Commit Graph

544 Commits

Author SHA1 Message Date
Miroslav Stampar
382db1b67a degrading Microsoft Access UNION tests for one level down (it really does take toooooo long to scan a site with no vulnerable parameters and normal level) 2011-08-31 20:35:57 +00:00
Miroslav Stampar
d283e3eb3c adding support for pre-WHERE injections 2011-08-24 09:04:18 +00:00
Miroslav Stampar
13eb20cea1 minor beautification 2011-08-03 10:12:06 +00:00
Bernardo Damele
2e20eb1a88 Minor fix 2011-08-03 10:08:59 +00:00
Bernardo Damele
b8e2d60bfa Added MSSQL 2008 R2 signatures 2011-07-24 23:42:32 +00:00
Bernardo Damele
48f580fb10 Minor adjustments to MSSQL fingerprint 2011-07-24 23:30:23 +00:00
Bernardo Damele
99a0b62d0d Minor adjustments 2011-07-24 22:26:11 +00:00
Miroslav Stampar
ca83305b58 added MySQL updatexml error-based payload 2011-07-24 21:08:32 +00:00
Miroslav Stampar
a89140e1ce revisit of Oracle error-based payloads (added replace for '@' as a problematic char for XMLType function) 2011-07-23 06:07:00 +00:00
Miroslav Stampar
4cb9988243 quick fix 2011-07-12 21:09:33 +00:00
Bernardo Damele
c9ba58acb6 Moved MS Access UNION query tests after generic as generic test must identify MSSQL 2011-07-11 09:47:52 +00:00
Miroslav Stampar
5d31eb5ef7 cosmetics and also tested against testing env - works perfectly 2011-07-10 09:07:07 +00:00
Miroslav Stampar
eb42cedf2a adding extractvalue MySQL >= 5.1 error payload (http://www.notsosecure.com/folder2/2010/06/29/mysql-exploitation-with-error-messages/) - untested (lack of particular ver for testing) and prone to level/risk adjustment 2011-07-10 08:54:22 +00:00
Miroslav Stampar
93219b9e13 i've accidentally left table_schema removed while doing some tests. now it should be ok 2011-07-08 10:24:46 +00:00
Bernardo Damele
b5dd4d4a63 Minor bug fix for Microsoft Access case expressions (like --common-tables) in UNION query SQL injection 2011-07-08 10:19:01 +00:00
Miroslav Stampar
c517e97a44 few fixes and minor cosmetics 2011-07-08 06:02:31 +00:00
Bernardo Damele
067354b97f Revert of last commit and proper fix to detect UNION query SQL injection against Microsoft Access 2011-07-07 13:20:40 +00:00
Bernardo Damele
9eb683531d Minor improvement at blind SQL inj technique for DB2 2011-06-27 22:28:12 +00:00
Bernardo Damele
ed4cfbb6d2 Minor fix 2011-06-27 08:58:59 +00:00
Miroslav Stampar
bedf16b88b adding payloads for time-based injection on SAP MaxDB (heavy query) 2011-06-26 23:46:09 +00:00
Miroslav Stampar
d0490cc4e7 adding payloads for time-based injection on DB2 (heavy query) 2011-06-26 16:38:22 +00:00
Bernardo Damele
36c96ef796 Added DB2 support - patch provided by Sebastian Bittig 2011-06-25 09:44:24 +00:00
Bernardo Damele
b2e6cf3ed9 Enabled --search -C also for Oracle 2011-06-24 14:34:20 +00:00
Miroslav Stampar
4188df0501 fixes for Sybase 2011-06-15 18:49:35 +00:00
Miroslav Stampar
9f6b70f3f9 update 2011-05-26 22:45:33 +00:00
Miroslav Stampar
0baf931669 real generic comment is "-- " not "--" (MySQL doesn't support "--") 2011-05-24 09:16:21 +00:00
Miroslav Stampar
171a4c389b added MySQL >=4.1 <=5.0 error based WHERE/HAVING payload 2011-05-23 06:24:45 +00:00
Miroslav Stampar
939e6541d0 far safer way for dealing with error-based payloads on MySQL (no timeouts with .CHARACTER_SETS on testing platforms versus when used .TABLES) 2011-05-19 23:36:51 +00:00
Miroslav Stampar
bd1b07fbc2 one more parameter replace payload for MySQL and rising level of GENERATE_SERIES for PostgreSQL 2011-05-19 06:32:23 +00:00
Miroslav Stampar
7f086916c0 decent parameter replace payload for PostgreSQL (GENERATE_SERIES) 2011-05-18 23:40:42 +00:00
Miroslav Stampar
e58d6d2e00 removing (CBRT(LN(0)) because it's nothing special compared to standard 1/0; also, removing parameter replacement with returned value 1 as it doesn't have much sense in comparison to origvalue one (which is far more stable and usable) 2011-05-18 23:20:02 +00:00
Miroslav Stampar
fe50d09cc8 added new payload for PostgreSQL (parameter replace) 2011-05-18 23:01:41 +00:00
Bernardo Damele
3a8309c4b0 Major bug fix to detect UNION query technique and various improvements to parsing and using of --union-char and --union-cols switches 2011-05-10 15:34:54 +00:00
Bernardo Damele
aae140080e SVN roll back, DB2 patch will be recommitted after testing:
$ svn merge https://svn.sqlmap.org/sqlmap/trunk/sqlmap@HEAD https://svn.sqlmap.org/sqlmap/trunk/sqlmap@3847 .
