Bernardo Damele
2471f325b2
minor adjustments
2013-01-18 21:47:25 +00:00
Bernardo Damele
1ad9e26a21
bug fix for ORDER BY users provided statements (issue #354 )
2013-01-18 21:40:50 +00:00
Bernardo Damele
ebd1d3095b
done with test cases for Oracle - issue #312
2013-01-18 21:40:11 +00:00
Bernardo Damele
d594978857
typo fix again
2013-01-18 20:48:37 +00:00
Bernardo Damele
bab9485561
typo fix
2013-01-18 20:48:08 +00:00
Bernardo Damele
2550bbc05e
fix for #353
2013-01-18 20:40:38 +00:00
Bernardo Damele
2463e51e73
added one more test case for DB2 and a few search-related cases for Oracle (issue #312 )
2013-01-18 20:37:20 +00:00
Bernardo Damele
d66f7e22b1
more fixes to test cases
2013-01-18 09:32:05 +00:00
Bernardo Damele
e4ee4f9557
fixed some test cases
2013-01-17 23:17:33 +00:00
Bernardo Damele
ce263b794f
on DB2 there are no users password hashes to dump
2013-01-17 22:17:55 +00:00
Bernardo Damele
d2d3878de1
typo fix
2013-01-17 21:58:53 +00:00
Bernardo Damele
acac8c359b
fixed --current-db query for IBM DB2
2013-01-17 20:47:35 +00:00
Bernardo Damele
74286e339f
test if boolean also works correctly for --os-cmd
2013-01-16 15:36:35 +00:00
Bernardo Damele
6f08d10d07
leftover
2013-01-16 15:16:18 +00:00
Bernardo Damele
1c8bd95e68
more work on Oracle test cases ( #312 )
2013-01-16 15:13:47 +00:00
Bernardo Damele
6b0ed1c581
fixed parsing reg exps to work with Oracle XE ( #312 )
2013-01-16 15:00:45 +00:00
Bernardo Damele
a3493769ca
minor fix
2013-01-16 00:45:18 +00:00
Bernardo Damele
983593510c
ported Oracle checks to express edition
2013-01-15 23:59:29 +00:00
Miroslav Stampar
7a1d484115
Implementation for an Issue #340
2013-01-15 16:05:33 +01:00
Bernardo Damele
3f84cefc77
Merge branch 'master' of github.com:sqlmapproject/sqlmap
2013-01-15 14:59:22 +00:00
Bernardo Damele
1cafe605af
added more Oracle test cases
2013-01-15 14:59:15 +00:00
Miroslav Stampar
02f0e72cc6
Minor update of other/corner case titles
2013-01-15 11:10:03 +01:00
Miroslav Stampar
498a576e39
Removing obsolete data
2013-01-15 10:59:46 +01:00
Bernardo Damele
3fa720e699
added first Oracle test cases
2013-01-14 17:30:42 +00:00
Bernardo Damele
8a2b994b94
added SQLite test cases (issue #312 )
2013-01-14 16:50:24 +00:00
Bernardo Damele
e555c2be30
added support for --search -T for SQLite
2013-01-14 16:26:11 +00:00
Bernardo Damele
48e0154fc3
added SQLite inline queries payload
2013-01-14 15:30:01 +00:00
Bernardo Damele
3e2c3851f3
Make --live-test Metasploit integration cases work, added more test cases for PostgreSQL and code refactoring (issue #312 )
2013-01-14 13:42:50 +00:00
Bernardo Damele
bd89ade02f
minor bug fix for PostgreSQL --file-read
2013-01-14 12:22:00 +00:00
Bernardo Damele
c6d4b89869
minor bug fix for PostgreSQL (issue #338 )
2013-01-14 11:41:30 +00:00
Bernardo Damele
b35b8a4835
fixed regexps for --live-test (issue #312 )
2013-01-14 10:24:11 +00:00
Bernardo Damele
4acb281414
added first test cases for PostgreSQL
2013-01-14 01:11:57 +00:00
Bernardo Damele
b74cfbf336
minor enhancements for debug purposes (issue #312 )
2013-01-13 23:15:56 +00:00
Miroslav Stampar
bc4d8d3e02
Implementation for an Issue #332
2013-01-11 11:17:41 +01:00
Miroslav Stampar
7ea846e111
Removing some junk from queries.xml
2013-01-10 11:46:51 +01:00
Miroslav Stampar
ebde4b190e
Minor update
2013-01-10 11:42:37 +01:00
Miroslav Stampar
55a552ddc4
Update for an Issue #24
2013-01-08 10:55:25 +01:00
Miroslav Stampar
614f4657f1
Removing timedelay tags inside queries.xml as we don't use those outside the payloads.xml anymore (Update for an Issue #24 )
2013-01-08 10:30:01 +01:00
Bernardo Damele
ec7508ec4f
test case to reproduce bug introduced at 76839ff
2013-01-07 17:39:13 +00:00
Miroslav Stampar
a3f9741d6e
Fixed unneeded trimming in --hex for MsSQL
2012-12-21 11:40:18 +01:00
Bernardo Damele
a56e384abb
updated VM..
