sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-02-03 13:14:13 +03:00
Code Issues Packages Projects Releases Wiki Activity

handle "LIMIT num" as well as "LIMIT num, num" across all techniques - fixes issue #308

Browse Source
This commit is contained in:
Bernardo Damele 2012-12-19 10:50:15 +00:00
parent 155c1eddae
commit dee56b17c3
4 changed files with 42 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
lib/request/inject.py
View File

@ -170,16 +170,20 @@ def _goInferenceProxy(expression, fromUser=False, batch=False, unpack=True, char
limitCond = True limitCond = True
limitRegExp = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query, expression, re.I) limitRegExp = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query, expression, re.I)
limitRegExp2 = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query2, expression, re.I)
topLimit = re.search("TOP\s+([\d]+)\s+", expression, re.I) topLimit = re.search("TOP\s+([\d]+)\s+", expression, re.I)
if limitRegExp or (Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE) and topLimit): if (limitRegExp or limitRegExp2) or (Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE) and topLimit):
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.SQLITE): if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.SQLITE):
limitGroupStart = queries[Backend.getIdentifiedDbms()].limitgroupstart.query limitGroupStart = queries[Backend.getIdentifiedDbms()].limitgroupstart.query
limitGroupStop = queries[Backend.getIdentifiedDbms()].limitgroupstop.query limitGroupStop = queries[Backend.getIdentifiedDbms()].limitgroupstop.query
if limitGroupStart.isdigit(): if limitGroupStart.isdigit():
if limitRegExp2:
startLimit = 0
stopLimit = limitRegExp2.group(int(limitGroupStart))
else:
startLimit = int(limitRegExp.group(int(limitGroupStart))) startLimit = int(limitRegExp.group(int(limitGroupStart)))
stopLimit = limitRegExp.group(int(limitGroupStop)) stopLimit = limitRegExp.group(int(limitGroupStop))
limitCond = int(stopLimit) > 1 limitCond = int(stopLimit) > 1
@ -202,14 +206,14 @@ def _goInferenceProxy(expression, fromUser=False, batch=False, unpack=True, char
limitCond = False limitCond = False
# We assume that only queries NOT containing a "LIMIT #, 1" # We assume that only queries NOT containing a "LIMIT #, 1"
# (or similar depending on the back-end DBMS) can return # (or equivalent depending on the back-end DBMS) can return
# multiple entries # multiple entries
if limitCond: if limitCond:
if limitRegExp and stopLimit is not None: if (limitRegExp or limitRegExp2) and stopLimit is not None:
stopLimit = int(stopLimit) stopLimit = int(stopLimit)
# From now on we need only the expression until the " LIMIT " # From now on we need only the expression until the " LIMIT "
# (or similar, depending on the back-end DBMS) word # (or equivalent, depending on the back-end DBMS) word
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.SQLITE): if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.SQLITE):
stopLimit += startLimit stopLimit += startLimit
untilLimitChar = expression.index(queries[Backend.getIdentifiedDbms()].limitstring.query) untilLimitChar = expression.index(queries[Backend.getIdentifiedDbms()].limitstring.query)