2011-05-06 10:27:43 +00:00
Miroslav Stampar
6e392b6054 applying contributed patch for DB2 2011-05-06 09:30:39 +00:00
Bernardo Damele
36a9ddaacc Minor bug fixes and code restyling for --privileges and --passwords 2011-04-30 14:50:27 +00:00
Bernardo Damele
7df954dd9f paranoy 2011-04-21 23:41:25 +00:00
Miroslav Stampar
0764c4c752 parenthesis were missing; banning OR NOT from payloads 2011-04-21 23:32:53 +00:00
Bernardo Damele
1d61611145 leftover 2011-04-21 22:46:43 +00:00
Bernardo Damele
870f773d70 In some old versions of MySQL (perhaps others DBMS too) the NOT clause is not supported, hence we need also OR tests without NOT - tested and works like this 2011-04-21 20:36:50 +00:00
Miroslav Stampar
05a0e1d3b0 fix for a bug reported by m4l1c3 (TypeError: not all arguments converted during string formatting) 2011-04-15 11:34:14 +00:00
Miroslav Stampar
136e85abf3 little refresh of PHPIDS rules for --check-payload 2011-04-11 15:37:49 +00:00
Miroslav Stampar
75f286cf6d minor update conformant to http://dev.mysql.com/doc/refman/4.1/en/comments.html 2011-04-10 23:41:00 +00:00
Miroslav Stampar
3177c6023d lol. re-revert 2011-04-10 23:30:56 +00:00
Bernardo Damele
9ea4010508 Leave it as is :) 2011-04-10 23:20:35 +00:00
Miroslav Stampar
3e680978a9 revert of that last commit (waiting for some better days) 2011-04-10 23:18:38 +00:00
Miroslav Stampar
f532478a34 update of MySQL comments 2011-04-10 23:08:18 +00:00
Bernardo Damele
af096b2c83 Leave it as is!!! 2011-04-10 21:47:23 +00:00
Miroslav Stampar
d0cef21d9c fix 2011-04-10 21:19:34 +00:00
Miroslav Stampar
6fa2fd139c implemented support for __pivotDumpTable on MSSQL as normal tables tend to not play well with normal TOP 1 ..NOT IN..ORDER BY mechanism if the argument for ORDER BY is not the unique one (returns only number of rows equal to the number of distinct values for that field) 2011-04-08 15:17:57 +00:00
Bernardo Damele
02eeeccd33 Added UNION query SQL injection tests also with a random number for columns (not only NULL) 2011-04-07 13:39:36 +00:00
Miroslav Stampar
ca009e9fe2 minor update 2011-04-07 10:43:19 +00:00
Miroslav Stampar
672abc27fd minor adjustment of livetests for new flavor of --technique 2011-04-07 10:41:12 +00:00
Miroslav Stampar
e27afef6be minor update regarding --current-db on Oracle 2011-04-01 15:56:11 +00:00
Miroslav Stampar
60102209f6 quick fix for a bug reported by Kirill (AttributeError: 'NoneType' object has no attribute 'split') 2011-04-01 11:14:24 +00:00
Miroslav Stampar
b7813f9e68 incrementing level for MySQL stacked payloads 2011-03-29 07:31:56 +00:00
Miroslav Stampar
86f93713d3 fix for a bug reported by m4l1c3 (object of type 'NoneType' has no len()) and minor update 2011-03-29 06:25:17 +00:00
Miroslav Stampar
73e5d20ade bulk commit for safe/unsafe identificator naming (done and tested for all 4 major DBMSes) and one bug fix for --search-column on MSSQL (inside queries) 2011-03-28 11:01:55 +00:00
Miroslav Stampar
5eb7787fc9 adding partial union cases to the live tests 2011-03-25 15:56:15 +00:00
Miroslav Stampar
670aa7f99b update for live tests (added dumping of columns and table values) 2011-03-25 15:37:11 +00:00
Miroslav Stampar
e80c9e08d8 minor update regarding --live-test 2011-03-25 09:03:08 +00:00
Miroslav Stampar
82ab4c8dc2 minor fix (ORDER BY 1 screws things up in blind mode) 2011-03-24 14:19:32 +00:00
