sqlmap/lib/controller/action.py

#!/usr/bin/env python

"""
Copyright (c) 2006-2016 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""

from lib.controller.handler import setHandler
from lib.core.common import Backend
from lib.core.common import Format
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import paths
from lib.core.enums import CONTENT_TYPE
from lib.core.exception import SqlmapNoneDataException
from lib.core.exception import SqlmapUnsupportedDBMSException
from lib.core.settings import SUPPORTED_DBMS
from lib.techniques.brute.use import columnExists
from lib.techniques.brute.use import tableExists

def action():
    """
    This function exploit the SQL injection on the affected
    URL parameter and extract requested data from the
    back-end database management system or operating system
    if possible
    """

    # First of all we have to identify the back-end database management
    # system to be able to go ahead with the injection
    setHandler()

    if not Backend.getDbms() or not conf.dbmsHandler:
        htmlParsed = Format.getErrorParsedDBMSes()

        errMsg = "sqlmap was not able to fingerprint the "
        errMsg += "back-end database management system"

        if htmlParsed:
            errMsg += ", but from the HTML error page it was "
            errMsg += "possible to determinate that the "
            errMsg += "back-end DBMS is %s" % htmlParsed

        if htmlParsed and htmlParsed.lower() in SUPPORTED_DBMS:
            errMsg += ". Do not specify the back-end DBMS manually, "
            errMsg += "sqlmap will fingerprint the DBMS for you"
        elif kb.nullConnection:
            errMsg += ". You can try to rerun without using optimization "
            errMsg += "switch '%s'" % ("-o" if conf.optimize else "--null-connection")

        raise SqlmapUnsupportedDBMSException(errMsg)

    conf.dumper.singleString(conf.dbmsHandler.getFingerprint())

    # Enumeration options
    if conf.getBanner:
        conf.dumper.banner(conf.dbmsHandler.getBanner())

    if conf.getCurrentUser:
        conf.dumper.currentUser(conf.dbmsHandler.getCurrentUser())

    if conf.getCurrentDb:
        conf.dumper.currentDb(conf.dbmsHandler.getCurrentDb())

    if conf.getHostname:
        conf.dumper.hostname(conf.dbmsHandler.getHostname())

    if conf.isDba:
        conf.dumper.dba(conf.dbmsHandler.isDba())

    if conf.getUsers:
        conf.dumper.users(conf.dbmsHandler.getUsers())

    if conf.getPasswordHashes:
        try:
            conf.dumper.userSettings("database management system users password hashes",
                                    conf.dbmsHandler.getPasswordHashes(), "password hash", CONTENT_TYPE.PASSWORDS)
        except SqlmapNoneDataException, ex:
            logger.critical(ex)
        except:
            raise

    if conf.getPrivileges:
        try:
            conf.dumper.userSettings("database management system users privileges",
                                    conf.dbmsHandler.getPrivileges(), "privilege", CONTENT_TYPE.PRIVILEGES)
        except SqlmapNoneDataException, ex:
            logger.critical(ex)
        except:
            raise

    if conf.getRoles:
        try:
            conf.dumper.userSettings("database management system users roles",
                                    conf.dbmsHandler.getRoles(), "role", CONTENT_TYPE.ROLES)
        except SqlmapNoneDataException, ex:
            logger.critical(ex)
        except:
            raise

    if conf.getDbs:
        conf.dumper.dbs(conf.dbmsHandler.getDbs())

    if conf.getTables:
        conf.dumper.dbTables(conf.dbmsHandler.getTables())

    if conf.commonTables:
        conf.dumper.dbTables(tableExists(paths.COMMON_TABLES))

    if conf.getSchema:
        conf.dumper.dbTableColumns(conf.dbmsHandler.getSchema(), CONTENT_TYPE.SCHEMA)

    if conf.getColumns:
        conf.dumper.dbTableColumns(conf.dbmsHandler.getColumns(), CONTENT_TYPE.COLUMNS)

    if conf.getCount:
        conf.dumper.dbTablesCount(conf.dbmsHandler.getCount())

    if conf.commonColumns:
        conf.dumper.dbTableColumns(columnExists(paths.COMMON_COLUMNS))

    if conf.dumpTable:
        conf.dbmsHandler.dumpTable()

    if conf.dumpAll:
        conf.dbmsHandler.dumpAll()

    if conf.search:
        conf.dbmsHandler.search()

    if conf.query:
        conf.dumper.query(conf.query, conf.dbmsHandler.sqlQuery(conf.query))

    if conf.sqlShell:
        conf.dbmsHandler.sqlShell()

    if conf.sqlFile:
        conf.dbmsHandler.sqlFile()

