[sqlmap-users] App outputs only column #0
From: Anton M. <aza...@ya...> - 2010-10-18 23:32:12
Hello. One web application has union query injection. But only zero-th column is printed at the page. Like this: <?php if (isset($_GET['name'])) { mysql_connect('localhost', 'user', 'TopSecret'); mysql_select_db('sqlmap_test'); $result = mysql_query("SELECT * FROM `data` WHERE `name` = '{$_GET['name']}'"); $row = mysql_fetch_row($result); echo $row[0]; } else { echo '<a href="?name=item_1">Click me</a>'; } ?> Data in DBMS should be like this: mysql> CREATE DATABASE `sqlmap_test`; mysql> USE `sqlmap_test`; mysql> CREATE TABLE `data` (`name` VARCHAR(255), `value` VARCHAR(255)); mysql> INSERT INTO `data` VALUES ('item_1', 'foo'); sqlmap can't determine this injection. And after changing "echo $row[0];" to "echo $row[1];" everything is OK. In fact it finds, but set "kb.unionPosition" to 0 and after that check if injection was found with code similair to "if kb.unionPosition:". As I understand, expected that kb.unionPosition will be None if nothing is found and 1,2,3... if something is found. And so sqlmap interprets 0-th position as it wasn't found ability to use UNION (because 0 in "if kb.unionPosition:" is interpreted as False). I did rogue patch basically changing if kb.unionPosition: to if kb.unionPosition != None: and similair things. Didn't test carefully and I'm definetily not knowledgable enough to ensure that everything is done properly, but in my particular case it helped.
diff -ur sqlmap-dev/lib/controller/action.py sqlmap-dev-edited/lib/controller/action.py
--- sqlmap-dev/lib/controller/action.py 2010-10-19 01:50:39.241344594 +0400
+++ sqlmap-dev-edited/lib/controller/action.py 2010-10-19 02:54:13.465340951 +0400
@@ -60,7 +60,7 @@
if conf.timeTest:
conf.dumper.technic("time based blind sql injection payload", timeTest())
- if ( conf.unionUse or conf.unionTest ) and not kb.unionPosition:
+ if ( conf.unionUse or conf.unionTest ) and kb.unionPosition == None:
conf.dumper.technic("valid union", unionTest())
# Enumeration options
diff -ur sqlmap-dev/lib/core/agent.py sqlmap-dev-edited/lib/core/agent.py
--- sqlmap-dev/lib/core/agent.py 2010-10-19 01:50:39.484343548 +0400
+++ sqlmap-dev-edited/lib/core/agent.py 2010-10-19 02:55:54.672339497 +0400
@@ -452,7 +452,7 @@
query = query[len("TOP %s " % topNum):]
inbandQuery += "TOP %s " % topNum
- if not exprPosition:
+ if exprPosition == None:
exprPosition = kb.unionPosition
intoRegExp = re.search("(\s+INTO (DUMP|OUT)FILE\s+\'(.+?)\')", query, re.I)
diff -ur sqlmap-dev/lib/core/session.py sqlmap-dev-edited/lib/core/session.py
--- sqlmap-dev/lib/core/session.py 2010-10-19 01:50:39.501342465 +0400
+++ sqlmap-dev-edited/lib/core/session.py 2010-10-19 02:52:27.288339918 +0400
@@ -223,7 +223,7 @@
kb.unionComment = comment
kb.unionCount = count
- if position:
+ if position != None:
condition = ( not kb.resumedQueries or
( kb.resumedQueries.has_key(conf.url) and
( not kb.resumedQueries[conf.url].has_key("Union position")
diff -ur sqlmap-dev/lib/request/inject.py sqlmap-dev-edited/lib/request/inject.py
--- sqlmap-dev/lib/request/inject.py 2010-10-19 01:50:39.600342306 +0400
+++ sqlmap-dev-edited/lib/request/inject.py 2010-10-19 02:51:28.344340250 +0400
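Review bot: The new guards in this hunk and in the agent.py and session.py hunks on the same line compare against None with `==`/`!=` (`and kb.unionPosition == None:`, `if exprPosition == None:`, `if position != None:`); PEP 8 calls for an identity test, so they should read `and kb.unionPosition is None:`, `if exprPosition is None:` and `if position is not None:`, and the same substitution applies to every `!= None` guard in the inject.py and plugin hunks further down. Treating column 0 as a valid union position is the right fix, but it presumes kb.unionPosition is initialised to None rather than False or 0 — that initialisation is not in the diff and is worth confirming. The session.py hunk only changes what gets written once a position is found; the code that reads "Union position" back on resume is not shown, and any `if kb.unionPosition:` truth test left outside these hunks would still mistake position 0 for "no union found". The enclosing functions of all three hunks start and end outside the hunk.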
@@ -347,7 +347,7 @@
expression = expression.replace("DISTINCT ", "")
- if inband and kb.unionPosition:
+ if inband and kb.unionPosition != None:
value = __goInband(expression, expected, sort, resumeValue, unpack, dump)
if not value:
diff -ur sqlmap-dev/plugins/dbms/mssqlserver/enumeration.py sqlmap-dev-edited/plugins/dbms/mssqlserver/enumeration.py
--- sqlmap-dev/plugins/dbms/mssqlserver/enumeration.py 2010-10-19 01:50:33.629342785 +0400
+++ sqlmap-dev-edited/plugins/dbms/mssqlserver/enumeration.py 2010-10-19 03:00:52.724338261 +0400
@@ -48,7 +48,7 @@
else:
dbs = [conf.db]
- if kb.unionPosition or conf.direct:
+ if kb.unionPosition != None or conf.direct:
for db in dbs:
if conf.excludeSysDbs and db in self.excludeDbsList:
infoMsg = "skipping system database '%s'" % db
@@ -138,7 +138,7 @@
continue
- if kb.unionPosition or conf.direct:
+ if kb.unionPosition != None or conf.direct:
query = rootQuery["inband"]["query"] % db
query += tblQuery
values = inject.getValue(query, blind=False)
@@ -223,7 +223,7 @@
continue
- if kb.unionPosition or conf.direct:
+ if kb.unionPosition != None or conf.direct:
query = rootQuery["inband"]["query"] % (db, db, db, db, db)
query += " AND %s" % colQuery.replace("[DB]", db)
values = inject.getValue(query, blind=False)
diff -ur sqlmap-dev/plugins/dbms/mssqlserver/filesystem.py sqlmap-dev-edited/plugins/dbms/mssqlserver/filesystem.py
--- sqlmap-dev/plugins/dbms/mssqlserver/filesystem.py 2010-10-19 01:50:33.625342874 +0400
+++ sqlmap-dev-edited/plugins/dbms/mssqlserver/filesystem.py 2010-10-19 03:00:15.052341781 +0400
@@ -92,7 +92,7 @@
binToHexQuery = urlencode(binToHexQuery, convall=True)
inject.goStacked(binToHexQuery)
- if kb.unionPosition:
+ if kb.unionPosition != None:
result = inject.getValue("SELECT %s FROM %s ORDER BY id ASC" % (self.tblField, hexTbl), sort=False, resumeValue=False, blind=False)
if not result:
diff -ur sqlmap-dev/plugins/dbms/oracle/enumeration.py sqlmap-dev-edited/plugins/dbms/oracle/enumeration.py
--- sqlmap-dev/plugins/dbms/oracle/enumeration.py 2010-10-19 01:50:33.577342360 +0400
+++ sqlmap-dev-edited/plugins/dbms/oracle/enumeration.py 2010-10-19 03:01:11.381340862 +0400
@@ -36,7 +36,7 @@
# Set containing the list of DBMS administrators
areAdmins = set()
- if kb.unionPosition or conf.direct:
+ if kb.unionPosition != None or conf.direct:
if query2:
query = rootQuery["inband"]["query2"]
condition = rootQuery["inband"]["condition2"]
@@ -196,7 +196,7 @@
colQuery = colQuery % column
for db in dbs.keys():
- if kb.unionPosition or conf.direct:
+ if kb.unionPosition != None or conf.direct:
query = rootQuery["inband"]["query"]
query += colQuery
values = inject.getValue(query, blind=False)
diff -ur sqlmap-dev/plugins/generic/enumeration.py sqlmap-dev-edited/plugins/generic/enumeration.py
--- sqlmap-dev/plugins/generic/enumeration.py 2010-10-19 01:50:33.817345961 +0400
+++ sqlmap-dev-edited/plugins/generic/enumeration.py 2010-10-19 02:50:44.488340196 +0400
@@ -136,7 +136,7 @@
condition = ( kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ) )
condition |= ( kb.dbms == "MySQL" and not kb.data.has_information_schema )
- if kb.unionPosition or conf.direct:
+ if kb.unionPosition != None or conf.direct:
if condition:
query = rootQuery["inband"]["query2"]
else:
@@ -193,7 +193,7 @@
logger.info(infoMsg)
- if kb.unionPosition or conf.direct:
+ if kb.unionPosition != None or conf.direct:
if kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ):
query = rootQuery["inband"]["query2"]
else:
@@ -390,7 +390,7 @@
"E": "EXECUTE"
}
- if kb.unionPosition or conf.direct:
+ if kb.unionPosition != None or conf.direct:
if kb.dbms == "MySQL" and not kb.data.has_information_schema:
query = rootQuery["inband"]["query2"]
condition = rootQuery["inband"]["condition2"]
@@ -636,7 +636,7 @@
rootQuery = queries[kb.dbms].dbs
- if kb.unionPosition or conf.direct:
+ if kb.unionPosition != None or conf.direct:
if kb.dbms == "MySQL" and not kb.data.has_information_schema:
query = rootQuery["inband"]["query2"]
else:
@@ -703,7 +703,7 @@
rootQuery = queries[kb.dbms].tables
- if kb.unionPosition or conf.direct:
+ if kb.unionPosition != None or conf.direct:
query = rootQuery["inband"]["query"]
condition = rootQuery["inband"]["condition"]
@@ -899,7 +899,7 @@
infoMsg += "on database '%s'" % conf.db
logger.info(infoMsg)
- if kb.unionPosition or conf.direct:
+ if kb.unionPosition != None or conf.direct:
if kb.dbms in ( "MySQL", "PostgreSQL" ):
query = rootQuery["inband"]["query"] % (conf.tbl, conf.db)
query += condQuery
@@ -1078,7 +1078,7 @@
entriesCount = 0
- if kb.unionPosition or conf.direct:
+ if kb.unionPosition != None or conf.direct:
if kb.dbms == "Oracle":
query = rootQuery["inband"]["query"] % (colString, conf.tbl.upper())
elif kb.dbms == "SQLite":
@@ -1336,7 +1336,7 @@
dbQuery = "%s%s" % (dbCond, dbCondParam)
dbQuery = dbQuery % db
- if kb.unionPosition or conf.direct:
+ if kb.unionPosition != None or conf.direct:
if kb.dbms == "MySQL" and not kb.data.has_information_schema:
query = rootQuery["inband"]["query2"]
else:
@@ -1424,7 +1424,7 @@
tblQuery = "%s%s" % (tblCond, tblCondParam)
tblQuery = tblQuery % tbl
- if kb.unionPosition or conf.direct:
+ if kb.unionPosition != None or conf.direct:
query = rootQuery["inband"]["query"]
query += tblQuery
query += exclDbsQuery
@@ -1545,7 +1545,7 @@
colQuery = "%s%s" % (colCond, colCondParam)
colQuery = colQuery % column
- if kb.unionPosition or conf.direct:
+ if kb.unionPosition != None or conf.direct:
query = rootQuery["inband"]["query"]
query += colQuery
query += exclDbsQuery
And thanks very much for such helpful program! |