Miroslav Stampar
06a5c39efe fix related to the bug reported by Alone Shell 2011-03-24 14:03:40 +00:00
Miroslav Stampar
cef2c0879d adding live test cases for --technique=1 too 2011-03-24 12:19:40 +00:00
Miroslav Stampar
33c01726dd adding basic live tests for MSSQL too 2011-03-24 12:01:53 +00:00
Miroslav Stampar
2b15ad57c2 basic live tests against 3 major DBMSes 2011-03-24 11:47:01 +00:00
Miroslav Stampar
b72cdfe9e6 fix for mssql regarding usage of schema names reported by jabra@spl0it.org 2011-03-23 10:40:34 +00:00
Miroslav Stampar
b5c9ccb755 Oracle XML based error payload has problems with char $ as with space 2011-03-21 13:13:12 +00:00
Miroslav Stampar
4889764114 minor update regarding last commit 2011-03-21 11:40:27 +00:00
Miroslav Stampar
5291fe35c9 proper implementation of --dbs on Oracle (we are using now schema names as a counterpart to dbs in other DBMSes) 2011-03-21 11:29:43 +00:00
Miroslav Stampar
0535225fe7 throwing out obsolete ORDER BY 1 from inband queries 2011-03-16 14:18:12 +00:00
Miroslav Stampar
eedd6a990d removing space after , for our payloads 2011-03-08 14:29:22 +00:00
Miroslav Stampar
3dc31f6273 removing spaces after , in our queries 2011-03-08 14:07:26 +00:00
Miroslav Stampar
ff9080de48 MaxDB always precalculates values for both TRUE and FALSE, hence we can't trick him to run any "faulty" command (e.g. 1/0). This payload is fairly ok because in case of FALSE --> something=NULL is always NULL 2011-02-21 20:59:34 +00:00
Miroslav Stampar
08697e60a9 added some Microsoft Access payloads 2011-02-21 20:04:50 +00:00
Bernardo Damele
3e8c204121 Major bug fix to properly prepare UNION technique statement for --os-pwn and --is-dba 2011-02-21 16:00:56 +00:00
Miroslav Stampar
68a95fd1b1 minor update 2011-02-20 22:45:23 +00:00
Miroslav Stampar
aac817935a further improvement of MaxDB support 2011-02-20 22:41:42 +00:00
Miroslav Stampar
a3ba8b6928 --dump now works on MaxDB too 2011-02-20 22:07:12 +00:00
Miroslav Stampar
59e666d16e --is-dba (related) update for Sybase 2011-02-20 17:28:06 +00:00
Miroslav Stampar
67ec691eb1 more updates regarding Sybase 2011-02-20 16:28:48 +00:00
Miroslav Stampar
823e4351b5 minor change 2011-02-20 12:34:09 +00:00
Miroslav Stampar
f30dea74f3 more Sybase updates 2011-02-19 18:36:26 +00:00
Miroslav Stampar
b71bb321dd some more Sybase updates 2011-02-19 18:04:27 +00:00
Miroslav Stampar
e0efe453ab minor update regarding Sybase support 2011-02-19 14:07:08 +00:00
Miroslav Stampar
5f4ffc9287 update regarding Sybase dumping 2011-02-19 00:36:47 +00:00
Miroslav Stampar
5fb11fd173 update regarding multiple DBMS payloads 2011-02-13 21:20:21 +00:00
Bernardo Damele
394ccb5cc5 Added query for MSSQL/--privileges 2011-02-10 15:52:55 +00:00
Miroslav Stampar
5050a76b59 update regarding reading of table names from access system tables 2011-02-09 10:33:29 +00:00
Miroslav Stampar
1a5a66870e problem fixed 2011-02-07 11:57:41 +00:00
Bernardo Damele
7dcfcca87f Tests' titles adjustments 2011-02-06 23:17:39 +00:00
Miroslav Stampar
5ecb75cc56 minor update 2011-02-06 15:14:07 +00:00
Miroslav Stampar
f754953c4f reverting this one. spotted a major bug. dbms is not properly enforced at this moment, don't know why. if it was this would be properly encoded. 2011-02-06 12:33:58 +00:00
Miroslav Stampar
