sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-01-24 00:04:23 +03:00
Code Issues Packages Projects Releases Wiki Activity

removed queriesfile.py, implemented XMLObject approach (still shell.py and udf.py TODO)

Browse Source
This commit is contained in:
Miroslav Stampar 2010-10-21 13:13:12 +00:00
parent be443c6947
commit bc79eec702
16 changed files with 169 additions and 401 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
extra/xmlobject/xmlobject.py
View File

@ -142,6 +142,7 @@ class XMLFile:
fobj = kw.get("file", None)
raw = kw.get("raw", None)
root = kw.get("root", None)
textfilter = kw.get("textfilter", None)
if path:
self.path = path
@ -176,6 +177,11 @@ class XMLFile:
raise IncorrectRootTag("Gave root='%s', input has root='%s'" % (
root, rootnode.nodeName))
if textfilter:
self.textfilter = textfilter
else:
self.textfilter = lambda x: x
# need this for recursion in XMLNode
self._childrenByName = {}
self._children = []
@ -278,7 +284,7 @@ class XMLNode:
self._value = None
if isinstance(node, xml.dom.minidom.Text):
self._type = "text"
self._value = node.nodeValue
self._value = self._root.textfilter(node.nodeValue)
elif isinstance(node, xml.dom.minidom.Element):
self._type = "node"
elif isinstance(node, xml.dom.minidom.Comment):

16
lib/core/agent.py
View File

@ -220,8 +220,8 @@ class Agent:
if field.startswith("(CASE"):
nulledCastedField = field
else:
nulledCastedField = queries[kb.dbms].cast % field
nulledCastedField = queries[kb.dbms].isnull % nulledCastedField
nulledCastedField = queries[kb.dbms].cast.query % field
nulledCastedField = queries[kb.dbms].isnull.query % nulledCastedField
return nulledCastedField
@ -260,7 +260,7 @@ class Agent:
fields = fields.replace(", ", ",")
fieldsSplitted = fields.split(",")
dbmsDelimiter = queries[kb.dbms].delimiter
dbmsDelimiter = queries[kb.dbms].delimiter.query
nulledCastedFields = []
for field in fieldsSplitted:
@ -516,18 +516,18 @@ class Agent:
"""
limitedQuery = query
limitStr = queries[kb.dbms].limit
limitStr = queries[kb.dbms].limit.query
fromIndex = limitedQuery.index(" FROM ")
untilFrom = limitedQuery[:fromIndex]
fromFrom = limitedQuery[fromIndex+1:]
orderBy = False
if kb.dbms in ( "MySQL", "PostgreSQL", "SQLite" ):
limitStr = queries[kb.dbms].limit % (num, 1)
limitStr = queries[kb.dbms].limit.query % (num, 1)
limitedQuery += " %s" % limitStr
elif kb.dbms == "Firebird":
limitStr = queries[kb.dbms].limit % (num+1, num+1)
limitStr = queries[kb.dbms].limit.query % (num+1, num+1)
limitedQuery += " %s" % limitStr
elif kb.dbms == "Oracle":
@ -556,7 +556,7 @@ class Agent:
limitedQuery = limitedQuery.replace("DISTINCT %s" % notDistinct, notDistinct)
if limitedQuery.startswith("SELECT TOP ") or limitedQuery.startswith("TOP "):
topNums = re.search(queries[kb.dbms].limitregexp, limitedQuery, re.I)
topNums = re.search(queries[kb.dbms].limitregexp.query, limitedQuery, re.I)
if topNums:
topNums = topNums.groups()
@ -602,7 +602,7 @@ class Agent:
@rtype: C{str}
"""
return queries[kb.dbms].case % expression
return queries[kb.dbms].case.query % expression
# SQL agent
agent = Agent()

10
lib/core/common.py
View File

@ -909,14 +909,14 @@ def getDelayQuery(andCond=False):
banVer = kb.bannerFp["dbmsVersion"]
if (kb.dbms == "MySQL" and banVer >= "5.0.12") or (kb.dbms == "PostgreSQL" and banVer >= "8.2"):
query = queries[kb.dbms].timedelay % conf.timeSec
query = queries[kb.dbms].timedelay.query % conf.timeSec
else:
query = queries[kb.dbms].timedelay2 % conf.timeSec
query = queries[kb.dbms].timedelay.query2 % conf.timeSec
elif kb.dbms == "Firebird":
query = queries[kb.dbms].timedelay
query = queries[kb.dbms].timedelay.query
else:
query = queries[kb.dbms].timedelay % conf.timeSec
query = queries[kb.dbms].timedelay.query % conf.timeSec
if andCond:
if kb.dbms in ( "MySQL", "SQLite" ):
@ -1078,6 +1078,8 @@ def safeStringFormat(formatStr, params):
if count < len(params):
retVal = retVal[:index] + getUnicode(params[count]) + retVal[index+2:]
else:
import pdb
pdb.set_trace()
raise sqlmapNoneDataException, "wrong number of parameters during string formatting"
count += 1

11
lib/core/option.py
View File

@ -37,6 +37,7 @@ from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import paths
from lib.core.data import queries
from lib.core.datatype import advancedDict
from lib.core.exception import sqlmapFilePathException
from lib.core.exception import sqlmapGenericException
@ -55,7 +56,6 @@ from lib.core.settings import SUPPORTED_OS
from lib.core.settings import VERSION_STRING
from lib.core.update import update
from lib.parse.configfile import configFileParser
from lib.parse.queriesfile import queriesParser
from lib.request.proxy import ProxyHTTPSHandler
from lib.request.certhandler import HTTPSCertAuthHandler
from lib.request.redirecthandler import SmartRedirectHandler
@ -195,6 +195,13 @@ def __feedTargetsDict(reqFile, addedTargetUrls):
kb.targetUrls.add((url, method, data, cookie))
addedTargetUrls.add(url)
def __loadQueries():
"""
Loads queries from 'xml/queries.xml' file.
"""
for node in xmlobject.XMLFile(path=paths.QUERIES_XML, textfilter=sanitizeStr).root.dbms:
queries[node.value] = node
def __setMultipleTargets():
"""
Define a configuration parameter if we are running in multiple target
@ -1258,4 +1265,4 @@ def init(inputOptions=advancedDict()):
__setMetasploit()
update()
queriesParser()
__loadQueries()

