MORPH
SIGN IN SIGN UP
sqlmapproject / sqlmap UNCLAIMED

Automatic SQL injection and database takeover tool

36962 0 0 Python
Normal View History Raw
Last preparations for DREI
2019-05-08 12:47:52 +02:00
#!/usr/bin/env python
After the storm, a restore..
2008-10-15 15:38:22 +00:00
"""
Year and version bump
2023-01-02 23:24:59 +01:00
Copyright (c) 2006-2023 sqlmap developers (https://sqlmap.org/)
Replacing doc/COPYING to LICENSE
2017-10-11 14:50:46 +02:00
See the file 'LICENSE' for copying permission
After the storm, a restore..
2008-10-15 15:38:22 +00:00
"""
Baby steps
2019-01-22 01:28:24 +01:00
from __future__ import print_function
After the storm, a restore..
2008-10-15 15:38:22 +00:00
import re
import time
from lib.core.agent import agent
minor refactoring
2012-02-16 09:46:41 +00:00
from lib.core.bigarray import BigArray
Patch for #4419
2020-11-05 10:59:36 +01:00
from lib.core.common import applyFunctionRecursively
refactoring (class names should always be Capital cased)
2011-01-28 16:36:09 +00:00
from lib.core.common import Backend
added calculateDeltaSeconds method for dealing with non-deterministic time behaviour in some cases (e.g. WAITFOR DELAY in case of MSSQL)
2010-05-13 11:05:35 +00:00
from lib.core.common import calculateDeltaSeconds
After the storm, a restore..
2008-10-15 15:38:22 +00:00
from lib.core.common import cleanQuery
from lib.core.common import expandAsteriskForColumns
gazillion changes, nothing will work, muhahaha
2012-02-17 14:22:48 +00:00
from lib.core.common import extractExpectedValue
Minor refactoring (drei stuff)
2019-03-29 02:28:16 +01:00
from lib.core.common import filterNone
quick fix of a fix
2010-12-15 12:10:33 +00:00
from lib.core.common import getPublicTypeMembers
Patching silent per-thread issue with technique switching (fixes #3784)
2019-07-01 10:43:05 +02:00
from lib.core.common import getTechnique
Minor update regarding 093a93938c47aea0c151705f3828c231d4103011 (for goStacked to work properly with stacked conditional payloads - e.g. proper suffix/prefix)
2013-02-12 17:35:14 +01:00
from lib.core.common import getTechniqueData
added helper function for HashDB data storing/retrieval
2012-02-24 13:07:20 +00:00
from lib.core.common import hashDBRetrieve
from lib.core.common import hashDBWrite
code refactoring and some fixes
2010-12-18 09:51:34 +00:00
from lib.core.common import initTechnique
Fixes #3948
2019-10-07 14:20:18 +02:00
from lib.core.common import isDigit
few fixes regarding --dns-domain usage (time-based technique should not be used as a failback because of few things, --time-sec should be put to 0 just in case,...)
2012-05-28 14:51:23 +00:00
from lib.core.common import isNoneValue
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-18 23:02:11 +00:00
from lib.core.common import isNumPosStrValue
quick fix of a fix
2010-12-15 12:10:33 +00:00
from lib.core.common import isTechniqueAvailable
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup.
2008-12-10 17:23:07 +00:00
from lib.core.common import parseUnionPage
minor cosmetic update
2010-10-11 13:52:32 +00:00
from lib.core.common import popValue
from lib.core.common import pushValue
Update for an Issue #342 and #372
2013-01-31 10:01:52 +01:00
from lib.core.common import randomStr
After the storm, a restore..
2008-10-15 15:38:22 +00:00
from lib.core.common import readInput
Patching silent per-thread issue with technique switching (fixes #3784)
2019-07-01 10:43:05 +02:00
from lib.core.common import setTechnique
minor update
2012-03-08 15:43:22 +00:00
from lib.core.common import singleTimeWarnMessage
Some more DREI stuff
2019-03-28 16:04:38 +01:00
from lib.core.compat import xrange
After the storm, a restore..
2008-10-15 15:38:22 +00:00
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import queries
Fixing mess with --common-files --threads>1 (threads in threads - '.shared.' hell)
2019-07-18 14:59:42 +02:00
from lib.core.decorators import lockedmethod
Potential patch for Issues like #3013 and #3017
2018-04-01 12:45:47 +02:00
from lib.core.decorators import stackedmethod
Minor refactoring of dictionaries
2012-08-21 11:19:15 +02:00
from lib.core.dicts import FROM_DUMMY_TABLE
minor update
2012-03-01 10:10:19 +00:00
from lib.core.enums import CHARSET_TYPE
further refactoring (all enumerations are now put into enums.py)
2010-11-08 09:20:02 +00:00
from lib.core.enums import DBMS
minor refactoring
2010-12-10 12:30:36 +00:00
from lib.core.enums import EXPECTED
code beautification
2010-12-08 13:04:48 +00:00
from lib.core.enums import PAYLOAD
Falling back to partial UNION if large dump connects out
2014-10-21 09:23:34 +02:00
from lib.core.exception import SqlmapConnectionException
Fixes #1462
2015-10-11 15:20:10 +02:00
from lib.core.exception import SqlmapDataException
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods)
2012-12-06 14:14:19 +01:00
from lib.core.exception import SqlmapNotVulnerableException
from lib.core.exception import SqlmapUserQuitException
Minor update
2017-07-05 12:35:48 +02:00
from lib.core.settings import GET_VALUE_UPPERCASE_KEYWORDS
Some more trivial refactoring
2017-10-31 11:05:25 +01:00
from lib.core.settings import INFERENCE_MARKER
cosmetics
2010-12-21 15:26:23 +00:00
from lib.core.settings import MAX_TECHNIQUES_PER_VALUE
improvement for recognition of scalar vs multiple-row commands
2011-05-19 16:45:05 +00:00
from lib.core.settings import SQL_SCALAR_REGEX
Dirty patch for safe-encoded unicode characters
2017-12-27 12:23:35 +01:00
from lib.core.settings import UNICODE_ENCODING
some fixes
2011-01-07 16:39:47 +00:00
from lib.core.threads import getCurrentThreadData
Initial implementation of support for stacked queries. Added method to test for Time based blind SQL injection query stacking on the affected parameter a SLEEP() or similar DBMS specific function. Adapted libraries, plugins and XML with the above changes. Minor layout adjustments.
