Removed --error-test, --stacked-test and --time-test switches and adapted the code accordingly. This is due to the fact that the new XML based detection engine already supports all of those tests (and more).

2024-11-25 19:13:48 +03:00 · 2010-11-29 11:47:58 +00:00 · 2010-11-29 11:47:58 +00:00 · c22338ce90
commit c22338ce90
parent e8c6c01e27
12 changed files with 1 additions and 234 deletions
--- a/lib/controller/action.py
+++ b/lib/controller/action.py
@ -15,12 +15,9 @@ from lib.core.data import kb
 from lib.core.data import paths
 from lib.core.exception import sqlmapUnsupportedDBMSException
 from lib.core.settings import SUPPORTED_DBMS
 from lib.techniques.blind.timebased import timeTest
 from lib.techniques.brute.use import columnExists
 from lib.techniques.brute.use import tableExists
 from lib.techniques.error.test import errorTest
 from lib.techniques.inband.union.test import unionTest
 from lib.techniques.outband.stacked import stackedTest
 def action():
    """
@ -60,15 +57,6 @@ def action():
    dataToStdout("%s\n" % conf.dbmsHandler.getFingerprint())
    # Techniques options
    if conf.stackedTest:
        conf.dumper.technic("stacked queries injection payload", stackedTest())
    if conf.errorTest:
        conf.dumper.technic("error-based injection payload", errorTest())
    if conf.timeTest:
        conf.dumper.technic("time-based blind injection payload", timeTest())
    if conf.unionTest and kb.unionPosition is None:
        conf.dumper.technic("inband injection payload", unionTest())
--- a/lib/core/optiondict.py
+++ b/lib/core/optiondict.py
@ -75,9 +75,6 @@ optDict = {
                             },
            "Techniques":    {
                               "errorTest":         "boolean",
                               "stackedTest":       "boolean",
                               "timeTest":          "boolean",
                               "timeSec":           "integer",
                               "unionTest":         "boolean",
                               "uTech":             "string",
--- a/lib/parse/cmdline.py
+++ b/lib/parse/cmdline.py
@ -226,19 +226,6 @@ def cmdLineParser():
                                 "the affected parameter(s) rather than using "
                                 "the default blind SQL injection technique.")
        techniques.add_option("--error-test", dest="errorTest",
                          action="store_true", default=False,
                          help="Test for and use error based SQL injection")
        techniques.add_option("--stacked-test", dest="stackedTest",
                              action="store_true", default=False,
                              help="Test for and use stacked queries (multiple "
                                   "statements)")
        techniques.add_option("--time-test", dest="timeTest",
                              action="store_true", default=False,
                              help="Test for time based blind SQL injection")
        techniques.add_option("--time-sec", dest="timeSec",
                              type="int", default=5,
                              help="Seconds to delay the DBMS response "
--- a/lib/takeover/udf.py
+++ b/lib/takeover/udf.py
@ -23,8 +23,6 @@ from lib.core.exception import sqlmapUnsupportedFeatureException
 from lib.core.exception import sqlmapUserQuitException
 from lib.core.unescaper import unescaper
 from lib.request import inject
 from lib.techniques.outband.stacked import stackedTest
 class UDF:
    """
@ -159,8 +157,6 @@ class UDF:
            errMsg = "UDF injection feature is not yet implemented on %s" % kb.dbms
            raise sqlmapUnsupportedFeatureException(errMsg)
        stackedTest()
        if not kb.stackedTest and not conf.direct:
            return
--- a/lib/techniques/blind/timebased.py
+++ b/lib/techniques/blind/timebased.py
@ -18,61 +18,6 @@ from lib.core.data import logger
 from lib.request import inject
 from lib.request.connect import Connect as Request
 def timeTest():
    if kb.timeTest is not None:
        return kb.timeTest
    infoMsg  = "testing time-based blind sql injection on parameter "
    infoMsg += "'%s' with %s condition syntax" % (kb.injection.parameter, conf.logic)
    logger.info(infoMsg)
    timeQuery = getDelayQuery(andCond=True)
    query     = agent.prefixQuery("AND %s" % timeQuery)
    query     = agent.suffixQuery(query)
    payload   = agent.payload(newValue=query)
    start     = time.time()
    _         = Request.queryPage(payload)
    duration  = calculateDeltaSeconds(start)
    if duration >= conf.timeSec:
        infoMsg  = "the target url is affected by a time-based blind "
        infoMsg += "sql injection with AND condition syntax on parameter "
