diff --git a/doc/ChangeLog b/doc/ChangeLog
index ae84d3f28..51410e63b 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -2,10 +2,17 @@ sqlmap (0.6.3-1) stable; urgency=low
 * Minor enhancement to be able to specify the number of seconds to wait between each HTTP request;
+ * Minor enhancement to be able to enumerate table columns and dump table
+ entries also if the database name is not provided by using the current
+ database on MySQL and MSSQL, the 'public' scheme on PostgreSQL and the
+ 'USERS' TABLESPACE_NAME on Oracle;
 * Minor improvements to sqlmap Debian package files: sqlmap uploaded to official Debian project repository;
 * Minor bug fix to handle session.error and session.timeout in HTTP requests;
+ * Minor bug fix so that when the user provide a SELECT statement to be
+ processed with an asterisk as columns, now it also work if in the FROM
+ there is no database name specified;
 * Minor bug fix to correctly dump table entries when the column is provided;
diff --git a/lib/controller/action.py b/lib/controller/action.py
index 2ac3e954c..c94e4a54c 100644
--- a/lib/controller/action.py
+++ b/lib/controller/action.py
@@ -31,6 +31,7 @@ from lib.core.data import kb
 from lib.core.dump import dumper
 from lib.core.exception import sqlmapUnsupportedDBMSException
 from lib.core.settings import SUPPORTED_DBMS
+from lib.techniques.blind.timebased import timeTest
 from lib.techniques.inband.union.test import unionTest
@@ -70,7 +71,7 @@ def action():
 # Techniques options
 if conf.timeTest:
- dumper.string("time based sql injection", conf.dbmsHandler.timeTest())
+ dumper.string("time based blind sql injection payload", timeTest())
 if conf.unionTest:
 dumper.string("valid union", unionTest())
diff --git a/lib/core/settings.py b/lib/core/settings.py
index 85aee29d9..dbb947b55 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py 
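Review bot: `dumper.string("time based blind sql injection payload", timeTest())` hands `None` to the dumper whenever the delay is not observed, because the new `timeTest()` in lib/techniques/blind/timebased.py returns `None` on that path, so the report presumably shows a bare "None" where the removed `Enumeration.timeTest` printed "False". Map the result before dumping, e.g. `payload = timeTest()` / `dumper.string("time based blind sql injection payload", payload if payload else "not confirmed")`, or have `timeTest()` return a descriptive string on both paths. `action()` continues outside the hunk, so any other consumer of this value is not visible here.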
@@ -65,4 +65,4 @@ ORACLE_ALIASES = [ "oracle", "orcl", "ora", "or" ]
 SUPPORTED_DBMS = MSSQL_ALIASES + MYSQL_ALIASES + PGSQL_ALIASES + ORACLE_ALIASES
-TIME_SECONDS = 5
+TIME_DELAY = 5
diff --git a/lib/request/inject.py b/lib/request/inject.py
index f8923d7de..b39847ab5 100644
--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@@ -38,10 +38,10 @@ from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.data import queries
 from lib.core.data import temp
-from lib.core.settings import TIME_SECONDS
+from lib.core.settings import TIME_DELAY
 from lib.request.connect import Connect as Request
 from lib.techniques.inband.union.use import unionUse
-from lib.techniques.inference.blind import bisection
+from lib.techniques.blind.inference import bisection
 from lib.utils.resume import queryOutputLength
 from lib.utils.resume import resume
@@ -388,8 +388,9 @@ def goStacked(expression, timeTest=False):
 TODO: write description
 """
+ comment = queries[kb.dbms].comment
 query = agent.prefixQuery("; %s" % expression)
- query = agent.postfixQuery(query)
+ query = agent.postfixQuery("%s; %s" % (query, comment))
 payload = agent.payload(newValue=query)
 start = time.time()
@@ -397,6 +398,6 @@ def goStacked(expression, timeTest=False):
 duration = int(time.time() - start)
 if timeTest:
- return (duration >= TIME_SECONDS, payload)
+ return (duration >= TIME_DELAY, payload)
 else:
- return duration >= TIME_SECONDS
+ return duration >= TIME_DELAY
diff --git a/lib/techniques/inference/__init__.py b/lib/techniques/blind/__init__.py
similarity index 100%
rename from lib/techniques/inference/__init__.py
rename to lib/techniques/blind/__init__.py
diff --git a/lib/techniques/inference/blind.py b/lib/techniques/blind/inference.py
similarity index 100%
rename from lib/techniques/inference/blind.py
rename to lib/techniques/blind/inference.py
diff --git a/lib/techniques/blind/timebased.py b/lib/techniques/blind/timebased.py
new file mode 100644
index 000000000..14cda73c3
--- /dev/null 
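Review bot: The docstring of `goStacked` still reads `TODO: write description` while this hunk changes the contract for every caller: the DBMS comment from `queries[kb.dbms].comment` is now appended after every stacked expression, not only the time-delay test, so any caller that still terminates its own expression would end up with a doubled terminator — worth checking the other `goStacked` call sites, which are not visible here. Replace the placeholder with a docstring stating that `expression` is prefixed with `; `, postfixed with `; <dbms comment>` via `agent.postfixQuery`, wrapped by `agent.payload`, and that the result is a bool, or a `(bool, payload)` tuple when `timeTest` is set. The `def` line and the timing code of `goStacked` are outside this hunk.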
+++ b/lib/techniques/blind/timebased.py
@@ -0,0 +1,45 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
+
+Copyright (c) 2006-2008 Bernardo Damele A. G.
+ and Daniele Bellucci
+
+sqlmap is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation version 2 of the License.
+
+sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along
+with sqlmap; if not, write to the Free Software Foundation, Inc., 51
+Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+"""
+
+
+
+from lib.core.data import kb
+from lib.core.data import logger
+from lib.core.data import queries
+from lib.core.settings import TIME_DELAY
+from lib.request import inject
+
+
+def timeTest():
+ infoMsg = "testing time based blind sql injection on parameter "
+ infoMsg += "'%s'" % kb.injParameter
+ logger.info(infoMsg)
+
+ query = queries[kb.dbms].timedelay % TIME_DELAY
+ timeTest = inject.goStacked(query, timeTest=True)
+
+ if timeTest[0] == True:
+ return timeTest[1]
+ else:
+ return None
diff --git a/lib/utils/resume.py b/lib/utils/resume.py
index 8e16d54c9..03d0311d2 100644
--- a/lib/utils/resume.py
+++ b/lib/utils/resume.py
@@ -32,7 +32,7 @@ from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.data import queries
 from lib.core.unescaper import unescaper
-from lib.techniques.inference.blind import bisection
+from lib.techniques.blind.inference import bisection
 def queryOutputLength(expression, payload):
diff --git a/plugins/generic/enumeration.py b/plugins/generic/enumeration.py
index 9d013d12c..fe903e089 100644
--- a/plugins/generic/enumeration.py 
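Review bot: In the new `timeTest()` the local `timeTest = inject.goStacked(query, timeTest=True)` shadows the function's own name and reads confusingly next to the keyword argument of the same name, and `if timeTest[0] == True:` compares a boolean by equality. Unpack the tuple and test truthiness instead: `delayed, payload = inject.goStacked(query, timeTest=True)` / `return payload if delayed else None`. The function also lacks a docstring; add one stating that it fills the DBMS-specific `timedelay` query from `queries[kb.dbms]` with `TIME_DELAY` seconds, sends it through `inject.goStacked`, and returns the payload that produced the delay or `None` otherwise, noting that `kb.dbms` presumably has to be set before the call since the query is looked up by it. Returning `None` rather than a message leaves the negative-result wording to the caller in lib/controller/action.py.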
+++ b/plugins/generic/enumeration.py
@@ -39,7 +39,6 @@ from lib.core.exception import sqlmapMissingMandatoryOptionException
 from lib.core.exception import sqlmapNoneDataException
 from lib.core.exception import sqlmapUndefinedMethod
 from lib.core.exception import sqlmapUnsupportedFeatureException
-from lib.core.settings import TIME_SECONDS
 from lib.core.shell import autoCompletion
 from lib.core.unescaper import unescaper
 from lib.request import inject
@@ -69,27 +68,6 @@ class Enumeration:
 temp.inference = queries[dbms].inference
- # TODO: move this function to an appropriate file
- def timeTest(self):
- infoMsg = "testing time based blind sql injection on parameter "
- infoMsg += "'%s'" % kb.injParameter
- logger.info(infoMsg)
-
- # TODO: probably the '; ' will be filled in in all
- # future time based SQL injection attacks at the end of the
- # stacked query. Find a way that goStacked() function itself
- # append it.
- query = "%s; " % queries[kb.dbms].timedelay % TIME_SECONDS
- query += queries[kb.dbms].comment
-
- self.timeTest = inject.goStacked(query, timeTest=True)
-
- if self.timeTest[0] == True:
- return "True, verified with payload: %s" % self.timeTest[1]
- else:
- return "False"
-
-
 def forceDbmsEnum(self):
 pass
diff --git a/xml/queries.xml b/xml/queries.xml
index 28b1d7d14..14d766a8c 100644
--- a/xml/queries.xml
+++ b/xml/queries.xml
@@ -72,7 +72,7 @@ - +