2008-10-15 19:38:22 +04:00
|
|
|
#!/usr/bin/env python
|
|
|
|
|
|
|
|
"""
|
2008-10-15 19:56:32 +04:00
|
|
|
$Id$
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2012-01-11 18:59:46 +04:00
|
|
|
Copyright (c) 2006-2012 sqlmap developers (http://www.sqlmap.org/)
|
2010-10-15 03:18:29 +04:00
|
|
|
See the file 'doc/COPYING' for copying permission
|
2008-10-15 19:38:22 +04:00
|
|
|
"""
|
|
|
|
|
|
|
|
import re
|
|
|
|
import time
|
|
|
|
|
|
|
|
from lib.core.agent import agent
|
2012-02-16 13:46:41 +04:00
|
|
|
from lib.core.bigarray import BigArray
|
2011-01-28 19:36:09 +03:00
|
|
|
from lib.core.common import Backend
|
2010-05-13 15:05:35 +04:00
|
|
|
from lib.core.common import calculateDeltaSeconds
|
2008-10-15 19:38:22 +04:00
|
|
|
from lib.core.common import cleanQuery
|
|
|
|
from lib.core.common import expandAsteriskForColumns
|
2012-02-17 18:22:48 +04:00
|
|
|
from lib.core.common import extractExpectedValue
|
2010-12-15 15:10:33 +03:00
|
|
|
from lib.core.common import getPublicTypeMembers
|
2012-02-24 17:07:20 +04:00
|
|
|
from lib.core.common import hashDBRetrieve
|
|
|
|
from lib.core.common import hashDBWrite
|
2010-12-18 12:51:34 +03:00
|
|
|
from lib.core.common import initTechnique
|
2011-01-19 02:02:11 +03:00
|
|
|
from lib.core.common import isNumPosStrValue
|
2010-12-15 15:10:33 +03:00
|
|
|
from lib.core.common import isTechniqueAvailable
|
2008-12-10 20:23:07 +03:00
|
|
|
from lib.core.common import parseUnionPage
|
2010-10-11 17:52:32 +04:00
|
|
|
from lib.core.common import popValue
|
|
|
|
from lib.core.common import pushValue
|
2010-10-20 12:56:58 +04:00
|
|
|
from lib.core.common import randomInt
|
2008-10-15 19:38:22 +04:00
|
|
|
from lib.core.common import readInput
|
2010-10-19 16:02:04 +04:00
|
|
|
from lib.core.common import safeStringFormat
|
2008-10-15 19:38:22 +04:00
|
|
|
from lib.core.data import conf
|
|
|
|
from lib.core.data import kb
|
|
|
|
from lib.core.data import logger
|
|
|
|
from lib.core.data import queries
|
2012-03-01 14:10:19 +04:00
|
|
|
from lib.core.enums import CHARSET_TYPE
|
2010-11-08 12:20:02 +03:00
|
|
|
from lib.core.enums import DBMS
|
2010-12-10 15:30:36 +03:00
|
|
|
from lib.core.enums import EXPECTED
|
2010-12-08 16:04:48 +03:00
|
|
|
from lib.core.enums import PAYLOAD
|
2010-11-29 00:27:47 +03:00
|
|
|
from lib.core.exception import sqlmapNotVulnerableException
|
2011-01-19 02:02:11 +03:00
|
|
|
from lib.core.exception import sqlmapUserQuitException
|
2012-02-07 16:05:23 +04:00
|
|
|
from lib.core.settings import FROM_DUMMY_TABLE
|
2010-12-08 15:49:26 +03:00
|
|
|
from lib.core.settings import MIN_TIME_RESPONSES
|
2010-12-21 18:26:23 +03:00
|
|
|
from lib.core.settings import MAX_TECHNIQUES_PER_VALUE
|
2011-05-19 20:45:05 +04:00
|
|
|
from lib.core.settings import SQL_SCALAR_REGEX
|
2011-01-07 19:39:47 +03:00
|
|
|
from lib.core.threads import getCurrentThreadData
|
2010-12-10 16:20:59 +03:00
|
|
|
from lib.core.unescaper import unescaper
|
2008-11-12 03:36:50 +03:00
|
|
|
from lib.request.connect import Connect as Request
|
2010-03-31 14:50:47 +04:00
|
|
|
from lib.request.direct import direct
|
2011-06-18 16:34:41 +04:00
|
|
|
from lib.techniques.union.use import unionUse