2012-12-20 13:18:45 +00:00
Bernardo Damele
e39ac0f092
added OR boolean-based test case
2012-12-20 12:52:26 +00:00
Bernardo Damele
d019f75e63
for this test case verbose has to be set to 2 as we parse a DEBUG message
2012-12-20 11:48:34 +00:00
Bernardo Damele
190e317992
fixed test case and added new one, commented out metasploit integration case as it cannot be handled easily
2012-12-20 11:05:11 +00:00
Miroslav Stampar
19e2f3bb76
Merge branch 'master' of github.com:sqlmapproject/sqlmap
2012-12-20 10:43:54 +01:00
Miroslav Stampar
03215ef209
Proper length function used now (fixing issues with international letters in multi threaded mode)
2012-12-20 10:43:38 +01:00
Bernardo Damele
076b4063e6
these edits got overwritten from last commits
2012-12-20 09:42:44 +00:00
Bernardo Damele
602405c171
added more test cases
2012-12-19 18:30:04 +00:00
Bernardo Damele
a2c58847e6
fixed title
2012-12-19 18:29:00 +00:00
Bernardo Damele
357da43cea
slight improvement of live test engine and added misc test cases to xml
2012-12-19 17:28:41 +00:00
Bernardo Damele
3061eec7d8
added test case for web shell command execution and temporary test case for Metasploit integration (--os-pwn)
2012-12-19 16:39:13 +00:00
Bernardo Damele
282aeb734f
ORDER BY does not play well with UNION query SQLi (related to issue #313 )
2012-12-19 13:21:16 +00:00
Bernardo Damele
e583ba6826
no point retesting all for time-based too as it uses same engine of boolean-based
2012-12-19 12:35:36 +00:00
Bernardo Damele
2bc2c0431c
fixed test cases
2012-12-19 12:33:37 +00:00
Bernardo Damele
5ceadf02ae
fixed test cases now that MySQL test db has two more tables and removed old test cases, soon to be replaced with new ones for other DBMSes
2012-12-19 12:22:45 +00:00
Bernardo Damele
54752a9101
typo fix
2012-12-19 11:44:58 +00:00
Bernardo Damele
dee56b17c3
handle "LIMIT num" as well as "LIMIT num, num" across all techniques - fixes issue #308
2012-12-19 10:50:15 +00:00
Bernardo Damele
2c86022aab
added test cases for --sql-query and improved tests for --search -C
2012-12-18 16:30:46 +00:00
Bernardo Damele
f8267ece0f
added more specific --search -T and -C test cases
2012-12-18 16:13:38 +00:00
Bernardo Damele
61a838bb35
added more test cases
2012-12-18 15:59:48 +00:00
Bernardo Damele
3fa05374bd
added tests for all MySQL techniques now (except stacked queries (S) as it is not supported on MySQL/PHP)
2012-12-18 12:07:19 +00:00
Miroslav Stampar
9b716eb805
Implementation for an Issue #135
2012-12-18 10:13:42 +01:00
Bernardo Damele
b957b4790b
regexp fix
2012-12-17 13:52:00 +00:00
Bernardo Damele
86bca05ab0
improved tests
2012-12-17 13:30:41 +00:00
Bernardo Damele
bbd2adb5fb
improvements to --live-test and added --stop-fail switch
2012-12-17 11:41:43 +00:00
Bernardo Damele
2926c815bf
improved test switch --live-test and minor refactoring
2012-12-17 11:29:33 +00:00
Miroslav Stampar
bc72180a3b
Lowering --limit for inline query technique
2012-12-05 10:58:41 +01:00
Miroslav Stampar
775e0df04b
Update for an Issue #278
2012-12-05 10:45:17 +01:00
Miroslav Stampar
2e2a7a34b6
Minor consistency update
2012-11-29 12:11:53 +01:00
Miroslav Stampar
c0796b4742
Minor bug fix (RLIKE boolean case was using wrong comparison payload)
2012-11-27 12:03:38 +01:00
Miroslav Stampar
919f75db9b
Improvement and fix for pivotDumpTable mechanism
2012-10-28 23:09:35 +01:00
Miroslav Stampar
687f3991de
Cleaning/refactoring of bunch of stacked/suffix/comment stuff (e.g.
