sqlmap/lib/takeover/abstraction.py

#!/usr/bin/env python

"""
$Id$

Copyright (c) 2006-2012 sqlmap developers (http://www.sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""

from lib.core.common import dataToStdout
from lib.core.common import Backend
from lib.core.common import isTechniqueAvailable
from lib.core.common import readInput
from lib.core.convert import safechardecode
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.enums import DBMS
from lib.core.enums import OS
from lib.core.enums import PAYLOAD
from lib.core.exception import sqlmapUnsupportedFeatureException
from lib.core.shell import autoCompletion
from lib.takeover.udf import UDF
from lib.takeover.web import Web
from lib.takeover.xp_cmdshell import xp_cmdshell


class Abstraction(Web, UDF, xp_cmdshell):
    """
    This class defines an abstraction layer for OS takeover functionalities
    to UDF / xp_cmdshell objects
    """

    def __init__(self):
        self.envInitialized = False
        self.alwaysRetrieveCmdOutput = False

        UDF.__init__(self)
        Web.__init__(self)
        xp_cmdshell.__init__(self)

    def execCmd(self, cmd, silent=False):
        if self.webBackdoorUrl and not isTechniqueAvailable(PAYLOAD.TECHNIQUE.STACKED):
            self.webBackdoorRunCmd(cmd)

        elif Backend.getIdentifiedDbms() in ( DBMS.MYSQL, DBMS.PGSQL ):
            self.udfExecCmd(cmd, silent=silent)

        elif Backend.isDbms(DBMS.MSSQL):
            self.xpCmdshellExecCmd(cmd, silent=silent)

        else:
            errMsg = "Feature not yet implemented for the back-end DBMS"
            raise sqlmapUnsupportedFeatureException, errMsg

    def evalCmd(self, cmd, first=None, last=None):
        retVal = None

        if self.webBackdoorUrl and not isTechniqueAvailable(PAYLOAD.TECHNIQUE.STACKED):
            retVal = self.webBackdoorRunCmd(cmd)

        elif Backend.getIdentifiedDbms() in ( DBMS.MYSQL, DBMS.PGSQL ):
            retVal = self.udfEvalCmd(cmd, first, last)

        elif Backend.isDbms(DBMS.MSSQL):
            retVal = self.xpCmdshellEvalCmd(cmd, first, last)

        else:
            errMsg = "Feature not yet implemented for the back-end DBMS"
            raise sqlmapUnsupportedFeatureException, errMsg

        return safechardecode(retVal)

    def runCmd(self, cmd):
        getOutput = None

        if not self.alwaysRetrieveCmdOutput:
            message = "do you want to retrieve the command standard "
            message += "output? [Y/n/a] "
            getOutput = readInput(message, default="Y")

            if getOutput in ("a", "A"):
                self.alwaysRetrieveCmdOutput = True

        if not getOutput or getOutput in ("y", "Y") or self.alwaysRetrieveCmdOutput:
            output = self.evalCmd(cmd)

            if output:
                conf.dumper.string("command standard output", output)
            else:
                dataToStdout("No output\n")
        else:
            self.execCmd(cmd)

    def shell(self):
        if self.webBackdoorUrl and not isTechniqueAvailable(PAYLOAD.TECHNIQUE.STACKED):
            infoMsg = "calling OS shell. To quit type "
            infoMsg += "'x' or 'q' and press ENTER"
            logger.info(infoMsg)

        else:
            if Backend.getIdentifiedDbms() in ( DBMS.MYSQL, DBMS.PGSQL ):
                infoMsg = "going to use injected sys_eval and sys_exec "
                infoMsg += "user-defined functions for operating system "
                infoMsg += "command execution"
                logger.info(infoMsg)

            elif Backend.isDbms(DBMS.MSSQL):
                infoMsg = "going to use xp_cmdshell extended procedure for "
                infoMsg += "operating system command execution"
                logger.info(infoMsg)

            else:
                errMsg = "feature not yet implemented for the back-end DBMS"
                raise sqlmapUnsupportedFeatureException, errMsg

            infoMsg = "calling %s OS shell. To quit type " % (Backend.getOs() or "Windows")
            infoMsg += "'x' or 'q' and press ENTER"
            logger.info(infoMsg)

        autoCompletion(osShell=True)

        while True:
            command = None

            try:
                command = raw_input("os-shell> ")
            except KeyboardInterrupt:
                print
                errMsg = "user aborted"
                logger.error(errMsg)
            except EOFError:
                print
                errMsg = "exit"
                logger.error(errMsg)
                break

            if not command:
                continue

            if command.lower() in ( "x", "q", "exit", "quit" ):
                break

            self.runCmd(command)