|
2008-11-13 02:44:09 +03:00
|
|
|
from lib.techniques.blind.inference import bisection
|
2010-10-20 13:09:04 +04:00
|
|
|
from lib.techniques.error.use import errorUse
|
2008-10-15 19:38:22 +04:00
|
|
|
from lib.utils.resume import queryOutputLength
|
|
|
|
from lib.utils.resume import resume
|
|
|
|
|
2011-02-27 15:14:13 +03:00
|
|
|
def __goInference(payload, expression, charsetType=None, firstChar=None, lastChar=None, dump=False):
|
2008-11-12 03:36:50 +03:00
|
|
|
start = time.time()
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2011-01-16 20:52:42 +03:00
|
|
|
timeBasedCompare = (kb.technique in (PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED))
|
|
|
|
|
2011-01-28 19:36:09 +03:00
|
|
|
if (conf.eta or conf.threads > 1) and Backend.getIdentifiedDbms() and not timeBasedCompare:
|
2008-10-15 19:38:22 +04:00
|
|
|
_, length, _ = queryOutputLength(expression, payload)
|
|
|
|
else:
|
|
|
|
length = None
|
|
|
|
|
2011-11-21 20:41:02 +04:00
|
|
|
kb.inferenceMode = True
|
2011-02-27 15:14:13 +03:00
|
|
|
count, value = bisection(payload, expression, length, charsetType, firstChar, lastChar, dump)
|
2011-11-21 20:41:02 +04:00
|
|
|
kb.inferenceMode = False
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2011-04-08 15:02:21 +04:00
|
|
|
if not kb.bruteMode:
|
|
|
|
debugMsg = "performed %d queries in %d seconds" % (count, calculateDeltaSeconds(start))
|
|
|
|
logger.debug(debugMsg)
|
2008-10-15 19:38:22 +04:00
|
|
|
|
|
|
|
return value
|
|
|
|
|
2012-02-17 18:22:48 +04:00
|
|
|
def __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected=None, num=None, charsetType=None, firstChar=None, lastChar=None, dump=False):
|
2011-01-19 02:02:11 +03:00
|
|
|
outputs = []
|
|
|
|
origExpr = None
|
2008-10-15 19:38:22 +04:00
|
|
|
|
|
|
|
for field in expressionFieldsList:
|
|
|
|
output = None
|
|
|
|
|
2008-12-24 02:34:50 +03:00
|
|
|
if field.startswith("ROWNUM "):
|
|
|
|
continue
|
|
|
|
|
2008-12-22 22:36:01 +03:00
|
|
|
if isinstance(num, int):
|
2011-01-19 02:02:11 +03:00
|
|
|
origExpr = expression
|
2008-12-22 22:36:01 +03:00
|
|
|
expression = agent.limitQuery(num, expression, field)
|
|
|
|
|
2008-12-24 02:34:50 +03:00
|
|
|
if "ROWNUM" in expressionFieldsList:
|
|
|
|
expressionReplaced = expression
|
2009-01-23 01:28:27 +03:00
|
|
|
else:
|
|
|
|
expressionReplaced = expression.replace(expressionFields, field, 1)
|
2008-12-24 02:34:50 +03:00
|
|
|
|
2012-02-17 18:22:48 +04:00
|
|
|
output = __goInference(payload, expressionReplaced, charsetType, firstChar, lastChar, dump)
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2008-12-22 22:36:01 +03:00
|
|
|
if isinstance(num, int):
|
|
|
|
expression = origExpr
|
|
|
|
|
2008-10-15 19:38:22 +04:00
|
|
|
outputs.append(output)
|
|
|
|
|
|
|
|
return outputs
|
|
|
|
|
2012-02-17 18:22:48 +04:00
|
|
|
def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, unpack=True, charsetType=None, firstChar=None, lastChar=None, dump=False):
|
2008-10-15 19:38:22 +04:00
|
|
|
"""
|
|
|
|
Retrieve the output of a SQL query characted by character taking
|
|
|
|
advantage of an blind SQL injection vulnerability on the affected
|
|
|
|
parameter through a bisection algorithm.
