adding WHERE enum for payloads

This commit is contained in:
Miroslav Stampar 2011-02-02 13:34:09 +00:00
parent d6c9515f78
commit 8134c2154a
6 changed files with 22 additions and 16 deletions


@ -253,15 +253,15 @@ def checkSqlInjection(place, parameter, value):
# Threat the parameter original value according to the # Threat the parameter original value according to the
# test's <where> tag # test's <where> tag
if where == 1: if where == PAYLOAD.WHERE.ORIGINAL:
origValue = value origValue = value
elif where == 2: elif where == PAYLOAD.WHERE.NEGATIVE:
# Use different page template than the original # Use different page template than the original
# one as we are changing parameters value, which # one as we are changing parameters value, which
# will likely result in a different content # will likely result in a different content
origValue = "-%s" % randomInt() origValue = "-%s" % randomInt()
templatePayload = agent.payload(place, parameter, newValue=origValue, where=where) templatePayload = agent.payload(place, parameter, newValue=origValue, where=where)
elif where == 3: elif where == PAYLOAD.WHERE.REPLACE:
origValue = "" origValue = ""
kb.pageTemplate, kb.errorIsNone = getPageTemplate(templatePayload, place) kb.pageTemplate, kb.errorIsNone = getPageTemplate(templatePayload, place)
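Review bot: The `if`/`elif` chain that now compares against `PAYLOAD.WHERE.*` has no closing branch, so a `where` value outside ORIGINAL/NEGATIVE/REPLACE (an unexpected `<where>` tag value, or `None`) silently matches nothing and, as far as this hunk shows, leaves `origValue` unassigned before the `getPageTemplate` call. Closing the chain with `else: raise` using the exception type this module already uses for malformed test data would turn that into a clear error instead of a later NameError. The comment above the chain also reads "Threat the parameter original value" where "Treat" is meant. checkSqlInjection starts before this hunk and continues after it, so whether `origValue`/`templatePayload` have earlier defaults cannot be confirmed from here.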


@ -80,14 +80,14 @@ class Agent:
origValue = origValue[origValue.rfind('/') + 1:] origValue = origValue[origValue.rfind('/') + 1:]
if value is None: if value is None:
if where == 1: if where == PAYLOAD.WHERE.ORIGINAL:
value = origValue value = origValue
elif where == 2: elif where == PAYLOAD.WHERE.NEGATIVE:
if newValue.startswith("-"): if newValue.startswith("-"):
value = "" value = ""
else: else:
value = "-%s" % randomInt() value = "-%s" % randomInt()
elif where == 3: elif where == PAYLOAD.WHERE.REPLACE:
value = "" value = ""
else: else:
value = origValue value = origValue
@ -144,7 +144,7 @@ class Agent:
# If we are replacing (<where>) the parameter original value with # If we are replacing (<where>) the parameter original value with
# our payload do not prepend with the prefix # our payload do not prepend with the prefix
if where == 3: if where == PAYLOAD.WHERE.REPLACE:
query = "" query = ""
# If the technique is stacked queries (<stype>) do not put a space # If the technique is stacked queries (<stype>) do not put a space
@ -185,7 +185,7 @@ class Agent:
# If we are replacing (<where>) the parameter original value with # If we are replacing (<where>) the parameter original value with
# our payload do not append the suffix # our payload do not append the suffix
if where == 3: if where == PAYLOAD.WHERE.REPLACE:
pass pass
elif kb.injection.suffix is not None: elif kb.injection.suffix is not None:
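Review bot: The trailing `else: value = origValue` at the end of the first chain means `where=None` (and any value outside the new enum) behaves exactly like `PAYLOAD.WHERE.ORIGINAL`, and this commit elsewhere sets `where = None` in `__oneShotUnionUse`, so that fallback appears to be relied on; it deserves a comment at the `else` such as `# no <where> (None) or unknown value: keep the original parameter value`. Relatedly, the NEGATIVE branch calls `newValue.startswith("-")`, which assumes `newValue` is a string; the callers visible in this commit always pass one, but a `None` here fails with AttributeError rather than a sqlmap error. Agent.payload starts before this hunk and its body is split across the three hunks shown, so the prefix/suffix handling between them is not visible.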


@ -115,3 +115,8 @@ class PAYLOAD:
UNION = 3 UNION = 3
STACKED = 4 STACKED = 4
TIME = 5 TIME = 5
class WHERE:
ORIGINAL = 1
NEGATIVE = 2
REPLACE = 3
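Review bot: The new `WHERE` class carries no comments, yet it is now the only place the three `<where>` modes are named, so a reader has to reverse-engineer `Agent.payload` to learn what they mean. A one-line comment per member would fix that: `ORIGINAL = 1  # keep the parameter's original value`, `NEGATIVE = 2  # replace it with a negative random integer so the page differs from the original`, `REPLACE = 3  # drop the original value; the payload stands alone, with no prefix or suffix`. Since the members are bare ints, any literal `where == 2` left behind elsewhere still compares equal and will not be caught by this change, so a grep for the old literals once the migration is finished is worthwhile.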


@ -31,6 +31,7 @@ from lib.core.data import conf
from lib.core.data import kb from lib.core.data import kb
from lib.core.data import logger from lib.core.data import logger
from lib.core.data import paths from lib.core.data import paths
from lib.core.enums import PAYLOAD
from lib.core.exception import sqlmapUnsupportedDBMSException from lib.core.exception import sqlmapUnsupportedDBMSException
from lib.core.shell import autoCompletion from lib.core.shell import autoCompletion
from lib.request.connect import Connect as Request from lib.request.connect import Connect as Request
@ -108,7 +109,7 @@ class Web:
if isTechniqueAvailable(kb.technique): if isTechniqueAvailable(kb.technique):
where = kb.injection.data[kb.technique].where where = kb.injection.data[kb.technique].where
if where == 2: if where == PAYLOAD.WHERE.NEGATIVE:
randInt = randomInt() randInt = randomInt()
query += "OR %d=%d " % (randInt, randInt) query += "OR %d=%d " % (randInt, randInt)


@ -37,7 +37,7 @@ from lib.parse.html import htmlParser
from lib.request.comparison import comparison from lib.request.comparison import comparison
from lib.request.connect import Connect as Request from lib.request.connect import Connect as Request
def __findUnionCharCount(comment, place, parameter, value, prefix, suffix, where=1): def __findUnionCharCount(comment, place, parameter, value, prefix, suffix, where=PAYLOAD.WHERE.ORIGINAL):
""" """
Finds number of columns affected by UNION based injection Finds number of columns affected by UNION based injection
""" """
@ -83,7 +83,7 @@ def __findUnionCharCount(comment, place, parameter, value, prefix, suffix, where
return retVal return retVal
def __unionPosition(comment, place, parameter, value, prefix, suffix, count, where=1): def __unionPosition(comment, place, parameter, value, prefix, suffix, count, where=PAYLOAD.WHERE.ORIGINAL):
validPayload = None validPayload = None
vector = None vector = None
@ -109,7 +109,7 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, count, whe
validPayload = payload validPayload = payload
vector = (position, count, comment, prefix, suffix, conf.uChar, where) vector = (position, count, comment, prefix, suffix, conf.uChar, where)
if where == 1: if where == PAYLOAD.WHERE.ORIGINAL:
# Prepare expression with delimiters # Prepare expression with delimiters
randQuery2 = randomStr() randQuery2 = randomStr()
phrase2 = "%s%s%s" % (kb.misc.start, randQuery2, kb.misc.stop) phrase2 = "%s%s%s" % (kb.misc.start, randQuery2, kb.misc.stop)
@ -118,14 +118,14 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, count, whe
# Confirm that it is a full inband SQL injection # Confirm that it is a full inband SQL injection
query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, conf.uChar, multipleUnions=randQueryUnescaped2) query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, conf.uChar, multipleUnions=randQueryUnescaped2)
payload = agent.payload(place=place, parameter=parameter, newValue=query, where=2) payload = agent.payload(place=place, parameter=parameter, newValue=query, where=PAYLOAD.WHERE.NEGATIVE)
# Perform the request # Perform the request
page, headers = Request.queryPage(payload, place=place, content=True, raise404=False) page, headers = Request.queryPage(payload, place=place, content=True, raise404=False)
content = "%s%s" % (page or "", listToStrValue(headers.headers if headers else None) or "") content = "%s%s" % (page or "", listToStrValue(headers.headers if headers else None) or "")
if content and ((phrase in content and phrase2 not in content) or (phrase not in content and phrase2 in content)): if content and ((phrase in content and phrase2 not in content) or (phrase not in content and phrase2 in content)):
vector = (position, count, comment, prefix, suffix, conf.uChar, 2) vector = (position, count, comment, prefix, suffix, conf.uChar, PAYLOAD.WHERE.NEGATIVE)
break break
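Review bot: `vector` is a positional 7-tuple whose last slot now holds a `PAYLOAD.WHERE` value (`vector = (position, count, comment, prefix, suffix, conf.uChar, PAYLOAD.WHERE.NEGATIVE)`), so every consumer must know that index 6 is the `<where>` mode; a comment at the first assignment, `# last element is the PAYLOAD.WHERE mode the payload was confirmed with`, would make that contract explicit without changing the tuple shape callers outside this hunk depend on. The either-or check just above could also be written as `if content and ((phrase in content) != (phrase2 in content)):`, which says "exactly one of the two markers is present" more directly than the two-clause disjunction. __unionPosition continues past the end of this hunk, so how `vector` is returned is not visible here.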


@ -41,7 +41,7 @@ def __oneShotUnionUse(expression, unpack=True, unescape=True):
expression = unescaper.unescape(expression) expression = unescaper.unescape(expression)
if conf.limitStart or conf.limitStop: if conf.limitStart or conf.limitStop:
where = 2 where = PAYLOAD.WHERE.NEGATIVE
else: else:
where = None where = None
@ -129,7 +129,7 @@ def unionUse(expression, unescape=True, unpack=True, dump=False):
# entry per time # entry per time
# NOTE: I assume that only queries that get data from a table can # NOTE: I assume that only queries that get data from a table can
# return multiple entries # return multiple entries
if (kb.injection.data[PAYLOAD.TECHNIQUE.UNION].where == 2 or \ if (kb.injection.data[PAYLOAD.TECHNIQUE.UNION].where == PAYLOAD.WHERE.NEGATIVE or \
(dump and (conf.limitStart or conf.limitStop))) and \ (dump and (conf.limitStart or conf.limitStop))) and \
" FROM " in expression.upper() and ((Backend.getIdentifiedDbms() \ " FROM " in expression.upper() and ((Backend.getIdentifiedDbms() \
not in FROM_TABLE) or (Backend.getIdentifiedDbms() in FROM_TABLE \ not in FROM_TABLE) or (Backend.getIdentifiedDbms() in FROM_TABLE \
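Review bot: In the first hunk `where` is set to `PAYLOAD.WHERE.NEGATIVE` when a limit is given and to `None` otherwise, so `None` acts as an unnamed fourth mode alongside the three enum members; a comment on the `else` branch, `# None: no override, the parameter keeps its original value`, would document that intent, which this hunk otherwise leaves implicit. The `if` in the second hunk mixes the where-mode test with the dump/limit and DBMS conditions in one continued expression; binding the first part to a named local (e.g. `multipleEntries = ...`) before the DBMS checks would make it readable. That `if` statement continues past the last line of the hunk, so its full condition cannot be reviewed here.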