mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2025-01-24 08:14:24 +03:00
Important bug fix.
Minor code restyling.
This commit is contained in:
parent
1b3717c79c
commit
be6e2d6a31
|
@ -395,7 +395,7 @@ def checkSqlInjection(place, parameter, value):
|
|||
|
||||
# Overwrite 'where' because it can differ
|
||||
# in unionTest()'s vector (1 or 2)
|
||||
where = vector[5]
|
||||
where = vector[6]
|
||||
|
||||
# If the injection test was successful feed the injection
|
||||
# object with the test's details
|
||||
|
|
|
@ -478,7 +478,7 @@ class Agent:
|
|||
|
||||
return concatenatedQuery
|
||||
|
||||
def forgeInbandQuery(self, query, exprPosition=None, count=None, comment=None, prefix=None, suffix=None, multipleUnions=None):
|
||||
def forgeInbandQuery(self, query, position, count, comment, prefix, suffix, char, multipleUnions=None):
|
||||
"""
|
||||
Take in input an query (pseudo query) string and return its
|
||||
processed UNION ALL SELECT query.
|
||||
|
@ -501,9 +501,9 @@ class Agent:
|
|||
forged within an UNION ALL SELECT statement
|
||||
@type query: C{str}
|
||||
|
||||
@param exprPosition: it is the NULL position where it is possible
|
||||
@param position: it is the NULL position where it is possible
|
||||
to inject the query
|
||||
@type exprPosition: C{int}
|
||||
@type position: C{int}
|
||||
|
||||
@return: UNION ALL SELECT query string forged
|
||||
@rtype: C{str}
|
||||
|
@ -532,14 +532,14 @@ class Agent:
|
|||
if element > 0:
|
||||
inbandQuery += ", "
|
||||
|
||||
if element == exprPosition:
|
||||
if element == position:
|
||||
if " FROM " in query and not query.startswith("SELECT ") and "(CASE WHEN (" not in query:
|
||||
conditionIndex = query.index(" FROM ")
|
||||
inbandQuery += query[:conditionIndex]
|
||||
else:
|
||||
inbandQuery += query
|
||||
else:
|
||||
inbandQuery += conf.uChar
|
||||
inbandQuery += char
|
||||
|
||||
if " FROM " in query and not query.startswith("SELECT ") and "(CASE WHEN (" not in query:
|
||||
conditionIndex = query.index(" FROM ")
|
||||
|
@ -559,10 +559,10 @@ class Agent:
|
|||
if element > 0:
|
||||
inbandQuery += ", "
|
||||
|
||||
if element == exprPosition:
|
||||
if element == position:
|
||||
inbandQuery += multipleUnions
|
||||
else:
|
||||
inbandQuery += conf.uChar
|
||||
inbandQuery += char
|
||||
|
||||
if kb.dbms == DBMS.ORACLE:
|
||||
inbandQuery += " FROM DUAL"
|
||||
|
|
|
@ -32,14 +32,14 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, dbms, coun
|
|||
# For each column of the table (# of NULL) perform a request using
|
||||
# the UNION ALL SELECT statement to test it the target url is
|
||||
# affected by an exploitable inband SQL injection vulnerability
|
||||
for exprPosition in range(0, count):
|
||||
for position in range(0, count):
|
||||
# Prepare expression with delimiters
|
||||
randQuery = randomStr()
|
||||
randQueryProcessed = agent.concatQuery("\'%s\'" % randQuery)
|
||||
randQueryUnescaped = unescaper.unescape(randQueryProcessed, dbms=dbms)
|
||||
|
||||
# Forge the inband SQL injection request
|
||||
query = agent.forgeInbandQuery(randQueryUnescaped, exprPosition, count=count, comment=comment, prefix=prefix, suffix=suffix)
|
||||
query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, conf.uChar)
|
||||
payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)
|
||||
|
||||
# Perform the request
|
||||
|
@ -47,7 +47,7 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, dbms, coun
|
|||
|
||||
if resultPage and randQuery in resultPage and " UNION ALL SELECT " not in resultPage:
|
||||
validPayload = payload
|
||||
vector = (exprPosition, count, comment, prefix, suffix, where)
|
||||
vector = (position, count, comment, prefix, suffix, conf.uChar, where)
|
||||
|
||||
if where == 1:
|
||||
# Prepare expression with delimiters
|
||||
|
@ -56,14 +56,14 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, dbms, coun
|
|||
randQueryUnescaped2 = unescaper.unescape(randQueryProcessed2, dbms=dbms)
|
||||
|
||||
# Confirm that it is a full inband SQL injection
|
||||
query = agent.forgeInbandQuery(randQueryUnescaped, exprPosition, count=count, comment=comment, prefix=prefix, suffix=suffix, multipleUnions=randQueryUnescaped2)
|
||||
query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, conf.uChar, multipleUnions=randQueryUnescaped2)
|
||||
payload = agent.payload(place=place, parameter=parameter, newValue=query, where=2)
|
||||
|
||||
# Perform the request
|
||||
resultPage, _ = Request.queryPage(payload, place=place, content=True)
|
||||
|
||||
if resultPage and (randQuery not in resultPage or randQuery2 not in resultPage):
|
||||
vector = (exprPosition, count, comment, prefix, suffix, 2)
|
||||
vector = (position, count, comment, prefix, suffix, conf.uChar, 2)
|
||||
|
||||
break
|
||||
|
||||
|
|
|
@ -211,7 +211,7 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh
|
|||
else:
|
||||
# Forge the inband SQL injection request
|
||||
vector = kb.injection.data[PAYLOAD.TECHNIQUE.UNION].vector
|
||||
query = agent.forgeInbandQuery(expression, exprPosition=vector[0], count=vector[1], comment=vector[2], prefix=vector[3], suffix=vector[4])
|
||||
query = agent.forgeInbandQuery(expression, vector[0], vector[1], vector[2], vector[3], vector[4], vector[5])
|
||||
payload = agent.payload(newValue=query)
|
||||
|
||||
# Perform the request
|
||||
|
|
Loading…
Reference in New Issue
Block a user