mirror of
				https://github.com/sqlmapproject/sqlmap.git
				synced 2025-10-25 05:01:32 +03:00 
			
		
		
		
	Improved --union-cols to accept a range to test for union SQL injection. By default it is 1-20.
This commit is contained in:
		
							parent
							
								
									ad17e9ed2a
								
							
						
					
					
						commit
						c23126547e
					
				|  | @ -488,36 +488,50 @@ def __setWriteFile(): | |||
|     conf.wFileType = getFileType(conf.wFile) | ||||
| 
 | ||||
| def __setUnion(): | ||||
|     if isinstance(conf.uChar, basestring) and conf.uChar != "NULL" and not conf.uChar.isdigit(): | ||||
|         if not conf.uChar.startswith("'") or not conf.uChar.endswith("'"): | ||||
|             debugMsg = "setting the UNION query SQL injection character to '%s'" % conf.uChar | ||||
|     if isinstance(conf.uTech, basestring): | ||||
|         debugMsg = "setting the UNION query SQL injection detection technique" | ||||
|         logger.debug(debugMsg) | ||||
| 
 | ||||
|         uTechOriginal = conf.uTech | ||||
|         conf.uTech = conf.uTech.lower() | ||||
| 
 | ||||
|         if conf.uTech and conf.uTech not in ( "char", "orderby" ): | ||||
|             infoMsg  = "resetting the UNION query detection technique to " | ||||
|             infoMsg += "'char', '%s' is not a valid technique" % uTechOriginal | ||||
|             logger.info(infoMsg) | ||||
| 
 | ||||
|             conf.uTech = "char" | ||||
|         else: | ||||
|             debugMsg  = "setting UNION query detection technique to " | ||||
|             debugMsg += "'%s'" % uTechOriginal | ||||
|             logger.debug(debugMsg) | ||||
| 
 | ||||
|     if isinstance(conf.uCols, basestring) and conf.uChar != "1-20": | ||||
|         debugMsg = "setting the UNION query SQL injection range of columns" | ||||
|         logger.debug(debugMsg) | ||||
| 
 | ||||
|         if "-" not in conf.uCols: | ||||
|             raise sqlmapSyntaxException, "--union-cols must be a range with hyphon" | ||||
| 
 | ||||
|         conf.uCols = conf.uCols.replace(" ", "") | ||||
|         conf.uColsStart, conf.uColsStop = conf.uCols.split("-") | ||||
| 
 | ||||
|         if not conf.uColsStart.isdigit() or not conf.uColsStop.isdigit(): | ||||
|             raise sqlmapSyntaxException, "--union-cols must be a range of integers" | ||||
| 
 | ||||
|         conf.uColsStart = int(conf.uColsStart) | ||||
|         conf.uColsStop = int(conf.uColsStop) | ||||
| 
 | ||||
|     if isinstance(conf.uChar, basestring) and conf.uChar != "NULL": | ||||
|         debugMsg = "setting the UNION query SQL injection character to '%s'" % conf.uChar | ||||
|         logger.debug(debugMsg) | ||||
| 
 | ||||
|         if not conf.uChar.isdigit() and ( not conf.uChar.startswith("'") or not conf.uChar.endswith("'") ): | ||||
|             debugMsg = "forcing the UNION query SQL injection character to '%s'" % conf.uChar | ||||
|             logger.debug(debugMsg) | ||||
| 
 | ||||
|             conf.uChar = "'%s'" % conf.uChar | ||||
| 
 | ||||
|     if conf.uTech is None: | ||||
|         conf.uTech = "NULL" | ||||
| 
 | ||||
|         return | ||||
| 
 | ||||
|     debugMsg = "setting the UNION query SQL injection detection technique" | ||||
|     logger.debug(debugMsg) | ||||
| 
 | ||||
|     uTechOriginal = conf.uTech | ||||
|     conf.uTech    = conf.uTech.lower() | ||||
| 
 | ||||
|     if conf.uTech and conf.uTech not in ( "null", "orderby" ): | ||||
|         infoMsg  = "resetting the UNION query detection technique to " | ||||
|         infoMsg += "'NULL', '%s' is not a valid technique" % uTechOriginal | ||||
|         logger.info(infoMsg) | ||||
| 
 | ||||
|         conf.uTech = "NULL" | ||||
| 
 | ||||
|     else: | ||||
|         debugMsg  = "setting UNION query detection technique to " | ||||
|         debugMsg += "'%s'" % uTechOriginal | ||||
|         logger.debug(debugMsg) | ||||
| 
 | ||||
| def __setOS(): | ||||
|     """ | ||||
|     Force the back-end DBMS operating system option. | ||||
|  |  | |||
|  | @ -240,11 +240,11 @@ def cmdLineParser(): | |||
