Ahead with the improvements to the comparison algorithm.

Added support internally to forge CASE statements, used only by --is-dba query at the moment. Allow DDL, DML (INSERT, UPDATE, etc.) from user in SQL query and SQL shell. Minor code adjustments.
2025-12-09 06:01:29 +00:00 · 2008-12-19 20:09:46 +00:00
parent 68354be45a
commit ad228e6947
11 changed files with 132 additions and 66 deletions
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -468,5 +468,25 @@ class Agent:
        return limitedQuery


+    def forgeCaseStatement(self, expression):
+        """
+        Take in input a query string and return its CASE statement query
+        string.
+
+        Example:
+
+        Input:  (SELECT super_priv FROM mysql.user WHERE user=(SUBSTRING_INDEX(CURRENT_USER(), '@', 1)) LIMIT 0, 1)='Y'
+        Output: SELECT (CASE WHEN ((SELECT super_priv FROM mysql.user WHERE user=(SUBSTRING_INDEX(CURRENT_USER(), '@', 1)) LIMIT 0, 1)='Y') THEN 1 ELSE 0 END)
+
+        @param expression: expression to be processed
+        @type num: C{str}
+
+        @return: processed expression
+        @rtype: C{str}
+        """
+
+        return queries[kb.dbms].case % expression
+
+
 # SQL agent
 agent = Agent()
--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -40,6 +40,7 @@ from lib.core.data import logger
 from lib.core.data import temp
 from lib.core.exception import sqlmapFilePathException
 from lib.core.data import paths
+from lib.core.settings import SQL_STATEMENTS
 from lib.core.settings import VERSION_STRING


@@ -493,39 +494,11 @@ def parsePasswordHash(password):


 def cleanQuery(query):
-    # SQL SELECT statement
-    upperQuery = query.replace("select ", "SELECT ")
-    upperQuery = upperQuery.replace(" from ", " FROM ")
-    upperQuery = upperQuery.replace(" where ", " WHERE ")
-    upperQuery = upperQuery.replace(" group by ", " GROUP BY ")
-    upperQuery = upperQuery.replace(" order by ", " ORDER BY ")
-    upperQuery = upperQuery.replace(" having ", " HAVING ")
-    upperQuery = upperQuery.replace(" limit ", " LIMIT ")
-    upperQuery = upperQuery.replace(" offset ", " OFFSET ")
-    upperQuery = upperQuery.replace(" union all ", " UNION ALL ")
-    upperQuery = upperQuery.replace(" rownum ", " ROWNUM ")
+    upperQuery = query

-    # SQL data definition
-    upperQuery = upperQuery.replace(" create ", " CREATE ")
-    upperQuery = upperQuery.replace(" drop ", " DROP ")
-    upperQuery = upperQuery.replace(" truncate ", " TRUNCATE ")
-    upperQuery = upperQuery.replace(" alter ", " ALTER ")
-
-    # SQL data manipulation
-    upperQuery = upperQuery.replace(" insert ", " INSERT ")
-    upperQuery = upperQuery.replace(" update ", " UPDATE ")
-    upperQuery = upperQuery.replace(" delete ", " DELETE ")
-    upperQuery = upperQuery.replace(" merge ", " MERGE ")
-
-    # SQL data control
-    upperQuery = upperQuery.replace(" grant ", " GRANT ")
-
-    # SQL transaction control
-    upperQuery = upperQuery.replace(" start transaction ", " START TRANSACTION ")
-    upperQuery = upperQuery.replace(" begin work ", " BEGIN WORK ")
-    upperQuery = upperQuery.replace(" begin transaction ", " BEGIN TRANSACTION ")
-    upperQuery = upperQuery.replace(" commit ", " COMMIT ")
-    upperQuery = upperQuery.replace(" rollback ", " ROLLBACK ")
+    for sqlStatements in SQL_STATEMENTS.values():
+        for sqlStatement in sqlStatements:
+            upperQuery = upperQuery.replace(sqlStatement, sqlStatement.upper())

    return upperQuery

--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -570,7 +570,7 @@ def __setConfAttributes():
    logger.debug(debugMsg)

    conf.cj              = None
-    conf.contentLengths  = []
+    conf.pageLengths     = []
    conf.dbmsHandler     = None
    conf.dumpPath        = None
    conf.equalLines      = []
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -68,3 +68,44 @@ SUPPORTED_DBMS    = MSSQL_ALIASES + MYSQL_ALIASES + PGSQL_ALIASES + ORACLE_ALIAS
 # TODO: port to command line/configuration file options?
 SECONDS           = 5
 RETRIES           = 3
+
+SQL_STATEMENTS    = {
+                      "SQL SELECT statement":  (
+                                                 "select ",
+                                                 " from ",
+                                                 " where ",
+                                                 " group by ",
+                                                 " order by ",
+                                                 " having ",
+                                                 " limit ",
+                                                 " offset ",
+                                                 " union all ",
+                                                 " rownum ",
+                                               ),
+
+                      "SQL data definition":   (
+                                                 "create ",
+                                                 "drop ",
+                                                 "truncate ",
+                                                 "alter ",
+                                               ),
+
+                      "SQL data manipulation": (
+                                                 "insert ",
+                                                 "update ",
+                                                 "delete ",
+                                                 "merge ",
+                                               ),
+
+                      "SQL data control":      (
+                                                 "grant ",
+                                               ),
+
+                      "SQL transaction":       (
+                                                 "start transaction ",
+                                                 "begin work ",
+                                                 "begin transaction ",
+                                                 "commit ",
+                                                 "rollback ",
+                                               ),
+                    }