    def initEnv(self, mandatory=True, detailed=False, web=False):
        if self.envInitialized:
            return

        if web:
            self.webInit()
        else:
            self.checkDbmsOs(detailed)

            if mandatory and not self.isDba():
                warnMsg = "the functionality requested might not work because "
                warnMsg += "the session user is not a database administrator"
                logger.warn(warnMsg)

            if Backend.getIdentifiedDbms() in ( DBMS.MYSQL, DBMS.PGSQL ):
                self.udfInjectSys()
            elif Backend.isDbms(DBMS.MSSQL):
                if mandatory:
                    self.xpCmdshellInit()
            else:
                errMsg = "feature not yet implemented for the back-end DBMS"
                raise sqlmapUnsupportedFeatureException(errMsg)

        self.envInitialized = True
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`#!/usr/bin/env python`

			`"""`
			$Id$

updating copyright date 2012-01-11 18:59:46 +04:00			`Copyright (c) 2006-2012 sqlmap developers (http://www.sqlmap.org/)`
sorry, cosmetics 2010-10-15 03:18:29 +04:00			`See the file 'doc/COPYING' for copying permission`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`"""`

Minor code refactoring 2010-10-21 02:09:03 +04:00			`from lib.core.common import dataToStdout`
refactoring (class names should always be Capital cased) 2011-01-28 19:36:09 +03:00			`from lib.core.common import Backend`
update 2010-12-18 18:57:47 +03:00			`from lib.core.common import isTechniqueAvailable`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`from lib.core.common import readInput`
decoding of chars for --os-shell 2011-05-03 19:31:12 +04:00			`from lib.core.convert import safechardecode`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`from lib.core.data import conf`
			`from lib.core.data import kb`
			`from lib.core.data import logger`
further refactoring (all enumerations are now put into enums.py) 2010-11-08 12:20:02 +03:00			`from lib.core.enums import DBMS`
Minor code refactoring relating set/get back-end DBMS operating system and minor bug fix to properly enforce OS value with --os switch 2011-04-23 20:25:09 +04:00			`from lib.core.enums import OS`
update 2010-12-18 18:57:47 +03:00			`from lib.core.enums import PAYLOAD`
Minor bug fixes to --os-shell (altought web backdoor functionality still to be reviewed). Minor common library code refactoring. Code cleanup. Set back the default User-Agent to sqlmap for comparison algorithm reasons. Updated THANKS. 2009-04-28 03:05:11 +04:00			`from lib.core.exception import sqlmapUnsupportedFeatureException`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`from lib.core.shell import autoCompletion`
			`from lib.takeover.udf import UDF`
Added automatic support in --os-pwn to use the web uploader/backdoor to upload and execute the Metasploit payload stager when stacked queries SQL injection is not supported, for instance on MySQL/PHP and MySQL/ASP. Updated ChangeLog. Major code refactoring. 2010-01-14 17:03:16 +03:00			`from lib.takeover.web import Web`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`from lib.takeover.xp_cmdshell import xp_cmdshell`

refactoring of hard coded dbms names 2010-11-02 14:59:24 +03:00
Added automatic support in --os-pwn to use the web uploader/backdoor to upload and execute the Metasploit payload stager when stacked queries SQL injection is not supported, for instance on MySQL/PHP and MySQL/ASP. Updated ChangeLog. Major code refactoring. 2010-01-14 17:03:16 +03:00			`class Abstraction(Web, UDF, xp_cmdshell):`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`"""`
			`This class defines an abstraction layer for OS takeover functionalities`
			`to UDF / xp_cmdshell objects`
			`"""`

			`def __init__(self):`
			`self.envInitialized = False`
more feature updates 2010-02-25 14:40:49 +03:00			`self.alwaysRetrieveCmdOutput = False`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
			`UDF.__init__(self)`
Added automatic support in --os-pwn to use the web uploader/backdoor to upload and execute the Metasploit payload stager when stacked queries SQL injection is not supported, for instance on MySQL/PHP and MySQL/ASP. Updated ChangeLog. Major code refactoring. 2010-01-14 17:03:16 +03:00			`Web.__init__(self)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`xp_cmdshell.__init__(self)`

