sqlmap/lib/parse/queriesfile.py

#!/usr/bin/env python

"""
$Id$

This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

sqlmap is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free
Software Foundation version 2 of the License.

sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
details.

You should have received a copy of the GNU General Public License along
with sqlmap; if not, write to the Free Software Foundation, Inc., 51
Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
"""

from xml.sax.handler import ContentHandler

from lib.core.common import checkFile
from lib.core.common import parseXmlFile
from lib.core.common import sanitizeStr
from lib.core.data import logger
from lib.core.data import queries
from lib.core.data import paths
from lib.core.datatype import advancedDict

class queriesHandler(ContentHandler):
    """
    This class defines methods to parse the default DBMS queries
    from an XML file
    """

    def __init__(self):
        self.__dbms    = ''
        self.__queries = advancedDict()

    def startElement(self, name, attrs):
        if name == "dbms":
            data = sanitizeStr(attrs.get("value"))
            self.__dbms = data

        elif name == "cast":
            data = sanitizeStr(attrs.get("query"))
            self.__queries.cast = data

        elif name == "length":
            data = sanitizeStr(attrs.get("query"))
            self.__queries.length = data

        elif name == "isnull":
            data = sanitizeStr(attrs.get("query"))
            self.__queries.isnull = data

        elif name == "delimiter":
            data = sanitizeStr(attrs.get("query"))
            self.__queries.delimiter = data

        elif name == "limit":
            data = sanitizeStr(attrs.get("query"))
            self.__queries.limit = data

        elif name == "limitregexp":
            data = sanitizeStr(attrs.get("query"))
            self.__queries.limitregexp = data

        elif name == "limitgroupstart":
            data = sanitizeStr(attrs.get("query"))
            self.__queries.limitgroupstart = data

        elif name == "limitgroupstop":
            data = sanitizeStr(attrs.get("query"))
            self.__queries.limitgroupstop = data

        elif name == "limitstring":
            data = sanitizeStr(attrs.get("query"))
            self.__queries.limitstring = data

        elif name == "order":
            data = sanitizeStr(attrs.get("query"))
            self.__queries.order = data

        elif name == "count":
            data = sanitizeStr(attrs.get("query"))
            self.__queries.count = data

        elif name == "comment":
            data = sanitizeStr(attrs.get("query"))
            self.__queries.comment = data

        elif name == "timedelay":
            data = sanitizeStr(attrs.get("query"))
            self.__queries.timedelay = data

            data = sanitizeStr(attrs.get("query2"))
            self.__queries.timedelay2 = data

        elif name == "substring":
            data = sanitizeStr(attrs.get("query"))
            self.__queries.substring = data

        elif name == "case":
            data = sanitizeStr(attrs.get("query"))
            self.__queries.case = data

        elif name == "inference":
            data = sanitizeStr(attrs.get("query"))
            self.__queries.inference = data

        elif name == "banner":
            data = sanitizeStr(attrs.get("query"))
            self.__queries.banner = data

        elif name == "current_user":
            data = sanitizeStr(attrs.get("query"))
            self.__queries.currentUser = data

        elif name == "current_db":
            data = sanitizeStr(attrs.get("query"))
            self.__queries.currentDb = data

        elif name == "is_dba":
            data = sanitizeStr(attrs.get("query"))
            self.__queries.isDba = data

        elif name == "check_udf":
            data = sanitizeStr(attrs.get("query"))
            self.__queries.checkUdf = data

        elif name == "inband":
            self.__inband    = sanitizeStr(attrs.get("query"))
            self.__inband2   = sanitizeStr(attrs.get("query2"))
            self.__conditionInband = sanitizeStr(attrs.get("condition"))
            self.__conditionInband2 = sanitizeStr(attrs.get("condition2"))

        elif name == "blind":
            self.__blind  = sanitizeStr(attrs.get("query"))
            self.__blind2 = sanitizeStr(attrs.get("query2"))
            self.__count  = sanitizeStr(attrs.get("count"))
            self.__count2 = sanitizeStr(attrs.get("count2"))
            self.__conditionBlind = sanitizeStr(attrs.get("condition"))
            self.__conditionBlind2 = sanitizeStr(attrs.get("condition2"))

