Miroslav Stampar
3bd6e538f8
more appropriate
2011-02-03 16:48:27 +00:00
Miroslav Stampar
3a13fd87fd
new UNION column detection is going into wild
2011-02-03 16:16:38 +00:00
Bernardo Damele
253a8d0679
Minor bug fix
2011-02-03 15:24:36 +00:00
Miroslav Stampar
8134c2154a
adding WHERE enum for payloads
2011-02-02 13:34:09 +00:00
Miroslav Stampar
d6c9515f78
minor update
2011-02-02 13:03:24 +00:00
Miroslav Stampar
847b648e4a
minor update
2011-02-02 12:42:55 +00:00
Miroslav Stampar
e33428b833
adding __findUnionCharCount function
2011-02-02 11:22:35 +00:00
Bernardo Damele
a37f5e05b9
Refactoring
2011-02-01 22:27:36 +00:00
Bernardo Damele
9b342a4c95
Bug fixes and proper packing/unpacking of custom statements and predefined queries for both error-based and UNION query techniques.
...
Now it deals in UNION query also with --start and --stop and resume has been enhanced for both techniques too.
2011-02-01 22:07:42 +00:00
Bernardo Damele
e3a3ae11cc
Proper return from error-based technique enumeration
2011-01-31 21:13:29 +00:00
Miroslav Stampar
60a2364f2b
now union technique parses headers too
2011-01-31 12:41:39 +00:00
Bernardo Damele
71d82e6f57
Minor layout adjustment
2011-01-30 16:19:58 +00:00
Miroslav Stampar
bc8f1142c9
minor revert
2011-01-30 11:41:58 +00:00
Miroslav Stampar
ddf23ba7cc
refactoring
2011-01-30 11:36:03 +00:00
Miroslav Stampar
367d0639f0
refactoring (class names should always be Capital cased)
2011-01-28 16:36:09 +00:00
Miroslav Stampar
8e74c571bc
centralization of urlencoding should be (only) in connect.py and we are from now on handling non-urlencoded data at other levels
2011-01-27 19:44:24 +00:00
Miroslav Stampar
49aeb41be8
quick bug fix for FALSE positives with UNION based technique
2011-01-27 18:49:44 +00:00
Miroslav Stampar
d3ddaba7be
minor refactoring
2011-01-25 13:04:13 +00:00
Miroslav Stampar
5692506131
this was bad thing to have
2011-01-25 01:08:38 +00:00
Miroslav Stampar
ff7707579f
minor improvement
2011-01-23 11:35:24 +00:00
Miroslav Stampar
97f66a87c5
minor improvement over last version - case insensitive and takes in count cases like " UNION ALL selects " from MySQL error message
2011-01-23 10:51:57 +00:00
Bernardo Damele
03a880c6f1
Got rid of progression log message as it overlaps with WARNINGS (like "Got 500") and with --parse-errors
2011-01-20 22:02:20 +00:00
Bernardo Damele
bade0e3124
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-19 23:06:15 +00:00
Miroslav Stampar
4bdc19d879
minor cosmetics
2011-01-19 22:48:06 +00:00
Bernardo Damele
daebb0010b
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based.
...
Alignment of SQL statement payload packing/unpacking between all of the techniques.
Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too.
Minor code cleanup.
2011-01-18 23:02:11 +00:00
Bernardo Damele
3822b494ea
Major bug fix to properly deal with EXISTS() when forging query or retrieving the query columns.
2011-01-17 23:43:37 +00:00
Bernardo Damele
c2a358561f
Proper support for --union-cols
2011-01-17 22:57:33 +00:00
Bernardo Damele
0fc4ebdc1b
Major bug fix.
...
Minor code refactoring.
2011-01-16 01:17:09 +00:00
Bernardo Damele
c0d5daee99
More refactoring and cleanup
2011-01-16 00:15:30 +00:00
Miroslav Stampar
e105e1ea32
bug fix (some sites raise 404 during union tests)
2011-01-15 16:42:33 +00:00
Miroslav Stampar
e17ac5fdca
update
2011-01-15 15:14:22 +00:00
Miroslav Stampar
5bdb50c224
code review part 3
2011-01-15 13:15:10 +00:00
Miroslav Stampar
1fa8f0cba7
code reviewing part 2
2011-01-15 12:53:40 +00:00
Miroslav Stampar
b2c7ae77d4
minor update
2011-01-14 09:45:47 +00:00
Miroslav Stampar
676b95b30a
minor code refactoring
2011-01-14 09:44:56 +00:00
Bernardo Damele
2ac8debea0
Major code refactoring - moved to one location only (getIdentifiedDBMS() in common.py) the retrieval of identified/fingerprinted DBMS.
...
Minor bug fixes thanks to previous refactoring too.
