Implementation for an Issue #423

2024-11-25 02:53:46 +03:00 · 2013-03-21 11:28:44 +01:00 · 2013-03-21 11:28:44 +01:00 · ad039c335d
commit ad039c335d
parent 3740a97cc9
4 changed files with 13 additions and 1 deletions
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@ -647,7 +647,10 @@ class Agent(object):
        @rtype: C{str}
        """

-        fromTable = fromTable or FROM_DUMMY_TABLE.get(Backend.getIdentifiedDbms(), "")
+        if conf.uFrom:
+            fromTable = " FROM %s" % conf.uFrom
+        else:
+            fromTable = fromTable or FROM_DUMMY_TABLE.get(Backend.getIdentifiedDbms(), "")

        if query.startswith("SELECT "):
            query = query[len("SELECT "):]
--- a/lib/core/optiondict.py
+++ b/lib/core/optiondict.py
@ -88,6 +88,7 @@ optDict = {
                               "timeSec":           "integer",
                               "uCols":             "string",
                               "uChar":             "string",
+                               "uFrom":             "string",
                               "dnsName":           "string",
                               "secondOrder":       "string",
                             },
--- a/lib/parse/cmdline.py
+++ b/lib/parse/cmdline.py
@ -287,6 +287,9 @@ def cmdLineParser():
        techniques.add_option("--union-char", dest="uChar",
                              help="Character to use for bruteforcing number of columns")

+        techniques.add_option("--union-from", dest="uFrom",
+                              help="Table to use in FROM part of UNION query SQL injection")
+
        techniques.add_option("--dns-domain", dest="dnsName",
                              help="Domain name used for DNS exfiltration attack")

--- a/sqlmap.conf
+++ b/sqlmap.conf
@ -303,6 +303,11 @@ uCols =
 # Example: NULL
 uChar = 

+# Table to use in FROM part of UNION query SQL injection
+# Valid: string
+# Example: INFORMATION_SCHEMA.COLLATIONS
+uFrom = 
+
 # Domain name used for DNS exfiltration attack
 # Valid: string
 dnsName =