    def endElement(self, name):
        if name == "dbms":
            queries[self.__dbms] = self.__queries
            self.__queries = advancedDict()

        elif name == "users":
            self.__users = {}
            self.__users["inband"] = { "query": self.__inband, "query2": self.__inband2 }
            self.__users["blind"]  = { "query": self.__blind, "query2": self.__blind2,
                                       "count": self.__count, "count2": self.__count2 }

            self.__queries.users = self.__users

        elif name == "passwords":
            self.__passwords = {}
            self.__passwords["inband"] = { "query": self.__inband, "query2": self.__inband2, "condition": self.__conditionInband }
            self.__passwords["blind"]  = { "query": self.__blind, "query2": self.__blind2,
                                           "count": self.__count, "count2": self.__count2 }

            self.__queries.passwords = self.__passwords

        elif name == "privileges":
            self.__privileges = {}
            self.__privileges["inband"] = { "query": self.__inband, "query2": self.__inband2, "condition": self.__conditionInband, "condition2": self.__conditionInband2 }
            self.__privileges["blind"]  = { "query": self.__blind, "query2": self.__blind2,
                                           "count": self.__count, "count2": self.__count2 }

            self.__queries.privileges = self.__privileges

        elif name == "roles":
            self.__roles = {}
            self.__roles["inband"] = { "query": self.__inband, "query2": self.__inband2, "condition": self.__conditionInband, "condition2": self.__conditionInband2 }
            self.__roles["blind"]  = { "query": self.__blind, "query2": self.__blind2,
                                       "count": self.__count, "count2": self.__count2 }

            self.__queries.roles = self.__roles

        elif name == "dbs":
            self.__dbs = {}
            self.__dbs["inband"] = { "query": self.__inband, "query2": self.__inband2 }
            self.__dbs["blind"]  = { "query": self.__blind, "query2": self.__blind2,
                                     "count": self.__count, "count2": self.__count2 }

            self.__queries.dbs = self.__dbs

        elif name == "tables":
            self.__tables = {}
            self.__tables["inband"] = { "query": self.__inband, "condition": self.__conditionInband }
            self.__tables["blind"]  = { "query": self.__blind, "count": self.__count }

            self.__queries.tables = self.__tables

        elif name == "columns":
            self.__columns = {}
            self.__columns["inband"] = { "query": self.__inband, "condition": self.__conditionInband }
            self.__columns["blind"]  = { "query": self.__blind, "query2": self.__blind2, "count": self.__count, "condition": self.__conditionBlind }

            self.__queries.columns = self.__columns

        elif name == "dump_table":
            self.__dumpTable = {}
            self.__dumpTable["inband"] = { "query": self.__inband }
            self.__dumpTable["blind"]  = { "query": self.__blind, "count": self.__count }

            self.__queries.dumpTable = self.__dumpTable

        elif name == "search_db":
            self.__searchDb = {}
            self.__searchDb["inband"] = { "query": self.__inband, "query2": self.__inband2, "condition": self.__conditionInband, "condition2": self.__conditionInband2 }
            self.__searchDb["blind"]  = { "query": self.__blind, "query2": self.__blind2, "count": self.__count, "count2": self.__count2, "condition": self.__conditionBlind, "condition2": self.__conditionBlind2 }

            self.__queries.searchDb = self.__searchDb

        elif name == "search_table":
            self.__searchTable = {}
            self.__searchTable["inband"] = { "query": self.__inband, "query2": self.__inband2, "condition": self.__conditionInband, "condition2": self.__conditionInband2 }
            self.__searchTable["blind"]  = { "query": self.__blind, "query2": self.__blind2, "count": self.__count, "count2": self.__count2, "condition": self.__conditionBlind, "condition2": self.__conditionBlind2 }

            self.__queries.searchTable = self.__searchTable

        elif name == "search_column":
            self.__searchColumn = {}
            self.__searchColumn["inband"] = { "query": self.__inband, "query2": self.__inband2, "condition": self.__conditionInband, "condition2": self.__conditionInband2 }
            self.__searchColumn["blind"]  = { "query": self.__blind, "query2": self.__blind2, "count": self.__count, "count2": self.__count2, "condition": self.__conditionBlind, "condition2": self.__conditionBlind2 }

            self.__queries.searchColumn = self.__searchColumn

def queriesParser():
    """
    This function calls a class to parse the default DBMS queries
    from an XML file
    """

    debugMsg = "parsing XML queries file"
    logger.debug(debugMsg)

    xmlfile = paths.QUERIES_XML

    checkFile(xmlfile)
    handler = queriesHandler()
    parseXmlFile(xmlfile, handler)
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`#!/usr/bin/env python`

