Commit 3977be9

Browse files
committed
Fixing falling back (aka query2) for --tables
1 parent 9da558f commit 3977be9

3 files changed

Lines changed: 68 additions & 63 deletions


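--- a/data/xml/queries.xml
+++ b/data/xml/queries.xml
@@ -127,8 +127,8 @@
 <blind query="SELECT DISTINCT(schemaname) FROM pg_tables ORDER BY schemaname OFFSET %d LIMIT 1" count="SELECT COUNT(DISTINCT(schemaname)) FROM pg_tables"/>
 </dbs>
 <tables>
-<inband query="SELECT schemaname,tablename FROM pg_tables" condition="schemaname"/>
-<blind query="SELECT tablename FROM pg_tables WHERE schemaname='%s' ORDER BY tablename OFFSET %d LIMIT 1" count="SELECT COUNT(tablename) FROM pg_tables WHERE schemaname='%s'"/>
+<inband query="SELECT schemaname,tablename FROM pg_tables" condition="schemaname" query2="SELECT table_schema,table_name FROM information_schema.tables" condition2="table_schema"/>
+<blind query="SELECT tablename FROM pg_tables WHERE schemaname='%s' ORDER BY tablename OFFSET %d LIMIT 1" count="SELECT COUNT(tablename) FROM pg_tables WHERE schemaname='%s'" query2="SELECT table_name FROM information_schema.tables WHERE table_schema='%s' OFFSET %d LIMIT 1" count2="SELECT COUNT(table_name) FROM information_schema.tables WHERE table_schema='%s'"/>
 </tables>
 <columns>
 <inband query="SELECT attname,typname FROM pg_attribute b JOIN pg_class a ON a.oid=b.attrelid JOIN pg_type c ON c.oid=b.atttypid JOIN pg_namespace d ON a.relnamespace=d.oid WHERE b.attnum>0 AND a.relname='%s' AND nspname='%s' ORDER BY attname" condition="attname"/>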
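Review bot: The new `query2` on the `<blind>` element (new line 131) paginates `information_schema.tables` with `OFFSET %d LIMIT 1` but, unlike the primary `query` next to it, carries no `ORDER BY`, so the row order across successive offsets is not defined and blind enumeration can return a table twice or skip one. Match the primary query's ordering: `query2="SELECT table_name FROM information_schema.tables WHERE table_schema='%s' ORDER BY table_name OFFSET %d LIMIT 1"`. The `count2` query is unaffected.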

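--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -20,7 +20,7 @@
 from thirdparty.six import unichr as _unichr
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.5.8.2"
+VERSION = "1.5.8.3"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)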

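--- a/plugins/generic/databases.py
+++ b/plugins/generic/databases.py
@@ -363,78 +363,83 @@ def getTables(self, bruteForce=None):
 singleTimeLogMessage(infoMsg)
 continue
 
-infoMsg = "fetching number of tables for "
-infoMsg += "database '%s'" % unsafeSQLIdentificatorNaming(db)
-logger.info(infoMsg)
-
-if Backend.getIdentifiedDbms() in (DBMS.SQLITE, DBMS.FIREBIRD, DBMS.MAXDB, DBMS.ACCESS, DBMS.MCKOI, DBMS.EXTREMEDB):
-query = rootQuery.blind.count
-else:
-query = rootQuery.blind.count % unsafeSQLIdentificatorNaming(db)
+for query, count in ((rootQuery.blind.query, rootQuery.blind.count), (getattr(rootQuery.blind, "query2", None), getattr(rootQuery.blind, "count2", None))):
+if query is None:
+break
 
-count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
+infoMsg = "fetching number of tables for "
+infoMsg += "database '%s'" % unsafeSQLIdentificatorNaming(db)
+logger.info(infoMsg)
 
-if count == 0:
-warnMsg = "database '%s' " % unsafeSQLIdentificatorNaming(db)
-warnMsg += "appears to be empty"
-logger.warn(warnMsg)
-continue
+if Backend.getIdentifiedDbms() not in (DBMS.SQLITE, DBMS.FIREBIRD, DBMS.MAXDB, DBMS.ACCESS, DBMS.MCKOI, DBMS.EXTREMEDB):
+count = count % unsafeSQLIdentificatorNaming(db)
 
-elif not isNumPosStrValue(count):
-warnMsg = "unable to retrieve the number of "
-warnMsg += "tables for database '%s'" % unsafeSQLIdentificatorNaming(db)
-logger.warn(warnMsg)
-continue
+count = inject.getValue(count, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
 
-tables = []
+if count == 0:
+warnMsg = "database '%s' " % unsafeSQLIdentificatorNaming(db)
+warnMsg += "appears to be empty"
+logger.warn(warnMsg)
+break
 
-plusOne = Backend.getIdentifiedDbms() in PLUS_ONE_DBMSES
-indexRange = getLimitRange(count, plusOne=plusOne)
+elif not isNumPosStrValue(count):
+warnMsg = "unable to retrieve the number of "
+warnMsg += "tables for database '%s'" % unsafeSQLIdentificatorNaming(db)
+singleTimeWarnMessage(warnMsg)
+continue
+
+tables = []
+
+plusOne = Backend.getIdentifiedDbms() in PLUS_ONE_DBMSES
+indexRange = getLimitRange(count, plusOne=plusOne)
+
+for index in indexRange:
+if Backend.isDbms(DBMS.SYBASE):
+query = query % (db, (kb.data.cachedTables[-1] if kb.data.cachedTables else " "))
+elif Backend.getIdentifiedDbms() in (DBMS.MAXDB, DBMS.ACCESS, DBMS.MCKOI, DBMS.EXTREMEDB):
+query = query % (kb.data.cachedTables[-1] if kb.data.cachedTables else " ")
+elif Backend.getIdentifiedDbms() in (DBMS.SQLITE, DBMS.FIREBIRD):
+query = query % index
+elif Backend.getIdentifiedDbms() in (DBMS.HSQLDB, DBMS.INFORMIX, DBMS.FRONTBASE, DBMS.VIRTUOSO):
+query = query % (index, unsafeSQLIdentificatorNaming(db))
+else:
+query = query % (unsafeSQLIdentificatorNaming(db), index)
 
-for index in indexRange:
-if Backend.isDbms(DBMS.SYBASE):
-query = rootQuery.blind.query % (db, (kb.data.cachedTables[-1] if kb.data.cachedTables else " "))
-elif Backend.getIdentifiedDbms() in (DBMS.MAXDB, DBMS.ACCESS, DBMS.MCKOI, DBMS.EXTREMEDB):
-query = rootQuery.blind.query % (kb.data.cachedTables[-1] if kb.data.cachedTables else " ")
-elif Backend.getIdentifiedDbms() in (DBMS.SQLITE, DBMS.FIREBIRD):
-query = rootQuery.blind.query % index
-elif Backend.getIdentifiedDbms() in (DBMS.HSQLDB, DBMS.INFORMIX, DBMS.FRONTBASE, DBMS.VIRTUOSO):
-query = rootQuery.blind.query % (index, unsafeSQLIdentificatorNaming(db))
-else:
-query = rootQuery.blind.query % (unsafeSQLIdentificatorNaming(db), index)
+table = unArrayizeValue(inject.getValue(query, union=False, error=False))
 
-table = unArrayizeValue(inject.getValue(query, union=False, error=False))
+if not isNoneValue(table):
+kb.hintValue = table
+table = safeSQLIdentificatorNaming(table, True)
+tables.append(table)
 
-if not isNoneValue(table):
-kb.hintValue = table
-table = safeSQLIdentificatorNaming(table, True)
-tables.append(table)
+if tables:
+kb.data.cachedTables[db] = tables
 
 if conf.getComments:
-_ = queries[Backend.getIdentifiedDbms()].table_comment
-if hasattr(_, "query"):
-if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2, DBMS.DERBY, DBMS.ALTIBASE):
-query = _.query % (unsafeSQLIdentificatorNaming(db.upper()), unsafeSQLIdentificatorNaming(table.upper()))
+for table in tables:
+_ = queries[Backend.getIdentifiedDbms()].table_comment
+if hasattr(_, "query"):
+if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2, DBMS.DERBY, DBMS.ALTIBASE):
+query = _.query % (unsafeSQLIdentificatorNaming(db.upper()), unsafeSQLIdentificatorNaming(table.upper()))
+else:
+query = _.query % (unsafeSQLIdentificatorNaming(db), unsafeSQLIdentificatorNaming(table))
+
+comment = unArrayizeValue(inject.getValue(query, union=False, error=False))
+if not isNoneValue(comment):
+infoMsg = "retrieved comment '%s' for table '%s'" % (comment, unsafeSQLIdentificatorNaming(table))
+if METADB_SUFFIX not in db:
+infoMsg += " in database '%s'" % unsafeSQLIdentificatorNaming(db)
+logger.info(infoMsg)
 else:
-query = _.query % (unsafeSQLIdentificatorNaming(db), unsafeSQLIdentificatorNaming(table))
+warnMsg = "on %s it is not " % Backend.getIdentifiedDbms()
+warnMsg += "possible to get table comments"
+singleTimeWarnMessage(warnMsg)
 
-comment = unArrayizeValue(inject.getValue(query, union=False, error=False))
-if not isNoneValue(comment):
-infoMsg = "retrieved comment '%s' for table '%s'" % (comment, unsafeSQLIdentificatorNaming(table))
-if METADB_SUFFIX not in db:
-infoMsg += " in database '%s'" % unsafeSQLIdentificatorNaming(db)
-logger.info(infoMsg)
-else:
-warnMsg = "on %s it is not " % Backend.getIdentifiedDbms()
-warnMsg += "possible to get table comments"
-singleTimeWarnMessage(warnMsg)
-
-if tables:
-kb.data.cachedTables[db] = tables
-else:
-warnMsg = "unable to retrieve the table names "
-warnMsg += "for database '%s'" % unsafeSQLIdentificatorNaming(db)
-logger.warn(warnMsg)
+break
+else:
+warnMsg = "unable to retrieve the table names "
+warnMsg += "for database '%s'" % unsafeSQLIdentificatorNaming(db)
+logger.warn(warnMsg)
 
 if isNoneValue(kb.data.cachedTables):
 kb.data.cachedTables.clear()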
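Review bot: Inside the new `for index in indexRange:` loop (new lines 396–406) every branch rebinds the outer loop variable with `query = query % (...)`, so after the first index the `%s`/`%d` placeholders are consumed and the second iteration applies `%` to an already-formatted string, which raises `TypeError: not all arguments converted during string formatting` for any database with more than one table; the removed code avoided this by formatting `rootQuery.blind.query` afresh each time. Format into a separate local and pass that to `inject.getValue`, as below. Separately, `if query is None: break` (new lines 367–368) skips the loop's `else:` (new line 439), so when the primary query yields no tables on a DBMS without a `query2` the "unable to retrieve the table names" warning that the old code logged is never emitted; `continue` there would let the `else:` fire. Indentation is lost in this rendering, so the nesting of the `break` at new line 438 under `if tables:` is inferred, and `getTables` begins before the hunk.
```python
for index in indexRange:
    if Backend.isDbms(DBMS.SYBASE):
        _ = query % (db, (kb.data.cachedTables[-1] if kb.data.cachedTables else " "))
    elif Backend.getIdentifiedDbms() in (DBMS.MAXDB, DBMS.ACCESS, DBMS.MCKOI, DBMS.EXTREMEDB):
        _ = query % (kb.data.cachedTables[-1] if kb.data.cachedTables else " ")
    elif Backend.getIdentifiedDbms() in (DBMS.SQLITE, DBMS.FIREBIRD):
        _ = query % index
    elif Backend.getIdentifiedDbms() in (DBMS.HSQLDB, DBMS.INFORMIX, DBMS.FRONTBASE, DBMS.VIRTUOSO):
        _ = query % (index, unsafeSQLIdentificatorNaming(db))
    else:
        _ = query % (unsafeSQLIdentificatorNaming(db), index)

    table = unArrayizeValue(inject.getValue(_, union=False, error=False))
    # ... unchanged: isNoneValue(table) check, kb.hintValue, tables.append ...
```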
