Refactoring to --technique

bdamele · bdamele · commit 17844eb87ca2 · 2011-04-07T10:00:47.000Z
diff --git a/doc/README.html b/doc/README.html
@@ -937,6 +937,7 @@ <H2><A NAME="s5">5.</A> <A HREF="#toc5">Usage</A></H2>
     These options can be used to tweak testing of specific SQL injection
     techniques.
 
+    --technique=TECH    SQL injection techniques to test for (default all)
     --time-sec=TIMESEC  Seconds to delay the DBMS response (default 5)
     --union-cols=UCOLS  Range of columns to test for UNION query SQL injection
     --union-char=UCHAR  Character to use for bruteforcing number of columns
@@ -1796,6 +1797,39 @@ <H2><A NAME="ss5.7">5.7</A> <A HREF="#toc5.7">Techniques</A>
 techniques.</P>
 
 
+<H3>SQL injection techniques to test for</H3>
+
+<P>Switch: <CODE>-</CODE><CODE>-technique</CODE></P>
+
+<P>This switch can be used to specify which SQL injection type to test for.
+By default sqlmap tests for <B>all</B> types/techniques it supports.</P>
+
+<P>In certain situations you may want to test only for one or few specific
+types of SQL injection thought and this is where this switch comes into
+play.</P>
+
+<P>This switch requires an argument. Such argument is a string composed by
+any combination of <CODE>B</CODE>, <CODE>E</CODE>, <CODE>U</CODE>, <CODE>S</CODE> and
+<CODE>T</CODE> characters where each letter stands for a different technique:</P>
+<P>
+<UL>
+<LI><CODE>B</CODE>: Boolean-based blind SQL injection</LI>
+<LI><CODE>E</CODE>: Error-based SQL injection</LI>
+<LI><CODE>U</CODE>: UNION query SQL injection</LI>
+<LI><CODE>S</CODE>: Stacked queries SQL injection</LI>
+<LI><CODE>T</CODE>: Time-based blind SQL injection</LI>
+</UL>
+</P>
+
+<P>For instance, you can provide <CODE>ES</CODE> if you want to test for and
+exploit error-based and stacked queries SQL injection types only.
+The default value is <CODE>BEUST</CODE>.</P>
+
+<P>Note that the string must include stacked queries technique letter,
+<CODE>S</CODE>, when you want to access the file system, takeover the
+operating system or access Windows registry hives.</P>
+
+
 <H3>Seconds to delay the DBMS response for time-based blind SQL injection</H3>
 
 <P>Switch: <CODE>-</CODE><CODE>-time-sec</CODE></P>
diff --git a/doc/README.pdf b/doc/README.pdf
diff --git a/doc/README.sgml b/doc/README.sgml
@@ -1791,7 +1791,36 @@ techniques.
 Switch: <tt>-</tt><tt>-technique</tt>
 
 <p>
-TODO
+This switch can be used to specify which SQL injection type to test for.
+By default sqlmap tests for <bf>all</bf> types/techniques it supports.
+
+<p>
+In certain situations you may want to test only for one or few specific
+types of SQL injection thought and this is where this switch comes into
+play.
+
+<p>
+This switch requires an argument. Such argument is a string composed by
+any combination of <tt>B</tt>, <tt>E</tt>, <tt>U</tt>, <tt>S</tt> and
+<tt>T</tt> characters where each letter stands for a different technique:
+
+<itemize>
+<item><tt>B</tt>: Boolean-based blind SQL injection
+<item><tt>E</tt>: Error-based SQL injection
+<item><tt>U</tt>: UNION query SQL injection
+<item><tt>S</tt>: Stacked queries SQL injection
+<item><tt>T</tt>: Time-based blind SQL injection
+</itemize>
+
+<p>
+For instance, you can provide <tt>ES</tt> if you want to test for and
+exploit error-based and stacked queries SQL injection types only.
+The default value is <tt>BEUST</tt>.
+
+<p>
+Note that the string must include stacked queries technique letter,
+<tt>S</tt>, when you want to access the file system, takeover the
+operating system or access Windows registry hives.
 
