sqlmap/lib/utils/resume.py

#!/usr/bin/env python

"""
$Id$

This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

Copyright (c) 2007-2009 Bernardo Damele A. G. <bernardo.damele@gmail.com>
Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

sqlmap is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free
Software Foundation version 2 of the License.

sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
details.

You should have received a copy of the GNU General Public License along
with sqlmap; if not, write to the Free Software Foundation, Inc., 51
Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
"""

import re

from lib.core.common import dataToSessionFile
from lib.core.common import safeStringFormat
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import queries
from lib.core.unescaper import unescaper
from lib.techniques.blind.inference import bisection

def queryOutputLength(expression, payload):
    """
    Returns the query output length.
    """

    lengthQuery         = queries[kb.dbms].length

    select              = re.search("\ASELECT\s+", expression, re.I)
    selectTopExpr       = re.search("\ASELECT\s+TOP\s+[\d]+\s+(.+?)\s+FROM", expression, re.I)
    selectDistinctExpr  = re.search("\ASELECT\s+DISTINCT\((.+?)\)\s+FROM", expression, re.I)
    selectFromExpr      = re.search("\ASELECT\s+(.+?)\s+FROM", expression, re.I)
    selectExpr          = re.search("\ASELECT\s+(.+)$", expression, re.I)
    miscExpr            = re.search("\A(.+)", expression, re.I)

    if selectTopExpr or selectDistinctExpr or selectFromExpr or selectExpr:
        if selectTopExpr:
            regExpr = selectTopExpr.groups()[0]
        elif selectDistinctExpr:
            regExpr = selectDistinctExpr.groups()[0]
        elif selectFromExpr:
            regExpr = selectFromExpr.groups()[0]
        elif selectExpr:
            regExpr = selectExpr.groups()[0]
    elif miscExpr:
        regExpr = miscExpr.groups()[0]

    if ( select and re.search("\A(COUNT|LTRIM)\(", regExpr, re.I) ) or len(regExpr) <= 1:
        return None, None, None

    if select:
        lengthExpr = expression.replace(regExpr, lengthQuery % regExpr, 1)
    else:
        lengthExpr = lengthQuery % expression

    infoMsg = "retrieving the length of query output"
    logger.info(infoMsg)

    output = resume(lengthExpr, payload)

    if output:
        return 0, output, regExpr

    dataToSessionFile(safeStringFormat("[%s][%s][%s][%s][", (conf.url, kb.injPlace, conf.parameters[kb.injPlace], lengthExpr)))

    lengthExprUnescaped = unescaper.unescape(lengthExpr)
    count, length       = bisection(payload, lengthExprUnescaped)

    if length == " ":
        length = 0

    return count, length, regExpr

def resume(expression, payload):
    """
    This function can be called to resume part or entire output of a
    SQL injection query output.
    """

    condition = (
                  kb.resumedQueries and conf.url in kb.resumedQueries.keys()
                  and expression in kb.resumedQueries[conf.url].keys()
                )

    if not condition:
        return None

    resumedValue = kb.resumedQueries[conf.url][expression]

    if not resumedValue:
        return None

    if resumedValue[-1] == "]":
        resumedValue = resumedValue[:-1]

        infoMsg  = "read from file '%s': " % conf.sessionFile
        logValue = re.findall("__START__(.*?)__STOP__", resumedValue, re.S)

        if logValue:
            logValue = ", ".join([value.replace("__DEL__", ", ") for value in logValue])
        else:
            logValue = resumedValue

        if "\n" in logValue:
            infoMsg += "%s..." % logValue.split("\n")[0]
        else:
            infoMsg += logValue

        logger.info(infoMsg)

        return resumedValue

    # If we called this function without providing a payload it means that
    # we have called it from lib/request/inject __goInband() function
    # in UNION query (inband) SQL injection so we return to the calling
    # function so that the query output will be retrieved taking advantage
    # of the inband SQL injection vulnerability.
    if not payload:
        return None

    substringQuery = queries[kb.dbms].substring
    select = re.search("\ASELECT ", expression, re.I)