|
|
|
|
"""
|
2010-10-25 18:11:47 +04:00
|
|
|
|
2010-12-18 12:51:34 +03:00
|
|
|
initTechnique(kb.technique)
|
|
|
|
|
2011-02-07 01:58:12 +03:00
|
|
|
query = agent.prefixQuery(kb.injection.data[kb.technique].vector)
|
2010-12-14 00:33:42 +03:00
|
|
|
query = agent.suffixQuery(query)
|
|
|
|
payload = agent.payload(newValue=query)
|
|
|
|
count = None
|
|
|
|
startLimit = 0
|
|
|
|
stopLimit = None
|
2011-07-24 13:19:33 +04:00
|
|
|
outputs = BigArray()
|
2010-12-14 00:33:42 +03:00
|
|
|
test = None
|
2008-10-15 19:38:22 +04:00
|
|
|
untilLimitChar = None
|
|
|
|
untilOrderChar = None
|
|
|
|
|
2010-01-02 05:02:12 +03:00
|
|
|
if not unpack:
|
2011-02-27 15:14:13 +03:00
|
|
|
return __goInference(payload, expression, charsetType, firstChar, lastChar, dump)
|
2009-04-22 15:48:07 +04:00
|
|
|
|
2011-01-20 02:06:15 +03:00
|
|
|
_, _, _, _, _, expressionFieldsList, expressionFields, _ = agent.getFields(expression)
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2011-01-20 02:06:15 +03:00
|
|
|
rdbRegExp = re.search("RDB\$GET_CONTEXT\([^)]+\)", expression, re.I)
|
2011-04-30 18:54:29 +04:00
|
|
|
if rdbRegExp and Backend.isDbms(DBMS.FIREBIRD):
|
2011-01-20 02:06:15 +03:00
|
|
|
expressionFieldsList = [expressionFields]
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2011-01-20 02:06:15 +03:00
|
|
|
if len(expressionFieldsList) > 1:
|
|
|
|
infoMsg = "the SQL query provided has more than a field. "
|
|
|
|
infoMsg += "sqlmap will now unpack it into distinct queries "
|
|
|
|
infoMsg += "to be able to retrieve the output even if we "
|
|
|
|
infoMsg += "are going blind"
|
|
|
|
logger.info(infoMsg)
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2011-01-20 02:06:15 +03:00
|
|
|
# If we have been here from SQL query/shell we have to check if
|
|
|
|
# the SQL query might return multiple entries and in such case
|
|
|
|
# forge the SQL limiting the query output one entry per time
|
|
|
|
# NOTE: I assume that only queries that get data from a table
|
|
|
|
# can return multiple entries
|
2011-02-02 01:27:36 +03:00
|
|
|
if fromUser and " FROM " in expression.upper() and ((Backend.getIdentifiedDbms() \
|
2012-02-07 18:57:48 +04:00
|
|
|
not in FROM_DUMMY_TABLE) or (Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE and not \
|
2012-02-07 16:05:23 +04:00
|
|
|
expression.upper().endswith(FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]))) \
|
2011-05-19 20:45:05 +04:00
|
|
|
and not re.search(SQL_SCALAR_REGEX, expression, re.I):
|
2011-02-02 01:27:36 +03:00
|
|
|
|
2011-01-28 19:36:09 +03:00
|
|
|
limitRegExp = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query, expression, re.I)
|
2011-01-20 02:06:15 +03:00
|
|
|
topLimit = re.search("TOP\s+([\d]+)\s+", expression, re.I)
|
2009-02-03 02:44:19 +03:00
|
|
|
|
2011-01-28 19:36:09 +03:00
|
|
|
if limitRegExp or (Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE) and topLimit):
|
|
|
|
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL):
|
|
|
|
limitGroupStart = queries[Backend.getIdentifiedDbms()].limitgroupstart.query
|
|
|
|
limitGroupStop = queries[Backend.getIdentifiedDbms()].limitgroupstop.query
|
2009-02-03 02:44:19 +03:00
|
|
|
|
2011-01-20 02:06:15 +03:00
|
|
|
if limitGroupStart.isdigit():
|
|
|
|
startLimit = int(limitRegExp.group(int(limitGroupStart)))
|
