mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2024-11-29 04:53:48 +03:00
Got rid of unreliable 'ORDER BY' technique to detect UNION query SQL injection, consequently switch --union-tech has gone now.
Minor code refactoring too.
This commit is contained in:
parent
e9291932e5
commit
8b9706656e
|
@ -45,29 +45,6 @@ from lib.core.session import setTimeBased
|
||||||
from lib.core.target import initTargetEnv
|
from lib.core.target import initTargetEnv
|
||||||
from lib.core.target import setupTargetEnv
|
from lib.core.target import setupTargetEnv
|
||||||
|
|
||||||
def __saveToSessionFile():
|
|
||||||
for inj in kb.injections:
|
|
||||||
setInjection(inj)
|
|
||||||
|
|
||||||
place = inj.place
|
|
||||||
parameter = inj.parameter
|
|
||||||
|
|
||||||
for stype, sdata in inj.data.items():
|
|
||||||
payload = sdata[0]
|
|
||||||
|
|
||||||
if stype == 1:
|
|
||||||
kb.booleanTest = payload
|
|
||||||
setBooleanBased(place, parameter, payload)
|
|
||||||
elif stype == 2:
|
|
||||||
kb.errorTest = payload
|
|
||||||
setError(place, parameter, payload)
|
|
||||||
elif stype == 4:
|
|
||||||
kb.stackedTest = payload
|
|
||||||
setStacked(place, parameter, payload)
|
|
||||||
elif stype == 5:
|
|
||||||
kb.timeTest = payload
|
|
||||||
setTimeBased(place, parameter, payload)
|
|
||||||
|
|
||||||
def __selectInjection():
|
def __selectInjection():
|
||||||
"""
|
"""
|
||||||
Selection function for injection place, parameters and type.
|
Selection function for injection place, parameters and type.
|
||||||
|
@ -144,6 +121,29 @@ def __showInjections():
|
||||||
|
|
||||||
dumper.technic(header, data)
|
dumper.technic(header, data)
|
||||||
|
|
||||||
|
def __saveToSessionFile():
|
||||||
|
for inj in kb.injections:
|
||||||
|
setInjection(inj)
|
||||||
|
|
||||||
|
place = inj.place
|
||||||
|
parameter = inj.parameter
|
||||||
|
|
||||||
|
for stype, sdata in inj.data.items():
|
||||||
|
payload = sdata[0]
|
||||||
|
|
||||||
|
if stype == 1:
|
||||||
|
kb.booleanTest = payload
|
||||||
|
setBooleanBased(place, parameter, payload)
|
||||||
|
elif stype == 2:
|
||||||
|
kb.errorTest = payload
|
||||||
|
setError(place, parameter, payload)
|
||||||
|
elif stype == 4:
|
||||||
|
kb.stackedTest = payload
|
||||||
|
setStacked(place, parameter, payload)
|
||||||
|
elif stype == 5:
|
||||||
|
kb.timeTest = payload
|
||||||
|
setTimeBased(place, parameter, payload)
|
||||||
|
|
||||||
def start():
|
def start():
|
||||||
"""
|
"""
|
||||||
This function calls a function that performs checks on both URL
|
This function calls a function that performs checks on both URL
|
||||||
|
|
|
@ -499,24 +499,6 @@ def __setWriteFile():
|
||||||
conf.wFileType = getFileType(conf.wFile)
|
conf.wFileType = getFileType(conf.wFile)
|
||||||
|
|
||||||
def __setUnion():
|
def __setUnion():
|
||||||
if isinstance(conf.uTech, basestring):
|
|
||||||
debugMsg = "setting the UNION query SQL injection detection technique"
|
|
||||||
logger.debug(debugMsg)
|
|
||||||
|
|
||||||
uTechOriginal = conf.uTech
|
|
||||||
conf.uTech = conf.uTech.lower()
|
|
||||||
|
|
||||||
if conf.uTech and conf.uTech not in ( "char", "orderby" ):
|
|
||||||
infoMsg = "resetting the UNION query detection technique to "
|
|
||||||
infoMsg += "'char', '%s' is not a valid technique" % uTechOriginal
|
|
||||||
logger.info(infoMsg)
|
|
||||||
|
|
||||||
conf.uTech = "char"
|
|
||||||
else:
|
|
||||||
debugMsg = "setting UNION query detection technique to "
|
|
||||||
debugMsg += "'%s'" % uTechOriginal
|
|
||||||
logger.debug(debugMsg)
|
|
||||||
|
|
||||||
if isinstance(conf.uCols, basestring) and conf.uChar != "1-20":
|
if isinstance(conf.uCols, basestring) and conf.uChar != "1-20":
|
||||||
debugMsg = "setting the UNION query SQL injection range of columns"
|
debugMsg = "setting the UNION query SQL injection range of columns"
|
||||||
logger.debug(debugMsg)
|
logger.debug(debugMsg)
