removed queriesfile.py, implemented XMLObject approach (still shell.py and udf.py TODO)

2026-01-21 13:49:04 +00:00 · 2010-10-21 13:13:12 +00:00
parent be443c6947
commit bc79eec702
16 changed files with 169 additions and 401 deletions
--- a/lib/techniques/blind/inference.py
+++ b/lib/techniques/blind/inference.py
@@ -461,7 +461,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
                # check it via equal against the substring-query output
                if commonPattern is not None:
                    # Substring-query containing equals commonPattern
-                    subquery = queries[kb.dbms].substring % (expressionUnescaped, 1, len(commonPattern))
+                    subquery = queries[kb.dbms].substring.query % (expressionUnescaped, 1, len(commonPattern))
                    testValue = unescaper.unescape("'%s'" % commonPattern) if "'" not in commonPattern else unescaper.unescape("%s" % commonPattern, quote=False)
                    query = agent.prefixQuery(" %s" % safeStringFormat("AND (%s) = %s", (subquery, testValue)))
                    query = agent.postfixQuery(query)
--- a/lib/techniques/error/test.py
+++ b/lib/techniques/error/test.py
@@ -30,7 +30,7 @@ def errorTest():
    logger.info(infoMsg)

    randInt = getUnicode(randomInt(1))
-    query = queries[kb.dbms].case % ("%s=%s" % (randInt, randInt))
+    query = queries[kb.dbms].case.query % ("%s=%s" % (randInt, randInt))
    result = inject.goError(query)

    if result:
--- a/lib/techniques/error/use.py
+++ b/lib/techniques/error/use.py
@@ -30,14 +30,15 @@ from lib.core.settings import ERROR_EMPTY_CHAR
 from lib.core.settings import ERROR_START_CHAR
 from lib.core.settings import ERROR_END_CHAR

-def errorUse(expression, resumeValue=True):
+def errorUse(expression):
    """
    Retrieve the output of a SQL query taking advantage of an error SQL
    injection vulnerability on the affected parameter.
    """
+    output         = None
    logic          = conf.logic
    randInt        = randomInt(1)
-    query          = agent.prefixQuery(" %s" % queries[kb.misc.testedDbms].error)
+    query          = agent.prefixQuery(" %s" % queries[kb.misc.testedDbms].error.query)
    query          = agent.postfixQuery(query)
    payload        = agent.payload(newValue=query)
    startLimiter   = ""
@@ -45,14 +46,6 @@ def errorUse(expression, resumeValue=True):

    expressionUnescaped = expression

-    if resumeValue:
-        output = resume(expression, payload)
-    else:
-        output = None
-
-    if output:
-        return output
-
    if kb.dbmsDetected:
        _, _, _, _, _, _, fieldToCastStr = agent.getFields(expression)
        nulledCastedField                = agent.nullAndCastField(fieldToCastStr)
--- a/lib/techniques/inband/union/test.py
+++ b/lib/techniques/inband/union/test.py
@@ -203,7 +203,7 @@ def unionTest():
    value   = None
    columns = None

-    for comment in (queries[kb.dbms].comment, ""):
+    for comment in (queries[kb.dbms].comment.query, ""):
        if conf.uTech == "orderby":
            columns = __unionTestByOrderBy(comment)
        else:
--- a/lib/techniques/inband/union/use.py
+++ b/lib/techniques/inband/union/use.py
@@ -65,12 +65,12 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh
        # NOTE: I assume that only queries that get data from a table can
        # return multiple entries
        if " FROM " in expression:
-            limitRegExp = re.search(queries[kb.dbms].limitregexp, expression, re.I)
+            limitRegExp = re.search(queries[kb.dbms].limitregexp.query, expression, re.I)

            if limitRegExp:
                if kb.dbms in ( "MySQL", "PostgreSQL" ):
-                    limitGroupStart = queries[kb.dbms].limitgroupstart
-                    limitGroupStop  = queries[kb.dbms].limitgroupstop
+                    limitGroupStart = queries[kb.dbms].limitgroupstart.query
+                    limitGroupStop  = queries[kb.dbms].limitgroupstop.query

                    if limitGroupStart.isdigit():
                        startLimit = int(limitRegExp.group(int(limitGroupStart)))
@@ -79,8 +79,8 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh
                    limitCond = int(stopLimit) > 1

                elif kb.dbms == "Microsoft SQL Server":
-                    limitGroupStart = queries[kb.dbms].limitgroupstart
-                    limitGroupStop  = queries[kb.dbms].limitgroupstop
+                    limitGroupStart = queries[kb.dbms].limitgroupstart.query
+                    limitGroupStop  = queries[kb.dbms].limitgroupstop.query

                    if limitGroupStart.isdigit():
                        startLimit = int(limitRegExp.group(int(limitGroupStart)))
@@ -104,7 +104,7 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh
                    # (or similar, depending on the back-end DBMS) word
                    if kb.dbms in ( "MySQL", "PostgreSQL" ):
                        stopLimit += startLimit
-                        untilLimitChar = expression.index(queries[kb.dbms].limitstring)
+                        untilLimitChar = expression.index(queries[kb.dbms].limitstring.query)
                        expression = expression[:untilLimitChar]

                    elif kb.dbms == "Microsoft SQL Server":
@@ -123,7 +123,7 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh

                if test:
                    # Count the number of SQL query entries output
-                    countFirstField   = queries[kb.dbms].count % expressionFieldsList[0]
+                    countFirstField   = queries[kb.dbms].count.query % expressionFieldsList[0]
                    countedExpression = origExpr.replace(expressionFields, countFirstField, 1)

                    if re.search(" ORDER BY ", expression, re.I):