MCPcopy Index your code
hub / github.com/sqlmapproject/sqlmap / _goInferenceProxy

Function _goInferenceProxy

lib/request/inject.py:163–310  ·  view source on GitHub ↗

Retrieve the output of a SQL query characted by character taking advantage of an blind SQL injection vulnerability on the affected parameter through a bisection algorithm.

(expression, fromUser=False, batch=False, unpack=True, charsetType=None, firstChar=None, lastChar=None, dump=False)

Source from the content-addressed store, hash-verified

161 return outputs
162
163def _goInferenceProxy(expression, fromUser=False, batch=False, unpack=True, charsetType=None, firstChar=None, lastChar=None, dump=False):
164 """
165 Retrieve the output of a SQL query characted by character taking
166 advantage of an blind SQL injection vulnerability on the affected
167 parameter through a bisection algorithm.
168 """
169
170 initTechnique(getTechnique())
171
172 query = agent.prefixQuery(getTechniqueData().vector)
173 query = agent.suffixQuery(query)
174 payload = agent.payload(newValue=query)
175 count = None
176 startLimit = 0
177 stopLimit = None
178 outputs = BigArray()
179
180 if not unpack:
181 return _goInference(payload, expression, charsetType, firstChar, lastChar, dump)
182
183 _, _, _, _, _, expressionFieldsList, expressionFields, _ = agent.getFields(expression)
184
185 rdbRegExp = re.search(r"RDB\$GET_CONTEXT\([^)]+\)", expression, re.I)
186 if rdbRegExp and Backend.isDbms(DBMS.FIREBIRD):
187 expressionFieldsList = [expressionFields]
188
189 if len(expressionFieldsList) > 1:
190 infoMsg = "the SQL query provided has more than one field. "
191 infoMsg += "sqlmap will now unpack it into distinct queries "
192 infoMsg += "to be able to retrieve the output even if we "
193 infoMsg += "are going blind"
194 logger.info(infoMsg)
195
196 # If we have been here from SQL query/shell we have to check if
197 # the SQL query might return multiple entries and in such case
198 # forge the SQL limiting the query output one entry at a time
199 # NOTE: we assume that only queries that get data from a table
200 # can return multiple entries
201 if fromUser and " FROM " in expression.upper() and ((Backend.getIdentifiedDbms() not in FROM_DUMMY_TABLE) or (Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE and not expression.upper().endswith(FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]))) and not re.search(SQL_SCALAR_REGEX, expression, re.I) and hasattr(queries[Backend.getIdentifiedDbms()].limitregexp, "query"):
202 expression, limitCond, topLimit, startLimit, stopLimit = agent.limitCondition(expression)
203
204 if limitCond:
205 test = True
206
207 if stopLimit is None or stopLimit <= 1:
208 if Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE and expression.upper().endswith(FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]):
209 test = False
210
211 if test:
212 # Count the number of SQL query entries output
213 countFirstField = queries[Backend.getIdentifiedDbms()].count.query % expressionFieldsList[0]
214 countedExpression = expression.replace(expressionFields, countFirstField, 1)
215
216 if " ORDER BY " in countedExpression.upper():
217 _ = countedExpression.upper().rindex(" ORDER BY ")
218 countedExpression = countedExpression[:_]
219
220 if not stopLimit:

Callers 1

getValueFunction · 0.85

Calls 15

appendMethod · 0.95
initTechniqueFunction · 0.90
getTechniqueFunction · 0.90
getTechniqueDataFunction · 0.90
BigArrayClass · 0.90
isNumPosStrValueFunction · 0.90
readInputFunction · 0.90
isDigitFunction · 0.90
SqlmapDataExceptionClass · 0.90
isNoneValueFunction · 0.90
_goInferenceFunction · 0.85
xrangeClass · 0.85

Tested by

no test coverage detected

Used in the wild real call sites across dependent graphs

searching dependent graphs…