This commit is contained in:
Miroslav Stampar 2017-06-07 11:22:06 +02:00
parent 864711b434
commit 9da8d55128
6 changed files with 241 additions and 200 deletions


@ -19,7 +19,7 @@ from lib.core.enums import DBMS_DIRECTORY_NAME
from lib.core.enums import OS from lib.core.enums import OS
# sqlmap version (<major>.<minor>.<month>.<monthly commit>) # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
VERSION = "1.1.6.4" VERSION = "1.1.6.5"
TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable" TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34} TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE) VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)


@ -352,6 +352,7 @@ def errorUse(expression, dump=False):
value = [] # for empty tables value = [] # for empty tables
return value return value
if isNumPosStrValue(count) and int(count) > 1:
if " ORDER BY " in expression and (stopLimit - startLimit) > SLOW_ORDER_COUNT_THRESHOLD: if " ORDER BY " in expression and (stopLimit - startLimit) > SLOW_ORDER_COUNT_THRESHOLD:
message = "due to huge table size do you want to remove " message = "due to huge table size do you want to remove "
message += "ORDER BY clause gaining speed over consistency? [y/N] " message += "ORDER BY clause gaining speed over consistency? [y/N] "
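Review bot: The added guard `if isNumPosStrValue(count) and int(count) > 1:` is the only new line in this hunk (-6/+7), so the `if " ORDER BY " in expression ...` prompt under it must already have sat one indentation level deeper; with indentation lost in this rendering I cannot confirm that, but it would mean that block was previously stranded after `return value` and only becomes reachable now, which deserves a mention in the commit message or a comment. The reason for the `> 1` threshold is not stated either; a one-liner such as `# a single row needs neither the ORDER BY prompt nor parallel fetching` above the guard would do. The union/use.py hunk adds the identical guard in front of `threadData = getCurrentThreadData()`, so the same remark applies there, and the duplicated expression could live in one small helper shared by both techniques. errorUse starts and continues outside the hunk.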


@ -284,6 +284,7 @@ def unionUse(expression, unpack=True, dump=False):
value = [] # for empty tables value = [] # for empty tables
return value return value
if isNumPosStrValue(count) and int(count) > 1:
threadData = getCurrentThreadData() threadData = getCurrentThreadData()
try: try:


@ -170,6 +170,26 @@ class Entries:
if not (isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) and kb.injection.data[PAYLOAD.TECHNIQUE.UNION].where == PAYLOAD.WHERE.ORIGINAL): if not (isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) and kb.injection.data[PAYLOAD.TECHNIQUE.UNION].where == PAYLOAD.WHERE.ORIGINAL):
table = "%s.%s" % (conf.db, tbl) table = "%s.%s" % (conf.db, tbl)
if Backend.isDbms(DBMS.MSSQL):
query = rootQuery.blind.count % table
query = agent.whereQuery(query)
count = inject.getValue(query, blind=False, time=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
if isNumPosStrValue(count):
indexRange = getLimitRange(count, plusOne=True)
for index in indexRange:
row = []
for column in colList:
query = rootQuery.blind.query3 % (column, column, table, index)
query = agent.whereQuery(query)
value = inject.getValue(query, blind=False, time=False, dump=True) or ""
row.append(value)
entries.append(row)
if not entries:
try: try:
retVal = pivotDumpTable(table, colList, blind=False) retVal = pivotDumpTable(table, colList, blind=False)
except KeyboardInterrupt: except KeyboardInterrupt:
@ -285,6 +305,25 @@ class Entries:
elif Backend.isDbms(DBMS.MAXDB): elif Backend.isDbms(DBMS.MAXDB):
table = "%s.%s" % (conf.db, tbl) table = "%s.%s" % (conf.db, tbl)
if Backend.isDbms(DBMS.MSSQL):
indexRange = getLimitRange(count, plusOne=True)
for index in indexRange:
for column in colList:
query = rootQuery.blind.query3 % (column, column, table, index)
query = agent.whereQuery(query)
value = inject.getValue(query, union=False, error=False, dump=True) or ""
if column not in lengths:
lengths[column] = 0
if column not in entries:
entries[column] = BigArray()
lengths[column] = max(lengths[column], len(DUMP_REPLACEMENTS.get(getUnicode(value), getUnicode(value))))
entries[column].append(value)
if not entries:
try: try:
retVal = pivotDumpTable(table, colList, count, blind=True) retVal = pivotDumpTable(table, colList, count, blind=True)
except KeyboardInterrupt: except KeyboardInterrupt:
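Review bot: Each cell of the new MSSQL path is fetched by its own `rootQuery.blind.query3` request, and that query (the queries.xml hunk, `ROW_NUMBER() OVER (ORDER BY (SELECT 1))`) numbers rows in an order SQL Server does not guarantee to be stable from one statement to the next, so the value appended to `row` for a given `index` may come from a different underlying row than the other columns fetched for the same `index`, silently interleaving rows in the dump. Ordering the window over the selected column (or a known key column when one is available) would make the numbering repeatable across the per-column requests; alternatively fetch the whole row in one request per `index` and split it afterwards. The second hunk (the `entries[column].append(value)` path, where `count` is defined outside the hunk) uses the same per-cell pattern and has the same exposure, and it calls `getUnicode(value)` twice on one line where a single local would read better. In the first hunk `count` is fetched with `rootQuery.blind.count` and, when it is not a positive number, control falls through to `pivotDumpTable`, which counts again; a short comment saying that fallthrough is intended would help the next reader. The enclosing method of `Entries` starts and ends outside both hunks.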


@ -46,7 +46,7 @@ a09c6ceee8dbb624cc3ca1d17749c8a5 lib/core/option.py
d8e9250f3775119df07e9070eddccd16 lib/core/replication.py d8e9250f3775119df07e9070eddccd16 lib/core/replication.py
785f86e3f963fa3798f84286a4e83ff2 lib/core/revision.py 785f86e3f963fa3798f84286a4e83ff2 lib/core/revision.py
40c80b28b3a5819b737a5a17d4565ae9 lib/core/session.py 40c80b28b3a5819b737a5a17d4565ae9 lib/core/session.py
6e7731aa5bc04ef76a597c91e0701665 lib/core/settings.py d556e1cf87bd101aa7f0a46fdbbbdff3 lib/core/settings.py
d91291997d2bd2f6028aaf371bf1d3b6 lib/core/shell.py d91291997d2bd2f6028aaf371bf1d3b6 lib/core/shell.py
2ad85c130cc5f2b3701ea85c2f6bbf20 lib/core/subprocessng.py 2ad85c130cc5f2b3701ea85c2f6bbf20 lib/core/subprocessng.py
8136241fdbdb99a5dc0e51ba72918f6e lib/core/target.py 8136241fdbdb99a5dc0e51ba72918f6e lib/core/target.py
@ -93,11 +93,11 @@ b7dd3a2697a08108ddc9a4264922c2e8 lib/takeover/web.py
ab1601a7f429b47637c4fb8af703d0f1 lib/techniques/dns/test.py ab1601a7f429b47637c4fb8af703d0f1 lib/techniques/dns/test.py
d3da4c7ceaf57c4687a052d58722f6bb lib/techniques/dns/use.py d3da4c7ceaf57c4687a052d58722f6bb lib/techniques/dns/use.py
310efc965c862cfbd7b0da5150a5ad36 lib/techniques/error/__init__.py 310efc965c862cfbd7b0da5150a5ad36 lib/techniques/error/__init__.py
c7e6589ef171819c4630ca8434f0250b lib/techniques/error/use.py 84b729215fd00e789ed75d9c00c97761 lib/techniques/error/use.py
310efc965c862cfbd7b0da5150a5ad36 lib/techniques/__init__.py 310efc965c862cfbd7b0da5150a5ad36 lib/techniques/__init__.py
310efc965c862cfbd7b0da5150a5ad36 lib/techniques/union/__init__.py 310efc965c862cfbd7b0da5150a5ad36 lib/techniques/union/__init__.py
d71e48e6fd08f75cc612bf8b260994ce lib/techniques/union/test.py d71e48e6fd08f75cc612bf8b260994ce lib/techniques/union/test.py
36194e6c0a8dd14139f57ebf87bb80f9 lib/techniques/union/use.py db3090ff9a740ba096ba676fcf44ebfc lib/techniques/union/use.py
67f0ad96ec2207d7e59c788b858afd6d lib/utils/api.py 67f0ad96ec2207d7e59c788b858afd6d lib/utils/api.py
7d10ba0851da8ee9cd3c140dcd18798e lib/utils/brute.py 7d10ba0851da8ee9cd3c140dcd18798e lib/utils/brute.py
ed70f1ca9113664043ec9e6778e48078 lib/utils/crawler.py ed70f1ca9113664043ec9e6778e48078 lib/utils/crawler.py
@ -203,7 +203,7 @@ deed74334b637767fc9de8f74b37647a plugins/dbms/sybase/fingerprint.py
be7481a96214220bcd8f51ca00239bed plugins/generic/connector.py be7481a96214220bcd8f51ca00239bed plugins/generic/connector.py
5390591ca955036d492de11355b52e8f plugins/generic/custom.py 5390591ca955036d492de11355b52e8f plugins/generic/custom.py
4ad4bccc03256b8f3d21ba4f8f759404 plugins/generic/databases.py 4ad4bccc03256b8f3d21ba4f8f759404 plugins/generic/databases.py
5eae2e0992a719bfce9cf78ed0a0ea2f plugins/generic/entries.py 12b0420d9588828e4a83fe8e89bef162 plugins/generic/entries.py
55802d1d5d65938414c77ccc27731cab plugins/generic/enumeration.py 55802d1d5d65938414c77ccc27731cab plugins/generic/enumeration.py
0d10a0410c416fece51c26a935e68568 plugins/generic/filesystem.py 0d10a0410c416fece51c26a935e68568 plugins/generic/filesystem.py
2e397afd83939889d1a7a07893b19ae7 plugins/generic/fingerprint.py 2e397afd83939889d1a7a07893b19ae7 plugins/generic/fingerprint.py
@ -459,4 +459,4 @@ a279656ea3fcb85c727249b02f828383 xml/livetests.xml
3194e2688a7576e1f877d5b137f7c260 xml/payloads/stacked_queries.xml 3194e2688a7576e1f877d5b137f7c260 xml/payloads/stacked_queries.xml
c2d8dd03db5a663e79eabb4495dd0723 xml/payloads/time_blind.xml c2d8dd03db5a663e79eabb4495dd0723 xml/payloads/time_blind.xml
ac649aff0e7db413e4937e446e398736 xml/payloads/union_query.xml ac649aff0e7db413e4937e446e398736 xml/payloads/union_query.xml
5bd467d86d7cb55fbe5f66e4ff9a6bec xml/queries.xml 7fa7db2c2296baa5e9ea381d4880492f xml/queries.xml


@ -194,7 +194,7 @@
</columns> </columns>
<dump_table> <dump_table>
<inband query="SELECT %s FROM %s.%s"/> <inband query="SELECT %s FROM %s.%s"/>
<blind query="SELECT MIN(%s) FROM %s WHERE CONVERT(NVARCHAR(4000),%s)>'%s'" query2="SELECT MAX(%s) FROM %s WHERE CONVERT(NVARCHAR(4000),%s) LIKE '%s'" count="SELECT LTRIM(STR(COUNT(*))) FROM %s" count2="SELECT LTRIM(STR(COUNT(DISTINCT(%s)))) FROM %s"/> <blind query="SELECT MIN(%s) FROM %s WHERE CONVERT(NVARCHAR(4000),%s)>'%s'" query2="SELECT MAX(%s) FROM %s WHERE CONVERT(NVARCHAR(4000),%s) LIKE '%s'" query3="SELECT %s FROM (SELECT %s, ROW_NUMBER() OVER (ORDER BY (SELECT 1)) AS LIMIT FROM %s)x WHERE LIMIT=%d" count="SELECT LTRIM(STR(COUNT(*))) FROM %s" count2="SELECT LTRIM(STR(COUNT(DISTINCT(%s)))) FROM %s"/>
</dump_table> </dump_table>
<search_db> <search_db>
<inband query="SELECT name FROM master..sysdatabases WHERE %s" condition="name"/> <inband query="SELECT name FROM master..sysdatabases WHERE %s" condition="name"/>