2012-09-26 11:27:43 +02:00
Miroslav Stampar
67cfc3b492
Removing boundaries (it were meant to be used as 'parameter replace' logic but it's not doable for boundaries)
2012-09-17 22:36:40 +02:00
Miroslav Stampar
acad7a34a2
Minor update
2012-09-17 22:23:44 +02:00
Miroslav Stampar
f26ea04e38
Fix for an Issue #175
2012-09-07 17:06:38 +02:00
Miroslav Stampar
59ab3c7bdc
Updating server.xml with fresh banners
2012-08-23 11:01:57 +02:00
Miroslav Stampar
d7cf0de090
Fixing INSERT/UPDATE generic boundaries (those previous few were junkies)
2012-08-22 14:12:51 +02:00
Miroslav Stampar
8ee9feafb9
Making payloads a bit shorter (removing redundant space after comma character - e.g. in inband queries)
2012-08-20 21:57:25 +02:00
Miroslav Stampar
6fdbe4eb89
Fix by zhouhx@knownsec.com (better LIKE boundaries)
2012-08-06 19:04:23 +02:00
Miroslav Stampar
57f2fccc24
Revert of a previous commit (actually missing mysql.db is a bonus in this kind of attack :)
2012-07-26 11:40:47 +02:00
Miroslav Stampar
ec96689556
Safer for provoking 'Subquery returns more than 1 row' state than potentially missing mysql.db
2012-07-26 11:39:51 +02:00
Miroslav Stampar
6878ef92b2
Style update
2012-07-26 11:22:00 +02:00
Miroslav Stampar
ab3160316f
Implementation of payloads for Issue #122
2012-07-26 11:17:09 +02:00
Miroslav Stampar
95e0d46e3e
Fix for an Issue #110
2012-07-21 09:15:54 +02:00
Bernardo Damele
1928d5464d
fixes issue #97
2012-07-20 15:56:14 +01:00
Bernardo Damele
243a905788
more on issue #97
2012-07-17 23:07:16 +01:00
Bernardo Damele
c483e91445
added payloads for ORDER BY/GROUP BY time-based injections - issue #97
2012-07-17 22:52:28 +01:00
Bernardo Damele
771e7a9fc3
Initial commit for issue #97
2012-07-17 10:13:09 +01:00
Bernardo Damele
53c0336b48
added --hostname switch to retrieve DBMS server hostname - closes issue #69
2012-07-12 00:01:57 +01:00
Miroslav Stampar
27fdccc858
Update for Issue #55 (falling back to SELECT DB_NAME(N))
2012-07-03 20:15:17 +02:00
Miroslav Stampar
5d35d255ba
minor refactoring
2012-06-11 22:27:33 +00:00
Miroslav Stampar
2538e2d5b4
fixing an issue with --file-read and ROW() MySQL payload (it's internal caching mechanism prevents error message if FROM part is not unique enough dumping only partial file content); minor refactoring
2012-05-22 09:33:22 +00:00
Miroslav Stampar
3a9e266d78
adding revisited wildcard LIKE payloads
2012-05-21 21:49:54 +00:00
Miroslav Stampar
602369c762
reverting last changes on boundaries
2012-05-21 09:20:46 +00:00
Miroslav Stampar
1500b3fccd
adding a new payload boundaries by smcintyre@securestate.com
2012-05-21 08:31:37 +00:00
Miroslav Stampar
37f2709197
making a generic solution for all "Generic comment"/MsAccess cases (it's the only DBMS which doesn't accept --, hence replacing generic comment with %00 for it)
2012-05-09 09:08:23 +00:00
Miroslav Stampar
deec97dfe3
adding Frontbase to error message regexes
2012-05-08 17:02:58 +00:00
Miroslav Stampar
57234e1ff5
fix for proper (international character) inference on MsAccess
2012-05-03 23:13:48 +00:00
Miroslav Stampar
1e45ee9ab6
reverting back to smaller UNION ranges as that mechanism for automatic extending was implemented few days ago
2012-04-25 20:37:39 +00:00
Bernardo Damele
eb73cab636
increased UNION test ranges
2012-04-23 11:54:52 +00:00
Miroslav Stampar
414c74b8aa
new payload
2012-04-13 08:16:33 +00:00
Bernardo Damele
1f82d29a36
switch two conditional payloads for proper detection
2012-04-04 10:11:48 +00:00
Bernardo Damele
d5b4b7996a
minor revert
2012-04-04 00:09:47 +00:00
Bernardo Damele
049c27c739
improved detection for INSERT and UPDATE statements
2012-04-03 23:29:06 +00:00
Bernardo Damele
40a7232de6
Minor fix to avoid useless tests (FROM DUAL is Oracle specific so no point using + to concatenate strings)
2012-03-30 16:27:08 +00:00
Miroslav Stampar
637a8d8273
improvement toward proper implementation of OR-based injection by usage of "negative logic" mechanism
2012-03-29 14:33:27 +00:00
Miroslav Stampar
772ead8d03
fixed support for error-based injection on MySQL 4.1 (help table a needs more than 2 items inside); also, fixed some border issues with reflective values
2012-03-29 12:44:20 +00:00
Miroslav Stampar
84479eebe9
minor fix
2012-03-15 08:55:42 +00:00
Bernardo Damele
890bf708bc
Minor fixes to make --os-* switch work again against MySQL/Windows/ASP.NET (where stacked queries are supported)
2012-03-15 00:19:57 +00:00
Bernardo Damele
012fc21b49
Improvements to column(s) search: now it's possible to search column(s) in provided table(s) across all databases, search column(s) across all tables in provided database(s) or let sqlmap alone identify the databases' tables - this is now implemented for error-based, union query and direct connection. Work is still required for boolean-based and time-based.
...