240
lib/parse/queriesfile.py
View File

@ -1,240 +0,0 @@
#!/usr/bin/env python
"""
$Id$
Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission
"""
from xml.sax.handler import ContentHandler
from lib.core.common import checkFile
from lib.core.common import parseXmlFile
from lib.core.common import sanitizeStr
from lib.core.data import logger
from lib.core.data import queries
from lib.core.data import paths
from lib.core.datatype import advancedDict
class queriesHandler(ContentHandler):
"""
This class defines methods to parse the default DBMS queries
from an XML file
"""
def __init__(self):
self.__dbms = ''
self.__queries = advancedDict()
def startElement(self, name, attrs):
if name == "dbms":
data = sanitizeStr(attrs.get("value"))
self.__dbms = data
elif name == "cast":
data = sanitizeStr(attrs.get("query"))
self.__queries.cast = data
elif name == "length":
data = sanitizeStr(attrs.get("query"))
self.__queries.length = data
elif name == "isnull":
data = sanitizeStr(attrs.get("query"))
self.__queries.isnull = data
elif name == "delimiter":
data = sanitizeStr(attrs.get("query"))
self.__queries.delimiter = data
elif name == "limit":
data = sanitizeStr(attrs.get("query"))
self.__queries.limit = data
elif name == "limitregexp":
data = sanitizeStr(attrs.get("query"))
self.__queries.limitregexp = data
elif name == "limitgroupstart":
data = sanitizeStr(attrs.get("query"))
self.__queries.limitgroupstart = data
elif name == "limitgroupstop":
data = sanitizeStr(attrs.get("query"))
self.__queries.limitgroupstop = data
elif name == "limitstring":
data = sanitizeStr(attrs.get("query"))
self.__queries.limitstring = data
elif name == "order":
data = sanitizeStr(attrs.get("query"))
self.__queries.order = data
elif name == "count":
data = sanitizeStr(attrs.get("query"))
self.__queries.count = data
elif name == "comment":
data = sanitizeStr(attrs.get("query"))
self.__queries.comment = data
elif name == "timedelay":
data = sanitizeStr(attrs.get("query"))
self.__queries.timedelay = data
data = sanitizeStr(attrs.get("query2"))
self.__queries.timedelay2 = data
elif name == "substring":
data = sanitizeStr(attrs.get("query"))
self.__queries.substring = data
elif name == "case":
data = sanitizeStr(attrs.get("query"))
self.__queries.case = data
elif name == "error":
data = sanitizeStr(attrs.get("query"))
self.__queries.error = data
elif name == "inference":
data = sanitizeStr(attrs.get("query"))
self.__queries.inference = data
elif name == "banner":
data = sanitizeStr(attrs.get("query"))
self.__queries.banner = data
elif name == "current_user":
data = sanitizeStr(attrs.get("query"))
self.__queries.currentUser = data
elif name == "current_db":
data = sanitizeStr(attrs.get("query"))
self.__queries.currentDb = data
elif name == "is_dba":
data = sanitizeStr(attrs.get("query"))
self.__queries.isDba = data
elif name == "check_udf":
data = sanitizeStr(attrs.get("query"))
self.__queries.checkUdf = data
elif name == "inband":
self.__inband = sanitizeStr(attrs.get("query"))
self.__inband2 = sanitizeStr(attrs.get("query2"))
self.__conditionInband = sanitizeStr(attrs.get("condition"))
self.__conditionInband2 = sanitizeStr(attrs.get("condition2"))
elif name == "blind":
self.__blind = sanitizeStr(attrs.get("query"))
self.__blind2 = sanitizeStr(attrs.get("query2"))
self.__count = sanitizeStr(attrs.get("count"))
self.__count2 = sanitizeStr(attrs.get("count2"))
self.__conditionBlind = sanitizeStr(attrs.get("condition"))
self.__conditionBlind2 = sanitizeStr(attrs.get("condition2"))
def endElement(self, name):
if name == "dbms":
queries[self.__dbms] = self.__queries
self.__queries = advancedDict()
elif name == "users":
self.__users = {}
self.__users["inband"] = { "query": self.__inband, "query2": self.__inband2 }
self.__users["blind"] = { "query": self.__blind, "query2": self.__blind2,
"count": self.__count, "count2": self.__count2 }
self.__queries.users = self.__users
elif name == "passwords":
self.__passwords = {}
self.__passwords["inband"] = { "query": self.__inband, "query2": self.__inband2, "condition": self.__conditionInband }
self.__passwords["blind"] = { "query": self.__blind, "query2": self.__blind2,
"count": self.__count, "count2": self.__count2 }
self.__queries.passwords = self.__passwords
elif name == "privileges":
self.__privileges = {}
self.__privileges["inband"] = { "query": self.__inband, "query2": self.__inband2, "condition": self.__conditionInband, "condition2": self.__conditionInband2 }
self.__privileges["blind"] = { "query": self.__blind, "query2": self.__blind2,
"count": self.__count, "count2": self.__count2 }
self.__queries.privileges = self.__privileges
elif name == "roles":
self.__roles = {}
self.__roles["inband"] = { "query": self.__inband, "query2": self.__inband2, "condition": self.__conditionInband, "condition2": self.__conditionInband2 }
self.__roles["blind"] = { "query": self.__blind, "query2": self.__blind2,
"count": self.__count, "count2": self.__count2 }
self.__queries.roles = self.__roles
elif name == "dbs":
self.__dbs = {}
self.__dbs["inband"] = { "query": self.__inband, "query2": self.__inband2 }
self.__dbs["blind"] = { "query": self.__blind, "query2": self.__blind2,
"count": self.__count, "count2": self.__count2 }
self.__queries.dbs = self.__dbs
elif name == "tables":
self.__tables = {}
self.__tables["inband"] = { "query": self.__inband, "condition": self.__conditionInband }
self.__tables["blind"] = { "query": self.__blind, "count": self.__count }
self.__queries.tables = self.__tables
elif name == "columns":
self.__columns = {}
self.__columns["inband"] = { "query": self.__inband, "condition": self.__conditionInband }
self.__columns["blind"] = { "query": self.__blind, "query2": self.__blind2, "count": self.__count, "condition": self.__conditionBlind }
self.__queries.columns = self.__columns
elif name == "dump_table":
self.__dumpTable = {}
self.__dumpTable["inband"] = { "query": self.__inband }
self.__dumpTable["blind"] = { "query": self.__blind, "count": self.__count }
self.__queries.dumpTable = self.__dumpTable
elif name == "search_db":
self.__searchDb = {}
self.__searchDb["inband"] = { "query": self.__inband, "query2": self.__inband2, "condition": self.__conditionInband, "condition2": self.__conditionInband2 }
self.__searchDb["blind"] = { "query": self.__blind, "query2": self.__blind2, "count": self.__count, "count2": self.__count2, "condition": self.__conditionBlind, "condition2": self.__conditionBlind2 }
self.__queries.searchDb = self.__searchDb
elif name == "search_table":
self.__searchTable = {}
self.__searchTable["inband"] = { "query": self.__inband, "query2": self.__inband2, "condition": self.__conditionInband, "condition2": self.__conditionInband2 }
self.__searchTable["blind"] = { "query": self.__blind, "query2": self.__blind2, "count": self.__count, "count2": self.__count2, "condition": self.__conditionBlind, "condition2": self.__conditionBlind2 }
self.__queries.searchTable = self.__searchTable
elif name == "search_column":
self.__searchColumn = {}
self.__searchColumn["inband"] = { "query": self.__inband, "query2": self.__inband2, "condition": self.__conditionInband, "condition2": self.__conditionInband2 }
self.__searchColumn["blind"] = { "query": self.__blind, "query2": self.__blind2, "count": self.__count, "count2": self.__count2, "condition": self.__conditionBlind, "condition2": self.__conditionBlind2 }
self.__queries.searchColumn = self.__searchColumn
def queriesParser():
"""
This function calls a class to parse the default DBMS queries
from an XML file
"""
debugMsg = "parsing XML queries file"
logger.debug(debugMsg)
xmlfile = paths.QUERIES_XML
checkFile(xmlfile)
handler = queriesHandler()
parseXmlFile(xmlfile, handler)

