hub / github.com/sqlmapproject/sqlmap / heuristicCheckDbms

Function heuristicCheckDbms

lib/controller/checks.py:863–906

This function is called when boolean-based blind injection is identified with a generic payload and the DBMS has not yet been fingerprinted. It attempts to identify the DBMS with a simple DBMS-specific boolean-based test.

(injection)

Source from the content-addressed store, hash-verified

@stackedmethod
def heuristicCheckDbms(injection):
    """
    This functions is called when boolean-based blind is identified with a
    generic payload and the DBMS has not yet been fingerprinted to attempt
    to identify with a simple DBMS specific boolean-based test what the DBMS
    may be
    """

    retVal = False

    if conf.skipHeuristics:
        return retVal

    pushValue(kb.injection)
    kb.injection = injection

    for dbms in getPublicTypeMembers(DBMS, True):
        randStr1, randStr2 = randomStr(), randomStr()

        Backend.forceDbms(dbms)

        if dbms in HEURISTIC_NULL_EVAL:
            result = checkBooleanExpression("(SELECT %s%s) IS NULL" % (HEURISTIC_NULL_EVAL[dbms], FROM_DUMMY_TABLE.get(dbms, "")))
        elif not ((randStr1 in unescaper.escape("'%s'" % randStr1)) and list(FROM_DUMMY_TABLE.values()).count(FROM_DUMMY_TABLE.get(dbms, "")) != 1):
            result = checkBooleanExpression("(SELECT '%s'%s)=%s%s%s" % (randStr1, FROM_DUMMY_TABLE.get(dbms, ""), SINGLE_QUOTE_MARKER, randStr1, SINGLE_QUOTE_MARKER))
        else:
            result = False

        if result:
            if not checkBooleanExpression("(SELECT '%s'%s)=%s%s%s" % (randStr1, FROM_DUMMY_TABLE.get(dbms, ""), SINGLE_QUOTE_MARKER, randStr2, SINGLE_QUOTE_MARKER)):
                retVal = dbms
                break

    Backend.flushForcedDbms()
    kb.injection = popValue()

    if retVal:
        infoMsg = "heuristic (extended) test shows that the back-end DBMS "  # Not as important as "parsing" counter-part (because of false-positives)
        infoMsg += "could be '%s' " % retVal
        logger.info(infoMsg)

        kb.heuristicExtendedDbms = retVal

    return retVal

Callers 1

checkSqlInjection (Function) · 0.85

Calls 11

pushValue (Function) · 0.90
getPublicTypeMembers (Function) · 0.90
randomStr (Function) · 0.90
checkBooleanExpression (Function) · 0.90
popValue (Function) · 0.90
forceDbms (Method) · 0.80
values (Method) · 0.80
flushForcedDbms (Method) · 0.80
info (Method) · 0.80
get (Method) · 0.45
escape (Method) · 0.45

Tested by

no test coverage detected
