diff --git a/lib/core/optiondict.py b/lib/core/optiondict.py index c5a444023..7bd1e9871 100644 --- a/lib/core/optiondict.py +++ b/lib/core/optiondict.py @@ -67,6 +67,7 @@ optDict = { "regexp": "string", "eString": "string", "eRegexp": "string", + "useBetween": "boolean", }, "Techniques": { diff --git a/lib/parse/cmdline.py b/lib/parse/cmdline.py index 7db4834a3..5e27bded4 100644 --- a/lib/parse/cmdline.py +++ b/lib/parse/cmdline.py @@ -182,6 +182,10 @@ def cmdLineParser(): help="Matches to be excluded before " "comparing page contents") + injection.add_option("--use-between", dest="useBetween", + action="store_true", + help="Use operator BETWEEN instead of default '>'") + # Techniques options techniques = OptionGroup(parser, "Techniques", "These options can " "be used to test for specific SQL injection " diff --git a/lib/techniques/blind/inference.py b/lib/techniques/blind/inference.py index d6d09c6b2..445f6a3d2 100644 --- a/lib/techniques/blind/inference.py +++ b/lib/techniques/blind/inference.py @@ -158,18 +158,30 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None posValueOld = posValue posValue = chr(posValue) - forgedPayload = safeStringFormat(payload, (expressionUnescaped, idx, posValue)) + if not conf.useBetween: + forgedPayload = safeStringFormat(payload, (expressionUnescaped, idx, posValue)) + else: + forgedPayload = safeStringFormat(payload.replace('%3E', 'BETWEEN 0 AND '), (expressionUnescaped, idx, posValue)) + result = Request.queryPage(urlencode(forgedPayload)) if kb.dbms == "SQLite": posValue = posValueOld - if result: - minValue = posValue - asciiTbl = asciiTbl[position:] - else: - maxValue = posValue - asciiTbl = asciiTbl[:position] + if not conf.useBetween: #normal + if result: + minValue = posValue + asciiTbl = asciiTbl[position:] + else: + maxValue = posValue + asciiTbl = asciiTbl[:position] + else: #reversed + if result: + maxValue = posValue + asciiTbl = asciiTbl[:position] + else: + minValue = posValue + asciiTbl = asciiTbl[position:] if len(asciiTbl) == 1: if maxValue == 1: diff --git a/sqlmap.conf b/sqlmap.conf index 2dfc98272..8c2ccd57f 100644 --- a/sqlmap.conf +++ b/sqlmap.conf @@ -184,6 +184,9 @@ eString = # (http://www.python.org/doc/2.5.2/lib/re-syntax.html) eRegexp = +# Use operator BETWEEN instead of default '>' +# Valid: True or False +useBetween = False # These options can be used to test for specific SQL injection technique # or to use one of them to exploit the affected parameter(s) rather than