|                               action="store_true", default=False, | ||||
|                               help="Test for and use UNION query (inband) SQL injection") | ||||
| 
 | ||||
|         techniques.add_option("--union-tech", dest="uTech", | ||||
|         techniques.add_option("--union-tech", dest="uTech", default="char", | ||||
|                               help="Technique to test for UNION query SQL injection") | ||||
| 
 | ||||
|         techniques.add_option("--union-cols", dest="uCols", type="int", default=20, | ||||
|                               help="Maximum number of columns to test for") | ||||
|         techniques.add_option("--union-cols", dest="uCols", default="1-20", | ||||
|                               help="Range of columns to test for UNION query SQL injection") | ||||
| 
 | ||||
|         techniques.add_option("--union-char", dest="uChar", default="NULL", | ||||
|                               help="Character to use to bruteforce number of columns") | ||||
|  |  | |||
|  | @ -99,7 +99,7 @@ def __unionTestByCharBruteforce(comment): | |||
| 
 | ||||
|     query = agent.prefixQuery("UNION ALL SELECT %s" % conf.uChar) | ||||
| 
 | ||||
|     for count in range(1, conf.uCols+1): | ||||
|     for count in range(conf.uColsStart, conf.uColsStop+1): | ||||
|         if kb.dbms == DBMS.ORACLE and query.endswith(" FROM DUAL"): | ||||
|             query = query[:-len(" FROM DUAL")] | ||||
| 
 | ||||
|  | @ -121,7 +121,7 @@ def __unionTestByOrderBy(comment): | |||
|     columns = None | ||||
|     prevPayload = "" | ||||
| 
 | ||||
|     for count in range(1, conf.uCols+2): | ||||
|     for count in range(conf.uColsStart, conf.uColsStop+1): | ||||
|         query = agent.prefixQuery("ORDER BY %d" % count) | ||||
|         orderByQuery = agent.suffixQuery(query, comment) | ||||
|         payload = agent.payload(newValue=orderByQuery, negative=negative, falseCond=falseCond) | ||||
|  | @ -161,17 +161,15 @@ def unionTest(): | |||
|     logger.info(infoMsg) | ||||
| 
 | ||||
|     validPayload = None | ||||
|     comment = queries[kb.dbms].comment.query | ||||
| 
 | ||||
|     for comment in (queries[kb.dbms].comment.query, ""): | ||||
|         if conf.uTech == "orderby": | ||||
|             validPayload = __unionTestByOrderBy(comment) | ||||
|         else: | ||||
|             validPayload = __unionTestByCharBruteforce(comment) | ||||
|     if conf.uTech == "orderby": | ||||
|         validPayload = __unionTestByOrderBy(comment) | ||||
|     else: | ||||
|         validPayload = __unionTestByCharBruteforce(comment) | ||||
| 
 | ||||
|         if validPayload: | ||||
|             setUnion(comment=comment) | ||||
| 
 | ||||
|             break | ||||
|     if validPayload: | ||||
|         setUnion(comment=comment) | ||||
| 
 | ||||
|     if isinstance(kb.unionPosition, int): | ||||
|         infoMsg  = "the target url is affected by an exploitable " | ||||
|  |  | |||
							
								
								
									
										14
									
								
								sqlmap.conf
									
									
									
									
									
								
							
							
						
						
									
										14
									
								
								sqlmap.conf
									
									
									
									
									
								
							|  | @ -256,14 +256,14 @@ unionTest = False | |||
| # Technique to test for UNION query SQL injection | ||||
| # The possible techniques are by NULL bruteforcing (bf) or by ORDER BY | ||||
| # clause (ob) | ||||
| # Valid: NULL, OrderBy | ||||
| # Default: NULL | ||||
| uTech = NULL | ||||
| # Valid: char, OrderBy | ||||
| # Default: char | ||||
| uTech = char | ||||
| 
 | ||||
| # Maximum number of columns to test for | ||||
| # Valid: integer | ||||
| # Default: 20 | ||||
| uCols = 20 | ||||
| # Range of columns to test for | ||||
| # Valid: range of integers | ||||
| # Default: 1-20 | ||||
| uCols = 1-20 | ||||
| 
 | ||||
| # Character to use to bruteforce number of columns | ||||
| # Valid: string | ||||
|  |  | |||
		Loading…
	
		Reference in New Issue
	
	Block a user