diff --git a/lib/core/agent.py b/lib/core/agent.py
index 89e216c59..604e39b13 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -647,7 +647,10 @@ class Agent(object):
 @rtype: C{str}
 """
- fromTable = fromTable or FROM_DUMMY_TABLE.get(Backend.getIdentifiedDbms(), "")
+ if conf.uFrom:
+ fromTable = " FROM %s" % conf.uFrom
+ else:
+ fromTable = fromTable or FROM_DUMMY_TABLE.get(Backend.getIdentifiedDbms(), "")
 if query.startswith("SELECT "):
 query = query[len("SELECT "):]
diff --git a/lib/core/optiondict.py b/lib/core/optiondict.py
index 3cc17bb5e..5757c200e 100644
--- a/lib/core/optiondict.py
+++ b/lib/core/optiondict.py
@@ -88,6 +88,7 @@ optDict = {
 "timeSec": "integer",
 "uCols": "string",
 "uChar": "string",
+ "uFrom": "string",
 "dnsName": "string",
 "secondOrder": "string",
 },
diff --git a/lib/parse/cmdline.py b/lib/parse/cmdline.py
index 3f2644779..f619c9c83 100644
--- a/lib/parse/cmdline.py
+++ b/lib/parse/cmdline.py
@@ -287,6 +287,9 @@ def cmdLineParser():
 techniques.add_option("--union-char", dest="uChar",
 help="Character to use for bruteforcing number of columns")
+ techniques.add_option("--union-from", dest="uFrom",
+ help="Table to use in FROM part of UNION query SQL injection")
+
 techniques.add_option("--dns-domain", dest="dnsName",
 help="Domain name used for DNS exfiltration attack")
diff --git a/sqlmap.conf b/sqlmap.conf
index ce87a5d58..9428ecd3a 100644
--- a/sqlmap.conf
+++ b/sqlmap.conf
@@ -303,6 +303,11 @@ uCols =
 # Example: NULL
 uChar =
+# Table to use in FROM part of UNION query SQL injection
+# Valid: string
+# Example: INFORMATION_SCHEMA.COLLATIONS
+uFrom =
+
 # Domain name used for DNS exfiltration attack
 # Valid: string
 dnsName =
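Review bot: In lib/core/agent.py the new `if conf.uFrom:` branch overwrites `fromTable` even when the caller passed an explicit value, so the argument is silently ignored whenever the option is set. If that precedence is intended, say so at the branch with a comment such as `# --union-from overrides both the caller's fromTable and the per-DBMS dummy table`, and mention it in the docstring; otherwise narrow the test to `if conf.uFrom and not fromTable:`. The value is also formatted in without being stripped, so a whitespace-only setting would presumably still pass the truthiness test and leave a dangling ` FROM `. The enclosing method starts and ends outside the hunk, so callers that pass `fromTable` could not be checked from here.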
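Review bot: In lib/parse/cmdline.py the help string for `--union-from` does not say what form the value takes, although the sqlmap.conf example in this same commit uses a schema-qualified name and agent.py places the value directly after `FROM`. Wording such as `help="Table (optionally schema-qualified) to use in FROM part of UNION query SQL injection"` would make the expected input clear. cmdLineParser continues outside the hunk, so whether the option needs a matching default elsewhere is not visible here.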