97f9c9d119 bug fix (playing with wavsep i've realized that we are sending in this payload quoted 'string' (causing problems), while MD5 also accepts integer values 2011-02-06 12:24:50 +00:00
Bernardo Damele
27601babb4 Minor adjustments to levels of boundaries 2011-02-04 11:57:47 +00:00
Miroslav Stampar
76ab14f20f revert of r3203 2011-02-04 09:30:20 +00:00
Miroslav Stampar
78d696fd4f i believe that this one should be the first level 1 boundary 2011-02-03 21:27:03 +00:00
Miroslav Stampar
64f18724ad new default UNION test(s) ranges 2011-02-03 16:26:35 +00:00
Miroslav Stampar
4bb7ffcb3a minor update 2011-02-03 13:18:43 +00:00
Bernardo Damele
8397c526d8 Minor adjustment 2011-01-31 21:20:23 +00:00
Miroslav Stampar
f9eac97fe8 refactoring of MSSQL XML banner parsing 2011-01-31 11:38:00 +00:00
Miroslav Stampar
14de5809ea update 2011-01-31 11:08:58 +00:00
Miroslav Stampar
5aa958a146 ASCII & CHR is quite common, so removing this one 2011-01-24 22:51:15 +00:00
Miroslav Stampar
a1619f84b6 changing level of last payload 2011-01-24 22:31:26 +00:00
Miroslav Stampar
8155f95b82 new payload - PostgreSQL boolean-based blind - Parameter replace (based on CHR(0) - "SQL error: ERROR: null character not permitted") 2011-01-24 22:28:54 +00:00
Miroslav Stampar
9f76468005 another premiere, yeeej. IDSes, watch yourself :) 2011-01-24 21:30:46 +00:00
Miroslav Stampar
2fb0c946d2 minor update 2011-01-24 21:21:47 +00:00
Miroslav Stampar
15645f50d4 world premiere :) 2011-01-24 21:21:11 +00:00
Miroslav Stampar
440264341c minor update 2011-01-24 17:43:25 +00:00
Miroslav Stampar
0eea5665b2 minor update 2011-01-24 17:41:36 +00:00
Bernardo Damele
b0dc6c24eb Moved 2011-01-24 17:04:49 +00:00
Miroslav Stampar
c188996627 patch for possible query optimization (avoid precalculation of 1/0) 2011-01-24 16:21:27 +00:00
Bernardo Damele
47fa600c04 Minor fix and cosmetics 2011-01-24 11:12:33 +00:00
Miroslav Stampar
db76bcb327 fix for cases when mixing ingres dbms with spanish word "ingresa" 2011-01-23 11:19:10 +00:00
Miroslav Stampar
7bf05bf2cb minor update 2011-01-22 00:12:03 +00:00
Miroslav Stampar
d6d8d54eda implemented Johannes Dahse / Reiners' technique 2011-01-22 00:06:27 +00:00
Miroslav Stampar
0743202879 minor update 2011-01-21 23:54:25 +00:00
Miroslav Stampar
cb0e7080c5 more appropriate name (on http://websec.wordpress.com/ they use term "conditional" for something very similar, although not stacked) 2011-01-21 23:47:45 +00:00
Miroslav Stampar
7c4c79477d world premiere of "forced-error blind stacked" payloads (spent 3 hours on pgsql) 2011-01-21 18:32:10 +00:00
Miroslav Stampar
79e4b1efd5 added new signature for SQLite error messages 2011-01-20 22:47:03 +00:00
Bernardo Damele
6c490bfc8f Avoid a traceback elsewhere 2011-01-20 21:43:41 +00:00
Bernardo Damele
7ce49bcf0d Sorted boundaries so that the ones with parenthesis are tested first - it has to be like this!
Adjusted comments accordingly to new UNION-specific tags.
2011-01-20 21:42:55 +00:00
Miroslav Stampar
f6d79f58bc another fix (LIMIT is not a good idea to have in inband queries) 2011-01-20 21:13:28 +00:00
Miroslav Stampar
ff1a44c335 probably a fix for that SQLite bug reported by Ahmed Shawky 2011-01-20 20:30:18 +00:00
Miroslav Stampar
a1d77737f5 minor grammar update (this should be a better form) 2011-01-20 18:35:21 +00:00
Bernardo Damele
81be23976e Confirmed HAVING payloads work as WHERE ones.
