Merge branch 'master' of github.com:sqlmapproject/sqlmap

This commit is contained in:
Bernardo Damele
2013-01-11 13:31:49 +00:00
132 changed files with 359 additions and 322 deletions


@@ -52,7 +52,7 @@ class Fingerprint(GenericFingerprint):
"97": ("MSysModules2", "MSysAccessObjects"),
"2000" : ("!MSysModules2", "MSysAccessObjects"),
"2002-2003" : ("MSysAccessStorage", "!MSysNavPaneObjectIDs"),
"2007" : ("MSysAccessStorage", "MSysNavPaneObjectIDs")
"2007" : ("MSysAccessStorage", "MSysNavPaneObjectIDs"),
}
# MSysAccessXML is not a reliable system table because it doesn't always exist
# ("Access through Access", p6, should be "normally doesn't exist" instead of "is normally empty")


@@ -17,4 +17,5 @@ class Enumeration(GenericEnumeration):
warnMsg = "on DB2 it is not possible to list password hashes"
logger.warn(warnMsg)
return {}
return {}


@@ -47,7 +47,7 @@ class Fingerprint(GenericFingerprint):
return None
def getFingerprint(self):
value = ""
value = ""
wsOsFp = Format.getOs("web server", kb.headersFp)
if wsOsFp:


@@ -40,7 +40,7 @@ class Connector(GenericConnector):
try:
self.connector = kinterbasdb.connect(host=self.hostname.encode(UNICODE_ENCODING), database=self.db.encode(UNICODE_ENCODING), \
user=self.user.encode(UNICODE_ENCODING), password=self.password.encode(UNICODE_ENCODING), charset="UTF8") #http://www.daniweb.com/forums/thread248499.html
user=self.user.encode(UNICODE_ENCODING), password=self.password.encode(UNICODE_ENCODING), charset="UTF8") # Reference: http://www.daniweb.com/forums/thread248499.html
except kinterbasdb.OperationalError, msg:
raise SqlmapConnectionException(msg[1])
self.setCursor()


@@ -70,16 +70,16 @@ class Fingerprint(GenericFingerprint):
def _sysTablesCheck(self):
retVal = None
table = (
("1.0", ["EXISTS(SELECT CURRENT_USER FROM RDB$DATABASE)"]),
("1.5", ["NULLIF(%d,%d) IS NULL", "EXISTS(SELECT CURRENT_TRANSACTION FROM RDB$DATABASE)"]),
("2.0", ["EXISTS(SELECT CURRENT_TIME(0) FROM RDB$DATABASE)", "BIT_LENGTH(%d)>0", "CHAR_LENGTH(%d)>0"]),
("2.1", ["BIN_XOR(%d,%d)=0", "PI()>0.%d", "RAND()<1.%d", "FLOOR(1.%d)>=0"])
("1.0", ("EXISTS(SELECT CURRENT_USER FROM RDB$DATABASE)",)),
("1.5", ("NULLIF(%d,%d) IS NULL", "EXISTS(SELECT CURRENT_TRANSACTION FROM RDB$DATABASE)")),
("2.0", ("EXISTS(SELECT CURRENT_TIME(0) FROM RDB$DATABASE)", "BIT_LENGTH(%d)>0", "CHAR_LENGTH(%d)>0")),
("2.1", ("BIN_XOR(%d,%d)=0", "PI()>0.%d", "RAND()<1.%d", "FLOOR(1.%d)>=0")),
)
for i in xrange(len(table)):
version, checks = table[i]
failed = False
check = checks[randomRange(0, len(checks)-1)].replace("%d", getUnicode(randomRange(1,100)))
check = checks[randomRange(0, len(checks) - 1)].replace("%d", getUnicode(randomRange(1, 100)))
result = inject.checkBooleanExpression(check)
if result:
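Review bot: The index loop `for i in xrange(len(table)): version, checks = table[i]` only uses `i` to fetch the tuple it then unpacks, so now that `table` is a tuple of pairs the idiomatic form is `for version, checks in table:` with the `table[i]` line dropped. The `%d` substitution on the next line deliberately puts the same random integer into every placeholder (so `NULLIF(n,n)` and `BIN_XOR(n,n)` stay true), which is worth a one-line comment such as `# the same random value fills every %d so each probe is a tautology on a real Firebird` since a reader may otherwise take it for a bug. The body of `_sysTablesCheck` continues past the end of the hunk.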


@@ -148,7 +148,7 @@ class Enumeration(GenericEnumeration):
randStr = randomStr()
query = rootQuery.inband.query % (unsafeSQLIdentificatorNaming(tbl), ("'%s'" % unsafeSQLIdentificatorNaming(conf.db)) if unsafeSQLIdentificatorNaming(conf.db) != "USER" else 'USER')
retVal = pivotDumpTable("(%s) AS %s" % (query, randStr), ['%s.columnname' % randStr,'%s.datatype' % randStr,'%s.len' % randStr], blind=True)
retVal = pivotDumpTable("(%s) AS %s" % (query, randStr), ['%s.columnname' % randStr, '%s.datatype' % randStr, '%s.len' % randStr], blind=True)
if retVal:
table = {}


@@ -42,7 +42,7 @@ class Enumeration(GenericEnumeration):
areAdmins = set()
if conf.user:
users = [ conf.user ]
users = [conf.user]
elif not len(kb.data.cachedUsers):
users = self.getUsers()
else:
@@ -203,7 +203,7 @@ class Enumeration(GenericEnumeration):
if not isNoneValue(values):
if isinstance(values, basestring):
values = [ values ]
values = [values]
for foundTbl in values:
if foundTbl is None:
@@ -325,7 +325,7 @@ class Enumeration(GenericEnumeration):
if not isNoneValue(values):
if isinstance(values, basestring):
values = [ values ]
values = [values]
for foundTbl in values:
foundTbl = safeSQLIdentificatorNaming(foundTbl, True)
@@ -353,7 +353,7 @@ class Enumeration(GenericEnumeration):
if db in foundCols[column]:
foundCols[column][db].append(foundTbl)
else:
foundCols[column][db] = [ foundTbl ]
foundCols[column][db] = [foundTbl]
else:
foundCols[column][db] = []


@@ -44,7 +44,7 @@ class Filesystem(GenericFilesystem):
for fileLine in xrange(0, len(fileContent), lineLen):
scrString = ""
for lineChar in fileContent[fileLine:fileLine+lineLen]:
for lineChar in fileContent[fileLine:fileLine + lineLen]:
strLineChar = hexencode(lineChar)
if not scrString:


@@ -41,7 +41,7 @@ class Takeover(GenericTakeover):
#"2003-2": ("CHAR(0xe4)+CHAR(0x37)+CHAR(0xea)+CHAR(0x7c)", "CHAR(0x15)+CHAR(0xc9)+CHAR(0x93)+CHAR(0x7c)", "CHAR(0x96)+CHAR(0xdc)+CHAR(0xa7)+CHAR(0x7c)", "CHAR(0x73)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x73)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x17)+CHAR(0xf5)+CHAR(0x83)+CHAR(0x7c)", "CHAR(0x1b)+CHAR(0xa0)+CHAR(0x86)+CHAR(0x7c)", "CHAR(0x1b)+CHAR(0xa0)+CHAR(0x86)+CHAR(0x7c)" ),
# 2003 Service Pack 2 updated at 05/2009
"2003-2": ("CHAR(0xc3)+CHAR(0xdb)+CHAR(0x67)+CHAR(0x77)", "CHAR(0x15)+CHAR(0xc9)+CHAR(0x93)+CHAR(0x7c)", "CHAR(0x96)+CHAR(0xdc)+CHAR(0xa7)+CHAR(0x7c)", "CHAR(0x73)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x73)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x47)+CHAR(0xf5)+CHAR(0x83)+CHAR(0x7c)", "CHAR(0x0f)+CHAR(0x31)+CHAR(0x8e)+CHAR(0x7c)", "CHAR(0x0f)+CHAR(0x31)+CHAR(0x8e)+CHAR(0x7c)")
"2003-2": ("CHAR(0xc3)+CHAR(0xdb)+CHAR(0x67)+CHAR(0x77)", "CHAR(0x15)+CHAR(0xc9)+CHAR(0x93)+CHAR(0x7c)", "CHAR(0x96)+CHAR(0xdc)+CHAR(0xa7)+CHAR(0x7c)", "CHAR(0x73)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x73)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x47)+CHAR(0xf5)+CHAR(0x83)+CHAR(0x7c)", "CHAR(0x0f)+CHAR(0x31)+CHAR(0x8e)+CHAR(0x7c)", "CHAR(0x0f)+CHAR(0x31)+CHAR(0x8e)+CHAR(0x7c)"),
# 2003 Service Pack 2 updated at 09/2009
#"2003-2": ("CHAR(0xc3)+CHAR(0xc2)+CHAR(0xed)+CHAR(0x7c)", "CHAR(0xf3)+CHAR(0xd9)+CHAR(0xa7)+CHAR(0x7c)", "CHAR(0x99)+CHAR(0xc8)+CHAR(0x93)+CHAR(0x7c)", "CHAR(0x63)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x63)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x17)+CHAR(0xf5)+CHAR(0x83)+CHAR(0x7c)", "CHAR(0xa4)+CHAR(0xde)+CHAR(0x8e)+CHAR(0x7c)", "CHAR(0xa4)+CHAR(0xde)+CHAR(0x8e)+CHAR(0x7c)"),
@@ -68,7 +68,7 @@ class Takeover(GenericTakeover):
hexStr = binascii.hexlify(self.shellcodeString[:-1])
for hexPair in xrange(0, len(hexStr), 2):
shellcodeChar += "CHAR(0x%s)+" % hexStr[hexPair:hexPair+2]
shellcodeChar += "CHAR(0x%s)+" % hexStr[hexPair:hexPair + 2]
shellcodeChar = shellcodeChar[:-1]


@@ -174,7 +174,7 @@ class Fingerprint(GenericFingerprint):
infoMsg = "confirming %s" % DBMS.MYSQL
logger.info(infoMsg)
result = inject.checkBooleanExpression("USER()=USER()")
result = inject.checkBooleanExpression("USER() LIKE USER()")
if not result:
warnMsg = "the back-end DBMS is not %s" % DBMS.MYSQL
@@ -206,7 +206,7 @@ class Fingerprint(GenericFingerprint):
elif inject.checkBooleanExpression("@@table_open_cache=@@table_open_cache"):
if inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.GLOBAL_STATUS LIMIT 0, 1)" % (randInt, randInt)):
Backend.setVersionList([">= 5.1.12", "< 5.5.0"])
elif inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.PROCESSLIST LIMIT 0, 1)" % (randInt,randInt)):
elif inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.PROCESSLIST LIMIT 0, 1)" % (randInt, randInt)):
Backend.setVersionList([">= 5.1.7", "< 5.1.12"])
elif inject.checkBooleanExpression("%s=(SELECT %s FROM information_schema.PARTITIONS LIMIT 0, 1)" % (randInt, randInt)):
Backend.setVersion("= 5.1.6")
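Review bot: Switching the confirmation probe from `USER()=USER()` to `USER() LIKE USER()` changes semantics, because LIKE reads the right-hand side as a pattern with `\` as the default escape character, so a `USER()` value containing a backslash followed by another character (possible in the host part or with external authentication plugins) no longer matches itself and the back-end would be wrongly reported as not MySQL. The reason for preferring LIKE is not visible in the hunk; if it is to sidestep filtering of the `=` operator, record that, e.g. `# LIKE instead of = to avoid filters on the equality operator; note LIKE treats '\' as an escape`, so the trade-off is explicit. Alternatively pick a tautology that is not pattern-based, such as `LENGTH(USER())>0`, if it fingerprints equally well. The enclosing method starts before this hunk.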


@@ -64,10 +64,8 @@ class Connector(GenericConnector):
try:
self.cursor.execute(utf8encode(query))
retVal = True
except (cx_Oracle.DatabaseError), msg:
except cx_Oracle.DatabaseError, msg:
logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG, "(remote) %s" % msg)
except cx_Oracle.InternalError, msg:
raise SqlmapConnectionException(msg)
self.connector.commit()
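Review bot: After the consolidation to a single `except cx_Oracle.DatabaseError` handler, a failed `execute()` is logged (at DEBUG only when `conf.dbmsHandler` is unset, so effectively silently) and then `self.connector.commit()` still runs unconditionally on the last line of the hunk. If the intent is that a statement that errored should not commit whatever earlier work the transaction holds, move the commit into an `else:` clause of the `try` so it runs only on success, e.g. `else:` / `    self.connector.commit()`. The method's start (where `retVal` is presumably initialised to False) and its return are outside the hunk, so I cannot confirm what the caller sees on failure.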


@@ -24,10 +24,10 @@ class PostgreSQLMap(Syntax, Fingerprint, Enumeration, Filesystem, Miscellaneous,
self.excludeDbsList = PGSQL_SYSTEM_DBS
self.sysUdfs = {
# UDF name: UDF parameters' input data-type and return data-type
"sys_exec": { "input": [ "text" ], "return": "int4" },
"sys_eval": { "input": [ "text" ], "return": "text" },
"sys_bineval": { "input": [ "text" ], "return": "int4" },
"sys_fileread": { "input": [ "text" ], "return": "text" }
"sys_exec": { "input": ["text"], "return": "int4" },
"sys_eval": { "input": ["text"], "return": "text" },
"sys_bineval": { "input": ["text"], "return": "int4" },
"sys_fileread": { "input": ["text"], "return": "text" }
}
Syntax.__init__(self)


@@ -39,7 +39,7 @@ class Syntax(GenericSyntax):
break
firstIndex = index
index = expression[firstIndex+2:].find("'")
index = expression[firstIndex + 2:].find("'")
if index == -1:
raise SqlmapSyntaxException("Unenclosed ' in '%s'" % expression)
@@ -49,8 +49,8 @@ class Syntax(GenericSyntax):
oldUpper = old.upper()
oldUpper = oldUpper.replace("X'", "").replace("'", "")
for i in xrange(len(oldUpper)/2):
char = oldUpper[i*2:i*2+2]
for i in xrange(len(oldUpper) / 2):
char = oldUpper[i * 2:i * 2 + 2]
escaped = "'%s'" % chr(int(char, 16))
expression = expression.replace(old, escaped)
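Review bot: Inside the loop `escaped` is reassigned on every iteration to a single-character literal `"'%s'" % chr(int(char, 16))` and never accumulated, so for any hex literal longer than one byte only one decoded character ever reaches `expression.replace(old, escaped)` (the first if the replace is inside the loop, the last if it is after it — the rendering has lost the indentation, so I cannot tell which). If multi-byte `X'..'` literals reach this code the fix is to build the whole string first, `unescaped = "".join(chr(int(oldUpper[i:i + 2], 16)) for i in xrange(0, len(oldUpper) - 1, 2))`, and then do one `expression = expression.replace(old, "'%s'" % unescaped.replace("'", "''"))`, doubling any decoded quote so the rebuilt literal stays well-formed. `len(oldUpper) / 2` also silently drops a trailing nibble of an odd-length literal rather than rejecting it. The enclosing `while` loop and method header are outside this hunk.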


@@ -60,7 +60,7 @@ class Enumeration(GenericEnumeration):
areAdmins = set()
if conf.user:
users = [ conf.user ]
users = [conf.user]
elif not len(kb.data.cachedUsers):
users = self.getUsers()
else:
@@ -221,7 +221,7 @@ class Enumeration(GenericEnumeration):
if colList:
table = {}
table[safeSQLIdentificatorNaming(tbl)] = dict(map(lambda x: (x, None), colList))
table[safeSQLIdentificatorNaming(tbl)] = dict((_, None) for _ in colList)
kb.data.cachedColumns[safeSQLIdentificatorNaming(conf.db)] = table
continue
@@ -233,7 +233,7 @@ class Enumeration(GenericEnumeration):
for blind in blinds:
randStr = randomStr()
query = rootQuery.inband.query % (conf.db, conf.db, conf.db, conf.db, conf.db, conf.db, conf.db, unsafeSQLIdentificatorNaming(tbl))
retVal = pivotDumpTable("(%s) AS %s" % (query, randStr), ['%s.name' % randStr,'%s.usertype' % randStr], blind=blind)
retVal = pivotDumpTable("(%s) AS %s" % (query, randStr), ['%s.name' % randStr, '%s.usertype' % randStr], blind=blind)
if retVal:
table = {}