else:
value = "-%s" % randomInt()
elif where == 3:
elif where == PAYLOAD.WHERE.REPLACE:
value = ""
else:
value = origValue
@ -144,7 +144,7 @@ class Agent:
# If we are replacing (<where>) the parameter original value with
# our payload do not prepend with the prefix
if where == 3:
if where == PAYLOAD.WHERE.REPLACE:
query = ""
# If the technique is stacked queries (<stype>) do not put a space
@ -185,7 +185,7 @@ class Agent:
# If we are replacing (<where>) the parameter original value with
# our payload do not append the suffix
if where == 3:
if where == PAYLOAD.WHERE.REPLACE:
pass
elif kb.injection.suffix is not None:
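Review bot: The `where` parameter of Agent.payload accepts `None` as well as the three `PAYLOAD.WHERE` members — the trailing `else: value = origValue` of the first chain is what catches it — but nothing in the hunk says so, and the method's signature and docstring start outside the hunk. Please document there that `where` is a `PAYLOAD.WHERE` member and that `None` is treated like ORIGINAL for the value substitution, e.g. `where: a PAYLOAD.WHERE member; None behaves as ORIGINAL`. The two later hunks only special-case `PAYLOAD.WHERE.REPLACE` for the prefix and suffix, so as far as these lines show `None` and ORIGINAL behave the same there too.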


@ -115,3 +115,8 @@ class PAYLOAD:
UNION = 3
STACKED = 4
TIME = 5
class WHERE:
ORIGINAL = 1
NEGATIVE = 2
REPLACE = 3
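Review bot: The new `WHERE` members carry no explanation of what each placement means, and the meaning is only recoverable by reading the callers. Comments next to the members would fix that: `ORIGINAL = 1  # keep the parameter's original value`, `NEGATIVE = 2  # substitute "-<random int>" so the page content is expected to differ`, `REPLACE = 3  # drop the original value; no prefix or suffix is applied`. The numeric values presumably have to stay in step with the literal values still carried by the `<where>` tags of the payload definitions (checks.py compares the tag's value against these members), so a note that they must not be renumbered would be worth adding as well.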


@ -31,6 +31,7 @@ from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import paths
from lib.core.enums import PAYLOAD
from lib.core.exception import sqlmapUnsupportedDBMSException
from lib.core.shell import autoCompletion
from lib.request.connect import Connect as Request
@ -108,7 +109,7 @@ class Web:
if isTechniqueAvailable(kb.technique):
where = kb.injection.data[kb.technique].where
if where == 2:
if where == PAYLOAD.WHERE.NEGATIVE:
randInt = randomInt()
query += "OR %d=%d " % (randInt, randInt)


@ -37,7 +37,7 @@ from lib.parse.html import htmlParser
from lib.request.comparison import comparison
from lib.request.connect import Connect as Request
def __findUnionCharCount(comment, place, parameter, value, prefix, suffix, where=1):
def __findUnionCharCount(comment, place, parameter, value, prefix, suffix, where=PAYLOAD.WHERE.ORIGINAL):
"""
Finds number of columns affected by UNION based injection
"""
@ -83,7 +83,7 @@ def __findUnionCharCount(comment, place, parameter, value, prefix, suffix, where
return retVal
def __unionPosition(comment, place, parameter, value, prefix, suffix, count, where=1):
def __unionPosition(comment, place, parameter, value, prefix, suffix, count, where=PAYLOAD.WHERE.ORIGINAL):
validPayload = None
vector = None
@ -109,7 +109,7 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, count, whe
validPayload = payload
vector = (position, count, comment, prefix, suffix, conf.uChar, where)
if where == 1:
if where == PAYLOAD.WHERE.ORIGINAL:
# Prepare expression with delimiters
randQuery2 = randomStr()
phrase2 = "%s%s%s" % (kb.misc.start, randQuery2, kb.misc.stop)
@ -118,14 +118,14 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, count, whe
# Confirm that it is a full inband SQL injection
query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, conf.uChar, multipleUnions=randQueryUnescaped2)
payload = agent.payload(place=place, parameter=parameter, newValue=query, where=2)
payload = agent.payload(place=place, parameter=parameter, newValue=query, where=PAYLOAD.WHERE.NEGATIVE)
# Perform the request
page, headers = Request.queryPage(payload, place=place, content=True, raise404=False)
content = "%s%s" % (page or "", listToStrValue(headers.headers if headers else None) or "")
if content and ((phrase in content and phrase2 not in content) or (phrase not in content and phrase2 in content)):
vector = (position, count, comment, prefix, suffix, conf.uChar, 2)
vector = (position, count, comment, prefix, suffix, conf.uChar, PAYLOAD.WHERE.NEGATIVE)
break
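Review bot: The default argument `where=PAYLOAD.WHERE.ORIGINAL` on `__findUnionCharCount` and `__unionPosition` is evaluated when the module is imported, so `PAYLOAD` must already be bound in this file; the visible import context (lib.parse.html, lib.request.comparison, lib.request.connect) does not show a `from lib.core.enums import PAYLOAD`, which would sort above those lines if present, so please confirm it exists — otherwise the module fails with a NameError at import time rather than at call time. The docstring of `__findUnionCharCount` still only says what the function finds; a line such as `where: PAYLOAD.WHERE member selecting how the original parameter value is treated` would document the parameter now that it has a named type. Both functions continue outside the hunk.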


@ -41,7 +41,7 @@ def __oneShotUnionUse(expression, unpack=True, unescape=True):
expression = unescaper.unescape(expression)
if conf.limitStart or conf.limitStop:
where = 2
where = PAYLOAD.WHERE.NEGATIVE
else:
where = None
@ -129,7 +129,7 @@ def unionUse(expression, unescape=True, unpack=True, dump=False):
# entry per time
# NOTE: I assume that only queries that get data from a table can
# return multiple entries
if (kb.injection.data[PAYLOAD.TECHNIQUE.UNION].where == 2 or \
if (kb.injection.data[PAYLOAD.TECHNIQUE.UNION].where == PAYLOAD.WHERE.NEGATIVE or \
(dump and (conf.limitStart or conf.limitStop))) and \
" FROM " in expression.upper() and ((Backend.getIdentifiedDbms() \
not in FROM_TABLE) or (Backend.getIdentifiedDbms() in FROM_TABLE \
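Review bot: The first hunk keeps `None` as the "no special placement" value (`where = None` in the `else` branch) alongside the new enum, so `where` is now a mix of `PAYLOAD.WHERE` members and `None`. The agent.py hunk in this commit shows that Agent.payload's fallback branch assigns `value = origValue`, exactly what ORIGINAL does, so if that is the only consumer, `where = PAYLOAD.WHERE.ORIGINAL` would state the intent and keep the set closed; confirm against every consumer before changing it, since `None` and ORIGINAL are distinguishable by `==` checks such as the one in `__unionPosition`. `__oneShotUnionUse` starts outside the hunk, and the condition in the second hunk continues past its end.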