19
lib/request/inject.py
View File

@ -96,8 +96,7 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r
advantage of an blind SQL injection vulnerability on the affected
parameter through a bisection algorithm.
"""
query = agent.prefixQuery(" %s" % queries[kb.misc.testedDbms].inference)
query = agent.prefixQuery(" %s" % queries[kb.misc.testedDbms].inference.query)
query = agent.postfixQuery(query)
payload = agent.payload(newValue=query)
count = None
@ -139,13 +138,13 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r
# NOTE: I assume that only queries that get data from a table
# can return multiple entries
if fromUser and " FROM " in expression:
limitRegExp = re.search(queries[kb.dbms].limitregexp, expression, re.I)
limitRegExp = re.search(queries[kb.dbms].limitregexp.query, expression, re.I)
topLimit = re.search("TOP\s+([\d]+)\s+", expression, re.I)
if limitRegExp or ( kb.dbms == "Microsoft SQL Server" and topLimit ):
if kb.dbms in ( "MySQL", "PostgreSQL" ):
limitGroupStart = queries[kb.dbms].limitgroupstart
limitGroupStop = queries[kb.dbms].limitgroupstop
limitGroupStart = queries[kb.dbms].limitgroupstart.query
limitGroupStop = queries[kb.dbms].limitgroupstop.query
if limitGroupStart.isdigit():
startLimit = int(limitRegExp.group(int(limitGroupStart)))
@ -155,8 +154,8 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r
elif kb.dbms == "Microsoft SQL Server":
if limitRegExp:
limitGroupStart = queries[kb.dbms].limitgroupstart
limitGroupStop = queries[kb.dbms].limitgroupstop
limitGroupStart = queries[kb.dbms].limitgroupstart.query
limitGroupStop = queries[kb.dbms].limitgroupstop.query
if limitGroupStart.isdigit():
startLimit = int(limitRegExp.group(int(limitGroupStart)))
@ -184,7 +183,7 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r
# (or similar, depending on the back-end DBMS) word
if kb.dbms in ( "MySQL", "PostgreSQL" ):
stopLimit += startLimit
untilLimitChar = expression.index(queries[kb.dbms].limitstring)
untilLimitChar = expression.index(queries[kb.dbms].limitstring.query)
expression = expression[:untilLimitChar]
elif kb.dbms == "Microsoft SQL Server":
@ -202,7 +201,7 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r
if not test or test[0] in ("y", "Y"):
# Count the number of SQL query entries output
countFirstField = queries[kb.dbms].count % expressionFieldsList[0]
countFirstField = queries[kb.dbms].count.query % expressionFieldsList[0]
countedExpression = expression.replace(expressionFields, countFirstField, 1)
if re.search(" ORDER BY ", expression, re.I):
@ -398,7 +397,7 @@ def goStacked(expression, silent=False):
debugMsg = "query: %s" % expression
logger.debug(debugMsg)
comment = queries[kb.dbms].comment
comment = queries[kb.dbms].comment.query
query = agent.prefixQuery("; %s" % expression)
query = agent.postfixQuery("%s;%s" % (query, comment))
payload = agent.payload(newValue=query)

2
lib/techniques/blind/inference.py
View File

@ -461,7 +461,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
# check it via equal against the substring-query output
if commonPattern is not None:
# Substring-query containing equals commonPattern
subquery = queries[kb.dbms].substring % (expressionUnescaped, 1, len(commonPattern))
subquery = queries[kb.dbms].substring.query % (expressionUnescaped, 1, len(commonPattern))
testValue = unescaper.unescape("'%s'" % commonPattern) if "'" not in commonPattern else unescaper.unescape("%s" % commonPattern, quote=False)
query = agent.prefixQuery(" %s" % safeStringFormat("AND (%s) = %s", (subquery, testValue)))
query = agent.postfixQuery(query)

2
lib/techniques/error/test.py
View File

@ -30,7 +30,7 @@ def errorTest():
logger.info(infoMsg)
randInt = getUnicode(randomInt(1))
query = queries[kb.dbms].case % ("%s=%s" % (randInt, randInt))
query = queries[kb.dbms].case.query % ("%s=%s" % (randInt, randInt))
result = inject.goError(query)
if result:

