removed queriesfile.py, implemented XMLObject approach (still shell.py and udf.py TODO)

This commit is contained in:
Miroslav Stampar 2010-10-21 13:13:12 +00:00
parent be443c6947
commit bc79eec702
16 changed files with 169 additions and 401 deletions


@ -142,6 +142,7 @@ class XMLFile:
fobj = kw.get("file", None) fobj = kw.get("file", None)
raw = kw.get("raw", None) raw = kw.get("raw", None)
root = kw.get("root", None) root = kw.get("root", None)
textfilter = kw.get("textfilter", None)
if path: if path:
self.path = path self.path = path
@ -176,6 +177,11 @@ class XMLFile:
raise IncorrectRootTag("Gave root='%s', input has root='%s'" % ( raise IncorrectRootTag("Gave root='%s', input has root='%s'" % (
root, rootnode.nodeName)) root, rootnode.nodeName))
if textfilter:
self.textfilter = textfilter
else:
self.textfilter = lambda x: x
# need this for recursion in XMLNode # need this for recursion in XMLNode
self._childrenByName = {} self._childrenByName = {}
self._children = [] self._children = []
@ -278,7 +284,7 @@ class XMLNode:
self._value = None self._value = None
if isinstance(node, xml.dom.minidom.Text): if isinstance(node, xml.dom.minidom.Text):
self._type = "text" self._type = "text"
self._value = node.nodeValue self._value = self._root.textfilter(node.nodeValue)
elif isinstance(node, xml.dom.minidom.Element): elif isinstance(node, xml.dom.minidom.Element):
self._type = "node" self._type = "node"
elif isinstance(node, xml.dom.minidom.Comment): elif isinstance(node, xml.dom.minidom.Comment):
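Review bot: The new `textfilter` is only applied to Text nodes (`self._value = self._root.textfilter(node.nodeValue)`); whether element attributes go through it is not visible in these hunks, yet the queries this commit loads with it live in `query="..."` / `condition="..."` attributes, which the removed SAX handler ran through sanitizeStr one by one. If the attribute path bypasses the filter, the sanitizing that `__loadQueries` asks for is silently lost for the values that actually get injected. Consider routing attribute values through `self._root.textfilter` too, and documenting on XMLFile that `textfilter` is a `str -> str` callable applied to every text (and attribute) value at parse time, defaulting to identity. Both XMLFile.__init__ and XMLNode.__init__ continue outside the hunks.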


@ -220,8 +220,8 @@ class Agent:
if field.startswith("(CASE"): if field.startswith("(CASE"):
nulledCastedField = field nulledCastedField = field
else: else:
nulledCastedField = queries[kb.dbms].cast % field nulledCastedField = queries[kb.dbms].cast.query % field
nulledCastedField = queries[kb.dbms].isnull % nulledCastedField nulledCastedField = queries[kb.dbms].isnull.query % nulledCastedField
return nulledCastedField return nulledCastedField
@ -260,7 +260,7 @@ class Agent:
fields = fields.replace(", ", ",") fields = fields.replace(", ", ",")
fieldsSplitted = fields.split(",") fieldsSplitted = fields.split(",")
dbmsDelimiter = queries[kb.dbms].delimiter dbmsDelimiter = queries[kb.dbms].delimiter.query
nulledCastedFields = [] nulledCastedFields = []
for field in fieldsSplitted: for field in fieldsSplitted:
@ -516,18 +516,18 @@ class Agent:
""" """
limitedQuery = query limitedQuery = query
limitStr = queries[kb.dbms].limit limitStr = queries[kb.dbms].limit.query
fromIndex = limitedQuery.index(" FROM ") fromIndex = limitedQuery.index(" FROM ")
untilFrom = limitedQuery[:fromIndex] untilFrom = limitedQuery[:fromIndex]
fromFrom = limitedQuery[fromIndex+1:] fromFrom = limitedQuery[fromIndex+1:]
orderBy = False orderBy = False
if kb.dbms in ( "MySQL", "PostgreSQL", "SQLite" ): if kb.dbms in ( "MySQL", "PostgreSQL", "SQLite" ):
limitStr = queries[kb.dbms].limit % (num, 1) limitStr = queries[kb.dbms].limit.query % (num, 1)
limitedQuery += " %s" % limitStr limitedQuery += " %s" % limitStr
elif kb.dbms == "Firebird": elif kb.dbms == "Firebird":
limitStr = queries[kb.dbms].limit % (num+1, num+1) limitStr = queries[kb.dbms].limit.query % (num+1, num+1)
limitedQuery += " %s" % limitStr limitedQuery += " %s" % limitStr
elif kb.dbms == "Oracle": elif kb.dbms == "Oracle":
@ -556,7 +556,7 @@ class Agent:
limitedQuery = limitedQuery.replace("DISTINCT %s" % notDistinct, notDistinct) limitedQuery = limitedQuery.replace("DISTINCT %s" % notDistinct, notDistinct)
if limitedQuery.startswith("SELECT TOP ") or limitedQuery.startswith("TOP "): if limitedQuery.startswith("SELECT TOP ") or limitedQuery.startswith("TOP "):
topNums = re.search(queries[kb.dbms].limitregexp, limitedQuery, re.I) topNums = re.search(queries[kb.dbms].limitregexp.query, limitedQuery, re.I)
if topNums: if topNums:
topNums = topNums.groups() topNums = topNums.groups()
@ -602,7 +602,7 @@ class Agent:
@rtype: C{str} @rtype: C{str}
""" """
return queries[kb.dbms].case % expression return queries[kb.dbms].case.query % expression
# SQL agent # SQL agent
agent = Agent() agent = Agent()
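Review bot: Style: limitQuery now repeats the `queries[kb.dbms]` lookup on every `.limit.query` / `.limitregexp.query` access across its DBMS branches; binding it once near the top, `dbmsQueries = queries[kb.dbms]`, and writing `dbmsQueries.limit.query % (num, 1)` below reads cleaner and keeps the per-DBMS branches easier to scan. The same applies to the back-to-back `cast.query` / `isnull.query` lookups in nullAndCastField. limitQuery's Oracle branch and the remainder of the function fall outside the hunks.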


@ -909,14 +909,14 @@ def getDelayQuery(andCond=False):
banVer = kb.bannerFp["dbmsVersion"] banVer = kb.bannerFp["dbmsVersion"]
if (kb.dbms == "MySQL" and banVer >= "5.0.12") or (kb.dbms == "PostgreSQL" and banVer >= "8.2"): if (kb.dbms == "MySQL" and banVer >= "5.0.12") or (kb.dbms == "PostgreSQL" and banVer >= "8.2"):
query = queries[kb.dbms].timedelay % conf.timeSec query = queries[kb.dbms].timedelay.query % conf.timeSec
else: else:
query = queries[kb.dbms].timedelay2 % conf.timeSec query = queries[kb.dbms].timedelay.query2 % conf.timeSec
elif kb.dbms == "Firebird": elif kb.dbms == "Firebird":
query = queries[kb.dbms].timedelay query = queries[kb.dbms].timedelay.query
else: else:
query = queries[kb.dbms].timedelay % conf.timeSec query = queries[kb.dbms].timedelay.query % conf.timeSec
if andCond: if andCond:
if kb.dbms in ( "MySQL", "SQLite" ): if kb.dbms in ( "MySQL", "SQLite" ):
@ -1078,6 +1078,8 @@ def safeStringFormat(formatStr, params):
if count < len(params): if count < len(params):
retVal = retVal[:index] + getUnicode(params[count]) + retVal[index+2:] retVal = retVal[:index] + getUnicode(params[count]) + retVal[index+2:]
else: else:
import pdb
pdb.set_trace()
raise sqlmapNoneDataException, "wrong number of parameters during string formatting" raise sqlmapNoneDataException, "wrong number of parameters during string formatting"
count += 1 count += 1
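Review bot: The two lines added to safeStringFormat's else branch, `import pdb` / `pdb.set_trace()`, drop into an interactive debugger right before sqlmapNoneDataException is raised, so any parameter-count mismatch in a non-interactive run will hang waiting on stdin instead of failing with the intended exception. These look like a leftover from debugging the `.query` migration and should be removed, leaving only the `raise`. If a diagnostic is wanted there, `logger.debug("format string %r with %d params" % (formatStr, len(params)))` before the raise is the safe alternative. safeStringFormat starts outside the hunk.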


@ -37,6 +37,7 @@ from lib.core.data import conf
from lib.core.data import kb from lib.core.data import kb
from lib.core.data import logger from lib.core.data import logger
from lib.core.data import paths from lib.core.data import paths
from lib.core.data import queries
from lib.core.datatype import advancedDict from lib.core.datatype import advancedDict
from lib.core.exception import sqlmapFilePathException from lib.core.exception import sqlmapFilePathException
from lib.core.exception import sqlmapGenericException from lib.core.exception import sqlmapGenericException
@ -55,7 +56,6 @@ from lib.core.settings import SUPPORTED_OS
from lib.core.settings import VERSION_STRING from lib.core.settings import VERSION_STRING
from lib.core.update import update from lib.core.update import update
from lib.parse.configfile import configFileParser from lib.parse.configfile import configFileParser
from lib.parse.queriesfile import queriesParser
from lib.request.proxy import ProxyHTTPSHandler from lib.request.proxy import ProxyHTTPSHandler
from lib.request.certhandler import HTTPSCertAuthHandler from lib.request.certhandler import HTTPSCertAuthHandler
from lib.request.redirecthandler import SmartRedirectHandler from lib.request.redirecthandler import SmartRedirectHandler
@ -195,6 +195,13 @@ def __feedTargetsDict(reqFile, addedTargetUrls):
kb.targetUrls.add((url, method, data, cookie)) kb.targetUrls.add((url, method, data, cookie))
addedTargetUrls.add(url) addedTargetUrls.add(url)
def __loadQueries():
"""
Loads queries from 'xml/queries.xml' file.
"""
for node in xmlobject.XMLFile(path=paths.QUERIES_XML, textfilter=sanitizeStr).root.dbms:
queries[node.value] = node
def __setMultipleTargets(): def __setMultipleTargets():
""" """
Define a configuration parameter if we are running in multiple target Define a configuration parameter if we are running in multiple target
@ -1258,4 +1265,4 @@ def init(inputOptions=advancedDict()):
__setMetasploit() __setMetasploit()
update() update()
queriesParser() __loadQueries()
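Review bot: __loadQueries drops two safeguards the removed queriesParser had: there is no `checkFile(paths.QUERIES_XML)` before parsing and no debug log, so a missing or unreadable queries.xml surfaces as a raw parser traceback instead of sqlmap's usual file-path error; add `checkFile(paths.QUERIES_XML)` and `logger.debug("parsing XML queries file")` ahead of the loop. The `xmlobject` and `sanitizeStr` names it relies on are not imported in the visible hunks, so confirm they are in scope in this module. Note also that `textfilter=sanitizeStr` only reaches values XMLFile routes through the filter, whereas the old handler sanitized every `query=`/`condition=` attribute explicitly, so verify the attribute path is covered or the sanitizing is lost. A one-line docstring addition, "Each <dbms value=...> node is stored under queries[value]; a later duplicate overwrites an earlier one.", would document the shape callers rely on.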


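--- a/lib/parse/queriesfile.py
+++ /dev/null
@@ -1,240 +0,0 @@
-#!/usr/bin/env python
-"""
-$Id$
-Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
-See the file 'doc/COPYING' for copying permission
-"""
-from xml.sax.handler import ContentHandler
-from lib.core.common import checkFile
-from lib.core.common import parseXmlFile
-from lib.core.common import sanitizeStr
-from lib.core.data import logger
-from lib.core.data import queries
-from lib.core.data import paths
-from lib.core.datatype import advancedDict
-class queriesHandler(ContentHandler):
-"""
-This class defines methods to parse the default DBMS queries
-from an XML file
-"""
-def __init__(self):
-self.__dbms = ''
-self.__queries = advancedDict()
-def startElement(self, name, attrs):
-if name == "dbms":
-data = sanitizeStr(attrs.get("value"))
-self.__dbms = data
-elif name == "cast":
-data = sanitizeStr(attrs.get("query"))
-self.__queries.cast = data
-elif name == "length":
-data = sanitizeStr(attrs.get("query"))
-self.__queries.length = data
-elif name == "isnull":
-data = sanitizeStr(attrs.get("query"))
-self.__queries.isnull = data
-elif name == "delimiter":
-data = sanitizeStr(attrs.get("query"))
-self.__queries.delimiter = data
-elif name == "limit":
-data = sanitizeStr(attrs.get("query"))
-self.__queries.limit = data
-elif name == "limitregexp":
-data = sanitizeStr(attrs.get("query"))
-self.__queries.limitregexp = data
-elif name == "limitgroupstart":
-data = sanitizeStr(attrs.get("query"))
-self.__queries.limitgroupstart = data
-elif name == "limitgroupstop":
-data = sanitizeStr(attrs.get("query"))
-self.__queries.limitgroupstop = data
-elif name == "limitstring":
-data = sanitizeStr(attrs.get("query"))
-self.__queries.limitstring = data
-elif name == "order":
-data = sanitizeStr(attrs.get("query"))
-self.__queries.order = data
-elif name == "count":
-data = sanitizeStr(attrs.get("query"))
-self.__queries.count = data
-elif name == "comment":
-data = sanitizeStr(attrs.get("query"))
-self.__queries.comment = data
-elif name == "timedelay":
-data = sanitizeStr(attrs.get("query"))
-self.__queries.timedelay = data
-data = sanitizeStr(attrs.get("query2"))
-self.__queries.timedelay2 = data
-elif name == "substring":
-data = sanitizeStr(attrs.get("query"))
-self.__queries.substring = data
-elif name == "case":
-data = sanitizeStr(attrs.get("query"))
-self.__queries.case = data
-elif name == "error":
-data = sanitizeStr(attrs.get("query"))
-self.__queries.error = data
-elif name == "inference":
-data = sanitizeStr(attrs.get("query"))
-self.__queries.inference = data
-elif name == "banner":
-data = sanitizeStr(attrs.get("query"))
-self.__queries.banner = data
-elif name == "current_user":
-data = sanitizeStr(attrs.get("query"))
-self.__queries.currentUser = data
-elif name == "current_db":
-data = sanitizeStr(attrs.get("query"))
-self.__queries.currentDb = data
-elif name == "is_dba":
-data = sanitizeStr(attrs.get("query"))
-self.__queries.isDba = data
-elif name == "check_udf":
-data = sanitizeStr(attrs.get("query"))
-self.__queries.checkUdf = data
-elif name == "inband":
-self.__inband = sanitizeStr(attrs.get("query"))
-self.__inband2 = sanitizeStr(attrs.get("query2"))
-self.__conditionInband = sanitizeStr(attrs.get("condition"))
-self.__conditionInband2 = sanitizeStr(attrs.get("condition2"))
-elif name == "blind":
-self.__blind = sanitizeStr(attrs.get("query"))
-self.__blind2 = sanitizeStr(attrs.get("query2"))
-self.__count = sanitizeStr(attrs.get("count"))
-self.__count2 = sanitizeStr(attrs.get("count2"))
-self.__conditionBlind = sanitizeStr(attrs.get("condition"))
-self.__conditionBlind2 = sanitizeStr(attrs.get("condition2"))
-def endElement(self, name):
-if name == "dbms":
-queries[self.__dbms] = self.__queries
-self.__queries = advancedDict()
-elif name == "users":
-self.__users = {}
-self.__users["inband"] = { "query": self.__inband, "query2": self.__inband2 }
-self.__users["blind"] = { "query": self.__blind, "query2": self.__blind2,
-"count": self.__count, "count2": self.__count2 }
-self.__queries.users = self.__users
-elif name == "passwords":
-self.__passwords = {}
-self.__passwords["inband"] = { "query": self.__inband, "query2": self.__inband2, "condition": self.__conditionInband }
-self.__passwords["blind"] = { "query": self.__blind, "query2": self.__blind2,
-"count": self.__count, "count2": self.__count2 }
-self.__queries.passwords = self.__passwords
-elif name == "privileges":
-self.__privileges = {}
-self.__privileges["inband"] = { "query": self.__inband, "query2": self.__inband2, "condition": self.__conditionInband, "condition2": self.__conditionInband2 }
-self.__privileges["blind"] = { "query": self.__blind, "query2": self.__blind2,
-"count": self.__count, "count2": self.__count2 }
-self.__queries.privileges = self.__privileges
-elif name == "roles":
-self.__roles = {}
-self.__roles["inband"] = { "query": self.__inband, "query2": self.__inband2, "condition": self.__conditionInband, "condition2": self.__conditionInband2 }
-self.__roles["blind"] = { "query": self.__blind, "query2": self.__blind2,
-"count": self.__count, "count2": self.__count2 }
-self.__queries.roles = self.__roles
-elif name == "dbs":
-self.__dbs = {}
-self.__dbs["inband"] = { "query": self.__inband, "query2": self.__inband2 }
-self.__dbs["blind"] = { "query": self.__blind, "query2": self.__blind2,
-"count": self.__count, "count2": self.__count2 }
-self.__queries.dbs = self.__dbs
-elif name == "tables":
-self.__tables = {}
-self.__tables["inband"] = { "query": self.__inband, "condition": self.__conditionInband }
-self.__tables["blind"] = { "query": self.__blind, "count": self.__count }
-self.__queries.tables = self.__tables
-elif name == "columns":
-self.__columns = {}
-self.__columns["inband"] = { "query": self.__inband, "condition": self.__conditionInband }
-self.__columns["blind"] = { "query": self.__blind, "query2": self.__blind2, "count": self.__count, "condition": self.__conditionBlind }
-self.__queries.columns = self.__columns
-elif name == "dump_table":
-self.__dumpTable = {}
-self.__dumpTable["inband"] = { "query": self.__inband }
-self.__dumpTable["blind"] = { "query": self.__blind, "count": self.__count }
-self.__queries.dumpTable = self.__dumpTable
-elif name == "search_db":
-self.__searchDb = {}
-self.__searchDb["inband"] = { "query": self.__inband, "query2": self.__inband2, "condition": self.__conditionInband, "condition2": self.__conditionInband2 }
-self.__searchDb["blind"] = { "query": self.__blind, "query2": self.__blind2, "count": self.__count, "count2": self.__count2, "condition": self.__conditionBlind, "condition2": self.__conditionBlind2 }
-self.__queries.searchDb = self.__searchDb
-elif name == "search_table":
-self.__searchTable = {}
-self.__searchTable["inband"] = { "query": self.__inband, "query2": self.__inband2, "condition": self.__conditionInband, "condition2": self.__conditionInband2 }
-self.__searchTable["blind"] = { "query": self.__blind, "query2": self.__blind2, "count": self.__count, "count2": self.__count2, "condition": self.__conditionBlind, "condition2": self.__conditionBlind2 }
-self.__queries.searchTable = self.__searchTable
-elif name == "search_column":
-self.__searchColumn = {}
-self.__searchColumn["inband"] = { "query": self.__inband, "query2": self.__inband2, "condition": self.__conditionInband, "condition2": self.__conditionInband2 }
-self.__searchColumn["blind"] = { "query": self.__blind, "query2": self.__blind2, "count": self.__count, "count2": self.__count2, "condition": self.__conditionBlind, "condition2": self.__conditionBlind2 }
-self.__queries.searchColumn = self.__searchColumn
-def queriesParser():
-"""
-This function calls a class to parse the default DBMS queries
-from an XML file
-"""
-debugMsg = "parsing XML queries file"
-logger.debug(debugMsg)
-xmlfile = paths.QUERIES_XML
-checkFile(xmlfile)
-handler = queriesHandler()
-parseXmlFile(xmlfile, handler)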


@ -96,8 +96,7 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r
advantage of an blind SQL injection vulnerability on the affected advantage of an blind SQL injection vulnerability on the affected
parameter through a bisection algorithm. parameter through a bisection algorithm.
""" """
query = agent.prefixQuery(" %s" % queries[kb.misc.testedDbms].inference.query)
query = agent.prefixQuery(" %s" % queries[kb.misc.testedDbms].inference)
query = agent.postfixQuery(query) query = agent.postfixQuery(query)
payload = agent.payload(newValue=query) payload = agent.payload(newValue=query)
count = None count = None
@ -139,13 +138,13 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r
# NOTE: I assume that only queries that get data from a table # NOTE: I assume that only queries that get data from a table
# can return multiple entries # can return multiple entries
if fromUser and " FROM " in expression: if fromUser and " FROM " in expression:
limitRegExp = re.search(queries[kb.dbms].limitregexp, expression, re.I) limitRegExp = re.search(queries[kb.dbms].limitregexp.query, expression, re.I)
topLimit = re.search("TOP\s+([\d]+)\s+", expression, re.I) topLimit = re.search("TOP\s+([\d]+)\s+", expression, re.I)
if limitRegExp or ( kb.dbms == "Microsoft SQL Server" and topLimit ): if limitRegExp or ( kb.dbms == "Microsoft SQL Server" and topLimit ):
if kb.dbms in ( "MySQL", "PostgreSQL" ): if kb.dbms in ( "MySQL", "PostgreSQL" ):
limitGroupStart = queries[kb.dbms].limitgroupstart limitGroupStart = queries[kb.dbms].limitgroupstart.query
limitGroupStop = queries[kb.dbms].limitgroupstop limitGroupStop = queries[kb.dbms].limitgroupstop.query
if limitGroupStart.isdigit(): if limitGroupStart.isdigit():
startLimit = int(limitRegExp.group(int(limitGroupStart))) startLimit = int(limitRegExp.group(int(limitGroupStart)))
@ -155,8 +154,8 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r
elif kb.dbms == "Microsoft SQL Server": elif kb.dbms == "Microsoft SQL Server":
if limitRegExp: if limitRegExp:
limitGroupStart = queries[kb.dbms].limitgroupstart limitGroupStart = queries[kb.dbms].limitgroupstart.query
limitGroupStop = queries[kb.dbms].limitgroupstop limitGroupStop = queries[kb.dbms].limitgroupstop.query
if limitGroupStart.isdigit(): if limitGroupStart.isdigit():
startLimit = int(limitRegExp.group(int(limitGroupStart))) startLimit = int(limitRegExp.group(int(limitGroupStart)))
@ -184,7 +183,7 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r
# (or similar, depending on the back-end DBMS) word # (or similar, depending on the back-end DBMS) word
if kb.dbms in ( "MySQL", "PostgreSQL" ): if kb.dbms in ( "MySQL", "PostgreSQL" ):
stopLimit += startLimit stopLimit += startLimit
untilLimitChar = expression.index(queries[kb.dbms].limitstring) untilLimitChar = expression.index(queries[kb.dbms].limitstring.query)
expression = expression[:untilLimitChar] expression = expression[:untilLimitChar]
elif kb.dbms == "Microsoft SQL Server": elif kb.dbms == "Microsoft SQL Server":
@ -202,7 +201,7 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r
if not test or test[0] in ("y", "Y"): if not test or test[0] in ("y", "Y"):
# Count the number of SQL query entries output # Count the number of SQL query entries output
countFirstField = queries[kb.dbms].count % expressionFieldsList[0] countFirstField = queries[kb.dbms].count.query % expressionFieldsList[0]
countedExpression = expression.replace(expressionFields, countFirstField, 1) countedExpression = expression.replace(expressionFields, countFirstField, 1)
if re.search(" ORDER BY ", expression, re.I): if re.search(" ORDER BY ", expression, re.I):
@ -398,7 +397,7 @@ def goStacked(expression, silent=False):
debugMsg = "query: %s" % expression debugMsg = "query: %s" % expression
logger.debug(debugMsg) logger.debug(debugMsg)
comment = queries[kb.dbms].comment comment = queries[kb.dbms].comment.query
query = agent.prefixQuery("; %s" % expression) query = agent.prefixQuery("; %s" % expression)
query = agent.postfixQuery("%s;%s" % (query, comment)) query = agent.postfixQuery("%s;%s" % (query, comment))
payload = agent.payload(newValue=query) payload = agent.payload(newValue=query)


@ -461,7 +461,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
# check it via equal against the substring-query output # check it via equal against the substring-query output
if commonPattern is not None: if commonPattern is not None:
# Substring-query containing equals commonPattern # Substring-query containing equals commonPattern
subquery = queries[kb.dbms].substring % (expressionUnescaped, 1, len(commonPattern)) subquery = queries[kb.dbms].substring.query % (expressionUnescaped, 1, len(commonPattern))
testValue = unescaper.unescape("'%s'" % commonPattern) if "'" not in commonPattern else unescaper.unescape("%s" % commonPattern, quote=False) testValue = unescaper.unescape("'%s'" % commonPattern) if "'" not in commonPattern else unescaper.unescape("%s" % commonPattern, quote=False)
query = agent.prefixQuery(" %s" % safeStringFormat("AND (%s) = %s", (subquery, testValue))) query = agent.prefixQuery(" %s" % safeStringFormat("AND (%s) = %s", (subquery, testValue)))
query = agent.postfixQuery(query) query = agent.postfixQuery(query)


@ -30,7 +30,7 @@ def errorTest():
logger.info(infoMsg) logger.info(infoMsg)
randInt = getUnicode(randomInt(1)) randInt = getUnicode(randomInt(1))
query = queries[kb.dbms].case % ("%s=%s" % (randInt, randInt)) query = queries[kb.dbms].case.query % ("%s=%s" % (randInt, randInt))
result = inject.goError(query) result = inject.goError(query)
if result: if result:


@ -30,14 +30,15 @@ from lib.core.settings import ERROR_EMPTY_CHAR
from lib.core.settings import ERROR_START_CHAR from lib.core.settings import ERROR_START_CHAR
from lib.core.settings import ERROR_END_CHAR from lib.core.settings import ERROR_END_CHAR
def errorUse(expression, resumeValue=True): def errorUse(expression):
""" """
Retrieve the output of a SQL query taking advantage of an error SQL Retrieve the output of a SQL query taking advantage of an error SQL
injection vulnerability on the affected parameter. injection vulnerability on the affected parameter.
""" """
output = None
logic = conf.logic logic = conf.logic
randInt = randomInt(1) randInt = randomInt(1)
query = agent.prefixQuery(" %s" % queries[kb.misc.testedDbms].error) query = agent.prefixQuery(" %s" % queries[kb.misc.testedDbms].error.query)
query = agent.postfixQuery(query) query = agent.postfixQuery(query)
payload = agent.payload(newValue=query) payload = agent.payload(newValue=query)
startLimiter = "" startLimiter = ""
@ -45,14 +46,6 @@ def errorUse(expression, resumeValue=True):
expressionUnescaped = expression expressionUnescaped = expression
if resumeValue:
output = resume(expression, payload)
else:
output = None
if output:
return output
if kb.dbmsDetected: if kb.dbmsDetected:
_, _, _, _, _, _, fieldToCastStr = agent.getFields(expression) _, _, _, _, _, _, fieldToCastStr = agent.getFields(expression)
nulledCastedField = agent.nullAndCastField(fieldToCastStr) nulledCastedField = agent.nullAndCastField(fieldToCastStr)
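Review bot: errorUse's signature loses its `resumeValue` keyword (`def errorUse(expression):`), so any caller still passing `resumeValue=` — none are visible in this commit — now fails with a TypeError; keeping it as an accepted-but-ignored keyword, `def errorUse(expression, resumeValue=True):`, preserves compatibility while the resume path is gone. With the `resume(expression, payload)` call removed, the matching import higher in the file (outside this hunk) is probably unused now and can be dropped. The docstring should also state that results are no longer resumed from the session file, since that was the only behaviour the removed parameter controlled. The function body continues beyond the hunk.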


@ -203,7 +203,7 @@ def unionTest():
value = None value = None
columns = None columns = None
for comment in (queries[kb.dbms].comment, ""): for comment in (queries[kb.dbms].comment.query, ""):
if conf.uTech == "orderby": if conf.uTech == "orderby":
columns = __unionTestByOrderBy(comment) columns = __unionTestByOrderBy(comment)
else: else:


@ -65,12 +65,12 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh
# NOTE: I assume that only queries that get data from a table can # NOTE: I assume that only queries that get data from a table can
# return multiple entries # return multiple entries
if " FROM " in expression: if " FROM " in expression:
limitRegExp = re.search(queries[kb.dbms].limitregexp, expression, re.I) limitRegExp = re.search(queries[kb.dbms].limitregexp.query, expression, re.I)
if limitRegExp: if limitRegExp:
if kb.dbms in ( "MySQL", "PostgreSQL" ): if kb.dbms in ( "MySQL", "PostgreSQL" ):
limitGroupStart = queries[kb.dbms].limitgroupstart limitGroupStart = queries[kb.dbms].limitgroupstart.query
limitGroupStop = queries[kb.dbms].limitgroupstop limitGroupStop = queries[kb.dbms].limitgroupstop.query
if limitGroupStart.isdigit(): if limitGroupStart.isdigit():
startLimit = int(limitRegExp.group(int(limitGroupStart))) startLimit = int(limitRegExp.group(int(limitGroupStart)))
@ -79,8 +79,8 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh
limitCond = int(stopLimit) > 1 limitCond = int(stopLimit) > 1
elif kb.dbms == "Microsoft SQL Server": elif kb.dbms == "Microsoft SQL Server":
limitGroupStart = queries[kb.dbms].limitgroupstart limitGroupStart = queries[kb.dbms].limitgroupstart.query
limitGroupStop = queries[kb.dbms].limitgroupstop limitGroupStop = queries[kb.dbms].limitgroupstop.query
if limitGroupStart.isdigit(): if limitGroupStart.isdigit():
startLimit = int(limitRegExp.group(int(limitGroupStart))) startLimit = int(limitRegExp.group(int(limitGroupStart)))
@ -104,7 +104,7 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh
# (or similar, depending on the back-end DBMS) word # (or similar, depending on the back-end DBMS) word
if kb.dbms in ( "MySQL", "PostgreSQL" ): if kb.dbms in ( "MySQL", "PostgreSQL" ):
stopLimit += startLimit stopLimit += startLimit
untilLimitChar = expression.index(queries[kb.dbms].limitstring) untilLimitChar = expression.index(queries[kb.dbms].limitstring.query)
expression = expression[:untilLimitChar] expression = expression[:untilLimitChar]
elif kb.dbms == "Microsoft SQL Server": elif kb.dbms == "Microsoft SQL Server":
@ -123,7 +123,7 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh
if test: if test:
# Count the number of SQL query entries output # Count the number of SQL query entries output
countFirstField = queries[kb.dbms].count % expressionFieldsList[0] countFirstField = queries[kb.dbms].count.query % expressionFieldsList[0]
countedExpression = origExpr.replace(expressionFields, countFirstField, 1) countedExpression = origExpr.replace(expressionFields, countFirstField, 1)
if re.search(" ORDER BY ", expression, re.I): if re.search(" ORDER BY ", expression, re.I):


@ -14,6 +14,7 @@ from lib.core.common import calculateDeltaSeconds
from lib.core.common import dataToSessionFile from lib.core.common import dataToSessionFile
from lib.core.common import safeStringFormat from lib.core.common import safeStringFormat
from lib.core.common import randomStr from lib.core.common import randomStr
from lib.core.common import replaceNewlineTabs
from lib.core.common import restoreDumpMarkedChars from lib.core.common import restoreDumpMarkedChars
from lib.core.data import conf from lib.core.data import conf
from lib.core.data import kb from lib.core.data import kb
@ -30,7 +31,7 @@ def queryOutputLength(expression, payload):
Returns the query output length. Returns the query output length.
""" """
lengthQuery = queries[kb.dbms].length lengthQuery = queries[kb.dbms].length.query
select = re.search("\ASELECT\s+", expression, re.I) select = re.search("\ASELECT\s+", expression, re.I)
selectTopExpr = re.search("\ASELECT\s+TOP\s+[\d]+\s+(.+?)\s+FROM", expression, re.I) selectTopExpr = re.search("\ASELECT\s+TOP\s+[\d]+\s+(.+?)\s+FROM", expression, re.I)
@ -141,7 +142,7 @@ def resume(expression, payload):
if not kb.dbms: if not kb.dbms:
return None return None
substringQuery = queries[kb.dbms].substring substringQuery = queries[kb.dbms].substring.query
select = re.search("\ASELECT ", expression, re.I) select = re.search("\ASELECT ", expression, re.I)
_, length, regExpr = queryOutputLength(expression, payload) _, length, regExpr = queryOutputLength(expression, payload)
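Review bot: The newly added `from lib.core.common import replaceNewlineTabs` is not used by any hunk in this file, and no other line of the file changes in this commit, so it looks like an unused import unless unchanged code elsewhere in the file already referenced the name; if nothing calls it, drop the line. The `.query` substitutions in queryOutputLength and resume are mechanical and look consistent with the other files. Both functions extend beyond the hunks.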


@ -56,7 +56,7 @@ class Enumeration(GenericEnumeration):
continue continue
query = rootQuery["inband"]["query"] % db query = rootQuery.inband.query % db
value = inject.getValue(query, blind=False) value = inject.getValue(query, blind=False)
if value: if value:
@ -74,7 +74,7 @@ class Enumeration(GenericEnumeration):
infoMsg += "database '%s'" % db infoMsg += "database '%s'" % db
logger.info(infoMsg) logger.info(infoMsg)
query = rootQuery["blind"]["count"] % db query = rootQuery.blind.count % db
count = inject.getValue(query, inband=False, charsetType=2) count = inject.getValue(query, inband=False, charsetType=2)
if not count.isdigit() or not len(count) or count == "0": if not count.isdigit() or not len(count) or count == "0":
@ -86,7 +86,7 @@ class Enumeration(GenericEnumeration):
tables = [] tables = []
for index in range(int(count)): for index in range(int(count)):
query = rootQuery["blind"]["query"] % (db, index, db) query = rootQuery.blind.query % (db, index, db)
table = inject.getValue(query, inband=False) table = inject.getValue(query, inband=False)
tables.append(table) tables.append(table)
kb.hintValue = table kb.hintValue = table
@ -108,8 +108,8 @@ class Enumeration(GenericEnumeration):
rootQuery = queries[kb.dbms].searchTable rootQuery = queries[kb.dbms].searchTable
foundTbls = {} foundTbls = {}
tblList = conf.tbl.split(",") tblList = conf.tbl.split(",")
tblCond = rootQuery["inband"]["condition"] tblCond = rootQuery.inband.condition
dbCond = rootQuery["inband"]["condition2"] dbCond = rootQuery.inband.condition2
tblConsider, tblCondParam = self.likeOrExact("table") tblConsider, tblCondParam = self.likeOrExact("table")
@ -193,7 +193,7 @@ class Enumeration(GenericEnumeration):
foundCols = {} foundCols = {}
dbs = {} dbs = {}
colList = conf.col.split(",") colList = conf.col.split(",")
colCond = rootQuery["inband"]["condition"] colCond = rootQuery.inband.condition
colConsider, colCondParam = self.likeOrExact("column") colConsider, colCondParam = self.likeOrExact("column")
if not len(kb.data.cachedDbs): if not len(kb.data.cachedDbs):


@ -38,11 +38,11 @@ class Enumeration(GenericEnumeration):
if kb.unionPosition or conf.direct: if kb.unionPosition or conf.direct:
if query2: if query2:
query = rootQuery["inband"]["query2"] query = rootQuery.inband.query2
condition = rootQuery["inband"]["condition2"] condition = rootQuery.inband.condition2
else: else:
query = rootQuery["inband"]["query"] query = rootQuery.inband.query
condition = rootQuery["inband"]["condition"] condition = rootQuery.inband.condition
if conf.user: if conf.user:
users = conf.user.split(",") users = conf.user.split(",")
@ -111,9 +111,9 @@ class Enumeration(GenericEnumeration):
queryUser = user queryUser = user
if query2: if query2:
query = rootQuery["blind"]["count2"] % queryUser query = rootQuery.blind.count2 % queryUser
else: else:
query = rootQuery["blind"]["count"] % queryUser query = rootQuery.blind.count % queryUser
count = inject.getValue(query, inband=False, expected="int", charsetType=2) count = inject.getValue(query, inband=False, expected="int", charsetType=2)
if not count.isdigit() or not len(count) or count == "0": if not count.isdigit() or not len(count) or count == "0":
@ -137,9 +137,9 @@ class Enumeration(GenericEnumeration):
for index in indexRange: for index in indexRange:
if query2: if query2:
query = rootQuery["blind"]["query2"] % (queryUser, index) query = rootQuery.blind.query2 % (queryUser, index)
else: else:
query = rootQuery["blind"]["query"] % (queryUser, index) query = rootQuery.blind.query % (queryUser, index)
role = inject.getValue(query, inband=False) role = inject.getValue(query, inband=False)
# In Oracle we get the list of roles as string # In Oracle we get the list of roles as string
@ -178,7 +178,7 @@ class Enumeration(GenericEnumeration):
foundCols = {} foundCols = {}
dbs = { "USERS": {} } dbs = { "USERS": {} }
colList = conf.col.split(",") colList = conf.col.split(",")
colCond = rootQuery["inband"]["condition"] colCond = rootQuery.inband.condition
colConsider, colCondParam = self.likeOrExact("column") colConsider, colCondParam = self.likeOrExact("column")
for column in colList: for column in colList:
@ -197,7 +197,7 @@ class Enumeration(GenericEnumeration):
for db in dbs.keys(): for db in dbs.keys():
if kb.unionPosition or conf.direct: if kb.unionPosition or conf.direct:
query = rootQuery["inband"]["query"] query = rootQuery.inband.query
query += colQuery query += colQuery
values = inject.getValue(query, blind=False) values = inject.getValue(query, blind=False)
@ -234,7 +234,7 @@ class Enumeration(GenericEnumeration):
infoMsg += " '%s' in database '%s'" % (column, db) infoMsg += " '%s' in database '%s'" % (column, db)
logger.info(infoMsg) logger.info(infoMsg)
query = rootQuery["blind"]["count2"] query = rootQuery.blind.count2
query += " WHERE %s" % colQuery query += " WHERE %s" % colQuery
count = inject.getValue(query, inband=False, expected="int", charsetType=2) count = inject.getValue(query, inband=False, expected="int", charsetType=2)
@ -251,7 +251,7 @@ class Enumeration(GenericEnumeration):
indexRange = getRange(count) indexRange = getRange(count)
for index in indexRange: for index in indexRange:
query = rootQuery["blind"]["query2"] query = rootQuery.blind.query2
query += " WHERE %s" % colQuery query += " WHERE %s" % colQuery
query = agent.limitQuery(index, query) query = agent.limitQuery(index, query)
tbl = inject.getValue(query, inband=False) tbl = inject.getValue(query, inband=False)


@ -76,7 +76,7 @@ class Enumeration:
if conf.unionUse or conf.unionTest: if conf.unionUse or conf.unionTest:
conf.dumper.technic("valid union", unionTest()) conf.dumper.technic("valid union", unionTest())
query = queries[kb.dbms].banner query = queries[kb.dbms].banner.query
kb.data.banner = inject.getValue(query) kb.data.banner = inject.getValue(query)
bannerParser(kb.data.banner) bannerParser(kb.data.banner)
@ -97,7 +97,7 @@ class Enumeration:
infoMsg = "fetching current user" infoMsg = "fetching current user"
logger.info(infoMsg) logger.info(infoMsg)
query = queries[kb.dbms].currentUser query = queries[kb.dbms].currentUser.query
if not kb.data.currentUser: if not kb.data.currentUser:
kb.data.currentUser = inject.getValue(query) kb.data.currentUser = inject.getValue(query)
@ -108,7 +108,7 @@ class Enumeration:
infoMsg = "fetching current database" infoMsg = "fetching current database"
logger.info(infoMsg) logger.info(infoMsg)
query = queries[kb.dbms].currentDb query = queries[kb.dbms].currentDb.query
if not kb.data.currentDb: if not kb.data.currentDb:
kb.data.currentDb = inject.getValue(query) kb.data.currentDb = inject.getValue(query)
@ -119,7 +119,7 @@ class Enumeration:
infoMsg = "testing if current user is DBA" infoMsg = "testing if current user is DBA"
logger.info(infoMsg) logger.info(infoMsg)
query = agent.forgeCaseStatement(queries[kb.dbms].isDba) query = agent.forgeCaseStatement(queries[kb.dbms].isDba.query)
kb.data.isDba = inject.getValue(query, unpack=False, charsetType=1) kb.data.isDba = inject.getValue(query, unpack=False, charsetType=1)
@ -136,9 +136,9 @@ class Enumeration:
if kb.unionPosition or conf.direct: if kb.unionPosition or conf.direct:
if condition: if condition:
query = rootQuery["inband"]["query2"] query = rootQuery.inband.query2
else: else:
query = rootQuery["inband"]["query"] query = rootQuery.inband.query
value = inject.getValue(query, blind=False) value = inject.getValue(query, blind=False)
if value: if value:
@ -149,9 +149,9 @@ class Enumeration:
logger.info(infoMsg) logger.info(infoMsg)
if condition: if condition:
query = rootQuery["blind"]["count2"] query = rootQuery.blind.count2
else: else:
query = rootQuery["blind"]["count"] query = rootQuery.blind.count
count = inject.getValue(query, inband=False, expected="int", charsetType=2) count = inject.getValue(query, inband=False, expected="int", charsetType=2)
if not count.isdigit() or not len(count) or count == "0": if not count.isdigit() or not len(count) or count == "0":
@ -166,9 +166,9 @@ class Enumeration:
for index in indexRange: for index in indexRange:
if condition: if condition:
query = rootQuery["blind"]["query2"] % index query = rootQuery.blind.query2 % index
else: else:
query = rootQuery["blind"]["query"] % index query = rootQuery.blind.query % index
user = inject.getValue(query, inband=False) user = inject.getValue(query, inband=False)
if user: if user:
@ -193,11 +193,11 @@ class Enumeration:
if kb.unionPosition or conf.direct: if kb.unionPosition or conf.direct:
if kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ): if kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ):
query = rootQuery["inband"]["query2"] query = rootQuery.inband.query2
else: else:
query = rootQuery["inband"]["query"] query = rootQuery.inband.query
condition = rootQuery["inband"]["condition"] condition = rootQuery.inband.condition
if conf.user: if conf.user:
if "," in conf.user: if "," in conf.user:
@ -256,9 +256,9 @@ class Enumeration:
logger.info(infoMsg) logger.info(infoMsg)
if kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ): if kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ):
query = rootQuery["blind"]["count2"] % user query = rootQuery.blind.count2 % user
else: else:
query = rootQuery["blind"]["count"] % user query = rootQuery.blind.count % user
count = inject.getValue(query, inband=False, expected="int", charsetType=2) count = inject.getValue(query, inband=False, expected="int", charsetType=2)
if not count.isdigit() or not len(count) or count == "0": if not count.isdigit() or not len(count) or count == "0":
@ -281,11 +281,11 @@ class Enumeration:
for index in indexRange: for index in indexRange:
if kb.dbms == "Microsoft SQL Server": if kb.dbms == "Microsoft SQL Server":
if kb.dbmsVersion[0] in ( "2005", "2008" ): if kb.dbmsVersion[0] in ( "2005", "2008" ):
query = rootQuery["blind"]["query2"] % (user, index, user) query = rootQuery.blind.query2 % (user, index, user)
else: else:
query = rootQuery["blind"]["query"] % (user, index, user) query = rootQuery.blind.query % (user, index, user)
else: else:
query = rootQuery["blind"]["query"] % (user, index) query = rootQuery.blind.query % (user, index)
password = inject.getValue(query, inband=False) password = inject.getValue(query, inband=False)
password = parsePasswordHash(password) password = parsePasswordHash(password)
passwords.append(password) passwords.append(password)
@ -390,14 +390,14 @@ class Enumeration:
if kb.unionPosition or conf.direct: if kb.unionPosition or conf.direct:
if kb.dbms == "MySQL" and not kb.data.has_information_schema: if kb.dbms == "MySQL" and not kb.data.has_information_schema:
query = rootQuery["inband"]["query2"] query = rootQuery.inband.query2
condition = rootQuery["inband"]["condition2"] condition = rootQuery.inband.condition2
elif kb.dbms == "Oracle" and query2: elif kb.dbms == "Oracle" and query2:
query = rootQuery["inband"]["query2"] query = rootQuery.inband.query2
condition = rootQuery["inband"]["condition2"] condition = rootQuery.inband.condition2
else: else:
query = rootQuery["inband"]["query"] query = rootQuery.inband.query
condition = rootQuery["inband"]["condition"] condition = rootQuery.inband.condition
if conf.user: if conf.user:
users = conf.user.split(",") users = conf.user.split(",")
@ -506,13 +506,13 @@ class Enumeration:
queryUser = user queryUser = user
if kb.dbms == "MySQL" and not kb.data.has_information_schema: if kb.dbms == "MySQL" and not kb.data.has_information_schema:
query = rootQuery["blind"]["count2"] % queryUser query = rootQuery.blind.count2 % queryUser
elif kb.dbms == "MySQL" and kb.data.has_information_schema: elif kb.dbms == "MySQL" and kb.data.has_information_schema:
query = rootQuery["blind"]["count"] % (conditionChar, queryUser) query = rootQuery.blind.count % (conditionChar, queryUser)
elif kb.dbms == "Oracle" and query2: elif kb.dbms == "Oracle" and query2:
query = rootQuery["blind"]["count2"] % queryUser query = rootQuery.blind.count2 % queryUser
else: else:
query = rootQuery["blind"]["count"] % queryUser query = rootQuery.blind.count % queryUser
count = inject.getValue(query, inband=False, expected="int", charsetType=2) count = inject.getValue(query, inband=False, expected="int", charsetType=2)
if not count.isdigit() or not len(count) or count == "0": if not count.isdigit() or not len(count) or count == "0":
@ -540,15 +540,15 @@ class Enumeration:
for index in indexRange: for index in indexRange:
if kb.dbms == "MySQL" and not kb.data.has_information_schema: if kb.dbms == "MySQL" and not kb.data.has_information_schema:
query = rootQuery["blind"]["query2"] % (queryUser, index) query = rootQuery.blind.query2 % (queryUser, index)
elif kb.dbms == "MySQL" and kb.data.has_information_schema: elif kb.dbms == "MySQL" and kb.data.has_information_schema:
query = rootQuery["blind"]["query"] % (conditionChar, queryUser, index) query = rootQuery.blind.query % (conditionChar, queryUser, index)
elif kb.dbms == "Oracle" and query2: elif kb.dbms == "Oracle" and query2:
query = rootQuery["blind"]["query2"] % (queryUser, index) query = rootQuery.blind.query2 % (queryUser, index)
elif kb.dbms == "Firebird": elif kb.dbms == "Firebird":
query = rootQuery["blind"]["query"] % (index, queryUser) query = rootQuery.blind.query % (index, queryUser)
else: else:
query = rootQuery["blind"]["query"] % (queryUser, index) query = rootQuery.blind.query % (queryUser, index)
privilege = inject.getValue(query, inband=False) privilege = inject.getValue(query, inband=False)
# In PostgreSQL we get 1 if the privilege is True, # In PostgreSQL we get 1 if the privilege is True,
@ -636,9 +636,9 @@ class Enumeration:
if kb.unionPosition or conf.direct: if kb.unionPosition or conf.direct:
if kb.dbms == "MySQL" and not kb.data.has_information_schema: if kb.dbms == "MySQL" and not kb.data.has_information_schema:
query = rootQuery["inband"]["query2"] query = rootQuery.inband.query2
else: else:
query = rootQuery["inband"]["query"] query = rootQuery.inband.query
value = inject.getValue(query, blind=False) value = inject.getValue(query, blind=False)
if value: if value:
@ -649,9 +649,9 @@ class Enumeration:
logger.info(infoMsg) logger.info(infoMsg)
if kb.dbms == "MySQL" and not kb.data.has_information_schema: if kb.dbms == "MySQL" and not kb.data.has_information_schema:
query = rootQuery["blind"]["count2"] query = rootQuery.blind.count2
else: else:
query = rootQuery["blind"]["count"] query = rootQuery.blind.count
count = inject.getValue(query, inband=False, expected="int", charsetType=2) count = inject.getValue(query, inband=False, expected="int", charsetType=2)
if not count.isdigit() or not len(count) or count == "0": if not count.isdigit() or not len(count) or count == "0":
@ -662,9 +662,9 @@ class Enumeration:
for index in indexRange: for index in indexRange:
if kb.dbms == "MySQL" and not kb.data.has_information_schema: if kb.dbms == "MySQL" and not kb.data.has_information_schema:
query = rootQuery["blind"]["query2"] % index query = rootQuery.blind.query2 % index
else: else:
query = rootQuery["blind"]["query"] % index query = rootQuery.blind.query % index
db = inject.getValue(query, inband=False) db = inject.getValue(query, inband=False)
if db: if db:
@ -702,8 +702,8 @@ class Enumeration:
rootQuery = queries[kb.dbms].tables rootQuery = queries[kb.dbms].tables
if kb.unionPosition or conf.direct: if kb.unionPosition or conf.direct:
query = rootQuery["inband"]["query"] query = rootQuery.inband.query
condition = rootQuery["inband"]["condition"] condition = rootQuery.inband.condition
if conf.db and kb.dbms != "SQLite": if conf.db and kb.dbms != "SQLite":
if "," in conf.db: if "," in conf.db:
@ -762,9 +762,9 @@ class Enumeration:
logger.info(infoMsg) logger.info(infoMsg)
if kb.dbms in ("SQLite", "Firebird"): if kb.dbms in ("SQLite", "Firebird"):
query = rootQuery["blind"]["count"] query = rootQuery.blind.count
else: else:
query = rootQuery["blind"]["count"] % db query = rootQuery.blind.count % db
count = inject.getValue(query, inband=False, expected="int", charsetType=2) count = inject.getValue(query, inband=False, expected="int", charsetType=2)
if not count.isdigit() or not len(count) or count == "0": if not count.isdigit() or not len(count) or count == "0":
@ -783,9 +783,9 @@ class Enumeration:
for index in indexRange: for index in indexRange:
if kb.dbms in ("SQLite", "Firebird"): if kb.dbms in ("SQLite", "Firebird"):
query = rootQuery["blind"]["query"] % index query = rootQuery.blind.query % index
else: else:
query = rootQuery["blind"]["query"] % (db, index) query = rootQuery.blind.query % (db, index)
table = inject.getValue(query, inband=False) table = inject.getValue(query, inband=False)
tables.append(table) tables.append(table)
kb.hintValue = table kb.hintValue = table
@ -880,7 +880,7 @@ class Enumeration:
} }
rootQuery = queries[kb.dbms].columns rootQuery = queries[kb.dbms].columns
condition = rootQuery["blind"]["condition"] condition = rootQuery.blind.condition
infoMsg = "fetching columns " infoMsg = "fetching columns "
@ -899,19 +899,19 @@ class Enumeration:
if kb.unionPosition or conf.direct: if kb.unionPosition or conf.direct:
if kb.dbms in ( "MySQL", "PostgreSQL" ): if kb.dbms in ( "MySQL", "PostgreSQL" ):
query = rootQuery["inband"]["query"] % (conf.tbl, conf.db) query = rootQuery.inband.query % (conf.tbl, conf.db)
query += condQuery query += condQuery
elif kb.dbms == "Oracle": elif kb.dbms == "Oracle":
query = rootQuery["inband"]["query"] % conf.tbl.upper() query = rootQuery.inband.query % conf.tbl.upper()
query += condQuery query += condQuery
elif kb.dbms == "Microsoft SQL Server": elif kb.dbms == "Microsoft SQL Server":
query = rootQuery["inband"]["query"] % (conf.db, conf.db, query = rootQuery.inband.query % (conf.db, conf.db,
conf.db, conf.db, conf.db, conf.db,
conf.db, conf.db, conf.db, conf.db,
conf.db, conf.tbl) conf.db, conf.tbl)
query += condQuery.replace("[DB]", conf.db) query += condQuery.replace("[DB]", conf.db)
elif kb.dbms == "SQLite": elif kb.dbms == "SQLite":
query = rootQuery["inband"]["query"] % conf.tbl query = rootQuery.inband.query % conf.tbl
value = inject.getValue(query, blind=False) value = inject.getValue(query, blind=False)
@ -936,16 +936,16 @@ class Enumeration:
logger.info(infoMsg) logger.info(infoMsg)
if kb.dbms in ( "MySQL", "PostgreSQL" ): if kb.dbms in ( "MySQL", "PostgreSQL" ):
query = rootQuery["blind"]["count"] % (conf.tbl, conf.db) query = rootQuery.blind.count % (conf.tbl, conf.db)
query += condQuery query += condQuery
elif kb.dbms == "Oracle": elif kb.dbms == "Oracle":
query = rootQuery["blind"]["count"] % conf.tbl.upper() query = rootQuery.blind.count % conf.tbl.upper()
query += condQuery query += condQuery
elif kb.dbms == "Microsoft SQL Server": elif kb.dbms == "Microsoft SQL Server":
query = rootQuery["blind"]["count"] % (conf.db, conf.db, conf.tbl) query = rootQuery.blind.count % (conf.db, conf.db, conf.tbl)
query += condQuery.replace("[DB]", conf.db) query += condQuery.replace("[DB]", conf.db)
elif kb.dbms == "Firebird": elif kb.dbms == "Firebird":
query = rootQuery["blind"]["count"] % (conf.tbl) query = rootQuery.blind.count % (conf.tbl)
query += condQuery query += condQuery
count = inject.getValue(query, inband=False, expected="int", charsetType=2) count = inject.getValue(query, inband=False, expected="int", charsetType=2)
@ -963,22 +963,22 @@ class Enumeration:
for index in indexRange: for index in indexRange:
if kb.dbms in ( "MySQL", "PostgreSQL" ): if kb.dbms in ( "MySQL", "PostgreSQL" ):
query = rootQuery["blind"]["query"] % (conf.tbl, conf.db) query = rootQuery.blind.query % (conf.tbl, conf.db)
query += condQuery query += condQuery
field = None field = None
elif kb.dbms == "Oracle": elif kb.dbms == "Oracle":
query = rootQuery["blind"]["query"] % (conf.tbl.upper()) query = rootQuery.blind.query % (conf.tbl.upper())
query += condQuery query += condQuery
field = None field = None
elif kb.dbms == "Microsoft SQL Server": elif kb.dbms == "Microsoft SQL Server":
query = rootQuery["blind"]["query"] % (conf.db, conf.db, query = rootQuery.blind.query % (conf.db, conf.db,
conf.db, conf.db, conf.db, conf.db,
conf.db, conf.db, conf.db, conf.db,
conf.tbl) conf.tbl)
query += condQuery.replace("[DB]", conf.db) query += condQuery.replace("[DB]", conf.db)
field = condition.replace("[DB]", conf.db) field = condition.replace("[DB]", conf.db)
elif kb.dbms == "Firebird": elif kb.dbms == "Firebird":
query = rootQuery["blind"]["query"] % (conf.tbl) query = rootQuery.blind.query % (conf.tbl)
query += condQuery query += condQuery
field = None field = None
@ -987,15 +987,15 @@ class Enumeration:
if not onlyColNames: if not onlyColNames:
if kb.dbms in ( "MySQL", "PostgreSQL" ): if kb.dbms in ( "MySQL", "PostgreSQL" ):
query = rootQuery["blind"]["query2"] % (conf.tbl, column, conf.db) query = rootQuery.blind.query2 % (conf.tbl, column, conf.db)
elif kb.dbms == "Oracle": elif kb.dbms == "Oracle":
query = rootQuery["blind"]["query2"] % (conf.tbl.upper(), column) query = rootQuery.blind.query2 % (conf.tbl.upper(), column)
elif kb.dbms == "Microsoft SQL Server": elif kb.dbms == "Microsoft SQL Server":
query = rootQuery["blind"]["query2"] % (conf.db, conf.db, conf.db, query = rootQuery.blind.query2 % (conf.db, conf.db, conf.db,
conf.db, column, conf.db, conf.db, column, conf.db,
conf.db, conf.db, conf.tbl) conf.db, conf.db, conf.tbl)
elif kb.dbms == "Firebird": elif kb.dbms == "Firebird":
query = rootQuery["blind"]["query2"] % (conf.tbl, column) query = rootQuery.blind.query2 % (conf.tbl, column)
colType = inject.getValue(query, inband=False) colType = inject.getValue(query, inband=False)
@ -1078,11 +1078,11 @@ class Enumeration:
if kb.unionPosition or conf.direct: if kb.unionPosition or conf.direct:
if kb.dbms == "Oracle": if kb.dbms == "Oracle":
query = rootQuery["inband"]["query"] % (colString, conf.tbl.upper()) query = rootQuery.inband.query % (colString, conf.tbl.upper())
elif kb.dbms == "SQLite": elif kb.dbms == "SQLite":
query = rootQuery["inband"]["query"] % (colString, conf.tbl) query = rootQuery.inband.query % (colString, conf.tbl)
else: else:
query = rootQuery["inband"]["query"] % (colString, conf.db, conf.tbl) query = rootQuery.inband.query % (colString, conf.db, conf.tbl)
entries = inject.getValue(query, blind=False, dump=True) entries = inject.getValue(query, blind=False, dump=True)
if entries: if entries:
@ -1126,11 +1126,11 @@ class Enumeration:
logger.info(infoMsg) logger.info(infoMsg)
if kb.dbms == "Oracle": if kb.dbms == "Oracle":
query = rootQuery["blind"]["count"] % conf.tbl.upper() query = rootQuery.blind.count % conf.tbl.upper()
elif kb.dbms == "SQLite": elif kb.dbms == "SQLite":
query = rootQuery["blind"]["count"] % conf.tbl query = rootQuery.blind.count % conf.tbl
else: else:
query = rootQuery["blind"]["count"] % (conf.db, conf.tbl) query = rootQuery.blind.count % (conf.db, conf.tbl)
count = inject.getValue(query, inband=False, expected="int", charsetType=2) count = inject.getValue(query, inband=False, expected="int", charsetType=2)
if not count.isdigit() or not len(count) or count == "0": if not count.isdigit() or not len(count) or count == "0":
@ -1162,19 +1162,19 @@ class Enumeration:
entries[column] = [] entries[column] = []
if kb.dbms in ( "MySQL", "PostgreSQL" ): if kb.dbms in ( "MySQL", "PostgreSQL" ):
query = rootQuery["blind"]["query"] % (column, conf.db, query = rootQuery.blind.query % (column, conf.db,
conf.tbl, index) conf.tbl, index)
elif kb.dbms == "Oracle": elif kb.dbms == "Oracle":
query = rootQuery["blind"]["query"] % (column, column, query = rootQuery.blind.query % (column, column,
conf.tbl.upper(), conf.tbl.upper(),
index) index)
elif kb.dbms == "Microsoft SQL Server": elif kb.dbms == "Microsoft SQL Server":
query = rootQuery["blind"]["query"] % (column, conf.db, query = rootQuery.blind.query % (column, conf.db,
conf.tbl, column, conf.tbl, column,
index, column, index, column,
conf.db, conf.tbl) conf.db, conf.tbl)
elif kb.dbms == "SQLite": elif kb.dbms == "SQLite":
query = rootQuery["blind"]["query"] % (column, conf.tbl, index) query = rootQuery.blind.query % (column, conf.tbl, index)
value = inject.getValue(query, inband=False) value = inject.getValue(query, inband=False)
@ -1311,9 +1311,9 @@ class Enumeration:
dbList = conf.db.split(",") dbList = conf.db.split(",")
if kb.dbms == "MySQL" and not kb.data.has_information_schema: if kb.dbms == "MySQL" and not kb.data.has_information_schema:
dbCond = rootQuery["inband"]["condition2"] dbCond = rootQuery.inband.condition2
else: else:
dbCond = rootQuery["inband"]["condition"] dbCond = rootQuery.inband.condition
dbConsider, dbCondParam = self.likeOrExact("database") dbConsider, dbCondParam = self.likeOrExact("database")
@ -1336,9 +1336,9 @@ class Enumeration:
if kb.unionPosition or conf.direct: if kb.unionPosition or conf.direct:
if kb.dbms == "MySQL" and not kb.data.has_information_schema: if kb.dbms == "MySQL" and not kb.data.has_information_schema:
query = rootQuery["inband"]["query2"] query = rootQuery.inband.query2
else: else:
query = rootQuery["inband"]["query"] query = rootQuery.inband.query
query += dbQuery query += dbQuery
query += exclDbsQuery query += exclDbsQuery
values = inject.getValue(query, blind=False) values = inject.getValue(query, blind=False)
@ -1357,9 +1357,9 @@ class Enumeration:
logger.info(infoMsg) logger.info(infoMsg)
if kb.dbms == "MySQL" and not kb.data.has_information_schema: if kb.dbms == "MySQL" and not kb.data.has_information_schema:
query = rootQuery["blind"]["count2"] query = rootQuery.blind.count2
else: else:
query = rootQuery["blind"]["count"] query = rootQuery.blind.count
query += dbQuery query += dbQuery
query += exclDbsQuery query += exclDbsQuery
count = inject.getValue(query, inband=False, expected="int", charsetType=2) count = inject.getValue(query, inband=False, expected="int", charsetType=2)
@ -1377,9 +1377,9 @@ class Enumeration:
for index in indexRange: for index in indexRange:
if kb.dbms == "MySQL" and not kb.data.has_information_schema: if kb.dbms == "MySQL" and not kb.data.has_information_schema:
query = rootQuery["blind"]["query2"] query = rootQuery.blind.query2
else: else:
query = rootQuery["blind"]["query"] query = rootQuery.blind.query
query += dbQuery query += dbQuery
query += exclDbsQuery query += exclDbsQuery
query = agent.limitQuery(index, query, dbCond) query = agent.limitQuery(index, query, dbCond)
@ -1397,8 +1397,8 @@ class Enumeration:
rootQuery = queries[kb.dbms].searchTable rootQuery = queries[kb.dbms].searchTable
foundTbls = {} foundTbls = {}
tblList = conf.tbl.split(",") tblList = conf.tbl.split(",")
tblCond = rootQuery["inband"]["condition"] tblCond = rootQuery.inband.condition
dbCond = rootQuery["inband"]["condition2"] dbCond = rootQuery.inband.condition2
tblConsider, tblCondParam = self.likeOrExact("table") tblConsider, tblCondParam = self.likeOrExact("table")
@ -1423,7 +1423,7 @@ class Enumeration:
tblQuery = tblQuery % tbl tblQuery = tblQuery % tbl
if kb.unionPosition or conf.direct: if kb.unionPosition or conf.direct:
query = rootQuery["inband"]["query"] query = rootQuery.inband.query
query += tblQuery query += tblQuery
query += exclDbsQuery query += exclDbsQuery
values = inject.getValue(query, blind=False) values = inject.getValue(query, blind=False)
@ -1444,7 +1444,7 @@ class Enumeration:
infoMsg += " '%s'" % tbl infoMsg += " '%s'" % tbl
logger.info(infoMsg) logger.info(infoMsg)
query = rootQuery["blind"]["count"] query = rootQuery.blind.count
query += tblQuery query += tblQuery
query += exclDbsQuery query += exclDbsQuery
count = inject.getValue(query, inband=False, expected="int", charsetType=2) count = inject.getValue(query, inband=False, expected="int", charsetType=2)
@ -1461,7 +1461,7 @@ class Enumeration:
indexRange = getRange(count) indexRange = getRange(count)
for index in indexRange: for index in indexRange:
query = rootQuery["blind"]["query"] query = rootQuery.blind.query
query += tblQuery query += tblQuery
query += exclDbsQuery query += exclDbsQuery
query = agent.limitQuery(index, query) query = agent.limitQuery(index, query)
@ -1481,7 +1481,7 @@ class Enumeration:
infoMsg += " '%s' in database '%s'" % (tbl, db) infoMsg += " '%s' in database '%s'" % (tbl, db)
logger.info(infoMsg) logger.info(infoMsg)
query = rootQuery["blind"]["count2"] query = rootQuery.blind.count2
query = query % db query = query % db
query += " AND %s" % tblQuery query += " AND %s" % tblQuery
count = inject.getValue(query, inband=False, expected="int", charsetType=2) count = inject.getValue(query, inband=False, expected="int", charsetType=2)
@ -1499,7 +1499,7 @@ class Enumeration:
indexRange = getRange(count) indexRange = getRange(count)
for index in indexRange: for index in indexRange:
query = rootQuery["blind"]["query2"] query = rootQuery.blind.query2
query = query % db query = query % db
query += " AND %s" % tblQuery query += " AND %s" % tblQuery
query = agent.limitQuery(index, query) query = agent.limitQuery(index, query)
@ -1519,8 +1519,8 @@ class Enumeration:
foundCols = {} foundCols = {}
dbs = {} dbs = {}
colList = conf.col.split(",") colList = conf.col.split(",")
colCond = rootQuery["inband"]["condition"] colCond = rootQuery.inband.condition
dbCond = rootQuery["inband"]["condition2"] dbCond = rootQuery.inband.condition2
colConsider, colCondParam = self.likeOrExact("column") colConsider, colCondParam = self.likeOrExact("column")
@ -1544,7 +1544,7 @@ class Enumeration:
colQuery = colQuery % column colQuery = colQuery % column
if kb.unionPosition or conf.direct: if kb.unionPosition or conf.direct:
query = rootQuery["inband"]["query"] query = rootQuery.inband.query
query += colQuery query += colQuery
query += exclDbsQuery query += exclDbsQuery
values = inject.getValue(query, blind=False) values = inject.getValue(query, blind=False)
@ -1583,7 +1583,7 @@ class Enumeration:
infoMsg += " '%s'" % column infoMsg += " '%s'" % column
logger.info(infoMsg) logger.info(infoMsg)
query = rootQuery["blind"]["count"] query = rootQuery.blind.count
query += colQuery query += colQuery
query += exclDbsQuery query += exclDbsQuery
count = inject.getValue(query, inband=False, expected="int", charsetType=2) count = inject.getValue(query, inband=False, expected="int", charsetType=2)
@ -1600,7 +1600,7 @@ class Enumeration:
indexRange = getRange(count) indexRange = getRange(count)
for index in indexRange: for index in indexRange:
query = rootQuery["blind"]["query"] query = rootQuery.blind.query
query += colQuery query += colQuery
query += exclDbsQuery query += exclDbsQuery
query = agent.limitQuery(index, query) query = agent.limitQuery(index, query)
@ -1623,7 +1623,7 @@ class Enumeration:
infoMsg += " '%s' in database '%s'" % (column, db) infoMsg += " '%s' in database '%s'" % (column, db)
logger.info(infoMsg) logger.info(infoMsg)
query = rootQuery["blind"]["count2"] query = rootQuery.blind.count2
query = query % db query = query % db
query += " AND %s" % colQuery query += " AND %s" % colQuery
count = inject.getValue(query, inband=False, expected="int", charsetType=2) count = inject.getValue(query, inband=False, expected="int", charsetType=2)
@ -1641,7 +1641,7 @@ class Enumeration:
indexRange = getRange(count) indexRange = getRange(count)
for index in indexRange: for index in indexRange:
query = rootQuery["blind"]["query2"] query = rootQuery.blind.query2
query = query % db query = query % db
query += " AND %s" % colQuery query += " AND %s" % colQuery
query = agent.limitQuery(index, query) query = agent.limitQuery(index, query)
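Review bot: Two different access conventions for the XML-backed query templates now sit side by side in this file and nothing documents which applies where: top-level entries are read as `queries[kb.dbms].banner.query` (also `currentUser.query`, `currentDb.query`, `isDba.query`), while nested ones are used directly, `rootQuery.blind.count2 % user` and `rootQuery.inband.condition`, with no `.query` suffix. Presumably the nested elements carry their SQL in `count`/`query`/`condition` attributes whereas the top-level elements carry it in a `query` attribute, but a reader of this file cannot tell, so a maintainer adding a DBMS entry will get it wrong; a one-line comment where `rootQuery` is first assigned, e.g. `# rootQuery.blind.* / rootQuery.inband.* are attributes holding the SQL template; top-level entries keep theirs under .query`, would settle it. A related consequence of the switch from `rootQuery["blind"]["count"]` is that a missing node or attribute in the XML definition no longer raises KeyError but whatever the XMLNode attribute lookup raises, and none of the enumeration paths here catch either, so a typo in the XML surfaces as a traceback deep in a fetch rather than at load time; validating the required nodes once when `queries` is loaded would be cheaper than per-call checks. Every method these hunks touch starts and ends outside the hunks.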


@ -67,7 +67,7 @@ class Miscellaneous:
else: else:
raise sqlmapUnsupportedFeatureException, "unsupported DBMS" raise sqlmapUnsupportedFeatureException, "unsupported DBMS"
query = queries[kb.dbms].substring % (queries[kb.dbms].banner, first, last) query = queries[kb.dbms].substring.query % (queries[kb.dbms].banner.query, first, last)
if conf.direct: if conf.direct:
query = "SELECT %s" % query query = "SELECT %s" % query