Ahead with the improvements to the comparison algorithm.

Added support internally to forge CASE statements, used only by --is-dba query at the moment. Allow DDL, DML (INSERT, UPDATE, etc.) from user in SQL query and SQL shell. Minor code adjustments.
2025-12-06 12:41:30 +00:00 · 2008-12-19 20:09:46 +00:00
parent 68354be45a
commit ad228e6947
11 changed files with 132 additions and 66 deletions
--- a/plugins/generic/enumeration.py
+++ b/plugins/generic/enumeration.py
@@ -39,6 +39,7 @@ from lib.core.exception import sqlmapMissingMandatoryOptionException
 from lib.core.exception import sqlmapNoneDataException
 from lib.core.exception import sqlmapUndefinedMethod
 from lib.core.exception import sqlmapUnsupportedFeatureException
+from lib.core.settings import SQL_STATEMENTS
 from lib.core.shell import autoCompletion
 from lib.core.unescaper import unescaper
 from lib.parse.banner import bannerParser
@@ -120,7 +121,7 @@ class Enumeration:
        infoMsg = "testing if current user is DBA"
        logger.info(infoMsg)

-        query = queries[kb.dbms].isDba
+        query = agent.forgeCaseStatement(queries[kb.dbms].isDba)

        self.isDba = inject.getValue(query)

@@ -1038,10 +1039,33 @@ class Enumeration:


    def sqlQuery(self, query):
-        infoMsg = "fetching SQL SELECT query output: '%s'" % query
+        output      = None
+        selectQuery = False
+        sqlType     = None
+
+        for sqlTitle, sqlStatements in SQL_STATEMENTS.items():
+            for sqlStatement in sqlStatements:
+                if query.lower().startswith(sqlStatement):
+                    sqlType = sqlTitle
+
+                    if sqlTitle == "SQL SELECT statement":
+                        selectQuery = True
+
+                    break
+
+        if sqlType:
+            infoMsg = "fetching %s query output: '%s'" % (sqlType, query)
+        else:
+            infoMsg = "fetching SQL query output: '%s'" % query
+
        logger.info(infoMsg)

-        output = inject.getValue(query, fromUser=True)
+        if selectQuery == False:
+            # TODO: test if stacked queries are supported by the web
+            # application before injecting
+            inject.goStacked(query)
+        else:
+            output = inject.getValue(query, fromUser=True)

        if output == "Quit":
            return None