|
||||||
|
|
|
@ -77,7 +77,6 @@ optDict = {
|
||||||
"Techniques": {
|
"Techniques": {
|
||||||
"timeSec": "integer",
|
"timeSec": "integer",
|
||||||
"unionTest": "boolean",
|
"unionTest": "boolean",
|
||||||
"uTech": "string",
|
|
||||||
"uCols": "integer",
|
"uCols": "integer",
|
||||||
"uChar": "string"
|
"uChar": "string"
|
||||||
},
|
},
|
||||||
|
|
|
@ -235,9 +235,6 @@ def cmdLineParser():
|
||||||
action="store_true", default=False,
|
action="store_true", default=False,
|
||||||
help="Test for and use UNION query (inband) SQL injection")
|
help="Test for and use UNION query (inband) SQL injection")
|
||||||
|
|
||||||
techniques.add_option("--union-tech", dest="uTech", default="char",
|
|
||||||
help="Technique to test for UNION query SQL injection")
|
|
||||||
|
|
||||||
techniques.add_option("--union-cols", dest="uCols", default="1-20",
|
techniques.add_option("--union-cols", dest="uCols", default="1-20",
|
||||||
help="Range of columns to test for UNION query SQL injection")
|
help="Range of columns to test for UNION query SQL injection")
|
||||||
|
|
||||||
|
|
|
@ -117,26 +117,6 @@ def __unionTestByCharBruteforce(comment):
|
||||||
|
|
||||||
return validPayload
|
return validPayload
|
||||||
|
|
||||||
def __unionTestByOrderBy(comment):
|
|
||||||
columns = None
|
|
||||||
prevPayload = ""
|
|
||||||
|
|
||||||
for count in range(conf.uColsStart, conf.uColsStop+1):
|
|
||||||
query = agent.prefixQuery("ORDER BY %d" % count)
|
|
||||||
orderByQuery = agent.suffixQuery(query, comment)
|
|
||||||
payload = agent.payload(newValue=orderByQuery, negative=negative, falseCond=falseCond)
|
|
||||||
_, seqMatcher = Request.queryPage(payload, getSeqMatcher=True)
|
|
||||||
|
|
||||||
if seqMatcher >= 0.6:
|
|
||||||
columns = count
|
|
||||||
setUnion(count=count)
|
|
||||||
elif columns:
|
|
||||||
break
|
|
||||||
|
|
||||||
prevPayload = payload
|
|
||||||
|
|
||||||
return columns
|
|
||||||
|
|
||||||
def unionTest():
|
def unionTest():
|
||||||
"""
|
"""
|
||||||
This method tests if the target url is affected by an inband
|
This method tests if the target url is affected by an inband
|
||||||
|
@ -149,9 +129,7 @@ def unionTest():
|
||||||
if kb.unionTest is not None:
|
if kb.unionTest is not None:
|
||||||
return kb.unionTest
|
return kb.unionTest
|
||||||
|
|
||||||
if conf.uTech == "orderby":
|
if conf.uChar == "NULL":
|
||||||
technique = "ORDER BY clause bruteforcing"
|
|
||||||
elif conf.uChar == "NULL":
|
|
||||||
technique = "NULL bruteforcing"
|
technique = "NULL bruteforcing"
|
||||||
else:
|
else:
|
||||||
technique = "char (%s) bruteforcing" % conf.uChar
|
technique = "char (%s) bruteforcing" % conf.uChar
|
||||||
|
@ -163,10 +141,7 @@ def unionTest():
|
||||||
validPayload = None
|
validPayload = None
|
||||||
comment = queries[kb.dbms].comment.query
|
comment = queries[kb.dbms].comment.query
|
||||||
|
|
||||||
if conf.uTech == "orderby":
|
validPayload = __unionTestByCharBruteforce(comment)
|
||||||
validPayload = __unionTestByOrderBy(comment)
|
|
||||||
else:
|
|
||||||
validPayload = __unionTestByCharBruteforce(comment)
|
|
||||||
|
|
||||||
if validPayload:
|
if validPayload:
|
||||||
setUnion(comment=comment)
|
setUnion(comment=comment)
|
||||||
|
|
|
@ -255,13 +255,6 @@ timeSec = 5
|
||||||
# Valid: True or False
|
# Valid: True or False
|
||||||
unionTest = False
|
unionTest = False
|
||||||
|
|
||||||
# Technique to test for UNION query SQL injection
|
|
||||||
# The possible techniques are by NULL bruteforcing (bf) or by ORDER BY
|
|
||||||
# clause (ob)
|
|
||||||
# Valid: char, OrderBy
|
|
||||||
# Default: char
|
|
||||||
uTech = char
|
|
||||||
|
|
||||||
# Range of columns to test for
|
# Range of columns to test for
|
||||||
# Valid: range of integers
|
# Valid: range of integers
|
||||||
# Default: 1-20
|
# Default: 1-20
|
||||||
|
|
Loading…
Reference in New Issue
Block a user