

Commit fe2039f

committed
coollyy little commits
1 parent d71e51e commit fe2039f

4 files changed

Lines changed: 21 additions & 16 deletions


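--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -12,6 +12,7 @@
 from xml.etree import ElementTree as ET
 
 from lib.core.common import getCompiledRegex
+from lib.core.common import isDBMSVersionAtLeast
 from lib.core.common import randomInt
 from lib.core.common import randomStr
 from lib.core.convert import urlencode
@@ -214,7 +215,14 @@ def cleanupPayload(self, payload, origvalue=None):
 
 if "[INFERENCE]" in payload:
 if kb.dbms is not None:
-inferenceQuery = queries[kb.dbms].inference.query
+inference = queries[kb.dbms].inference
+if "dbms_version" in inference:
+if isDBMSVersionAtLeast(inference.dbms_version):
+inferenceQuery = inference.query
+else:
+inferenceQuery = inference.query2
+else:
+inferenceQuery = inference.query
 payload = payload.replace("[INFERENCE]", inferenceQuery)
 elif kb.misc.testedDbms is not None:
 inferenceQuery = queries[kb.misc.testedDbms].inference.query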
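Review bot: `inference.query2` on new line 223 is read whenever the element carries `dbms_version` and the version check fails, with no check that the element also defines `query2`; an `<inference>` entry with only `dbms_version` would fail on attribute access here instead of falling back to the default template. I would guard it, `inferenceQuery = inference.query2 if "query2" in inference else inference.query`, which also collapses the two `else` branches into one. The `elif kb.misc.testedDbms` branch on the context line below still reads `.inference.query` unconditionally, so a version-gated DBMS takes the primary template on that path — presumably intentional while the version is still unknown, but a one-line comment saying so would save the next reader the question. cleanupPayload continues outside the hunk.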

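--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -46,9 +46,9 @@
 DUMP_START_MARKER = "__START__"
 DUMP_STOP_MARKER = "__STOP__"
 
-PAYLOAD_DELIMITER = "\x00"
-
-MIN_TIME_RESPONSES = 10
+PAYLOAD_DELIMITER = "\x00"
+CHAR_INFERENCE_MARK = "%c"
+MIN_TIME_RESPONSES = 10
 
 # System variables
 IS_WIN = subprocess.mswindows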

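--- a/lib/techniques/blind/inference.py
+++ b/lib/techniques/blind/inference.py
@@ -33,6 +33,7 @@
 from lib.core.exception import sqlmapThreadException
 from lib.core.exception import unhandledException
 from lib.core.progress import ProgressBar
+from lib.core.settings import CHAR_INFERENCE_MARK
 from lib.core.unescaper import unescaper
 from lib.request.connect import Connect as Request
 
@@ -141,7 +142,7 @@ def getChar(idx, charTbl=asciiTbl, continuousOrder=True, expand=charsetType is N
 continuousOrder means that distance between each two neighbour's
 numerical values is exactly 1
 """
-
+
 result = tryHint(idx)
 
 if result:
@@ -170,18 +171,14 @@ def getChar(idx, charTbl=asciiTbl, continuousOrder=True, expand=charsetType is N
 position = (len(charTbl) >> 1)
 posValue = charTbl[position]
 
-if dbms in (DBMS.SQLITE, DBMS.MAXDB):
-pushValue(posValue)
-posValue = chr(posValue) if posValue < 128 else unichr(posValue)
-
-forgedPayload = safeStringFormat(payload, (expressionUnescaped, idx, posValue))
+if CHAR_INFERENCE_MARK not in payload:
+forgedPayload = safeStringFormat(payload, (expressionUnescaped, idx, posValue))
+else:
+forgedPayload = safeStringFormat(payload, (expressionUnescaped, idx)).replace(CHAR_INFERENCE_MARK, chr(posValue) if posValue < 128 else unichr(posValue))
 
 queriesCount[0] += 1
 result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare)
 
-if dbms in (DBMS.SQLITE, DBMS.MAXDB):
-posValue = popValue()
-
 if result:
 minValue = posValue
 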
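Review bot: On new line 177 the `.replace(CHAR_INFERENCE_MARK, …)` runs on the already-formatted string, so it rewrites every `%c` in the result — including any that the `%s` substitution brought in from `expressionUnescaped` — rather than only the placeholder in the template. Substituting the mark into the template before `safeStringFormat` would pin it to the placeholder, provided a probed `%` is escaped for the formatter first, which depends on `safeStringFormat` semantics not visible here. At minimum the order dependency deserves a comment, e.g. `# CHAR_INFERENCE_MARK is resolved after safeStringFormat(), so the expression must not contain it`. The `chr(posValue) if posValue < 128 else unichr(posValue)` expression is the one deleted at old line 175; a small helper would keep the two branches readable. getChar begins and ends outside the hunk.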

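--- a/xml/queries.xml
+++ b/xml/queries.xml
@@ -303,7 +303,7 @@
 <timedelay query="SELECT LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB(1000000%d))))" dbms_version="&gt;=3.0"/>
 <substring query="SUBSTR((%s), %d, %d)"/>
 <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
-<inference query="SUBSTR((%s), %d, 1) > '%s'"/>
+<inference query="SUBSTR((%s), %d, 1) > '%c'"/>
 <banner query="SELECT SQLITE_VERSION()"/>
 <current_user/>
 <current_db/>
@@ -386,7 +386,7 @@
 <inband query="SELECT DISTINCT RDB$USER FROM RDB$USER_PRIVILEGES"/>
 <blind query="SELECT FIRST 1 SKIP %d DISTINCT(RDB$USER) FROM RDB$USER_PRIVILEGES" count="SELECT COUNT(DISTINCT(RDB$USER)) FROM RDB$USER_PRIVILEGES"/>
 </users>
-<inference query="ASCII_VAL(SUBSTRING((%s) FROM %d FOR 1)) > %d" dbms_version="&gt;=2.1"/>
+<inference query="ASCII_VAL(SUBSTRING((%s) FROM %d FOR 1)) > %d" dbms_version="&gt;=2.1" query2="SUBSTRING((%s) FROM %d FOR 1) > '%c'"/>
 <is_dba query="CURRENT_USER='SYSDBA'"/>
 <tables>
 <inband query="SELECT RDB$RELATION_NAME FROM RDB$RELATIONS WHERE RDB$VIEW_BLR IS NULL AND (RDB$SYSTEM_FLAG IS NULL OR RDB$SYSTEM_FLAG = 0)"/>
@@ -429,7 +429,7 @@
 <current_db query="SELECT DATABASE() FROM DUAL"/>
 <order query="ORDER BY %s ASC"/>
 <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
-<inference query="SUBSTR((%s), %d, 1) > '%s'"/>
+<inference query="SUBSTR((%s), %d, 1) > '%c'"/>
 <delimiter query=","/>
 <substring query="SUBSTR((%s), %d, %d)"/>
 <users>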
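Review bot: The new `query2` attribute on the Firebird `<inference>` element (new line 389) and the `%c` placeholder introduced on lines 306 and 432 carry no explanation in the file, so a reader of queries.xml cannot tell that `%c` is substituted with the literal character after formatting rather than being a format directive, nor that `query2` is the template taken when `dbms_version` is not satisfied. An XML comment above the Firebird element, such as `<!-- query2: used when the server does not satisfy dbms_version; %c is replaced with the probed character, not formatted -->`, would make the schema self-describing for anyone adding a new DBMS entry. The same documentation gap applies to the other two hunks in this section.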
