Re: [sqlmap-users] App outputs only column #0
From: Bernardo D. A. G. <ber...@gm...> - 2010-10-19 06:53:13
Hi Anton, Good spot! Can you please provide us with your patch against the root of the svn working copy? 'svn diff . > union.patch' will work. I will review it and merge. Bernardo Damele A. G. On 19 Oct 2010, at 00:32, Anton Mogilin <aza...@ya...> wrote: > Hello. > > One web application has union query injection. But only the zero-th column is printed on the page. > Like this: > > <?php > if (isset($_GET['name'])) > { > mysql_connect('localhost', 'user', 'TopSecret'); > mysql_select_db('sqlmap_test'); > $result = mysql_query("SELECT * FROM `data` WHERE `name` = '{$_GET['name']}'"); > $row = mysql_fetch_row($result); > echo $row[0]; > } > else > { > echo '<a href="?name=item_1">Click me</a>'; > } > ?> > > Data in DBMS should be like this: > mysql> CREATE DATABASE `sqlmap_test`; > mysql> USE `sqlmap_test`; > mysql> CREATE TABLE `data` (`name` VARCHAR(255), `value` VARCHAR(255)); > mysql> INSERT INTO `data` VALUES ('item_1', 'foo'); > > sqlmap can't determine this injection. And after changing "echo $row[0];" to "echo $row[1];" everything is OK. > In fact it finds it, but sets "kb.unionPosition" to 0 and after that checks if the injection was found with code similar to "if kb.unionPosition:". > As I understand, it is expected that kb.unionPosition will be None if nothing is found and 1,2,3... if something is found. And so sqlmap interprets the 0-th position as if no usable UNION was found (because 0 in "if kb.unionPosition:" is interpreted as False). > > I made a rough patch, basically changing > if kb.unionPosition: > to > if kb.unionPosition != None: > and similar things. I didn't test carefully and I'm definitely not knowledgeable enough to ensure that everything is done properly, but in my particular case it helped. > > diff -ur sqlmap-dev/lib/controller/action.py sqlmap-dev-edited/lib/controller/action.py > --- sqlmap-dev/lib/controller/action.py 2010-10-19 01:50:39.241344594 +0400 > +++ sqlmap-dev-edited/lib/controller/action.py 2010-10-19 02:54:13.465340951 +0400
> @@ -60,7 +60,7 @@
> if conf.timeTest:
> conf.dumper.technic("time based blind sql injection payload", timeTest())
>
> - if ( conf.unionUse or conf.unionTest ) and not kb.unionPosition:
> + if ( conf.unionUse or conf.unionTest ) and kb.unionPosition == None:
> conf.dumper.technic("valid union", unionTest())
>
> # Enumeration options
> diff -ur sqlmap-dev/lib/core/agent.py sqlmap-dev-edited/lib/core/agent.py
> --- sqlmap-dev/lib/core/agent.py 2010-10-19 01:50:39.484343548 +0400
> +++ sqlmap-dev-edited/lib/core/agent.py 2010-10-19 02:55:54.672339497 +0400
> @@ -452,7 +452,7 @@
> query = query[len("TOP %s " % topNum):]
> inbandQuery += "TOP %s " % topNum
>
> - if not exprPosition:
> + if exprPosition == None:
> exprPosition = kb.unionPosition
>
> intoRegExp = re.search("(\s+INTO (DUMP|OUT)FILE\s+\'(.+?)\')", query, re.I)
> diff -ur sqlmap-dev/lib/core/session.py sqlmap-dev-edited/lib/core/session.py
> --- sqlmap-dev/lib/core/session.py 2010-10-19 01:50:39.501342465 +0400
> +++ sqlmap-dev-edited/lib/core/session.py 2010-10-19 02:52:27.288339918 +0400
> @@ -223,7 +223,7 @@
> kb.unionComment = comment
> kb.unionCount = count
>
> - if position:
> + if position != None:
> condition = (
> not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and
> ( not kb.resumedQueries[conf.url].has_key("Union position")
> diff -ur sqlmap-dev/lib/request/inject.py sqlmap-dev-edited/lib/request/inject.py
> --- sqlmap-dev/lib/request/inject.py 2010-10-19 01:50:39.600342306 +0400
> +++ sqlmap-dev-edited/lib/request/inject.py 2010-10-19 02:51:28.344340250 +0400
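Review bot: Every new condition compares against None with `==`/`!=` (`kb.unionPosition == None` on the changed action.py line), where Python's idiom is identity comparison: `if ( conf.unionUse or conf.unionTest ) and kb.unionPosition is None:`. The same substitution applies to each hunk in this patch: agent.py (`exprPosition is None`), session.py (`position is not None`), inject.py, and every `kb.unionPosition != None or conf.direct` guard in the mssqlserver, oracle and generic plugin hunks. That guard is repeated across roughly a dozen plugin hunks; a single helper in lib/core, e.g. `def isUnionInjectable(): return kb.unionPosition is not None or conf.direct`, would keep the None-versus-0 rule this patch fixes in one place instead of in every enumeration method. The functions enclosing these hunks start outside the hunks.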
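Review bot: `if exprPosition == None:` in the agent.py hunk substitutes kb.unionPosition only when exprPosition is None, whereas the old `if not exprPosition:` also did so for 0 and an empty string; the parameter's default value and its callers are outside the hunk, so it is worth confirming that the default is None rather than 0 or "" before merging, otherwise the fall-back silently stops applying. Assuming the default is None, the line should read `if exprPosition is None:`. exprPosition presumably is the column index at which the payload is placed; the enclosing function begins outside the hunk.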
> @@ -347,7 +347,7 @@
>
> expression = expression.replace("DISTINCT ", "")
>
> - if inband and kb.unionPosition:
> + if inband and kb.unionPosition != None:
> value = __goInband(expression, expected, sort, resumeValue, unpack, dump)
>
> if not value:
> diff -ur sqlmap-dev/plugins/dbms/mssqlserver/enumeration.py sqlmap-dev-edited/plugins/dbms/mssqlserver/enumeration.py
> --- sqlmap-dev/plugins/dbms/mssqlserver/enumeration.py 2010-10-19 01:50:33.629342785 +0400
> +++ sqlmap-dev-edited/plugins/dbms/mssqlserver/enumeration.py 2010-10-19 03:00:52.724338261 +0400
> @@ -48,7 +48,7 @@
> else:
> dbs = [conf.db]
>
> - if kb.unionPosition or conf.direct:
> + if kb.unionPosition != None or conf.direct:
> for db in dbs:
> if conf.excludeSysDbs and db in self.excludeDbsList:
> infoMsg = "skipping system database '%s'" % db
> @@ -138,7 +138,7 @@
>
> continue
>
> - if kb.unionPosition or conf.direct:
> + if kb.unionPosition != None or conf.direct:
> query = rootQuery["inband"]["query"] % db
> query += tblQuery
> values = inject.getValue(query, blind=False)
> @@ -223,7 +223,7 @@
>
> continue
>
> - if kb.unionPosition or conf.direct:
> + if kb.unionPosition != None or conf.direct:
> query = rootQuery["inband"]["query"] % (db, db, db, db, db)
> query += " AND %s" % colQuery.replace("[DB]", db)
> values = inject.getValue(query, blind=False)
> diff -ur sqlmap-dev/plugins/dbms/mssqlserver/filesystem.py sqlmap-dev-edited/plugins/dbms/mssqlserver/filesystem.py
> --- sqlmap-dev/plugins/dbms/mssqlserver/filesystem.py 2010-10-19 01:50:33.625342874 +0400
> +++ sqlmap-dev-edited/plugins/dbms/mssqlserver/filesystem.py 2010-10-19 03:00:15.052341781 +0400
> @@ -92,7 +92,7 @@
> binToHexQuery = urlencode(binToHexQuery, convall=True)
> inject.goStacked(binToHexQuery)
>
> - if kb.unionPosition:
> + if kb.unionPosition != None:
> result = inject.getValue("SELECT %s FROM %s ORDER BY id ASC" % (self.tblField, hexTbl), sort=False, resumeValue=False, blind=False)
>
> if not result:
> diff -ur sqlmap-dev/plugins/dbms/oracle/enumeration.py sqlmap-dev-edited/plugins/dbms/oracle/enumeration.py
> --- sqlmap-dev/plugins/dbms/oracle/enumeration.py 2010-10-19 01:50:33.577342360 +0400
> +++ sqlmap-dev-edited/plugins/dbms/oracle/enumeration.py 2010-10-19 03:01:11.381340862 +0400
> @@ -36,7 +36,7 @@
> # Set containing the list of DBMS administrators
> areAdmins = set()
>
> - if kb.unionPosition or conf.direct:
> + if kb.unionPosition != None or conf.direct:
> if query2:
> query = rootQuery["inband"]["query2"]
> condition = rootQuery["inband"]["condition2"]
> @@ -196,7 +196,7 @@
> colQuery = colQuery % column
>
> for db in dbs.keys():
> - if kb.unionPosition or conf.direct:
> + if kb.unionPosition != None or conf.direct:
> query = rootQuery["inband"]["query"]
> query += colQuery
> values = inject.getValue(query, blind=False)
> diff -ur sqlmap-dev/plugins/generic/enumeration.py sqlmap-dev-edited/plugins/generic/enumeration.py
> --- sqlmap-dev/plugins/generic/enumeration.py 2010-10-19 01:50:33.817345961 +0400
> +++ sqlmap-dev-edited/plugins/generic/enumeration.py 2010-10-19 02:50:44.488340196 +0400
> @@ -136,7 +136,7 @@
> condition = ( kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ) )
> condition |= ( kb.dbms == "MySQL" and not kb.data.has_information_schema )
>
> - if kb.unionPosition or conf.direct:
> + if kb.unionPosition != None or conf.direct:
> if condition:
> query = rootQuery["inband"]["query2"]
> else:
> @@ -193,7 +193,7 @@
>
> logger.info(infoMsg)
>
> - if kb.unionPosition or conf.direct:
> + if kb.unionPosition != None or conf.direct:
> if kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ):
> query = rootQuery["inband"]["query2"]
> else:
> @@ -390,7 +390,7 @@
> "E": "EXECUTE"
> }
>
> - if kb.unionPosition or conf.direct:
> + if kb.unionPosition != None or conf.direct:
> if kb.dbms == "MySQL" and not kb.data.has_information_schema:
> query = rootQuery["inband"]["query2"]
> condition = rootQuery["inband"]["condition2"]
> @@ -636,7 +636,7 @@
>
> rootQuery = queries[kb.dbms].dbs
>
> - if kb.unionPosition or conf.direct:
> + if kb.unionPosition != None or conf.direct:
> if kb.dbms == "MySQL" and not kb.data.has_information_schema:
> query = rootQuery["inband"]["query2"]
> else:
> @@ -703,7 +703,7 @@
>
> rootQuery = queries[kb.dbms].tables
>
> - if kb.unionPosition or conf.direct:
> + if kb.unionPosition != None or conf.direct:
> query = rootQuery["inband"]["query"]
> condition = rootQuery["inband"]["condition"]
>
> @@ -899,7 +899,7 @@
> infoMsg += "on database '%s'" % conf.db
> logger.info(infoMsg)
>
> - if kb.unionPosition or conf.direct:
> + if kb.unionPosition != None or conf.direct:
> if kb.dbms in ( "MySQL", "PostgreSQL" ):
> query = rootQuery["inband"]["query"] % (conf.tbl, conf.db)
> query += condQuery
> @@ -1078,7 +1078,7 @@
>
> entriesCount = 0
>
> - if kb.unionPosition or conf.direct:
> + if kb.unionPosition != None or conf.direct:
> if kb.dbms == "Oracle":
> query = rootQuery["inband"]["query"] % (colString, conf.tbl.upper())
> elif kb.dbms == "SQLite":
> @@ -1336,7 +1336,7 @@
> dbQuery = "%s%s" % (dbCond, dbCondParam)
> dbQuery = dbQuery % db
>
> - if kb.unionPosition or conf.direct:
> + if kb.unionPosition != None or conf.direct:
> if kb.dbms == "MySQL" and not kb.data.has_information_schema:
> query = rootQuery["inband"]["query2"]
> else:
> @@ -1424,7 +1424,7 @@
> tblQuery = "%s%s" % (tblCond, tblCondParam)
> tblQuery = tblQuery % tbl
>
> - if kb.unionPosition or conf.direct:
> + if kb.unionPosition != None or conf.direct:
> query = rootQuery["inband"]["query"]
> query += tblQuery
> query += exclDbsQuery
> @@ -1545,7 +1545,7 @@
> colQuery = "%s%s" % (colCond, colCondParam)
> colQuery = colQuery % column
>
> - if kb.unionPosition or conf.direct:
> + if kb.unionPosition != None or conf.direct:
> query = rootQuery["inband"]["query"]
> query += colQuery
> query += exclDbsQuery
>
> And thanks very much for such helpful program! > > > > > ------------------------------------------------------------------------------ > Download new Adobe(R) Flash(R) Builder(TM) 4 > The new Adobe(R) Flex(R) 4 and Flash(R) Builder(TM) 4 (formerly > Flex(R) Builder(TM)) enable the development of rich applications that run > across multiple browsers and platforms. Download your free trials today! > http://p.sf.net/sfu/adobe-dev2dev > _______________________________________________ > sqlmap-users mailing list > sql...@li... > https://lists.sourceforge.net/lists/listinfo/sqlmap-users |