13
lib/techniques/error/use.py
View File

@ -30,14 +30,15 @@ from lib.core.settings import ERROR_EMPTY_CHAR
from lib.core.settings import ERROR_START_CHAR
from lib.core.settings import ERROR_END_CHAR
def errorUse(expression, resumeValue=True):
def errorUse(expression):
"""
Retrieve the output of a SQL query taking advantage of an error SQL
injection vulnerability on the affected parameter.
"""
output = None
logic = conf.logic
randInt = randomInt(1)
query = agent.prefixQuery(" %s" % queries[kb.misc.testedDbms].error)
query = agent.prefixQuery(" %s" % queries[kb.misc.testedDbms].error.query)
query = agent.postfixQuery(query)
payload = agent.payload(newValue=query)
startLimiter = ""
@ -45,14 +46,6 @@ def errorUse(expression, resumeValue=True):
expressionUnescaped = expression
if resumeValue:
output = resume(expression, payload)
else:
output = None
if output:
return output
if kb.dbmsDetected:
_, _, _, _, _, _, fieldToCastStr = agent.getFields(expression)
nulledCastedField = agent.nullAndCastField(fieldToCastStr)

2
lib/techniques/inband/union/test.py
View File

@ -203,7 +203,7 @@ def unionTest():
value = None
columns = None
for comment in (queries[kb.dbms].comment, ""):
for comment in (queries[kb.dbms].comment.query, ""):
if conf.uTech == "orderby":
columns = __unionTestByOrderBy(comment)
else:

14
lib/techniques/inband/union/use.py
View File

@ -65,12 +65,12 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh
# NOTE: I assume that only queries that get data from a table can
# return multiple entries
if " FROM " in expression:
limitRegExp = re.search(queries[kb.dbms].limitregexp, expression, re.I)
limitRegExp = re.search(queries[kb.dbms].limitregexp.query, expression, re.I)
if limitRegExp:
if kb.dbms in ( "MySQL", "PostgreSQL" ):
limitGroupStart = queries[kb.dbms].limitgroupstart
limitGroupStop = queries[kb.dbms].limitgroupstop
limitGroupStart = queries[kb.dbms].limitgroupstart.query
limitGroupStop = queries[kb.dbms].limitgroupstop.query
if limitGroupStart.isdigit():
startLimit = int(limitRegExp.group(int(limitGroupStart)))
@ -79,8 +79,8 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh
limitCond = int(stopLimit) > 1
elif kb.dbms == "Microsoft SQL Server":
limitGroupStart = queries[kb.dbms].limitgroupstart
limitGroupStop = queries[kb.dbms].limitgroupstop
limitGroupStart = queries[kb.dbms].limitgroupstart.query
limitGroupStop = queries[kb.dbms].limitgroupstop.query
if limitGroupStart.isdigit():
startLimit = int(limitRegExp.group(int(limitGroupStart)))
@ -104,7 +104,7 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh
# (or similar, depending on the back-end DBMS) word
if kb.dbms in ( "MySQL", "PostgreSQL" ):
stopLimit += startLimit
untilLimitChar = expression.index(queries[kb.dbms].limitstring)
untilLimitChar = expression.index(queries[kb.dbms].limitstring.query)
expression = expression[:untilLimitChar]
elif kb.dbms == "Microsoft SQL Server":
@ -123,7 +123,7 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh
if test:
# Count the number of SQL query entries output
countFirstField = queries[kb.dbms].count % expressionFieldsList[0]
countFirstField = queries[kb.dbms].count.query % expressionFieldsList[0]
countedExpression = origExpr.replace(expressionFields, countFirstField, 1)
if re.search(" ORDER BY ", expression, re.I):

7
lib/utils/resume.py
View File

@ -14,6 +14,7 @@ from lib.core.common import calculateDeltaSeconds
from lib.core.common import dataToSessionFile
from lib.core.common import safeStringFormat
from lib.core.common import randomStr
from lib.core.common import replaceNewlineTabs
from lib.core.common import restoreDumpMarkedChars
from lib.core.data import conf
from lib.core.data import kb
@ -30,7 +31,7 @@ def queryOutputLength(expression, payload):
Returns the query output length.
"""
lengthQuery = queries[kb.dbms].length
lengthQuery = queries[kb.dbms].length.query
select = re.search("\ASELECT\s+", expression, re.I)
selectTopExpr = re.search("\ASELECT\s+TOP\s+[\d]+\s+(.+?)\s+FROM", expression, re.I)
@ -83,7 +84,7 @@ def queryOutputLength(expression, payload):
if length == " ":
length = 0
return count, length, regExpr
def resume(expression, payload):
@ -141,7 +142,7 @@ def resume(expression, payload):
if not kb.dbms:
return None
substringQuery = queries[kb.dbms].substring
substringQuery = queries[kb.dbms].substring.query
select = re.search("\ASELECT ", expression, re.I)
_, length, regExpr = queryOutputLength(expression, payload)

12
plugins/dbms/mssqlserver/enumeration.py
View File

@ -56,7 +56,7 @@ class Enumeration(GenericEnumeration):
continue
query = rootQuery["inband"]["query"] % db
query = rootQuery.inband.query % db
value = inject.getValue(query, blind=False)
if value:
@ -74,7 +74,7 @@ class Enumeration(GenericEnumeration):
infoMsg += "database '%s'" % db
logger.info(infoMsg)
query = rootQuery["blind"]["count"] % db
query = rootQuery.blind.count % db
count = inject.getValue(query, inband=False, charsetType=2)
if not count.isdigit() or not len(count) or count == "0":
@ -86,7 +86,7 @@ class Enumeration(GenericEnumeration):
tables = []
for index in range(int(count)):
query = rootQuery["blind"]["query"] % (db, index, db)
query = rootQuery.blind.query % (db, index, db)
table = inject.getValue(query, inband=False)
tables.append(table)
kb.hintValue = table
@ -108,8 +108,8 @@ class Enumeration(GenericEnumeration):
rootQuery = queries[kb.dbms].searchTable
foundTbls = {}
tblList = conf.tbl.split(",")
tblCond = rootQuery["inband"]["condition"]
dbCond = rootQuery["inband"]["condition2"]
tblCond = rootQuery.inband.condition
dbCond = rootQuery.inband.condition2
tblConsider, tblCondParam = self.likeOrExact("table")
@ -193,7 +193,7 @@ class Enumeration(GenericEnumeration):
foundCols = {}
dbs = {}
colList = conf.col.split(",")
colCond = rootQuery["inband"]["condition"]
colCond = rootQuery.inband.condition
colConsider, colCondParam = self.likeOrExact("column")
if not len(kb.data.cachedDbs):

