More bug fixes to properly distinguish between full inband and single-entry inband sql injections

This commit is contained in:
Bernardo Damele 2010-12-22 15:47:52 +00:00
parent b3da473840
commit c1f2534e9a
2 changed files with 35 additions and 1 deletions


@ -483,7 +483,7 @@ class Agent:
return concatenatedQuery return concatenatedQuery
def forgeInbandQuery(self, query, exprPosition=None, nullChar=None, count=None, comment=None): def forgeInbandQuery(self, query, exprPosition=None, nullChar=None, count=None, comment=None, multipleUnions=None):
""" """
Take in input an query (pseudo query) string and return its Take in input an query (pseudo query) string and return its
processed UNION ALL SELECT query. processed UNION ALL SELECT query.
@ -569,6 +569,22 @@ class Agent:
if intoRegExp: if intoRegExp:
inbandQuery += intoRegExp inbandQuery += intoRegExp
if multipleUnions:
inbandQuery += " UNION ALL SELECT "
for element in range(count):
if element > 0:
inbandQuery += ", "
if element == exprPosition:
inbandQuery += multipleUnions
else:
inbandQuery += nullChar
if kb.dbms == DBMS.ORACLE:
inbandQuery += " FROM DUAL"
inbandQuery = self.suffixQuery(inbandQuery, comment) inbandQuery = self.suffixQuery(inbandQuery, comment)
return inbandQuery return inbandQuery
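Review bot: The new `multipleUnions` parameter of forgeInbandQuery is not described in the docstring that follows the signature (the first hunk shows the docstring text unchanged); add a line such as `multipleUnions: when set, a second UNION ALL SELECT is appended with this expression at exprPosition and nullChar in every other column, used to confirm a full (multi-row) inband injection`. In the second hunk the new branch evaluates `range(count)` and `element == exprPosition` although both parameters default to None; if the part of the function between the two hunks does not resolve them, the call raises TypeError or silently never emits the expression, so a guard that both are set before entering the branch would make the failure explicit. The second SELECT is also appended right after the `inbandQuery += intoRegExp` line; if intoRegExp carries a trailing INTO ... clause as its name suggests, that clause would end up in the middle of the statement and the new UNION should be built before it is appended. The body of forgeInbandQuery between and after the hunks is not visible here.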


@ -8,6 +8,8 @@ See the file 'doc/COPYING' for copying permission
""" """
from lib.core.agent import agent from lib.core.agent import agent
from lib.core.common import getUnicode
from lib.core.common import parseUnionPage
from lib.core.common import randomStr from lib.core.common import randomStr
from lib.core.data import conf from lib.core.data import conf
from lib.core.data import kb from lib.core.data import kb
@ -46,6 +48,22 @@ def __unionPosition(negative=False, count=None, comment=None):
setUnion(position=exprPosition) setUnion(position=exprPosition)
validPayload = payload validPayload = payload
if not negative:
# Prepare expression with delimiters
randQuery2 = randomStr()
randQueryProcessed2 = agent.concatQuery("\'%s\'" % randQuery2)
randQueryUnescaped2 = unescaper.unescape(randQueryProcessed2)
# Confirm that it is a full inband SQL injection
query = agent.forgeInbandQuery(randQueryUnescaped, exprPosition, count=count, comment=comment, multipleUnions=randQueryUnescaped2)
payload = agent.payload(newValue=query, negative=negative)
# Perform the request
resultPage, _ = Request.queryPage(payload, content=True)
if resultPage and (randQuery not in resultPage or randQuery2 not in resultPage):
setUnion(negative=True)
break break
return validPayload return validPayload
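Review bot: The confirmation check added to __unionPosition skips `setUnion(negative=True)` whenever Request.queryPage returns no content, because `if resultPage and (...)` is false for an empty page, so a probe that errors or returns nothing is treated as a confirmed full inband result. Unless an empty page is intended to count as confirmation, `if not resultPage or randQuery not in resultPage or randQuery2 not in resultPage:` would make an unverifiable probe fall back to the single-entry mode instead. The getUnicode and parseUnionPage imports added in the first hunk are not used in either visible hunk; if the rest of the file does not use them they should be dropped. The three `randQuery2` lines repeat the preparation done for the first marker just above the hunk, so a small helper returning the unescaped concatenated marker would keep both probes consistent and document why two markers are needed. __unionPosition starts outside the hunk.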