diff --git a/extra/xmlobject/xmlobject.py b/extra/xmlobject/xmlobject.py index a40c0adb5..f060cf361 100644 --- a/extra/xmlobject/xmlobject.py +++ b/extra/xmlobject/xmlobject.py @@ -142,6 +142,7 @@ class XMLFile: fobj = kw.get("file", None) raw = kw.get("raw", None) root = kw.get("root", None) + textfilter = kw.get("textfilter", None) if path: self.path = path @@ -176,6 +177,11 @@ class XMLFile: raise IncorrectRootTag("Gave root='%s', input has root='%s'" % ( root, rootnode.nodeName)) + if textfilter: + self.textfilter = textfilter + else: + self.textfilter = lambda x: x + # need this for recursion in XMLNode self._childrenByName = {} self._children = [] @@ -278,7 +284,7 @@ class XMLNode: self._value = None if isinstance(node, xml.dom.minidom.Text): self._type = "text" - self._value = node.nodeValue + self._value = self._root.textfilter(node.nodeValue) elif isinstance(node, xml.dom.minidom.Element): self._type = "node" elif isinstance(node, xml.dom.minidom.Comment): diff --git a/lib/core/agent.py b/lib/core/agent.py index d317ebeef..4f3d3e8c4 100644 --- a/lib/core/agent.py +++ b/lib/core/agent.py @@ -220,8 +220,8 @@ class Agent: if field.startswith("(CASE"): nulledCastedField = field else: - nulledCastedField = queries[kb.dbms].cast % field - nulledCastedField = queries[kb.dbms].isnull % nulledCastedField + nulledCastedField = queries[kb.dbms].cast.query % field + nulledCastedField = queries[kb.dbms].isnull.query % nulledCastedField return nulledCastedField @@ -260,7 +260,7 @@ class Agent: fields = fields.replace(", ", ",") fieldsSplitted = fields.split(",") - dbmsDelimiter = queries[kb.dbms].delimiter + dbmsDelimiter = queries[kb.dbms].delimiter.query nulledCastedFields = [] for field in fieldsSplitted: 
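Review bot: In the `XMLNode` hunk the filter is applied only to Text-node values (`self._value = self._root.textfilter(node.nodeValue)`), while the loader this commit introduces passes `sanitizeStr` as `textfilter` and then reads attribute-style fields such as `.query`, `.condition` and `.count2`, which the deleted SAX parser ran through `sanitizeStr` explicitly. Unless XMLNode's attribute lookup also routes through `self._root.textfilter` (that code is outside the hunk), the query strings taken from XML attributes are now unsanitized; apply the filter where attributes are resolved too, or document on `XMLFile` that `textfilter` covers text nodes only. This line also assumes `self._root` is always an `XMLFile` built by the patched `__init__`; a root constructed any other way has no `textfilter` and the access raises AttributeError. The XMLNode constructor starts before and continues after the hunk.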
@@ -516,18 +516,18 @@ class Agent: """ limitedQuery = query - limitStr = queries[kb.dbms].limit + limitStr = queries[kb.dbms].limit.query fromIndex = limitedQuery.index(" FROM ") untilFrom = limitedQuery[:fromIndex] fromFrom = limitedQuery[fromIndex+1:] orderBy = False if kb.dbms in ( "MySQL", "PostgreSQL", "SQLite" ): - limitStr = queries[kb.dbms].limit % (num, 1) + limitStr = queries[kb.dbms].limit.query % (num, 1) limitedQuery += " %s" % limitStr elif kb.dbms == "Firebird": - limitStr = queries[kb.dbms].limit % (num+1, num+1) + limitStr = queries[kb.dbms].limit.query % (num+1, num+1) limitedQuery += " %s" % limitStr elif kb.dbms == "Oracle": @@ -556,7 +556,7 @@ class Agent: limitedQuery = limitedQuery.replace("DISTINCT %s" % notDistinct, notDistinct) if limitedQuery.startswith("SELECT TOP ") or limitedQuery.startswith("TOP "): - topNums = re.search(queries[kb.dbms].limitregexp, limitedQuery, re.I) + topNums = re.search(queries[kb.dbms].limitregexp.query, limitedQuery, re.I) if topNums: topNums = topNums.groups() @@ -602,7 +602,7 @@ class Agent: @rtype: C{str} """ - return queries[kb.dbms].case % expression + return queries[kb.dbms].case.query % expression # SQL agent agent = Agent() diff --git a/lib/core/common.py b/lib/core/common.py index 59862fffa..f693730da 100644 --- a/lib/core/common.py +++ b/lib/core/common.py 
@@ -909,14 +909,14 @@ def getDelayQuery(andCond=False): banVer = kb.bannerFp["dbmsVersion"] if (kb.dbms == "MySQL" and banVer >= "5.0.12") or (kb.dbms == "PostgreSQL" and banVer >= "8.2"): - query = queries[kb.dbms].timedelay % conf.timeSec + query = queries[kb.dbms].timedelay.query % conf.timeSec else: - query = queries[kb.dbms].timedelay2 % conf.timeSec + query = queries[kb.dbms].timedelay.query2 % conf.timeSec elif kb.dbms == "Firebird": - query = queries[kb.dbms].timedelay + query = queries[kb.dbms].timedelay.query else: - query = queries[kb.dbms].timedelay % conf.timeSec + query = queries[kb.dbms].timedelay.query % conf.timeSec if andCond: if kb.dbms in ( "MySQL", "SQLite" ): @@ -1078,6 +1078,8 @@ def safeStringFormat(formatStr, params): if count < len(params): retVal = retVal[:index] + getUnicode(params[count]) + retVal[index+2:] else: + import pdb + pdb.set_trace() raise sqlmapNoneDataException, "wrong number of parameters during string formatting" count += 1 diff --git a/lib/core/option.py b/lib/core/option.py index 1eac060cf..c162fefb3 100644 --- a/lib/core/option.py +++ b/lib/core/option.py @@ -37,6 +37,7 @@ from lib.core.data import conf from lib.core.data import kb from lib.core.data import logger from lib.core.data import paths +from lib.core.data import queries from lib.core.datatype import advancedDict from lib.core.exception import sqlmapFilePathException from lib.core.exception import sqlmapGenericException @@ -55,7 +56,6 @@ from lib.core.settings import SUPPORTED_OS from lib.core.settings import VERSION_STRING from lib.core.update import update from lib.parse.configfile import configFileParser -from lib.parse.queriesfile import queriesParser from lib.request.proxy import ProxyHTTPSHandler from lib.request.certhandler import HTTPSCertAuthHandler from lib.request.redirecthandler import SmartRedirectHandler 
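Review bot: The fallback branch now reads `queries[kb.dbms].timedelay.query2`, but the removed SAX parser obtained that value via `attrs.get("query2")`, which silently gave None for a `<timedelay>` element with no `query2` attribute; with XMLNode attribute access the miss may raise instead (the lookup is not in this diff). Worth confirming that every DBMS entry reachable through the MySQL/PostgreSQL version branch defines `query2`, or guarding the access. Unchanged on the context lines but worth a comment if kept: `banVer >= "5.0.12"` and `banVer >= "8.2"` are lexicographic string comparisons, so e.g. "5.10.0" sorts below "5.0.12"; a `# NOTE: string comparison, not version comparison` marker would stop a later reader from trusting it. getDelayQuery begins before the hunk.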
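Review bot: The two added lines `import pdb` / `pdb.set_trace()` in `safeStringFormat` drop into the interactive debugger right before `sqlmapNoneDataException` is raised, so any run that hits the parameter-count mismatch — including batch or scripted runs with no terminal — stalls waiting on stdin instead of failing with the exception. Delete both lines before merge; if the mismatch needs diagnosing, emit the format string and parameter count through `logger.debug` instead. safeStringFormat's definition starts before the hunk.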
@@ -195,6 +195,13 @@ def __feedTargetsDict(reqFile, addedTargetUrls): kb.targetUrls.add((url, method, data, cookie)) addedTargetUrls.add(url) +def __loadQueries(): + """ + Loads queries from 'xml/queries.xml' file. + """ + for node in xmlobject.XMLFile(path=paths.QUERIES_XML, textfilter=sanitizeStr).root.dbms: + queries[node.value] = node + def __setMultipleTargets(): """ Define a configuration parameter if we are running in multiple target @@ -1258,4 +1265,4 @@ def init(inputOptions=advancedDict()): __setMetasploit() update() - queriesParser() + __loadQueries() diff --git a/lib/parse/queriesfile.py b/lib/parse/queriesfile.py deleted file mode 100644 index 6a7ebf397..000000000 --- a/lib/parse/queriesfile.py +++ /dev/null 
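Review bot: `__loadQueries` drops the `checkFile(xmlfile)` guard and the "parsing XML queries file" debug message that the removed `queriesParser` had, so a missing or unreadable `xml/queries.xml` now surfaces as whatever `xmlobject.XMLFile` raises rather than the sqlmapFilePathException path the old code used. Suggest `checkFile(paths.QUERIES_XML)` before constructing the XMLFile and restoring the `logger.debug` line. The body also relies on `xmlobject` and `sanitizeStr` being in scope in option.py; the import hunk in this commit adds only `queries`, so confirm both names are already imported there (the import block is outside this hunk).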
@@ -1,240 +0,0 @@ -#!/usr/bin/env python - -""" -$Id$ - -Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/) -See the file 'doc/COPYING' for copying permission -""" - -from xml.sax.handler import ContentHandler - -from lib.core.common import checkFile -from lib.core.common import parseXmlFile -from lib.core.common import sanitizeStr -from lib.core.data import logger -from lib.core.data import queries -from lib.core.data import paths -from lib.core.datatype import advancedDict - -class queriesHandler(ContentHandler): - """ - This class defines methods to parse the default DBMS queries - from an XML file - """ - - def __init__(self): - self.__dbms = '' - self.__queries = advancedDict() - - def startElement(self, name, attrs): - if name == "dbms": - data = sanitizeStr(attrs.get("value")) - self.__dbms = data - - elif name == "cast": - data = sanitizeStr(attrs.get("query")) - self.__queries.cast = data - - elif name == "length": - data = sanitizeStr(attrs.get("query")) - self.__queries.length = data - - elif name == "isnull": - data = sanitizeStr(attrs.get("query")) - self.__queries.isnull = data - - elif name == "delimiter": - data = sanitizeStr(attrs.get("query")) - self.__queries.delimiter = data - - elif name == "limit": - data = sanitizeStr(attrs.get("query")) - self.__queries.limit = data - - elif name == "limitregexp": - data = sanitizeStr(attrs.get("query")) - self.__queries.limitregexp = data - - elif name == "limitgroupstart": - data = sanitizeStr(attrs.get("query")) - self.__queries.limitgroupstart = data - - elif name == "limitgroupstop": - data = sanitizeStr(attrs.get("query")) - self.__queries.limitgroupstop = data - - elif name == "limitstring": - data = sanitizeStr(attrs.get("query")) - self.__queries.limitstring = data - - elif name == "order": - data = sanitizeStr(attrs.get("query")) - self.__queries.order = data - - elif name == "count": - data = sanitizeStr(attrs.get("query")) - self.__queries.count = data - - elif name == 
"comment": - data = sanitizeStr(attrs.get("query")) - self.__queries.comment = data - - elif name == "timedelay": - data = sanitizeStr(attrs.get("query")) - self.__queries.timedelay = data - - data = sanitizeStr(attrs.get("query2")) - self.__queries.timedelay2 = data - - elif name == "substring": - data = sanitizeStr(attrs.get("query")) - self.__queries.substring = data - - elif name == "case": - data = sanitizeStr(attrs.get("query")) - self.__queries.case = data - - elif name == "error": - data = sanitizeStr(attrs.get("query")) - self.__queries.error = data - - elif name == "inference": - data = sanitizeStr(attrs.get("query")) - self.__queries.inference = data - - elif name == "banner": - data = sanitizeStr(attrs.get("query")) - self.__queries.banner = data - - elif name == "current_user": - data = sanitizeStr(attrs.get("query")) - self.__queries.currentUser = data - - elif name == "current_db": - data = sanitizeStr(attrs.get("query")) - self.__queries.currentDb = data - - elif name == "is_dba": - data = sanitizeStr(attrs.get("query")) - self.__queries.isDba = data - - elif name == "check_udf": - data = sanitizeStr(attrs.get("query")) - self.__queries.checkUdf = data - - elif name == "inband": - self.__inband = sanitizeStr(attrs.get("query")) - self.__inband2 = sanitizeStr(attrs.get("query2")) - self.__conditionInband = sanitizeStr(attrs.get("condition")) - self.__conditionInband2 = sanitizeStr(attrs.get("condition2")) - - elif name == "blind": - self.__blind = sanitizeStr(attrs.get("query")) - self.__blind2 = sanitizeStr(attrs.get("query2")) - self.__count = sanitizeStr(attrs.get("count")) - self.__count2 = sanitizeStr(attrs.get("count2")) - self.__conditionBlind = sanitizeStr(attrs.get("condition")) - self.__conditionBlind2 = sanitizeStr(attrs.get("condition2")) - - def endElement(self, name): - if name == "dbms": - queries[self.__dbms] = self.__queries - self.__queries = advancedDict() - - elif name == "users": - self.__users = {} - self.__users["inband"] = { 
"query": self.__inband, "query2": self.__inband2 } - self.__users["blind"] = { "query": self.__blind, "query2": self.__blind2, - "count": self.__count, "count2": self.__count2 } - - self.__queries.users = self.__users - - elif name == "passwords": - self.__passwords = {} - self.__passwords["inband"] = { "query": self.__inband, "query2": self.__inband2, "condition": self.__conditionInband } - self.__passwords["blind"] = { "query": self.__blind, "query2": self.__blind2, - "count": self.__count, "count2": self.__count2 } - - self.__queries.passwords = self.__passwords - - elif name == "privileges": - self.__privileges = {} - self.__privileges["inband"] = { "query": self.__inband, "query2": self.__inband2, "condition": self.__conditionInband, "condition2": self.__conditionInband2 } - self.__privileges["blind"] = { "query": self.__blind, "query2": self.__blind2, - "count": self.__count, "count2": self.__count2 } - - self.__queries.privileges = self.__privileges - - elif name == "roles": - self.__roles = {} - self.__roles["inband"] = { "query": self.__inband, "query2": self.__inband2, "condition": self.__conditionInband, "condition2": self.__conditionInband2 } - self.__roles["blind"] = { "query": self.__blind, "query2": self.__blind2, - "count": self.__count, "count2": self.__count2 } - - self.__queries.roles = self.__roles - - elif name == "dbs": - self.__dbs = {} - self.__dbs["inband"] = { "query": self.__inband, "query2": self.__inband2 } - self.__dbs["blind"] = { "query": self.__blind, "query2": self.__blind2, - "count": self.__count, "count2": self.__count2 } - - self.__queries.dbs = self.__dbs - - elif name == "tables": - self.__tables = {} - self.__tables["inband"] = { "query": self.__inband, "condition": self.__conditionInband } - self.__tables["blind"] = { "query": self.__blind, "count": self.__count } - - self.__queries.tables = self.__tables - - elif name == "columns": - self.__columns = {} - self.__columns["inband"] = { "query": self.__inband, "condition": 
self.__conditionInband } - self.__columns["blind"] = { "query": self.__blind, "query2": self.__blind2, "count": self.__count, "condition": self.__conditionBlind } - - self.__queries.columns = self.__columns - - elif name == "dump_table": - self.__dumpTable = {} - self.__dumpTable["inband"] = { "query": self.__inband } - self.__dumpTable["blind"] = { "query": self.__blind, "count": self.__count } - - self.__queries.dumpTable = self.__dumpTable - - elif name == "search_db": - self.__searchDb = {} - self.__searchDb["inband"] = { "query": self.__inband, "query2": self.__inband2, "condition": self.__conditionInband, "condition2": self.__conditionInband2 } - self.__searchDb["blind"] = { "query": self.__blind, "query2": self.__blind2, "count": self.__count, "count2": self.__count2, "condition": self.__conditionBlind, "condition2": self.__conditionBlind2 } - - self.__queries.searchDb = self.__searchDb - - elif name == "search_table": - self.__searchTable = {} - self.__searchTable["inband"] = { "query": self.__inband, "query2": self.__inband2, "condition": self.__conditionInband, "condition2": self.__conditionInband2 } - self.__searchTable["blind"] = { "query": self.__blind, "query2": self.__blind2, "count": self.__count, "count2": self.__count2, "condition": self.__conditionBlind, "condition2": self.__conditionBlind2 } - - self.__queries.searchTable = self.__searchTable - - elif name == "search_column": - self.__searchColumn = {} - self.__searchColumn["inband"] = { "query": self.__inband, "query2": self.__inband2, "condition": self.__conditionInband, "condition2": self.__conditionInband2 } - self.__searchColumn["blind"] = { "query": self.__blind, "query2": self.__blind2, "count": self.__count, "count2": self.__count2, "condition": self.__conditionBlind, "condition2": self.__conditionBlind2 } - - self.__queries.searchColumn = self.__searchColumn - -def queriesParser(): - """ - This function calls a class to parse the default DBMS queries - from an XML file - """ - - 
debugMsg = "parsing XML queries file" - logger.debug(debugMsg) - - xmlfile = paths.QUERIES_XML - - checkFile(xmlfile) - handler = queriesHandler() - parseXmlFile(xmlfile, handler) diff --git a/lib/request/inject.py b/lib/request/inject.py index f2d9f7d19..55ccea1dd 100644 --- a/lib/request/inject.py +++ b/lib/request/inject.py @@ -96,8 +96,7 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r advantage of an blind SQL injection vulnerability on the affected parameter through a bisection algorithm. """ - - query = agent.prefixQuery(" %s" % queries[kb.misc.testedDbms].inference) + query = agent.prefixQuery(" %s" % queries[kb.misc.testedDbms].inference.query) query = agent.postfixQuery(query) payload = agent.payload(newValue=query) count = None @@ -139,13 +138,13 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r # NOTE: I assume that only queries that get data from a table # can return multiple entries if fromUser and " FROM " in expression: - limitRegExp = re.search(queries[kb.dbms].limitregexp, expression, re.I) + limitRegExp = re.search(queries[kb.dbms].limitregexp.query, expression, re.I) topLimit = re.search("TOP\s+([\d]+)\s+", expression, re.I) if limitRegExp or ( kb.dbms == "Microsoft SQL Server" and topLimit ): if kb.dbms in ( "MySQL", "PostgreSQL" ): - limitGroupStart = queries[kb.dbms].limitgroupstart - limitGroupStop = queries[kb.dbms].limitgroupstop + limitGroupStart = queries[kb.dbms].limitgroupstart.query + limitGroupStop = queries[kb.dbms].limitgroupstop.query if limitGroupStart.isdigit(): startLimit = int(limitRegExp.group(int(limitGroupStart))) 
@@ -155,8 +154,8 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r elif kb.dbms == "Microsoft SQL Server": if limitRegExp: - limitGroupStart = queries[kb.dbms].limitgroupstart - limitGroupStop = queries[kb.dbms].limitgroupstop + limitGroupStart = queries[kb.dbms].limitgroupstart.query + limitGroupStop = queries[kb.dbms].limitgroupstop.query if limitGroupStart.isdigit(): startLimit = int(limitRegExp.group(int(limitGroupStart))) @@ -184,7 +183,7 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r # (or similar, depending on the back-end DBMS) word if kb.dbms in ( "MySQL", "PostgreSQL" ): stopLimit += startLimit - untilLimitChar = expression.index(queries[kb.dbms].limitstring) + untilLimitChar = expression.index(queries[kb.dbms].limitstring.query) expression = expression[:untilLimitChar] elif kb.dbms == "Microsoft SQL Server": @@ -202,7 +201,7 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r if not test or test[0] in ("y", "Y"): # Count the number of SQL query entries output - countFirstField = queries[kb.dbms].count % expressionFieldsList[0] + countFirstField = queries[kb.dbms].count.query % expressionFieldsList[0] countedExpression = expression.replace(expressionFields, countFirstField, 1) if re.search(" ORDER BY ", expression, re.I): @@ -398,7 +397,7 @@ def goStacked(expression, silent=False): debugMsg = "query: %s" % expression logger.debug(debugMsg) - comment = queries[kb.dbms].comment + comment = queries[kb.dbms].comment.query query = agent.prefixQuery("; %s" % expression) query = agent.postfixQuery("%s;%s" % (query, comment)) payload = agent.payload(newValue=query) diff --git a/lib/techniques/blind/inference.py b/lib/techniques/blind/inference.py index cce3d2be3..b978c23b0 100644 --- a/lib/techniques/blind/inference.py +++ b/lib/techniques/blind/inference.py 
@@ -461,7 +461,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None # check it via equal against the substring-query output if commonPattern is not None: # Substring-query containing equals commonPattern - subquery = queries[kb.dbms].substring % (expressionUnescaped, 1, len(commonPattern)) + subquery = queries[kb.dbms].substring.query % (expressionUnescaped, 1, len(commonPattern)) testValue = unescaper.unescape("'%s'" % commonPattern) if "'" not in commonPattern else unescaper.unescape("%s" % commonPattern, quote=False) query = agent.prefixQuery(" %s" % safeStringFormat("AND (%s) = %s", (subquery, testValue))) query = agent.postfixQuery(query) diff --git a/lib/techniques/error/test.py b/lib/techniques/error/test.py index a98931449..dae7beff9 100644 --- a/lib/techniques/error/test.py +++ b/lib/techniques/error/test.py @@ -30,7 +30,7 @@ def errorTest(): logger.info(infoMsg) randInt = getUnicode(randomInt(1)) - query = queries[kb.dbms].case % ("%s=%s" % (randInt, randInt)) + query = queries[kb.dbms].case.query % ("%s=%s" % (randInt, randInt)) result = inject.goError(query) if result: diff --git a/lib/techniques/error/use.py b/lib/techniques/error/use.py index 07630d3ef..c6fd70bbb 100644 --- a/lib/techniques/error/use.py +++ b/lib/techniques/error/use.py @@ -30,14 +30,15 @@ from lib.core.settings import ERROR_EMPTY_CHAR from lib.core.settings import ERROR_START_CHAR from lib.core.settings import ERROR_END_CHAR -def errorUse(expression, resumeValue=True): +def errorUse(expression): """ Retrieve the output of a SQL query taking advantage of an error SQL injection vulnerability on the affected parameter. """ + output = None logic = conf.logic randInt = randomInt(1) - query = agent.prefixQuery(" %s" % queries[kb.misc.testedDbms].error) + query = agent.prefixQuery(" %s" % queries[kb.misc.testedDbms].error.query) query = agent.postfixQuery(query) payload = agent.payload(newValue=query) startLimiter = "" 
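Review bot: Removing the `resumeValue` parameter from `errorUse` is an interface change — any caller still passing `resumeValue=...` now raises TypeError, and the callers are outside this diff; if compatibility matters, keep `resumeValue=True` as an accepted-but-ignored keyword. The companion hunk also removes the `resume(expression, payload)` short-circuit, so values that the session file would previously have satisfied appear to be re-fetched from the target; the docstring should state that this function no longer consults the session, e.g. add `Does not attempt to resume output from the session file.` after the existing summary. `output = None` is now set at the top but its later use is beyond the hunk; errorUse continues after the hunk.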
@@ -45,14 +46,6 @@ def errorUse(expression, resumeValue=True): expressionUnescaped = expression - if resumeValue: - output = resume(expression, payload) - else: - output = None - - if output: - return output - if kb.dbmsDetected: _, _, _, _, _, _, fieldToCastStr = agent.getFields(expression) nulledCastedField = agent.nullAndCastField(fieldToCastStr) diff --git a/lib/techniques/inband/union/test.py b/lib/techniques/inband/union/test.py index c2992c364..fbcd80414 100644 --- a/lib/techniques/inband/union/test.py +++ b/lib/techniques/inband/union/test.py @@ -203,7 +203,7 @@ def unionTest(): value = None columns = None - for comment in (queries[kb.dbms].comment, ""): + for comment in (queries[kb.dbms].comment.query, ""): if conf.uTech == "orderby": columns = __unionTestByOrderBy(comment) else: diff --git a/lib/techniques/inband/union/use.py b/lib/techniques/inband/union/use.py index bc49fd218..d9a8d3598 100644 --- a/lib/techniques/inband/union/use.py +++ b/lib/techniques/inband/union/use.py @@ -65,12 +65,12 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh # NOTE: I assume that only queries that get data from a table can # return multiple entries if " FROM " in expression: - limitRegExp = re.search(queries[kb.dbms].limitregexp, expression, re.I) + limitRegExp = re.search(queries[kb.dbms].limitregexp.query, expression, re.I) if limitRegExp: if kb.dbms in ( "MySQL", "PostgreSQL" ): - limitGroupStart = queries[kb.dbms].limitgroupstart - limitGroupStop = queries[kb.dbms].limitgroupstop + limitGroupStart = queries[kb.dbms].limitgroupstart.query + limitGroupStop = queries[kb.dbms].limitgroupstop.query if limitGroupStart.isdigit(): startLimit = int(limitRegExp.group(int(limitGroupStart))) 
@@ -79,8 +79,8 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh limitCond = int(stopLimit) > 1 elif kb.dbms == "Microsoft SQL Server": - limitGroupStart = queries[kb.dbms].limitgroupstart - limitGroupStop = queries[kb.dbms].limitgroupstop + limitGroupStart = queries[kb.dbms].limitgroupstart.query + limitGroupStop = queries[kb.dbms].limitgroupstop.query if limitGroupStart.isdigit(): startLimit = int(limitRegExp.group(int(limitGroupStart))) @@ -104,7 +104,7 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh # (or similar, depending on the back-end DBMS) word if kb.dbms in ( "MySQL", "PostgreSQL" ): stopLimit += startLimit - untilLimitChar = expression.index(queries[kb.dbms].limitstring) + untilLimitChar = expression.index(queries[kb.dbms].limitstring.query) expression = expression[:untilLimitChar] elif kb.dbms == "Microsoft SQL Server": @@ -123,7 +123,7 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh if test: # Count the number of SQL query entries output - countFirstField = queries[kb.dbms].count % expressionFieldsList[0] + countFirstField = queries[kb.dbms].count.query % expressionFieldsList[0] countedExpression = origExpr.replace(expressionFields, countFirstField, 1) if re.search(" ORDER BY ", expression, re.I): diff --git a/lib/utils/resume.py b/lib/utils/resume.py index ff2fcaf88..044469025 100644 --- a/lib/utils/resume.py +++ b/lib/utils/resume.py @@ -14,6 +14,7 @@ from lib.core.common import calculateDeltaSeconds from lib.core.common import dataToSessionFile from lib.core.common import safeStringFormat from lib.core.common import randomStr +from lib.core.common import replaceNewlineTabs from lib.core.common import restoreDumpMarkedChars from lib.core.data import conf from lib.core.data import kb 
@@ -30,7 +31,7 @@ def queryOutputLength(expression, payload): Returns the query output length. """ - lengthQuery = queries[kb.dbms].length + lengthQuery = queries[kb.dbms].length.query select = re.search("\ASELECT\s+", expression, re.I) selectTopExpr = re.search("\ASELECT\s+TOP\s+[\d]+\s+(.+?)\s+FROM", expression, re.I) @@ -83,7 +84,7 @@ def queryOutputLength(expression, payload): if length == " ": length = 0 - + return count, length, regExpr def resume(expression, payload): @@ -141,7 +142,7 @@ def resume(expression, payload): if not kb.dbms: return None - substringQuery = queries[kb.dbms].substring + substringQuery = queries[kb.dbms].substring.query select = re.search("\ASELECT ", expression, re.I) _, length, regExpr = queryOutputLength(expression, payload) diff --git a/plugins/dbms/mssqlserver/enumeration.py b/plugins/dbms/mssqlserver/enumeration.py index 9c4dafb74..ba5cd3502 100644 --- a/plugins/dbms/mssqlserver/enumeration.py +++ b/plugins/dbms/mssqlserver/enumeration.py @@ -56,7 +56,7 @@ class Enumeration(GenericEnumeration): continue - query = rootQuery["inband"]["query"] % db + query = rootQuery.inband.query % db value = inject.getValue(query, blind=False) if value: @@ -74,7 +74,7 @@ class Enumeration(GenericEnumeration): infoMsg += "database '%s'" % db logger.info(infoMsg) - query = rootQuery["blind"]["count"] % db + query = rootQuery.blind.count % db count = inject.getValue(query, inband=False, charsetType=2) if not count.isdigit() or not len(count) or count == "0": @@ -86,7 +86,7 @@ class Enumeration(GenericEnumeration): tables = [] for index in range(int(count)): - query = rootQuery["blind"]["query"] % (db, index, db) + query = rootQuery.blind.query % (db, index, db) table = inject.getValue(query, inband=False) tables.append(table) kb.hintValue = table 
@@ -108,8 +108,8 @@ class Enumeration(GenericEnumeration): rootQuery = queries[kb.dbms].searchTable foundTbls = {} tblList = conf.tbl.split(",") - tblCond = rootQuery["inband"]["condition"] - dbCond = rootQuery["inband"]["condition2"] + tblCond = rootQuery.inband.condition + dbCond = rootQuery.inband.condition2 tblConsider, tblCondParam = self.likeOrExact("table") @@ -193,7 +193,7 @@ class Enumeration(GenericEnumeration): foundCols = {} dbs = {} colList = conf.col.split(",") - colCond = rootQuery["inband"]["condition"] + colCond = rootQuery.inband.condition colConsider, colCondParam = self.likeOrExact("column") if not len(kb.data.cachedDbs): diff --git a/plugins/dbms/oracle/enumeration.py b/plugins/dbms/oracle/enumeration.py index c97be10ff..c3cc35bec 100644 --- a/plugins/dbms/oracle/enumeration.py +++ b/plugins/dbms/oracle/enumeration.py @@ -38,11 +38,11 @@ class Enumeration(GenericEnumeration): if kb.unionPosition or conf.direct: if query2: - query = rootQuery["inband"]["query2"] - condition = rootQuery["inband"]["condition2"] + query = rootQuery.inband.query2 + condition = rootQuery.inband.condition2 else: - query = rootQuery["inband"]["query"] - condition = rootQuery["inband"]["condition"] + query = rootQuery.inband.query + condition = rootQuery.inband.condition if conf.user: users = conf.user.split(",") @@ -111,9 +111,9 @@ class Enumeration(GenericEnumeration): queryUser = user if query2: - query = rootQuery["blind"]["count2"] % queryUser + query = rootQuery.blind.count2 % queryUser else: - query = rootQuery["blind"]["count"] % queryUser + query = rootQuery.blind.count % queryUser count = inject.getValue(query, inband=False, expected="int", charsetType=2) if not count.isdigit() or not len(count) or count == "0": 
@@ -137,9 +137,9 @@ class Enumeration(GenericEnumeration): for index in indexRange: if query2: - query = rootQuery["blind"]["query2"] % (queryUser, index) + query = rootQuery.blind.query2 % (queryUser, index) else: - query = rootQuery["blind"]["query"] % (queryUser, index) + query = rootQuery.blind.query % (queryUser, index) role = inject.getValue(query, inband=False) # In Oracle we get the list of roles as string @@ -178,7 +178,7 @@ class Enumeration(GenericEnumeration): foundCols = {} dbs = { "USERS": {} } colList = conf.col.split(",") - colCond = rootQuery["inband"]["condition"] + colCond = rootQuery.inband.condition colConsider, colCondParam = self.likeOrExact("column") for column in colList: @@ -197,7 +197,7 @@ class Enumeration(GenericEnumeration): for db in dbs.keys(): if kb.unionPosition or conf.direct: - query = rootQuery["inband"]["query"] + query = rootQuery.inband.query query += colQuery values = inject.getValue(query, blind=False) @@ -234,7 +234,7 @@ class Enumeration(GenericEnumeration): infoMsg += " '%s' in database '%s'" % (column, db) logger.info(infoMsg) - query = rootQuery["blind"]["count2"] + query = rootQuery.blind.count2 query += " WHERE %s" % colQuery count = inject.getValue(query, inband=False, expected="int", charsetType=2) @@ -251,7 +251,7 @@ class Enumeration(GenericEnumeration): indexRange = getRange(count) for index in indexRange: - query = rootQuery["blind"]["query2"] + query = rootQuery.blind.query2 query += " WHERE %s" % colQuery query = agent.limitQuery(index, query) tbl = inject.getValue(query, inband=False) diff --git a/plugins/generic/enumeration.py b/plugins/generic/enumeration.py index 77b3351b5..f52ecbf4a 100644 --- a/plugins/generic/enumeration.py +++ b/plugins/generic/enumeration.py 
@@ -76,7 +76,7 @@ class Enumeration: if conf.unionUse or conf.unionTest: conf.dumper.technic("valid union", unionTest()) - query = queries[kb.dbms].banner + query = queries[kb.dbms].banner.query kb.data.banner = inject.getValue(query) bannerParser(kb.data.banner) @@ -97,7 +97,7 @@ class Enumeration: infoMsg = "fetching current user" logger.info(infoMsg) - query = queries[kb.dbms].currentUser + query = queries[kb.dbms].currentUser.query if not kb.data.currentUser: kb.data.currentUser = inject.getValue(query) @@ -108,7 +108,7 @@ class Enumeration: infoMsg = "fetching current database" logger.info(infoMsg) - query = queries[kb.dbms].currentDb + query = queries[kb.dbms].currentDb.query if not kb.data.currentDb: kb.data.currentDb = inject.getValue(query) @@ -119,7 +119,7 @@ class Enumeration: infoMsg = "testing if current user is DBA" logger.info(infoMsg) - query = agent.forgeCaseStatement(queries[kb.dbms].isDba) + query = agent.forgeCaseStatement(queries[kb.dbms].isDba.query) kb.data.isDba = inject.getValue(query, unpack=False, charsetType=1) @@ -136,9 +136,9 @@ class Enumeration: if kb.unionPosition or conf.direct: if condition: - query = rootQuery["inband"]["query2"] + query = rootQuery.inband.query2 else: - query = rootQuery["inband"]["query"] + query = rootQuery.inband.query value = inject.getValue(query, blind=False) if value: @@ -149,9 +149,9 @@ class Enumeration: logger.info(infoMsg) if condition: - query = rootQuery["blind"]["count2"] + query = rootQuery.blind.count2 else: - query = rootQuery["blind"]["count"] + query = rootQuery.blind.count count = inject.getValue(query, inband=False, expected="int", charsetType=2) if not count.isdigit() or not len(count) or count == "0": 
@@ -166,9 +166,9 @@ class Enumeration: for index in indexRange: if condition: - query = rootQuery["blind"]["query2"] % index + query = rootQuery.blind.query2 % index else: - query = rootQuery["blind"]["query"] % index + query = rootQuery.blind.query % index user = inject.getValue(query, inband=False) if user: @@ -193,11 +193,11 @@ class Enumeration: if kb.unionPosition or conf.direct: if kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ): - query = rootQuery["inband"]["query2"] + query = rootQuery.inband.query2 else: - query = rootQuery["inband"]["query"] + query = rootQuery.inband.query - condition = rootQuery["inband"]["condition"] + condition = rootQuery.inband.condition if conf.user: if "," in conf.user: @@ -256,9 +256,9 @@ class Enumeration: logger.info(infoMsg) if kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ): - query = rootQuery["blind"]["count2"] % user + query = rootQuery.blind.count2 % user else: - query = rootQuery["blind"]["count"] % user + query = rootQuery.blind.count % user count = inject.getValue(query, inband=False, expected="int", charsetType=2) if not count.isdigit() or not len(count) or count == "0": @@ -281,11 +281,11 @@ class Enumeration: for index in indexRange: if kb.dbms == "Microsoft SQL Server": if kb.dbmsVersion[0] in ( "2005", "2008" ): - query = rootQuery["blind"]["query2"] % (user, index, user) + query = rootQuery.blind.query2 % (user, index, user) else: - query = rootQuery["blind"]["query"] % (user, index, user) + query = rootQuery.blind.query % (user, index, user) else: - query = rootQuery["blind"]["query"] % (user, index) + query = rootQuery.blind.query % (user, index) password = inject.getValue(query, inband=False) password = parsePasswordHash(password) passwords.append(password) 
@@ -390,14 +390,14 @@ class Enumeration: if kb.unionPosition or conf.direct: if kb.dbms == "MySQL" and not kb.data.has_information_schema: - query = rootQuery["inband"]["query2"] - condition = rootQuery["inband"]["condition2"] + query = rootQuery.inband.query2 + condition = rootQuery.inband.condition2 elif kb.dbms == "Oracle" and query2: - query = rootQuery["inband"]["query2"] - condition = rootQuery["inband"]["condition2"] + query = rootQuery.inband.query2 + condition = rootQuery.inband.condition2 else: - query = rootQuery["inband"]["query"] - condition = rootQuery["inband"]["condition"] + query = rootQuery.inband.query + condition = rootQuery.inband.condition if conf.user: users = conf.user.split(",") @@ -506,13 +506,13 @@ class Enumeration: queryUser = user if kb.dbms == "MySQL" and not kb.data.has_information_schema: - query = rootQuery["blind"]["count2"] % queryUser + query = rootQuery.blind.count2 % queryUser elif kb.dbms == "MySQL" and kb.data.has_information_schema: - query = rootQuery["blind"]["count"] % (conditionChar, queryUser) + query = rootQuery.blind.count % (conditionChar, queryUser) elif kb.dbms == "Oracle" and query2: - query = rootQuery["blind"]["count2"] % queryUser + query = rootQuery.blind.count2 % queryUser else: - query = rootQuery["blind"]["count"] % queryUser + query = rootQuery.blind.count % queryUser count = inject.getValue(query, inband=False, expected="int", charsetType=2) if not count.isdigit() or not len(count) or count == "0": 
@@ -540,15 +540,15 @@ class Enumeration:
 for index in indexRange:
 if kb.dbms == "MySQL" and not kb.data.has_information_schema:
- query = rootQuery["blind"]["query2"] % (queryUser, index)
+ query = rootQuery.blind.query2 % (queryUser, index)
 elif kb.dbms == "MySQL" and kb.data.has_information_schema:
- query = rootQuery["blind"]["query"] % (conditionChar, queryUser, index)
+ query = rootQuery.blind.query % (conditionChar, queryUser, index)
 elif kb.dbms == "Oracle" and query2:
- query = rootQuery["blind"]["query2"] % (queryUser, index)
+ query = rootQuery.blind.query2 % (queryUser, index)
 elif kb.dbms == "Firebird":
- query = rootQuery["blind"]["query"] % (index, queryUser)
+ query = rootQuery.blind.query % (index, queryUser)
 else:
- query = rootQuery["blind"]["query"] % (queryUser, index)
+ query = rootQuery.blind.query % (queryUser, index)
 privilege = inject.getValue(query, inband=False)
 # In PostgreSQL we get 1 if the privilege is True,
@@ -636,9 +636,9 @@ class Enumeration:
 if kb.unionPosition or conf.direct:
 if kb.dbms == "MySQL" and not kb.data.has_information_schema:
- query = rootQuery["inband"]["query2"]
+ query = rootQuery.inband.query2
 else:
- query = rootQuery["inband"]["query"]
+ query = rootQuery.inband.query
 value = inject.getValue(query, blind=False)
 if value:
@@ -649,9 +649,9 @@ class Enumeration:
 logger.info(infoMsg)
 if kb.dbms == "MySQL" and not kb.data.has_information_schema:
- query = rootQuery["blind"]["count2"]
+ query = rootQuery.blind.count2
 else:
- query = rootQuery["blind"]["count"]
+ query = rootQuery.blind.count
 count = inject.getValue(query, inband=False, expected="int", charsetType=2)
 if not count.isdigit() or not len(count) or count == "0":
@@ -662,9 +662,9 @@ class Enumeration:
 for index in indexRange:
 if kb.dbms == "MySQL" and not kb.data.has_information_schema:
- query = rootQuery["blind"]["query2"] % index
+ query = rootQuery.blind.query2 % index
 else:
- query = rootQuery["blind"]["query"] % index
+ query = rootQuery.blind.query % index
 db = inject.getValue(query, inband=False)
 if db:
@@ -702,8 +702,8 @@ class Enumeration:
 rootQuery = queries[kb.dbms].tables
 if kb.unionPosition or conf.direct:
- query = rootQuery["inband"]["query"]
- condition = rootQuery["inband"]["condition"]
+ query = rootQuery.inband.query
+ condition = rootQuery.inband.condition
 if conf.db and kb.dbms != "SQLite":
 if "," in conf.db:
@@ -762,9 +762,9 @@ class Enumeration:
 logger.info(infoMsg)
 if kb.dbms in ("SQLite", "Firebird"):
- query = rootQuery["blind"]["count"]
+ query = rootQuery.blind.count
 else:
- query = rootQuery["blind"]["count"] % db
+ query = rootQuery.blind.count % db
 count = inject.getValue(query, inband=False, expected="int", charsetType=2)
 if not count.isdigit() or not len(count) or count == "0":
@@ -783,9 +783,9 @@ class Enumeration:
 for index in indexRange:
 if kb.dbms in ("SQLite", "Firebird"):
- query = rootQuery["blind"]["query"] % index
+ query = rootQuery.blind.query % index
 else:
- query = rootQuery["blind"]["query"] % (db, index)
+ query = rootQuery.blind.query % (db, index)
 table = inject.getValue(query, inband=False)
 tables.append(table)
 kb.hintValue = table
@@ -880,7 +880,7 @@ class Enumeration:
 }
 rootQuery = queries[kb.dbms].columns
- condition = rootQuery["blind"]["condition"]
+ condition = rootQuery.blind.condition
 infoMsg = "fetching columns "
@@ -899,19 +899,19 @@ class Enumeration:
 if kb.unionPosition or conf.direct:
 if kb.dbms in ( "MySQL", "PostgreSQL" ):
- query = rootQuery["inband"]["query"] % (conf.tbl, conf.db)
+ query = rootQuery.inband.query % (conf.tbl, conf.db)
 query += condQuery
 elif kb.dbms == "Oracle":
- query = rootQuery["inband"]["query"] % conf.tbl.upper()
+ query = rootQuery.inband.query % conf.tbl.upper()
 query += condQuery
 elif kb.dbms == "Microsoft SQL Server":
- query = rootQuery["inband"]["query"] % (conf.db, conf.db,
+ query = rootQuery.inband.query % (conf.db, conf.db,
 conf.db, conf.db, conf.db, conf.db, conf.db, conf.tbl)
 query += condQuery.replace("[DB]", conf.db)
 elif kb.dbms == "SQLite":
- query = rootQuery["inband"]["query"] % conf.tbl
+ query = rootQuery.inband.query % conf.tbl
 value = inject.getValue(query, blind=False)
@@ -936,16 +936,16 @@ class Enumeration:
 logger.info(infoMsg)
 if kb.dbms in ( "MySQL", "PostgreSQL" ):
- query = rootQuery["blind"]["count"] % (conf.tbl, conf.db)
+ query = rootQuery.blind.count % (conf.tbl, conf.db)
 query += condQuery
 elif kb.dbms == "Oracle":
- query = rootQuery["blind"]["count"] % conf.tbl.upper()
+ query = rootQuery.blind.count % conf.tbl.upper()
 query += condQuery
 elif kb.dbms == "Microsoft SQL Server":
- query = rootQuery["blind"]["count"] % (conf.db, conf.db, conf.tbl)
+ query = rootQuery.blind.count % (conf.db, conf.db, conf.tbl)
 query += condQuery.replace("[DB]", conf.db)
 elif kb.dbms == "Firebird":
- query = rootQuery["blind"]["count"] % (conf.tbl)
+ query = rootQuery.blind.count % (conf.tbl)
 query += condQuery
 count = inject.getValue(query, inband=False, expected="int", charsetType=2)
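Review bot: In the Firebird branch of the -936 hunk, `rootQuery.blind.count % (conf.tbl)` parenthesises a single value that is not a tuple; it reads like a one-element tuple and would silently unpack if `conf.tbl` were ever one. Writing it as `query = rootQuery.blind.count % conf.tbl` matches the Oracle branch two lines above. The same form recurs in the -963 hunk on the next line (`% (conf.tbl.upper())` and `% (conf.tbl)`). The enclosing method starts and ends outside the hunk.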
@@ -963,22 +963,22 @@ class Enumeration:
 for index in indexRange:
 if kb.dbms in ( "MySQL", "PostgreSQL" ):
- query = rootQuery["blind"]["query"] % (conf.tbl, conf.db)
+ query = rootQuery.blind.query % (conf.tbl, conf.db)
 query += condQuery
 field = None
 elif kb.dbms == "Oracle":
- query = rootQuery["blind"]["query"] % (conf.tbl.upper())
+ query = rootQuery.blind.query % (conf.tbl.upper())
 query += condQuery
 field = None
 elif kb.dbms == "Microsoft SQL Server":
- query = rootQuery["blind"]["query"] % (conf.db, conf.db,
+ query = rootQuery.blind.query % (conf.db, conf.db,
 conf.db, conf.db, conf.db, conf.db, conf.tbl)
 query += condQuery.replace("[DB]", conf.db)
 field = condition.replace("[DB]", conf.db)
 elif kb.dbms == "Firebird":
- query = rootQuery["blind"]["query"] % (conf.tbl)
+ query = rootQuery.blind.query % (conf.tbl)
 query += condQuery
 field = None
@@ -987,15 +987,15 @@ class Enumeration:
 if not onlyColNames:
 if kb.dbms in ( "MySQL", "PostgreSQL" ):
- query = rootQuery["blind"]["query2"] % (conf.tbl, column, conf.db)
+ query = rootQuery.blind.query2 % (conf.tbl, column, conf.db)
 elif kb.dbms == "Oracle":
- query = rootQuery["blind"]["query2"] % (conf.tbl.upper(), column)
+ query = rootQuery.blind.query2 % (conf.tbl.upper(), column)
 elif kb.dbms == "Microsoft SQL Server":
- query = rootQuery["blind"]["query2"] % (conf.db, conf.db, conf.db,
+ query = rootQuery.blind.query2 % (conf.db, conf.db, conf.db,
 conf.db, column, conf.db, conf.db, conf.db, conf.tbl)
 elif kb.dbms == "Firebird":
- query = rootQuery["blind"]["query2"] % (conf.tbl, column)
+ query = rootQuery.blind.query2 % (conf.tbl, column)
 colType = inject.getValue(query, inband=False)
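Review bot: The `if`/`elif` chain in the -963 hunk has no fall-through branch: for a `kb.dbms` it does not list (SQLite has a branch in the inband chain at -899 but none here) `query` presumably keeps whatever the previous statement left in it, or is unbound on the first pass, and a stale query goes to `inject.getValue`. The same holds for the -987 chain below it and for the dump chain at -1162 on the next line, which lists no Firebird branch. Unless a guard outside the hunk restricts `kb.dbms` to the listed values, a trailing `else: raise sqlmapUnsupportedFeatureException, "unsupported DBMS"`, as in the misc.py hunk further down, would fail loudly instead of sending the wrong template. The enclosing method starts and ends outside the hunk.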
@@ -1078,11 +1078,11 @@ class Enumeration:
 if kb.unionPosition or conf.direct:
 if kb.dbms == "Oracle":
- query = rootQuery["inband"]["query"] % (colString, conf.tbl.upper())
+ query = rootQuery.inband.query % (colString, conf.tbl.upper())
 elif kb.dbms == "SQLite":
- query = rootQuery["inband"]["query"] % (colString, conf.tbl)
+ query = rootQuery.inband.query % (colString, conf.tbl)
 else:
- query = rootQuery["inband"]["query"] % (colString, conf.db, conf.tbl)
+ query = rootQuery.inband.query % (colString, conf.db, conf.tbl)
 entries = inject.getValue(query, blind=False, dump=True)
 if entries:
@@ -1126,11 +1126,11 @@ class Enumeration:
 logger.info(infoMsg)
 if kb.dbms == "Oracle":
- query = rootQuery["blind"]["count"] % conf.tbl.upper()
+ query = rootQuery.blind.count % conf.tbl.upper()
 elif kb.dbms == "SQLite":
- query = rootQuery["blind"]["count"] % conf.tbl
+ query = rootQuery.blind.count % conf.tbl
 else:
- query = rootQuery["blind"]["count"] % (conf.db, conf.tbl)
+ query = rootQuery.blind.count % (conf.db, conf.tbl)
 count = inject.getValue(query, inband=False, expected="int", charsetType=2)
 if not count.isdigit() or not len(count) or count == "0":
@@ -1162,19 +1162,19 @@ class Enumeration:
 entries[column] = []
 if kb.dbms in ( "MySQL", "PostgreSQL" ):
- query = rootQuery["blind"]["query"] % (column, conf.db,
+ query = rootQuery.blind.query % (column, conf.db,
 conf.tbl, index)
 elif kb.dbms == "Oracle":
- query = rootQuery["blind"]["query"] % (column, column,
+ query = rootQuery.blind.query % (column, column,
 conf.tbl.upper(), index)
 elif kb.dbms == "Microsoft SQL Server":
- query = rootQuery["blind"]["query"] % (column, conf.db,
+ query = rootQuery.blind.query % (column, conf.db,
 conf.tbl, column, index, column, conf.db, conf.tbl)
 elif kb.dbms == "SQLite":
- query = rootQuery["blind"]["query"] % (column, conf.tbl, index)
+ query = rootQuery.blind.query % (column, conf.tbl, index)
 value = inject.getValue(query, inband=False)
@@ -1311,9 +1311,9 @@ class Enumeration:
 dbList = conf.db.split(",")
 if kb.dbms == "MySQL" and not kb.data.has_information_schema:
- dbCond = rootQuery["inband"]["condition2"]
+ dbCond = rootQuery.inband.condition2
 else:
- dbCond = rootQuery["inband"]["condition"]
+ dbCond = rootQuery.inband.condition
 dbConsider, dbCondParam = self.likeOrExact("database")
@@ -1336,9 +1336,9 @@ class Enumeration:
 if kb.unionPosition or conf.direct:
 if kb.dbms == "MySQL" and not kb.data.has_information_schema:
- query = rootQuery["inband"]["query2"]
+ query = rootQuery.inband.query2
 else:
- query = rootQuery["inband"]["query"]
+ query = rootQuery.inband.query
 query += dbQuery
 query += exclDbsQuery
 values = inject.getValue(query, blind=False)
@@ -1357,9 +1357,9 @@ class Enumeration:
 logger.info(infoMsg)
 if kb.dbms == "MySQL" and not kb.data.has_information_schema:
- query = rootQuery["blind"]["count2"]
+ query = rootQuery.blind.count2
 else:
- query = rootQuery["blind"]["count"]
+ query = rootQuery.blind.count
 query += dbQuery
 query += exclDbsQuery
 count = inject.getValue(query, inband=False, expected="int", charsetType=2)
@@ -1377,9 +1377,9 @@ class Enumeration:
 for index in indexRange:
 if kb.dbms == "MySQL" and not kb.data.has_information_schema:
- query = rootQuery["blind"]["query2"]
+ query = rootQuery.blind.query2
 else:
- query = rootQuery["blind"]["query"]
+ query = rootQuery.blind.query
 query += dbQuery
 query += exclDbsQuery
 query = agent.limitQuery(index, query, dbCond)
@@ -1397,8 +1397,8 @@ class Enumeration:
 rootQuery = queries[kb.dbms].searchTable
 foundTbls = {}
 tblList = conf.tbl.split(",")
- tblCond = rootQuery["inband"]["condition"]
- dbCond = rootQuery["inband"]["condition2"]
+ tblCond = rootQuery.inband.condition
+ dbCond = rootQuery.inband.condition2
 tblConsider, tblCondParam = self.likeOrExact("table")
@@ -1423,7 +1423,7 @@ class Enumeration:
 tblQuery = tblQuery % tbl
 if kb.unionPosition or conf.direct:
- query = rootQuery["inband"]["query"]
+ query = rootQuery.inband.query
 query += tblQuery
 query += exclDbsQuery
 values = inject.getValue(query, blind=False)
@@ -1444,7 +1444,7 @@ class Enumeration:
 infoMsg += " '%s'" % tbl
 logger.info(infoMsg)
- query = rootQuery["blind"]["count"]
+ query = rootQuery.blind.count
 query += tblQuery
 query += exclDbsQuery
 count = inject.getValue(query, inband=False, expected="int", charsetType=2)
@@ -1461,7 +1461,7 @@ class Enumeration:
 indexRange = getRange(count)
 for index in indexRange:
- query = rootQuery["blind"]["query"]
+ query = rootQuery.blind.query
 query += tblQuery
 query += exclDbsQuery
 query = agent.limitQuery(index, query)
@@ -1481,7 +1481,7 @@ class Enumeration:
 infoMsg += " '%s' in database '%s'" % (tbl, db)
 logger.info(infoMsg)
- query = rootQuery["blind"]["count2"]
+ query = rootQuery.blind.count2
 query = query % db
 query += " AND %s" % tblQuery
 count = inject.getValue(query, inband=False, expected="int", charsetType=2)
@@ -1499,7 +1499,7 @@ class Enumeration:
 indexRange = getRange(count)
 for index in indexRange:
- query = rootQuery["blind"]["query2"]
+ query = rootQuery.blind.query2
 query = query % db
 query += " AND %s" % tblQuery
 query = agent.limitQuery(index, query)
@@ -1519,8 +1519,8 @@ class Enumeration:
 foundCols = {}
 dbs = {}
 colList = conf.col.split(",")
- colCond = rootQuery["inband"]["condition"]
- dbCond = rootQuery["inband"]["condition2"]
+ colCond = rootQuery.inband.condition
+ dbCond = rootQuery.inband.condition2
 colConsider, colCondParam = self.likeOrExact("column")
@@ -1544,7 +1544,7 @@ class Enumeration:
 colQuery = colQuery % column
 if kb.unionPosition or conf.direct:
- query = rootQuery["inband"]["query"]
+ query = rootQuery.inband.query
 query += colQuery
 query += exclDbsQuery
 values = inject.getValue(query, blind=False)
@@ -1583,7 +1583,7 @@ class Enumeration:
 infoMsg += " '%s'" % column
 logger.info(infoMsg)
- query = rootQuery["blind"]["count"]
+ query = rootQuery.blind.count
 query += colQuery
 query += exclDbsQuery
 count = inject.getValue(query, inband=False, expected="int", charsetType=2)
@@ -1600,7 +1600,7 @@ class Enumeration:
 indexRange = getRange(count)
 for index in indexRange:
- query = rootQuery["blind"]["query"]
+ query = rootQuery.blind.query
 query += colQuery
 query += exclDbsQuery
 query = agent.limitQuery(index, query)
@@ -1623,7 +1623,7 @@ class Enumeration:
 infoMsg += " '%s' in database '%s'" % (column, db)
 logger.info(infoMsg)
- query = rootQuery["blind"]["count2"]
+ query = rootQuery.blind.count2
 query = query % db
 query += " AND %s" % colQuery
 count = inject.getValue(query, inband=False, expected="int", charsetType=2)
@@ -1641,7 +1641,7 @@ class Enumeration:
 indexRange = getRange(count)
 for index in indexRange:
- query = rootQuery["blind"]["query2"]
+ query = rootQuery.blind.query2
 query = query % db
 query += " AND %s" % colQuery
 query = agent.limitQuery(index, query)
diff --git a/plugins/generic/misc.py b/plugins/generic/misc.py
index 5abaad4dd..619bd4835 100644
--- a/plugins/generic/misc.py
+++ b/plugins/generic/misc.py
@@ -67,7 +67,7 @@ class Miscellaneous:
 else:
 raise sqlmapUnsupportedFeatureException, "unsupported DBMS"
- query = queries[kb.dbms].substring % (queries[kb.dbms].banner, first, last)
+ query = queries[kb.dbms].substring.query % (queries[kb.dbms].banner.query, first, last)
 if conf.direct:
 query = "SELECT %s" % query