21
lib/techniques/error/use.py
View File

@ -254,17 +254,22 @@ def errorUse(expression, dump=False):
and ("(CASE" not in expression.upper() or ("(CASE" in expression.upper() and "WHEN use" in expression))) \ and ("(CASE" not in expression.upper() or ("(CASE" in expression.upper() and "WHEN use" in expression))) \
and not re.search(SQL_SCALAR_REGEX, expression, re.I): and not re.search(SQL_SCALAR_REGEX, expression, re.I):
limitCond = True
limitRegExp = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query, expression, re.I) limitRegExp = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query, expression, re.I)
limitRegExp2 = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query2, expression, re.I)
topLimit = re.search("TOP\s+([\d]+)\s+", expression, re.I) topLimit = re.search("TOP\s+([\d]+)\s+", expression, re.I)
if limitRegExp or (Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE) and topLimit): if (limitRegExp or limitRegExp2) or (Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE) and topLimit):
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL): if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.SQLITE):
limitGroupStart = queries[Backend.getIdentifiedDbms()].limitgroupstart.query limitGroupStart = queries[Backend.getIdentifiedDbms()].limitgroupstart.query
limitGroupStop = queries[Backend.getIdentifiedDbms()].limitgroupstop.query limitGroupStop = queries[Backend.getIdentifiedDbms()].limitgroupstop.query
if limitGroupStart.isdigit(): if limitGroupStart.isdigit():
if limitRegExp2:
startLimit = 0
stopLimit = limitRegExp2.group(int(limitGroupStart))
else:
startLimit = int(limitRegExp.group(int(limitGroupStart))) startLimit = int(limitRegExp.group(int(limitGroupStart)))
stopLimit = limitRegExp.group(int(limitGroupStop)) stopLimit = limitRegExp.group(int(limitGroupStop))
limitCond = int(stopLimit) > 1 limitCond = int(stopLimit) > 1
@ -285,19 +290,17 @@ def errorUse(expression, dump=False):
elif Backend.isDbms(DBMS.ORACLE): elif Backend.isDbms(DBMS.ORACLE):
limitCond = False limitCond = False
else:
limitCond = True
# I assume that only queries NOT containing a "LIMIT #, 1" # I assume that only queries NOT containing a "LIMIT #, 1"
# (or similar depending on the back-end DBMS) can return # (or equivalent depending on the back-end DBMS) can return
# multiple entries # multiple entries
if limitCond: if limitCond:
if limitRegExp: if (limitRegExp or limitRegExp2) and stopLimit is not None:
stopLimit = int(stopLimit) stopLimit = int(stopLimit)
# From now on we need only the expression until the " LIMIT " # From now on we need only the expression until the " LIMIT "
# (or similar, depending on the back-end DBMS) word # (or equivalent, depending on the back-end DBMS) word
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL): if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.SQLITE):
stopLimit += startLimit stopLimit += startLimit
untilLimitChar = expression.index(queries[Backend.getIdentifiedDbms()].limitstring.query) untilLimitChar = expression.index(queries[Backend.getIdentifiedDbms()].limitstring.query)
expression = expression[:untilLimitChar] expression = expression[:untilLimitChar]

22
lib/techniques/union/use.py
View File

@ -175,17 +175,22 @@ def unionUse(expression, unpack=True, dump=False):
and not expression.upper().endswith(FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]))) \ and not expression.upper().endswith(FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]))) \
and not re.search(SQL_SCALAR_REGEX, expression, re.I): and not re.search(SQL_SCALAR_REGEX, expression, re.I):
limitCond = True
limitRegExp = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query, expression, re.I) limitRegExp = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query, expression, re.I)
limitRegExp2 = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query2, expression, re.I)
topLimit = re.search("TOP\s+([\d]+)\s+", expression, re.I) topLimit = re.search("TOP\s+([\d]+)\s+", expression, re.I)
if limitRegExp or (Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE) and topLimit): if (limitRegExp or limitRegExp2) or (Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE) and topLimit):
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL): if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.SQLITE):
limitGroupStart = queries[Backend.getIdentifiedDbms()].limitgroupstart.query limitGroupStart = queries[Backend.getIdentifiedDbms()].limitgroupstart.query
limitGroupStop = queries[Backend.getIdentifiedDbms()].limitgroupstop.query limitGroupStop = queries[Backend.getIdentifiedDbms()].limitgroupstop.query
if limitGroupStart.isdigit(): if limitGroupStart.isdigit():
if limitRegExp2:
startLimit = 0
stopLimit = limitRegExp2.group(int(limitGroupStart))
else:
startLimit = int(limitRegExp.group(int(limitGroupStart))) startLimit = int(limitRegExp.group(int(limitGroupStart)))
stopLimit = limitRegExp.group(int(limitGroupStop)) stopLimit = limitRegExp.group(int(limitGroupStop))
limitCond = int(stopLimit) > 1 limitCond = int(stopLimit) > 1
@ -199,7 +204,6 @@ def unionUse(expression, unpack=True, dump=False):
stopLimit = limitRegExp.group(int(limitGroupStop)) stopLimit = limitRegExp.group(int(limitGroupStop))
limitCond = int(stopLimit) > 1 limitCond = int(stopLimit) > 1
elif topLimit: elif topLimit:
startLimit = 0 startLimit = 0
stopLimit = int(topLimit.group(1)) stopLimit = int(topLimit.group(1))
@ -207,19 +211,17 @@ def unionUse(expression, unpack=True, dump=False):
elif Backend.isDbms(DBMS.ORACLE): elif Backend.isDbms(DBMS.ORACLE):
limitCond = False limitCond = False
else:
limitCond = True
# I assume that only queries NOT containing a "LIMIT #, 1" # I assume that only queries NOT containing a "LIMIT #, 1"
# (or similar depending on the back-end DBMS) can return # (or equivalent depending on the back-end DBMS) can return
# multiple entries # multiple entries
if limitCond: if limitCond:
if limitRegExp: if (limitRegExp or limitRegExp2) and stopLimit is not None:
stopLimit = int(stopLimit) stopLimit = int(stopLimit)
# From now on we need only the expression until the " LIMIT " # From now on we need only the expression until the " LIMIT "
# (or similar, depending on the back-end DBMS) word # (or equivalent, depending on the back-end DBMS) word
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL): if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.SQLITE):
stopLimit += startLimit stopLimit += startLimit
untilLimitChar = expression.index(queries[Backend.getIdentifiedDbms()].limitstring.query) untilLimitChar = expression.index(queries[Backend.getIdentifiedDbms()].limitstring.query)
expression = expression[:untilLimitChar] expression = expression[:untilLimitChar]