24
plugins/dbms/oracle/enumeration.py
View File

@ -38,11 +38,11 @@ class Enumeration(GenericEnumeration):
if kb.unionPosition or conf.direct:
if query2:
query = rootQuery["inband"]["query2"]
condition = rootQuery["inband"]["condition2"]
query = rootQuery.inband.query2
condition = rootQuery.inband.condition2
else:
query = rootQuery["inband"]["query"]
condition = rootQuery["inband"]["condition"]
query = rootQuery.inband.query
condition = rootQuery.inband.condition
if conf.user:
users = conf.user.split(",")
@ -111,9 +111,9 @@ class Enumeration(GenericEnumeration):
queryUser = user
if query2:
query = rootQuery["blind"]["count2"] % queryUser
query = rootQuery.blind.count2 % queryUser
else:
query = rootQuery["blind"]["count"] % queryUser
query = rootQuery.blind.count % queryUser
count = inject.getValue(query, inband=False, expected="int", charsetType=2)
if not count.isdigit() or not len(count) or count == "0":
@ -137,9 +137,9 @@ class Enumeration(GenericEnumeration):
for index in indexRange:
if query2:
query = rootQuery["blind"]["query2"] % (queryUser, index)
query = rootQuery.blind.query2 % (queryUser, index)
else:
query = rootQuery["blind"]["query"] % (queryUser, index)
query = rootQuery.blind.query % (queryUser, index)
role = inject.getValue(query, inband=False)
# In Oracle we get the list of roles as string
@ -178,7 +178,7 @@ class Enumeration(GenericEnumeration):
foundCols = {}
dbs = { "USERS": {} }
colList = conf.col.split(",")
colCond = rootQuery["inband"]["condition"]
colCond = rootQuery.inband.condition
colConsider, colCondParam = self.likeOrExact("column")
for column in colList:
@ -197,7 +197,7 @@ class Enumeration(GenericEnumeration):
for db in dbs.keys():
if kb.unionPosition or conf.direct:
query = rootQuery["inband"]["query"]
query = rootQuery.inband.query
query += colQuery
values = inject.getValue(query, blind=False)
@ -234,7 +234,7 @@ class Enumeration(GenericEnumeration):
infoMsg += " '%s' in database '%s'" % (column, db)
logger.info(infoMsg)
query = rootQuery["blind"]["count2"]
query = rootQuery.blind.count2
query += " WHERE %s" % colQuery
count = inject.getValue(query, inband=False, expected="int", charsetType=2)
@ -251,7 +251,7 @@ class Enumeration(GenericEnumeration):
indexRange = getRange(count)
for index in indexRange:
query = rootQuery["blind"]["query2"]
query = rootQuery.blind.query2
query += " WHERE %s" % colQuery
query = agent.limitQuery(index, query)
tbl = inject.getValue(query, inband=False)