Adapted the queries.xml file accordingly
2012-03-09 17:47:50 +00:00
Miroslav Stampar
ac5a752b12
Oracle's XMLType doesn't like '#' char too
2012-03-01 11:59:37 +00:00
Miroslav Stampar
686eacda9a
minor update regarding --hex
2012-02-21 13:38:18 +00:00
Miroslav Stampar
77723a7aee
minor update
2012-02-21 10:24:04 +00:00
Miroslav Stampar
d70f4b7150
adding hex conversion functions to queries.xml for 4 major DBMSes
2012-02-21 10:10:43 +00:00
Miroslav Stampar
6632aa7308
some more refactoring
2012-02-16 13:46:01 +00:00
Miroslav Stampar
7bca926a0b
fixes, updates, patches
2012-02-09 10:16:58 +00:00
Miroslav Stampar
f86c365694
added one more failsafe for MSSQL --tables
2012-02-03 10:56:39 +00:00
Miroslav Stampar
f4e7bf1d51
minor update regarding support for Unicode characters in Oracle
2012-02-01 14:17:27 +00:00
Miroslav Stampar
704488a4e4
proper retrieval of unicode characters in inference mode on MSSQL
2012-02-01 13:01:46 +00:00
Miroslav Stampar
a6c2fc7ecc
some refactoring on MSSQL support
2012-02-01 12:53:07 +00:00
Bernardo Damele
ec9cc19951
Minor bug fixes for -d
2012-01-13 21:46:21 +00:00
Miroslav Stampar
f1147035cf
minor concision/beautification update
2012-01-10 11:50:26 +00:00
Miroslav Stampar
fecdce5801
implemented --tables over information_schema for MSSQL as a failover option for BOOLEAN technique too
2012-01-09 21:09:05 +00:00
Miroslav Stampar
f412706fee
minor update for MSSQL --tables (fallback to other method)
2012-01-03 18:01:14 +00:00
Miroslav Stampar
7d2fce16dc
minor fix
2011-12-16 11:40:23 +00:00
Miroslav Stampar
cff21814bb
minor patch for MSSQL 2008
2011-12-16 11:23:41 +00:00
Miroslav Stampar
2adf358524
minor update
2011-12-03 13:17:43 +00:00
Miroslav Stampar
39b406c5c1
fix for --search on Oracle
2011-12-02 18:13:27 +00:00
Miroslav Stampar
94790bf08a
minor update (removing reference to Microsoft Access for Generic payload)
2011-12-01 13:25:27 +00:00
Miroslav Stampar
df4e3be191
using MySQL comments in explicit MySQL payloads where not comments stated in title (as we already use in MySQL UNION payloads; in lots of cases minus character is either filtered or "exploded" - seen in lots of WP vulnerabilites; also, it was a false claim by myself previously that # is no longer a valid MySQL comment syntax in never versions)
2011-11-23 22:57:02 +00:00
Miroslav Stampar
d8047c79f3
reverting back last two commits
2011-11-22 15:28:31 +00:00
Miroslav Stampar
73276c0785
even better (added long before plugins table)
2011-11-22 15:23:31 +00:00
Miroslav Stampar
ff07031170
better choice than character_sets (lesser rows in start and avoiding one rare problem - description column name based)
2011-11-22 15:20:12 +00:00
Miroslav Stampar
bbb7e1562d
adding AGAINST full-text search boundaries
2011-11-12 14:16:43 +00:00
Miroslav Stampar
2e5222bfd8
adding INSERT/UPDATE generic boundaries
2011-10-28 11:00:09 +00:00
Miroslav Stampar
b6ccc0cc43
minor update
2011-10-18 14:35:42 +00:00
Miroslav Stampar
597d554153
minor update
2011-10-18 13:05:49 +00:00
Miroslav Stampar
382db1b67a
degrading Microsoft Access UNION tests for one level down (it really does take toooooo long to scan a site with no vulnerable parameters and normal level)
2011-08-31 20:35:57 +00:00
Miroslav Stampar
d283e3eb3c
adding support for pre-WHERE injections
2011-08-24 09:04:18 +00:00
Miroslav Stampar
13eb20cea1
minor beautification
2011-08-03 10:12:06 +00:00
Bernardo Damele
2e20eb1a88
Minor fix
2011-08-03 10:08:59 +00:00
Bernardo Damele
b8e2d60bfa
Added MSSQL 2008 R2 signatures
2011-07-24 23:42:32 +00:00
Bernardo Damele
48f580fb10
Minor adjustments to MSSQL fingerprint
2011-07-24 23:30:23 +00:00
Bernardo Damele
99a0b62d0d
Minor adjustments
2011-07-24 22:26:11 +00:00
Miroslav Stampar
ca83305b58
added MySQL updatexml error-based payload
2011-07-24 21:08:32 +00:00
Miroslav Stampar
a89140e1ce
revisit of Oracle error-based payloads (added replace for '@' as a problematic char for XMLType function)
2011-07-23 06:07:00 +00:00
Miroslav Stampar
4cb9988243
quick fix
2011-07-12 21:09:33 +00:00
Bernardo Damele
c9ba58acb6
Moved MS Access UNION query tests after generic as generic test must identify MSSQL
2011-07-11 09:47:52 +00:00
Miroslav Stampar
5d31eb5ef7
cosmetics and also tested against testing env - works perfectly
2011-07-10 09:07:07 +00:00
Miroslav Stampar
eb42cedf2a