2008-11-12 00:36:50 +00:00
from lib.request.connect import Connect as Request
Added support to directly connect also to Microsoft SQL Server database. Fixed direct connection to always use the same query as of UNION query SQL injection (= one query with multiple columns/entries output). Minor fixes to Firebird/Access/SQLite connectors to use connector's execute()/fetchall() as wrapper for third-party libraries' methods. Forced conf.timeout to 10 seconds when directly connecting to database. Slightly improved regular expression to parse -d parameter. Added import check for all connectors' third-party libraries. Code refactoring: * Moved conf.direct request to direct() function in lib/request/direct.py (code reused where needed). * Back-delegated to generic connector close() and other methods.
2010-03-31 10:50:47 +00:00
from lib.request.direct import direct
Properly moved and improved inject.goStacked() function and newly implemented Time based blind SQL injection now is a single test file within the lib/techniques/ folder. Renamed lib/techniques/inference to lib/techniques/blind, it is more approriate and adapted the rest of the libraries. Updated ChangeLog file.
2008-11-12 23:44:09 +00:00
from lib.techniques.blind.inference import bisection
lots of refactoring regarding removal of already obsolete session file mechanism
2012-06-21 10:09:10 +00:00
from lib.techniques.blind.inference import queryOutputLength
Minor refactoring
2012-04-04 12:42:58 +00:00
from lib.techniques.dns.test import dnsTest
further update of DNS data retrieval mechanism through SQLi
2012-04-02 14:05:30 +00:00
from lib.techniques.dns.use import dnsUse
code refactoring
2010-10-20 09:09:04 +00:00
from lib.techniques.error.use import errorUse
further update of DNS data retrieval mechanism through SQLi
2012-04-02 14:05:30 +00:00
from lib.techniques.union.use import unionUse
Dealing with basesting (one baby step closer to Py3 salvation)
2019-03-28 13:53:54 +01:00
from thirdparty import six
After the storm, a restore..
2008-10-15 15:38:22 +00:00
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods)
2012-12-06 14:14:19 +01:00
def _goDns(payload, expression):
minor refactoring
2012-07-11 11:55:05 +01:00
value = None
Minor refactoring
2016-10-22 21:52:18 +02:00
if conf.dnsDomain and kb.dnsTest is not False and not kb.testMode and Backend.getDbms() is not None:
minor refactoring
2012-07-11 11:55:05 +01:00
if kb.dnsTest is None:
dnsTest(payload)
if kb.dnsTest:
value = dnsUse(payload, expression)
return value
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods)
2012-12-06 14:14:19 +01:00
def _goInference(payload, expression, charsetType=None, firstChar=None, lastChar=None, dump=False, field=None):
Initial implementation of support for stacked queries. Added method to test for Time based blind SQL injection query stacking on the affected parameter a SLEEP() or similar DBMS specific function. Adapted libraries, plugins and XML with the above changes. Minor layout adjustments.
2008-11-12 00:36:50 +00:00
start = time.time()
further update of DNS data retrieval mechanism through SQLi
2012-04-02 14:05:30 +00:00
value = None
count = 0
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods)
2012-12-06 14:14:19 +01:00
value = _goDns(payload, expression)
After the storm, a restore..
2008-10-15 15:38:22 +00:00
Fixes #3100
2018-05-17 23:07:52 +02:00
if payload is None:
return None
Fix for DNS exfiltration of boolean checks
2014-06-27 13:07:34 +02:00
if value is not None:
minor refactoring
2012-07-11 11:55:05 +01:00
return value
update regarding time based data retrieval
2011-01-16 17:52:42 +00:00
Patching silent per-thread issue with technique switching (fixes #3784)
2019-07-01 10:43:05 +02:00
timeBasedCompare = (getTechnique() in (PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED))
After the storm, a restore..
2008-10-15 15:38:22 +00:00
Couple of trivial patches
2019-06-04 13:04:31 +02:00
if timeBasedCompare and conf.threads > 1 and kb.forceThreads is None:
msg = "multi-threading is considered unsafe in "
msg += "time-based data retrieval. Are you sure "
msg += "of your choice (breaking warranty) [y/N] "
kb.forceThreads = readInput(msg, default='N', boolean=True)
minor refactoring
2012-07-11 11:55:05 +01:00
if not (timeBasedCompare and kb.dnsTest):
Removing single-thread limit for time-based SQLi
2019-06-01 16:33:27 +02:00
if (conf.eta or conf.threads > 1) and Backend.getIdentifiedDbms() and not re.search(r"(COUNT|LTRIM)\(", expression, re.I) and not (timeBasedCompare and not kb.forceThreads):
Update for an Issue #342 and #372
2013-01-31 10:01:52 +01:00
If it works, don't touch. I touched
2017-10-31 11:38:09 +01:00
if field and re.search(r"\ASELECT\s+DISTINCT\((.+?)\)\s+FROM", expression, re.I):
Finalizing support for Cubrid
2020-02-03 11:33:19 +01:00
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.MONETDB, DBMS.VERTICA, DBMS.CRATEDB, DBMS.CUBRID):
Adding support for MonetDB
2020-01-17 17:14:41 +01:00
alias = randomStr(lowercase=True, seed=hash(expression))
expression = "SELECT %s FROM (%s)" % (field if '.' not in field else re.sub(r".+\.", "%s." % alias, field), expression) # Note: MonetDB as a prime example
expression += " AS %s" % alias
else:
expression = "SELECT %s FROM (%s)" % (field, expression)
Update for an Issue #342 and #372
2013-01-31 10:01:52 +01:00
Support for Raima Database Manager DBMS
2021-01-11 17:36:23 +01:00
if field and conf.hexConvert or conf.binaryFields and field in conf.binaryFields or Backend.getIdentifiedDbms() in (DBMS.RAIMA,):
restored fix for #210 to keep --hex work with --technique B
2013-01-15 17:51:40 +00:00
nulledCastedField = agent.nullAndCastField(field)
injExpression = expression.replace(field, nulledCastedField, 1)
else:
injExpression = expression
length = queryOutputLength(injExpression, payload)
minor refactoring
2012-07-11 11:55:05 +01:00
else:
length = None
After the storm, a restore..