188
plugins/generic/enumeration.py
View File

@ -76,7 +76,7 @@ class Enumeration:
if conf.unionUse or conf.unionTest:
conf.dumper.technic("valid union", unionTest())
query = queries[kb.dbms].banner
query = queries[kb.dbms].banner.query
kb.data.banner = inject.getValue(query)
bannerParser(kb.data.banner)
@ -97,7 +97,7 @@ class Enumeration:
infoMsg = "fetching current user"
logger.info(infoMsg)
query = queries[kb.dbms].currentUser
query = queries[kb.dbms].currentUser.query
if not kb.data.currentUser:
kb.data.currentUser = inject.getValue(query)
@ -108,7 +108,7 @@ class Enumeration:
infoMsg = "fetching current database"
logger.info(infoMsg)
query = queries[kb.dbms].currentDb
query = queries[kb.dbms].currentDb.query
if not kb.data.currentDb:
kb.data.currentDb = inject.getValue(query)
@ -119,7 +119,7 @@ class Enumeration:
infoMsg = "testing if current user is DBA"
logger.info(infoMsg)
query = agent.forgeCaseStatement(queries[kb.dbms].isDba)
query = agent.forgeCaseStatement(queries[kb.dbms].isDba.query)
kb.data.isDba = inject.getValue(query, unpack=False, charsetType=1)
@ -136,9 +136,9 @@ class Enumeration:
if kb.unionPosition or conf.direct:
if condition:
query = rootQuery["inband"]["query2"]
query = rootQuery.inband.query2
else:
query = rootQuery["inband"]["query"]
query = rootQuery.inband.query
value = inject.getValue(query, blind=False)
if value:
@ -149,9 +149,9 @@ class Enumeration:
logger.info(infoMsg)
if condition:
query = rootQuery["blind"]["count2"]
query = rootQuery.blind.count2
else:
query = rootQuery["blind"]["count"]
query = rootQuery.blind.count
count = inject.getValue(query, inband=False, expected="int", charsetType=2)
if not count.isdigit() or not len(count) or count == "0":
@ -166,9 +166,9 @@ class Enumeration:
for index in indexRange:
if condition:
query = rootQuery["blind"]["query2"] % index
query = rootQuery.blind.query2 % index
else:
query = rootQuery["blind"]["query"] % index
query = rootQuery.blind.query % index
user = inject.getValue(query, inband=False)
if user:
@ -193,11 +193,11 @@ class Enumeration:
if kb.unionPosition or conf.direct:
if kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ):
query = rootQuery["inband"]["query2"]
query = rootQuery.inband.query2
else:
query = rootQuery["inband"]["query"]
query = rootQuery.inband.query
condition = rootQuery["inband"]["condition"]
condition = rootQuery.inband.condition
if conf.user:
if "," in conf.user:
@ -256,9 +256,9 @@ class Enumeration:
logger.info(infoMsg)
if kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ):
query = rootQuery["blind"]["count2"] % user
query = rootQuery.blind.count2 % user
else:
query = rootQuery["blind"]["count"] % user
query = rootQuery.blind.count % user
count = inject.getValue(query, inband=False, expected="int", charsetType=2)
if not count.isdigit() or not len(count) or count == "0":
@ -281,11 +281,11 @@ class Enumeration:
for index in indexRange:
if kb.dbms == "Microsoft SQL Server":
if kb.dbmsVersion[0] in ( "2005", "2008" ):
query = rootQuery["blind"]["query2"] % (user, index, user)
query = rootQuery.blind.query2 % (user, index, user)
else:
query = rootQuery["blind"]["query"] % (user, index, user)
query = rootQuery.blind.query % (user, index, user)
else:
query = rootQuery["blind"]["query"] % (user, index)
query = rootQuery.blind.query % (user, index)
password = inject.getValue(query, inband=False)
password = parsePasswordHash(password)
passwords.append(password)
@ -390,14 +390,14 @@ class Enumeration:
if kb.unionPosition or conf.direct:
if kb.dbms == "MySQL" and not kb.data.has_information_schema:
query = rootQuery["inband"]["query2"]
condition = rootQuery["inband"]["condition2"]
query = rootQuery.inband.query2
condition = rootQuery.inband.condition2
elif kb.dbms == "Oracle" and query2:
query = rootQuery["inband"]["query2"]
condition = rootQuery["inband"]["condition2"]
query = rootQuery.inband.query2
condition = rootQuery.inband.condition2
else:
query = rootQuery["inband"]["query"]
condition = rootQuery["inband"]["condition"]
query = rootQuery.inband.query
condition = rootQuery.inband.condition
if conf.user:
users = conf.user.split(",")
@ -506,13 +506,13 @@ class Enumeration:
queryUser = user
if kb.dbms == "MySQL" and not kb.data.has_information_schema:
query = rootQuery["blind"]["count2"] % queryUser
query = rootQuery.blind.count2 % queryUser
elif kb.dbms == "MySQL" and kb.data.has_information_schema:
query = rootQuery["blind"]["count"] % (conditionChar, queryUser)
query = rootQuery.blind.count % (conditionChar, queryUser)
elif kb.dbms == "Oracle" and query2:
query = rootQuery["blind"]["count2"] % queryUser
query = rootQuery.blind.count2 % queryUser
else:
query = rootQuery["blind"]["count"] % queryUser
query = rootQuery.blind.count % queryUser
count = inject.getValue(query, inband=False, expected="int", charsetType=2)
if not count.isdigit() or not len(count) or count == "0":
@ -540,15 +540,15 @@ class Enumeration:
for index in indexRange:
if kb.dbms == "MySQL" and not kb.data.has_information_schema:
query = rootQuery["blind"]["query2"] % (queryUser, index)
query = rootQuery.blind.query2 % (queryUser, index)
elif kb.dbms == "MySQL" and kb.data.has_information_schema:
query = rootQuery["blind"]["query"] % (conditionChar, queryUser, index)
query = rootQuery.blind.query % (conditionChar, queryUser, index)
elif kb.dbms == "Oracle" and query2:
query = rootQuery["blind"]["query2"] % (queryUser, index)
query = rootQuery.blind.query2 % (queryUser, index)
elif kb.dbms == "Firebird":
query = rootQuery["blind"]["query"] % (index, queryUser)
query = rootQuery.blind.query % (index, queryUser)
else:
query = rootQuery["blind"]["query"] % (queryUser, index)
query = rootQuery.blind.query % (queryUser, index)
privilege = inject.getValue(query, inband=False)
# In PostgreSQL we get 1 if the privilege is True,
@ -636,9 +636,9 @@ class Enumeration:
if kb.unionPosition or conf.direct:
if kb.dbms == "MySQL" and not kb.data.has_information_schema:
query = rootQuery["inband"]["query2"]
query = rootQuery.inband.query2
else:
query = rootQuery["inband"]["query"]
query = rootQuery.inband.query
value = inject.getValue(query, blind=False)