adding extractvalue MySQL >= 5.1 error payload ( http://www.notsosecure.com/folder2/2010/06/29/mysql-exploitation-with-error-messages/ ) - untested (lack of particular ver for testing) and prone to level/risk adjustment
2011-07-10 08:54:22 +00:00
Miroslav Stampar
93219b9e13
i've accidentally left table_schema removed while doing some tests. now it should be ok
2011-07-08 10:24:46 +00:00
Bernardo Damele
b5dd4d4a63
Minor bug fix for Microsoft Access case expressions (like --common-tables) in UNION query SQL injection
2011-07-08 10:19:01 +00:00
Miroslav Stampar
c517e97a44
few fixes and minor cosmetics
2011-07-08 06:02:31 +00:00
Bernardo Damele
067354b97f
Revert of last commit and proper fix to detect UNION query SQL injection against Microsoft Access
2011-07-07 13:20:40 +00:00
Bernardo Damele
9eb683531d
Minor improvement at blind SQL inj technique for DB2
2011-06-27 22:28:12 +00:00
Bernardo Damele
ed4cfbb6d2
Minor fix
2011-06-27 08:58:59 +00:00
Miroslav Stampar
bedf16b88b
adding payloads for time-based injection on SAP MaxDB (heavy query)
2011-06-26 23:46:09 +00:00
Miroslav Stampar
d0490cc4e7
adding payloads for time-based injection on DB2 (heavy query)
2011-06-26 16:38:22 +00:00
Bernardo Damele
36c96ef796
Added DB2 support - patch provided by Sebastian Bittig
2011-06-25 09:44:24 +00:00
Bernardo Damele
b2e6cf3ed9
Enabled --search -C also for Oracle
2011-06-24 14:34:20 +00:00
Miroslav Stampar
4188df0501
fixes for Sybase
2011-06-15 18:49:35 +00:00
Miroslav Stampar
9f6b70f3f9
update
2011-05-26 22:45:33 +00:00
Miroslav Stampar
0baf931669
real generic comment is "-- " not "--" (MySQL doesn't support "--")
2011-05-24 09:16:21 +00:00
Miroslav Stampar
171a4c389b
added MySQL >=4.1 <=5.0 error based WHERE/HAVING payload
2011-05-23 06:24:45 +00:00
Miroslav Stampar
939e6541d0
far safer way for dealing with error-based payloads on MySQL (no timeouts with .CHARACTER_SETS on testing platforms versus when used .TABLES)
2011-05-19 23:36:51 +00:00
Miroslav Stampar
bd1b07fbc2
one more parameter replace payload for MySQL and rising level of GENERATE_SERIES for PostgreSQL
2011-05-19 06:32:23 +00:00
Miroslav Stampar
7f086916c0
decent parameter replace payload for PostgreSQL (GENERATE_SERIES)
2011-05-18 23:40:42 +00:00
Miroslav Stampar
e58d6d2e00
removing (CBRT(LN(0)) because it's nothing special compared to standard 1/0; also, removing parameter replacement with returned value 1 as it doesn't have much sense in comparison to origvalue one (which is far more stable and usable)
2011-05-18 23:20:02 +00:00
Miroslav Stampar
fe50d09cc8
added new payload for PostgreSQL (parameter replace)
2011-05-18 23:01:41 +00:00
Bernardo Damele
3a8309c4b0
Major bug fix to detect UNION query technique and various improvements to parsing and using of --union-char and --union-cols switches
2011-05-10 15:34:54 +00:00
Bernardo Damele
aae140080e
SVN roll back, DB2 patch will be recommitted after testing:
...
$ svn merge https://svn.sqlmap.org/sqlmap/trunk/sqlmap@HEAD https://svn.sqlmap.org/sqlmap/trunk/sqlmap@3847 .
2011-05-06 10:27:43 +00:00
Miroslav Stampar
6e392b6054
applying contributed patch for DB2
2011-05-06 09:30:39 +00:00
Bernardo Damele
36a9ddaacc
Minor bug fixes and code restyling for --privileges and --passwords
2011-04-30 14:50:27 +00:00
Bernardo Damele
7df954dd9f
paranoy
2011-04-21 23:41:25 +00:00
Miroslav Stampar
0764c4c752
parenthesis were missing; banning OR NOT from payloads
2011-04-21 23:32:53 +00:00
Bernardo Damele
1d61611145
leftover
2011-04-21 22:46:43 +00:00
Bernardo Damele
870f773d70
In some old versions of MySQL (perhaps others DBMS too) the NOT clause is not supported, hence we need also OR tests without NOT - tested and works like this
2011-04-21 20:36:50 +00:00
Miroslav Stampar
05a0e1d3b0
fix for a bug reported by m4l1c3 (TypeError: not all arguments converted during string formatting)
2011-04-15 11:34:14 +00:00
Miroslav Stampar
136e85abf3
little refresh of PHPIDS rules for --check-payload
2011-04-11 15:37:49 +00:00
Miroslav Stampar
75f286cf6d
minor update conformant to http://dev.mysql.com/doc/refman/4.1/en/comments.html
2011-04-10 23:41:00 +00:00
Miroslav Stampar
3177c6023d
lol. re-revert
2011-04-10 23:30:56 +00:00
Bernardo Damele
9ea4010508
Leave it as is :)
2011-04-10 23:20:35 +00:00
Miroslav Stampar
3e680978a9
revert of that last commit (waiting for some better days)
2011-04-10 23:18:38 +00:00
Miroslav Stampar
f532478a34
update of MySQL comments
2011-04-10 23:08:18 +00:00
Bernardo Damele
af096b2c83
Leave it as is!!!
