Proper return from error-based technique enumeration

Bernardo Damele 2011-01-31 21:13:29 +00:00
parent fa58a9c86b
commit e3a3ae11cc
3 changed files with 13 additions and 12 deletions


@ -97,6 +97,8 @@ def __errorFields(expression, expressionFields, expressionFieldsList, expected=N
logger.warn(warnMsg) logger.warn(warnMsg)
output = __oneShotErrorUse(expressionReplaced, field) output = __oneShotErrorUse(expressionReplaced, field)
if output is not None:
logger.info("retrieved: %s" % output) logger.info("retrieved: %s" % output)
if isinstance(num, int): if isinstance(num, int):
@ -145,7 +147,7 @@ def errorUse(expression, expected=None, resumeValue=True, dump=False):
# entry per time # entry per time
# NOTE: I assume that only queries that get data from a table can # NOTE: I assume that only queries that get data from a table can
# return multiple entries # return multiple entries
if " FROM " in expression.upper() and ((Backend.getIdentifiedDbms() not in FROM_TABLE) or (Backend.getIdentifiedDbms() in FROM_TABLE and not expression.upper().endswith(FROM_TABLE[Backend.getIdentifiedDbms()]))) and "EXISTS(" not in expression.upper(): if " FROM " in expression.upper() and ((Backend.getIdentifiedDbms() not in FROM_TABLE) or (Backend.getIdentifiedDbms() in FROM_TABLE and not expression.upper().endswith(FROM_TABLE[Backend.getIdentifiedDbms()]))) and "EXISTS(" not in expression.upper() and "(CASE" not in expression.upper():
limitRegExp = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query, expression, re.I) limitRegExp = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query, expression, re.I)
topLimit = re.search("TOP\s+([\d]+)\s+", expression, re.I) topLimit = re.search("TOP\s+([\d]+)\s+", expression, re.I)
@ -258,6 +260,9 @@ def errorUse(expression, expected=None, resumeValue=True, dump=False):
try: try:
for num in xrange(startLimit, stopLimit): for num in xrange(startLimit, stopLimit):
output = __errorFields(expression, expressionFields, expressionFieldsList, expected, num, resumeValue) output = __errorFields(expression, expressionFields, expressionFieldsList, expected, num, resumeValue)
if output and isinstance(output, list) and len(output) == 1:
output = output[0]
outputs.append(output) outputs.append(output)
except KeyboardInterrupt: except KeyboardInterrupt:
@ -270,8 +275,10 @@ def errorUse(expression, expected=None, resumeValue=True, dump=False):
debugMsg = "performed %d queries in %d seconds" % (reqCount, duration) debugMsg = "performed %d queries in %d seconds" % (reqCount, duration)
logger.debug(debugMsg) logger.debug(debugMsg)
return outputs if not outputs:
else: outputs = __errorFields(expression, expressionFields, expressionFieldsList)
return __errorFields(expression, expressionFields, expressionFieldsList)
if outputs and isinstance(outputs, list) and len(outputs) == 1:
outputs = outputs[0]
return outputs return outputs
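Review bot: The single-element unwrap added in the last hunk (`if outputs and isinstance(outputs, list) and len(outputs) == 1: outputs = outputs[0]`) makes the return type of errorUse depend on how many rows came back: one row yields a scalar, several rows yield a list, and a one-column single-row result is unwrapped twice (once per entry at the `output = output[0]` line, once here). Callers that iterate the result will iterate the characters of a string in the one-row case, which is the same shape ambiguity this commit removes the `isinstance(user, list)` guards for elsewhere; the contract should at least be stated in the docstring, e.g. `# Returns a scalar for a single retrieved entry, a list otherwise`. The `output and` prefix in the per-entry check is redundant, since `len(output) == 1` already rules out an empty list. The body of errorUse starts before the first hunk and the surrounding `try`/`except KeyboardInterrupt` is only partially visible, so I cannot tell whether `outputs` can be non-empty but contain only `None` entries, in which case the `if not outputs:` fallback would not trigger.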


@ -254,7 +254,7 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, unpack
reqCount += 1 reqCount += 1
if kb.misc.start not in content or kb.misc.stop not in content: if kb.misc.start not in content or kb.misc.stop not in content:
return return None
# Parse the returned page to get the exact inband # Parse the returned page to get the exact inband
# sql injection output # sql injection output


@ -267,9 +267,6 @@ class Enumeration:
if parsedUser: if parsedUser:
user = parsedUser.groups()[0] user = parsedUser.groups()[0]
if isinstance(user, list):
user = user[0]
if not user or user in retrievedUsers: if not user or user in retrievedUsers:
continue continue
@ -539,9 +536,6 @@ class Enumeration:
if Backend.getIdentifiedDbms() == DBMS.MYSQL and kb.data.has_information_schema: if Backend.getIdentifiedDbms() == DBMS.MYSQL and kb.data.has_information_schema:
unescapedUser = unescaper.unescape(user, quote=False) unescapedUser = unescaper.unescape(user, quote=False)
if isinstance(user, list):
user = user[0]
if not user or user in retrievedUsers: if not user or user in retrievedUsers:
continue continue
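Review bot: In the second hunk the removed `isinstance(user, list)` guard sat after `unescapedUser = unescaper.unescape(user, quote=False)`, so it never protected that call; dropping it is only safe if every retrieval path feeding `user` now returns a scalar, and this commit shows that normalization for the error-based technique only (the union path in the other file gets a cosmetic `return None` change). A list-valued `user` from another path would pass `user in retrievedUsers` silently and then be handed to `unescape`, so I would pin the assumption where the guard used to be: `# user is expected to be a scalar here; single-entry results are unwrapped by the retrieval technique`. The enclosing loops of both hunks start outside the visible section, so where `user` is assigned in the first hunk when `parsedUser` does not match is not visible here.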