if value:
@ -649,9 +649,9 @@ class Enumeration:
logger.info(infoMsg)
if kb.dbms == "MySQL" and not kb.data.has_information_schema:
query = rootQuery["blind"]["count2"]
query = rootQuery.blind.count2
else:
query = rootQuery["blind"]["count"]
query = rootQuery.blind.count
count = inject.getValue(query, inband=False, expected="int", charsetType=2)
if not count.isdigit() or not len(count) or count == "0":
@ -662,9 +662,9 @@ class Enumeration:
for index in indexRange:
if kb.dbms == "MySQL" and not kb.data.has_information_schema:
query = rootQuery["blind"]["query2"] % index
query = rootQuery.blind.query2 % index
else:
query = rootQuery["blind"]["query"] % index
query = rootQuery.blind.query % index
db = inject.getValue(query, inband=False)
if db:
@ -702,8 +702,8 @@ class Enumeration:
rootQuery = queries[kb.dbms].tables
if kb.unionPosition or conf.direct:
query = rootQuery["inband"]["query"]
condition = rootQuery["inband"]["condition"]
query = rootQuery.inband.query
condition = rootQuery.inband.condition
if conf.db and kb.dbms != "SQLite":
if "," in conf.db:
@ -762,9 +762,9 @@ class Enumeration:
logger.info(infoMsg)
if kb.dbms in ("SQLite", "Firebird"):
query = rootQuery["blind"]["count"]
query = rootQuery.blind.count
else:
query = rootQuery["blind"]["count"] % db
query = rootQuery.blind.count % db
count = inject.getValue(query, inband=False, expected="int", charsetType=2)
if not count.isdigit() or not len(count) or count == "0":
@ -783,9 +783,9 @@ class Enumeration:
for index in indexRange:
if kb.dbms in ("SQLite", "Firebird"):
query = rootQuery["blind"]["query"] % index
query = rootQuery.blind.query % index
else:
query = rootQuery["blind"]["query"] % (db, index)
query = rootQuery.blind.query % (db, index)
table = inject.getValue(query, inband=False)
tables.append(table)
kb.hintValue = table
@ -880,7 +880,7 @@ class Enumeration:
}
rootQuery = queries[kb.dbms].columns
condition = rootQuery["blind"]["condition"]
condition = rootQuery.blind.condition
infoMsg = "fetching columns "
@ -899,19 +899,19 @@ class Enumeration:
if kb.unionPosition or conf.direct:
if kb.dbms in ( "MySQL", "PostgreSQL" ):
query = rootQuery["inband"]["query"] % (conf.tbl, conf.db)
query = rootQuery.inband.query % (conf.tbl, conf.db)
query += condQuery
elif kb.dbms == "Oracle":
query = rootQuery["inband"]["query"] % conf.tbl.upper()
query = rootQuery.inband.query % conf.tbl.upper()
query += condQuery
elif kb.dbms == "Microsoft SQL Server":
query = rootQuery["inband"]["query"] % (conf.db, conf.db,
query = rootQuery.inband.query % (conf.db, conf.db,
conf.db, conf.db,
conf.db, conf.db,
conf.db, conf.tbl)
query += condQuery.replace("[DB]", conf.db)
elif kb.dbms == "SQLite":
query = rootQuery["inband"]["query"] % conf.tbl
query = rootQuery.inband.query % conf.tbl
value = inject.getValue(query, blind=False)
@ -936,16 +936,16 @@ class Enumeration:
logger.info(infoMsg)
if kb.dbms in ( "MySQL", "PostgreSQL" ):
query = rootQuery["blind"]["count"] % (conf.tbl, conf.db)
query = rootQuery.blind.count % (conf.tbl, conf.db)
query += condQuery
elif kb.dbms == "Oracle":
query = rootQuery["blind"]["count"] % conf.tbl.upper()
query = rootQuery.blind.count % conf.tbl.upper()
query += condQuery
elif kb.dbms == "Microsoft SQL Server":
query = rootQuery["blind"]["count"] % (conf.db, conf.db, conf.tbl)
query = rootQuery.blind.count % (conf.db, conf.db, conf.tbl)
query += condQuery.replace("[DB]", conf.db)
elif kb.dbms == "Firebird":
query = rootQuery["blind"]["count"] % (conf.tbl)
query = rootQuery.blind.count % (conf.tbl)
query += condQuery
count = inject.getValue(query, inband=False, expected="int", charsetType=2)
@ -963,22 +963,22 @@ class Enumeration:
for index in indexRange:
if kb.dbms in ( "MySQL", "PostgreSQL" ):
query = rootQuery["blind"]["query"] % (conf.tbl, conf.db)
query = rootQuery.blind.query % (conf.tbl, conf.db)
query += condQuery
field = None
elif kb.dbms == "Oracle":
query = rootQuery["blind"]["query"] % (conf.tbl.upper())
query = rootQuery.blind.query % (conf.tbl.upper())
query += condQuery
field = None
elif kb.dbms == "Microsoft SQL Server":
query = rootQuery["blind"]["query"] % (conf.db, conf.db,
query = rootQuery.blind.query % (conf.db, conf.db,
conf.db, conf.db,
conf.db, conf.db,
conf.tbl)
query += condQuery.replace("[DB]", conf.db)
field = condition.replace("[DB]", conf.db)
elif kb.dbms == "Firebird":
query = rootQuery["blind"]["query"] % (conf.tbl)
query = rootQuery.blind.query % (conf.tbl)
query += condQuery
field = None
@ -987,15 +987,15 @@ class Enumeration:
if not onlyColNames:
if kb.dbms in ( "MySQL", "PostgreSQL" ):
query = rootQuery["blind"]["query2"] % (conf.tbl, column, conf.db)
query = rootQuery.blind.query2 % (conf.tbl, column, conf.db)
elif kb.dbms == "Oracle":
query = rootQuery["blind"]["query2"] % (conf.tbl.upper(), column)
query = rootQuery.blind.query2 % (conf.tbl.upper(), column)
elif kb.dbms == "Microsoft SQL Server":
query = rootQuery["blind"]["query2"] % (conf.db, conf.db, conf.db,
query = rootQuery.blind.query2 % (conf.db, conf.db, conf.db,
conf.db, column, conf.db,
conf.db, conf.db, conf.tbl)
elif kb.dbms == "Firebird":
query = rootQuery["blind"]["query2"] % (conf.tbl, column)
query = rootQuery.blind.query2 % (conf.tbl, column)
colType = inject.getValue(query, inband=False)
@ -1078,11 +1078,11 @@ class Enumeration:
if kb.unionPosition or conf.direct:
if kb.dbms == "Oracle":
query = rootQuery["inband"]["query"] % (colString, conf.tbl.upper())
query = rootQuery.inband.query % (colString, conf.tbl.upper())
elif kb.dbms == "SQLite":
query = rootQuery["inband"]["query"] % (colString, conf.tbl)
query = rootQuery.inband.query % (colString, conf.tbl)
else:
query = rootQuery["inband"]["query"] % (colString, conf.db, conf.tbl)
query = rootQuery.inband.query % (colString, conf.db, conf.tbl)
entries = inject.getValue(query, blind=False, dump=True)
if entries:
@ -1126,11 +1126,11 @@ class Enumeration:
logger.info(infoMsg)
if kb.dbms == "Oracle":
query = rootQuery["blind"]["count"] % conf.tbl.upper()
query = rootQuery.blind.count % conf.tbl.upper()
elif kb.dbms == "SQLite":
query = rootQuery["blind"]["count"] % conf.tbl