    # User-defined function options
    if conf.udfInject:
        conf.dbmsHandler.udfInjectCustom()

    # File system options
    if conf.rFile:
        conf.dumper.rFile(conf.dbmsHandler.readFile(conf.rFile))

    if conf.wFile:
        conf.dbmsHandler.writeFile(conf.wFile, conf.dFile, conf.wFileType)

    # Operating system options
    if conf.osCmd:
        conf.dbmsHandler.osCmd()

    if conf.osShell:
        conf.dbmsHandler.osShell()

    if conf.osPwn:
        conf.dbmsHandler.osPwn()

    if conf.osSmb:
        conf.dbmsHandler.osSmb()

    if conf.osBof:
        conf.dbmsHandler.osBof()

    # Windows registry options
    if conf.regRead:
        conf.dumper.registerValue(conf.dbmsHandler.regRead())

    if conf.regAdd:
        conf.dbmsHandler.regAdd()

    if conf.regDel:
        conf.dbmsHandler.regDel()

    # Miscellaneous options
    if conf.cleanup:
        conf.dbmsHandler.cleanup()

    if conf.direct:
        conf.dbmsConnector.close()
reverted a previous commit as not all distributions create a link file /usr/bin/python2 to the Python interpreter 2013-02-14 15:32:17 +04:00			`#!/usr/bin/env python`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`"""`
Update of copyright string 2016-01-06 02:06:12 +03:00			`Copyright (c) 2006-2016 sqlmap developers (http://sqlmap.org/)`
sorry, cosmetics 2010-10-15 03:18:29 +04:00			`See the file 'doc/COPYING' for copying permission`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`"""`

			`from lib.controller.handler import setHandler`
refactoring (class names should always be Capital cased) 2011-01-28 19:36:09 +03:00			`from lib.core.common import Backend`
			`from lib.core.common import Format`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`from lib.core.data import conf`
			`from lib.core.data import kb`
Patch for an Issue #127 2012-10-05 12:49:31 +04:00			`from lib.core.data import logger`
changes regarding EXISTS feature 2010-09-30 16:35:45 +04:00			`from lib.core.data import paths`
variable renamed 2013-01-30 19:30:34 +04:00			`from lib.core.enums import CONTENT_TYPE`
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods) 2012-12-06 17:14:19 +04:00			`from lib.core.exception import SqlmapNoneDataException`
			`from lib.core.exception import SqlmapUnsupportedDBMSException`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`from lib.core.settings import SUPPORTED_DBMS`
update regarding brute force retrieval of table names and table column names 2010-11-09 19:15:55 +03:00			`from lib.techniques.brute.use import columnExists`
refactoring of brute force techniques 2010-11-09 12:42:43 +03:00			`from lib.techniques.brute.use import tableExists`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`def action():`
			`"""`
			`This function exploit the SQL injection on the affected`
Style and consistency update (url -> URL) 2013-04-09 13:48:42 +04:00			`URL parameter and extract requested data from the`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`back-end database management system or operating system`
			`if possible`
			`"""`

			`# First of all we have to identify the back-end database management`
			`# system to be able to go ahead with the injection`
Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments. 2010-03-27 02:23:25 +03:00			`setHandler()`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
refactoring (class names should always be Capital cased) 2011-01-28 19:36:09 +03:00			`if not Backend.getDbms() or not conf.dbmsHandler:`
			`htmlParsed = Format.getErrorParsedDBMSes()`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Minor code restyling 2011-04-30 17:20:05 +04:00			`errMsg = "sqlmap was not able to fingerprint the "`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`errMsg += "back-end database management system"`

			`if htmlParsed:`
			`errMsg += ", but from the HTML error page it was "`
			`errMsg += "possible to determinate that the "`
minor update 2012-05-09 14:06:23 +04:00			`errMsg += "back-end DBMS is %s" % htmlParsed`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`if htmlParsed and htmlParsed.lower() in SUPPORTED_DBMS:`
			`errMsg += ". Do not specify the back-end DBMS manually, "`
			`errMsg += "sqlmap will fingerprint the DBMS for you"`
update of dynamicity testing and few misc fixes 2010-11-05 16:14:12 +03:00			`elif kb.nullConnection:`
			`errMsg += ". You can try to rerun without using optimization "`
			`errMsg += "switch '%s'" % ("-o" if conf.optimize else "--null-connection")`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Replacing old and deprecated raise Exception style (PEP8) 2013-01-04 02:20:55 +04:00			`raise SqlmapUnsupportedDBMSException(errMsg)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
minor fix: add also back-end DBMS and web app fingerprint output to log file 2012-12-17 17:02:09 +04:00			`conf.dumper.singleString(conf.dbmsHandler.getFingerprint())`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`# Enumeration options`
			`if conf.getBanner:`
Adapted and merged in patch to support XML output (-x switch) - still in beta. Minor bug fixes and adjustments. 2010-05-28 20:43:04 +04:00			`conf.dumper.banner(conf.dbmsHandler.getBanner())`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`if conf.getCurrentUser:`
Adapted and merged in patch to support XML output (-x switch) - still in beta. Minor bug fixes and adjustments. 2010-05-28 20:43:04 +04:00			`conf.dumper.currentUser(conf.dbmsHandler.getCurrentUser())`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`if conf.getCurrentDb:`
Adapted and merged in patch to support XML output (-x switch) - still in beta. Minor bug fixes and adjustments. 2010-05-28 20:43:04 +04:00			`conf.dumper.currentDb(conf.dbmsHandler.getCurrentDb())`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
added --hostname switch to retrieve DBMS server hostname - closes issue #69 2012-07-12 03:01:57 +04:00			`if conf.getHostname:`
			`conf.dumper.hostname(conf.dbmsHandler.getHostname())`