2011-04-10 21:47:23 +00:00
Miroslav Stampar
d0cef21d9c
fix
2011-04-10 21:19:34 +00:00
Miroslav Stampar
6fa2fd139c
implemented support for __pivotDumpTable on MSSQL as normal tables tend to not play well with normal TOP 1 ..NOT IN..ORDER BY mechanism if the argument for ORDER BY is not the unique one (returns only number of rows equal to the number of distinct values for that field)
2011-04-08 15:17:57 +00:00
Bernardo Damele
02eeeccd33
Added UNION query SQL injection tests also with a random number for columns (not only NULL)
2011-04-07 13:39:36 +00:00
Miroslav Stampar
ca009e9fe2
minor update
2011-04-07 10:43:19 +00:00
Miroslav Stampar
672abc27fd
minor adjustment of livetests for new flavor of --technique
2011-04-07 10:41:12 +00:00
Miroslav Stampar
e27afef6be
minor update regarding --current-db on Oracle
2011-04-01 15:56:11 +00:00
Miroslav Stampar
60102209f6
quick fix for a bug reported by Kirill (AttributeError: 'NoneType' object has no attribute 'split')
2011-04-01 11:14:24 +00:00
Miroslav Stampar
b7813f9e68
incrementing level for MySQL stacked payloads
2011-03-29 07:31:56 +00:00
Miroslav Stampar
86f93713d3
fix for a bug reported by m4l1c3 (object of type 'NoneType' has no len()) and minor update
2011-03-29 06:25:17 +00:00
Miroslav Stampar
73e5d20ade
bulk commit for safe/unsafe identificator naming (done and tested for all 4 major DBMSes) and one bug fix for --search-column on MSSQL (inside queries)
2011-03-28 11:01:55 +00:00
Miroslav Stampar
5eb7787fc9
adding partial union cases to the live tests
2011-03-25 15:56:15 +00:00
Miroslav Stampar
670aa7f99b
update for live tests (added dumping of columns and table values)
2011-03-25 15:37:11 +00:00
Miroslav Stampar
e80c9e08d8
minor update regarding --live-test
2011-03-25 09:03:08 +00:00
Miroslav Stampar
82ab4c8dc2
minor fix (ORDER BY 1 screws things up in blind mode)
2011-03-24 14:19:32 +00:00
Miroslav Stampar
06a5c39efe
fix related to the bug reported by Alone Shell
2011-03-24 14:03:40 +00:00
Miroslav Stampar
cef2c0879d
adding live test cases for --technique=1 too
2011-03-24 12:19:40 +00:00
Miroslav Stampar
33c01726dd
adding basic live tests for MSSQL too
2011-03-24 12:01:53 +00:00
Miroslav Stampar
2b15ad57c2
basic live tests against 3 major DBMSes
2011-03-24 11:47:01 +00:00
Miroslav Stampar
b72cdfe9e6
fix for mssql regarding usage of schema names reported by jabra@spl0it.org
2011-03-23 10:40:34 +00:00
Miroslav Stampar
b5c9ccb755
Oracle XML based error payload has problems with char $ as with space
2011-03-21 13:13:12 +00:00
Miroslav Stampar
4889764114
minor update regarding last commit
2011-03-21 11:40:27 +00:00
Miroslav Stampar
5291fe35c9
proper implementation of --dbs on Oracle (we are using now schema names as a counterpart to dbs in other DBMSes)
2011-03-21 11:29:43 +00:00
Miroslav Stampar
0535225fe7
throwing out obsolete ORDER BY 1 from inband queries
2011-03-16 14:18:12 +00:00
Miroslav Stampar
eedd6a990d
removing space after , for our payloads
2011-03-08 14:29:22 +00:00
Miroslav Stampar
3dc31f6273
removing spaces after , in our queries
2011-03-08 14:07:26 +00:00
Miroslav Stampar
ff9080de48
MaxDB always precalculates values for both TRUE and FALSE, hence we can't trick him to run any "faulty" command (e.g. 1/0). This payload is fairly ok because in case of FALSE --> something=NULL is always NULL
2011-02-21 20:59:34 +00:00
Miroslav Stampar
08697e60a9
added some Microsoft Access payloads
2011-02-21 20:04:50 +00:00
Bernardo Damele
3e8c204121
Major bug fix to properly prepare UNION technique statement for --os-pwn and --is-dba
2011-02-21 16:00:56 +00:00
Miroslav Stampar
68a95fd1b1
minor update
2011-02-20 22:45:23 +00:00
Miroslav Stampar
aac817935a
further improvement of MaxDB support
2011-02-20 22:41:42 +00:00
Miroslav Stampar
a3ba8b6928
--dump now works on MaxDB too
2011-02-20 22:07:12 +00:00
Miroslav Stampar
59e666d16e
--is-dba (related) update for Sybase
2011-02-20 17:28:06 +00:00
Miroslav Stampar
67ec691eb1
more updates regarding Sybase
2011-02-20 16:28:48 +00:00
Miroslav Stampar
823e4351b5
minor change
2011-02-20 12:34:09 +00:00
Miroslav Stampar
f30dea74f3
more Sybase updates
2011-02-19 18:36:26 +00:00
Miroslav Stampar
b71bb321dd
some more Sybase updates
2011-02-19 18:04:27 +00:00
Miroslav Stampar
e0efe453ab
minor update regarding Sybase support
2011-02-19 14:07:08 +00:00
Miroslav Stampar
5f4ffc9287
update regarding Sybase dumping
2011-02-19 00:36:47 +00:00
Miroslav Stampar
5fb11fd173
update regarding multiple DBMS payloads
2011-02-13 21:20:21 +00:00
Bernardo Damele
394ccb5cc5
Added query for MSSQL/--privileges
2011-02-10 15:52:55 +00:00
Miroslav Stampar
5050a76b59
update regarding reading of table names from access system tables
2011-02-09 10:33:29 +00:00
Miroslav Stampar
1a5a66870e
problem fixed
2011-02-07 11:57:41 +00:00
Bernardo Damele
7dcfcca87f
Tests' titles adjustments
2011-02-06 23:17:39 +00:00
Miroslav Stampar
5ecb75cc56
minor update
2011-02-06 15:14:07 +00:00
Miroslav Stampar
f754953c4f
reverting this one. spotted a major bug. dbms is not properly enforced at this moment, don't know why. if it was this would be properly encoded.
