From e1db2700f0697e774b62d61651c2ad4da9906fc7 Mon Sep 17 00:00:00 2001
From: Bernardo Damele
Date: Mon, 24 Jan 2011 12:25:45 +0000
Subject: [PATCH] Minor bug fix to properly deal --prefix and --suffix and parameter replace payloads
---
lib/controller/checks.py | 30 ++----------------------
lib/core/agent.py | 49 ++++++++++++++++++++++++----------------
lib/core/option.py | 28 ++++++++++++++++++++++-
3 files changed, 59 insertions(+), 48 deletions(-)
diff --git a/lib/controller/checks.py b/lib/controller/checks.py
index e6e38ba6c..87a7ad275 100644
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -189,32 +189,6 @@ def checkSqlInjection(place, parameter, value):
fstPayload = agent.cleanupPayload(test.request.payload, value)
fstPayload = unescaper.unescape(fstPayload, dbms=dbms)
- if conf.prefix is not None and conf.suffix is not None:
- # Create a custom boundary object for user's supplied prefix
- # and suffix
- boundary = advancedDict()
-
- boundary.level = 1
- boundary.clause = [ 0 ]
- boundary.where = [ 1, 2, 3 ]
- boundary.prefix = conf.prefix
- boundary.suffix = conf.suffix
-
- if " like" in boundary.suffix.lower():
- if "'" in boundary.suffix.lower():
- boundary.ptype = 3
- elif '"' in boundary.suffix.lower():
- boundary.ptype = 5
- elif "'" in boundary.suffix:
- boundary.ptype = 2
- elif '"' in boundary.suffix:
- boundary.ptype = 4
- else:
- boundary.ptype = 1
-
- # Prepend user's provided boundaries to all others boundaries
- conf.boundaries.insert(0, boundary)
-
for boundary in conf.boundaries:
injectable = False
@@ -287,7 +261,7 @@ def checkSqlInjection(place, parameter, value):
# prefix and appending the boundary's suffix to the
# test's ' ' string
boundPayload = agent.prefixQuery(fstPayload, prefix, where, clause)
- boundPayload = agent.suffixQuery(boundPayload, comment, suffix)
+ boundPayload = agent.suffixQuery(boundPayload, comment, suffix, where)
boundPayload = agent.cleanupPayload(boundPayload, value)
reqPayload = agent.payload(place, parameter, newValue=boundPayload, where=where)
@@ -307,7 +281,7 @@ def checkSqlInjection(place, parameter, value):
# suffix to the test's ' '
# string
boundPayload = agent.prefixQuery(sndPayload, prefix, where, clause)
- boundPayload = agent.suffixQuery(boundPayload, comment, suffix)
+ boundPayload = agent.suffixQuery(boundPayload, comment, suffix, where)
boundPayload = agent.cleanupPayload(boundPayload, value)
cmpPayload = agent.payload(place, parameter, newValue=boundPayload, where=where)
diff --git a/lib/core/agent.py b/lib/core/agent.py
index 1b2fad4e1..baeb8502f 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -139,25 +139,28 @@ class Agent:
query = None
- # Either if the technique is stacked queries () or we are
- # replacing () the parameter original value with our
- # payload, do not put a space after the prefix
- if kb.technique == PAYLOAD.TECHNIQUE.STACKED:
- query = kb.injection.prefix
- elif where == 3 or clause == [2, 3] or clause == [ 2 ] or clause == [ 3 ]:
- query = prefix
- elif kb.injection.clause == [2, 3] or kb.injection.clause == [ 2 ] or kb.injection.clause == [ 3 ]:
- query = kb.injection.prefix
- elif kb.technique and kb.technique in kb.injection.data:
+ if where is None and kb.technique and kb.technique in kb.injection.data:
where = kb.injection.data[kb.technique].where
- if where == 3:
- query = kb.injection.prefix
+ # If we are replacing () the parameter original value with
+ # our payload do not prepend with the prefix
+ if where == 3:
+ query = ""
- if query is None:
- query = kb.injection.prefix or prefix or ''
+ # If the technique is stacked queries () do not put a space
+ # after the prefix or it is in GROUP BY / ORDER BY ()
+ elif kb.technique == PAYLOAD.TECHNIQUE.STACKED:
+ query = kb.injection.prefix
+ elif kb.injection.clause == [2, 3] or kb.injection.clause == [ 2 ] or kb.injection.clause == [ 3 ]:
+ query = kb.injection.prefix
+ elif clause == [2, 3] or clause == [ 2 ] or clause == [ 3 ]:
+ query = prefix
- if not (string and string[0] == ';'):
+ # In any other case prepend with the full prefix
+ else:
+ query = kb.injection.prefix or prefix or ""
+
+ if not (string and string[0] == ";"):
query += " "
query = "%s%s" % (query, string)
@@ -165,7 +168,7 @@ class Agent:
return query
- def suffixQuery(self, string, comment=None, suffix=None):
+ def suffixQuery(self, string, comment=None, suffix=None, where=None):
"""
This method appends the DBMS comment to the SQL injection request
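Review bot: The new comment on the `PAYLOAD.TECHNIQUE.STACKED` branch says "do not put a space after the prefix", but the space is added by the shared `if not (string and string[0] == ";"): query += " "` at the bottom of the hunk, which runs for every branch; the branches only decide which prefix is used (`kb.injection.prefix`, the boundary `prefix`, or the `kb.injection.prefix or prefix or ""` fallback), so the comment contradicts the code whenever a stacked payload does not start with `;`. I would reword the two branch comments to describe the prefix selection, e.g. `# Stacked-queries technique, or injection inside GROUP BY / ORDER BY: use the injection's own prefix`. The empty parentheses in `stacked queries ()`, `replacing ()` and `ORDER BY ()` read as placeholders that lost their content; fill them or drop them. The bare `3` in `where == 3` is compared against `kb.injection.data[kb.technique].where` without a name; if the enums module that provides `PAYLOAD.TECHNIQUE` also defines a constant for the replace position, comparing against it would document the intent. prefixQuery's signature and the start of its body lie outside the hunk.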
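Review bot: The new `where=None` parameter of `suffixQuery` is not described in the docstring that opens on the last lines of the hunk, whose first sentence only mentions appending the DBMS comment. Add a parameter entry in the same style the rest of that docstring uses, along the lines of: where is the injection position; when None it is resolved from `kb.injection.data` for the current technique, and for the replace position (3) no suffix is appended. The remainder of the docstring and the method body continue outside the hunk.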
@@ -177,10 +180,18 @@ class Agent:
if comment is not None:
string += comment
- if kb.injection.suffix is None and suffix is not None:
- string += " %s" % suffix
- else:
+ if where is None and kb.technique and kb.technique in kb.injection.data:
+ where = kb.injection.data[kb.technique].where
+
+ # If we are replacing () the parameter original value with
+ # our payload do not append the suffix
+ if where == 3:
+ pass
+
+ elif kb.injection.suffix is not None:
string += " %s" % kb.injection.suffix
+ elif suffix is not None:
+ string += " %s" % suffix
string = self.cleanupPayload(string)
diff --git a/lib/core/option.py b/lib/core/option.py
index f0bf084ff..4b7110ded 100644
--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -785,6 +785,32 @@ def __setPrefixSuffix():
errMsg += "the payload prefix"
raise sqlmapSyntaxException, errMsg
+ if conf.prefix is not None and conf.suffix is not None:
+ # Create a custom boundary object for user's supplied prefix
+ # and suffix
+ boundary = advancedDict()
+
+ boundary.level = 1
+ boundary.clause = [ 0 ]
+ boundary.where = [ 1, 2, 3 ]
+ boundary.prefix = conf.prefix
+ boundary.suffix = conf.suffix
+
+ if " like" in boundary.suffix.lower():
+ if "'" in boundary.suffix.lower():
+ boundary.ptype = 3
+ elif '"' in boundary.suffix.lower():
+ boundary.ptype = 5
+ elif "'" in boundary.suffix:
+ boundary.ptype = 2
+ elif '"' in boundary.suffix:
+ boundary.ptype = 4
+ else:
+ boundary.ptype = 1
+
+ # Prepend user's provided boundaries to all others boundaries
+ conf.boundaries.insert(0, boundary)
+
def __setHTTPAuthentication():
"""
Check and set the HTTP(s) authentication method (Basic, Digest, NTLM or Certificate),
@@ -1415,7 +1441,6 @@ def init(inputOptions=advancedDict()):
__setHTTPAuthentication()
__setHTTPProxy()
__setSafeUrl()
- __setPrefixSuffix()
__setGoogleDorking()
__urllib2Opener()
__findPageForms()
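Review bot: The two-line lookup `if where is None and kb.technique and kb.technique in kb.injection.data: where = kb.injection.data[kb.technique].where` is now repeated verbatim in `prefixQuery` (previous hunk) and `suffixQuery`, so the two methods can drift apart the next time the resolution rule changes; a small private helper on Agent, called from both, keeps one definition. The `if where == 3: pass` branch exists only to skip the two `elif`s; a guard `if where != 3:` around the two appends, with the comment moved onto it, reads more directly and cannot be broken by a later `elif` added above the `pass`. Note that `self.cleanupPayload(string)` must still run for the replace case, so this should not become an early return. The start of suffixQuery lies outside the hunk.
```python
    def _resolveWhere(self, where):
        # Fall back to the where of the current technique when the caller did not pass one
        if where is None and kb.technique and kb.technique in kb.injection.data:
            where = kb.injection.data[kb.technique].where
        return where

    # … unchanged: suffixQuery signature, docstring and the comment append …
        where = self._resolveWhere(where)

        # When replacing the parameter's original value with the payload, no suffix is appended
        if where != 3:
            if kb.injection.suffix is not None:
                string += " %s" % kb.injection.suffix
            elif suffix is not None:
                string += " %s" % suffix
```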
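Review bot: `boundary.ptype` is never assigned when the user suffix contains `" like"` but neither quote character: the outer `if " like" in boundary.suffix.lower():` matches, both inner branches fail, and the outer `elif`/`else` chain that would set `ptype = 1` is skipped, so the boundary is inserted into `conf.boundaries` without a ptype and a later read of `boundary.ptype` presumably fails on the missing attribute (depends on how advancedDict handles absent keys). Add an inner fallback under the `elif '"' in boundary.suffix.lower():` branch, `else: boundary.ptype = 1`, or restructure so the unquoted case reaches the outer `else`. The ptype values 1 to 5 are bare integers with no comment, while the same codebase names techniques through `PAYLOAD.TECHNIQUE`; a one-line comment per value (or a constant, if the enums module has one) would tell the next reader what each denotes. The block is moved here from checks.py, so the gap predates this commit, but it is the new side now. The `elif`s that precede this block in __setPrefixSuffix are outside the hunk.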
@@ -1428,5 +1453,6 @@ def init(inputOptions=advancedDict()):
__setMetasploit()
loadPayloads()
+ __setPrefixSuffix()
update()
__loadQueries()
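Review bot: `__setPrefixSuffix()` is moved from before `__setGoogleDorking()` to after `loadPayloads()` with nothing in the code recording why; from the option.py hunk above it now inserts into `conf.boundaries`, which presumably `loadPayloads()` populates, so the ordering is a hard dependency that a later reshuffle of `init()` could silently break. Add a comment on the added line, e.g. `# must run after loadPayloads(): prepends the user-supplied boundary to conf.boundaries`, and consider having __setPrefixSuffix raise a clear error if `conf.boundaries` is not yet set rather than failing on the insert. The rest of init() lies outside the hunk.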