Changed <risk> value of all 'heavy query' tests to 2 as it can potentially lead to a DoS.
Proper handling of title for UNION tests when --union-char is provided.
2011-01-18 22:55:20 +00:00
Miroslav Stampar
f7d9b22510 because other major DBMSes have at least one level 1 time based payload 2011-01-18 20:32:49 +00:00
Miroslav Stampar
bdcb10cdab added MSSQL time based vector 2011-01-18 02:05:18 +00:00
Bernardo Damele
c2a358561f Proper support for --union-cols 2011-01-17 22:57:33 +00:00
Miroslav Stampar
fb166e9445 adding USER_LOCK stacked query support for ORACLE (older versions) 2011-01-16 10:31:16 +00:00
Miroslav Stampar
f31c028232 Oracle stacked vector based on DBMS_LOCK.SLEEP (https://foro.undersecurity.net/read.php?46,1436) 2011-01-16 10:07:56 +00:00
Bernardo Damele
1b3717c79c Improvement to make time-based blind to work also against login forms 2011-01-12 16:20:29 +00:00
Bernardo Damele
d7a7993e0d Minor comment fix 2011-01-12 11:57:36 +00:00
Bernardo Damele
2f5995a7eb Added generic and mysql UNION tests from 1 to 25 columns.
Adapted config file and command line removing now outdated --union-test switch.
Minor bug fix.
Minor code refactoring.
Got rid of some debug messages, standardized logging of UNION tests.
2011-01-11 22:56:21 +00:00
Bernardo Damele
300128042c First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though.
Major refactoring to Agent.payload() method.
Minor bug fixes, some code refactoring and a lot of core adjustments here and there.
Added more checks for injection in GROUP BY and ORDER BY.
2011-01-11 22:18:47 +00:00
Bernardo Damele
1c86ec374e Code refactoring and cosmetics 2011-01-07 15:41:09 +00:00
Miroslav Stampar
2efe7928c0 more concise than previously 2011-01-02 17:06:13 +00:00
Miroslav Stampar
a56934e68b one more MSSQL/ASPX error banner regex 2011-01-02 15:36:57 +00:00
Miroslav Stampar
e6f0c4d857 minor update 2011-01-02 15:32:35 +00:00
Miroslav Stampar
c1d0dde769 added support for .NET banners (http://msdn.microsoft.com/en-us/library/system.data.sqlclient.aspx) 2011-01-02 14:46:31 +00:00
Miroslav Stampar
93cb75ff65 added Nginx 2011-01-02 08:50:27 +00:00
Miroslav Stampar
ded9798e3d minor bug fix 2011-01-01 23:07:50 +00:00
Miroslav Stampar
c3065f6ecc minor fix 2010-12-29 20:38:56 +00:00
Miroslav Stampar
96c3ffd3d7 changing risk level to 0 - lots of MySQL databases around have information_schema unreadable, thus disabling first AND based error payload 2010-12-27 19:02:13 +00:00
Miroslav Stampar
2c8115eed9 further improvement for ms access table dumping 2010-12-26 01:04:30 +00:00
Miroslav Stampar
fb099615e2 minor update 2010-12-25 11:16:35 +00:00
Miroslav Stampar
272476773f getPageTextWordsSet on tableExists is pretty powerful stuff 2010-12-25 09:37:33 +00:00
Miroslav Stampar
706d8e0b88 development update (basic ms access dumping implemented) 2010-12-24 19:53:11 +00:00
Miroslav Stampar
edcf1a0872 few bug fixes 2010-12-24 18:40:48 +00:00
Miroslav Stampar
3043ed095a bug fix (those two regexes where too generic making false MS ACCESS positives here and there) 2010-12-24 00:11:10 +00:00
Miroslav Stampar
5a0aef0f33 fix for a case: Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [MySQL][ODBC 3.51 Driver][mysqld-5.1.31-community] - it was wrongly error message recognized as MS SQL Server 2010-12-23 09:53:13 +00:00
Miroslav Stampar
8fc60215ed lol. this was a pesky bug. heuristic wasn't working on one mssql test site and i couldn't find why. at end the problem was that when the HTTP code was raised (like 500) no parseResponse was called. 2010-12-22 19:12:46 +00:00
Bernardo Damele
