

Commit aee269c

committed
gazillion changes, nothing will work, muhahaha
1 parent dcf7277 commit aee269c

8 files changed

Lines changed: 461 additions & 518 deletions


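--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -61,6 +61,7 @@
 from lib.core.convert import urldecode
 from lib.core.convert import urlencode
 from lib.core.enums import DBMS
+from lib.core.enums import EXPECTED
 from lib.core.enums import HTTPHEADER
 from lib.core.enums import HTTPMETHOD
 from lib.core.enums import OS
@@ -2206,10 +2207,10 @@ def trimAlphaNum(value):
 
 def isNumPosStrValue(value):
     """
-    Returns True if value is a string with a positive integer representation
+    Returns True if value is a string (or integer) with a positive integer representation
     """
 
-    return value and isinstance(value, basestring) and value.isdigit() and value != "0"
+    return (value and isinstance(value, basestring) and value.isdigit() and value != "0") or (isinstance(value, int) and value != 0)
 
 @cachedmethod
 def aliasToDbmsEnum(dbms):
@@ -3096,3 +3097,36 @@ def getCounter(technique):
     """
 
     return kb.counters.get(technique, 0)
+
+def extractExpectedValue(value, expected):
+    """
+    Extracts and returns expected value by a given type
+    """
+
+    if not expected:
+        return value
+
+    value = unArrayizeValue(value)
+
+    if isNoneValue(value):
+        value = None
+    elif expected == EXPECTED.BOOL:
+        if isinstance(value, int):
+            value = bool(value)
+        elif isinstance(value, basestring):
+            value = value.strip().lower()
+            if value in ("true", "false"):
+                value = value == "true"
+            elif value in ("1", "-1"):
+                value = True
+            elif value == "0":
+                value = False
+            else:
+                value = None
+    elif expected == EXPECTED.INT:
+        if isinstance(value, basestring):
+            if value.isdigit():
+                value = int(value)
+            else:
+                value = None
+    return value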
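Review bot: The new integer arm of `isNumPosStrValue` accepts any non-zero int, so `isNumPosStrValue(-1)` is True and, because bool subclasses int, `isNumPosStrValue(True)` is True as well, which contradicts the docstring's "positive integer representation" and the string arm's `isdigit()` check (which never admits a sign). The arm should be `(isinstance(value, int) and not isinstance(value, bool) and value > 0)`. In `extractExpectedValue`, the `EXPECTED.INT` branch only coerces strings; a value that `unArrayizeValue` leaves as a non-string (a list, presumably, when it holds several items — worth confirming) is returned unchanged rather than becoming None, which the docstring should state so callers know the return is not guaranteed to be an int or None.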

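--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -1467,6 +1467,7 @@ def __setKnowledgeBaseAttributes(flushAll=True):
     kb.reflectiveCounters = {REFLECTIVE_COUNTER.MISS:0, REFLECTIVE_COUNTER.HIT:0}
     kb.responseTimes = []
     kb.resumedQueries = {}
+    kb.resumeValues = True
     kb.safeCharEncode = False
     kb.singleLogFlags = set()
     kb.skipOthersDbms = None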

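--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -57,6 +57,8 @@
 PARAMETER_AMP_MARKER = "__AMP__"
 PARAMETER_SEMICOLON_MARKER = "__SEMICOLON__"
 
+PARTIAL_VALUE_MARKER = "__PARTIAL__"
+
 URI_QUESTION_MARKER = "__QUESTION_MARK__"
 
 PAYLOAD_DELIMITER = "\x00"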

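--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@@ -17,8 +17,10 @@
 from lib.core.common import cleanQuery
 from lib.core.common import dataToSessionFile
 from lib.core.common import expandAsteriskForColumns
+from lib.core.common import extractExpectedValue
 from lib.core.common import getPublicTypeMembers
 from lib.core.common import initTechnique
+from lib.core.common import isNoneValue
 from lib.core.common import isNumPosStrValue
 from lib.core.common import isTechniqueAvailable
 from lib.core.common import parseUnionPage
@@ -72,7 +74,7 @@ def __goInference(payload, expression, charsetType=None, firstChar=None, lastCha
 
     return value
 
-def __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected=None, num=None, resumeValue=True, charsetType=None, firstChar=None, lastChar=None, dump=False):
+def __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected=None, num=None, charsetType=None, firstChar=None, lastChar=None, dump=False):
     outputs = []
     origExpr = None
 
@@ -91,16 +93,7 @@ def __goInferenceFields(expression, expressionFields, expressionFieldsList, payl
         else:
             expressionReplaced = expression.replace(expressionFields, field, 1)
 
-        if resumeValue:
-            output = resume(expressionReplaced, payload)
-
-        if not output or (expected == EXPECTED.INT and not output.isdigit()):
-            if output:
-                warnMsg = "expected value type %s, resumed '%s', " % (expected, output)
-                warnMsg += "sqlmap is going to retrieve the value again"
-                logger.warn(warnMsg)
-
-            output = __goInference(payload, expressionReplaced, charsetType, firstChar, lastChar, dump)
+        output = __goInference(payload, expressionReplaced, charsetType, firstChar, lastChar, dump)
 
         if isinstance(num, int):
             expression = origExpr
@@ -109,7 +102,7 @@ def __goInferenceFields(expression, expressionFields, expressionFieldsList, payl
 
     return outputs
 
-def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, resumeValue=True, unpack=True, charsetType=None, firstChar=None, lastChar=None, dump=False):
+def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, unpack=True, charsetType=None, firstChar=None, lastChar=None, dump=False):
     """
     Retrieve the output of a SQL query characted by character taking
     advantage of an blind SQL injection vulnerability on the affected
@@ -129,14 +122,6 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r
     untilLimitChar = None
     untilOrderChar = None
 
-    if resumeValue:
-        output = resume(expression, payload)
-    else:
-        output = None
-
-    if output and (expected is None or (expected == EXPECTED.INT and output.isdigit())):
-        return output
-
     if not unpack:
         return __goInference(payload, expression, charsetType, firstChar, lastChar, dump)
 
@@ -229,12 +214,8 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r
             untilOrderChar = countedExpression.index(" ORDER BY ")
             countedExpression = countedExpression[:untilOrderChar]
 
-        if resumeValue:
-            count = resume(countedExpression, payload)
-
         if not stopLimit:
-            if not count or not count.isdigit():
-                count = __goInference(payload, countedExpression, 2, firstChar, lastChar)
+            count = __goInference(payload, countedExpression, 2, firstChar, lastChar)
 
         if isNumPosStrValue(count):
             count = int(count)
@@ -298,17 +279,12 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r
 
                 return None
 
-        elif (not count or int(count) == 0) and (not stopLimit or stopLimit == 0):
-            if not count:
-                warnMsg = "the SQL query provided does not "
-                warnMsg += "return any output"
-                logger.warn(warnMsg)
-
+        elif (not stopLimit or stopLimit == 0):
             return None
 
         try:
             for num in xrange(startLimit, stopLimit):
-                output = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, num, resumeValue=resumeValue, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar, dump=dump)
+                output = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, num, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar, dump=dump)
                 outputs.append(output)
 
         except KeyboardInterrupt:
@@ -321,12 +297,12 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r
     elif Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE and expression.upper().startswith("SELECT ") and " FROM " not in expression.upper():
         expression += FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]
 
-    outputs = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, resumeValue=resumeValue, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar, dump=dump)
+    outputs = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar, dump=dump)
     returnValue = ", ".join(output for output in outputs)
 
     return returnValue
 
-def __goBooleanProxy(expression, resumeValue=True):
+def __goBooleanProxy(expression):
     """
     Retrieve the output of a boolean based SQL query
     """
@@ -340,54 +316,37 @@ def __goBooleanProxy(expression, resumeValue=True):
     payload = agent.payload(newValue=query)
     timeBasedCompare = kb.technique in (PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED)
 
-    if resumeValue:
-        output = resume(expression, payload)
-    else:
-        output = None
+    output = conf.hashDB.retrieve(expression) if not any([conf.flushSession, conf.freshQueries, not kb.resumeValues]) else None
 
     if not output:
         output = Request.queryPage(payload, timeBasedCompare=timeBasedCompare, raise404=False)
 
+    if output is not None:
+        conf.hashDB.write(expression, output)
+
     return output
 
-def __goError(expression, expected=None, resumeValue=True, dump=False):
+def __goError(expression, expected=None, dump=False):
     """
     Retrieve the output of a SQL query taking advantage of an error-based
     SQL injection vulnerability on the affected parameter.
     """
 
-    output = None
-
-    if resumeValue:
-        output = resume(expression, None)
-
-        if output and expected == EXPECTED.INT and not output.isdigit():
-            output = None
-
-    if output is None:
-        output = errorUse(expression, expected, resumeValue, dump)
+    output = errorUse(expression, expected, dump)
 
     return output
 
-def __goInband(expression, expected=None, unique=True, resumeValue=True, unpack=True, dump=False):
+def __goInband(expression, expected=None, unique=True, unpack=True, dump=False):
     """
     Retrieve the output of a SQL query taking advantage of an inband SQL
     injection vulnerability on the affected parameter.
     """
 
-    output = None
-    partial = False
-    data = None
-
-    if output is None:
-        output = unionUse(expression, unpack=unpack, dump=dump)
-
-    if isinstance(output, list):
-        data = output
-    else:
-        data = parseUnionPage(output, unique)
+    output = unionUse(expression, unpack=unpack, dump=dump)
+    if isinstance(output, basestring):
+        output = parseUnionPage(output, unique)
 
-    return data
+    return output
 
 def getValue(expression, blind=True, inband=True, error=True, time=True, fromUser=False, expected=None, batch=False, unpack=True, unique=True, resumeValue=True, charsetType=None, firstChar=None, lastChar=None, dump=False, suppressOutput=None, expectingNone=False, safeCharEncode=True):
     """
@@ -398,6 +357,7 @@ def getValue(expression, blind=True, inband=True, error=True, time=True, fromUse
     """
 
     kb.safeCharEncode = safeCharEncode
+    kb.resumeValues = resumeValue
 
     if suppressOutput is not None:
         pushValue(getCurrentThreadData().disableStdOut)
@@ -433,9 +393,9 @@ def getValue(expression, blind=True, inband=True, error=True, time=True, fromUse
                 kb.technique = PAYLOAD.TECHNIQUE.UNION
 
                 if expected == EXPECTED.BOOL:
-                    value = __goInband(forgeCaseExpression, expected, unique, resumeValue, unpack, dump)
+                    value = __goInband(forgeCaseExpression, expected, unique, unpack, dump)
                 else:
-                    value = __goInband(query, expected, unique, resumeValue, unpack, dump)
+                    value = __goInband(query, expected, unique, unpack, dump)
 
                 count += 1
                 found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
@@ -444,9 +404,9 @@ def getValue(expression, blind=True, inband=True, error=True, time=True, fromUse
                 kb.technique = PAYLOAD.TECHNIQUE.ERROR
 
                 if expected == EXPECTED.BOOL:
-                    value = __goError(forgeCaseExpression, expected, resumeValue, dump)
+                    value = __goError(forgeCaseExpression, expected, dump)
                 else:
-                    value = __goError(query, expected, resumeValue, dump)
+                    value = __goError(query, expected, dump)
 
                 count += 1
                 found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
@@ -455,9 +415,9 @@ def getValue(expression, blind=True, inband=True, error=True, time=True, fromUse
                 kb.technique = PAYLOAD.TECHNIQUE.BOOLEAN
 
                 if expected == EXPECTED.BOOL:
-                    value = __goBooleanProxy(booleanExpression, resumeValue)
+                    value = __goBooleanProxy(booleanExpression)
                 else:
-                    value = __goInferenceProxy(query, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar, dump)
+                    value = __goInferenceProxy(query, fromUser, expected, batch, unpack, charsetType, firstChar, lastChar, dump)
 
                 count += 1
                 found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
@@ -469,9 +429,9 @@ def getValue(expression, blind=True, inband=True, error=True, time=True, fromUse
                 kb.technique = PAYLOAD.TECHNIQUE.STACKED
 
                 if expected == EXPECTED.BOOL:
-                    value = __goBooleanProxy(booleanExpression, resumeValue)
+                    value = __goBooleanProxy(booleanExpression)
                 else:
-                    value = __goInferenceProxy(query, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar, dump)
+                    value = __goInferenceProxy(query, fromUser, expected, batch, unpack, charsetType, firstChar, lastChar, dump)
 
             if value and isinstance(value, basestring):
                 value = value.strip()
@@ -481,28 +441,13 @@ def getValue(expression, blind=True, inband=True, error=True, time=True, fromUse
             raise sqlmapNotVulnerableException, errMsg
 
     finally:
+        kb.resumeValues = True
         if suppressOutput is not None:
             getCurrentThreadData().disableStdOut = popValue()
 
-    if value and expected == EXPECTED.BOOL:
-        if isinstance(value, basestring):
-            value = value.strip().lower()
-            if value in ("true", "false"):
-                value = value == "true"
-            elif value in ("1", "-1"):
-                value = True
-            elif value == "0":
-                value = False
-            else:
-                value = None
-        elif isinstance(value, int):
-            value = bool(value)
-    elif value == [None]:
-        value = None
-
     kb.safeCharEncode = False
 
-    return value
+    return extractExpectedValue(value, expected)
 
 def goStacked(expression, silent=False):
     kb.technique = PAYLOAD.TECHNIQUE.STACKED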
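Review bot: In `__goBooleanProxy` the miss check `if not output:` that follows the new `conf.hashDB.retrieve(expression)` treats a resumed `False` exactly like a cache miss, so a boolean result that was stored by the new `conf.hashDB.write(expression, output)` is only ever reused when it was `True`, and every `False` outcome is re-queried against the target on each run. Provided `retrieve` returns None on a miss (not visible here, so worth confirming), the check should be `if output is None:`; the `output is not None` guard on the write already distinguishes "no answer" from a real `False`, so the two conditions would then agree. Separately, `__goError` now calls `errorUse(expression, expected, dump)`, dropping the positional `resumeValue` argument, so `errorUse` (defined outside this view) must be changed in the same commit or `dump` will be bound to the wrong parameter.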
