This function is called when boolean-based blind injection has been identified with a generic payload and the DBMS has not yet been fingerprinted. It attempts to identify what the DBMS may be using a simple DBMS-specific boolean-based test.
(injection)
| 861 | |
@stackedmethod
def heuristicCheckDbms(injection):
    """
    Guess the back-end DBMS with simple DBMS-specific boolean-based probes.

    Called when boolean-based blind has been identified with a generic
    payload and the DBMS has not yet been fingerprinted. Each candidate
    DBMS is forced in turn and probed with an expression that should be
    true on that DBMS; a hit is confirmed only when a second comparison
    against a different random string is not also reported as true.

    Returns the first DBMS that passes both probes, or False when none does
    or when conf.skipHeuristics is set. A hit is also stored in
    kb.heuristicExtendedDbms. The result is only a hint (the log message
    says "could be"), because this test is prone to false positives.
    """

    retVal = False

    if conf.skipHeuristics:
        return retVal

    # Probe through the supplied injection; the previous kb.injection is
    # parked on the value stack and put back once the loop is over
    pushValue(kb.injection)
    kb.injection = injection

    comparison = "(SELECT '%s'%s)=%s%s%s"

    for dbms in getPublicTypeMembers(DBMS, True):
        marker = randomStr()
        decoy = randomStr()

        Backend.forceDbms(dbms)

        dummyTable = FROM_DUMMY_TABLE.get(dbms, "")

        if dbms in HEURISTIC_NULL_EVAL:
            matched = checkBooleanExpression("(SELECT %s%s) IS NULL" % (HEURISTIC_NULL_EVAL[dbms], dummyTable))
        elif marker not in unescaper.escape("'%s'" % marker) or list(FROM_DUMMY_TABLE.values()).count(dummyTable) == 1:
            # The string comparison is used only when escaping rewrites the
            # literal or the dummy-table suffix is unique to this DBMS
            matched = checkBooleanExpression(comparison % (marker, dummyTable, SINGLE_QUOTE_MARKER, marker, SINGLE_QUOTE_MARKER))
        else:
            matched = False

        # Negative control: comparing against a different random string must
        # not be reported as true as well
        if matched and not checkBooleanExpression(comparison % (marker, dummyTable, SINGLE_QUOTE_MARKER, decoy, SINGLE_QUOTE_MARKER)):
            retVal = dbms
            break

    # NOTE(review): this restore is not in a finally block, so if a probe
    # raises, the forced DBMS and the kb.injection override are not undone
    # here - confirm the callers or the decorator cope with that
    Backend.flushForcedDbms()
    kb.injection = popValue()

    if retVal:
        # Not as important as "parsing" counter-part (because of false-positives)
        infoMsg = "heuristic (extended) test shows that the back-end DBMS " + ("could be '%s' " % retVal)
        logger.info(infoMsg)

        kb.heuristicExtendedDbms = retVal

    return retVal
| 907 | |
| 908 | @stackedmethod |
| 909 | def checkFalsePositives(injection): |