PenTest/sqlmap
1
0
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-12-06 20:51:31 +00:00
Code Issues Projects Releases Wiki Activity

some bug fixes

Browse Source
This commit is contained in:
Miroslav Stampar
2010-10-13 20:54:18 +00:00
parent 1b3b916587
commit 43a3ac2c3a
5 changed files with 112 additions and 102 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
lib/parse/cmdline.py
View File

@@ -526,7 +526,13 @@ def cmdLineParser():
parser.add_option_group(windows)
parser.add_option_group(miscellaneous)
(args, _) = parser.parse_args([utf8decode(arg) for arg in sys.argv])
args = []
for arg in sys.argv:
try:
args.append(utf8decode(arg))
except:
args.append(unicode(arg, sys.getfilesystemencoding()))
(args, _) = parser.parse_args(args)
if not args.direct and not args.url and not args.list and not args.googleDork and not args.configFile\
and not args.requestFile and not args.updateAll and not args.smokeTest and not args.liveTest:

200
lib/utils/resume.py
View File

@@ -103,104 +103,108 @@ def resume(expression, payload):
This function can be called to resume part or entire output of a
SQL injection query output.
"""
if "sqlmapfile" in expression or "sqlmapoutput" in expression:
return None
condition = (
kb.resumedQueries and conf.url in kb.resumedQueries.keys()
and expression in kb.resumedQueries[conf.url].keys()
)
if not condition:
return None
resumedValue = kb.resumedQueries[conf.url][expression]
if not resumedValue:
return None
resumedValue = resumedValue.replace("__NEWLINE__", "\n").replace("__TAB__", "\t")
if resumedValue[-1] == "]":
resumedValue = resumedValue[:-1]
infoMsg = "read from file '%s': " % conf.sessionFile
logValue = re.findall("__START__(.*?)__STOP__", resumedValue, re.S)
if logValue:
logValue = ", ".join([value.replace("__DEL__", ", ") for value in logValue])
else:
logValue = resumedValue
if "\n" in logValue:
infoMsg += "%s..." % logValue.split("\n")[0]
else:
infoMsg += logValue
logger.info(infoMsg)
return resumedValue
# If we called this function without providing a payload it means that
# we have called it from lib/request/inject __goInband() function
# in UNION query (inband) SQL injection so we return to the calling
# function so that the query output will be retrieved taking advantage
# of the inband SQL injection vulnerability.
if not payload:
return None
if not kb.dbms:
return None
substringQuery = queries[kb.dbms].substring
select = re.search("\ASELECT ", expression, re.I)
_, length, regExpr = queryOutputLength(expression, payload)
if not length:
return None
if len(resumedValue) == int(length):
infoMsg = "read from file '%s': " % conf.sessionFile
infoMsg += "%s" % resumedValue.split("\n")[0]
logger.info(infoMsg)
dataToSessionFile("[%s][%s][%s][%s][%s]\n" % (conf.url, kb.injPlace, conf.parameters[kb.injPlace], expression, replaceNewlineTabs(resumedValue)))
return resumedValue
elif len(resumedValue) < int(length):
infoMsg = "resumed from file '%s': " % conf.sessionFile
infoMsg += "%s..." % resumedValue.split("\n")[0]
logger.info(infoMsg)
dataToSessionFile("[%s][%s][%s][%s][%s" % (conf.url, kb.injPlace, conf.parameters[kb.injPlace], expression, replaceNewlineTabs(resumedValue)))
if select:
newExpr = expression.replace(regExpr, safeStringFormat(substringQuery, (regExpr, len(resumedValue) + 1, int(length))), 1)
else:
newExpr = safeStringFormat(substringQuery, (expression, len(resumedValue) + 1, int(length)))
missingCharsLength = int(length) - len(resumedValue)
infoMsg = "retrieving pending %d query " % missingCharsLength
infoMsg += "output characters"
logger.info(infoMsg)
start = time.time()
count, finalValue = bisection(payload, newExpr, length=missingCharsLength)
debugMsg = "performed %d queries in %d seconds" % (count, calculateDeltaSeconds(start))
logger.debug(debugMsg)
if len(finalValue) != ( int(length) - len(resumedValue) ):
warnMsg = "the total length of the query is not "
warnMsg += "right, sqlmap is going to retrieve the "
warnMsg += "query value from the beginning now"
logger.warn(warnMsg)
try:
