sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2024-11-22 09:36:35 +03:00
Code Issues Packages Projects Releases Wiki Activity

Minor bug fix to properly deal --prefix and --suffix and parameter replace payloads

Browse Source
This commit is contained in:
Bernardo Damele 2011-01-24 12:25:45 +00:00
parent 8d0c2efbe2
commit e1db2700f0
3 changed files with 59 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
lib/controller/checks.py
View File

@ -189,32 +189,6 @@ def checkSqlInjection(place, parameter, value):
fstPayload = agent.cleanupPayload(test.request.payload, value)
fstPayload = unescaper.unescape(fstPayload, dbms=dbms)
if conf.prefix is not None and conf.suffix is not None:
# Create a custom boundary object for user's supplied prefix
# and suffix
boundary = advancedDict()
boundary.level = 1
boundary.clause = [ 0 ]
boundary.where = [ 1, 2, 3 ]
boundary.prefix = conf.prefix
boundary.suffix = conf.suffix
if " like" in boundary.suffix.lower():
if "'" in boundary.suffix.lower():
boundary.ptype = 3
elif '"' in boundary.suffix.lower():
boundary.ptype = 5
elif "'" in boundary.suffix:
boundary.ptype = 2
elif '"' in boundary.suffix:
boundary.ptype = 4
else:
boundary.ptype = 1
# Prepend user's provided boundaries to all others boundaries
conf.boundaries.insert(0, boundary)
for boundary in conf.boundaries:
injectable = False
@ -287,7 +261,7 @@ def checkSqlInjection(place, parameter, value):
# prefix and appending the boundary's suffix to the
# test's ' <payload><comment> ' string
boundPayload = agent.prefixQuery(fstPayload, prefix, where, clause)
boundPayload = agent.suffixQuery(boundPayload, comment, suffix)
boundPayload = agent.suffixQuery(boundPayload, comment, suffix, where)
boundPayload = agent.cleanupPayload(boundPayload, value)
reqPayload = agent.payload(place, parameter, newValue=boundPayload, where=where)
@ -307,7 +281,7 @@ def checkSqlInjection(place, parameter, value):
# suffix to the test's ' <payload><comment> '
# string
boundPayload = agent.prefixQuery(sndPayload, prefix, where, clause)
boundPayload = agent.suffixQuery(boundPayload, comment, suffix)
boundPayload = agent.suffixQuery(boundPayload, comment, suffix, where)
boundPayload = agent.cleanupPayload(boundPayload, value)
cmpPayload = agent.payload(place, parameter, newValue=boundPayload, where=where)

45
lib/core/agent.py
View File

@ -139,25 +139,28 @@ class Agent:
query = None
# Either if the technique is stacked queries (<stype>) or we are
# replacing (<where>) the parameter original value with our
# payload, do not put a space after the prefix
if kb.technique == PAYLOAD.TECHNIQUE.STACKED:
query = kb.injection.prefix
elif where == 3 or clause == [2, 3] or clause == [ 2 ] or clause == [ 3 ]:
query = prefix
elif kb.injection.clause == [2, 3] or kb.injection.clause == [ 2 ] or kb.injection.clause == [ 3 ]:
query = kb.injection.prefix
elif kb.technique and kb.technique in kb.injection.data:
if where is None and kb.technique and kb.technique in kb.injection.data:
where = kb.injection.data[kb.technique].where
# If we are replacing (<where>) the parameter original value with
# our payload do not prepend with the prefix
if where == 3:
query = ""
# If the technique is stacked queries (<stype>) do not put a space
# after the prefix or it is in GROUP BY / ORDER BY (<clause>)
elif kb.technique == PAYLOAD.TECHNIQUE.STACKED:
query = kb.injection.prefix
elif kb.injection.clause == [2, 3] or kb.injection.clause == [ 2 ] or kb.injection.clause == [ 3 ]:
query = kb.injection.prefix
elif clause == [2, 3] or clause == [ 2 ] or clause == [ 3 ]:
query = prefix
if query is None:
query = kb.injection.prefix or prefix or ''
# In any other case prepend with the full prefix
else:
query = kb.injection.prefix or prefix or ""
if not (string and string[0] == ';'):
if not (string and string[0] == ";"):
query += " "
query = "%s%s" % (query, string)
@ -165,7 +168,7 @@ class Agent:
return query
def suffixQuery(self, string, comment=None, suffix=None):
def suffixQuery(self, string, comment=None, suffix=None, where=None):
"""
This method appends the DBMS comment to the
SQL injection request
@ -177,10 +180,18 @@ class Agent:
if comment is not None:
string += comment
if kb.injection.suffix is None and suffix is not None:
string += " %s" % suffix
else:
if where is None and kb.technique and kb.technique in kb.injection.data:
where = kb.injection.data[kb.technique].where
# If we are replacing (<where>) the parameter original value with
# our payload do not append the suffix
if where == 3:
pass
elif kb.injection.suffix is not None:
string += " %s" % kb.injection.suffix
elif suffix is not None:
string += " %s" % suffix
string = self.cleanupPayload(string)

28
lib/core/option.py
View File

@ -785,6 +785,32 @@ def __setPrefixSuffix():
errMsg += "the payload prefix"
raise sqlmapSyntaxException, errMsg
if conf.prefix is not None and conf.suffix is not None:
# Create a custom boundary object for user's supplied prefix
# and suffix
boundary = advancedDict()
boundary.level = 1
boundary.clause = [ 0 ]
boundary.where = [ 1, 2, 3 ]
boundary.prefix = conf.prefix
boundary.suffix = conf.suffix
if " like" in boundary.suffix.lower():
if "'" in boundary.suffix.lower():
boundary.ptype = 3
elif '"' in boundary.suffix.lower():
boundary.ptype = 5
elif "'" in boundary.suffix:
boundary.ptype = 2
elif '"' in boundary.suffix:
boundary.ptype = 4
else:
boundary.ptype = 1
# Prepend user's provided boundaries to all others boundaries
conf.boundaries.insert(0, boundary)
def __setHTTPAuthentication():
"""
Check and set the HTTP(s) authentication method (Basic, Digest, NTLM or Certificate),
@ -1415,7 +1441,6 @@ def init(inputOptions=advancedDict()):
__setHTTPAuthentication()
__setHTTPProxy()
__setSafeUrl()
__setPrefixSuffix()
__setGoogleDorking()
__urllib2Opener()
__findPageForms()
@ -1428,5 +1453,6 @@ def init(inputOptions=advancedDict()):
__setMetasploit()
loadPayloads()
__setPrefixSuffix()
update()
__loadQueries()