2011-01-13 17:36:54 +00:00
Miroslav Stampar
a1d1f69c3f
revert
2011-01-13 15:28:08 +00:00
Miroslav Stampar
d937e27b19
minor fix
2011-01-13 15:19:37 +00:00
Bernardo Damele
ee4727850c
Minor bug fix
2011-01-13 10:29:47 +00:00
Bernardo Damele
ca33728fbc
Minor fix to avoid query splitting/unpacking when the statement is EXISTS()
2011-01-13 10:00:40 +00:00
Bernardo Damele
be6e2d6a31
Important bug fix.
...
Minor code restyling.
2011-01-13 09:41:55 +00:00
Bernardo Damele
af9725214a
Properly deal with partial (single entry) UNION injections.
...
Got rid of kb.union*, now it's all stored/used from kb.injection.
Minor bug fix with where=2 detection phase.
2011-01-12 12:01:32 +00:00
Bernardo Damele
8a67aea754
One more step to fully working UNION exploitation after merge into detection phase
2011-01-12 01:13:32 +00:00
Bernardo Damele
8bdb7ec58c
Ahead with UNION exploitation after UNION test moved to detection phase - a lot to do yet.
2011-01-12 00:47:39 +00:00
Bernardo Damele
873951ab92
Proper fix to avoid UNION test false positives
2011-01-11 23:59:02 +00:00
Bernardo Damele
5c7c3c76c3
Fixed previous bug in getErrorParsedDBMSes() call in detection phase.
...
Added minor support to escape quotes in UNION payloads during detection phase.
2011-01-11 23:47:32 +00:00
Bernardo Damele
aa49aa579f
Major bug fix
2011-01-11 23:09:06 +00:00
Bernardo Damele
2f5995a7eb
Added generic and mysql UNION tests from 1 to 25 columns.
...
Adapted config file and command line removing now outdated --union-test switch.
Minor bug fix.
Minor code refactoring.
Got rid of some debug messages, standardized logging of UNION tests.
2011-01-11 22:56:21 +00:00
Bernardo Damele
300128042c
First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though.
...
Major refactoring to Agent.payload() method.
Minor bug fixes, some code refactoring and a lot of core adjustments here and there.
Added more checks for injection in GROUP BY and ORDER BY.
2011-01-11 22:18:47 +00:00
Miroslav Stampar
c968b438f2
Ctrl+C added to union dump
2011-01-06 09:48:04 +00:00
Miroslav Stampar
0616edcc44
adding progress to --union-test
2011-01-06 09:26:01 +00:00
Miroslav Stampar
8b9a624546
added progress into union based entry retrieval
2011-01-06 09:10:20 +00:00
Bernardo Damele
c1f2534e9a
More bug fixes to properly distinguish between full inband and single-entry inband sql injections
2010-12-22 15:47:52 +00:00
Miroslav Stampar
5be9c04e44
update regarding Sybase syntax
2010-12-22 10:39:56 +00:00
Miroslav Stampar
af22679605
minor update
2010-12-08 13:09:27 +00:00
Bernardo Damele
17449754fe
Got rid of UNION false cond
2010-12-05 16:16:15 +00:00
Miroslav Stampar
5764816891
minor cosmetics
2010-12-03 22:28:09 +00:00
Bernardo Damele
126a1479d8
Bug fix for --union-test
2010-12-03 14:57:30 +00:00
Bernardo Damele
c00ea7f5e5
Store and resume also UNION char to session file (--union-char)
2010-12-01 10:59:58 +00:00
Bernardo Damele
8b9706656e
Got rid of unreliable 'ORDER BY' technique to detect UNION query SQL injection, consequently switch --union-tech has gone now.
...
Minor code refactoring too.
2010-11-29 17:18:38 +00:00
Bernardo Damele
7e3b24afe6
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own.
...
All (hopefully) functionalities should still be working.
Added two switches, --level and --risk to specify which injection tests and boundaries to use.
The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 18:10:54 +00:00
Miroslav Stampar
4af000e699
minor language update (in testing phase "used" is more preferable than "provided")
2010-11-23 15:11:15 +00:00
Bernardo Damele
c23126547e
Improved --union-cols to accept a range to test for union SQL injection. By default it is 1-20.
2010-11-19 15:48:24 +00:00
Bernardo Damele
ad17e9ed2a
Added new switch --union-char to be able to provide the character used in union-test and exploit (default is still NULL, but can be any)
2010-11-19 14:56:20 +00:00
Bernardo Damele
4a9bd3a240
Finally a proper union query SQL injection test engine for --union-test. It does much more requests, but for god sake now it works well!
2010-11-18 17:55:43 +00:00
Bernardo Damele
17486e472a
Proper english (--postfix is now --suffix) and --string/--regexp does not necessarily need to match into the original response body, it might well be in the injected True condition only!