2011-02-06 12:33:58 +00:00
Miroslav Stampar
97f9c9d119
bug fix (playing with wavsep i've realized that we are sending in this payload quoted 'string' (causing problems), while MD5 also accepts integer values
2011-02-06 12:24:50 +00:00
Bernardo Damele
27601babb4
Minor adjustments to levels of boundaries
2011-02-04 11:57:47 +00:00
Miroslav Stampar
76ab14f20f
revert of r3203
2011-02-04 09:30:20 +00:00
Miroslav Stampar
78d696fd4f
i believe that this one should be the first level 1 boundary
2011-02-03 21:27:03 +00:00
Miroslav Stampar
64f18724ad
new default UNION test(s) ranges
2011-02-03 16:26:35 +00:00
Miroslav Stampar
4bb7ffcb3a
minor update
2011-02-03 13:18:43 +00:00
Bernardo Damele
8397c526d8
Minor adjustment
2011-01-31 21:20:23 +00:00
Miroslav Stampar
f9eac97fe8
refactoring of MSSQL XML banner parsing
2011-01-31 11:38:00 +00:00
Miroslav Stampar
14de5809ea
update
2011-01-31 11:08:58 +00:00
Miroslav Stampar
5aa958a146
ASCII & CHR is quite common, so removing this one
2011-01-24 22:51:15 +00:00
Miroslav Stampar
a1619f84b6
changing level of last payload
2011-01-24 22:31:26 +00:00
Miroslav Stampar
8155f95b82
new payload - PostgreSQL boolean-based blind - Parameter replace (based on CHR(0) - "SQL error: ERROR: null character not permitted")
2011-01-24 22:28:54 +00:00
Miroslav Stampar
9f76468005
another premiere, yeeej. IDSes, watch yourself :)
2011-01-24 21:30:46 +00:00
Miroslav Stampar
2fb0c946d2
minor update
2011-01-24 21:21:47 +00:00
Miroslav Stampar
15645f50d4
world premiere :)
2011-01-24 21:21:11 +00:00
Miroslav Stampar
440264341c
minor update
2011-01-24 17:43:25 +00:00
Miroslav Stampar
0eea5665b2
minor update
2011-01-24 17:41:36 +00:00
Bernardo Damele
b0dc6c24eb
Moved
2011-01-24 17:04:49 +00:00
Miroslav Stampar
c188996627
patch for possible query optimization (avoid precalculation of 1/0)
2011-01-24 16:21:27 +00:00
Bernardo Damele
47fa600c04
Minor fix and cosmetics
2011-01-24 11:12:33 +00:00
Miroslav Stampar
db76bcb327
fix for cases when mixing ingres dbms with spanish word "ingresa"
2011-01-23 11:19:10 +00:00
Miroslav Stampar
7bf05bf2cb
minor update
2011-01-22 00:12:03 +00:00
Miroslav Stampar
d6d8d54eda
implemented Johannes Dahse / Reiners' technique
2011-01-22 00:06:27 +00:00
Miroslav Stampar
0743202879
minor update
2011-01-21 23:54:25 +00:00
Miroslav Stampar
cb0e7080c5
more appropriate name (on http://websec.wordpress.com/ they use term "conditional" for something very similar, although not stacked)
2011-01-21 23:47:45 +00:00
Miroslav Stampar
7c4c79477d
world premiere of "forced-error blind stacked" payloads (spent 3 hours on pgsql)
2011-01-21 18:32:10 +00:00
Miroslav Stampar
79e4b1efd5
added new signature for SQLite error messages
2011-01-20 22:47:03 +00:00
Bernardo Damele
6c490bfc8f
Avoid a traceback elsewhere
2011-01-20 21:43:41 +00:00
Bernardo Damele
7ce49bcf0d
Sorted boundaries so that the ones with parenthesis are tested first - it has to be like this!
...
Adjusted comments accordingly to new UNION-specific tags.
2011-01-20 21:42:55 +00:00
Miroslav Stampar
f6d79f58bc
another fix (LIMIT is not a good idea to have in inband queries)
2011-01-20 21:13:28 +00:00
Miroslav Stampar
ff1a44c335
probably a fix for that SQLite bug reported by Ahmed Shawky
2011-01-20 20:30:18 +00:00
Miroslav Stampar
a1d77737f5
minor grammar update (this should be a better form)
2011-01-20 18:35:21 +00:00
Bernardo Damele
81be23976e
Confirmed HAVING payloads work as WHERE ones.
...
Changed <risk> value of all 'heavy query' tests to 2 as it can potentially lead to a DoS.
Proper handling of title for UNION tests when --union-char is provided.