    _, length, regExpr = queryOutputLength(expression, payload)

    if not length:
        return None

    if len(resumedValue) == int(length):
        infoMsg  = "read from file '%s': " % conf.sessionFile
        infoMsg += "%s" % resumedValue.split("\n")[0]
        logger.info(infoMsg)

        dataToSessionFile(safeStringFormat("[%s][%s][%s][%s][%s]\n", (conf.url, kb.injPlace, conf.parameters[kb.injPlace], expression, resumedValue)))

        return resumedValue
    elif len(resumedValue) < int(length):
        infoMsg  = "resumed from file '%s': " % conf.sessionFile
        infoMsg += "%s..." % resumedValue.split("\n")[0]
        logger.info(infoMsg)

        dataToSessionFile(safeStringFormat("[%s][%s][%s][%s][%s", (conf.url, kb.injPlace, conf.parameters[kb.injPlace], expression, resumedValue)))

        if select:
            newExpr = expression.replace(regExpr, safeStringFormat(substringQuery, (regExpr, len(resumedValue) + 1, int(length))), 1)
        else:
            newExpr = safeStringFormat(substringQuery, (expression, len(resumedValue) + 1, int(length)))

        missingCharsLength = int(length) - len(resumedValue)

        infoMsg  = "retrieving pending %d query " % missingCharsLength
        infoMsg += "output characters"
        logger.info(infoMsg)

        _, finalValue = bisection(payload, newExpr, length=missingCharsLength)

        if len(finalValue) != ( int(length) - len(resumedValue) ):
            warnMsg  = "the total length of the query is not "
            warnMsg += "right, sqlmap is going to retrieve the "
            warnMsg += "query value from the beginning now"
            logger.warn(warnMsg)

            return None

        return safeStringFormat("%s%s", (resumedValue, finalValue))

    return None
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`#!/usr/bin/env python`

			`"""`
propsets.. 2008-10-15 19:56:32 +04:00			$Id$
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`This file is part of the sqlmap project, http://sqlmap.sourceforge.net.`

Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`Copyright (c) 2007-2009 Bernardo Damele A. G. <bernardo.damele@gmail.com>`
			`Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`sqlmap is free software; you can redistribute it and/or modify it under`
			`the terms of the GNU General Public License as published by the Free`
			`Software Foundation version 2 of the License.`

			`sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY`
			`WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS`
			`FOR A PARTICULAR PURPOSE. See the GNU General Public License for more`
			`details.`

			`You should have received a copy of the GNU General Public License along`
			`with sqlmap; if not, write to the Free Software Foundation, Inc., 51`
			`Franklin St, Fifth Floor, Boston, MA 02110-1301 USA`
			`"""`

			`import re`

			`from lib.core.common import dataToSessionFile`
introduced safe string formatting 2010-01-15 19:06:59 +03:00			`from lib.core.common import safeStringFormat`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`from lib.core.data import conf`
			`from lib.core.data import kb`
			`from lib.core.data import logger`
			`from lib.core.data import queries`
			`from lib.core.unescaper import unescaper`
Properly moved and improved inject.goStacked() function and newly implemented Time based blind SQL injection now is a single test file within the lib/techniques/ folder. Renamed lib/techniques/inference to lib/techniques/blind, it is more approriate and adapted the rest of the libraries. Updated ChangeLog file. 2008-11-13 02:44:09 +03:00			`from lib.techniques.blind.inference import bisection`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`def queryOutputLength(expression, payload):`
			`"""`
			`Returns the query output length.`
			`"""`

			`lengthQuery = queries[kb.dbms].length`

			`select = re.search("\ASELECT\s+", expression, re.I)`
			`selectTopExpr = re.search("\ASELECT\s+TOP\s+[\d]+\s+(.+?)\s+FROM", expression, re.I)`
			`selectDistinctExpr = re.search("\ASELECT\s+DISTINCT\((.+?)\)\s+FROM", expression, re.I)`
Fixed resume functionality on --read-file when using MySQL's LOAD_FILE() via blind SQL injection. 2010-01-02 04:35:13 +03:00			`selectFromExpr = re.search("\ASELECT\s+(.+?)\s+FROM", expression, re.I)`
			`selectExpr = re.search("\ASELECT\s+(.+)$", expression, re.I)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`miscExpr = re.search("\A(.+)", expression, re.I)`

Fixed resume functionality on --read-file when using MySQL's LOAD_FILE() via blind SQL injection. 2010-01-02 04:35:13 +03:00			`if selectTopExpr or selectDistinctExpr or selectFromExpr or selectExpr:`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`if selectTopExpr:`
			`regExpr = selectTopExpr.groups()[0]`
			`elif selectDistinctExpr:`
			`regExpr = selectDistinctExpr.groups()[0]`
Fixed resume functionality on --read-file when using MySQL's LOAD_FILE() via blind SQL injection. 2010-01-02 04:35:13 +03:00			`elif selectFromExpr:`
			`regExpr = selectFromExpr.groups()[0]`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`elif selectExpr:`
			`regExpr = selectExpr.groups()[0]`
			`elif miscExpr:`
			`regExpr = miscExpr.groups()[0]`

			`if ( select and re.search("\A(COUNT\|LTRIM)\(", regExpr, re.I) ) or len(regExpr) <= 1:`
			`return None, None, None`

			`if select:`
			`lengthExpr = expression.replace(regExpr, lengthQuery % regExpr, 1)`
			`else:`
			`lengthExpr = lengthQuery % expression`

