sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-11-04 01:47:37 +03:00
Code Issues Packages Projects Releases Wiki Activity

Implements option --union-values (#5508)

Browse Source
This commit is contained in:
Miroslav Stampar 2023-09-04 18:34:21 +02:00
parent 4f2a883544
commit be118e861c
7 changed files with 30 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
lib/core/agent.py
View File

@ -45,6 +45,7 @@ from lib.core.exception import SqlmapNoneDataException
from lib.core.settings import BOUNDED_BASE64_MARKER from lib.core.settings import BOUNDED_BASE64_MARKER
from lib.core.settings import BOUNDARY_BACKSLASH_MARKER from lib.core.settings import BOUNDARY_BACKSLASH_MARKER
from lib.core.settings import BOUNDED_INJECTION_MARKER from lib.core.settings import BOUNDED_INJECTION_MARKER
from lib.core.settings import CUSTOM_INJECTION_MARK_CHAR
from lib.core.settings import DEFAULT_COOKIE_DELIMITER from lib.core.settings import DEFAULT_COOKIE_DELIMITER
from lib.core.settings import DEFAULT_GET_POST_DELIMITER from lib.core.settings import DEFAULT_GET_POST_DELIMITER
from lib.core.settings import GENERIC_SQL_COMMENT from lib.core.settings import GENERIC_SQL_COMMENT
@ -890,11 +891,16 @@ class Agent(object):
if element > 0: if element > 0:
unionQuery += ',' unionQuery += ','
if element == position: if conf.uValues:
unionQuery += conf.uValues.split(',')[element]
elif element == position:
unionQuery += query unionQuery += query
else: else:
unionQuery += char unionQuery += char
if conf.uValues:
unionQuery = unionQuery.replace(CUSTOM_INJECTION_MARK_CHAR, query)
if fromTable and not unionQuery.endswith(fromTable): if fromTable and not unionQuery.endswith(fromTable):
unionQuery += fromTable unionQuery += fromTable

12
lib/core/option.py
View File

@ -1801,6 +1801,9 @@ def _cleanupOptions():
conf.dbms = dbms if conf.dbms and ',' not in conf.dbms else None conf.dbms = dbms if conf.dbms and ',' not in conf.dbms else None
break break
if conf.uValues:
conf.uCols = "%d-%d" % (1 + conf.uValues.count(','), 1 + conf.uValues.count(','))
if conf.testFilter: if conf.testFilter:
conf.testFilter = conf.testFilter.strip('*+') conf.testFilter = conf.testFilter.strip('*+')
conf.testFilter = re.sub(r"([^.])([*+])", r"\g<1>.\g<2>", conf.testFilter) conf.testFilter = re.sub(r"([^.])([*+])", r"\g<1>.\g<2>", conf.testFilter)
@ -2582,6 +2585,10 @@ def _basicOptionValidation():
errMsg = "switch '--text-only' is incompatible with switch '--null-connection'" errMsg = "switch '--text-only' is incompatible with switch '--null-connection'"
raise SqlmapSyntaxException(errMsg) raise SqlmapSyntaxException(errMsg)
if conf.uValues and conf.uChar:
errMsg = "option '--union-values' is incompatible with option '--union-char'"
raise SqlmapSyntaxException(errMsg)
if conf.base64Parameter and conf.tamper: if conf.base64Parameter and conf.tamper:
errMsg = "option '--base64' is incompatible with option '--tamper'" errMsg = "option '--base64' is incompatible with option '--tamper'"
raise SqlmapSyntaxException(errMsg) raise SqlmapSyntaxException(errMsg)
@ -2804,6 +2811,11 @@ def _basicOptionValidation():
errMsg = "option '--dump-format' accepts one of following values: %s" % ", ".join(getPublicTypeMembers(DUMP_FORMAT, True)) errMsg = "option '--dump-format' accepts one of following values: %s" % ", ".join(getPublicTypeMembers(DUMP_FORMAT, True))
raise SqlmapSyntaxException(errMsg) raise SqlmapSyntaxException(errMsg)
if conf.uValues and (not re.search(r"\A['\w\s.,()%s-]+\Z" % CUSTOM_INJECTION_MARK_CHAR, conf.uValues) or conf.uValues.count(CUSTOM_INJECTION_MARK_CHAR) != 1):
errMsg = "option '--union-values' must contain valid UNION column values, along with the injection position "
errMsg += "(e.g. 'NULL,1,%s,NULL')" % CUSTOM_INJECTION_MARK_CHAR
raise SqlmapSyntaxException(errMsg)
if conf.skip and conf.testParameter: if conf.skip and conf.testParameter:
if intersect(conf.skip, conf.testParameter): if intersect(conf.skip, conf.testParameter):
errMsg = "option '--skip' is incompatible with option '-p'" errMsg = "option '--skip' is incompatible with option '-p'"

1
lib/core/optiondict.py
View File

@ -118,6 +118,7 @@ optDict = {
"uCols": "string", "uCols": "string",
"uChar": "string", "uChar": "string",
"uFrom": "string", "uFrom": "string",
"uValues": "string",
"dnsDomain": "string", "dnsDomain": "string",
"secondUrl": "string", "secondUrl": "string",
"secondReq": "string", "secondReq": "string",

2
lib/core/settings.py
View File

@ -20,7 +20,7 @@ from thirdparty import six
from thirdparty.six import unichr as _unichr from thirdparty.six import unichr as _unichr
# sqlmap version (<major>.<minor>.<month>.<monthly commit>) # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
VERSION = "1.7.8.11" VERSION = "1.7.9.0"
TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable" TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34} TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE) VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)

3
lib/parse/cmdline.py
View File

@ -414,6 +414,9 @@ def cmdLineParser(argv=None):
techniques.add_argument("--union-from", dest="uFrom", techniques.add_argument("--union-from", dest="uFrom",
help="Table to use in FROM part of UNION query SQL injection") help="Table to use in FROM part of UNION query SQL injection")
techniques.add_argument("--union-values", dest="uValues",
help="Column values to use for UNION query SQL injection")
techniques.add_argument("--dns-domain", dest="dnsDomain", techniques.add_argument("--dns-domain", dest="dnsDomain",
help="Domain name used for DNS exfiltration attack") help="Domain name used for DNS exfiltration attack")

2
lib/techniques/union/test.py
View File

@ -340,7 +340,7 @@ def _unionTestByCharBruteforce(comment, place, parameter, value, prefix, suffix)
warnMsg = "if UNION based SQL injection is not detected, " warnMsg = "if UNION based SQL injection is not detected, "
warnMsg += "please consider " warnMsg += "please consider "
if not conf.uChar and count > 1 and kb.uChar == NULL: if not conf.uChar and count > 1 and kb.uChar == NULL and conf.uValues is None:
message = "injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] " message = "injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] "
if not readInput(message, default='Y', boolean=True): if not readInput(message, default='Y', boolean=True):

5
sqlmap.conf
View File

@ -412,6 +412,11 @@ uChar =
# Example: INFORMATION_SCHEMA.COLLATIONS # Example: INFORMATION_SCHEMA.COLLATIONS
uFrom = uFrom =
# Column values to use for UNION query SQL injection.
# Valid: string
# Example: NULL,1,*,NULL
uChar =
# Domain name used for DNS exfiltration attack. # Domain name used for DNS exfiltration attack.
# Valid: string # Valid: string
dnsDomain = dnsDomain =