			`"""`
propsets.. 2008-10-15 19:56:32 +04:00			$Id$
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`This file is part of the sqlmap project, http://sqlmap.sourceforge.net.`

Updated copyright 2010-03-03 18:26:27 +03:00			`Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`sqlmap is free software; you can redistribute it and/or modify it under`
			`the terms of the GNU General Public License as published by the Free`
			`Software Foundation version 2 of the License.`

			`sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY`
			`WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS`
			`FOR A PARTICULAR PURPOSE. See the GNU General Public License for more`
			`details.`

			`You should have received a copy of the GNU General Public License along`
			`with sqlmap; if not, write to the Free Software Foundation, Inc., 51`
			`Franklin St, Fifth Floor, Boston, MA 02110-1301 USA`
			`"""`

			`from xml.sax.handler import ContentHandler`

			`from lib.core.common import checkFile`
some code refactoring 2010-04-16 23:57:00 +04:00			`from lib.core.common import parseXmlFile`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`from lib.core.common import sanitizeStr`
			`from lib.core.data import logger`
			`from lib.core.data import queries`
			`from lib.core.data import paths`
			`from lib.core.datatype import advancedDict`

			`class queriesHandler(ContentHandler):`
			`"""`
			`This class defines methods to parse the default DBMS queries`
			`from an XML file`
			`"""`

			`def __init__(self):`
			`self.__dbms = ''`
			`self.__queries = advancedDict()`

			`def startElement(self, name, attrs):`
			`if name == "dbms":`
			`data = sanitizeStr(attrs.get("value"))`
			`self.__dbms = data`

			`elif name == "cast":`
			`data = sanitizeStr(attrs.get("query"))`
			`self.__queries.cast = data`

			`elif name == "length":`
			`data = sanitizeStr(attrs.get("query"))`
			`self.__queries.length = data`

			`elif name == "isnull":`
			`data = sanitizeStr(attrs.get("query"))`
			`self.__queries.isnull = data`

			`elif name == "delimiter":`
			`data = sanitizeStr(attrs.get("query"))`
			`self.__queries.delimiter = data`

			`elif name == "limit":`
			`data = sanitizeStr(attrs.get("query"))`
			`self.__queries.limit = data`

			`elif name == "limitregexp":`
			`data = sanitizeStr(attrs.get("query"))`
			`self.__queries.limitregexp = data`

			`elif name == "limitgroupstart":`
			`data = sanitizeStr(attrs.get("query"))`
			`self.__queries.limitgroupstart = data`

			`elif name == "limitgroupstop":`
			`data = sanitizeStr(attrs.get("query"))`
			`self.__queries.limitgroupstop = data`

			`elif name == "limitstring":`
			`data = sanitizeStr(attrs.get("query"))`
			`self.__queries.limitstring = data`

			`elif name == "order":`
			`data = sanitizeStr(attrs.get("query"))`
			`self.__queries.order = data`

			`elif name == "count":`
			`data = sanitizeStr(attrs.get("query"))`
			`self.__queries.count = data`

Initial implementation of support for stacked queries. Added method to test for Time based blind SQL injection query stacking on the affected parameter a SLEEP() or similar DBMS specific function. Adapted libraries, plugins and XML with the above changes. Minor layout adjustments. 2008-11-12 03:36:50 +03:00			`elif name == "comment":`
			`data = sanitizeStr(attrs.get("query"))`
			`self.__queries.comment = data`

			`elif name == "timedelay":`
			`data = sanitizeStr(attrs.get("query"))`
			`self.__queries.timedelay = data`

Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`data = sanitizeStr(attrs.get("query2"))`
			`self.__queries.timedelay2 = data`