Minor enhancement to support an option (--is-dba) to show if the current user is a database management system administrator. 2008-12-18 23:41:11 +03:00			`if conf.isDba:`
Adapted and merged in patch to support XML output (-x switch) - still in beta. Minor bug fixes and adjustments. 2010-05-28 20:43:04 +04:00			`conf.dumper.dba(conf.dbmsHandler.isDba())`
Minor enhancement to support an option (--is-dba) to show if the current user is a database management system administrator. 2008-12-18 23:41:11 +03:00
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`if conf.getUsers:`
Adapted and merged in patch to support XML output (-x switch) - still in beta. Minor bug fixes and adjustments. 2010-05-28 20:43:04 +04:00			`conf.dumper.users(conf.dbmsHandler.getUsers())`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`if conf.getPasswordHashes:`
Patch for an Issue #127 2012-10-05 12:49:31 +04:00			`try:`
			`conf.dumper.userSettings("database management system users password hashes",`
variable renamed 2013-01-30 19:30:34 +04:00			`conf.dbmsHandler.getPasswordHashes(), "password hash", CONTENT_TYPE.PASSWORDS)`
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods) 2012-12-06 17:14:19 +04:00			`except SqlmapNoneDataException, ex:`
Patch for an Issue #127 2012-10-05 12:49:31 +04:00			`logger.critical(ex)`
			`except:`
			`raise`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`if conf.getPrivileges:`
Patch for an Issue #127 2012-10-05 12:49:31 +04:00			`try:`
			`conf.dumper.userSettings("database management system users privileges",`
variable renamed 2013-01-30 19:30:34 +04:00			`conf.dbmsHandler.getPrivileges(), "privilege", CONTENT_TYPE.PRIVILEGES)`
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods) 2012-12-06 17:14:19 +04:00			`except SqlmapNoneDataException, ex:`
Patch for an Issue #127 2012-10-05 12:49:31 +04:00			`logger.critical(ex)`
			`except:`
			`raise`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Added support for --roles (for Oracle ROLE_PRIVS). Enhanced Oracle --privileges to fall-back to USER_SYS_PRIVS if DBA_SYS_PRIVS is not accessible (so session user is not DBA) - Fixes ticket #180. Minor enhancement to Firebird to determine if a DB user is a DBA. Minor code refactoring. 2010-03-25 18:46:06 +03:00			`if conf.getRoles:`
Patch for an Issue #127 2012-10-05 12:49:31 +04:00			`try:`
			`conf.dumper.userSettings("database management system users roles",`
variable renamed 2013-01-30 19:30:34 +04:00			`conf.dbmsHandler.getRoles(), "role", CONTENT_TYPE.ROLES)`
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods) 2012-12-06 17:14:19 +04:00			`except SqlmapNoneDataException, ex:`
Patch for an Issue #127 2012-10-05 12:49:31 +04:00			`logger.critical(ex)`
			`except:`
			`raise`
Added support for --roles (for Oracle ROLE_PRIVS). Enhanced Oracle --privileges to fall-back to USER_SYS_PRIVS if DBA_SYS_PRIVS is not accessible (so session user is not DBA) - Fixes ticket #180. Minor enhancement to Firebird to determine if a DB user is a DBA. Minor code refactoring. 2010-03-25 18:46:06 +03:00
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`if conf.getDbs:`
Adapted and merged in patch to support XML output (-x switch) - still in beta. Minor bug fixes and adjustments. 2010-05-28 20:43:04 +04:00			`conf.dumper.dbs(conf.dbmsHandler.getDbs())`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`if conf.getTables:`
Adapted and merged in patch to support XML output (-x switch) - still in beta. Minor bug fixes and adjustments. 2010-05-28 20:43:04 +04:00			`conf.dumper.dbTables(conf.dbmsHandler.getTables())`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Actually brute-force switches make more sense just after their "normal" version. Also, getSchema() method is preferably to be called before getColumns(), see next commit for reason 2011-04-30 01:09:07 +04:00			`if conf.commonTables:`
			`conf.dumper.dbTables(tableExists(paths.COMMON_TABLES))`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Added switch --schema to enumerate DBMS schema and now --columns does not require a mandatory table (-T) anymore, instead it will act as an alias for --schema 2011-04-29 03:59:00 +04:00			`if conf.getSchema:`
variable renamed 2013-01-30 19:30:34 +04:00			`conf.dumper.dbTableColumns(conf.dbmsHandler.getSchema(), CONTENT_TYPE.SCHEMA)`
update regarding brute force retrieval of table names and table column names 2010-11-09 19:15:55 +03:00
Actually brute-force switches make more sense just after their "normal" version. Also, getSchema() method is preferably to be called before getColumns(), see next commit for reason 2011-04-30 01:09:07 +04:00			`if conf.getColumns:`
variable renamed 2013-01-30 19:30:34 +04:00			`conf.dumper.dbTableColumns(conf.dbmsHandler.getColumns(), CONTENT_TYPE.COLUMNS)`
Actually brute-force switches make more sense just after their "normal" version. Also, getSchema() method is preferably to be called before getColumns(), see next commit for reason 2011-04-30 01:09:07 +04:00
Added --count switch to count the number of entries for a specific table (when -T is provided), all database's tables (when only -D is provided) or all databases' tables when neither -D nor -T are provided 2011-04-30 04:22:22 +04:00			`if conf.getCount:`
			`conf.dumper.dbTablesCount(conf.dbmsHandler.getCount())`

