Implementing option '--where' (Issue #605)

2025-01-23 15:54:24 +03:00 · 2014-02-11 16:20:45 +01:00 · 2014-02-11 16:20:45 +01:00 · d05bfdd7dd
commit d05bfdd7dd
parent be6767b3b0
5 changed files with 33 additions and 0 deletions
--- a/lib/core/optiondict.py
+++ b/lib/core/optiondict.py
@ -129,6 +129,7 @@ optDict = {
                               "tbl":               "string",
                               "col":               "string",
                               "excludeCol":        "string",
+                               "dumpWhere":         "string",
                               "user":              "string",
                               "excludeSysDbs":     "boolean",
                               "limitStart":        "integer",
--- a/lib/parse/cmdline.py
+++ b/lib/parse/cmdline.py
@ -424,6 +424,9 @@ def cmdLineParser():
                               help="Exclude DBMS system databases when "
                                    "enumerating tables")

+        enumeration.add_option("--where", dest="dumpWhere",
+                               help="Use WHERE condition while table dumping")
+
        enumeration.add_option("--start", dest="limitStart", type="int",
                               help="First query output entry to retrieve")

--- a/lib/utils/pivotdumptable.py
+++ b/lib/utils/pivotdumptable.py
@ -38,6 +38,7 @@ def pivotDumpTable(table, colList, count=None, blind=True):

    if count is None:
        query = dumpNode.count % table
+        query = whereQuery(query)
        count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) if blind else inject.getValue(query, blind=False, time=False, expected=EXPECTED.INT)

    if isinstance(count, basestring) and count.isdigit():
@ -83,6 +84,7 @@ def pivotDumpTable(table, colList, count=None, blind=True):
            logger.info(infoMsg)

            query = dumpNode.count2 % (column, table)
+            query = whereQuery(query)
            value = inject.getValue(query, blind=blind, union=not blind, error=not blind, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)

            if isNumPosStrValue(value):
@ -122,6 +124,8 @@ def pivotDumpTable(table, colList, count=None, blind=True):
                    else:
                        query = dumpNode.query2.replace("'%s'", "%s") % (agent.preprocessField(table, column), table, agent.preprocessField(table, colList[0]), unescaper.escape(pivotValue, False))

+                    query = whereQuery(query)
+
                    return unArrayizeValue(inject.getValue(query, blind=blind, time=blind, union=not blind, error=not blind))

                value = _(pivotValue)
@ -163,3 +167,18 @@ def pivotDumpTable(table, colList, count=None, blind=True):
        logger.critical(errMsg)

    return entries, lengths
+
+def whereQuery(query):
+    if conf.dumpWhere and query:
+        prefix, suffix = query.split(" ORDER BY ") if " ORDER BY " in query else (query, "")
+
+        if "%s)" % conf.tbl.upper() in prefix.upper():
+            prefix = re.sub(r"(?i)%s\)" % conf.tbl, "%s WHERE %s)" % (conf.tbl, conf.dumpWhere), prefix)
+        elif re.search(r"(?i)\bWHERE\b", prefix):
+            prefix += " AND %s" % conf.dumpWhere
+        else:
+            prefix += " WHERE %s" % conf.dumpWhere
+
+        query = "%s ORDER BY %s" % (prefix, suffix) if suffix else prefix
+
+    return query
--- a/plugins/generic/entries.py
+++ b/plugins/generic/entries.py
@ -42,6 +42,7 @@ from lib.core.settings import NULL
 from lib.request import inject
 from lib.utils.hash import attackDumpedTable
 from lib.utils.pivotdumptable import pivotDumpTable
+from lib.utils.pivotdumptable import whereQuery

 class Entries:
    """
@ -175,6 +176,8 @@ class Entries:
                    else:
                        query = rootQuery.inband.query % (colString, conf.db, tbl)

+                    query = whereQuery(query)
+
                    if not entries and query:
                        entries = inject.getValue(query, blind=False, time=False, dump=True)

@ -226,6 +229,8 @@ class Entries:
                    else:
                        query = rootQuery.blind.count % (conf.db, tbl)

+                    query = whereQuery(query)
+
                    count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)

                    lengths = {}
@ -300,6 +305,8 @@ class Entries:
                                    elif Backend.isDbms(DBMS.FIREBIRD):
                                        query = rootQuery.blind.query % (index, agent.preprocessField(tbl, column), tbl)

+                                    query = whereQuery(query)
+
                                    value = NULL if column in emptyColumns else inject.getValue(query, union=False, error=False, dump=True)
                                    value = '' if value is None else value

--- a/sqlmap.conf
+++ b/sqlmap.conf
@ -458,6 +458,9 @@ col =
 # Back-end database management system database table column(s) to not enumerate.
 excludeCol = 

+# Use WHERE condition while table dumping (e.g. "id=1").
+dumpWhere = 
+
 # Back-end database management system database user to enumerate.
 user =