query = rootQuery.blind.count % conf.tbl
else:
query = rootQuery["blind"]["count"] % (conf.db, conf.tbl)
query = rootQuery.blind.count % (conf.db, conf.tbl)
count = inject.getValue(query, inband=False, expected="int", charsetType=2)
if not count.isdigit() or not len(count) or count == "0":
@ -1162,19 +1162,19 @@ class Enumeration:
entries[column] = []
if kb.dbms in ( "MySQL", "PostgreSQL" ):
query = rootQuery["blind"]["query"] % (column, conf.db,
query = rootQuery.blind.query % (column, conf.db,
conf.tbl, index)
elif kb.dbms == "Oracle":
query = rootQuery["blind"]["query"] % (column, column,
query = rootQuery.blind.query % (column, column,
conf.tbl.upper(),
index)
elif kb.dbms == "Microsoft SQL Server":
query = rootQuery["blind"]["query"] % (column, conf.db,
query = rootQuery.blind.query % (column, conf.db,
conf.tbl, column,
index, column,
conf.db, conf.tbl)
elif kb.dbms == "SQLite":
query = rootQuery["blind"]["query"] % (column, conf.tbl, index)
query = rootQuery.blind.query % (column, conf.tbl, index)
value = inject.getValue(query, inband=False)
@ -1311,9 +1311,9 @@ class Enumeration:
dbList = conf.db.split(",")
if kb.dbms == "MySQL" and not kb.data.has_information_schema:
dbCond = rootQuery["inband"]["condition2"]
dbCond = rootQuery.inband.condition2
else:
dbCond = rootQuery["inband"]["condition"]
dbCond = rootQuery.inband.condition
dbConsider, dbCondParam = self.likeOrExact("database")
@ -1336,9 +1336,9 @@ class Enumeration:
if kb.unionPosition or conf.direct:
if kb.dbms == "MySQL" and not kb.data.has_information_schema:
query = rootQuery["inband"]["query2"]
query = rootQuery.inband.query2
else:
query = rootQuery["inband"]["query"]
query = rootQuery.inband.query
query += dbQuery
query += exclDbsQuery
values = inject.getValue(query, blind=False)
@ -1357,9 +1357,9 @@ class Enumeration:
logger.info(infoMsg)
if kb.dbms == "MySQL" and not kb.data.has_information_schema:
query = rootQuery["blind"]["count2"]
query = rootQuery.blind.count2
else:
query = rootQuery["blind"]["count"]
query = rootQuery.blind.count
query += dbQuery
query += exclDbsQuery
count = inject.getValue(query, inband=False, expected="int", charsetType=2)
@ -1377,9 +1377,9 @@ class Enumeration:
for index in indexRange:
if kb.dbms == "MySQL" and not kb.data.has_information_schema:
query = rootQuery["blind"]["query2"]
query = rootQuery.blind.query2
else:
query = rootQuery["blind"]["query"]
query = rootQuery.blind.query
query += dbQuery
query += exclDbsQuery
query = agent.limitQuery(index, query, dbCond)
@ -1397,8 +1397,8 @@ class Enumeration:
rootQuery = queries[kb.dbms].searchTable
foundTbls = {}
tblList = conf.tbl.split(",")
tblCond = rootQuery["inband"]["condition"]
dbCond = rootQuery["inband"]["condition2"]
tblCond = rootQuery.inband.condition
dbCond = rootQuery.inband.condition2
tblConsider, tblCondParam = self.likeOrExact("table")
@ -1423,7 +1423,7 @@ class Enumeration:
tblQuery = tblQuery % tbl
if kb.unionPosition or conf.direct:
query = rootQuery["inband"]["query"]
query = rootQuery.inband.query
query += tblQuery
query += exclDbsQuery
values = inject.getValue(query, blind=False)
@ -1444,7 +1444,7 @@ class Enumeration:
infoMsg += " '%s'" % tbl
logger.info(infoMsg)
query = rootQuery["blind"]["count"]
query = rootQuery.blind.count
query += tblQuery
query += exclDbsQuery
count = inject.getValue(query, inband=False, expected="int", charsetType=2)
@ -1461,7 +1461,7 @@ class Enumeration:
indexRange = getRange(count)
for index in indexRange:
query = rootQuery["blind"]["query"]
query = rootQuery.blind.query
query += tblQuery
query += exclDbsQuery
query = agent.limitQuery(index, query)
@ -1481,7 +1481,7 @@ class Enumeration:
infoMsg += " '%s' in database '%s'" % (tbl, db)
logger.info(infoMsg)
query = rootQuery["blind"]["count2"]
query = rootQuery.blind.count2
query = query % db
query += " AND %s" % tblQuery
count = inject.getValue(query, inband=False, expected="int", charsetType=2)
@ -1499,7 +1499,7 @@ class Enumeration:
indexRange = getRange(count)
for index in indexRange:
query = rootQuery["blind"]["query2"]
query = rootQuery.blind.query2
query = query % db
query += " AND %s" % tblQuery
query = agent.limitQuery(index, query)
@ -1519,8 +1519,8 @@ class Enumeration:
foundCols = {}
dbs = {}
colList = conf.col.split(",")
colCond = rootQuery["inband"]["condition"]
dbCond = rootQuery["inband"]["condition2"]
colCond = rootQuery.inband.condition
dbCond = rootQuery.inband.condition2
colConsider, colCondParam = self.likeOrExact("column")
@ -1544,7 +1544,7 @@ class Enumeration:
colQuery = colQuery % column
if kb.unionPosition or conf.direct:
query = rootQuery["inband"]["query"]
query = rootQuery.inband.query
query += colQuery
query += exclDbsQuery
values = inject.getValue(query, blind=False)
@ -1583,7 +1583,7 @@ class Enumeration:
infoMsg += " '%s'" % column
logger.info(infoMsg)
query = rootQuery["blind"]["count"]
query = rootQuery.blind.count
query += colQuery
query += exclDbsQuery
count = inject.getValue(query, inband=False, expected="int", charsetType=2)
@ -1600,7 +1600,7 @@ class Enumeration:
indexRange = getRange(count)
for index in indexRange:
query = rootQuery["blind"]["query"]
query = rootQuery.blind.query
query += colQuery
query += exclDbsQuery
query = agent.limitQuery(index, query)
@ -1623,7 +1623,7 @@ class Enumeration:
infoMsg += " '%s' in database '%s'" % (column, db)
logger.info(infoMsg)
query = rootQuery["blind"]["count2"]
query = rootQuery.blind.count2
query = query % db
query += " AND %s" % colQuery
count = inject.getValue(query, inband=False, expected="int", charsetType=2)
@ -1641,7 +1641,7 @@ class Enumeration:
indexRange = getRange(count)
for index in indexRange:
query = rootQuery["blind"]["query2"]
query = rootQuery.blind.query2
query = query % db
query += " AND %s" % colQuery
query = agent.limitQuery(index, query)

2
plugins/generic/misc.py
View File

@ -67,7 +67,7 @@ class Miscellaneous:
else:
raise sqlmapUnsupportedFeatureException, "unsupported DBMS"
query = queries[kb.dbms].substring % (queries[kb.dbms].banner, first, last)
query = queries[kb.dbms].substring.query % (queries[kb.dbms].banner.query, first, last)
if conf.direct:
query = "SELECT %s" % query