Actually brute-force switches make more sense just after their "normal" version. Also, getSchema() method is preferably to be called before getColumns(), see next commit for reason 2011-04-30 01:09:07 +04:00			`if conf.commonColumns:`
			`conf.dumper.dbTableColumns(columnExists(paths.COMMON_COLUMNS))`

After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`if conf.dumpTable:`
Major improvement for --dump. Minor improvement for --dump-all. Minor bug fix for infinite loop 2011-05-08 06:08:18 +04:00			`conf.dbmsHandler.dumpTable()`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`if conf.dumpAll:`
			`conf.dbmsHandler.dumpAll()`

Added option --search to work in conjunction with -D (done), -T (soon) or -C (replaces --dump -C) - See #190: * --search -D foobar: searches all database names like the ones provided * --search -T foobar: searches all databases' table names like the ones provided (soon) * --search -C foobar: replaces --dump -C 2010-05-07 17:40:57 +04:00			`if conf.search:`
			`conf.dbmsHandler.search()`

After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`if conf.query:`
Adapted and merged in patch to support XML output (-x switch) - still in beta. Minor bug fixes and adjustments. 2010-05-28 20:43:04 +04:00			`conf.dumper.query(conf.query, conf.dbmsHandler.sqlQuery(conf.query))`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`if conf.sqlShell:`
			`conf.dbmsHandler.sqlShell()`

initial work for issue #33 2012-07-10 03:27:08 +04:00			`if conf.sqlFile:`
			`conf.dbmsHandler.sqlFile()`

Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring. 2009-09-26 03:03:45 +04:00			`# User-defined function options`
			`if conf.udfInject:`
			`conf.dbmsHandler.udfInjectCustom()`

After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`# File system options`
			`if conf.rFile:`
forgot these 2012-12-19 18:12:45 +04:00			`conf.dumper.rFile(conf.dbmsHandler.readFile(conf.rFile))`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`if conf.wFile:`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`conf.dbmsHandler.writeFile(conf.wFile, conf.dFile, conf.wFileType)`

			`# Operating system options`
			`if conf.osCmd:`
			`conf.dbmsHandler.osCmd()`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`if conf.osShell:`
			`conf.dbmsHandler.osShell()`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
			`if conf.osPwn:`
			`conf.dbmsHandler.osPwn()`

			`if conf.osSmb:`
			`conf.dbmsHandler.osSmb()`

			`if conf.osBof:`
			`conf.dbmsHandler.osBof()`

Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring. 2009-09-26 03:03:45 +04:00			`# Windows registry options`
			`if conf.regRead:`
Adapted and merged in patch to support XML output (-x switch) - still in beta. Minor bug fixes and adjustments. 2010-05-28 20:43:04 +04:00			`conf.dumper.registerValue(conf.dbmsHandler.regRead())`
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring. 2009-09-26 03:03:45 +04:00
			`if conf.regAdd:`
			`conf.dbmsHandler.regAdd()`

			`if conf.regDel:`
			`conf.dbmsHandler.regDel()`

Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`# Miscellaneous options`
			`if conf.cleanup:`
			`conf.dbmsHandler.cleanup()`
Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments. 2010-03-27 02:23:25 +03:00
			`if conf.direct:`
			`conf.dbmsConnector.close()`