changes regarding Feature #157 (Evaluate BETWEEN for inference algorithm)

2024-11-22 09:36:35 +03:00 · 2010-05-12 11:30:32 +00:00 · 2010-05-12 11:30:32 +00:00 · 893bc04fe4
commit 893bc04fe4
parent 8b74c405f5
4 changed files with 27 additions and 7 deletions
--- a/lib/core/optiondict.py
+++ b/lib/core/optiondict.py
@ -67,6 +67,7 @@ optDict = {
                               "regexp":            "string",
                               "eString":           "string",
                               "eRegexp":           "string",
+                               "useBetween":        "boolean",
                             },

            "Techniques":    {
--- a/lib/parse/cmdline.py
+++ b/lib/parse/cmdline.py
@ -182,6 +182,10 @@ def cmdLineParser():
                             help="Matches to be excluded before "
                                  "comparing page contents")

+        injection.add_option("--use-between", dest="useBetween",
+                             action="store_true",
+                             help="Use operator BETWEEN instead of default '>'")
+
        # Techniques options
        techniques = OptionGroup(parser, "Techniques", "These options can "
                                 "be used to test for specific SQL injection "
--- a/lib/techniques/blind/inference.py
+++ b/lib/techniques/blind/inference.py
@ -158,18 +158,30 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
                posValueOld = posValue
                posValue = chr(posValue)

-            forgedPayload = safeStringFormat(payload, (expressionUnescaped, idx, posValue))
+            if not conf.useBetween:
+                forgedPayload = safeStringFormat(payload, (expressionUnescaped, idx, posValue))
+            else:
+                forgedPayload = safeStringFormat(payload.replace('%3E', 'BETWEEN 0 AND '), (expressionUnescaped, idx, posValue))
+
            result        = Request.queryPage(urlencode(forgedPayload))

            if kb.dbms == "SQLite":
                posValue = posValueOld

-            if result:
-                minValue = posValue
-                asciiTbl = asciiTbl[position:]
-            else:
-                maxValue = posValue
-                asciiTbl = asciiTbl[:position]
+            if not conf.useBetween:     #normal
+                if result:
+                    minValue = posValue
+                    asciiTbl = asciiTbl[position:]
+                else:
+                    maxValue = posValue
+                    asciiTbl = asciiTbl[:position]
+            else:                       #reversed
+                if result:
+                    maxValue = posValue
+                    asciiTbl = asciiTbl[:position]
+                else:
+                    minValue = posValue
+                    asciiTbl = asciiTbl[position:]

            if len(asciiTbl) == 1:
                if maxValue == 1:
--- a/sqlmap.conf
+++ b/sqlmap.conf
@ -184,6 +184,9 @@ eString =
 # (http://www.python.org/doc/2.5.2/lib/re-syntax.html)
 eRegexp = 

+# Use operator BETWEEN instead of default '>'
+# Valid: True or False
+useBetween = False

 # These options can be used to test for specific SQL injection technique
 # or to use one of them to exploit the affected parameter(s) rather than