2008-10-15 15:38:22 +00:00
minor refactoring
2012-07-11 11:55:05 +01:00
kb.inferenceMode = True
count, value = bisection(payload, expression, length, charsetType, firstChar, lastChar, dump)
kb.inferenceMode = False
After the storm, a restore..
2008-10-15 15:38:22 +00:00
minor refactoring
2012-07-11 11:55:05 +01:00
if not kb.bruteMode:
Minor cosmetics
2020-10-27 14:57:12 +01:00
debugMsg = "performed %d quer%s in %.2f seconds" % (count, 'y' if count == 1 else "ies", calculateDeltaSeconds(start))
minor refactoring
2012-07-11 11:55:05 +01:00
logger.debug(debugMsg)
minor improvements regarding data retrieval through DNS channel
2012-04-03 09:18:30 +00:00
return value
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods)
2012-12-06 14:14:19 +01:00
def _goInferenceFields(expression, expressionFields, expressionFieldsList, payload, num=None, charsetType=None, firstChar=None, lastChar=None, dump=False):
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-18 23:02:11 +00:00
outputs = []
origExpr = None
After the storm, a restore..
2008-10-15 15:38:22 +00:00
for field in expressionFieldsList:
output = None
Limited custom query now works also on Oracle in inferential blind SQL injection technique
2008-12-23 23:34:50 +00:00
if field.startswith("ROWNUM "):
continue
Major bug fix to make partial UNION query sql injection work properly also on Microsoft SQL Server
2008-12-22 19:36:01 +00:00
if isinstance(num, int):
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-18 23:02:11 +00:00
origExpr = expression
Patch for an Issue #434
2013-04-15 15:57:28 +02:00
expression = agent.limitQuery(num, expression, field, expressionFieldsList[0])
Major bug fix to make partial UNION query sql injection work properly also on Microsoft SQL Server
2008-12-22 19:36:01 +00:00
Limited custom query now works also on Oracle in inferential blind SQL injection technique
2008-12-23 23:34:50 +00:00
if "ROWNUM" in expressionFieldsList:
expressionReplaced = expression
Major bug fixes
2009-01-22 22:28:27 +00:00
else:
expressionReplaced = expression.replace(expressionFields, field, 1)
Limited custom query now works also on Oracle in inferential blind SQL injection technique
2008-12-23 23:34:50 +00:00
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods)
2012-12-06 14:14:19 +01:00
output = _goInference(payload, expressionReplaced, charsetType, firstChar, lastChar, dump, field)
After the storm, a restore..
2008-10-15 15:38:22 +00:00
Major bug fix to make partial UNION query sql injection work properly also on Microsoft SQL Server
2008-12-22 19:36:01 +00:00
if isinstance(num, int):
expression = origExpr
After the storm, a restore..
2008-10-15 15:38:22 +00:00
outputs.append(output)
return outputs
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods)
2012-12-06 14:14:19 +01:00
def _goInferenceProxy(expression, fromUser=False, batch=False, unpack=True, charsetType=None, firstChar=None, lastChar=None, dump=False):
After the storm, a restore..
2008-10-15 15:38:22 +00:00
"""
Retrieve the output of a SQL query characted by character taking
advantage of an blind SQL injection vulnerability on the affected
parameter through a bisection algorithm.
"""
Minor code adjustments
2010-10-25 14:11:47 +00:00
Patching silent per-thread issue with technique switching (fixes #3784)
2019-07-01 10:43:05 +02:00
initTechnique(getTechnique())
code refactoring and some fixes
2010-12-18 09:51:34 +00:00
Minor refactoring
2019-07-18 11:27:00 +02:00
query = agent.prefixQuery(getTechniqueData().vector)
Minor enhancement to speedup active dbms fingerprint (-f). Code cleanup and refactoring.
2010-12-13 21:33:42 +00:00
query = agent.suffixQuery(query)
payload = agent.payload(newValue=query)
count = None
startLimit = 0
stopLimit = None
hello big tables, this is sqlmap, sqlmap this is big tables
2011-07-24 09:19:33 +00:00
outputs = BigArray()
After the storm, a restore..
2008-10-15 15:38:22 +00:00
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 02:02:12 +00:00
if not unpack:
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods)
2012-12-06 14:14:19 +01:00
return _goInference(payload, expression, charsetType, firstChar, lastChar, dump)
Updated to sqlmap 0.7 release candidate 1
2009-04-22 11:48:07 +00:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-19 23:06:15 +00:00
_, _, _, _, _, expressionFieldsList, expressionFields, _ = agent.getFields(expression)
After the storm, a restore..
2008-10-15 15:38:22 +00:00
If it works, don't touch. I touched
2017-10-31 11:38:09 +01:00
rdbRegExp = re.search(r"RDB\$GET_CONTEXT\([^)]+\)", expression, re.I)
More code refactoring of Backend class methods used
2011-04-30 14:54:29 +00:00
if rdbRegExp and Backend.isDbms(DBMS.FIREBIRD):
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-19 23:06:15 +00:00
expressionFieldsList = [expressionFields]
After the storm, a restore..
2008-10-15 15:38:22 +00:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-19 23:06:15 +00:00
if len(expressionFieldsList) > 1:
minor cosmetics
2012-04-04 23:34:08 +00:00
infoMsg = "the SQL query provided has more than one field. "
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-19 23:06:15 +00:00
infoMsg += "sqlmap will now unpack it into distinct queries "
infoMsg += "to be able to retrieve the output even if we "
infoMsg += "are going blind"
logger.info(infoMsg)
After the storm, a restore..
