From 4bb58854136f4d3fabc02e0d4fb6b4c4fae98b2d Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Mon, 31 May 2010 09:41:41 +0000
Subject: [PATCH] some changes regarding --common-outputs feature
---
lib/core/common.py | 32 ++++++++++-----------
lib/techniques/blind/inference.py | 15 +++++-----
txt/common-outputs.txt | 47 +++++++++++++++++++++++++++++++
3 files changed, 69 insertions(+), 25 deletions(-)
diff --git a/lib/core/common.py b/lib/core/common.py
index 3e7ea6d00..76f20273e 100644
--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -54,6 +54,8 @@ from lib.core.data import logger
 from lib.core.data import paths
 from lib.core.data import queries
 from lib.core.data import temp
+from lib.core.convert import md5hash
+from lib.core.convert import sha1hash
 from lib.core.convert import urlencode
 from lib.core.convert import utf8decode
 from lib.core.exception import sqlmapFilePathException
@@ -1224,7 +1226,9 @@ def initCommonOutputs():
 if key not in kb.commonOutputs:
 kb.commonOutputs[key] = []
- kb.commonOutputs[key].append(line.strip())
+ item = line.strip()
+ if item not in kb.commonOutputs[key]:
+ kb.commonOutputs[key].append(item)
 cfile.close()
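Review bot: `md5hash` and `sha1hash` are imported into lib/core/common.py, but within this commit `md5hash` is referenced only inside the commented-out block added to goGoodSamaritan and `sha1hash` is not referenced at all. If the rest of the file (not visible here) does not use them either, both imports are dead code. Either keep only what live code calls, or record the intent next to them with `# TODO: used once hashed-password prediction in goGoodSamaritan is enabled`.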
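Review bot: Nothing in the new initCommonOutputs lines filters comment or blank lines before `item` is appended, yet this same commit adds `#MySQL`/`#Oracle` and empty lines to txt/common-outputs.txt; the part of the loop that might strip those is above the hunk and not visible, so it is worth confirming that `#MySQL` or an empty string cannot reach `kb.commonOutputs[key]`, where it would become a prediction candidate. If no such filter exists, `if not item or item.startswith('#'): continue` before the membership test closes it. The `item not in kb.commonOutputs[key]` check is a linear scan per line, acceptable for a file this small, though a per-key set would make the de-duplication intent explicit. initCommonOutputs starts outside the hunk.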
@@ -1252,29 +1256,23 @@ def goGoodSamaritan(part, prevValue, originalCharset):
 predictionSet = set()
 wildIndexes = []
 singleValue = None
- reObj = getCompiledRegex('\A%s' % prevValue)
-
- if prevValue[-1] != '.':
- prevValue += '.'
-
- charIndex = 0
- findIndex = prevValue.find('.', charIndex)
-
- while findIndex != -1:
- wildIndexes.append(findIndex)
- charIndex += 1
- findIndex = prevValue.find('.', charIndex)
 # If the header we are looking for has common outputs defined
 if part in kb.commonOutputs:
 for item in kb.commonOutputs[part]:
+ #if part == 'Passwords':
+ #if prevValue.startswith('*'): #MySQL_160bit
+ #return None, None, originalCharset
+ #if item not in kb.cache.md5:
+ #kb.cache.md5[item] = md5hash(item).upper()
+ #item = kb.cache.md5[item]
+
 # Check if the common output (item) starts with prevValue
- if reObj.search(item):
+ if item.startswith(prevValue):
 singleValue = item
- for index in wildIndexes:
- char = item[index]
-
+ if len(item) > len(prevValue):
+ char = item[len(prevValue)]
 if char not in predictionSet:
 predictionSet.add(char)
diff --git a/lib/techniques/blind/inference.py b/lib/techniques/blind/inference.py
index 5d153138e..52a841270 100644
--- a/lib/techniques/blind/inference.py
+++ b/lib/techniques/blind/inference.py
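Review bot: The six `#if part == 'Passwords': ... #item = kb.cache.md5[item]` lines added inside the `for item in kb.commonOutputs[part]` loop are commented-out code committed to the tree, and they reference `kb.cache.md5`, which nothing visible here defines. Either drop them or collapse them to a single `# TODO: hash password candidates (MySQL) before matching against prevValue` so the idea survives without dead code. Separately, `wildIndexes = []` remains at the top of the hunk while both the loop that filled it and the `for index in wildIndexes` consumer are removed, so unless the rest of goGoodSamaritan uses it (not visible here) the initialisation is now dead. goGoodSamaritan's body continues past the hunk.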
@@ -214,14 +214,13 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
 else:
 if minValue == maxChar or maxValue == minChar:
 return None
- retVal = originalTbl[originalTbl.index(minValue) + 1]
- forgedPayload = safeStringFormat(payload.replace('%3E', '%3D'), (expressionUnescaped, idx, retVal))
- queriesCount[0] += 1
- result = Request.queryPage(urlencode(forgedPayload))
- if result:
- return chr(retVal) if retVal < 128 else unichr(retVal)
- else:
- return None
+ for retVal in (originalTbl[originalTbl.index(minValue)], originalTbl[originalTbl.index(minValue) + 1]):
+ forgedPayload = safeStringFormat(payload.replace('%3E', '%3D'), (expressionUnescaped, idx, retVal))
+ queriesCount[0] += 1
+ result = Request.queryPage(urlencode(forgedPayload))
+ if result:
+ return chr(retVal) if retVal < 128 else unichr(retVal)
+ return None
 def etaProgressUpdate(charTime, index):
 if len(progressTime) <= ( (length * 3) / 100 ):
diff --git a/txt/common-outputs.txt b/txt/common-outputs.txt
index 4acf9bcbf..6d25092f1 100644
--- a/txt/common-outputs.txt
+++ b/txt/common-outputs.txt
@@ -1,10 +1,14 @@
 [Databases]
+
+#MySQL
 information_schema
 mysql
 public
 master
 [Tables]
+
+#MySQL
 CHARACTER_SETS
 COLLATION_CHARACTER_SET_APPLICABILITY
 COLLATIONS
@@ -33,3 +37,46 @@ TABLES
 TRIGGERS
 USER_PRIVILEGES
 VIEWS
+
+#Oracle
+BONUS
+DEPT
+EMP
+SALGRADE
+USERS
+
+[Passwords]
+
+root
+test
+testpass
+password
+abc123
+qwertz
+12345
+123456
+
+[Users]
+
+#Oracle
+SCOTT
+MGMT_VIEW
+MDDATA
+SYSMAN
+MDSYS
+SI_INFORMTN_SCHEMA
+ORDPLUGINS
+ORDSYS
+OLAPSYS
+ANONYMOUS
+XDB
+CTXSYS
+EXFSYS
+WMSYS
+DBSNMP
+TSMSYS
+DMSYS
+DIP
+OUTLN
+SYSTEM
+SYS
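Review bot: `originalTbl.index(minValue)` is evaluated twice in the new `for retVal in (...)` tuple, a linear scan each time; binding it once reads more clearly and makes the two probed positions explicit: `pos = originalTbl.index(minValue)` followed by `for retVal in originalTbl[pos:pos + 2]:`. Note the slice form yields a single element when `minValue` is the last entry, whereas the tuple form raises IndexError there; the preceding `if minValue == maxChar or maxValue == minChar: return None` guard presumably rules that case out, but only if `maxChar` is the last entry of `originalTbl`, which this hunk does not show. A short comment on why both `minValue` and its successor are now probed (the search has narrowed to two candidates, where the old code probed only the successor) would help the next reader. bisection starts outside the hunk and the nested etaProgressUpdate continues past it.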