			`infoMsg = "retrieving the length of query output"`
			`logger.info(infoMsg)`

			`output = resume(lengthExpr, payload)`

			`if output:`
			`return 0, output, regExpr`

introduced safe string formatting 2010-01-15 19:06:59 +03:00			`dataToSessionFile(safeStringFormat("[%s][%s][%s][%s][", (conf.url, kb.injPlace, conf.parameters[kb.injPlace], lengthExpr)))`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`lengthExprUnescaped = unescaper.unescape(lengthExpr)`
			`count, length = bisection(payload, lengthExprUnescaped)`

			`if length == " ":`
			`length = 0`

			`return count, length, regExpr`

			`def resume(expression, payload):`
			`"""`
			`This function can be called to resume part or entire output of a`
			`SQL injection query output.`
			`"""`

			`condition = (`
			`kb.resumedQueries and conf.url in kb.resumedQueries.keys()`
			`and expression in kb.resumedQueries[conf.url].keys()`
			`)`

			`if not condition:`
			`return None`

			`resumedValue = kb.resumedQueries[conf.url][expression]`

			`if not resumedValue:`
			`return None`

			`if resumedValue[-1] == "]":`
			`resumedValue = resumedValue[:-1]`

Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring. 2009-09-26 03:03:45 +04:00			`infoMsg = "read from file '%s': " % conf.sessionFile`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`logValue = re.findall("__START__(.*?)__STOP__", resumedValue, re.S)`

			`if logValue:`
			`logValue = ", ".join([value.replace("__DEL__", ", ") for value in logValue])`
			`else:`
			`logValue = resumedValue`

			`if "\n" in logValue:`
			`infoMsg += "%s..." % logValue.split("\n")[0]`
			`else:`
			`infoMsg += logValue`

			`logger.info(infoMsg)`

			`return resumedValue`

			`# If we called this function without providing a payload it means that`
			`# we have called it from lib/request/inject __goInband() function`
Completed support to get the list of targets from WebScarab/Burp proxies log file and updated the documentation 2008-11-28 01:33:33 +03:00			`# in UNION query (inband) SQL injection so we return to the calling`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`# function so that the query output will be retrieved taking advantage`
			`# of the inband SQL injection vulnerability.`
			`if not payload:`
			`return None`

			`substringQuery = queries[kb.dbms].substring`
			`select = re.search("\ASELECT ", expression, re.I)`

			`_, length, regExpr = queryOutputLength(expression, payload)`

			`if not length:`
			`return None`

			`if len(resumedValue) == int(length):`
			`infoMsg = "read from file '%s': " % conf.sessionFile`
			`infoMsg += "%s" % resumedValue.split("\n")[0]`
			`logger.info(infoMsg)`

introduced safe string formatting 2010-01-15 19:06:59 +03:00			`dataToSessionFile(safeStringFormat("[%s][%s][%s][%s][%s]\n", (conf.url, kb.injPlace, conf.parameters[kb.injPlace], expression, resumedValue)))`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`return resumedValue`
			`elif len(resumedValue) < int(length):`
			`infoMsg = "resumed from file '%s': " % conf.sessionFile`
			`infoMsg += "%s..." % resumedValue.split("\n")[0]`
			`logger.info(infoMsg)`

introduced safe string formatting 2010-01-15 19:06:59 +03:00			`dataToSessionFile(safeStringFormat("[%s][%s][%s][%s][%s", (conf.url, kb.injPlace, conf.parameters[kb.injPlace], expression, resumedValue)))`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`if select:`
introduced safe string formatting 2010-01-15 19:06:59 +03:00			`newExpr = expression.replace(regExpr, safeStringFormat(substringQuery, (regExpr, len(resumedValue) + 1, int(length))), 1)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`else:`
introduced safe string formatting 2010-01-15 19:06:59 +03:00			`newExpr = safeStringFormat(substringQuery, (expression, len(resumedValue) + 1, int(length)))`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`missingCharsLength = int(length) - len(resumedValue)`

			`infoMsg = "retrieving pending %d query " % missingCharsLength`
			`infoMsg += "output characters"`
			`logger.info(infoMsg)`

			`_, finalValue = bisection(payload, newExpr, length=missingCharsLength)`

			`if len(finalValue) != ( int(length) - len(resumedValue) ):`
			`warnMsg = "the total length of the query is not "`
			`warnMsg += "right, sqlmap is going to retrieve the "`
			`warnMsg += "query value from the beginning now"`
			`logger.warn(warnMsg)`

			`return None`

introduced safe string formatting 2010-01-15 19:06:59 +03:00			`return safeStringFormat("%s%s", (resumedValue, finalValue))`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`return None`