sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-02-18 04:20:35 +03:00
Code Issues Packages Projects Releases Wiki Activity

Added --union-cols switch to specify the max number of columns to test for UNION query sql injection.

Browse Source 
Now stores/resumes also the exact UNION payload to session file.
This commit is contained in:
Bernardo Damele 2010-11-13 23:24:41 +00:00
parent df5dc10111
commit 8d07272c82
6 changed files with 36 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
lib/core/optiondict.py
View File

@ -78,7 +78,8 @@ optDict = {
"timeTest": "boolean", "timeTest": "boolean",
"timeSec": "integer", "timeSec": "integer",
"unionTest": "boolean", "unionTest": "boolean",
"uTech": "string" "uTech": "string",
"uCols": "integer"
}, },
"Fingerprint": { "Fingerprint": {
@ -115,7 +116,7 @@ optDict = {
"Brute": { "Brute": {
"commonTables": "boolean", "commonTables": "boolean",
"commonColumns": "boolean", "commonColumns": "boolean"
}, },
"User-defined function": { "User-defined function": {

21
lib/core/session.py
View File

@ -207,7 +207,7 @@ def setError():
if condition: if condition:
dataToSessionFile("[%s][%s][%s][Error based injection][Yes]\n" % (conf.url, kb.injPlace, safeFormatString(conf.parameters[kb.injPlace]))) dataToSessionFile("[%s][%s][%s][Error based injection][Yes]\n" % (conf.url, kb.injPlace, safeFormatString(conf.parameters[kb.injPlace])))
def setUnion(comment=None, count=None, position=None, negative=False, falseCond=False): def setUnion(comment=None, count=None, position=None, negative=False, falseCond=False, payload=None):
""" """
@param comment: union comment to save in session file @param comment: union comment to save in session file
@type comment: C{str} @type comment: C{str}
@ -270,6 +270,18 @@ def setUnion(comment=None, count=None, position=None, negative=False, falseCond=
kb.unionFalseCond = True kb.unionFalseCond = True
if payload:
condition = (
not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and
( not kb.resumedQueries[conf.url].has_key("Union payload")
) )
)
if condition:
dataToSessionFile("[%s][%s][%s][Union payload][%s]\n" % (conf.url, kb.injPlace, safeFormatString(conf.parameters[kb.injPlace]), payload))
kb.unionTest = payload
def setRemoteTempPath(): def setRemoteTempPath():
condition = ( condition = (
not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and
@ -483,6 +495,13 @@ def resumeConfKb(expression, url, value):
logMsg += "%s from session file" % kb.unionPosition logMsg += "%s from session file" % kb.unionPosition
logger.info(logMsg) logger.info(logMsg)
elif expression == "Union payload" and url == conf.url:
kb.unionTest = value[:-1]
logMsg = "resuming union payload "
logMsg += "%s from session file" % kb.unionTest
logger.info(logMsg)
elif expression == "Remote temp path" and url == conf.url: elif expression == "Remote temp path" and url == conf.url:
conf.tmpPath = unSafeFormatString(value[:-1]) conf.tmpPath = unSafeFormatString(value[:-1])

3
lib/parse/cmdline.py
View File

@ -243,6 +243,9 @@ def cmdLineParser():
techniques.add_option("--union-tech", dest="uTech", techniques.add_option("--union-tech", dest="uTech",
help="Technique to test for UNION query SQL injection") help="Technique to test for UNION query SQL injection")
techniques.add_option("--union-cols", dest="uCols", type="int", default=50,
help="Maximum number of columns to test for")
# Fingerprint options # Fingerprint options
fingerprint = OptionGroup(parser, "Fingerprint") fingerprint = OptionGroup(parser, "Fingerprint")

10
lib/techniques/inband/union/test.py
View File

@ -124,7 +124,7 @@ def __unionTestByNULLBruteforce(comment, negative=False, falseCond=False):
columns = None columns = None
query = agent.prefixQuery("UNION ALL SELECT NULL") query = agent.prefixQuery("UNION ALL SELECT NULL")
for count in range(0, 50): for count in range(0, conf.uCols+1):
if kb.dbms == DBMS.ORACLE and query.endswith(" FROM DUAL"): if kb.dbms == DBMS.ORACLE and query.endswith(" FROM DUAL"):
query = query[:-len(" FROM DUAL")] query = query[:-len(" FROM DUAL")]
@ -149,7 +149,7 @@ def __unionTestByOrderBy(comment, negative=False, falseCond=False):
columns = None columns = None
prevPayload = "" prevPayload = ""
for count in range(1, 51): for count in range(1, conf.uCols+2):
query = agent.prefixQuery("ORDER BY %d" % count) query = agent.prefixQuery("ORDER BY %d" % count)
orderByQuery = agent.postfixQuery(query, comment) orderByQuery = agent.postfixQuery(query, comment)
payload = agent.payload(newValue=orderByQuery, negative=negative, falseCond=falseCond) payload = agent.payload(newValue=orderByQuery, negative=negative, falseCond=falseCond)
@ -224,9 +224,7 @@ def unionTest():
warnMsg += "inband sql injection vulnerability" warnMsg += "inband sql injection vulnerability"
logger.warn(warnMsg) logger.warn(warnMsg)
if validPayload is None: validPayload = agent.removePayloadDelimiters(validPayload, False)
validPayload = "" setUnion(payload=validPayload)
elif isinstance(validPayload, basestring):
kb.unionTest = agent.removePayloadDelimiters(validPayload, False)
return kb.unionTest return kb.unionTest

2
lib/techniques/inband/union/use.py
View File

@ -46,7 +46,7 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh
if resetCounter: if resetCounter:
reqCount = 0 reqCount = 0
if not kb.unionCount: if not kb.unionTest:
unionTest() unionTest()
if not kb.unionCount: if not kb.unionCount:

5
sqlmap.conf
View File

@ -262,6 +262,11 @@ unionTest = False
# Default: NULL # Default: NULL
uTech = NULL uTech = NULL
# Maximum number of columns to test for
# Valid: integer
# Default: 50
uCols = 50
[Fingerprint] [Fingerprint]