From e6c66fa37c8b6fe7474257eca00ea96cdeeaaa09 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Sat, 11 Dec 2010 17:55:28 +0000
Subject: [PATCH] update regarding expectingNone in fingerprinting mode to cancel drop down to other techniques available
---
lib/request/inject.py | 10 ++-----
plugins/dbms/access/fingerprint.py | 10 +++----
plugins/dbms/firebird/fingerprint.py | 8 +++---
plugins/dbms/maxdb/fingerprint.py | 4 +--
plugins/dbms/mssqlserver/fingerprint.py | 2 +-
plugins/dbms/mysql/fingerprint.py | 38 ++++++++++++-------------
plugins/dbms/oracle/fingerprint.py | 4 +--
plugins/dbms/postgresql/fingerprint.py | 4 +--
plugins/dbms/sqlite/fingerprint.py | 6 ++--
plugins/dbms/sybase/fingerprint.py | 6 ++--
10 files changed, 43 insertions(+), 49 deletions(-)
diff --git a/lib/request/inject.py b/lib/request/inject.py
index 27d4ebe63..2544ff578 100644
--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@@ -97,10 +97,6 @@ def __goInferenceFields(expression, expressionFields, expressionFieldsList, payl return outputs def __goBooleanProxy(expression, resumeValue=True): - - pushValue(conf.verbose) - conf.verbose = 0 - vector = kb.injection.data[kb.technique].vector kb.pageTemplate = getPageTemplate(kb.injection.data[kb.technique].templatePayload, kb.injection.place)
@@ -118,8 +114,6 @@ def __goBooleanProxy(expression, resumeValue=True): if not output: output = Request.queryPage(payload) - conf.verbose = popValue() - return output
@@ -404,7 +398,7 @@ def getValue(expression, blind=True, inband=True, error=True, time=True, fromUse (if selected). """ - if suppressOutput: + if suppressOutput or expected == EXPECTED.BOOL: pushValue(conf.verbose) conf.verbose = 0
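Review bot: The new mute condition `suppressOutput or expected == EXPECTED.BOOL` is spelled out twice, once before `pushValue(conf.verbose)` in the `@@ -404` hunk here and again in the `finally:` of the `@@ -478` hunk on the next line before `conf.verbose = popValue()`; any later edit that changes one copy but not the other leaves a push without its pop (or pops a value nobody pushed), and `conf.verbose` is then wrong for the rest of the run. Evaluating it once into a local before the `try`, `muteOutput = suppressOutput or expected == EXPECTED.BOOL`, and testing `if muteOutput:` in both places keeps the pair symmetric by construction. getValue's body, including the `try:` that the `finally:` belongs to, lies outside both hunks, so the exact placement of the push relative to the `try` is inferred.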
@@ -478,7 +472,7 @@ def getValue(expression, blind=True, inband=True, error=True, time=True, fromUse errMsg += "leveraged to retrieve queries output" raise sqlmapNotVulnerableException, errMsg finally: - if suppressOutput: + if suppressOutput or expected == EXPECTED.BOOL: conf.verbose = popValue() if value and expected == EXPECTED.BOOL:
diff --git a/plugins/dbms/access/fingerprint.py b/plugins/dbms/access/fingerprint.py
index c02f66a4d..62485f6e3 100644
--- a/plugins/dbms/access/fingerprint.py
+++ b/plugins/dbms/access/fingerprint.py
@@ -41,7 +41,7 @@ class Fingerprint(GenericFingerprint): elif kb.dbmsVersion[0] in ("2002-2003", "2007"): table = "MSysAccessStorage" if table: - result = inject.checkBooleanExpression("EXISTS(SELECT CURDIR() FROM %s)" % table) + result = inject.checkBooleanExpression("EXISTS(SELECT CURDIR() FROM %s)" % table, expectingNone=True) retVal = "not sandboxed" if result else "sandboxed" return retVal
@@ -68,7 +68,7 @@ class Fingerprint(GenericFingerprint): negate = True table = table[1:] randInt = randomInt() - result = inject.checkBooleanExpression("EXISTS(SELECT * FROM %s WHERE %d=%d)" % (table, randInt, randInt)) + result = inject.checkBooleanExpression("EXISTS(SELECT * FROM %s WHERE %d=%d)" % (table, randInt, randInt), expectingNone=True) if result is None: result = False if negate:
@@ -89,7 +89,7 @@ class Fingerprint(GenericFingerprint): randInt = randomInt() randStr = randomStr() - _ = inject.checkBooleanExpression("EXISTS(SELECT * FROM %s.%s WHERE %d=%d)" % (randStr, randStr, randInt, randInt)) + _ = inject.checkBooleanExpression("EXISTS(SELECT * FROM %s.%s WHERE %d=%d)" % (randStr, randStr, randInt, randInt), expectingNone=True) if wasLastRequestDBMSError(): match = re.search("Could not find file\s+'([^']+?)'", kb.lastErrorPage[1])
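Review bot: `retVal = "not sandboxed" if result else "sandboxed"` in the `@@ -41` hunk of plugins/dbms/access/fingerprint.py collapses a `None` from `checkBooleanExpression` into the definite answer "sandboxed"; if `expectingNone=True` lets the call return `None` when the probe cannot be evaluated (the commit subject suggests it no longer drops to other techniques), the fingerprint then reports a sandbox state it never observed. The next hunk in the same file (`@@ -68`) already keeps the tri-state in view with `if result is None: result = False`; here the safer shape is `if result is not None: retVal = "not sandboxed" if result else "sandboxed"`, so `retVal` keeps whatever default it is given above the hunk when the probe is undetermined. The same collapse appears in firebird's `__dialectCheck` (`retVal = "dialect 3" if result else "dialect 1"`, hunk `@@ -97` on the next line) and in sqlite's `kb.dbmsVersion = [ '3' if result else '2' ]` (hunk `@@ -94` in plugins/dbms/sqlite/fingerprint.py). The enclosing method starts outside the hunk, so where `retVal` is initialised is not visible here.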
@@ -153,13 +153,13 @@ class Fingerprint(GenericFingerprint): logMsg = "testing Microsoft Access" logger.info(logMsg) - result = inject.checkBooleanExpression("VAL(CVAR(1))=1") + result = inject.checkBooleanExpression("VAL(CVAR(1))=1", expectingNone=True) if result: logMsg = "confirming Microsoft Access" logger.info(logMsg) - result = inject.checkBooleanExpression("IIF(ATN(2)>0,1,0) BETWEEN 2 AND 0") + result = inject.checkBooleanExpression("IIF(ATN(2)>0,1,0) BETWEEN 2 AND 0", expectingNone=True) if not result: warnMsg = "the back-end DBMS is not Microsoft Access"
diff --git a/plugins/dbms/firebird/fingerprint.py b/plugins/dbms/firebird/fingerprint.py
index ff1a7bb7e..e3fe4b747 100644
--- a/plugins/dbms/firebird/fingerprint.py
+++ b/plugins/dbms/firebird/fingerprint.py
@@ -83,7 +83,7 @@ class Fingerprint(GenericFingerprint): version, checks = table[i] failed = False check = checks[randomRange(0,len(checks)-1)].replace("%d", getUnicode(randomRange(1,100))) - result = inject.checkBooleanExpression(check) + result = inject.checkBooleanExpression(check, expectingNone=True) if result: retVal = version else:
@@ -97,7 +97,7 @@ class Fingerprint(GenericFingerprint): def __dialectCheck(self): retVal = None if kb.dbms: - result = inject.checkBooleanExpression("EXISTS(SELECT CURRENT_DATE FROM RDB$DATABASE)") + result = inject.checkBooleanExpression("EXISTS(SELECT CURRENT_DATE FROM RDB$DATABASE)", expectingNone=True) retVal = "dialect 3" if result else "dialect 1" return retVal
@@ -114,13 +114,13 @@ class Fingerprint(GenericFingerprint): logger.info(logMsg) randInt = randomInt() - result = inject.checkBooleanExpression("EXISTS(SELECT * FROM RDB$DATABASE WHERE %d=%d)" % (randInt, randInt)) + result = inject.checkBooleanExpression("EXISTS(SELECT * FROM RDB$DATABASE WHERE %d=%d)" % (randInt, randInt), expectingNone=True) if result: logMsg = "confirming Firebird" logger.info(logMsg) - result = inject.checkBooleanExpression("EXISTS(SELECT CURRENT_USER FROM RDB$DATABASE)") + result = inject.checkBooleanExpression("EXISTS(SELECT CURRENT_USER FROM RDB$DATABASE)", expectingNone=True) if not result: warnMsg = "the back-end DBMS is not Firebird"
diff --git a/plugins/dbms/maxdb/fingerprint.py b/plugins/dbms/maxdb/fingerprint.py
index e053a7073..e750cdadf 100644
--- a/plugins/dbms/maxdb/fingerprint.py
+++ b/plugins/dbms/maxdb/fingerprint.py
@@ -112,13 +112,13 @@ class Fingerprint(GenericFingerprint): logger.info(logMsg) randInt = randomInt() - result = inject.checkBooleanExpression("NOROUND(%d)=%d" % (randInt, randInt)) + result = inject.checkBooleanExpression("NOROUND(%d)=%d" % (randInt, randInt), expectingNone=True) if result: logMsg = "confirming SAP MaxDB" logger.info(logMsg) - result = inject.checkBooleanExpression("MAPCHAR(NULL,1,DEFAULTMAP) IS NULL") + result = inject.checkBooleanExpression("MAPCHAR(NULL,1,DEFAULTMAP) IS NULL", expectingNone=True) if not result: warnMsg = "the back-end DBMS is not SAP MaxDB"
diff --git a/plugins/dbms/mssqlserver/fingerprint.py b/plugins/dbms/mssqlserver/fingerprint.py
index faffe0fb1..f8da87cb7 100644
--- a/plugins/dbms/mssqlserver/fingerprint.py
+++ b/plugins/dbms/mssqlserver/fingerprint.py
@@ -92,7 +92,7 @@ class Fingerprint(GenericFingerprint): result = True else: randInt = randomInt() - result = inject.checkBooleanExpression("BINARY_CHECKSUM(%d)=BINARY_CHECKSUM(%d)" % (randInt, randInt)) + result = inject.checkBooleanExpression("BINARY_CHECKSUM(%d)=BINARY_CHECKSUM(%d)" % (randInt, randInt), expectingNone=True) if result: infoMsg = "confirming Microsoft SQL Server"
diff --git a/plugins/dbms/mysql/fingerprint.py b/plugins/dbms/mysql/fingerprint.py
index 0494d14f5..2563dd7f9 100644
--- a/plugins/dbms/mysql/fingerprint.py
+++ b/plugins/dbms/mysql/fingerprint.py
@@ -163,13 +163,13 @@ class Fingerprint(GenericFingerprint): logger.info(infoMsg) randInt = getUnicode(randomInt(1)) - result = inject.checkBooleanExpression("CONNECTION_ID()=CONNECTION_ID()") + result = inject.checkBooleanExpression("CONNECTION_ID()=CONNECTION_ID()", expectingNone=True) if result: infoMsg = "confirming MySQL" logger.info(infoMsg) - result = inject.checkBooleanExpression("ISNULL(1/0)" if kb.injection.place != PLACE.URI else "ISNULL(1 DIV 0)") + result = inject.checkBooleanExpression("ISNULL(1/0)" if kb.injection.place != PLACE.URI else "ISNULL(1 DIV 0)", expectingNone=True) if not result: warnMsg = "the back-end DBMS is not MySQL"
@@ -178,7 +178,7 @@ class Fingerprint(GenericFingerprint): return False # Determine if it is MySQL >= 5.0.0 - if inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.TABLES LIMIT 0, 1)" % (randInt, randInt), expectingNone=True): kb.data.has_information_schema = True kb.dbmsVersion = [">= 5.0.0"]
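Review bot: In the `@@ -178` hunk of plugins/dbms/mysql/fingerprint.py the result of the information_schema probe is consumed directly as a truth value, `if inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.TABLES LIMIT 0, 1)" % (randInt, randInt), expectingNone=True):`, so a `None` (probe not evaluable) is treated exactly like `False`: `kb.data.has_information_schema` stays unset and, judging by the comments, control presumably continues to the pre-5.0 ladder in the `@@ -228` hunk, whose final `else` asserts `kb.dbmsVersion = ["< 3.22.11"]` with confidence. Capturing the value first, `result = inject.checkBooleanExpression(...)`, and branching on `result is None` before the chain (logging that the version could not be determined rather than asserting one) would keep an unevaluable probe from becoming a wrong fingerprint. The enclosing method starts outside the hunk, and the path from this hunk's else-branch to the pre-5.0 checks is inferred from the comments, not visible here.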
@@ -190,28 +190,28 @@ class Fingerprint(GenericFingerprint): return True # Check if it is MySQL >= 5.5.0 - if inject.checkBooleanExpression("TO_SECONDS(950501)>0"): + if inject.checkBooleanExpression("TO_SECONDS(950501)>0", expectingNone=True): kb.dbmsVersion = [">= 5.5.0"] # Check if it is MySQL >= 5.1.2 and < 5.5.0 - elif inject.checkBooleanExpression("@@table_open_cache=@@table_open_cache"): - if inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.GLOBAL_STATUS LIMIT 0, 1)" % (randInt, randInt)): + elif inject.checkBooleanExpression("@@table_open_cache=@@table_open_cache", expectingNone=True): + if inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.GLOBAL_STATUS LIMIT 0, 1)" % (randInt, randInt), expectingNone=True): kb.dbmsVersion = [">= 5.1.12", "< 5.5.0"] - elif inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.PROCESSLIST LIMIT 0, 1)" % (randInt,randInt)): + elif inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.PROCESSLIST LIMIT 0, 1)" % (randInt,randInt), expectingNone=True): kb.dbmsVersion = [">= 5.1.7", "< 5.1.12"] - elif inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.PARTITIONS LIMIT 0, 1)" % (randInt, randInt)): + elif inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.PARTITIONS LIMIT 0, 1)" % (randInt, randInt), expectingNone=True): kb.dbmsVersion = ["= 5.1.6"] - elif inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.PLUGINS LIMIT 0, 1)" % (randInt, randInt)): + elif inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.PLUGINS LIMIT 0, 1)" % (randInt, randInt), expectingNone=True): kb.dbmsVersion = [">= 5.1.5", "< 5.1.6"] else: kb.dbmsVersion = [">= 5.1.2", "< 5.1.5"] # Check if it is MySQL >= 5.0.0 and < 5.1.2 - elif inject.checkBooleanExpression("@@hostname=@@hostname"): + elif inject.checkBooleanExpression("@@hostname=@@hostname", expectingNone=True): kb.dbmsVersion = [">= 5.0.38", "< 5.1.2"] - elif 
inject.checkBooleanExpression("%s=(SELECT %s FROM DUAL)" % (randInt, randInt)): + elif inject.checkBooleanExpression("%s=(SELECT %s FROM DUAL)" % (randInt, randInt), expectingNone=True): kb.dbmsVersion = [">= 5.0.11", "< 5.0.38"] - elif inject.checkBooleanExpression("DATABASE() LIKE SCHEMA()"): + elif inject.checkBooleanExpression("DATABASE() LIKE SCHEMA()", expectingNone=True): kb.dbmsVersion = [">= 5.0.2", "< 5.0.11"] else: kb.dbmsVersion = [">= 5.0.0", "<= 5.0.1"] 
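Review bot: Every rung of the version ladder in this hunk (`@@ -190`) and the next (`@@ -228`) repeats the full `inject.checkBooleanExpression("...", expectingNone=True)` call, so the fingerprint-specific keyword is spelled out roughly twenty times and a future change to how fingerprinting calls the proxy touches every line. A two-line local helper at the top of the method, `def _probe(expr): return inject.checkBooleanExpression(expr, expectingNone=True)`, lets each rung read `elif _probe("@@hostname=@@hostname"):` and gives one place to document why fingerprinting passes `expectingNone`. The enclosing method starts and ends outside the hunk.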
@@ -228,22 +228,22 @@ class Fingerprint(GenericFingerprint): return True # Check which version of MySQL < 5.0.0 it is - if inject.checkBooleanExpression("3=(SELECT COERCIBILITY(USER()))"): + if inject.checkBooleanExpression("3=(SELECT COERCIBILITY(USER()))", expectingNone=True): kb.dbmsVersion = [">= 4.1.11", "< 5.0.0"] - elif inject.checkBooleanExpression("2=(SELECT COERCIBILITY(USER()))"): + elif inject.checkBooleanExpression("2=(SELECT COERCIBILITY(USER()))", expectingNone=True): kb.dbmsVersion = [">= 4.1.1", "< 4.1.11"] - elif inject.checkBooleanExpression("CURRENT_USER()=CURRENT_USER()"): + elif inject.checkBooleanExpression("CURRENT_USER()=CURRENT_USER()", expectingNone=True): kb.dbmsVersion = [">= 4.0.6", "< 4.1.1"] - if inject.checkBooleanExpression("(SELECT CHARSET(CURRENT_USER()))='utf8'"): + if inject.checkBooleanExpression("(SELECT CHARSET(CURRENT_USER()))='utf8'", expectingNone=True): kb.dbmsVersion = ["= 4.1.0"] else: kb.dbmsVersion = [">= 4.0.6", "< 4.1.0"] - elif inject.checkBooleanExpression("0=(SELECT FOUND_ROWS()"): + elif inject.checkBooleanExpression("0=(SELECT FOUND_ROWS()", expectingNone=True): kb.dbmsVersion = [">= 4.0.0", "< 4.0.6"] - elif inject.checkBooleanExpression("CONNECTION_ID()=CONNECTION_ID()"): + elif inject.checkBooleanExpression("CONNECTION_ID()=CONNECTION_ID()", expectingNone=True): kb.dbmsVersion = [">= 3.23.14", "< 4.0.0"] - elif inject.checkBooleanExpression("USER()=USER()"): + elif inject.checkBooleanExpression("USER()=USER()", expectingNone=True): kb.dbmsVersion = [">= 3.22.11", "< 3.23.14"] else: kb.dbmsVersion = ["< 3.22.11"]
diff --git a/plugins/dbms/oracle/fingerprint.py b/plugins/dbms/oracle/fingerprint.py
index ccaf22473..408b85632 100644
--- a/plugins/dbms/oracle/fingerprint.py
+++ b/plugins/dbms/oracle/fingerprint.py
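Review bot: `elif inject.checkBooleanExpression("0=(SELECT FOUND_ROWS()", expectingNone=True):` carries an unbalanced parenthesis into the rewritten line: `0=(SELECT FOUND_ROWS()` opens two parentheses and closes only one, so the server rejects the expression as a syntax error, the probe can never come back true, and the `[">= 4.0.0", "< 4.0.6"]` rung is unreachable (the ladder falls through to the `CONNECTION_ID()` rung instead). The typo predates this commit, but since the line is being touched anyway it should read `elif inject.checkBooleanExpression("0=(SELECT FOUND_ROWS())", expectingNone=True):`. The enclosing method starts outside the hunk.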
@@ -80,7 +80,7 @@ class Fingerprint(GenericFingerprint): if conf.direct: result = True else: - result = inject.checkBooleanExpression("ROWNUM=ROWNUM") + result = inject.checkBooleanExpression("ROWNUM=ROWNUM", expectingNone=True) if result: logMsg = "confirming Oracle"
@@ -91,7 +91,7 @@ class Fingerprint(GenericFingerprint): if conf.direct: result = True else: - result = inject.checkBooleanExpression("LENGTH(SYSDATE)=LENGTH(SYSDATE)") + result = inject.checkBooleanExpression("LENGTH(SYSDATE)=LENGTH(SYSDATE)", expectingNone=True) if not result: warnMsg = "the back-end DBMS is not Oracle"
diff --git a/plugins/dbms/postgresql/fingerprint.py b/plugins/dbms/postgresql/fingerprint.py
index 3f76505d9..053cc2eb9 100644
--- a/plugins/dbms/postgresql/fingerprint.py
+++ b/plugins/dbms/postgresql/fingerprint.py
@@ -86,13 +86,13 @@ class Fingerprint(GenericFingerprint): randInt = getUnicode(randomInt(1)) - result = inject.checkBooleanExpression("%s::int=%s" % (randInt, randInt)) + result = inject.checkBooleanExpression("%s::int=%s" % (randInt, randInt), expectingNone=True) if result: infoMsg = "confirming PostgreSQL" logger.info(infoMsg) - result = inject.checkBooleanExpression("COALESCE(%s, NULL)=%s" % (randInt, randInt)) + result = inject.checkBooleanExpression("COALESCE(%s, NULL)=%s" % (randInt, randInt), expectingNone=True) if not result: warnMsg = "the back-end DBMS is not PostgreSQL"
diff --git a/plugins/dbms/sqlite/fingerprint.py b/plugins/dbms/sqlite/fingerprint.py
index 3a8f6f301..e612e1552 100644
--- a/plugins/dbms/sqlite/fingerprint.py
+++ b/plugins/dbms/sqlite/fingerprint.py
@@ -80,13 +80,13 @@ class Fingerprint(GenericFingerprint): logMsg = "testing SQLite" logger.info(logMsg) - result = inject.checkBooleanExpression("LAST_INSERT_ROWID()=LAST_INSERT_ROWID()") + result = inject.checkBooleanExpression("LAST_INSERT_ROWID()=LAST_INSERT_ROWID()", expectingNone=True) if result: logMsg = "confirming SQLite" logger.info(logMsg) - result = inject.checkBooleanExpression("SQLITE_VERSION()=SQLITE_VERSION()") + result = inject.checkBooleanExpression("SQLITE_VERSION()=SQLITE_VERSION()", expectingNone=True) if not result: warnMsg = "the back-end DBMS is not SQLite"
@@ -94,7 +94,7 @@ class Fingerprint(GenericFingerprint): return False else: - result = inject.checkBooleanExpression("RANDOMBLOB(-1)>0") + result = inject.checkBooleanExpression("RANDOMBLOB(-1)>0", expectingNone=True) kb.dbmsVersion = [ '3' if result else '2' ] setDbms(DBMS.SQLITE)
diff --git a/plugins/dbms/sybase/fingerprint.py b/plugins/dbms/sybase/fingerprint.py
index 8b87e799a..ca5bc2771 100644
--- a/plugins/dbms/sybase/fingerprint.py
+++ b/plugins/dbms/sybase/fingerprint.py
@@ -81,13 +81,13 @@ class Fingerprint(GenericFingerprint): if conf.direct: result = True else: - result = inject.checkBooleanExpression("tempdb_id()=tempdb_id()") + result = inject.checkBooleanExpression("tempdb_id()=tempdb_id()", expectingNone=True) if result: logMsg = "confirming Sybase" logger.info(logMsg) - result = inject.checkBooleanExpression("suser_id()=suser_id()") + result = inject.checkBooleanExpression("suser_id()=suser_id()", expectingNone=True) if not result: warnMsg = "the back-end DBMS is not Sybase"
@@ -103,7 +103,7 @@ class Fingerprint(GenericFingerprint): return True for version in range(12, 16): - result = inject.checkBooleanExpression("@@VERSION_NUMBER/1000=%d" % version) + result = inject.checkBooleanExpression("@@VERSION_NUMBER/1000=%d" % version, expectingNone=True) if result: kb.dbmsVersion = ["%d" % version] break
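Review bot: `for version in range(12, 16):` in the `@@ -103` hunk of plugins/dbms/sybase/fingerprint.py probes `@@VERSION_NUMBER/1000=%d` for four literal majors with no comment on what the bounds mean, and the loop simply ends when no probe matches or every probe returns `None`, leaving the reader to guess whether that is intended. A comment above the loop, `# the code treats @@VERSION_NUMBER/1000 as the ASE major; probe 12 through 15, one request each, and keep the first match`, would make the bound and the request cost explicit and flag that the upper bound needs bumping for newer majors. The enclosing method and what `kb.dbmsVersion` holds when the loop exhausts without a match are outside the hunk.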