if "sqlmapfile" in expression or "sqlmapoutput" in expression:
return None
return "%s%s" % (resumedValue, finalValue)
condition = (
kb.resumedQueries and conf.url in kb.resumedQueries.keys()
and expression in kb.resumedQueries[conf.url].keys()
)
return None
if not condition:
return None
resumedValue = kb.resumedQueries[conf.url][expression]
if not resumedValue:
return None
resumedValue = resumedValue.replace("__NEWLINE__", "\n").replace("__TAB__", "\t")
if resumedValue[-1] == "]":
resumedValue = resumedValue[:-1]
infoMsg = "read from file '%s': " % conf.sessionFile
logValue = re.findall("__START__(.*?)__STOP__", resumedValue, re.S)
if logValue:
logValue = ", ".join([value.replace("__DEL__", ", ") for value in logValue])
else:
logValue = resumedValue
if "\n" in logValue:
infoMsg += "%s..." % logValue.split("\n")[0]
else:
infoMsg += logValue
logger.info(infoMsg)
return resumedValue
# If we called this function without providing a payload it means that
# we have called it from lib/request/inject __goInband() function
# in UNION query (inband) SQL injection so we return to the calling
# function so that the query output will be retrieved taking advantage
# of the inband SQL injection vulnerability.
if not payload:
return None
if not kb.dbms:
return None
substringQuery = queries[kb.dbms].substring
select = re.search("\ASELECT ", expression, re.I)
_, length, regExpr = queryOutputLength(expression, payload)
if not length:
return None
if len(resumedValue) == int(length):
infoMsg = "read from file '%s': " % conf.sessionFile
infoMsg += "%s" % resumedValue.split("\n")[0]
logger.info(infoMsg)
dataToSessionFile("[%s][%s][%s][%s][%s]\n" % (conf.url, kb.injPlace, conf.parameters[kb.injPlace], expression, replaceNewlineTabs(resumedValue)))
return resumedValue
elif len(resumedValue) < int(length):
infoMsg = "resumed from file '%s': " % conf.sessionFile
infoMsg += "%s..." % resumedValue.split("\n")[0]
logger.info(infoMsg)
dataToSessionFile("[%s][%s][%s][%s][%s" % (conf.url, kb.injPlace, conf.parameters[kb.injPlace], expression, replaceNewlineTabs(resumedValue)))
if select:
newExpr = expression.replace(regExpr, safeStringFormat(substringQuery, (regExpr, len(resumedValue) + 1, int(length))), 1)
else:
newExpr = safeStringFormat(substringQuery, (expression, len(resumedValue) + 1, int(length)))
missingCharsLength = int(length) - len(resumedValue)
infoMsg = "retrieving pending %d query " % missingCharsLength
infoMsg += "output characters"
logger.info(infoMsg)
start = time.time()
count, finalValue = bisection(payload, newExpr, length=missingCharsLength)
debugMsg = "performed %d queries in %d seconds" % (count, calculateDeltaSeconds(start))
logger.debug(debugMsg)
if len(finalValue) != ( int(length) - len(resumedValue) ):
warnMsg = "the total length of the query is not "
warnMsg += "right, sqlmap is going to retrieve the "
warnMsg += "query value from the beginning now"
logger.warn(warnMsg)
return None
return "%s%s" % (resumedValue, finalValue)
return None
except:
errMsg = "invalid resume value for expression: '%s'" % expression
logger.error(errMsg)
return None

1
tamper/charencode.py
View File

@@ -8,6 +8,7 @@ from lib.core.exception import sqlmapUnsupportedFeatureException
value -> urlencode of nonencoded chars in value
"""
def tamper(place, value):
raise sqlmapUnsupportedFeatureException, "can't use tampering module 'charencode.py' with 'URI' type injections"
retVal = value
if value:
if place != "URI":

2
tamper/randomcase.py
View File

@@ -6,7 +6,7 @@ from lib.core.common import randomRange
from lib.core.exception import sqlmapUnsupportedFeatureException
"""
value -> random case of chars in value
value -> chars from value with random case
"""
def tamper(place, value):
retVal = value

3
tamper/space2comment.py
View File

@@ -10,8 +10,7 @@ def tamper(place, value):
if value:
if place != "URI":
value = urldecode(value)
while value.find(" ") > -1:
value = value.replace(" ", "/**/")
value = value.replace(" ", "/**/")
if place != "URI":
value = urlencode(value)
return value