c9ab8ae60e Bug fix to properly identify if current user is DBA (--is-dba) on MySQL 2010-12-22 14:06:01 +00:00
Bernardo Damele
e791f8f2b7 Minor fix 2010-12-20 10:33:24 +00:00
Miroslav Stampar
bfdc4fa000 new error vector for MS SQL (from David Guimaraes' mail) 2010-12-17 19:00:20 +00:00
Miroslav Stampar
3ee44584d4 i've found a way! thank you hesus! fyea (ASC(MID) was just crashing when MID returned 'empty string') 2010-12-14 12:57:59 +00:00
Bernardo Damele
207f63cebc Prepare for UNION query tests at detection phase 2010-12-13 21:31:34 +00:00
Miroslav Stampar
33639578ee minor update for MS Access 2010-12-12 15:25:19 +00:00
Miroslav Stampar
b1babeefe5 update regarding dumping of tables with blind on Sqlite 2010-12-11 22:00:16 +00:00
Miroslav Stampar
acc7d6d40c fix 2010-12-11 11:03:32 +00:00
Miroslav Stampar
ac9080c07b update 2010-12-11 08:24:29 +00:00
Miroslav Stampar
fe2039f5ba coollyy little commits 2010-12-10 11:32:46 +00:00
Miroslav Stampar
7e2984b4b6 added stacked query support for Oracle 2010-12-09 15:24:48 +00:00
Bernardo Damele
4bb40c0a06 Higher the level for Oracle stacked tests just in case the SQL inj is within a PL/SQL function ('cause of no support for stacked queries by design on Oracle) 2010-12-09 15:14:18 +00:00
Miroslav Stampar
d8edc5b244 adding stacked-query vector for Firebird 2010-12-09 15:11:21 +00:00
Bernardo Damele
13b522efc2 Added error-based support for MySQL < 5.0 - closes #14 2010-12-09 15:09:03 +00:00
Miroslav Stampar
5aafd19957 added vector for SQLite's stacked query payload 2010-12-09 15:06:40 +00:00
Miroslav Stampar
71761ba9a5 another fix for another beautiful heavy query payload which took a few 100 megs and 5 mins to run 2010-12-09 10:35:18 +00:00
Miroslav Stampar
094baadc5b bug fix (in SELECT based heavy queries COUNT(*) should be used; otherwise multiple row error happens without proper delay) 2010-12-09 10:17:04 +00:00
Bernardo Damele
3b293c4ea7 Added possible stacked queries time-based blind vector for MSSQL 2010-12-08 23:55:42 +00:00
Bernardo Damele
f5ce739bdf Added support for time-based blind SQL injection via stacked queries too. Need to add vectors for some DBMS yet. 2010-12-08 23:52:31 +00:00
Miroslav Stampar
69c4f94980 update 2010-12-08 15:40:01 +00:00
Miroslav Stampar
ad00fe13c1 another fix for MySQL time based payloads 2010-12-08 12:00:27 +00:00
Miroslav Stampar
8227e6d3cf bug fix for BENCHMARK time-based vectors 2010-12-08 11:49:55 +00:00
Bernardo Damele
8ff7c9a5a1 Works on Oracle's GROUP BY too 2010-12-07 17:17:01 +00:00
Miroslav Stampar
4f01d4c109 number crunching based time payloads are now affected by conf.timeSec 2010-12-07 13:24:18 +00:00
Miroslav Stampar
d0936bc8ed adding vectors for SQLite time-based payloads 2010-12-07 13:14:56 +00:00
Bernardo Damele
54b8cb76a1 Messed up with my last merge, all fixed now 2010-12-07 12:59:53 +00:00
Miroslav Stampar
b38a634d95 bug fix 2010-12-07 12:55:31 +00:00
Bernardo Damele
7c32db6e9d Forgot when merged with my last commit 2010-12-07 12:52:09 +00:00
Bernardo Damele
acac0d346f Minor bug fixes and adjustments 2010-12-07 12:45:45 +00:00
Miroslav Stampar
2b2b7dc3a6 added vectors for time-based Firebird payloads 2010-12-07 12:20:48 +00:00
Miroslav Stampar
36a7fca8d5 added time-based payload vector for MSSQL 2010-12-07 12:06:25 +00:00
Miroslav Stampar
485981c619 added vectors for PostgresSQL time-based payloads 2010-12-07 11:57:33 +00:00
Miroslav Stampar
f9085e01e7 added vectors for Oracle time-based payloads 2010-12-07 11:47:29 +00:00
Miroslav Stampar
3d87489de5 minor update 2010-12-07 08:05:03 +00:00
Miroslav Stampar
