Miroslav Stampar 2019-07-11 12:40:56 +02:00
parent c1ae1b432e
commit c3a95e81f5
3 changed files with 26 additions and 90 deletions


@ -18,7 +18,7 @@ from lib.core.enums import OS
from thirdparty.six import unichr as _unichr from thirdparty.six import unichr as _unichr
# sqlmap version (<major>.<minor>.<month>.<monthly commit>) # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
VERSION = "1.3.7.18" VERSION = "1.3.7.19"
TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable" TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34} TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE) VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)


@ -10,7 +10,6 @@ import re
from lib.core.common import singleTimeWarnMessage from lib.core.common import singleTimeWarnMessage
from lib.core.common import zeroDepthSearch from lib.core.common import zeroDepthSearch
from lib.core.compat import xrange
from lib.core.enums import DBMS from lib.core.enums import DBMS
from lib.core.enums import PRIORITY from lib.core.enums import PRIORITY
@ -35,51 +34,22 @@ def tamper(payload, **kwargs):
>>> tamper('SELECT CHAR(113)+CHAR(114)+CHAR(115) FROM DUAL') >>> tamper('SELECT CHAR(113)+CHAR(114)+CHAR(115) FROM DUAL')
'SELECT CONCAT(CHAR(113),CHAR(114),CHAR(115)) FROM DUAL' 'SELECT CONCAT(CHAR(113),CHAR(114),CHAR(115)) FROM DUAL'
>>> tamper('SELECT (CHAR(113)+CHAR(114)+CHAR(115)) FROM DUAL') >>> tamper('1 UNION ALL SELECT NULL,NULL,CHAR(113)+CHAR(118)+CHAR(112)+CHAR(112)+CHAR(113)+ISNULL(CAST(@@VERSION AS NVARCHAR(4000)),CHAR(32))+CHAR(113)+CHAR(112)+CHAR(107)+CHAR(112)+CHAR(113)-- qtfe')
'SELECT CONCAT(CHAR(113),CHAR(114),CHAR(115)) FROM DUAL' '1 UNION ALL SELECT NULL,NULL,CONCAT(CHAR(113),CHAR(118),CHAR(112),CHAR(112),CHAR(113),ISNULL(CAST(@@VERSION AS NVARCHAR(4000)),CHAR(32)),CHAR(113),CHAR(112),CHAR(107),CHAR(112),CHAR(113))-- qtfe'
""" """
retVal = payload retVal = payload
if payload: if payload:
prefix, suffix = '+' * len(re.search(r"\A(\+*)", payload).group(0)), '+' * len(re.search(r"(\+*)\Z", payload).group(0)) match = re.search(r"('[^']+'|CHAR\(\d+\))\+.*(?<=\+)('[^']+'|CHAR\(\d+\))", retVal)
retVal = retVal.strip('+') if match:
part = match.group(0)
while True: chars = [char for char in part]
indexes = zeroDepthSearch(retVal, '+') for index in zeroDepthSearch(part, '+'):
chars[index] = ','
if indexes: replacement = "CONCAT(%s)" % "".join(chars)
first, last = 0, 0 retVal = retVal.replace(part, replacement)
for i in xrange(1, len(indexes)):
if ' ' in retVal[indexes[0]:indexes[i]]:
break
else:
last = i
start = retVal[:indexes[first]].rfind(' ') + 1
end = (retVal[indexes[last] + 1:].find(' ') + indexes[last] + 1) if ' ' in retVal[indexes[last] + 1:] else len(retVal) - 1
chars = [char for char in retVal]
for index in indexes[first:last + 1]:
chars[index] = ','
retVal = "%sCONCAT(%s)%s" % (retVal[:start], ''.join(chars)[start:end], retVal[end:])
else:
match = re.search(r"\((CHAR\(\d+.+\bCHAR\(\d+\))\)", retVal)
if match:
part = match.group(0)
indexes = set(zeroDepthSearch(match.group(1), '+'))
if not indexes:
break
chars = [char for char in part]
for i in xrange(1, len(chars)):
if i - 1 in indexes:
chars[i] = ','
replacement = "CONCAT%s" % "".join(chars)
retVal = retVal.replace(part, replacement)
else:
break
retVal = "%s%s%s" % (prefix, retVal, suffix)
return retVal return retVal
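Review bot: The greedy `.*` in the new regex on the `match = re.search(...)` line spans everything between the first and the last quoted-string/CHAR() operand in the payload, so two unrelated `+` runs in one payload appear to be folded into a single `CONCAT(...)` with the SQL between them left inside the argument list, whereas the removed loop treated each run separately by stopping at the first space (the old `if ' ' in retVal[indexes[0]:indexes[i]]: break` and the rfind/find bounds). The same pattern is introduced in plus2fnconcat.py further down. Until the pattern is tightened, the limitation belongs in the docstring, e.g. `Note: only one concatenation run (first to last '+' operand) is rewritten; anything between them is swallowed into CONCAT()`. A real fix would iterate `re.finditer` over runs that do not cross zero-depth whitespace, which is more than a one-line change and must still accept the spaces inside `CAST(... AS NVARCHAR(4000))` that the new doctest relies on. Separately, `chars = [char for char in part]` is a plain copy and reads better as `chars = list(part)`.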


@ -36,63 +36,29 @@ def tamper(payload, **kwargs):
>>> tamper('SELECT CHAR(113)+CHAR(114)+CHAR(115) FROM DUAL') >>> tamper('SELECT CHAR(113)+CHAR(114)+CHAR(115) FROM DUAL')
'SELECT {fn CONCAT({fn CONCAT(CHAR(113),CHAR(114))},CHAR(115))} FROM DUAL' 'SELECT {fn CONCAT({fn CONCAT(CHAR(113),CHAR(114))},CHAR(115))} FROM DUAL'
>>> tamper('SELECT (CHAR(113)+CHAR(114)+CHAR(115)) FROM DUAL') >>> tamper('1 UNION ALL SELECT NULL,NULL,CHAR(113)+CHAR(118)+CHAR(112)+CHAR(112)+CHAR(113)+ISNULL(CAST(@@VERSION AS NVARCHAR(4000)),CHAR(32))+CHAR(113)+CHAR(112)+CHAR(107)+CHAR(112)+CHAR(113)-- qtfe')
'SELECT {fn CONCAT({fn CONCAT(CHAR(113),CHAR(114))},CHAR(115))} FROM DUAL' '1 UNION ALL SELECT NULL,NULL,{fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT(CHAR(113),CHAR(118))},CHAR(112))},CHAR(112))},CHAR(113))},ISNULL(CAST(@@VERSION AS NVARCHAR(4000)),CHAR(32)))},CHAR(113))},CHAR(112))},CHAR(107))},CHAR(112))},CHAR(113))}-- qtfe'
""" """
retVal = payload retVal = payload
if payload: if payload:
prefix, suffix = '+' * len(re.search(r"\A(\+*)", payload).group(0)), '+' * len(re.search(r"(\+*)\Z", payload).group(0)) match = re.search(r"('[^']+'|CHAR\(\d+\))\+.*(?<=\+)('[^']+'|CHAR\(\d+\))", retVal)
retVal = retVal.strip('+') if match:
old = match.group(0)
parts = []
last = 0
while True: for index in zeroDepthSearch(old, '+'):
indexes = zeroDepthSearch(retVal, '+') parts.append(old[last:index].strip('+'))
last = index
if indexes: parts.append(old[last:].strip('+'))
first, last = 0, 0 replacement = parts[0]
for i in xrange(1, len(indexes)):
if ' ' in retVal[indexes[0]:indexes[i]]:
break
else:
last = i
start = retVal[:indexes[first]].rfind(' ') + 1 for i in xrange(1, len(parts)):
end = (retVal[indexes[last] + 1:].find(' ') + indexes[last] + 1) if ' ' in retVal[indexes[last] + 1:] else len(retVal) - 1 replacement = "{fn CONCAT(%s,%s)}" % (replacement, parts[i])
count = 0 retVal = retVal.replace(old, replacement)
chars = [char for char in retVal]
for index in indexes[first:last + 1]:
if count == 0:
chars[index] = ','
else:
chars[index] = '\x01'
count += 1
retVal = "%s%s%s)}%s" % (retVal[:start], "{fn CONCAT(" * count, ''.join(chars)[start:end].replace('\x01', ")},"), retVal[end:])
else:
match = re.search(r"\((CHAR\(\d+.+\bCHAR\(\d+\))\)", retVal)
if match:
part = match.group(0)
indexes = set(zeroDepthSearch(match.group(1), '+'))
if not indexes:
break
count = 0
chars = [char for char in part]
for i in xrange(1, len(chars)):
if i - 1 in indexes:
if count == 0:
chars[i] = ','
else:
chars[i] = '\x01'
count += 1
replacement = "%s%s}" % (("{fn CONCAT(" * count)[:-1], "".join(chars).replace('\x01', ")},"))
retVal = retVal.replace(part, replacement)
else:
break
retVal = "%s%s%s" % (prefix, retVal, suffix)
return retVal return retVal
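Review bot: The fold at `for i in xrange(1, len(parts)):` indexes `parts` by position where iterating the tail directly is clearer: `for part in parts[1:]:` followed by `replacement = "{fn CONCAT(%s,%s)}" % (replacement, part)`. That also removes this file's only use of the compat `xrange`, which plus2concat.py drops from its imports in this same commit; whether this file's import block still carries it is outside the hunk, so it is worth checking before the import is removed here. The `tamper` signature and the start of its docstring lie before the hunk.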