6
xml/queries.xml
View File

@ -8,7 +8,7 @@
<isnull query="IFNULL(%s,' ')"/> <isnull query="IFNULL(%s,' ')"/>
<delimiter query=","/> <delimiter query=","/>
<limit query="LIMIT %d,%d"/> <limit query="LIMIT %d,%d"/>
<limitregexp query="\s+LIMIT\s+([\d]+)\s*\,\s*([\d]+)"/> <limitregexp query="\s+LIMIT\s+([\d]+)\s*\,\s*([\d]+)" query2="\s+LIMIT\s+([\d]+)"/>
<limitgroupstart query="1"/> <limitgroupstart query="1"/>
<limitgroupstop query="2"/> <limitgroupstop query="2"/>
<limitstring query=" LIMIT "/> <limitstring query=" LIMIT "/>
@ -82,7 +82,7 @@
<isnull query="COALESCE(%s,' ')"/> <isnull query="COALESCE(%s,' ')"/>
<delimiter query="||"/> <delimiter query="||"/>
<limit query="OFFSET %d LIMIT %d"/> <limit query="OFFSET %d LIMIT %d"/>
<limitregexp query="\s+OFFSET\s+([\d]+)\s+LIMIT\s+([\d]+)"/> <limitregexp query="\s+OFFSET\s+([\d]+)\s+LIMIT\s+([\d]+)" query2="\s+LIMIT\s+([\d]+)"/>
<limitgroupstart query="1"/> <limitgroupstart query="1"/>
<limitgroupstop query="2"/> <limitgroupstop query="2"/>
<limitstring query=" OFFSET "/> <limitstring query=" OFFSET "/>
@ -311,7 +311,7 @@
<isnull query="IFNULL(%s,' ')" dbms_version="&gt;=3.0"/> <isnull query="IFNULL(%s,' ')" dbms_version="&gt;=3.0"/>
<delimiter query="||"/> <delimiter query="||"/>
<limit query="LIMIT %d,%d"/> <limit query="LIMIT %d,%d"/>
<limitregexp query="\s+LIMIT\s+([\d]+)\s*\,\s*([\d]+)"/> <limitregexp query="\s+LIMIT\s+([\d]+)\s*\,\s*([\d]+)" query2="\s+LIMIT\s+([\d]+)"/>
<limitgroupstart query="1"/> <limitgroupstart query="1"/>
<limitgroupstop query="2"/> <limitgroupstop query="2"/>
<limitstring query=" LIMIT "/> <limitstring query=" LIMIT "/>