Minor bug fix to properly delete sqlmap temporary files on the database server file system at shutdown. Minor improvements at ICMPsh tunnel to cleanup properly the dbms at shutdown and avoid checking/writing sys_bineval() UDF as it's a PE and needs to be called by sys_exec() only. Got rid of useless doubleslash param in delRemoteFile() method. Major code refactoring to xp_cmdshell.py methods and parent calls. 2010-10-28 04:19:40 +04:00			`def execCmd(self, cmd, silent=False):`
update 2010-12-18 18:57:47 +03:00			`if self.webBackdoorUrl and not isTechniqueAvailable(PAYLOAD.TECHNIQUE.STACKED):`
Minor code refactoring 2010-01-14 17:33:08 +03:00			`self.webBackdoorRunCmd(cmd)`
Added automatic support in --os-pwn to use the web uploader/backdoor to upload and execute the Metasploit payload stager when stacked queries SQL injection is not supported, for instance on MySQL/PHP and MySQL/ASP. Updated ChangeLog. Major code refactoring. 2010-01-14 17:03:16 +03:00
refactoring (class names should always be Capital cased) 2011-01-28 19:36:09 +03:00			`elif Backend.getIdentifiedDbms() in ( DBMS.MYSQL, DBMS.PGSQL ):`
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring. 2009-09-26 03:03:45 +04:00			`self.udfExecCmd(cmd, silent=silent)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
More code refactoring of Backend class methods used 2011-04-30 18:54:29 +04:00			`elif Backend.isDbms(DBMS.MSSQL):`
Avoid waiting 30 seconds when cleaning up the dbms and file system from sqlmap data 2010-10-29 17:09:53 +04:00			`self.xpCmdshellExecCmd(cmd, silent=silent)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
			`else:`
			`errMsg = "Feature not yet implemented for the back-end DBMS"`
			`raise sqlmapUnsupportedFeatureException, errMsg`

Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring. 2009-09-26 03:03:45 +04:00			`def evalCmd(self, cmd, first=None, last=None):`
decoding of chars for --os-shell 2011-05-03 19:31:12 +04:00			`retVal = None`

update 2010-12-18 18:57:47 +03:00			`if self.webBackdoorUrl and not isTechniqueAvailable(PAYLOAD.TECHNIQUE.STACKED):`
decoding of chars for --os-shell 2011-05-03 19:31:12 +04:00			`retVal = self.webBackdoorRunCmd(cmd)`
Minor code refactoring 2010-01-14 17:33:08 +03:00
refactoring (class names should always be Capital cased) 2011-01-28 19:36:09 +03:00			`elif Backend.getIdentifiedDbms() in ( DBMS.MYSQL, DBMS.PGSQL ):`
decoding of chars for --os-shell 2011-05-03 19:31:12 +04:00			`retVal = self.udfEvalCmd(cmd, first, last)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
More code refactoring of Backend class methods used 2011-04-30 18:54:29 +04:00			`elif Backend.isDbms(DBMS.MSSQL):`
decoding of chars for --os-shell 2011-05-03 19:31:12 +04:00			`retVal = self.xpCmdshellEvalCmd(cmd, first, last)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
			`else:`
			`errMsg = "Feature not yet implemented for the back-end DBMS"`
			`raise sqlmapUnsupportedFeatureException, errMsg`

decoding of chars for --os-shell 2011-05-03 19:31:12 +04:00			`return safechardecode(retVal)`

Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`def runCmd(self, cmd):`
			`getOutput = None`

more feature updates 2010-02-25 14:40:49 +03:00			`if not self.alwaysRetrieveCmdOutput:`
Minor code restyling 2011-04-30 17:20:05 +04:00			`message = "do you want to retrieve the command standard "`
			`message += "output? [Y/n/a] "`
more feature updates 2010-02-25 14:40:49 +03:00			`getOutput = readInput(message, default="Y")`
removed all trailing spaces from blank lines 2010-11-03 13:08:27 +03:00
more feature updates 2010-02-25 14:40:49 +03:00			`if getOutput in ("a", "A"):`
			`self.alwaysRetrieveCmdOutput = True`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
more feature updates 2010-02-25 14:40:49 +03:00			`if not getOutput or getOutput in ("y", "Y") or self.alwaysRetrieveCmdOutput:`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`output = self.evalCmd(cmd)`

