several MySQL fixes/enhancements pointed out by Anton Mogilin

2024-11-22 01:26:42 +03:00 · 2010-10-24 22:05:14 +00:00 · 2010-10-24 22:05:14 +00:00 · aa931efd4d
commit aa931efd4d
parent 52f910f752
4 changed files with 10 additions and 10 deletions
--- a/doc/THANKS
+++ b/doc/THANKS
@ -220,7 +220,7 @@ Enrico Milanese <enricomilanese@gmail.com>
    for providing me with some ideas for the PHP backdoor

 Anton Mogilin <azarmaster81@yahoo.com>
-    for reporting a minor bug
+    for reporting couple of bugs

 Alejo Murillo Moya <alex@65535.com>
    for suggesting a feature
--- a/lib/parse/cmdline.py
+++ b/lib/parse/cmdline.py
@ -212,6 +212,10 @@ def cmdLineParser():
                              help="Test for stacked queries (multiple "
                                   "statements) support")

+        techniques.add_option("--error-test", dest="errorTest",
+                          action="store_true", default=False,
+                          help="Test for error based SQL injection support (beta)")
+
        techniques.add_option("--time-test", dest="timeTest",
                              action="store_true", default=False,
                              help="Test for time based blind SQL injection")
@ -492,10 +496,6 @@ def cmdLineParser():
        parser.add_option("--profile", dest="profile", action="store_true",
                          default=False, help=SUPPRESS_HELP)

-        parser.add_option("--error-test", dest="errorTest",
-                          action="store_true", default=False,
-                          help=SUPPRESS_HELP)
-
        parser.add_option("--cpu-throttle", dest="cpuThrottle", type="int", default=10,
                          help=SUPPRESS_HELP)

--- a/lib/techniques/error/use.py
+++ b/lib/techniques/error/use.py
@ -51,7 +51,7 @@ def errorUse(expression):
        nulledCastedField                = agent.nullAndCastField(fieldToCastStr)

        if kb.dbms == "MySQL":
-            nulledCastedField            = nulledCastedField.replace("CHAR(10000)", "CHAR(255)") #fix for that 'Subquery returns more than 1 row'
+            nulledCastedField            = nulledCastedField.replace("AS CHAR)", "AS CHAR(255))") #fix for that 'Subquery returns more than 1 row'

        expressionReplaced               = expression.replace(fieldToCastStr, nulledCastedField, 1)
        expressionUnescaped              = unescaper.unescape(expressionReplaced)
--- a/xml/queries.xml
+++ b/xml/queries.xml
@ -3,7 +3,7 @@
 <root>
    <!-- MySQL -->
    <dbms value="MySQL">
-        <cast query="CAST(%s AS CHAR(10000))"/>
+        <cast query="CAST(%s AS CHAR)"/>
        <length query="LENGTH(%s)"/>
        <isnull query="IFNULL(%s, ' ')"/>
        <delimiter query=","/>
@ -26,9 +26,9 @@
        <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
        <error query="%s (SELECT %s FROM(SELECT COUNT(*),CONCAT(%s,(%s),%s,FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)"/>
        <inference query="AND ORD(MID((%s), %d, 1)) > %d"/>
-        <banner query="SELECT VERSION()"/>
-        <current_user query="SELECT CURRENT_USER()"/>
-        <current_db query="SELECT DATABASE()"/>
+        <banner query="VERSION()"/>
+        <current_user query="CURRENT_USER()"/>
+        <current_db query="DATABASE()"/>
        <is_dba query="(SELECT super_priv FROM mysql.user WHERE user=(SUBSTRING_INDEX(CURRENT_USER(), '@', 1)) LIMIT 0, 1)='Y'"/>
        <check_udf query="(SELECT name FROM mysql.func WHERE name='%s' LIMIT 0, 1)='%s'"/>
        <users>