2009-01-03 02:26:45 +03:00
|
|
|
|
2011-01-20 02:06:15 +03:00
|
|
|
stopLimit = limitRegExp.group(int(limitGroupStop))
|
|
|
|
limitCond = int(stopLimit) > 1
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2011-01-28 19:36:09 +03:00
|
|
|
elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):
|
2008-10-15 19:38:22 +04:00
|
|
|
if limitRegExp:
|
2011-01-28 19:36:09 +03:00
|
|
|
limitGroupStart = queries[Backend.getIdentifiedDbms()].limitgroupstart.query
|
|
|
|
limitGroupStop = queries[Backend.getIdentifiedDbms()].limitgroupstop.query
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2011-01-20 02:06:15 +03:00
|
|
|
if limitGroupStart.isdigit():
|
|
|
|
startLimit = int(limitRegExp.group(int(limitGroupStart)))
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2011-01-20 02:06:15 +03:00
|
|
|
stopLimit = limitRegExp.group(int(limitGroupStop))
|
|
|
|
limitCond = int(stopLimit) > 1
|
|
|
|
elif topLimit:
|
|
|
|
startLimit = 0
|
|
|
|
stopLimit = int(topLimit.group(1))
|
|
|
|
limitCond = int(stopLimit) > 1
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2011-04-30 18:54:29 +04:00
|
|
|
elif Backend.isDbms(DBMS.ORACLE):
|
2011-01-20 02:06:15 +03:00
|
|
|
limitCond = False
|
|
|
|
else:
|
|
|
|
limitCond = True
|
|
|
|
|
|
|
|
# I assume that only queries NOT containing a "LIMIT #, 1"
|
|
|
|
# (or similar depending on the back-end DBMS) can return
|
|
|
|
# multiple entries
|
|
|
|
if limitCond:
|
|
|
|
if limitRegExp:
|
|
|
|
stopLimit = int(stopLimit)
|
|
|
|
|
|
|
|
# From now on we need only the expression until the " LIMIT "
|
|
|
|
# (or similar, depending on the back-end DBMS) word
|
2011-01-28 19:36:09 +03:00
|
|
|
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL):
|
2011-01-20 02:06:15 +03:00
|
|
|
stopLimit += startLimit
|
2011-01-28 19:36:09 +03:00
|
|
|
untilLimitChar = expression.index(queries[Backend.getIdentifiedDbms()].limitstring.query)
|
2011-01-20 02:06:15 +03:00
|
|
|
expression = expression[:untilLimitChar]
|
|
|
|
|
2011-01-28 19:36:09 +03:00
|
|
|
elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):
|
2011-01-20 02:06:15 +03:00
|
|
|
stopLimit += startLimit
|
|
|
|
|
|
|
|
if not stopLimit or stopLimit <= 1:
|
2012-02-07 18:57:48 +04:00
|
|
|
if Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE and expression.upper().endswith(FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]):
|
2011-01-20 02:06:15 +03:00
|
|
|
test = False
|
|
|
|
else:
|
|
|
|
test = True
|
|
|
|
|
|
|
|
if test:
|
|
|
|
# Count the number of SQL query entries output
|
2011-01-28 19:36:09 +03:00
|
|
|
countFirstField = queries[Backend.getIdentifiedDbms()].count.query % expressionFieldsList[0]
|
2011-01-20 02:06:15 +03:00
|
|
|
countedExpression = expression.replace(expressionFields, countFirstField, 1)
|
|
|
|
|
|
|
|
if re.search(" ORDER BY ", expression, re.I):
|
|
|
|
untilOrderChar = countedExpression.index(" ORDER BY ")
|
|
|
|
countedExpression = countedExpression[:untilOrderChar]
|
|
|
|
|
|
|
|
if not stopLimit:
|
2012-03-01 14:10:19 +04:00
|
|
|
count = __goInference(payload, countedExpression, CHARSET_TYPE.DIGITS, firstChar, lastChar)
|
2011-01-20 02:06:15 +03:00
|
|
|
|
|
|
|
if isNumPosStrValue(count):
|
|
|
|
count = int(count)
|
|
|
|
|
|
|
|
if batch:
|
|
|
|
stopLimit = count
|
|
|
|
else:
|
|
|
|