2008-10-15 15:38:22 +00:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-19 23:06:15 +00:00
# If we have been here from SQL query/shell we have to check if
# the SQL query might return multiple entries and in such case
removed duplicate code - fixes issue #310
2012-12-19 12:17:56 +00:00
# forge the SQL limiting the query output one entry at a time
# NOTE: we assume that only queries that get data from a table
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-19 23:06:15 +00:00
# can return multiple entries
Fixes #4579
2021-02-14 14:47:28 +01:00
if fromUser and " FROM " in expression.upper() and ((Backend.getIdentifiedDbms() not in FROM_DUMMY_TABLE) or (Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE and not expression.upper().endswith(FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]))) and not re.search(SQL_SCALAR_REGEX, expression, re.I) and hasattr(queries[Backend.getIdentifiedDbms()].limitregexp, "query"):
removed duplicate code - fixes issue #310
2012-12-19 12:17:56 +00:00
expression, limitCond, topLimit, startLimit, stopLimit = agent.limitCondition(expression)
Refactoring
2011-02-01 22:27:36 +00:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-19 23:06:15 +00:00
if limitCond:
Fix for an Issue #209
2012-10-20 13:17:45 +02:00
test = True
removed duplicate code - fixes issue #310
2012-12-19 12:17:56 +00:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-19 23:06:15 +00:00
if not stopLimit or stopLimit <= 1:
minor fix
2012-02-07 14:57:48 +00:00
if Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE and expression.upper().endswith(FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]):
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-19 23:06:15 +00:00
test = False
if test:
# Count the number of SQL query entries output
refactoring (class names should always be Capital cased)
2011-01-28 16:36:09 +00:00
countFirstField = queries[Backend.getIdentifiedDbms()].count.query % expressionFieldsList[0]
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-19 23:06:15 +00:00
countedExpression = expression.replace(expressionFields, countFirstField, 1)
Fixes #1474
2015-10-19 10:38:38 +02:00
if " ORDER BY " in countedExpression.upper():
removed duplicate code - fixes issue #310
2012-12-19 12:17:56 +00:00
_ = countedExpression.upper().rindex(" ORDER BY ")
countedExpression = countedExpression[:_]
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-19 23:06:15 +00:00
if not stopLimit:
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods)
2012-12-06 14:14:19 +01:00
count = _goInference(payload, countedExpression, charsetType=CHARSET_TYPE.DIGITS, firstChar=firstChar, lastChar=lastChar)
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-19 23:06:15 +00:00
if isNumPosStrValue(count):
count = int(count)
minor improvement
2013-11-19 00:24:47 +00:00
if batch or count == 1:
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-19 23:06:15 +00:00
stopLimit = count
else:
message = "the SQL query provided can return "
message += "%d entries. How many " % count
message += "entries do you want to retrieve?\n"
message += "[a] All (default)\n[#] Specific number\n"
message += "[q] Quit"
Minor cleanup and one bug fix
2017-04-19 14:46:27 +02:00
choice = readInput(message, default='A').upper()
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-19 23:06:15 +00:00
Some code refactoring
2017-04-18 15:48:05 +02:00
if choice == 'A':
After the storm, a restore..
2008-10-15 15:38:22 +00:00
stopLimit = count
Some code refactoring
2017-04-18 15:48:05 +02:00
elif choice == 'Q':
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods)
2012-12-06 14:14:19 +01:00
raise SqlmapUserQuitException
After the storm, a restore..
2008-10-15 15:38:22 +00:00
Fixes #3948
2019-10-07 14:20:18 +02:00
elif isDigit(choice) and int(choice) > 0 and int(choice) <= count:
Some code refactoring
2017-04-18 15:48:05 +02:00
stopLimit = int(choice)
After the storm, a restore..
2008-10-15 15:38:22 +00:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-19 23:06:15 +00:00
infoMsg = "sqlmap is now going to retrieve the "
infoMsg += "first %d query output entries" % stopLimit
logger.info(infoMsg)
After the storm, a restore..
2008-10-15 15:38:22 +00:00
Some code refactoring
2017-04-18 15:48:05 +02:00
elif choice in ('#', 'S'):
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-19 23:06:15 +00:00
message = "how many? "
stopLimit = readInput(message, default="10")
After the storm, a restore..
2008-10-15 15:38:22 +00:00
Fixes #3948
2019-10-07 14:20:18 +02:00
if not isDigit(stopLimit):
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-18 23:02:11 +00:00
errMsg = "invalid choice"
Updated to sqlmap 0.7 release candidate 1
2009-04-22 11:48:07 +00:00
logger.error(errMsg)
return None
After the storm, a restore..
2008-10-15 15:38:22 +00:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-19 23:06:15 +00:00
else:
stopLimit = int(stopLimit)
else:
errMsg = "invalid choice"
logger.error(errMsg)
Minor adjustments and bug fixes
2008-12-17 20:11:18 +00:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-19 23:06:15 +00:00
return None
Minor adjustments and bug fixes
2008-12-17 20:11:18 +00:00
Fixes #3948
2019-10-07 14:20:18 +02:00
elif count and not isDigit(count):
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-19 23:06:15 +00:00
warnMsg = "it was not possible to count the number "
warnMsg += "of entries for the SQL query provided. "
warnMsg += "sqlmap will assume that it returns only "
warnMsg += "one entry"
Fixing DeprecationWarning (logger.warn)
2022-06-22 12:04:34 +02:00
logger.warning(warnMsg)
After the storm, a restore..
2008-10-15 15:38:22 +00:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-19 23:06:15 +00:00
stopLimit = 1
After the storm, a restore..
2008-10-15 15:38:22 +00:00
Fixes #5521
2023-09-07 11:03:01 +02:00
elif not isNumPosStrValue(count):
more concise language
2012-01-07 17:45:45 +00:00
if not count:
warnMsg = "the SQL query provided does not "
warnMsg += "return any output"
Fixing DeprecationWarning (logger.warn)
2022-06-22 12:04:34 +02:00
logger.warning(warnMsg)
After the storm, a restore..
2008-10-15 15:38:22 +00:00
return None
gazillion changes, nothing will work, muhahaha
2012-02-17 14:22:48 +00:00
elif (not stopLimit or stopLimit == 0):
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-19 23:06:15 +00:00
return None
After the storm, a restore..
2008-10-15 15:38:22 +00:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-19 23:06:15 +00:00
try:
Fixes #1462
2015-10-11 15:20:10 +02:00
try:
Fixes #4423
2020-11-16 10:28:53 +01:00
for num in xrange(startLimit or 0, stopLimit or 0):
Fixes #1462
2015-10-11 15:20:10 +02:00
output = _goInferenceFields(expression, expressionFields, expressionFieldsList, payload, num=num, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar, dump=dump)
outputs.append(output)
except OverflowError:
errMsg = "boundary limits (%d,%d) are too large. Please rerun " % (startLimit, stopLimit)
errMsg += "with switch '--fresh-queries'"
raise SqlmapDataException(errMsg)
After the storm, a restore..
