Commit de6fa12

committed
moved injections to xml format
1 parent d9d0c97 commit de6fa12

3 files changed

Lines changed: 47 additions & 180 deletions


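--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -22,10 +22,13 @@
 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
 """
 
+import codecs
 import re
 import socket
 import time
 
+from xml.dom import minidom
+
 from lib.core.agent import agent
 from lib.core.common import getUnicode
 from lib.core.common import preparePageForLineComparison
@@ -36,6 +39,7 @@
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
+from lib.core.data import paths
 from lib.core.exception import sqlmapConnectionException
 from lib.core.exception import sqlmapNoneDataException
 from lib.core.session import setString
@@ -55,197 +59,53 @@ def checkSqlInjection(place, parameter, value, parenthesis):
 
 randInt = randomInt()
 randStr = randomStr()
+prefix = ""
+postfix = ""
 
 if conf.prefix or conf.postfix:
-prefix = ""
-postfix = ""
-
 if conf.prefix:
 prefix = conf.prefix
 
 if conf.postfix:
 postfix = conf.postfix
 
-infoMsg = "testing custom injection "
-infoMsg += "on %s parameter '%s'" % (place, parameter)
-logger.info(infoMsg)
-
-payload = agent.payload(place, parameter, value, "%s%s%s AND %s%d=%d %s" % (value, prefix, ")" * parenthesis, "(" * parenthesis, randInt, randInt, postfix))
-trueResult = Request.queryPage(payload, place)
-
-if trueResult:
-payload = agent.payload(place, parameter, value, "%s%s%s AND %s%d=%d %s" % (value, prefix, ")" * parenthesis, "(" * parenthesis, randInt, randInt + 1, postfix))
-falseResult = Request.queryPage(payload, place)
-
-if not falseResult:
-infoMsg = "confirming custom injection "
-infoMsg += "on %s parameter '%s'" % (place, parameter)
-logger.info(infoMsg)
-
-payload = agent.payload(place, parameter, value, "%s%s%s AND %s%s %s" % (value, prefix, ")" * parenthesis, "(" * parenthesis, randStr, postfix))
-falseResult = Request.queryPage(payload, place)
-
-if not falseResult:
-infoMsg = "%s parameter '%s' is " % (place, parameter)
-infoMsg += "custom injectable "
-logger.info(infoMsg)
-
-return "custom"
-
-infoMsg = "testing unescaped numeric injection "
-infoMsg += "on %s parameter '%s'" % (place, parameter)
-logger.info(infoMsg)
-
-payload = agent.payload(place, parameter, value, "%s%s AND %s%d=%d" % (value, ")" * parenthesis, "(" * parenthesis, randInt, randInt))
-trueResult = Request.queryPage(payload, place)
-
-if trueResult:
-payload = agent.payload(place, parameter, value, "%s%s AND %s%d=%d" % (value, ")" * parenthesis, "(" * parenthesis, randInt, randInt + 1))
-falseResult = Request.queryPage(payload, place)
-
-if not falseResult:
-infoMsg = "confirming unescaped numeric injection "
-infoMsg += "on %s parameter '%s'" % (place, parameter)
-logger.info(infoMsg)
-
-payload = agent.payload(place, parameter, value, "%s%s AND %s%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr))
-falseResult = Request.queryPage(payload, place)
-
-if not falseResult:
-infoMsg = "%s parameter '%s' is " % (place, parameter)
-infoMsg += "unescaped numeric injectable "
-infoMsg += "with %d parenthesis" % parenthesis
-logger.info(infoMsg)
-
-return "numeric"
-
-infoMsg = "%s parameter '%s' is not " % (place, parameter)
-infoMsg += "unescaped numeric injectable"
-logger.info(infoMsg)
-
-infoMsg = "testing single quoted string injection "
-infoMsg += "on %s parameter '%s'" % (place, parameter)
-logger.info(infoMsg)
-
-payload = agent.payload(place, parameter, value, "%s'%s AND %s'%s'='%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr, randStr))
-trueResult = Request.queryPage(payload, place)
-
-if trueResult:
-payload = agent.payload(place, parameter, value, "%s'%s AND %s'%s'='%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr, randStr + randomStr(1)))
-falseResult = Request.queryPage(payload, place)
-
-if not falseResult:
-infoMsg = "confirming single quoted string injection "
-infoMsg += "on %s parameter '%s'" % (place, parameter)
-logger.info(infoMsg)
-
-payload = agent.payload(place, parameter, value, "%s'%s and %s%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr))
-falseResult = Request.queryPage(payload, place)
-
-if not falseResult:
-infoMsg = "%s parameter '%s' is " % (place, parameter)
-infoMsg += "single quoted string injectable "
-infoMsg += "with %d parenthesis" % parenthesis
-logger.info(infoMsg)
-
-return "stringsingle"
-
-infoMsg = "%s parameter '%s' is not " % (place, parameter)
-infoMsg += "single quoted string injectable"
-logger.info(infoMsg)
-
-infoMsg = "testing LIKE single quoted string injection "
-infoMsg += "on %s parameter '%s'" % (place, parameter)
-logger.info(infoMsg)
-
-payload = agent.payload(place, parameter, value, "%s'%s AND %s'%s' LIKE '%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr, randStr))
-trueResult = Request.queryPage(payload, place)
-
-if trueResult:
-payload = agent.payload(place, parameter, value, "%s'%s AND %s'%s' LIKE '%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr, randStr + randomStr(1)))
-falseResult = Request.queryPage(payload, place)
-
-if not falseResult:
-infoMsg = "confirming LIKE single quoted string injection "
-infoMsg += "on %s parameter '%s'" % (place, parameter)
-logger.info(infoMsg)
-
-payload = agent.payload(place, parameter, value, "%s'%s and %s%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr))
-falseResult = Request.queryPage(payload, place)
-
-if not falseResult:
-infoMsg = "%s parameter '%s' is " % (place, parameter)
-infoMsg += "LIKE single quoted string injectable "
-infoMsg += "with %d parenthesis" % parenthesis
-logger.info(infoMsg)
-
-return "likesingle"
-
-infoMsg = "%s parameter '%s' is not " % (place, parameter)
-infoMsg += "LIKE single quoted string injectable"
-logger.info(infoMsg)
-
-infoMsg = "testing double quoted string injection "
-infoMsg += "on %s parameter '%s'" % (place, parameter)
-logger.info(infoMsg)
-
-payload = agent.payload(place, parameter, value, "%s\"%s AND %s\"%s\"=\"%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr, randStr))
-trueResult = Request.queryPage(payload, place)
-
-if trueResult:
-payload = agent.payload(place, parameter, value, "%s\"%s AND %s\"%s\"=\"%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr, randStr + randomStr(1)))
-falseResult = Request.queryPage(payload, place)
-
-if not falseResult:
-infoMsg = "confirming double quoted string injection "
-infoMsg += "on %s parameter '%s'" % (place, parameter)
-logger.info(infoMsg)
-
-payload = agent.payload(place, parameter, value, "%s\"%s AND %s%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr))
-falseResult = Request.queryPage(payload, place)
-
-if not falseResult:
-infoMsg = "%s parameter '%s' is " % (place, parameter)
-infoMsg += "double quoted string injectable "
-infoMsg += "with %d parenthesis" % parenthesis
-logger.info(infoMsg)
+f = codecs.open(paths.INJECTIONS_XML, 'r', conf.dataEncoding)
+injections = minidom.parse(f).documentElement
+f.close()
 
-return "stringdouble"
+for case in injections.getElementsByTagName("case"):
+tag = case.getAttribute("tag")
+desc = case.getAttribute("desc")
 
-infoMsg = "%s parameter '%s' is not " % (place, parameter)
-infoMsg += "double quoted string injectable"
-logger.info(infoMsg)
+infoMsg = "testing %s injection " % desc
+infoMsg += "on %s parameter '%s'" % (place, parameter)
+logger.info(infoMsg)
 
-infoMsg = "testing LIKE double quoted string injection "
-infoMsg += "on %s parameter '%s'" % (place, parameter)
-logger.info(infoMsg)
+positive = case.getElementsByTagName("positive")[0]
+negative = case.getElementsByTagName("negative")[0]
 
-payload = agent.payload(place, parameter, value, "%s\"%s AND %s\"%s\" LIKE \"%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr, randStr))
-trueResult = Request.queryPage(payload, place)
+params = positive.getAttribute("params")
+format = positive.getAttribute("format")
+
+if not prefix and not postfix and tag == "custom":
+continue
+
+payload = agent.payload(place, parameter, value, format % eval(params))
 
-if trueResult:
-payload = agent.payload(place, parameter, value, "%s\"%s AND %s\"%s\" LIKE \"%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr, randStr + randomStr(1)))
-falseResult = Request.queryPage(payload, place)
+trueResult = Request.queryPage(payload, place)
 
-if not falseResult:
-infoMsg = "confirming LIKE double quoted string injection "
-infoMsg += "on %s parameter '%s'" % (place, parameter)
-logger.info(infoMsg)
+if trueResult:
+params = negative.getAttribute("params")
+format = negative.getAttribute("format")
+payload = agent.payload(place, parameter, value, format % eval(params))
 
-payload = agent.payload(place, parameter, value, "%s\"%s and %s%s" % (value, ")" * parenthesis, "(" * parenthesis, randStr))
 falseResult = Request.queryPage(payload, place)
 
 if not falseResult:
-infoMsg = "%s parameter '%s' is " % (place, parameter)
-infoMsg += "LIKE double quoted string injectable "
+infoMsg = "%s parameter '%s' is %s injectable " % (place, parameter, desc)
 infoMsg += "with %d parenthesis" % parenthesis
 logger.info(infoMsg)
-
-return "likedouble"
-
-infoMsg = "%s parameter '%s' is not " % (place, parameter)
-infoMsg += "LIKE double quoted string injectable"
-logger.info(infoMsg)
+return tag
 
 return None
 
@@ -291,10 +151,12 @@ def checkDynamicContent(*pages):
 for i in xrange(len(pages)):
 firstPage = pages[i]
 linesFirst = preparePageForLineComparison(firstPage)
-pageLinesNumber = len(linesFirst)
+pageLinesNumber = len(linesFirst)
+
 for j in xrange(i+1, len(pages)):
 secondPage = pages[j]
 linesSecond = preparePageForLineComparison(secondPage)
+
 if pageLinesNumber == len(linesSecond):
 for k in xrange(0, pageLinesNumber):
 if (linesFirst[k] != linesSecond[k]):
@@ -303,6 +165,7 @@ def checkDynamicContent(*pages):
 linesFirst[k+1] if k < pageLinesNumber - 1 else None)
 
 found = None
+
 for other in kb.dynamicContent:
 found = True
 if other.pageTotal == item.pageTotal:
@@ -311,18 +174,22 @@ def checkDynamicContent(*pages):
 other.lineNumber = [other.lineNumber, item.lineNumber]
 other.lineContentAfter = item.lineContentAfter
 break
+
 elif other.lineNumber == item.lineNumber + 1:
 other.lineNumber = [item.lineNumber, other.lineNumber]
 other.lineContentBefore = item.lineContentBefore
 break
+
 elif item.lineNumber - 1 == other.lineNumber[-1]:
 other.lineNumber.append(item.lineNumber)
 other.lineContentAfter = item.lineContentAfter
 break
+
 elif item.lineNumber + 1 == other.lineNumber[0]:
 other.lineNumber.insert(0, item.lineNumber)
 other.lineContentBefore = item.lineContentBefore
 break
+
 found = False
 
 if not found: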
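Review bot: `format % eval(params)` on new lines 93 and 100 executes the `params` attribute of injections.xml as Python, so anyone who can modify that data file (loaded from `paths.INJECTIONS_XML`, line 72) runs code in the scanning process, and the names a template may use (`value`, `parenthesis`, `randStr`, `randomStr` in the visible XML, presumably also `randInt`, `prefix` and `postfix`) are an undocumented contract. At minimum pass an explicit namespace so the contract is visible and a typo in the XML fails on an unknown name rather than on whatever happens to be in scope: `eval(params, {"__builtins__": {}}, {"value": value, "parenthesis": parenthesis, "randInt": randInt, "randStr": randStr, "randomStr": randomStr, "prefix": prefix, "postfix": postfix})` with the comment `# params is Python source read from injections.xml (trusted project data); keep the namespace explicit`; the cleaner fix is named `%(value)s` placeholders in `format` and no eval at all. `format` also shadows the builtin, and `case.getElementsByTagName("positive")[0]` / `("negative")[0]` on lines 84-85 raise IndexError for a case that omits either element, so one malformed entry aborts the whole check instead of being logged and skipped. The handle opened on line 72 is not closed if `minidom.parse` raises; `checkSqlInjection` begins before this hunk.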

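--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -662,6 +662,7 @@ def setPaths():
 paths.FUZZ_VECTORS = os.path.join(paths.SQLMAP_TXT_PATH, "fuzz_vectors.txt")
 paths.DETECTION_RULES_XML = os.path.join(paths.SQLMAP_XML_PATH, "detection.xml")
 paths.ERRORS_XML = os.path.join(paths.SQLMAP_XML_PATH, "errors.xml")
+paths.INJECTIONS_XML = os.path.join(paths.SQLMAP_XML_PATH, "injections.xml")
 paths.LIVE_TESTS_XML = os.path.join(paths.SQLMAP_XML_PATH, "livetests.xml")
 paths.QUERIES_XML = os.path.join(paths.SQLMAP_XML_PATH, "queries.xml")
 paths.GENERIC_XML = os.path.join(paths.SQLMAP_XML_BANNER_PATH, "generic.xml")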
Lines changed: 7 additions & 8 deletions
@@ -15,15 +15,14 @@
1515
</case>
1616
<case tag="likesingle" desc="LIKE single quoted string">
1717
<positive format="%s'%s AND %s'%s' LIKE '%s" params="value, &quot;)&quot; * parenthesis, &quot;(&quot; * parenthesis, randStr, randStr"/>
18-
<negative format="" params=""/>
18+
<negative format="%s'%s AND %s'%s' LIKE '%s" params="value, &quot;)&quot; * parenthesis, &quot;(&quot; * parenthesis, randStr, randStr + randomStr(1)"/>
1919
</case>
20-
<case tag="custom" desc="custom">
21-
<positive format="" params=""/>
22-
<negative format="" params=""/>
20+
<case tag="stringdouble" desc="double quoted string">
21+
<positive format="%s\&quot;%s AND %s\&quot;%s\&quot;=\&quot;%s" params="value, &quot;)&quot; * parenthesis, &quot;(&quot; * parenthesis, randStr, randStr"/>
22+
<negative format="%s\&quot;%s AND %s\&quot;%s\&quot;=\&quot;%s" params="value, &quot;)&quot; * parenthesis, &quot;(&quot; * parenthesis, randStr, randStr + randomStr(1)"/>
2323
</case>
24-
<case tag="custom" desc="custom">
25-
<positive format="" params=""/>
26-
<negative format="" params=""/>
24+
<case tag="likedouble" desc="LIKE double quoted string">
25+
<positive format="%s\&quot;%s AND %s\&quot;%s\&quot; LIKE \&quot;%s" params="value, &quot;)&quot; * parenthesis, &quot;(&quot; * parenthesis, randStr, randStr"/>
26+
<negative format="%s\&quot;%s AND %s\&quot;%s\&quot; LIKE \&quot;%s" params="value, &quot;)&quot; * parenthesis, &quot;(&quot; * parenthesis, randStr, randStr + randomStr(1)"/>
2727
</case>
28-
2928
</root>
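Review bot: The `\&quot;` sequences in the new stringdouble and likedouble `format` attributes (lines 21-22 and 25-26) leave a literal backslash in the parsed value, because backslash is not an escape character in XML; after `format % eval(params)` in checks.py these payloads carry `\"` where the Python string literals they replace (`"%s\"%s AND %s\"%s\"=\"%s"`) produced a bare `"`. Only the entity is needed, e.g. `<positive format="%s&quot;%s AND %s&quot;%s&quot;=&quot;%s" params="value, &quot;)&quot; * parenthesis, &quot;(&quot; * parenthesis, randStr, randStr"/>`, and likewise for the other three. Since every `params` attribute is Python source evaluated by checks.py, the file should say so in a comment under the root element, which starts before this hunk. This hunk also removes both `custom` cases while checks.py still special-cases `tag == "custom"`; unless a custom case remains in lines 1-14, that branch is dead.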