message = "the SQL query provided can return "
|
|
|
|
message += "%d entries. How many " % count
|
|
|
|
message += "entries do you want to retrieve?\n"
|
|
|
|
message += "[a] All (default)\n[#] Specific number\n"
|
|
|
|
message += "[q] Quit"
|
|
|
|
test = readInput(message, default="a")
|
|
|
|
|
|
|
|
if not test or test[0] in ("a", "A"):
|
2008-10-15 19:38:22 +04:00
|
|
|
stopLimit = count
|
|
|
|
|
2011-01-20 02:06:15 +03:00
|
|
|
elif test[0] in ("q", "Q"):
|
|
|
|
raise sqlmapUserQuitException
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2011-01-20 02:06:15 +03:00
|
|
|
elif test.isdigit() and int(test) > 0 and int(test) <= count:
|
|
|
|
stopLimit = int(test)
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2011-01-20 02:06:15 +03:00
|
|
|
infoMsg = "sqlmap is now going to retrieve the "
|
|
|
|
infoMsg += "first %d query output entries" % stopLimit
|
|
|
|
logger.info(infoMsg)
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2011-01-20 02:06:15 +03:00
|
|
|
elif test[0] in ("#", "s", "S"):
|
|
|
|
message = "how many? "
|
|
|
|
stopLimit = readInput(message, default="10")
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2011-01-20 02:06:15 +03:00
|
|
|
if not stopLimit.isdigit():
|
2011-01-19 02:02:11 +03:00
|
|
|
errMsg = "invalid choice"
|
2009-04-22 15:48:07 +04:00
|
|
|
logger.error(errMsg)
|
|
|
|
|
|
|
|
return None
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2011-01-20 02:06:15 +03:00
|
|
|
else:
|
|
|
|
stopLimit = int(stopLimit)
|
|
|
|
|
|
|
|
else:
|
|
|
|
errMsg = "invalid choice"
|
|
|
|
logger.error(errMsg)
|
2008-12-17 23:11:18 +03:00
|
|
|
|
2011-01-20 02:06:15 +03:00
|
|
|
return None
|
2008-12-17 23:11:18 +03:00
|
|
|
|
2011-01-20 02:06:15 +03:00
|
|
|
elif count and not count.isdigit():
|
|
|
|
warnMsg = "it was not possible to count the number "
|
|
|
|
warnMsg += "of entries for the SQL query provided. "
|
|
|
|
warnMsg += "sqlmap will assume that it returns only "
|
|
|
|
warnMsg += "one entry"
|
|
|
|
logger.warn(warnMsg)
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2011-01-20 02:06:15 +03:00
|
|
|
stopLimit = 1
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2011-01-20 02:06:15 +03:00
|
|
|
elif (not count or int(count) == 0):
|
2012-01-07 21:45:45 +04:00
|
|
|
if not count:
|
|
|
|
warnMsg = "the SQL query provided does not "
|
|
|
|
warnMsg += "return any output"
|
|
|
|
logger.warn(warnMsg)
|
2008-10-15 19:38:22 +04:00
|
|
|
|
|
|
|
return None
|
|
|
|
|
2012-02-17 18:22:48 +04:00
|
|
|
elif (not stopLimit or stopLimit == 0):
|
2011-01-20 02:06:15 +03:00
|
|
|
return None
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2011-01-20 02:06:15 +03:00
|
|
|
try:
|
|
|
|
for num in xrange(startLimit, stopLimit):
|
2012-02-17 18:22:48 +04:00
|
|
|
output = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, num, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar, dump=dump)
|
2011-01-20 02:06:15 +03:00
|
|
|
outputs.append(output)
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2011-01-20 02:06:15 +03:00
|
|
|
except KeyboardInterrupt:
|
|
|
|
print
|
2011-04-08 14:39:07 +04:00
|
|
|
warnMsg = "user aborted during dumping phase"
|
2011-01-20 02:06:15 +03:00
|
|
|
logger.warn(warnMsg)
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2011-01-20 02:06:15 +03:00
|
|
|
return outputs
|
|
