resume of brute forced data is now available

2025-12-27 09:59:07 +00:00 · 2010-12-27 14:17:20 +00:00
parent c7a160bf72
commit 9fb0e0fc85
5 changed files with 101 additions and 11 deletions
--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -1128,6 +1128,10 @@ def __setKnowledgeBaseAttributes(flushAll=True):
    kb.authHeader      = None
    kb.bannerFp        = advancedDict()

+    kb.brute           = advancedDict()
+    kb.brute.tables    = []
+    kb.brute.columns   = []
+
    kb.cache           = advancedDict()
    kb.cache.content   = {}
    kb.cache.regex     = {}
--- a/lib/core/session.py
+++ b/lib/core/session.py
@@ -21,6 +21,7 @@ from lib.core.data import logger
 from lib.core.datatype import injectionDict
 from lib.core.enums import PAYLOAD
 from lib.core.enums import PLACE
+from lib.core.settings import METADB_SUFFIX
 from lib.core.settings import MSSQL_ALIASES
 from lib.core.settings import MYSQL_ALIASES
 from lib.core.settings import PGSQL_ALIASES
@@ -357,6 +358,35 @@ def resumeConfKb(expression, url, value):
        else:
            conf.os = os

+    elif expression == "TABLE_EXISTS" and url == conf.url:
+        table = unSafeFormatString(value[:-1])
+
+        if '.' in table:
+            db, table = table.split('.')
+        else:
+            db = "%s%s" % (kb.dbms, METADB_SUFFIX)
+
+        logMsg = "resuming brute forced table name "
+        logMsg += "'%s' from session file" % table
+        logger.info(logMsg)
+
+        kb.brute.tables.append((db, table))
+
+    elif expression == "COLUMN_EXISTS" and url == conf.url:
+        table, column = unSafeFormatString(value[:-1]).split('..')
+        colName, colType = column.split(' ')
+
+        if '.' in table:
+            db, table = table.split('.')
+        else:
+            db = "%s%s" % (kb.dbms, METADB_SUFFIX)
+
+        logMsg = "resuming brute forced column name "
+        logMsg += "'%s' for table '%s' from session file" % (colName, table)
+        logger.info(logMsg)
+
+        kb.brute.columns.append((db, table, colName, colType))
+
    elif expression == "Union comment" and url == conf.url:
        kb.unionComment = unSafeFormatString(value[:-1])

--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@@ -403,7 +403,8 @@ def getValue(expression, blind=True, inband=True, error=True, time=True, fromUse
            query = expandAsteriskForColumns(query)
            value = None
            found = False
-            query = query.replace("DISTINCT ", "")
+            if query and not 'COUNT(*)' in query:
+                query = query.replace("DISTINCT ", "")
            count = 0

            if expected == EXPECTED.BOOL:
--- a/lib/techniques/brute/use.py
+++ b/lib/techniques/brute/use.py
@@ -11,6 +11,7 @@ import threading
 import time

 from lib.core.common import clearConsoleLine
+from lib.core.common import dataToSessionFile
 from lib.core.common import dataToStdout
 from lib.core.common import filterListValue
 from lib.core.common import getFileItems
@@ -26,6 +27,7 @@ from lib.core.enums import DBMS
 from lib.core.exception import sqlmapMissingMandatoryOptionException
 from lib.core.exception import sqlmapThreadException
 from lib.core.settings import METADB_SUFFIX
+from lib.core.session import safeFormatString
 from lib.request import inject

 def tableExists(tableFile, regex=None):
@@ -59,13 +61,19 @@ def tableExists(tableFile, regex=None):
            tbllock.release()

            if conf.db and not conf.db.endswith(METADB_SUFFIX):
-                table = "%s.%s" % (conf.db, table)
-            result = inject.checkBooleanExpression("%s" % safeStringFormat("EXISTS(SELECT %d FROM %s)", (randomInt(1), table)))
+                fullTableName = "%s.%s" % (conf.db, table)
+            else:
+                fullTableName = table
+            result = inject.checkBooleanExpression("%s" % safeStringFormat("EXISTS(SELECT %d FROM %s)", (randomInt(1), fullTableName)))

            iolock.acquire()
            if result:
                retVal.append(table)

+                dataToSessionFile("[%s][%s][%s][TABLE_EXISTS][%s]\n" % (conf.url,\
+                  kb.injection.place, safeFormatString(conf.parameters[kb.injection.place]),\
+                  safeFormatString(fullTableName)))
+
                if conf.verbose in (1, 2):
                    clearConsoleLine(True)
                    infoMsg = "\r[%s] [INFO] retrieved: %s\n" % (time.strftime("%X"), table)
@@ -227,13 +235,17 @@ def columnExists(columnFile, regex=None):
        columns = {}

        for column in retVal:
-            result = inject.checkBooleanExpression("%s" % safeStringFormat("EXISTS(SELECT %s FROM %s WHERE RND(%s)>0)", (column, table, column)))
+            result = inject.checkBooleanExpression("%s" % safeStringFormat("EXISTS(SELECT %s FROM %s WHERE ROUND(%s)>0)", (column, table, column)))

            if result:
                columns[column] = 'numeric'
            else:
                columns[column] = 'non-numeric'

+            dataToSessionFile("[%s][%s][%s][COLUMN_EXISTS][%s..%s %s]\n" % (conf.url, kb.injection.place,\
+              safeFormatString(conf.parameters[kb.injection.place]), safeFormatString(table),\
+              safeFormatString(column), safeFormatString(columns[column])))
+
        kb.data.cachedColumns[conf.db] = {conf.tbl: columns}

    return kb.data.cachedColumns