mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2025-12-06 20:51:31 +00:00
More bug fixes to properly distinguish between full inband and single-entry inband sql injections
This commit is contained in:
Bernardo Damele
@@ -483,7 +483,7 @@ class Agent:
|
|||||||
|
|
||||||
return concatenatedQuery
|
return concatenatedQuery
|
||||||
|
|
||||||
def forgeInbandQuery(self, query, exprPosition=None, nullChar=None, count=None, comment=None):
|
def forgeInbandQuery(self, query, exprPosition=None, nullChar=None, count=None, comment=None, multipleUnions=None):
|
||||||
"""
|
"""
|
||||||
Take in input an query (pseudo query) string and return its
|
Take in input an query (pseudo query) string and return its
|
||||||
processed UNION ALL SELECT query.
|
processed UNION ALL SELECT query.
|
||||||
@@ -569,6 +569,22 @@ class Agent:
|
|||||||
if intoRegExp:
|
if intoRegExp:
|
||||||
inbandQuery += intoRegExp
|
inbandQuery += intoRegExp
|
||||||
|
|
||||||
|
if multipleUnions:
|
||||||
|
inbandQuery += " UNION ALL SELECT "
|
||||||
|
|
||||||
|
for element in range(count):
|
||||||
|
if element > 0:
|
||||||
|
inbandQuery += ", "
|
||||||
|
|
||||||
|
if element == exprPosition:
|
||||||
|
inbandQuery += multipleUnions
|
||||||
|
else:
|
||||||
|
inbandQuery += nullChar
|
||||||
|
|
||||||
|
if kb.dbms == DBMS.ORACLE:
|
||||||
|
inbandQuery += " FROM DUAL"
|
||||||
|
|
||||||
|
|
||||||
inbandQuery = self.suffixQuery(inbandQuery, comment)
|
inbandQuery = self.suffixQuery(inbandQuery, comment)
|
||||||
|
|
||||||
return inbandQuery
|
return inbandQuery
|
||||||
|
|||||||
@@ -8,6 +8,8 @@ See the file 'doc/COPYING' for copying permission
|
|||||||
"""
|
"""
|
||||||
|
|
||||||
from lib.core.agent import agent
|
from lib.core.agent import agent
|
||||||
|
from lib.core.common import getUnicode
|
||||||
|
from lib.core.common import parseUnionPage
|
||||||
from lib.core.common import randomStr
|
from lib.core.common import randomStr
|
||||||
from lib.core.data import conf
|
from lib.core.data import conf
|
||||||
from lib.core.data import kb
|
from lib.core.data import kb
|
||||||
@@ -46,6 +48,22 @@ def __unionPosition(negative=False, count=None, comment=None):
|
|||||||
setUnion(position=exprPosition)
|
setUnion(position=exprPosition)
|
||||||
validPayload = payload
|
validPayload = payload
|
||||||
|
|
||||||
|
if not negative:
|
||||||
|
# Prepare expression with delimiters
|
||||||
|
randQuery2 = randomStr()
|
||||||
|
randQueryProcessed2 = agent.concatQuery("\'%s\'" % randQuery2)
|
||||||
|
randQueryUnescaped2 = unescaper.unescape(randQueryProcessed2)
|
||||||
|
|
||||||
|
# Confirm that it is a full inband SQL injection
|
||||||
|
query = agent.forgeInbandQuery(randQueryUnescaped, exprPosition, count=count, comment=comment, multipleUnions=randQueryUnescaped2)
|
||||||
|
payload = agent.payload(newValue=query, negative=negative)
|
||||||
|
|
||||||
|
# Perform the request
|
||||||
|
resultPage, _ = Request.queryPage(payload, content=True)
|
||||||
|
|
||||||
|
if resultPage and (randQuery not in resultPage or randQuery2 not in resultPage):
|
||||||
|
setUnion(negative=True)
|
||||||
|
|
||||||
break
|
break
|
||||||
|
|
||||||
return validPayload
|
return validPayload
|
||||||
|
|||||||
Reference in New Issue
Block a user