|
|
|
2012-02-07 16:05:23 +04:00
|
|
|
elif Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE and expression.upper().startswith("SELECT ") and " FROM " not in expression.upper():
|
|
|
|
expression += FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]
|
2011-01-20 02:06:15 +03:00
|
|
|
|
2012-02-17 18:22:48 +04:00
|
|
|
outputs = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar, dump=dump)
|
2011-11-21 00:14:47 +04:00
|
|
|
returnValue = ", ".join(output for output in outputs)
|
2008-10-15 19:38:22 +04:00
|
|
|
|
|
|
|
return returnValue
|
|
|
|
|
2012-02-17 18:22:48 +04:00
|
|
|
def __goBooleanProxy(expression):
|
2011-01-19 02:02:11 +03:00
|
|
|
"""
|
|
|
|
Retrieve the output of a boolean based SQL query
|
|
|
|
"""
|
|
|
|
|
|
|
|
initTechnique(kb.technique)
|
|
|
|
|
|
|
|
vector = kb.injection.data[kb.technique].vector
|
|
|
|
vector = vector.replace("[INFERENCE]", expression)
|
|
|
|
query = agent.prefixQuery(vector)
|
|
|
|
query = agent.suffixQuery(query)
|
|
|
|
payload = agent.payload(newValue=query)
|
|
|
|
timeBasedCompare = kb.technique in (PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED)
|
|
|
|
|
2012-02-24 17:07:20 +04:00
|
|
|
output = hashDBRetrieve(expression)
|
2011-01-19 02:02:11 +03:00
|
|
|
|
|
|
|
if not output:
|
|
|
|
output = Request.queryPage(payload, timeBasedCompare=timeBasedCompare, raise404=False)
|
|
|
|
|
2012-02-17 18:22:48 +04:00
|
|
|
if output is not None:
|
2012-02-24 17:07:20 +04:00
|
|
|
hashDBWrite(expression, output)
|
2012-02-17 18:22:48 +04:00
|
|
|
|
2011-01-19 02:02:11 +03:00
|
|
|
return output
|
|
|
|
|
2012-02-17 18:22:48 +04:00
|
|
|
def __goError(expression, expected=None, dump=False):
|
2010-12-03 13:44:16 +03:00
|
|
|
"""
|
|
|
|
Retrieve the output of a SQL query taking advantage of an error-based
|
|
|
|
SQL injection vulnerability on the affected parameter.
|
|
|
|
"""
|
|
|
|
|
2012-02-17 18:22:48 +04:00
|
|
|
output = errorUse(expression, expected, dump)
|
2011-02-01 00:22:39 +03:00
|
|
|
|
|
|
|
return output
|
2010-12-03 13:44:16 +03:00
|
|
|
|
2012-02-17 18:22:48 +04:00
|
|
|
def __goInband(expression, expected=None, unique=True, unpack=True, dump=False):
|
2008-10-15 19:38:22 +04:00
|
|
|
"""
|
|
|
|
Retrieve the output of a SQL query taking advantage of an inband SQL
|
|
|
|
injection vulnerability on the affected parameter.
|
|
|
|
"""
|
|
|
|
|
2012-02-17 18:22:48 +04:00
|
|
|
output = unionUse(expression, unpack=unpack, dump=dump)
|
|
|
|
if isinstance(output, basestring):
|
|
|
|
output = parseUnionPage(output, unique)
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2012-02-17 18:22:48 +04:00
|
|
|
return output
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2011-12-22 14:32:21 +04:00
|
|
|
def getValue(expression, blind=True, inband=True, error=True, time=True, fromUser=False, expected=None, batch=False, unpack=True, unique=True, resumeValue=True, charsetType=None, firstChar=None, lastChar=None, dump=False, suppressOutput=None, expectingNone=False, safeCharEncode=True):
|
2008-10-15 19:38:22 +04:00
|
|
|
"""
|
|
|
|
Called each time sqlmap inject a SQL query on the SQL injection
|
|
|
|
affected parameter. It can call a function to retrieve the output
|
|
|
|
through inband SQL injection (if selected) and/or blind SQL injection
|
|
|
|
(if selected).