2011-01-18 22:55:20 +00:00
Miroslav Stampar
f7d9b22510
because other major DBMSes have at least one level 1 time based payload
2011-01-18 20:32:49 +00:00
Miroslav Stampar
bdcb10cdab
added MSSQL time based vector
2011-01-18 02:05:18 +00:00
Bernardo Damele
c2a358561f
Proper support for --union-cols
2011-01-17 22:57:33 +00:00
Miroslav Stampar
fb166e9445
adding USER_LOCK stacked query support for ORACLE (older versions)
2011-01-16 10:31:16 +00:00
Miroslav Stampar
f31c028232
Oracle stacked vector based on DBMS_LOCK.SLEEP ( https://foro.undersecurity.net/read.php?46,1436 )
2011-01-16 10:07:56 +00:00
Bernardo Damele
1b3717c79c
Improvement to make time-based blind to work also against login forms
2011-01-12 16:20:29 +00:00
Bernardo Damele
d7a7993e0d
Minor comment fix
2011-01-12 11:57:36 +00:00
Bernardo Damele
2f5995a7eb
Added generic and mysql UNION tests from 1 to 25 columns.
...
Adapted config file and command line removing now outdated --union-test switch.
Minor bug fix.
Minor code refactoring.
Got rid of some debug messages, standardized logging of UNION tests.
2011-01-11 22:56:21 +00:00
Bernardo Damele
300128042c
First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though.
...
Major refactoring to Agent.payload() method.
Minor bug fixes, some code refactoring and a lot of core adjustments here and there.
Added more checks for injection in GROUP BY and ORDER BY.
2011-01-11 22:18:47 +00:00
Bernardo Damele
1c86ec374e
Code refactoring and cosmetics
2011-01-07 15:41:09 +00:00
Miroslav Stampar
2efe7928c0
more concise than previously
2011-01-02 17:06:13 +00:00
Miroslav Stampar
a56934e68b
one more MSSQL/ASPX error banner regex
2011-01-02 15:36:57 +00:00
Miroslav Stampar
e6f0c4d857
minor update
2011-01-02 15:32:35 +00:00
Miroslav Stampar
c1d0dde769
added support for .NET banners ( http://msdn.microsoft.com/en-us/library/system.data.sqlclient.aspx )
2011-01-02 14:46:31 +00:00
Miroslav Stampar
93cb75ff65
added Nginx
2011-01-02 08:50:27 +00:00
Miroslav Stampar
ded9798e3d
minor bug fix
2011-01-01 23:07:50 +00:00
Miroslav Stampar
c3065f6ecc
minor fix
2010-12-29 20:38:56 +00:00
Miroslav Stampar
96c3ffd3d7
changing risk level to 0 - lots of MySQL databases around have information_schema unreadable, thus disabling first AND based error payload
2010-12-27 19:02:13 +00:00
Miroslav Stampar
2c8115eed9
further improvement for ms access table dumping
2010-12-26 01:04:30 +00:00
Miroslav Stampar
fb099615e2
minor update
2010-12-25 11:16:35 +00:00
Miroslav Stampar
272476773f
getPageTextWordsSet on tableExists is pretty powerful stuff
2010-12-25 09:37:33 +00:00
Miroslav Stampar
706d8e0b88
development update (basic ms access dumping implemented)
2010-12-24 19:53:11 +00:00
Miroslav Stampar
edcf1a0872
few bug fixes
2010-12-24 18:40:48 +00:00
Miroslav Stampar
3043ed095a
bug fix (those two regexes where too generic making false MS ACCESS positives here and there)
2010-12-24 00:11:10 +00:00
Miroslav Stampar
5a0aef0f33
fix for a case: Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [MySQL][ODBC 3.51 Driver][mysqld-5.1.31-community] - it was wrongly error message recognized as MS SQL Server
2010-12-23 09:53:13 +00:00
Miroslav Stampar
8fc60215ed
lol. this was a pesky bug. heuristic wasn't working on one mssql test site and i couldn't find why. at end the problem was that when the HTTP code was raised (like 500) no parseResponse was called.
2010-12-22 19:12:46 +00:00
Bernardo Damele
c9ab8ae60e
Bug fix to properly identify if current user is DBA (--is-dba) on MySQL
2010-12-22 14:06:01 +00:00
Bernardo Damele
e791f8f2b7
Minor fix
2010-12-20 10:33:24 +00:00
Miroslav Stampar
bfdc4fa000
new error vector for MS SQL (from David Guimaraes' mail)
2010-12-17 19:00:20 +00:00
Miroslav Stampar
3ee44584d4
i've found a way! thank you hesus! fyea (ASC(MID) was just crashing when MID returned 'empty string')
2010-12-14 12:57:59 +00:00
Bernardo Damele
207f63cebc
Prepare for UNION query tests at detection phase
2010-12-13 21:31:34 +00:00
Miroslav Stampar
33639578ee
minor update for MS Access
2010-12-12 15:25:19 +00:00
Miroslav Stampar
b1babeefe5
update regarding dumping of tables with blind on Sqlite
2010-12-11 22:00:16 +00:00
Miroslav Stampar
acc7d6d40c
fix
2010-12-11 11:03:32 +00:00
Miroslav Stampar
ac9080c07b
update
2010-12-11 08:24:29 +00:00
Miroslav Stampar
fe2039f5ba
coollyy little commits
2010-12-10 11:32:46 +00:00
Miroslav Stampar
7e2984b4b6
added stacked query support for Oracle
2010-12-09 15:24:48 +00:00