Ahead with UNION exploitation after UNION test moved to detection phase - a lot to do yet.

This commit is contained in:
Bernardo Damele 2011-01-12 00:47:39 +00:00
parent 873951ab92
commit 8bdb7ec58c
6 changed files with 16 additions and 65 deletions

View File

@ -280,6 +280,7 @@ def checkSqlInjection(place, parameter, value):
# For each test's <where> # For each test's <where>
for where in test.where: for where in test.where:
templatePayload = None templatePayload = None
vector = None
# Threat the parameter original value according to the # Threat the parameter original value according to the
# test's <where> tag # test's <where> tag
@ -380,7 +381,7 @@ def checkSqlInjection(place, parameter, value):
configUnion(test.request.char, test.request.columns) configUnion(test.request.char, test.request.columns)
dbmsToUnescape = dbms if dbms is not None else injection.dbms dbmsToUnescape = dbms if dbms is not None else injection.dbms
reqPayload, unionVector = unionTest(comment, place, parameter, value, prefix, suffix, dbmsToUnescape) reqPayload, vector = unionTest(comment, place, parameter, value, prefix, suffix, dbmsToUnescape)
if isinstance(reqPayload, basestring): if isinstance(reqPayload, basestring):
infoMsg = "%s parameter '%s' is '%s' injectable" % (place, parameter, title) infoMsg = "%s parameter '%s' is '%s' injectable" % (place, parameter, title)
@ -405,17 +406,15 @@ def checkSqlInjection(place, parameter, value):
injection.suffix = suffix injection.suffix = suffix
injection.clause = clause injection.clause = clause
if "vector" in test and test.vector is not None: if vector is None and "vector" in test and test.vector is not None:
vector = "%s%s" % (test.vector, comment) vector = "%s%s" % (test.vector, comment)
else:
vector = None
# Feed with test details every time a test is successful # Feed with test details every time a test is successful
injection.data[stype] = advancedDict() injection.data[stype] = advancedDict()
injection.data[stype].title = title injection.data[stype].title = title
injection.data[stype].payload = agent.removePayloadDelimiters(reqPayload, False) injection.data[stype].payload = agent.removePayloadDelimiters(reqPayload, False)
injection.data[stype].where = where injection.data[stype].where = where
injection.data[stype].vector = agent.cleanupPayload(vector, unionVector=unionVector) injection.data[stype].vector = vector
injection.data[stype].comment = comment injection.data[stype].comment = comment
injection.data[stype].matchRatio = kb.matchRatio injection.data[stype].matchRatio = kb.matchRatio
injection.data[stype].templatePayload = templatePayload injection.data[stype].templatePayload = templatePayload

View File

@ -108,7 +108,6 @@ class Agent:
retValue = paramString.replace("%s=%s" % (parameter, origValue), retValue = paramString.replace("%s=%s" % (parameter, origValue),
"%s=%s" % (parameter, self.addPayloadDelimiters(newValue))) "%s=%s" % (parameter, self.addPayloadDelimiters(newValue)))
# print "retValue:", retValue
return retValue return retValue
def fullPayload(self, query): def fullPayload(self, query):
@ -180,7 +179,7 @@ class Agent:
return string.rstrip() return string.rstrip()
def cleanupPayload(self, payload, origvalue=None, unionVector=None): def cleanupPayload(self, payload, origvalue=None, unionVector=None, query=None):
if payload is None: if payload is None:
return return
@ -199,6 +198,9 @@ class Agent:
payload = payload.replace("[SLEEPTIME]", str(conf.timeSec)) payload = payload.replace("[SLEEPTIME]", str(conf.timeSec))
payload = payload.replace("[UNION]", str(unionVector)) payload = payload.replace("[UNION]", str(unionVector))
if query is not None:
payload = payload.replace("[QUERY]", query.lstrip())
if origvalue is not None: if origvalue is not None:
payload = payload.replace("[ORIGVALUE]", origvalue) payload = payload.replace("[ORIGVALUE]", origvalue)
@ -220,11 +222,10 @@ class Agent:
inferenceQuery = queries[kb.misc.testedDbms].inference.query inferenceQuery = queries[kb.misc.testedDbms].inference.query
payload = payload.replace("[INFERENCE]", inferenceQuery) payload = payload.replace("[INFERENCE]", inferenceQuery)
# NOTE: Leave this commented for the time being else:
#else: errMsg = "invalid usage of inference payload without "
# errMsg = "invalid usage of inference payload without " errMsg += "knowledge of underlying DBMS"
# errMsg += "knowledge of underlying DBMS" raise sqlmapNoneDataException, errMsg
# raise sqlmapNoneDataException, errMsg
return payload return payload