2008-10-15 15:38:22 +00:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-19 23:06:15 +00:00
except KeyboardInterrupt:
Baby steps
2019-01-22 01:28:24 +01:00
print()
cosmeticados ;)
2011-04-08 10:39:07 +00:00
warnMsg = "user aborted during dumping phase"
Fixing DeprecationWarning (logger.warn)
2022-06-22 12:04:34 +02:00
logger.warning(warnMsg)
After the storm, a restore..
2008-10-15 15:38:22 +00:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-19 23:06:15 +00:00
return outputs
just a makeup
2012-02-07 12:05:23 +00:00
elif Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE and expression.upper().startswith("SELECT ") and " FROM " not in expression.upper():
expression += FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-19 23:06:15 +00:00
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods)
2012-12-06 14:14:19 +01:00
outputs = _goInferenceFields(expression, expressionFields, expressionFieldsList, payload, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar, dump=dump)
After the storm, a restore..
2008-10-15 15:38:22 +00:00
Fixes #1943
2016-06-13 15:30:38 +02:00
return ", ".join(output or "" for output in outputs) if not isNoneValue(outputs) else None
After the storm, a restore..
2008-10-15 15:38:22 +00:00
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods)
2012-12-06 14:14:19 +01:00
def _goBooleanProxy(expression):
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-18 23:02:11 +00:00
"""
Retrieve the output of a boolean based SQL query
"""
Patching silent per-thread issue with technique switching (fixes #3784)
2019-07-01 10:43:05 +02:00
initTechnique(getTechnique())
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-18 23:02:11 +00:00
Minor refactoring
2016-10-22 21:52:18 +02:00
if conf.dnsDomain:
Minor refactoring
2019-07-18 11:27:00 +02:00
query = agent.prefixQuery(getTechniqueData().vector)
Minor bug fix
2014-07-19 23:17:23 +02:00
query = agent.suffixQuery(query)
payload = agent.payload(newValue=query)
output = _goDns(payload, expression)
if output is not None:
return output
Fix for DNS exfiltration of boolean checks
2014-06-27 13:07:34 +02:00
Minor refactoring
2019-07-18 11:27:00 +02:00
vector = getTechniqueData().vector
Some more trivial refactoring
2017-10-31 11:05:25 +01:00
vector = vector.replace(INFERENCE_MARKER, expression)
Another patch for DNS exfiltration and boolean checks
2014-06-27 14:22:00 +02:00
query = agent.prefixQuery(vector)
query = agent.suffixQuery(query)
payload = agent.payload(newValue=query)
Patching silent per-thread issue with technique switching (fixes #3784)
2019-07-01 10:43:05 +02:00
timeBasedCompare = getTechnique() in (PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED)
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-18 23:02:11 +00:00
I think we should not resume checkBooleanExpression() calls if --fresh-queries or --flush-session is provided
2012-07-12 01:39:15 +01:00
output = hashDBRetrieve(expression, checkConf=True)
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-18 23:02:11 +00:00
minor patch
2012-05-09 08:41:05 +00:00
if output is None:
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-18 23:02:11 +00:00
output = Request.queryPage(payload, timeBasedCompare=timeBasedCompare, raise404=False)
minor patch
2012-05-09 08:41:05 +00:00
if output is not None:
hashDBWrite(expression, output)
gazillion changes, nothing will work, muhahaha
2012-02-17 14:22:48 +00:00
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-18 23:02:11 +00:00
return output
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods)
2012-12-06 14:14:19 +01:00
def _goUnion(expression, unpack=True, dump=False):
After the storm, a restore..
2008-10-15 15:38:22 +00:00
"""
Massive renaming (proper naming is inband = union & error techniques! - query naming stays as they are/in code things like forgeInbandQuery are renamed to forgeUnionQuery)
2012-10-28 00:36:09 +02:00
Retrieve the output of a SQL query taking advantage of an union SQL
After the storm, a restore..
2008-10-15 15:38:22 +00:00
injection vulnerability on the affected parameter.
"""
gazillion changes, nothing will work, muhahaha
2012-02-17 14:22:48 +00:00
output = unionUse(expression, unpack=unpack, dump=dump)
cleanup for issue #68
2012-07-12 15:38:43 +01:00
Dealing with basesting (one baby step closer to Py3 salvation)
2019-03-28 13:53:54 +01:00
if isinstance(output, six.string_types):
few just in case fixes (unarrayizeValue in dumpTable entries) and and some refactoring (unique is now not done for every union case but only if detected that there are duplicates in union test)
2012-06-15 20:41:53 +00:00
output = parseUnionPage(output)
After the storm, a restore..
2008-10-15 15:38:22 +00:00
gazillion changes, nothing will work, muhahaha
2012-02-17 14:22:48 +00:00
return output
After the storm, a restore..
2008-10-15 15:38:22 +00:00
Fixing mess with --common-files --threads>1 (threads in threads - '.shared.' hell)
2019-07-18 14:59:42 +02:00
@lockedmethod
Potential patch for Issues like #3013 and #3017
2018-04-01 12:45:47 +02:00
@stackedmethod
Massive renaming (proper naming is inband = union & error techniques! - query naming stays as they are/in code things like forgeInbandQuery are renamed to forgeUnionQuery)
2012-10-28 00:36:09 +02:00
def getValue(expression, blind=True, union=True, error=True, time=True, fromUser=False, expected=None, batch=False, unpack=True, resumeValue=True, charsetType=None, firstChar=None, lastChar=None, dump=False, suppressOutput=None, expectingNone=False, safeCharEncode=True):
After the storm, a restore..
2008-10-15 15:38:22 +00:00
"""
Called each time sqlmap inject a SQL query on the SQL injection
Massive renaming (proper naming is inband = union & error techniques! - query naming stays as they are/in code things like forgeInbandQuery are renamed to forgeUnionQuery)
2012-10-28 00:36:09 +02:00
affected parameter.
After the storm, a restore..