After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`elif name == "substring":`
			`data = sanitizeStr(attrs.get("query"))`
			`self.__queries.substring = data`

Ahead with the improvements to the comparison algorithm. Added support internally to forge CASE statements, used only by --is-dba query at the moment. Allow DDL, DML (INSERT, UPDATE, etc.) from user in SQL query and SQL shell. Minor code adjustments. 2008-12-19 23:09:46 +03:00			`elif name == "case":`
			`data = sanitizeStr(attrs.get("query"))`
			`self.__queries.case = data`

After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`elif name == "inference":`
			`data = sanitizeStr(attrs.get("query"))`
			`self.__queries.inference = data`

			`elif name == "banner":`
			`data = sanitizeStr(attrs.get("query"))`
			`self.__queries.banner = data`

			`elif name == "current_user":`
			`data = sanitizeStr(attrs.get("query"))`
			`self.__queries.currentUser = data`

			`elif name == "current_db":`
			`data = sanitizeStr(attrs.get("query"))`
			`self.__queries.currentDb = data`

Minor enhancement to support an option (--is-dba) to show if the current user is a database management system administrator. 2008-12-18 23:41:11 +03:00			`elif name == "is_dba":`
			`data = sanitizeStr(attrs.get("query"))`
			`self.__queries.isDba = data`

Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring. 2009-09-26 03:03:45 +04:00			`elif name == "check_udf":`
			`data = sanitizeStr(attrs.get("query"))`
			`self.__queries.checkUdf = data`

After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`elif name == "inband":`
			`self.__inband = sanitizeStr(attrs.get("query"))`
			`self.__inband2 = sanitizeStr(attrs.get("query2"))`
Minor bug fix 2010-01-13 02:56:43 +03:00			`self.__conditionInband = sanitizeStr(attrs.get("condition"))`
			`self.__conditionInband2 = sanitizeStr(attrs.get("condition2"))`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`elif name == "blind":`
			`self.__blind = sanitizeStr(attrs.get("query"))`
			`self.__blind2 = sanitizeStr(attrs.get("query2"))`
			`self.__count = sanitizeStr(attrs.get("count"))`
			`self.__count2 = sanitizeStr(attrs.get("count2"))`
Minor bug fix 2010-01-13 02:56:43 +03:00			`self.__conditionBlind = sanitizeStr(attrs.get("condition"))`
			`self.__conditionBlind2 = sanitizeStr(attrs.get("condition2"))`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`def endElement(self, name):`
			`if name == "dbms":`
			`queries[self.__dbms] = self.__queries`
			`self.__queries = advancedDict()`

			`elif name == "users":`
			`self.__users = {}`
			`self.__users["inband"] = { "query": self.__inband, "query2": self.__inband2 }`
			`self.__users["blind"] = { "query": self.__blind, "query2": self.__blind2,`
			`"count": self.__count, "count2": self.__count2 }`

			`self.__queries.users = self.__users`

			`elif name == "passwords":`
			`self.__passwords = {}`
Minor bug fix 2010-01-13 02:56:43 +03:00			`self.__passwords["inband"] = { "query": self.__inband, "query2": self.__inband2, "condition": self.__conditionInband }`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`self.__passwords["blind"] = { "query": self.__blind, "query2": self.__blind2,`
			`"count": self.__count, "count2": self.__count2 }`

			`self.__queries.passwords = self.__passwords`

			`elif name == "privileges":`
			`self.__privileges = {}`
Minor bug fix 2010-01-13 02:56:43 +03:00			`self.__privileges["inband"] = { "query": self.__inband, "query2": self.__inband2, "condition": self.__conditionInband, "condition2": self.__conditionInband2 }`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`self.__privileges["blind"] = { "query": self.__blind, "query2": self.__blind2,`
			`"count": self.__count, "count2": self.__count2 }`