			`if output:`
Adapted and merged in patch to support XML output (-x switch) - still in beta. Minor bug fixes and adjustments. 2010-05-28 20:43:04 +04:00			`conf.dumper.string("command standard output", output)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`else:`
Minor code refactoring 2010-10-21 02:09:03 +04:00			`dataToStdout("No output\n")`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`else:`
Minor bug fix to properly delete sqlmap temporary files on the database server file system at shutdown. Minor improvements at ICMPsh tunnel to cleanup properly the dbms at shutdown and avoid checking/writing sys_bineval() UDF as it's a PE and needs to be called by sys_exec() only. Got rid of useless doubleslash param in delRemoteFile() method. Major code refactoring to xp_cmdshell.py methods and parent calls. 2010-10-28 04:19:40 +04:00			`self.execCmd(cmd)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
Minor code refactoring 2010-01-14 17:33:08 +03:00			`def shell(self):`
update 2010-12-18 18:57:47 +03:00			`if self.webBackdoorUrl and not isTechniqueAvailable(PAYLOAD.TECHNIQUE.STACKED):`
Minor code restyling 2011-04-30 17:20:05 +04:00			`infoMsg = "calling OS shell. To quit type "`
Minor code refactoring 2010-01-14 17:33:08 +03:00			`infoMsg += "'x' or 'q' and press ENTER"`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`logger.info(infoMsg)`

			`else:`
refactoring (class names should always be Capital cased) 2011-01-28 19:36:09 +03:00			`if Backend.getIdentifiedDbms() in ( DBMS.MYSQL, DBMS.PGSQL ):`
Minor code restyling 2011-04-30 17:20:05 +04:00			`infoMsg = "going to use injected sys_eval and sys_exec "`
Minor code refactoring 2010-01-14 17:33:08 +03:00			`infoMsg += "user-defined functions for operating system "`
			`infoMsg += "command execution"`
			`logger.info(infoMsg)`

More code refactoring of Backend class methods used 2011-04-30 18:54:29 +04:00			`elif Backend.isDbms(DBMS.MSSQL):`
Minor code restyling 2011-04-30 17:20:05 +04:00			`infoMsg = "going to use xp_cmdshell extended procedure for "`
Minor code refactoring 2010-01-14 17:33:08 +03:00			`infoMsg += "operating system command execution"`
			`logger.info(infoMsg)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
Minor code refactoring 2010-01-14 17:33:08 +03:00			`else:`
			`errMsg = "feature not yet implemented for the back-end DBMS"`
			`raise sqlmapUnsupportedFeatureException, errMsg`

Minor code restyling 2011-04-30 17:20:05 +04:00			`infoMsg = "calling %s OS shell. To quit type " % (Backend.getOs() or "Windows")`
Minor code refactoring 2010-01-14 17:33:08 +03:00			`infoMsg += "'x' or 'q' and press ENTER"`
			`logger.info(infoMsg)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
			`autoCompletion(osShell=True)`

			`while True:`
			`command = None`

			`try:`
			`command = raw_input("os-shell> ")`
			`except KeyboardInterrupt:`
			`print`
			`errMsg = "user aborted"`
			`logger.error(errMsg)`
			`except EOFError:`
			`print`
			`errMsg = "exit"`
			`logger.error(errMsg)`
			`break`

			`if not command:`
			`continue`

			`if command.lower() in ( "x", "q", "exit", "quit" ):`
			`break`

			`self.runCmd(command)`

More code refactoring 2010-01-14 18:11:32 +03:00			`def initEnv(self, mandatory=True, detailed=False, web=False):`
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup. 2010-01-02 05:02:12 +03:00			`if self.envInitialized:`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`return`

More code refactoring 2010-01-14 18:11:32 +03:00			`if web:`
			`self.webInit()`
			`else:`
			`self.checkDbmsOs(detailed)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
More code refactoring 2010-01-14 18:11:32 +03:00			`if mandatory and not self.isDba():`
Minor code restyling 2011-04-30 17:20:05 +04:00			`warnMsg = "the functionality requested might not work because "`
More code refactoring 2010-01-14 18:11:32 +03:00			`warnMsg += "the session user is not a database administrator"`
			`logger.warn(warnMsg)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
refactoring (class names should always be Capital cased) 2011-01-28 19:36:09 +03:00			`if Backend.getIdentifiedDbms() in ( DBMS.MYSQL, DBMS.PGSQL ):`
--read-file on PostgreSQL now relies on the new sys_fileread() UDF so that also binary files can be read. Fixed a minor bug in custom UDF injection feature --udf-inject. Major code refactoring. 2010-02-12 01:57:50 +03:00			`self.udfInjectSys()`
More code refactoring of Backend class methods used 2011-04-30 18:54:29 +04:00			`elif Backend.isDbms(DBMS.MSSQL):`
More code refactoring 2010-01-14 18:11:32 +03:00			`if mandatory:`
			`self.xpCmdshellInit()`
			`else:`
			`errMsg = "feature not yet implemented for the back-end DBMS"`
			`raise sqlmapUnsupportedFeatureException(errMsg)`
Avoid useless checks for --os-bof (no need to check for DBA or for xp_cmdshell). Minor code restyling. 2010-01-04 18:02:56 +03:00
			`self.envInitialized = True`