        infoMsg += "'%s'" % kb.injection.parameter
        logger.info(infoMsg)
        kb.timeTest = agent.removePayloadDelimiters(payload, False)
    else:
        warnMsg  = "the target url is not affected by a time-based blind "
        warnMsg += "sql injection with AND condition syntax on parameter "
        warnMsg += "'%s'" % kb.injection.parameter
        logger.warn(warnMsg)
        infoMsg  = "testing time-based blind sql injection on parameter "
        infoMsg += "'%s' with stacked queries syntax" % kb.injection.parameter
        logger.info(infoMsg)
        timeQuery  = getDelayQuery(andCond=True)
        start      = time.time()
        payload, _ = inject.goStacked(timeQuery)
        duration   = calculateDeltaSeconds(start)
        if duration >= conf.timeSec:
            infoMsg  = "the target url is affected by a time-based blind sql "
            infoMsg += "injection with stacked queries syntax on parameter "
            infoMsg += "'%s'" % kb.injection.parameter
            logger.info(infoMsg)
            kb.timeTest = agent.removePayloadDelimiters(payload, False)
        else:
            warnMsg  = "the target url is not affected by a time-based blind "
            warnMsg += "sql injection with stacked queries syntax on parameter "
            warnMsg += "'%s'" % kb.injection.parameter
            logger.warn(warnMsg)
            kb.timeTest = False
    return kb.timeTest
 def timeUse(query):
    start      = time.time()
    _, _       = inject.goStacked(query)
--- a/lib/techniques/error/test.py
+++ b/lib/techniques/error/test.py
@ -1,52 +0,0 @@
 #!/usr/bin/env python
 """
 $Id$
 Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
 See the file 'doc/COPYING' for copying permission
 """
 import time
 from lib.core.agent import agent
 from lib.core.common import getUnicode
 from lib.core.common import randomInt
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.data import queries
 from lib.core.session import setError
 from lib.request import inject
 def errorTest():
    if conf.direct:
        return
    if kb.errorTest is not None:
        return kb.errorTest
    infoMsg  = "testing error-based sql injection on parameter "
    infoMsg += "'%s' with %s condition syntax" % (kb.injection.parameter, conf.logic)
    logger.info(infoMsg)
    randInt = getUnicode(randomInt(1))
    query = queries[kb.dbms].case.query % ("%s=%s" % (randInt, randInt))
    result, usedPayload = inject.goError(query, suppressOutput=True, returnPayload=True)
    if result:
        infoMsg  = "the target url is affected by an error-based sql "
        infoMsg += "injection on parameter '%s'" % kb.injection.parameter
        logger.info(infoMsg)
        kb.errorTest = agent.removePayloadDelimiters(usedPayload, False)
    else:
        warnMsg  = "the target url is not affected by an error-based sql "
        warnMsg += "injection on parameter '%s'" % kb.injection.parameter
        logger.warn(warnMsg)
        kb.errorTest = False
    setError()
    return kb.errorTest
--- a/lib/techniques/outband/stacked.py
+++ b/lib/techniques/outband/stacked.py
@ -1,53 +0,0 @@
 #!/usr/bin/env python
 """
 $Id$
 Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
 See the file 'doc/COPYING' for copying permission
 """
 import time
 from lib.core.agent import agent
 from lib.core.common import calculateDeltaSeconds
 from lib.core.common import getDelayQuery
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.session import setStacked
 from lib.request import inject
 def stackedTest():
    if conf.direct:
        return
    if kb.stackedTest is not None:
        return kb.stackedTest
    infoMsg  = "testing stacked queries sql injection on parameter "
    infoMsg += "'%s'" % kb.injection.parameter
    logger.info(infoMsg)
    query      = getDelayQuery()
    start      = time.time()
    payload, _ = inject.goStacked(query)
    duration   = calculateDeltaSeconds(start)
    if duration >= conf.timeSec:
        infoMsg  = "the target url is affected by a stacked queries "
        infoMsg += "sql injection on parameter '%s'" % kb.injection.parameter
        logger.info(infoMsg)
        kb.stackedTest = agent.removePayloadDelimiters(payload, False)
    else:
        warnMsg  = "the target url is not affected by a stacked queries "
        warnMsg += "sql injection on parameter '%s'" % kb.injection.parameter
        logger.warn(warnMsg)
        kb.stackedTest = False
    if kb.stackedTest:
        setStacked(kb.injection.place, kb.injection.parameter, payload)
    return kb.stackedTest
--- a/plugins/generic/enumeration.py
+++ b/plugins/generic/enumeration.py
@ -44,9 +44,7 @@ from lib.request import inject
 from lib.request.connect import Connect as Request
 from lib.techniques.brute.use import columnExists