			`self.__queries.privileges = self.__privileges`

Added support for --roles (for Oracle ROLE_PRIVS). Enhanced Oracle --privileges to fall-back to USER_SYS_PRIVS if DBA_SYS_PRIVS is not accessible (so session user is not DBA) - Fixes ticket #180. Minor enhancement to Firebird to determine if a DB user is a DBA. Minor code refactoring. 2010-03-25 18:46:06 +03:00			`elif name == "roles":`
			`self.__roles = {}`
			`self.__roles["inband"] = { "query": self.__inband, "query2": self.__inband2, "condition": self.__conditionInband, "condition2": self.__conditionInband2 }`
			`self.__roles["blind"] = { "query": self.__blind, "query2": self.__blind2,`
			`"count": self.__count, "count2": self.__count2 }`

			`self.__queries.roles = self.__roles`

After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`elif name == "dbs":`
			`self.__dbs = {}`
			`self.__dbs["inband"] = { "query": self.__inband, "query2": self.__inband2 }`
			`self.__dbs["blind"] = { "query": self.__blind, "query2": self.__blind2,`
			`"count": self.__count, "count2": self.__count2 }`

			`self.__queries.dbs = self.__dbs`

			`elif name == "tables":`
			`self.__tables = {}`
Minor bug fix 2010-01-13 02:56:43 +03:00			`self.__tables["inband"] = { "query": self.__inband, "condition": self.__conditionInband }`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`self.__tables["blind"] = { "query": self.__blind, "count": self.__count }`

			`self.__queries.tables = self.__tables`

			`elif name == "columns":`
			`self.__columns = {}`
Minor bug fix 2010-01-13 02:56:43 +03:00			`self.__columns["inband"] = { "query": self.__inband, "condition": self.__conditionInband }`
			`self.__columns["blind"] = { "query": self.__blind, "query2": self.__blind2, "count": self.__count, "condition": self.__conditionBlind }`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`self.__queries.columns = self.__columns`

			`elif name == "dump_table":`
			`self.__dumpTable = {}`
			`self.__dumpTable["inband"] = { "query": self.__inband }`
			`self.__dumpTable["blind"] = { "query": self.__blind, "count": self.__count }`

			`self.__queries.dumpTable = self.__dumpTable`

Added option --search to work in conjunction with -D (done), -T (soon) or -C (replaces --dump -C) - See #190: * --search -D foobar: searches all database names like the ones provided * --search -T foobar: searches all databases' table names like the ones provided (soon) * --search -C foobar: replaces --dump -C 2010-05-07 17:40:57 +04:00			`elif name == "search_db":`
			`self.__searchDb = {}`
			`self.__searchDb["inband"] = { "query": self.__inband, "query2": self.__inband2, "condition": self.__conditionInband, "condition2": self.__conditionInband2 }`
			`self.__searchDb["blind"] = { "query": self.__blind, "query2": self.__blind2, "count": self.__count, "count2": self.__count2, "condition": self.__conditionBlind, "condition2": self.__conditionBlind2 }`

			`self.__queries.searchDb = self.__searchDb`

			`elif name == "search_table":`
			`self.__searchTable = {}`
			`self.__searchTable["inband"] = { "query": self.__inband, "query2": self.__inband2, "condition": self.__conditionInband, "condition2": self.__conditionInband2 }`
			`self.__searchTable["blind"] = { "query": self.__blind, "query2": self.__blind2, "count": self.__count, "count2": self.__count2, "condition": self.__conditionBlind, "condition2": self.__conditionBlind2 }`

			`self.__queries.searchTable = self.__searchTable`

			`elif name == "search_column":`
			`self.__searchColumn = {}`
			`self.__searchColumn["inband"] = { "query": self.__inband, "query2": self.__inband2, "condition": self.__conditionInband, "condition2": self.__conditionInband2 }`
			`self.__searchColumn["blind"] = { "query": self.__blind, "query2": self.__blind2, "count": self.__count, "count2": self.__count2, "condition": self.__conditionBlind, "condition2": self.__conditionBlind2 }`

			`self.__queries.searchColumn = self.__searchColumn`

After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`def queriesParser():`
			`"""`
			`This function calls a class to parse the default DBMS queries`
			`from an XML file`
			`"""`

			`debugMsg = "parsing XML queries file"`
			`logger.debug(debugMsg)`

			`xmlfile = paths.QUERIES_XML`

			`checkFile(xmlfile)`
			`handler = queriesHandler()`
some code refactoring 2010-04-16 23:57:00 +04:00			`parseXmlFile(xmlfile, handler)`