Skip to content

Commit 97c8b45

Browse files
committed
Minor patches
1 parent d9a4a09 commit 97c8b45

4 files changed

Lines changed: 22 additions & 3 deletions

File tree

lib/core/settings.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -20,7 +20,7 @@
2020
from thirdparty import six
2121

2222
# sqlmap version (<major>.<minor>.<month>.<monthly commit>)
23-
VERSION = "1.10.7.79"
23+
VERSION = "1.10.7.80"
2424
TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
2525
TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
2626
VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)

lib/utils/prove.py

Lines changed: 10 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -347,6 +347,10 @@ def proveExploitation():
347347
# back, exploitation is NOT proven; say so plainly instead of echoing the detection verdict.
348348
proven = bool(rungs)
349349

350+
# whether ANY confirmed technique here can return data inline; a stacked-query-only point cannot, so a
351+
# failed read-back below is expected there and must NOT be spun into a "false positive" verdict
352+
canReadBack = any(_ in injection.data for _ in (PAYLOAD.TECHNIQUE.BOOLEAN, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.TIME))
353+
350354
if proven:
351355
if proof:
352356
fields.append(_field("Proof", proof))
@@ -361,7 +365,12 @@ def proveExploitation():
361365
verdict = ["no value could be read back through the injection (tried a random arithmetic product and the DBMS banner)"]
362366
if suspectWaf:
363367
verdict.append("the TRUE/FALSE difference is only an HTTP %s (blocked) response - characteristic of a WAF/IPS, not a database answer" % signal.get("trueCode"))
364-
if wafInterfering:
368+
if not canReadBack:
369+
# e.g. stacked-query-only: no confirmed technique returns data inline, so a value cannot be read
370+
# back here - that is expected by design and is NOT evidence of a false positive
371+
verdict.append("this injection point exposes no data-returning channel (e.g. stacked queries), so a value cannot be read back inline - expected here, not a false positive")
372+
verdict.append("=> confirm exploitation through a side effect instead (e.g. '--os-shell', or '--sql-query' run with '--technique=S')")
373+
elif wafInterfering:
365374
# behind a WAF, an unconfirmed read-back is ambiguous: a genuine injection whose data-retrieval
366375
# payloads are being blocked looks the same as a pure WAF artifact - so don't assert "false
367376
# positive", point the user at the way to disambiguate instead

lib/utils/sqlalchemy.py

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -131,6 +131,15 @@ def execute(self, query):
131131
retVal = True
132132
except (_sqlalchemy.exc.OperationalError, _sqlalchemy.exc.ProgrammingError) as ex:
133133
logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG, "(remote) %s" % getSafeExString(ex))
134+
# Roll back the failed statement's transaction so it does not poison every following query with
135+
# 'InFailedSqlTransaction' (SQLAlchemy 2.0+ keeps the transaction open after an error). Without this
136+
# a single legitimately-failing probe - e.g. AURORA_VERSION() on vanilla PostgreSQL during
137+
# fingerprinting - made all later queries silently return wrong values (e.g. '--is-dba' read False)
138+
if hasattr(self.connector, "rollback"):
139+
try:
140+
self.connector.rollback()
141+
except Exception:
142+
pass
134143
except _sqlalchemy.exc.InternalError as ex:
135144
raise SqlmapConnectionException(getSafeExString(ex))
136145

tamper/space2mssqlhash.py

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -15,11 +15,12 @@ def tamper(payload, **kwargs):
1515
Replaces space character (' ') with a pound character ('#') followed by a new line ('\n')
1616
1717
Requirement:
18-
* MSSQL
1918
* MySQL
2019
2120
Notes:
2221
* Useful to bypass several web application firewalls
22+
* The '#' single-line comment used here is MySQL-only (despite this script's legacy name);
23+
T-SQL has no '#' comment, so it does not apply to Microsoft SQL Server
2324
2425
>>> tamper('1 AND 9227=9227')
2526
'1%23%0AAND%23%0A9227=9227'

0 commit comments

Comments
 (0)