sqlmap/lib/techniques/error/use.py

69 lines
2.2 KiB
Python
Raw Normal View History

2010-10-20 13:09:04 +04:00
#!/usr/bin/env python
"""
$Id$
Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission
"""
import re
import time
from lib.core.agent import agent
2010-12-06 10:48:14 +03:00
from lib.core.common import extractRegexResult
2010-10-20 13:09:04 +04:00
from lib.core.common import getUnicode
2010-12-18 12:51:34 +03:00
from lib.core.common import initTechnique
2010-10-20 13:09:04 +04:00
from lib.core.common import randomInt
from lib.core.common import replaceNewlineTabs
from lib.core.common import safeStringFormat
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import queries
from lib.core.enums import DBMS
2010-12-15 14:21:47 +03:00
from lib.core.enums import PAYLOAD
2010-10-20 13:09:04 +04:00
from lib.core.unescaper import unescaper
from lib.request.connect import Connect as Request
def errorUse(expression):
2010-10-20 13:09:04 +04:00
"""
Retrieve the output of a SQL query taking advantage of an error SQL
injection vulnerability on the affected parameter.
"""
2010-10-25 18:11:47 +04:00
2010-12-18 12:51:34 +03:00
initTechnique(PAYLOAD.TECHNIQUE.ERROR)
output = None
2010-12-15 14:21:47 +03:00
vector = agent.cleanupPayload(kb.injection.data[PAYLOAD.TECHNIQUE.ERROR].vector)
2010-12-03 17:45:13 +03:00
query = unescaper.unescape(vector)
query = agent.prefixQuery(query)
query = agent.suffixQuery(query)
check = "%s(?P<result>.*?)%s" % (kb.misc.start, kb.misc.stop)
2010-10-20 13:09:04 +04:00
_, _, _, _, _, _, fieldToCastStr = agent.getFields(expression)
nulledCastedField = agent.nullAndCastField(fieldToCastStr)
2010-10-21 02:43:02 +04:00
if kb.dbms == DBMS.MYSQL:
nulledCastedField = nulledCastedField.replace("AS CHAR)", "AS CHAR(100))") # fix for that 'Subquery returns more than 1 row'
2010-10-21 02:43:02 +04:00
expression = expression.replace(fieldToCastStr, nulledCastedField, 1)
expression = unescaper.unescape(expression)
2010-12-11 11:24:29 +03:00
expression = query.replace("[QUERY]", expression)
2010-10-20 13:09:04 +04:00
#debugMsg = "query: %s" % expression
#logger.debug(debugMsg)
payload = agent.payload(newValue=expression)
reqBody, _ = Request.queryPage(payload, content=True)
2010-12-06 10:48:14 +03:00
output = extractRegexResult(check, reqBody, re.DOTALL | re.IGNORECASE)
2010-10-26 13:33:18 +04:00
2010-12-06 10:48:14 +03:00
if output:
2010-12-07 01:40:07 +03:00
output = output.replace(kb.misc.space, " ")
2010-12-06 10:48:14 +03:00
if conf.verbose > 0:
infoMsg = "retrieved: %s" % replaceNewlineTabs(output, stdout=True)
logger.info(infoMsg)
2010-10-20 13:09:04 +04:00
return output