|
|
|
|
"""
|
|
|
|
|
2011-07-26 00:40:31 +04:00
|
|
|
kb.safeCharEncode = safeCharEncode
|
2012-02-17 18:22:48 +04:00
|
|
|
kb.resumeValues = resumeValue
|
2011-07-26 00:40:31 +04:00
|
|
|
|
2011-02-20 15:20:44 +03:00
|
|
|
if suppressOutput is not None:
|
|
|
|
pushValue(getCurrentThreadData().disableStdOut)
|
|
|
|
getCurrentThreadData().disableStdOut = suppressOutput
|
2010-10-19 16:02:04 +04:00
|
|
|
|
2010-12-09 01:38:26 +03:00
|
|
|
try:
|
2012-02-14 21:29:00 +04:00
|
|
|
if expected == EXPECTED.BOOL:
|
|
|
|
forgeCaseExpression = booleanExpression = expression
|
|
|
|
|
|
|
|
if expression.upper().startswith("SELECT "):
|
|
|
|
booleanExpression = expression[len("SELECT "):]
|
|
|
|
else:
|
|
|
|
forgeCaseExpression = agent.forgeCaseStatement(expression)
|
|
|
|
|
2010-12-09 01:38:26 +03:00
|
|
|
if conf.direct:
|
2012-02-14 21:29:00 +04:00
|
|
|
if expected == EXPECTED.BOOL:
|
|
|
|
value = direct(forgeCaseExpression)
|
|
|
|
else:
|
|
|
|
value = direct(expression)
|
2010-12-15 15:15:43 +03:00
|
|
|
|
2011-01-12 01:18:47 +03:00
|
|
|
elif any(map(isTechniqueAvailable, getPublicTypeMembers(PAYLOAD.TECHNIQUE, onlyValues=True))):
|
2010-12-10 18:06:53 +03:00
|
|
|
query = cleanQuery(expression)
|
|
|
|
query = expandAsteriskForColumns(query)
|
2010-12-10 18:24:25 +03:00
|
|
|
value = None
|
|
|
|
found = False
|
2011-01-19 02:02:11 +03:00
|
|
|
|
2010-12-27 17:17:20 +03:00
|
|
|
if query and not 'COUNT(*)' in query:
|
|
|
|
query = query.replace("DISTINCT ", "")
|
2011-01-19 02:02:11 +03:00
|
|
|
|
2010-12-21 18:24:14 +03:00
|
|
|
count = 0
|
2010-12-10 18:06:53 +03:00
|
|
|
|
2011-01-12 01:18:47 +03:00
|
|
|
if inband and isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION):
|
2010-12-09 01:38:26 +03:00
|
|
|
kb.technique = PAYLOAD.TECHNIQUE.UNION
|
2010-12-14 00:33:42 +03:00
|
|
|
|
2010-12-11 20:32:15 +03:00
|
|
|
if expected == EXPECTED.BOOL:
|
2012-02-17 18:22:48 +04:00
|
|
|
value = __goInband(forgeCaseExpression, expected, unique, unpack, dump)
|
2010-12-11 20:32:15 +03:00
|
|
|
else:
|
2012-02-17 18:22:48 +04:00
|
|
|
value = __goInband(query, expected, unique, unpack, dump)
|
2008-12-10 20:23:07 +03:00
|
|
|
|
2010-12-21 18:24:14 +03:00
|
|
|
count += 1
|
2010-12-31 15:04:39 +03:00
|
|
|
found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
|
2010-12-01 13:57:17 +03:00
|
|
|
|
2010-12-15 15:10:33 +03:00
|
|
|
if error and isTechniqueAvailable(PAYLOAD.TECHNIQUE.ERROR) and not found:
|
2010-12-09 01:38:26 +03:00
|
|
|
kb.technique = PAYLOAD.TECHNIQUE.ERROR
|
2010-12-14 00:33:42 +03:00
|
|
|
|
2010-12-10 19:03:32 +03:00
|
|
|
if expected == EXPECTED.BOOL:
|
2012-02-17 18:22:48 +04:00
|
|
|
value = __goError(forgeCaseExpression, expected, dump)
|
2010-12-10 19:03:32 +03:00
|
|
|
else:
|
2012-02-17 18:22:48 +04:00
|
|
|
value = __goError(query, expected, dump)
|
2010-12-14 00:33:42 +03:00
|
|
|
|
2010-12-21 18:24:14 +03:00
|
|
|
count += 1
|
2010-12-31 15:04:39 +03:00
|
|
|
found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
|
2010-12-08 15:49:26 +03:00
|
|
|
|
2010-12-15 15:10:33 +03:00
|
|
|
if blind and isTechniqueAvailable(PAYLOAD.TECHNIQUE.BOOLEAN) and not found:
|
2010-12-09 01:38:26 +03:00
|
|
|
kb.technique = PAYLOAD.TECHNIQUE.BOOLEAN
|
2010-12-14 00:33:42 +03:00
|
|
|
|
2010-12-10 15:30:36 +03:00
|
|
|
if expected == EXPECTED.BOOL:
|
2012-02-17 18:22:48 +04:00
|
|
|
value = __goBooleanProxy(booleanExpression)
|
2010-12-10 00:15:18 +03:00
|
|
|
else:
|
2012-02-17 18:22:48 +04:00
|
|
|
value = __goInferenceProxy(query, fromUser, expected, batch, unpack, charsetType, firstChar, lastChar, dump)
|
2010-12-14 00:33:42 +03:00
|
|
|
|
2010-12-21 18:24:14 +03:00
|
|
|
count += 1
|
2010-12-31 15:04:39 +03:00
|
|
|
found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
|
2010-12-08 15:49:26 +03:00
|
|
|
|
2010-12-15 15:10:33 +03:00
|
|
|
if time and (isTechniqueAvailable(PAYLOAD.TECHNIQUE.TIME) or isTechniqueAvailable(PAYLOAD.TECHNIQUE.STACKED)) and not found:
|
|
|
|
if isTechniqueAvailable(PAYLOAD.TECHNIQUE.TIME):
|
2010-12-09 02:52:31 +03:00
|
|
|
kb.technique = PAYLOAD.TECHNIQUE.TIME
|
2010-12-15 15:10:33 +03:00
|
|
|
else:
|
2010-12-09 02:52:31 +03:00
|
|
|
kb.technique = PAYLOAD.TECHNIQUE.STACKED
|
2010-12-08 15:28:54 +03:00
|
|
|
|
2010-12-10 19:03:32 +03:00
|
|
|
if expected == EXPECTED.BOOL:
|
2012-02-17 18:22:48 +04:00
|
|
|
value = __goBooleanProxy(booleanExpression)
|
2010-12-10 19:03:32 +03:00
|
|
|
else:
|
2012-02-17 18:22:48 +04:00
|
|
|
value = __goInferenceProxy(query, fromUser, expected, batch, unpack, charsetType, firstChar, lastChar, dump)
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2010-12-09 01:38:26 +03:00
|
|
|
if value and isinstance(value, basestring):
|
|
|
|
value = value.strip()
|
|
|
|
else:
|
|
|
|
errMsg = "none of the injection types identified can be "
|
|
|
|
errMsg += "leveraged to retrieve queries output"
|
|
|
|
raise sqlmapNotVulnerableException, errMsg
|
2010-12-15 15:34:14 +03:00
|
|
|
|
2010-12-09 01:38:26 +03:00
|
|
|
finally:
|
2012-02-17 18:22:48 +04:00
|
|
|
kb.resumeValues = True
|
2011-02-20 15:20:44 +03:00
|
|
|
if suppressOutput is not None:
|
|
|
|
getCurrentThreadData().disableStdOut = popValue()
|
2010-03-18 20:36:58 +03:00
|
|
|
|
2011-07-26 00:40:31 +04:00
|
|
|
kb.safeCharEncode = False
|
2011-04-10 03:13:16 +04:00
|
|
|
|
2012-02-17 18:22:48 +04:00
|
|
|
return extractExpectedValue(value, expected)
|
2008-11-12 03:36:50 +03:00
|
|
|
|
2009-04-22 15:48:07 +04:00
|
|
|
def goStacked(expression, silent=False):
|
2010-12-08 16:04:48 +03:00
|
|
|
kb.technique = PAYLOAD.TECHNIQUE.STACKED
|
2008-12-19 23:09:46 +03:00
|
|
|
expression = cleanQuery(expression)
|
|
|
|
|
2010-03-27 02:23:25 +03:00
|
|
|
if conf.direct:
|
2011-02-01 00:22:39 +03:00
|
|
|
return direct(expression)
|
2010-03-27 02:23:25 +03:00
|
|
|
|
2011-01-28 19:36:09 +03:00
|
|
|
comment = queries[Backend.getIdentifiedDbms()].comment.query
|
2010-12-01 20:09:52 +03:00
|
|
|
query = agent.prefixQuery("; %s" % expression)
|
|
|
|
query = agent.suffixQuery("%s;%s" % (query, comment))
|
2008-12-17 00:30:24 +03:00
|
|
|
payload = agent.payload(newValue=query)
|
2011-02-07 15:51:38 +03:00
|
|
|
Request.queryPage(payload, content=False, silent=silent, noteResponseTime=False, timeBasedCompare=True)
|
2010-12-06 21:20:57 +03:00
|
|
|
|
2010-12-14 12:05:00 +03:00
|
|
|
def checkBooleanExpression(expression, expectingNone=True):
|
2011-02-10 14:14:05 +03:00
|
|
|
kb.suppressSession = True
|
|
|
|
value = getValue(unescaper.unescape(expression), expected=EXPECTED.BOOL, suppressOutput=True, expectingNone=expectingNone)
|
|
|
|
kb.suppressSession = False
|
|
|
|
|
|
|
|
return value
|