90b776c1a2 update 2010-12-07 00:58:54 +00:00
Miroslav Stampar
0da1ebde7d introducing PostgreSQL time based blind 2010-12-07 00:51:14 +00:00
Miroslav Stampar
1ba98dc9ec found a fix for a OR time-based MySQL payload :) 2010-12-07 00:31:46 +00:00
Miroslav Stampar
61f82fd274 introducing [DELAYED] for heavy query time based payloads when response time is non-deterministic 2010-12-07 00:27:26 +00:00
Bernardo Damele
32f1909131 Some more "advanced" boundaries 2010-12-06 23:15:41 +00:00
Miroslav Stampar
84a038d0a3 added one more subtag 2010-12-06 23:10:38 +00:00
Miroslav Stampar
1031723c89 added one more time based blind for Oracle 2010-12-06 23:05:53 +00:00
Miroslav Stampar
7697d19292 space replace is not needed in other two Oracle error based payloads; removing incorrect dbms_version for ctxsys.drithsx.sn as it also works on 10g 2010-12-06 22:52:18 +00:00
Miroslav Stampar
2735848ab6 removed ERROR_SPACE 2010-12-06 22:40:07 +00:00
Miroslav Stampar
f516c18a2a minor update 2010-12-06 21:39:57 +00:00
Miroslav Stampar
0c5c2aa807 adding one more error based payload for Oracle 2010-12-06 21:20:26 +00:00
Miroslav Stampar
956a155377 adding one more error based payload for Oracle 2010-12-06 20:43:23 +00:00
Miroslav Stampar
ff43a4a955 minor update to preserve consistency of payload naming 2010-12-06 20:28:26 +00:00
Miroslav Stampar
c0e05d6869 update 2010-12-06 19:11:05 +00:00
Miroslav Stampar
e4b51dd549 proper way of handling OR based injections (completely compatible with current AND based inference engine) 2010-12-06 17:23:21 +00:00
Bernardo Damele
a1e89d3e94 Minor tweak 2010-12-05 13:12:12 +00:00
Bernardo Damele
bf425d90bc More tweaking 2010-12-05 12:23:18 +00:00
Bernardo Damele
41e1b95c6c Minor code refactoring and finally make exploitation work also on OR boolean-based injections 2010-12-05 11:25:44 +00:00
Bernardo Damele
191ba3118f Cosmetics 2010-12-05 11:08:52 +00:00
Bernardo Damele
1b17bac494 Sorted out 2010-12-05 11:06:37 +00:00
Bernardo Damele
8066610217 Minor improvements to OR based injections 2010-12-05 10:55:19 +00:00
Bernardo Damele
2612615978 Major improvements 2010-12-04 16:40:08 +00:00
Miroslav Stampar
9e5f933ace some updates 2010-12-04 15:47:02 +00:00
Bernardo Damele
95a3f4b52f Rudimental OR boolean-based tests for login forms 2010-12-03 22:58:35 +00:00
Bernardo Damele
9d55c4da87 Done with support for injection in ORDER BY and GROUP BY (hopefully) 2010-12-03 16:12:47 +00:00
Bernardo Damele
072835e04b Removed for time being 2010-12-03 14:48:31 +00:00
Bernardo Damele
11058667e4 Better naming 2010-12-03 14:45:13 +00:00
Miroslav Stampar
73dfb69308 minor update for OR based time injection (Firebird) 2010-12-03 12:15:41 +00:00
Bernardo Damele
4dec049c22 Major bug fix for test on ORDER BY and GROUP BY clauses.
Minor bug fix to skip following tests if they do not match any of the clause previously identified (injection.clause value).
2010-12-03 12:00:03 +00:00
Miroslav Stampar
23a86ed612 minor bug fix related to Firebird time based test vectors 2010-12-03 11:05:16 +00:00
Bernardo Damele
0069a21a0d Added also OR error-based checks, tweaked some TODOs and added some new boundaries for login forms (yet to test) 2010-12-03 10:52:24 +00:00
Miroslav Stampar
bf09b8a6d9 added Firebird error based (WHERE) attack vector 2010-12-02 15:09:21 +00:00
Bernardo Damele
df4cb1a601 On the way to get full support for injection on ORDER BY and GROUP BY clauses 2010-12-01 23:30:38 +00:00
Bernardo Damele
089c16a1b8 Added tag <epayload> to the payloads.xml's <test> tag to define which payload to use when exploiting the test type.
Removed some useless tests.