 from lib.techniques.brute.use import tableExists
 from lib.techniques.error.test import errorTest
 from lib.techniques.inband.union.test import unionTest
 from lib.techniques.outband.stacked import stackedTest
 from lib.utils.hash import dictionaryAttack
 class Enumeration:
@ -80,9 +78,7 @@ class Enumeration:
        logger.info(infoMsg)
        if not kb.data.banner:
-            if conf.errorTest:
+            if conf.unionTest:
                conf.dumper.technic("error-based injection payload", errorTest())
            elif conf.unionTest:
                conf.dumper.technic("inband injection payload", unionTest())
            query          = queries[kb.dbms].banner.query
@ -1745,9 +1741,6 @@ class Enumeration:
            return output
        else:
            if kb.stackedTest is None:
                stackedTest()
            if not kb.stackedTest and not conf.direct:
                warnMsg  = "execution of custom SQL queries is only "
                warnMsg += "available when stacked queries are supported"
--- a/plugins/generic/filesystem.py
+++ b/plugins/generic/filesystem.py
@ -21,7 +21,6 @@ from lib.core.data import logger
 from lib.core.enums import DBMS
 from lib.core.exception import sqlmapUndefinedMethod
 from lib.request import inject
 from lib.techniques.outband.stacked import stackedTest
 class Filesystem:
    """
@ -253,8 +252,6 @@ class Filesystem:
    def readFile(self, rFile):
        fileContent = None
        stackedTest()
        self.checkDbmsOs()
        if conf.direct or kb.stackedTest:
@ -295,8 +292,6 @@ class Filesystem:
        return rFilePath
    def writeFile(self, wFile, dFile, fileType=None, confirm=True):
        stackedTest()
        self.checkDbmsOs()
        if conf.direct or kb.stackedTest:
--- a/plugins/generic/misc.py
+++ b/plugins/generic/misc.py
@ -23,8 +23,6 @@ from lib.core.exception import sqlmapNoneDataException
 from lib.core.exception import sqlmapUnsupportedFeatureException
 from lib.core.session import setRemoteTempPath
 from lib.request import inject
 from lib.techniques.outband.stacked import stackedTest
 class Miscellaneous:
    """
@ -96,8 +94,6 @@ class Miscellaneous:
        Cleanup database from sqlmap create tables and functions
        """
        stackedTest()
        if not kb.stackedTest and not conf.direct:
            return
--- a/plugins/generic/takeover.py
+++ b/plugins/generic/takeover.py
@ -25,7 +25,6 @@ from lib.takeover.abstraction import Abstraction
 from lib.takeover.icmpsh import ICMPsh
 from lib.takeover.metasploit import Metasploit
 from lib.takeover.registry import Registry
 from lib.techniques.outband.stacked import stackedTest
 from plugins.generic.misc import Miscellaneous
@ -41,8 +40,6 @@ class Takeover(Abstraction, Metasploit, ICMPsh, Registry, Miscellaneous):
        Abstraction.__init__(self)
    def osCmd(self):
        stackedTest()
        if kb.stackedTest or conf.direct:
            web = False
        elif not kb.stackedTest and kb.dbms == DBMS.MYSQL:
@ -64,8 +61,6 @@ class Takeover(Abstraction, Metasploit, ICMPsh, Registry, Miscellaneous):
            self.cleanup()
    def osShell(self):
        stackedTest()
        if kb.stackedTest or conf.direct:
            web = False
        elif not kb.stackedTest and kb.dbms == DBMS.MYSQL:
@ -89,8 +84,6 @@ class Takeover(Abstraction, Metasploit, ICMPsh, Registry, Miscellaneous):
    def osPwn(self):
        goUdf = False
        stackedTest()
        self.checkDbmsOs()
        msg  = "how do you want to establish the tunnel?"
@ -251,8 +244,6 @@ class Takeover(Abstraction, Metasploit, ICMPsh, Registry, Miscellaneous):
            self.cleanup()
    def osSmb(self):
        stackedTest()
        self.checkDbmsOs()
        if kb.os != "Windows":
@ -303,8 +294,6 @@ class Takeover(Abstraction, Metasploit, ICMPsh, Registry, Miscellaneous):
        self.smb()
    def osBof(self):
        stackedTest()
        if not kb.stackedTest and not conf.direct:
            return
@ -331,8 +320,6 @@ class Takeover(Abstraction, Metasploit, ICMPsh, Registry, Miscellaneous):
        raise sqlmapUndefinedMethod, errMsg
    def __regInit(self):
        stackedTest()
        if not kb.stackedTest and not conf.direct:
            return
--- a/sqlmap.conf
+++ b/sqlmap.conf
@ -246,18 +246,6 @@ longestCommon = False
 # using the default blind SQL injection technique.
 [Techniques]
 # Test for and use error based SQL injection.
 # Valid: True or False
 errorTest = False
 # Test for and use stacked queries (multiple statements).
 # Valid: True or False
 stackedTest = False
 # Test for time based blind SQL injection.
 # Valid: True or False
 timeTest = False
 # Seconds to delay the response from the DBMS.
 # Valid: integer
 # Default: 5