2010-11-17 22:00:09 +00:00
Bernardo Damele
71cb982039
Another bug fix to --union-test
2010-11-15 21:42:56 +00:00
Bernardo Damele
0bfc1b411a
Another bug fix for --union-test
2010-11-14 15:39:57 +00:00
Bernardo Damele
8d07272c82
Added --union-cols switch to specify the max number of columns to test for UNION query sql injection.
...
Now stores/resumes also the exact UNION payload to session file.
2010-11-13 23:24:41 +00:00
Bernardo Damele
df5dc10111
Major enhancement to --union-test check
2010-11-13 22:47:37 +00:00
Bernardo Damele
45ec8c169a
Consistency between --*-test switches/output
2010-11-08 16:46:25 +00:00
Miroslav Stampar
862395ced1
further refactoring (all enumerations are now put into enums.py)
2010-11-08 09:20:02 +00:00
Bernardo Damele
b6da946883
Added one new verbose level, -v 3 now shows the full injected payload.
...
Fixed also -d verbose output.
2010-11-07 22:34:29 +00:00
Miroslav Stampar
d3e7e89e60
major improvement with display of payloads (all payloads are displayed now) and removal of "pesky" spaces
2010-11-07 21:18:09 +00:00
Miroslav Stampar
63af5444fd
fix (NameError: global name 'DBMS' is not defined)
2010-11-04 12:47:34 +00:00
Miroslav Stampar
685a8e7d2c
refactoring of hard coded dbms names
2010-11-02 11:59:24 +00:00
Bernardo Damele
486a113560
Consolidate logger messages for --*-test switches
2010-10-31 16:58:38 +00:00
Bernardo Damele
f5904d0bc0
Major bug fix to --union-test
2010-10-25 23:39:55 +00:00
Bernardo Damele
215175e3b7
Minor code adjustments
2010-10-25 14:11:47 +00:00
Miroslav Stampar
bc79eec702
removed queriesfile.py, implemented XMLObject approach (still shell.py and udf.py TODO)
2010-10-21 13:13:12 +00:00
Miroslav Stampar
1b376c99a6
removed temp dictionary and replaced with kb.misc
2010-10-19 23:00:19 +00:00
Miroslav Stampar
4f7f20b94f
sorry, cosmetics
2010-10-14 23:18:29 +00:00
Miroslav Stampar
8b48833136
large commit with copyright header modifications
2010-10-14 14:41:14 +00:00
Miroslav Stampar
827cd1d56b
minor fix
2010-09-13 15:22:29 +00:00
Miroslav Stampar
12a5ec9f3d
more unicode refactoring
2010-06-02 12:45:40 +00:00
Miroslav Stampar
a3db3c03c1
str() -> unicode()
2010-05-28 13:05:02 +00:00
Bernardo Damele
72fda2a3e4
Minor bug fix to correctly resuming --union-test results from session file.
2010-05-19 14:21:59 +00:00
Miroslav Stampar
ca3e12ae73
added calculateDeltaSeconds method for dealing with non-deterministic time behaviour in some cases (e.g. WAITFOR DELAY in case of MSSQL)
2010-05-13 11:05:35 +00:00
Bernardo Damele
90d9900371
Minor bug fix to consider --start and --stop also in partial UNION query SQL injection
2010-04-30 15:48:40 +00:00
Bernardo Damele
b72ddb6f1e
Fixes non-deterministic unsorted results for most of the DBMSes - see #185
2010-04-09 15:48:53 +00:00
Bernardo Damele
1416cd0d86
Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158 . This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module).
...
Minor layout adjustments.
2010-03-26 23:23:25 +00:00
Bernardo Damele
d13ad8b2d7
fixes #181 - proper save/resume information about single entry UNION SQL injection
2010-03-22 15:39:29 +00:00
Bernardo Damele
156fdd96ef
Updated copyright
2010-03-03 15:26:27 +00:00
Bernardo Damele
4ce3abc56d
Minor adjustments
2010-01-15 17:42:46 +00:00
Miroslav Stampar
1a764e1f08
minor commit
2010-01-15 16:10:21 +00:00
Miroslav Stampar
5f171340f5
introduced safe string formatting
2010-01-15 16:06:59 +00:00
Bernardo Damele
ce022a3b6e
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 02:02:12 +00:00
Bernardo Damele
d905e5ef9f
Minor bug fix to --os-cmd/--os-shell for Microsoft SQL Server
2009-07-25 11:45:23 +00:00
Bernardo Damele
16b4530bbe
Minor bug fixes to --os-shell (altought web backdoor functionality still to be reviewed).
...
Minor common library code refactoring.
Code cleanup.
Set back the default User-Agent to sqlmap for comparison algorithm reasons.
Updated THANKS.
2009-04-27 23:05:11 +00:00
Bernardo Damele
8c0ac767f4
Updated to sqlmap 0.7 release candidate 1
2009-04-22 11:48:07 +00:00