Moved <error> from queries.xml to payloads.xml as it makes more sense.
Beeps at sql inj found only if --beep is provided.
Minor fix in order to be able to pickle advancedDict() objects.
Minor code refactoring.
Removed useless folders.
2010-12-01 17:09:52 +00:00
Bernardo Damele
2708aad504 Unified start and stop delimiters accross errror-based (detection engine) and union query (--union-test) tests. 2010-12-01 10:31:50 +00:00
Bernardo Damele
c8f943f5e4 Now, if the back-end dbms type has been identified by the detection engine, skips the fingerprint phase.
Major code refactoring and commenting to detection engine.
Ask user whether or not to proceed to test remaining parameters after an injection point has been identified.
Restore beep at SQL injection find.
Avoid reuse of same variable in DBMS handler code.
Minor adjustment of payloads XML file.
2010-11-30 22:40:25 +00:00
Bernardo Damele
6525e08d6b Minor adjustment to detect the proper parameter type based upon --prefix and --suffix values 2010-11-29 12:13:42 +00:00
Bernardo Damele
75f7df75b6 Minor fix 2010-11-28 23:33:51 +00:00
Bernardo Damele
7e3b24afe6 Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own.
All (hopefully) functionalities should still be working.
Added two switches, --level and --risk to specify which injection tests and boundaries to use.
The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 18:10:54 +00:00
Bernardo Damele
e32be2b4e7 Minor adjustment 2010-11-23 15:06:40 +00:00
Miroslav Stampar
c6545f5c9f we had a bug (nooooooooo!!!! :)) 2010-11-19 10:36:47 +00:00
Bernardo Damele
17486e472a Proper english (--postfix is now --suffix) and --string/--regexp does not necessarily need to match into the original response body, it might well be in the injected True condition only! 2010-11-17 22:00:09 +00:00
Miroslav Stampar
42272ca78c minor update 2010-11-11 22:26:36 +00:00
Miroslav Stampar
1a708cf12d update for ASP/Ingres 2010-11-05 16:21:22 +00:00
Miroslav Stampar
173e893d11 added error message support for Ingres 2010-11-05 16:19:41 +00:00
Miroslav Stampar
3f0a443b83 some updates 2010-11-04 23:08:59 +00:00
Miroslav Stampar
d5fcc9d8b5 few updates/fixes here and there 2010-11-04 08:03:59 +00:00
Miroslav Stampar
977df7276d minor update 2010-11-03 06:25:24 +00:00
Miroslav Stampar
4b56fa4f8f now --tables work for MaxDB 2010-11-02 22:11:45 +00:00
Miroslav Stampar
b761523f3f now --users works for MaxDB too 2010-11-02 21:52:48 +00:00
Miroslav Stampar
cd0d4135ac implemented --banner for MaxDB and some minor fixes 2010-11-02 20:51:55 +00:00
Miroslav Stampar
49bf34ffd9 minor fix 2010-11-02 18:43:20 +00:00
Bernardo Damele
720e235d9a Fixed Windows 2003/2008 signatures. Added more old RedHat Server header signatures. Added old Debian etch signature too. 2010-10-31 18:18:49 +00:00
Miroslav Stampar
f7d42af046 some fixes regarding --check-payload 2010-10-29 11:00:23 +00:00
Bernardo Damele
0efecde248 Minor update to properly differentiate Windows 2003 by 2008 via HTTP response headers 2010-10-27 10:09:47 +00:00
Miroslav Stampar
749e25a217 Implementation of --passwords for Sybase 2010-10-26 21:35:30 +00:00
Miroslav Stampar
1b90c1d131 added FreeBSD 2010-10-26 20:48:52 +00:00
Miroslav Stampar
4da2046492 massive update of server fingerprints 2010-10-26 20:00:29 +00:00
Miroslav Stampar
080c5aef80 minor update 2010-10-26 19:08:11 +00:00
Miroslav Stampar
8a9a57c709 update for Sybase and major bug fix for --passwords on MSSQL 2010-10-25 22:11:38 +00:00
Miroslav Stampar
9b56fbafbe that Sybase is going to be pain in the ass 2010-10-25 21:43:13 +00:00
Miroslav Stampar
228ac0cde5 refactoring regarding --check-payload 2010-10-25 18:38:54 +00:00
Miroslav Stampar
378653a1ec added IDS payload testing 2010-10-25 15:37:43 +00:00
Miroslav Stampar
aa931efd4d several MySQL fixes/enhancements pointed out by Anton Mogilin 2010-10-24 22:05:14 +00:00