diff --git a/lib/controller/checks.py b/lib/controller/checks.py
index a8f4cc35a..146178be6 100644
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -253,15 +253,15 @@ def checkSqlInjection(place, parameter, value):
 # Threat the parameter original value according to the # test's tag
- if where == 1:
+ if where == PAYLOAD.WHERE.ORIGINAL:
 origValue = value
- elif where == 2:
+ elif where == PAYLOAD.WHERE.NEGATIVE:
 # Use different page template than the original # one as we are changing parameters value, which # will likely result in a different content origValue = "-%s" % randomInt() templatePayload = agent.payload(place, parameter, newValue=origValue, where=where)
- elif where == 3:
+ elif where == PAYLOAD.WHERE.REPLACE:
 origValue = "" kb.pageTemplate, kb.errorIsNone = getPageTemplate(templatePayload, place)
diff --git a/lib/core/agent.py b/lib/core/agent.py
index 1a34f0299..5afcd61ec 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -80,14 +80,14 @@ class Agent:
 origValue = origValue[origValue.rfind('/') + 1:] if value is None:
- if where == 1:
+ if where == PAYLOAD.WHERE.ORIGINAL:
 value = origValue
- elif where == 2:
+ elif where == PAYLOAD.WHERE.NEGATIVE:
 if newValue.startswith("-"): value = "" else: value = "-%s" % randomInt()
- elif where == 3:
+ elif where == PAYLOAD.WHERE.REPLACE:
 value = "" else: value = origValue
@@ -144,7 +144,7 @@ class Agent:
 # If we are replacing () the parameter original value with # our payload do not prepend with the prefix
- if where == 3:
+ if where == PAYLOAD.WHERE.REPLACE:
 query = "" # If the technique is stacked queries () do not put a space
@@ -185,7 +185,7 @@ class Agent:
 # If we are replacing () the parameter original value with # our payload do not append the suffix
- if where == 3:
+ if where == PAYLOAD.WHERE.REPLACE:
 pass elif kb.injection.suffix is not None:
diff --git a/lib/core/enums.py b/lib/core/enums.py
index 02103dbbc..59a4bee52 100644
--- a/lib/core/enums.py
+++ b/lib/core/enums.py
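Review bot: `PAYLOAD.WHERE.ORIGINAL` / `NEGATIVE` / `REPLACE` are now dereferenced in lib/controller/checks.py, but no hunk in this commit adds `from lib.core.enums import PAYLOAD` to that module; if the name is not already in scope there (the import block lies outside the hunk), the branch raises NameError instead of selecting the original value. The same applies to the three lib/core/agent.py hunks and to lib/techniques/inband/union/test.py, where `where=PAYLOAD.WHERE.ORIGINAL` is a default argument and is therefore evaluated at import time, so a missing import would fail at module load rather than at the first call. Only lib/takeover/web.py receives the import in this commit, and lib/techniques/inband/union/use.py already dereferences `PAYLOAD.TECHNIQUE.UNION` in its context lines, so those two look safe. Separately, `templatePayload` is assigned only in the NEGATIVE branch yet passed to `getPageTemplate` after the chain, so it must be initialised earlier in checkSqlInjection, whose body starts outside the hunk — worth confirming rather than assuming.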
@@ -115,3 +115,8 @@ class PAYLOAD:
 UNION = 3 STACKED = 4 TIME = 5
+
+ class WHERE:
+ ORIGINAL = 1
+ NEGATIVE = 2
+ REPLACE = 3
diff --git a/lib/takeover/web.py b/lib/takeover/web.py
index 12ea4a317..692a20b29 100644
--- a/lib/takeover/web.py
+++ b/lib/takeover/web.py
@@ -31,6 +31,7 @@ from lib.core.data import conf
 from lib.core.data import kb from lib.core.data import logger from lib.core.data import paths
+from lib.core.enums import PAYLOAD
 from lib.core.exception import sqlmapUnsupportedDBMSException from lib.core.shell import autoCompletion from lib.request.connect import Connect as Request
@@ -108,7 +109,7 @@ class Web:
 if isTechniqueAvailable(kb.technique): where = kb.injection.data[kb.technique].where
- if where == 2:
+ if where == PAYLOAD.WHERE.NEGATIVE:
 randInt = randomInt() query += "OR %d=%d " % (randInt, randInt)
diff --git a/lib/techniques/inband/union/test.py b/lib/techniques/inband/union/test.py
index a0671b804..6a0e21187 100644
--- a/lib/techniques/inband/union/test.py
+++ b/lib/techniques/inband/union/test.py
@@ -37,7 +37,7 @@ from lib.parse.html import htmlParser
 from lib.request.comparison import comparison from lib.request.connect import Connect as Request
-def __findUnionCharCount(comment, place, parameter, value, prefix, suffix, where=1):
+def __findUnionCharCount(comment, place, parameter, value, prefix, suffix, where=PAYLOAD.WHERE.ORIGINAL):
 """ Finds number of columns affected by UNION based injection """
@@ -83,7 +83,7 @@ def __findUnionCharCount(comment, place, parameter, value, prefix, suffix, where
 return retVal
-def __unionPosition(comment, place, parameter, value, prefix, suffix, count, where=1):
+def __unionPosition(comment, place, parameter, value, prefix, suffix, count, where=PAYLOAD.WHERE.ORIGINAL):
 validPayload = None vector = None
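Review bot: The new nested `WHERE` class in lib/core/enums.py carries no comment saying what its three values mean, although every comparison site in this commit depends on that meaning and the surrounding `PAYLOAD` members are equally bare. A short comment above the class, `# WHERE: how the payload is placed relative to the parameter's original value`, plus one trailing comment per member — `ORIGINAL = 1  # keep the original parameter value`, `NEGATIVE = 2  # substitute a negative random integer so the response differs`, `REPLACE = 3  # drop the original value (empty string)` — would document what the agent.py and checks.py branches actually do with each value. Because the members are plain ints, any comparison site still written as `where == 2` keeps working silently, so a grep for remaining literal comparisons is the only way to know the refactor is complete.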
@@ -109,7 +109,7 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, count, whe
 validPayload = payload vector = (position, count, comment, prefix, suffix, conf.uChar, where)
- if where == 1:
+ if where == PAYLOAD.WHERE.ORIGINAL:
 # Prepare expression with delimiters randQuery2 = randomStr() phrase2 = "%s%s%s" % (kb.misc.start, randQuery2, kb.misc.stop)
@@ -118,14 +118,14 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, count, whe
 # Confirm that it is a full inband SQL injection query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, conf.uChar, multipleUnions=randQueryUnescaped2)
- payload = agent.payload(place=place, parameter=parameter, newValue=query, where=2)
+ payload = agent.payload(place=place, parameter=parameter, newValue=query, where=PAYLOAD.WHERE.NEGATIVE)
 # Perform the request page, headers = Request.queryPage(payload, place=place, content=True, raise404=False) content = "%s%s" % (page or "", listToStrValue(headers.headers if headers else None) or "") if content and ((phrase in content and phrase2 not in content) or (phrase not in content and phrase2 in content)):
- vector = (position, count, comment, prefix, suffix, conf.uChar, 2)
+ vector = (position, count, comment, prefix, suffix, conf.uChar, PAYLOAD.WHERE.NEGATIVE)
 break
diff --git a/lib/techniques/inband/union/use.py b/lib/techniques/inband/union/use.py
index d2cd2a926..311d00e45 100644
--- a/lib/techniques/inband/union/use.py
+++ b/lib/techniques/inband/union/use.py
@@ -41,7 +41,7 @@ def __oneShotUnionUse(expression, unpack=True, unescape=True):
 expression = unescaper.unescape(expression) if conf.limitStart or conf.limitStop:
- where = 2
+ where = PAYLOAD.WHERE.NEGATIVE
 else: where = None
@@ -129,7 +129,7 @@ def unionUse(expression, unescape=True, unpack=True, dump=False):
 # entry per time # NOTE: I assume that only queries that get data from a table can # return multiple entries
- if (kb.injection.data[PAYLOAD.TECHNIQUE.UNION].where == 2 or \
+ if (kb.injection.data[PAYLOAD.TECHNIQUE.UNION].where == PAYLOAD.WHERE.NEGATIVE or \
 (dump and (conf.limitStart or conf.limitStop))) and \ " FROM " in expression.upper() and ((Backend.getIdentifiedDbms() \ not in FROM_TABLE) or (Backend.getIdentifiedDbms() in FROM_TABLE \