2008-10-15 15:38:22 +00:00
"""
Minor fix
2012-10-28 00:19:00 +02:00
Fixes #3503
2019-02-28 01:05:23 +01:00
if conf.hexConvert and expected != EXPECTED.BOOL and Backend.getIdentifiedDbms():
Couple of patches related to the #3473
2019-02-07 16:45:16 +01:00
if not hasattr(queries[Backend.getIdentifiedDbms()], "hex"):
warnMsg = "switch '--hex' is currently not supported on DBMS %s" % Backend.getIdentifiedDbms()
singleTimeWarnMessage(warnMsg)
conf.hexConvert = False
else:
charsetType = CHARSET_TYPE.HEXADECIMAL
Bug fix for --hex/--technique=B (especially MsSQL)
2012-10-28 12:22:33 +01:00
update (smaller memory footprint in postprocessing phase because of safecharencode part)
2011-07-25 20:40:31 +00:00
kb.safeCharEncode = safeCharEncode
gazillion changes, nothing will work, muhahaha
2012-02-17 14:22:48 +00:00
kb.resumeValues = resumeValue
update (smaller memory footprint in postprocessing phase because of safecharencode part)
2011-07-25 20:40:31 +00:00
Minor update
2017-07-05 12:35:48 +02:00
for keyword in GET_VALUE_UPPERCASE_KEYWORDS:
If it works, don't touch. I touched
2017-10-31 11:38:09 +01:00
expression = re.sub(r"(?i)(\A|\(|\)|\s)%s(\Z|\(|\)|\s)" % keyword, r"\g<1>%s\g<2>" % keyword, expression)
Patch for an Issue reported privately via email
2017-07-05 12:15:14 +02:00
minor fix
2011-02-20 12:20:44 +00:00
if suppressOutput is not None:
pushValue(getCurrentThreadData().disableStdOut)
getCurrentThreadData().disableStdOut = suppressOutput
first successfull run of error based sqlmap in history :). tested --banner, --current-user, --current-db on 4 major DBMSes. still hidden from users (turn on flag error in getValue() in inject.py)
2010-10-19 12:02:04 +00:00
update
2010-12-08 22:38:26 +00:00
try:
expandAsteriskForColumns changes value of conf.db and conf.tbl potentially causing problems in further work
2014-08-26 22:57:08 +02:00
pushValue(conf.db)
pushValue(conf.tbl)
Fixed annoying bug that prevented proper checkBooleanExpression() function to work with direct connection (-d). Now DBMS fingerprint should work properly with -d
2012-02-14 17:29:00 +00:00
if expected == EXPECTED.BOOL:
forgeCaseExpression = booleanExpression = expression
Patch for an Issue reported privately via email
2017-07-05 12:15:14 +02:00
if expression.startswith("SELECT "):
fix for #349 (compatible with all others DBMSes too)
2013-01-17 21:03:03 +00:00
booleanExpression = "(%s)=%s" % (booleanExpression, "'1'" if "'1'" in booleanExpression else "1")
Fixed annoying bug that prevented proper checkBooleanExpression() function to work with direct connection (-d). Now DBMS fingerprint should work properly with -d
2012-02-14 17:29:00 +00:00
else:
forgeCaseExpression = agent.forgeCaseStatement(expression)
update
2010-12-08 22:38:26 +00:00
if conf.direct:
cleanup for issue #68
2012-07-12 15:38:43 +01:00
value = direct(forgeCaseExpression if expected == EXPECTED.BOOL else expression)
minor cosmetics
2010-12-15 12:15:43 +00:00
Some refactoring
2016-12-19 23:47:39 +01:00
elif any(isTechniqueAvailable(_) for _ in getPublicTypeMembers(PAYLOAD.TECHNIQUE, onlyValues=True)):
fix
2010-12-10 15:06:53 +00:00
query = cleanQuery(expression)
query = expandAsteriskForColumns(query)
cosmetics
2010-12-10 15:24:25 +00:00
value = None
found = False
cleanup for issue #68
2012-07-12 15:38:43 +01:00
count = 0
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-18 23:02:11 +00:00
Minor refactoring
2012-11-29 12:21:12 +01:00
if query and not re.search(r"COUNT.*FROM.*\(.*DISTINCT", query, re.I):
resume of brute forced data is now available
2010-12-27 14:17:20 +00:00
query = query.replace("DISTINCT ", "")
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-18 23:02:11 +00:00
Implementation of an Issue #131
2012-07-30 21:50:46 +02:00
if not conf.forceDns:
Massive renaming (proper naming is inband = union & error techniques! - query naming stays as they are/in code things like forgeInbandQuery are renamed to forgeUnionQuery)
2012-10-28 00:36:09 +02:00
if union and isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION):
Patching silent per-thread issue with technique switching (fixes #3784)
2019-07-01 10:43:05 +02:00
setTechnique(PAYLOAD.TECHNIQUE.UNION)
Fix for an Issue #794
2014-08-22 15:08:05 +02:00
kb.forcePartialUnion = kb.injection.data[PAYLOAD.TECHNIQUE.UNION].vector[8]
Falling back to partial UNION if large dump connects out
2014-10-21 09:23:34 +02:00
fallback = not expected and kb.injection.data[PAYLOAD.TECHNIQUE.UNION].where == PAYLOAD.WHERE.ORIGINAL and not kb.forcePartialUnion
Patch for couple of bugs found during bed-testing
2020-02-07 14:02:45 +01:00
if expected == EXPECTED.BOOL:
# Note: some DBMSes (e.g. Altibase) don't support implicit conversion of boolean check result during concatenation with prefix and suffix (e.g. 'qjjvq'||(1=1)||'qbbbq')
if not any(_ in forgeCaseExpression for _ in ("SELECT", "CASE")):
forgeCaseExpression = "(CASE WHEN (%s) THEN '1' ELSE '0' END)" % forgeCaseExpression
Falling back to partial UNION if large dump connects out
2014-10-21 09:23:34 +02:00
try:
value = _goUnion(forgeCaseExpression if expected == EXPECTED.BOOL else query, unpack, dump)
except SqlmapConnectionException:
if not fallback:
raise
Implementation of an Issue #131
2012-07-30 21:50:46 +02:00
count += 1
found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
Falling back to partial UNION if large dump connects out
2014-10-21 09:23:34 +02:00
if not found and fallback:
Implementation for an Issue #496
2013-07-31 21:15:03 +02:00
warnMsg = "something went wrong with full UNION "
Language update
2014-08-20 23:47:57 +02:00
warnMsg += "technique (could be because of "
Fix for falling back to partial union (excluding scalar queries)
2014-08-20 23:53:15 +02:00
warnMsg += "limitation on retrieved number of entries)"
if " FROM " in query.upper():
warnMsg += ". Falling back to partial UNION technique"
singleTimeWarnMessage(warnMsg)
Fixes #1305
2015-07-18 17:01:34 +02:00
try:
