mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2024-11-29 04:53:48 +03:00
Got rid of unreliable 'ORDER BY' technique to detect UNION query SQL injection, consequently switch --union-tech has gone now.
Minor code refactoring too.
This commit is contained in:
parent
e9291932e5
commit
8b9706656e
|
@ -45,29 +45,6 @@ from lib.core.session import setTimeBased
|
|||
from lib.core.target import initTargetEnv
|
||||
from lib.core.target import setupTargetEnv
|
||||
|
||||
def __saveToSessionFile():
|
||||
for inj in kb.injections:
|
||||
setInjection(inj)
|
||||
|
||||
place = inj.place
|
||||
parameter = inj.parameter
|
||||
|
||||
for stype, sdata in inj.data.items():
|
||||
payload = sdata[0]
|
||||
|
||||
if stype == 1:
|
||||
kb.booleanTest = payload
|
||||
setBooleanBased(place, parameter, payload)
|
||||
elif stype == 2:
|
||||
kb.errorTest = payload
|
||||
setError(place, parameter, payload)
|
||||
elif stype == 4:
|
||||
kb.stackedTest = payload
|
||||
setStacked(place, parameter, payload)
|
||||
elif stype == 5:
|
||||
kb.timeTest = payload
|
||||
setTimeBased(place, parameter, payload)
|
||||
|
||||
def __selectInjection():
|
||||
"""
|
||||
Selection function for injection place, parameters and type.
|
||||
|
@ -144,6 +121,29 @@ def __showInjections():
|
|||
|
||||
dumper.technic(header, data)
|
||||
|
||||
def __saveToSessionFile():
|
||||
for inj in kb.injections:
|
||||
setInjection(inj)
|
||||
|
||||
place = inj.place
|
||||
parameter = inj.parameter
|
||||
|
||||
for stype, sdata in inj.data.items():
|
||||
payload = sdata[0]
|
||||
|
||||
if stype == 1:
|
||||
kb.booleanTest = payload
|
||||
setBooleanBased(place, parameter, payload)
|
||||
elif stype == 2:
|
||||
kb.errorTest = payload
|
||||
setError(place, parameter, payload)
|
||||
elif stype == 4:
|
||||
kb.stackedTest = payload
|
||||
setStacked(place, parameter, payload)
|
||||
elif stype == 5:
|
||||
kb.timeTest = payload
|
||||
setTimeBased(place, parameter, payload)
|
||||
|
||||
def start():
|
||||
"""
|
||||
This function calls a function that performs checks on both URL
|
||||
|
|
|
@ -499,24 +499,6 @@ def __setWriteFile():
|
|||
conf.wFileType = getFileType(conf.wFile)
|
||||
|
||||
def __setUnion():
|
||||
if isinstance(conf.uTech, basestring):
|
||||
debugMsg = "setting the UNION query SQL injection detection technique"
|
||||
logger.debug(debugMsg)
|
||||
|
||||
uTechOriginal = conf.uTech
|
||||
conf.uTech = conf.uTech.lower()
|
||||
|
||||
if conf.uTech and conf.uTech not in ( "char", "orderby" ):
|
||||
infoMsg = "resetting the UNION query detection technique to "
|
||||
infoMsg += "'char', '%s' is not a valid technique" % uTechOriginal
|
||||
logger.info(infoMsg)
|
||||
|
||||
conf.uTech = "char"
|
||||
else:
|
||||
debugMsg = "setting UNION query detection technique to "
|
||||
debugMsg += "'%s'" % uTechOriginal
|
||||
logger.debug(debugMsg)
|
||||
|
||||
if isinstance(conf.uCols, basestring) and conf.uChar != "1-20":
|
||||
debugMsg = "setting the UNION query SQL injection range of columns"
|
||||
logger.debug(debugMsg)
|
||||
|
|
|
@ -77,7 +77,6 @@ optDict = {
|
|||
"Techniques": {
|
||||
"timeSec": "integer",
|
||||
"unionTest": "boolean",
|
||||
"uTech": "string",
|
||||
"uCols": "integer",
|
||||
"uChar": "string"
|
||||
},
|
||||
|
|
|
@ -235,9 +235,6 @@ def cmdLineParser():
|
|||
action="store_true", default=False,
|
||||
help="Test for and use UNION query (inband) SQL injection")
|
||||
|
||||
techniques.add_option("--union-tech", dest="uTech", default="char",
|
||||
help="Technique to test for UNION query SQL injection")
|
||||
|
||||
techniques.add_option("--union-cols", dest="uCols", default="1-20",
|
||||
help="Range of columns to test for UNION query SQL injection")
|
||||
|
||||
|
|
|
@ -117,26 +117,6 @@ def __unionTestByCharBruteforce(comment):
|
|||
|
||||
return validPayload
|
||||
|
||||
def __unionTestByOrderBy(comment):
|
||||
columns = None
|
||||
prevPayload = ""
|
||||
|
||||
for count in range(conf.uColsStart, conf.uColsStop+1):
|
||||
query = agent.prefixQuery("ORDER BY %d" % count)
|
||||
orderByQuery = agent.suffixQuery(query, comment)
|
||||
payload = agent.payload(newValue=orderByQuery, negative=negative, falseCond=falseCond)
|
||||
_, seqMatcher = Request.queryPage(payload, getSeqMatcher=True)
|
||||
|
||||
if seqMatcher >= 0.6:
|
||||
columns = count
|
||||
setUnion(count=count)
|
||||
elif columns:
|
||||
break
|
||||
|
||||
prevPayload = payload
|
||||
|
||||
return columns
|
||||
|
||||
def unionTest():
|
||||
"""
|
||||
This method tests if the target url is affected by an inband
|
||||
|
@ -149,9 +129,7 @@ def unionTest():
|
|||
if kb.unionTest is not None:
|
||||
return kb.unionTest
|
||||
|
||||
if conf.uTech == "orderby":
|
||||
technique = "ORDER BY clause bruteforcing"
|
||||
elif conf.uChar == "NULL":
|
||||
if conf.uChar == "NULL":
|
||||
technique = "NULL bruteforcing"
|
||||
else:
|
||||
technique = "char (%s) bruteforcing" % conf.uChar
|
||||
|
@ -163,10 +141,7 @@ def unionTest():
|
|||
validPayload = None
|
||||
comment = queries[kb.dbms].comment.query
|
||||
|
||||
if conf.uTech == "orderby":
|
||||
validPayload = __unionTestByOrderBy(comment)
|
||||
else:
|
||||
validPayload = __unionTestByCharBruteforce(comment)
|
||||
validPayload = __unionTestByCharBruteforce(comment)
|
||||
|
||||
if validPayload:
|
||||
setUnion(comment=comment)
|
||||
|
|
|
@ -255,13 +255,6 @@ timeSec = 5
|
|||
# Valid: True or False
|
||||
unionTest = False
|
||||
|
||||
# Technique to test for UNION query SQL injection
|
||||
# The possible techniques are by NULL bruteforcing (bf) or by ORDER BY
|
||||
# clause (ob)
|
||||
# Valid: char, OrderBy
|
||||
# Default: char
|
||||
uTech = char
|
||||
|
||||
# Range of columns to test for
|
||||
# Valid: range of integers
|
||||
# Default: 1-20
|
||||
|
|
Loading…
Reference in New Issue
Block a user