changes regarding Feature #157 (Evaluate BETWEEN for inference algorithm)

stamparm · stamparm · commit 893bc04fe497 · 2010-05-12T11:30:32.000Z
diff --git a/lib/core/optiondict.py b/lib/core/optiondict.py
@@ -67,6 +67,7 @@
                                "regexp":            "string",
                                "eString":           "string",
                                "eRegexp":           "string",
+                               "useBetween":        "boolean",
                              },
 
             "Techniques":    {
diff --git a/lib/parse/cmdline.py b/lib/parse/cmdline.py
@@ -182,6 +182,10 @@ def cmdLineParser():
                              help="Matches to be excluded before "
                                   "comparing page contents")
 
+        injection.add_option("--use-between", dest="useBetween",
+                             action="store_true",
+                             help="Use operator BETWEEN instead of default '>'")
+
         # Techniques options
         techniques = OptionGroup(parser, "Techniques", "These options can "
                                  "be used to test for specific SQL injection "
diff --git a/lib/techniques/blind/inference.py b/lib/techniques/blind/inference.py
@@ -158,18 +158,30 @@ def getChar(idx, asciiTbl=asciiTbl):
                 posValueOld = posValue
                 posValue = chr(posValue)
 
-            forgedPayload = safeStringFormat(payload, (expressionUnescaped, idx, posValue))
+            if not conf.useBetween:
+                forgedPayload = safeStringFormat(payload, (expressionUnescaped, idx, posValue))
+            else:
+                forgedPayload = safeStringFormat(payload.replace('%3E', 'BETWEEN 0 AND '), (expressionUnescaped, idx, posValue))
+
             result        = Request.queryPage(urlencode(forgedPayload))
 
             if kb.dbms == "SQLite":
                 posValue = posValueOld
 
-            if result:
-                minValue = posValue
-                asciiTbl = asciiTbl[position:]
-            else:
-                maxValue = posValue
-                asciiTbl = asciiTbl[:position]
+            if not conf.useBetween:     #normal
+                if result:
+                    minValue = posValue
+                    asciiTbl = asciiTbl[position:]
+                else:
+                    maxValue = posValue
+                    asciiTbl = asciiTbl[:position]
+            else:                       #reversed
+                if result:
+                    maxValue = posValue
+                    asciiTbl = asciiTbl[:position]
+                else:
+                    minValue = posValue
+                    asciiTbl = asciiTbl[position:]
 
             if len(asciiTbl) == 1:
                 if maxValue == 1:
diff --git a/sqlmap.conf b/sqlmap.conf
@@ -184,6 +184,9 @@ eString =
 # (http://www.python.org/doc/2.5.2/lib/re-syntax.html)
 eRegexp = 
 
+# Use operator BETWEEN instead of default '>'
+# Valid: True or False
+useBetween = False
 
 # These options can be used to test for specific SQL injection technique
 # or to use one of them to exploit the affected parameter(s) rather than