pushValue(kb.forcePartialUnion)
kb.forcePartialUnion = True
value = _goUnion(query, unpack, dump)
found = (value is not None) or (value is None and expectingNone)
finally:
kb.forcePartialUnion = popValue()
Fix for falling back to partial union (excluding scalar queries)
2014-08-20 23:53:15 +02:00
else:
singleTimeWarnMessage(warnMsg)
Implementation for an Issue #496
2013-07-31 21:15:03 +02:00
Update for an Issue #278
2012-12-05 10:45:17 +01:00
if error and any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) and not found:
Patching silent per-thread issue with technique switching (fixes #3784)
2019-07-01 10:43:05 +02:00
setTechnique(PAYLOAD.TECHNIQUE.ERROR if isTechniqueAvailable(PAYLOAD.TECHNIQUE.ERROR) else PAYLOAD.TECHNIQUE.QUERY)
Implementation of an Issue #131
2012-07-30 21:50:46 +02:00
value = errorUse(forgeCaseExpression if expected == EXPECTED.BOOL else query, dump)
count += 1
found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
Minor refactoring
2016-10-22 21:52:18 +02:00
if found and conf.dnsDomain:
Minor refactoring (drei stuff)
2019-03-29 02:28:16 +01:00
_ = "".join(filterNone(key if isTechniqueAvailable(value) else None for key, value in {'E': PAYLOAD.TECHNIQUE.ERROR, 'Q': PAYLOAD.TECHNIQUE.QUERY, 'U': PAYLOAD.TECHNIQUE.UNION}.items()))
Implementation of an Issue #131
2012-07-30 21:50:46 +02:00
warnMsg = "option '--dns-domain' will be ignored "
warnMsg += "as faster techniques are usable "
warnMsg += "(%s) " % _
singleTimeWarnMessage(warnMsg)
Adding a warn message when --dns-domain is ignored (because of faster techniques)
2012-07-27 09:48:48 +02:00
quick fix of a fix
2010-12-15 12:10:33 +00:00
if blind and isTechniqueAvailable(PAYLOAD.TECHNIQUE.BOOLEAN) and not found:
Patching silent per-thread issue with technique switching (fixes #3784)
2019-07-01 10:43:05 +02:00
setTechnique(PAYLOAD.TECHNIQUE.BOOLEAN)
Minor enhancement to speedup active dbms fingerprint (-f). Code cleanup and refactoring.
2010-12-13 21:33:42 +00:00
minor refactoring
2010-12-10 12:30:36 +00:00
if expected == EXPECTED.BOOL:
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods)
2012-12-06 14:14:19 +01:00
value = _goBooleanProxy(booleanExpression)
update regarding boolean based expressions
2010-12-09 21:15:18 +00:00
else:
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods)
2012-12-06 14:14:19 +01:00
value = _goInferenceProxy(query, fromUser, batch, unpack, charsetType, firstChar, lastChar, dump)
Minor enhancement to speedup active dbms fingerprint (-f). Code cleanup and refactoring.
2010-12-13 21:33:42 +00:00
minor tuning (2 techniques MAX per value used)
2010-12-21 15:24:14 +00:00
count += 1
minor bug fix
2010-12-31 12:04:39 +00:00
found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
now resume is available for time-based blinds too
2010-12-08 12:49:26 +00:00
quick fix of a fix
2010-12-15 12:10:33 +00:00
if time and (isTechniqueAvailable(PAYLOAD.TECHNIQUE.TIME) or isTechniqueAvailable(PAYLOAD.TECHNIQUE.STACKED)) and not found:
Fix of a pesky often 'statistical model' retrieval
2018-06-29 23:57:20 +02:00
match = re.search(r"\bFROM\b ([^ ]+).+ORDER BY ([^ ]+)", expression)
kb.responseTimeMode = "%s|%s" % (match.group(1), match.group(2)) if match else None
Another (better) patch for #1636
2016-01-09 17:32:19 +01:00
quick fix of a fix
2010-12-15 12:10:33 +00:00
if isTechniqueAvailable(PAYLOAD.TECHNIQUE.TIME):
Patching silent per-thread issue with technique switching (fixes #3784)
2019-07-01 10:43:05 +02:00
setTechnique(PAYLOAD.TECHNIQUE.TIME)
quick fix of a fix
2010-12-15 12:10:33 +00:00
else:
Patching silent per-thread issue with technique switching (fixes #3784)
2019-07-01 10:43:05 +02:00
setTechnique(PAYLOAD.TECHNIQUE.STACKED)
sqlmap premiere of blind time based query/bisection
2010-12-08 12:28:54 +00:00
fix
2010-12-10 16:03:32 +00:00
if expected == EXPECTED.BOOL:
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods)
2012-12-06 14:14:19 +01:00
value = _goBooleanProxy(booleanExpression)
fix
2010-12-10 16:03:32 +00:00
else:
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods)
2012-12-06 14:14:19 +01:00
value = _goInferenceProxy(query, fromUser, batch, unpack, charsetType, firstChar, lastChar, dump)
update
2010-12-08 22:38:26 +00:00
else:
errMsg = "none of the injection types identified can be "
errMsg += "leveraged to retrieve queries output"
Replacing old and deprecated raise Exception style (PEP8)
2013-01-03 23:20:55 +01:00
raise SqlmapNotVulnerableException(errMsg)
minor cosmetics
2010-12-15 12:34:14 +00:00
update
2010-12-08 22:38:26 +00:00
finally:
gazillion changes, nothing will work, muhahaha
2012-02-17 14:22:48 +00:00
kb.resumeValues = True
Another (better) patch for #1636
2016-01-09 17:32:19 +01:00
kb.responseTimeMode = None
cleanup for issue #68
2012-07-12 15:38:43 +01:00
expandAsteriskForColumns changes value of conf.db and conf.tbl potentially causing problems in further work
2014-08-26 22:57:08 +02:00
conf.tbl = popValue()
conf.db = popValue()
Bug fix
2014-08-28 12:50:39 +02:00
if suppressOutput is not None:
getCurrentThreadData().disableStdOut = popValue()
update (smaller memory footprint in postprocessing phase because of safecharencode part)
2011-07-25 20:40:31 +00:00
kb.safeCharEncode = False
added support for handling binary data values (no more garbish chars)
2011-04-09 23:13:16 +00:00
Minor update
2020-03-26 14:58:58 +01:00
if not any((kb.testMode, conf.dummy, conf.offline, conf.noCast, conf.hexConvert)) and value is None and Backend.getDbms() and conf.dbmsHandler and kb.fingerprinted:
Implements #5295
2023-01-23 16:40:41 +01:00
if conf.abortOnEmpty:
errMsg = "aborting due to empty data retrieval"
logger.critical(errMsg)
raise SystemExit
else:
warnMsg = "in case of continuous data retrieval problems you are advised to try "
warnMsg += "a switch '--no-cast' "
warnMsg += "or switch '--hex'" if hasattr(queries[Backend.getIdentifiedDbms()], "hex") else ""
singleTimeWarnMessage(warnMsg)
