sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-02-03 13:14:13 +03:00
Code Issues Packages Projects Releases Wiki Activity

improvement of UNION based injection detection (with non-NULL kb.uChar values searching of the content inside -1 UNION.. pages is used)

Browse Source
This commit is contained in:
Miroslav Stampar 2011-08-22 21:43:46 +00:00
parent dafc4d93bd
commit f4127a80d7
1 changed files with 33 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
lib/techniques/union/test.py
View File

@ -110,13 +110,22 @@ def __findUnionCharCount(comment, place, parameter, value, prefix, suffix, where
query = agent.forgeInbandQuery('', -1, count, comment, prefix, suffix, kb.uChar) query = agent.forgeInbandQuery('', -1, count, comment, prefix, suffix, kb.uChar)
payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where) payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)
page, headers = Request.queryPage(payload, place=place, content=True, raise404=False) page, headers = Request.queryPage(payload, place=place, content=True, raise404=False)
if kb.uChar:
pages[count] = page
else:
ratio = comparison(page, headers, getRatioValue=True) or MIN_RATIO ratio = comparison(page, headers, getRatioValue=True) or MIN_RATIO
ratios.append(ratio) ratios.append(ratio)
min_, max_ = min(min_, ratio), max(max_, ratio) min_, max_ = min(min_, ratio), max(max_, ratio)
items.append((count, ratio)) items.append((count, ratio))
if kb.uChar:
pages[count] = page
if kb.uChar:
for regex in (kb.uChar, r'>\s*%s\s*<' % kb.uChar):
contains = [(count, re.search(regex, page, re.IGNORECASE) is not None) for count, page in pages.items()]
if len(filter(lambda x: x[1], contains)) == 1:
retVal = filter(lambda x: x[1], contains)[0][0]
break
else:
ratios.pop(ratios.index(min_)) ratios.pop(ratios.index(min_))
ratios.pop(ratios.index(max_)) ratios.pop(ratios.index(max_))
@ -145,13 +154,6 @@ def __findUnionCharCount(comment, place, parameter, value, prefix, suffix, where
if retVal is None or abs(max_ - upper) > abs(min_ - lower): if retVal is None or abs(max_ - upper) > abs(min_ - lower):
retVal = maxItem[0] retVal = maxItem[0]
if not retVal and kb.uChar:
for count, page in pages.items():
if not re.search(r'>\s*%s\s*<' % kb.uChar, page):
del pages[count]
if len(pages) == 1:
retVal = pages.keys()[0]
kb.errorIsNone = popValue() kb.errorIsNone = popValue()
if retVal: if retVal:
@ -254,7 +256,7 @@ def __unionTestByCharBruteforce(comment, place, parameter, value, prefix, suffix
if conf.uColsStop == conf.uColsStart: if conf.uColsStop == conf.uColsStart:
count = conf.uColsStart count = conf.uColsStart
else: else:
count = __findUnionCharCount(comment, place, parameter, value, prefix, suffix) count = __findUnionCharCount(comment, place, parameter, value, prefix, suffix, PAYLOAD.WHERE.NEGATIVE if kb.uChar else PAYLOAD.WHERE.ORIGINAL)
if count: if count:
if Backend.getIdentifiedDbms() in FROM_TABLE and query.endswith(FROM_TABLE[Backend.getIdentifiedDbms()]): if Backend.getIdentifiedDbms() in FROM_TABLE and query.endswith(FROM_TABLE[Backend.getIdentifiedDbms()]):