Implementing option '--where' (Issue sqlmapproject#605)

stamparm · stamparm · commit d05bfdd7dd2e · 2014-02-11T16:20:45.000+01:00
diff --git a/lib/core/optiondict.py b/lib/core/optiondict.py
@@ -129,6 +129,7 @@
                                "tbl":               "string",
                                "col":               "string",
                                "excludeCol":        "string",
+                               "dumpWhere":         "string",
                                "user":              "string",
                                "excludeSysDbs":     "boolean",
                                "limitStart":        "integer",
diff --git a/lib/parse/cmdline.py b/lib/parse/cmdline.py
@@ -424,6 +424,9 @@ def cmdLineParser():
                                help="Exclude DBMS system databases when "
                                     "enumerating tables")
 
+        enumeration.add_option("--where", dest="dumpWhere",
+                               help="Use WHERE condition while table dumping")
+
         enumeration.add_option("--start", dest="limitStart", type="int",
                                help="First query output entry to retrieve")
 
diff --git a/lib/utils/pivotdumptable.py b/lib/utils/pivotdumptable.py
@@ -38,6 +38,7 @@ def pivotDumpTable(table, colList, count=None, blind=True):
 
     if count is None:
         query = dumpNode.count % table
+        query = whereQuery(query)
         count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) if blind else inject.getValue(query, blind=False, time=False, expected=EXPECTED.INT)
 
     if isinstance(count, basestring) and count.isdigit():
@@ -83,6 +84,7 @@ def pivotDumpTable(table, colList, count=None, blind=True):
             logger.info(infoMsg)
 
             query = dumpNode.count2 % (column, table)
+            query = whereQuery(query)
             value = inject.getValue(query, blind=blind, union=not blind, error=not blind, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
 
             if isNumPosStrValue(value):
@@ -122,6 +124,8 @@ def _(pivotValue):
                     else:
                         query = dumpNode.query2.replace("'%s'", "%s") % (agent.preprocessField(table, column), table, agent.preprocessField(table, colList[0]), unescaper.escape(pivotValue, False))
 
+                    query = whereQuery(query)
+
                     return unArrayizeValue(inject.getValue(query, blind=blind, time=blind, union=not blind, error=not blind))
 
                 value = _(pivotValue)
@@ -163,3 +167,18 @@ def _(pivotValue):
         logger.critical(errMsg)
 
     return entries, lengths
+
+def whereQuery(query):
+    if conf.dumpWhere and query:
+        prefix, suffix = query.split(" ORDER BY ") if " ORDER BY " in query else (query, "")
+
+        if "%s)" % conf.tbl.upper() in prefix.upper():
+            prefix = re.sub(r"(?i)%s\)" % conf.tbl, "%s WHERE %s)" % (conf.tbl, conf.dumpWhere), prefix)
+        elif re.search(r"(?i)\bWHERE\b", prefix):
+            prefix += " AND %s" % conf.dumpWhere
+        else:
+            prefix += " WHERE %s" % conf.dumpWhere
+
+        query = "%s ORDER BY %s" % (prefix, suffix) if suffix else prefix
+
+    return query
diff --git a/plugins/generic/entries.py b/plugins/generic/entries.py
@@ -42,6 +42,7 @@
 from lib.request import inject
 from lib.utils.hash import attackDumpedTable
 from lib.utils.pivotdumptable import pivotDumpTable
+from lib.utils.pivotdumptable import whereQuery
 
 class Entries:
     """
@@ -175,6 +176,8 @@ def dumpTable(self, foundData=None):
                     else:
                         query = rootQuery.inband.query % (colString, conf.db, tbl)
 
+                    query = whereQuery(query)
+
                     if not entries and query:
                         entries = inject.getValue(query, blind=False, time=False, dump=True)
 
@@ -226,6 +229,8 @@ def dumpTable(self, foundData=None):
                     else:
                         query = rootQuery.blind.count % (conf.db, tbl)
 
+                    query = whereQuery(query)
+
                     count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
 
                     lengths = {}
@@ -300,6 +305,8 @@ def dumpTable(self, foundData=None):
                                     elif Backend.isDbms(DBMS.FIREBIRD):
                                         query = rootQuery.blind.query % (index, agent.preprocessField(tbl, column), tbl)
 
+                                    query = whereQuery(query)
+
                                     value = NULL if column in emptyColumns else inject.getValue(query, union=False, error=False, dump=True)
                                     value = '' if value is None else value
 
diff --git a/sqlmap.conf b/sqlmap.conf
@@ -458,6 +458,9 @@ col =
 # Back-end database management system database table column(s) to not enumerate.
 excludeCol = 
 
+# Use WHERE condition while table dumping (e.g. "id=1").
+dumpWhere = 
+
 # Back-end database management system database user to enumerate.
 user = 
 