View File

@ -215,9 +215,6 @@ def setUnion(comment=None, count=None, position=None, negative=False, char=None,
if negative: if negative:
kb.unionNegative = True kb.unionNegative = True
if payload:
kb.unionTest = payload
def setRemoteTempPath(): def setRemoteTempPath():
condition = ( condition = (
not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and
@ -390,46 +387,6 @@ def resumeConfKb(expression, url, value):
kb.brute.columns.append((db, table, colName, colType)) kb.brute.columns.append((db, table, colName, colType))
elif expression == "Union comment" and url == conf.url:
kb.unionComment = unSafeFormatString(value[:-1])
logMsg = "resuming union comment "
logMsg += "'%s' from session file" % kb.unionComment
logger.info(logMsg)
elif expression == "Union count" and url == conf.url:
kb.unionCount = int(value[:-1])
logMsg = "resuming union count "
logMsg += "%s from session file" % kb.unionCount
logger.info(logMsg)
elif expression == "Union position" and url == conf.url:
kb.unionPosition = int(value[:-1])
logMsg = "resuming union position "
logMsg += "%s from session file" % kb.unionPosition
logger.info(logMsg)
elif expression == "Union negative" and url == conf.url:
kb.unionNegative = True if value[:-1] == "Yes" else False
logMsg = "resuming union negative from session file"
logger.info(logMsg)
elif expression == "Union char" and url == conf.url:
conf.uChar = value[:-1]
logMsg = "resuming union char %s from session file" % conf.uChar
logger.info(logMsg)
elif expression == "Union payload" and url == conf.url:
kb.unionTest = value[:-1]
logMsg = "resuming union payload "
logMsg += "%s from session file" % kb.unionTest
logger.info(logMsg)
elif expression == "Remote temp path" and url == conf.url: elif expression == "Remote temp path" and url == conf.url:
conf.tmpPath = unSafeFormatString(value[:-1]) conf.tmpPath = unSafeFormatString(value[:-1])

View File

@ -52,7 +52,7 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, dbms, coun
if resultPage and randQuery in resultPage and " UNION ALL SELECT " not in resultPage: if resultPage and randQuery in resultPage and " UNION ALL SELECT " not in resultPage:
setUnion(position=exprPosition) setUnion(position=exprPosition)
validPayload = payload validPayload = payload
unionVector = agent.forgeInbandQuery("[PAYLOAD]", exprPosition, count=count, comment=comment, prefix=prefix, suffix=suffix) unionVector = agent.forgeInbandQuery("[QUERY]", exprPosition, count=count, comment=comment, prefix=prefix, suffix=suffix)
if where == 1: if where == 1:
# Prepare expression with delimiters # Prepare expression with delimiters

View File

@ -211,12 +211,10 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh
else: else:
# Forge the inband SQL injection request # Forge the inband SQL injection request
query = agent.forgeInbandQuery(expression, nullChar=nullChar) query = unescaper.unescape(expression)
query = agent.cleanupPayload(kb.injection.data[PAYLOAD.TECHNIQUE.UNION].vector, query=query)
payload = agent.payload(newValue=query) payload = agent.payload(newValue=query)
debugMsg = "query: %s" % query
logger.debug(debugMsg)
# Perform the request # Perform the request
resultPage, _ = Request.queryPage(payload, content=True) resultPage, _ = Request.queryPage(payload, content=True)
reqCount += 1 reqCount += 1

View File

@ -52,7 +52,6 @@ from lib.request import inject
from lib.request.connect import Connect as Request from lib.request.connect import Connect as Request
from lib.techniques.brute.use import columnExists from lib.techniques.brute.use import columnExists
from lib.techniques.brute.use import tableExists from lib.techniques.brute.use import tableExists
from lib.techniques.inband.union.test import unionTest
from lib.utils.hash import attackDumpedTable from lib.utils.hash import attackDumpedTable
from lib.utils.hash import attackCachedUsersPasswords from lib.utils.hash import attackCachedUsersPasswords
@ -87,9 +86,6 @@ class Enumeration:
infoMsg = "fetching banner" infoMsg = "fetching banner"
logger.info(infoMsg) logger.info(infoMsg)
if conf.unionTest:
conf.dumper.technic("inband injection payload", unionTest())
query = queries[kb.dbms].banner.query query = queries[kb.dbms].banner.query
kb.data.banner = inject.getValue(query) kb.data.banner = inject.getValue(query)
bannerParser(kb.data.banner) bannerParser(kb.data.banner)