minor update
2012-03-08 15:43:22 +00:00
Patch for #4419
2020-11-05 10:59:36 +01:00
# Dirty patch (MSSQL --binary-fields with 0x31003200...)
if Backend.isDbms(DBMS.MSSQL) and conf.binaryFields:
def _(value):
if isinstance(value, six.text_type):
if value.startswith(u"0x"):
value = value[2:]
if value and len(value) % 4 == 0:
candidate = ""
for i in xrange(len(value)):
if i % 4 < 2:
candidate += value[i]
elif value[i] != '0':
candidate = None
break
if candidate:
value = candidate
return value
value = applyFunctionRecursively(value, _)
Dirty patch for safe-encoded unicode characters
2017-12-27 12:23:35 +01:00
# Dirty patch (safe-encoded unicode characters)
Some more DREI stuff
2019-04-19 11:24:34 +02:00
if isinstance(value, six.text_type) and "\\x" in value:
Dirty patch for safe-encoded unicode characters
2017-12-27 12:23:35 +01:00
try:
Minor patch related to the #2856
2017-12-30 16:35:45 +01:00
candidate = eval(repr(value).replace("\\\\x", "\\x").replace("u'", "'", 1)).decode(conf.encoding or UNICODE_ENCODING)
Dirty patch for safe-encoded unicode characters
2017-12-27 12:23:35 +01:00
if "\\x" not in candidate:
value = candidate
except:
pass
gazillion changes, nothing will work, muhahaha
2012-02-17 14:22:48 +00:00
return extractExpectedValue(value, expected)
Initial implementation of support for stacked queries. Added method to test for Time based blind SQL injection query stacking on the affected parameter a SLEEP() or similar DBMS specific function. Adapted libraries, plugins and XML with the above changes. Minor layout adjustments.
2008-11-12 00:36:50 +00:00
Updated to sqlmap 0.7 release candidate 1
2009-04-22 11:48:07 +00:00
def goStacked(expression, silent=False):
Minor update regarding 093a93938c47aea0c151705f3828c231d4103011 (for goStacked to work properly with stacked conditional payloads - e.g. proper suffix/prefix)
2013-02-12 17:35:14 +01:00
if PAYLOAD.TECHNIQUE.STACKED in kb.injection.data:
Patching silent per-thread issue with technique switching (fixes #3784)
2019-07-01 10:43:05 +02:00
setTechnique(PAYLOAD.TECHNIQUE.STACKED)
Minor update regarding 093a93938c47aea0c151705f3828c231d4103011 (for goStacked to work properly with stacked conditional payloads - e.g. proper suffix/prefix)
2013-02-12 17:35:14 +01:00
else:
for technique in getPublicTypeMembers(PAYLOAD.TECHNIQUE, True):
_ = getTechniqueData(technique)
if _ and "stacked" in _["title"].lower():
Patching silent per-thread issue with technique switching (fixes #3784)
2019-07-01 10:43:05 +02:00
setTechnique(technique)
Minor update regarding 093a93938c47aea0c151705f3828c231d4103011 (for goStacked to work properly with stacked conditional payloads - e.g. proper suffix/prefix)
2013-02-12 17:35:14 +01:00
break
Ahead with the improvements to the comparison algorithm. Added support internally to forge CASE statements, used only by --is-dba query at the moment. Allow DDL, DML (INSERT, UPDATE, etc.) from user in SQL query and SQL shell. Minor code adjustments.
2008-12-19 20:09:46 +00:00
expression = cleanQuery(expression)
Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments.
2010-03-26 23:23:25 +00:00
if conf.direct:
Minor adjustments Cosmetics
2011-01-31 21:22:39 +00:00
return direct(expression)
Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments.
2010-03-26 23:23:25 +00:00
added skeleton code for issue #34, still not usable
2012-07-02 00:22:34 +01:00
query = agent.prefixQuery(";%s" % expression)
Cleaning/refactoring of bunch of stacked/suffix/comment stuff (e.g.
2012-09-26 11:27:43 +02:00
query = agent.suffixQuery(query)
Added support to test for stacked queries support and improved check for time based blind sql injection. Minor bug fix in --save option
2008-12-16 21:30:24 +00:00
payload = agent.payload(newValue=query)
Minor update
2015-02-16 11:48:53 +01:00
Request.queryPage(payload, content=False, silent=silent, noteResponseTime=False, timeBasedCompare="SELECT" in (payload or "").upper())
OR based inference works for the first time in history and fingerprint of 4 major DBMSes is now injection based (instead of AND)
2010-12-06 18:20:57 +00:00
just in case as maybe there will be some boolean expression to check where we won't expect None, but explicitly True/False
2010-12-14 09:05:00 +00:00
def checkBooleanExpression(expression, expectingNone=True):
Fix for an Issue #202
2012-10-15 12:24:30 +02:00
return getValue(expression, expected=EXPECTED.BOOL, charsetType=CHARSET_TYPE.BINARY, suppressOutput=True, expectingNone=expectingNone)
Reference in New Issue Copy Permalink