 
 <sect2>Seconds to delay the DBMS response for time-based blind SQL injection
diff --git a/lib/core/option.py b/lib/core/option.py
@@ -27,6 +27,7 @@
 from lib.controller.checks import checkConnection
 from lib.core.common import Backend
 from lib.core.common import dataToStdout
+from lib.core.common import getPublicTypeMembers
 from lib.core.common import extractRegexResult
 from lib.core.common import filterStringValue
 from lib.core.common import getConsoleWidth
@@ -605,8 +606,22 @@ def __setOS():
         raise sqlmapUnsupportedDBMSException, errMsg
 
 def __setTechnique():
-    if not conf.tech or not isinstance(conf.tech, int):
-        conf.tech = []
+    validTechniques = getPublicTypeMembers(PAYLOAD.TECHNIQUE)
+    selTechniques = []
+
+    if conf.tech and isinstance(conf.tech, basestring):
+        for t in conf.tech:
+            if t.upper() not in ("B", "E", "U", "S", "T"):
+                errMsg = "value for --technique must be a string composed "
+                errMsg += "by the letters B, E, U, S and T. Refer to the "
+                errMsg += "user's manual for details"
+                raise sqlmapSyntaxException, errMsg
+
+            for validTech, validInt in validTechniques:
+                if t.upper() == validTech[0]:
+                    selTechniques.append(validInt)
+                    break
+        conf.tech = selTechniques
     else:
         conf.tech = filter(lambda x: x in PAYLOAD.SQLINJECTION, [int(c) for c in str(conf.tech)])
 
@@ -617,7 +632,7 @@ def __setTechnique():
            'osCmd', 'osShell', 'osPwn', 'osSmb', 'osBof', 'regRead', \
            'regAdd', 'regDel'])) and PAYLOAD.TECHNIQUE.STACKED not in conf.tech:
             errMsg = "value for --technique must include stacked queries "
-            errMsg += "technique (4) when you want to access the file "
+            errMsg += "technique (S) when you want to access the file "
             errMsg += "system, takeover the operating system or access "
             errMsg += "Windows registry hives"
             raise sqlmapSyntaxException, errMsg
diff --git a/lib/core/optiondict.py b/lib/core/optiondict.py
@@ -70,7 +70,7 @@
                              },
 
             "Techniques":    {
-                               "tech":              "integer",
+                               "tech":              "string",
                                "timeSec":           "integer",
                                "uCols":             "string",
                                "uChar":             "string"
diff --git a/lib/parse/cmdline.py b/lib/parse/cmdline.py
@@ -207,9 +207,9 @@ def cmdLineParser():
                                  "used to tweak testing of specific SQL "
                                  "injection techniques.")
 
-        techniques.add_option("--technique", dest="tech", type="int",
-                          default=0, help="SQL injection techniques to "
-                                          "test for (default all)")
+        techniques.add_option("--technique", dest="tech", default="BEUST",
+                              help="SQL injection techniques to test for "
+                                   "(default BEUST)")
 
         techniques.add_option("--time-sec", dest="timeSec",
                               type="int", default=TIME_DEFAULT_DELAY,
diff --git a/sqlmap.conf b/sqlmap.conf
@@ -224,16 +224,16 @@ textOnly = False
 [Techniques]
 
 # SQL injection techniques to test for.
-# Valid: an integer composed by 1, 2, 3, 4 or 5 where:
-# 1: boolean-based blind SQL injection
-# 2: error-based SQL injection
-# 3: UNION query SQL injection
-# 4: stacked queries SQL injection
-# 5: time-based blind SQL injection
-# Example: 24 (means test for error-based and stacked queries SQL
+# Valid: a string composed by B, E, U, S and T where:
+# B: Boolean-based blind SQL injection
+# E: Error-based SQL injection
+# U: UNION query SQL injection
+# S: Stacked queries SQL injection
+# T: Time-based blind SQL injection
+# Example: ES (means test for error-based and stacked queries SQL
 # injection types only)
-# Default: 0 (means test for all SQL injection types - recommended)
-tech = 0
+# Default: BEUST (means test for all SQL injection types - recommended)
+tech = BEUST
 
 # Seconds to delay the response from the DBMS.
 # Valid: integer
