2008-10-15 19:38:22 +04:00
|
|
|
#!/usr/bin/env python
|
|
|
|
|
|
|
|
"""
|
2008-10-15 19:56:32 +04:00
|
|
|
$Id$
|
2008-10-15 19:38:22 +04:00
|
|
|
|
|
|
|
This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
|
|
|
|
|
2010-03-03 18:26:27 +03:00
|
|
|
Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
|
2009-04-22 15:48:07 +04:00
|
|
|
Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>
|
2008-10-15 19:38:22 +04:00
|
|
|
|
|
|
|
sqlmap is free software; you can redistribute it and/or modify it under
|
|
|
|
the terms of the GNU General Public License as published by the Free
|
|
|
|
Software Foundation version 2 of the License.
|
|
|
|
|
|
|
|
sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
|
|
|
|
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
|
|
|
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
|
|
|
|
details.
|
|
|
|
|
|
|
|
You should have received a copy of the GNU General Public License along
|
|
|
|
with sqlmap; if not, write to the Free Software Foundation, Inc., 51
|
|
|
|
Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
|
|
|
"""
|
|
|
|
|
|
|
|
from lib.controller.handler import setHandler
|
|
|
|
from lib.core.common import getHtmlErrorFp
|
|
|
|
from lib.core.data import conf
|
|
|
|
from lib.core.data import kb
|
|
|
|
from lib.core.dump import dumper
|
|
|
|
from lib.core.exception import sqlmapUnsupportedDBMSException
|
|
|
|
from lib.core.settings import SUPPORTED_DBMS
|
2008-11-13 02:44:09 +03:00
|
|
|
from lib.techniques.blind.timebased import timeTest
|
2008-10-15 19:38:22 +04:00
|
|
|
from lib.techniques.inband.union.test import unionTest
|
2008-12-17 00:30:24 +03:00
|
|
|
from lib.techniques.outband.stacked import stackedTest
|
2008-10-15 19:38:22 +04:00
|
|
|
|
|
|
|
def action():
|
|
|
|
"""
|
|
|
|
This function exploit the SQL injection on the affected
|
|
|
|
url parameter and extract requested data from the
|
|
|
|
back-end database management system or operating system
|
|
|
|
if possible
|
|
|
|
"""
|
|
|
|
|
|
|
|
# First of all we have to identify the back-end database management
|
|
|
|
# system to be able to go ahead with the injection
|
|
|
|
conf.dbmsHandler = setHandler()
|
|
|
|
|
|
|
|
if not conf.dbmsHandler:
|
|
|
|
htmlParsed = getHtmlErrorFp()
|
|
|
|
|
|
|
|
errMsg = "sqlmap was not able to fingerprint the "
|
|
|
|
errMsg += "back-end database management system"
|
|
|
|
|
|
|
|
if htmlParsed:
|
|
|
|
errMsg += ", but from the HTML error page it was "
|
|
|
|
errMsg += "possible to determinate that the "
|
|
|
|
errMsg += "back-end DBMS is %s" % htmlParsed
|
|
|
|
|
|
|
|
if htmlParsed and htmlParsed.lower() in SUPPORTED_DBMS:
|
|
|
|
errMsg += ". Do not specify the back-end DBMS manually, "
|
|
|
|
errMsg += "sqlmap will fingerprint the DBMS for you"
|
|
|
|
else:
|
|
|
|
errMsg += ". Support for this DBMS will be implemented if "
|
|
|
|
errMsg += "you ask, just drop us an email"
|
|
|
|
|
|
|
|
raise sqlmapUnsupportedDBMSException, errMsg
|
|
|
|
|
2008-11-17 03:00:54 +03:00
|
|
|
print "%s\n" % conf.dbmsHandler.getFingerprint()
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2008-11-12 03:36:50 +03:00
|
|
|
# Techniques options
|
2008-12-17 00:30:24 +03:00
|
|
|
if conf.stackedTest:
|
|
|
|
dumper.string("stacked queries support", stackedTest())
|
|
|
|
|
2008-11-12 03:36:50 +03:00
|
|
|
if conf.timeTest:
|
2008-11-13 02:44:09 +03:00
|
|
|
dumper.string("time based blind sql injection payload", timeTest())
|
2008-11-12 03:36:50 +03:00
|
|
|
|
2009-04-22 15:48:07 +04:00
|
|
|
if ( conf.unionUse or conf.unionTest ) and not kb.unionPosition:
|
2008-10-15 19:38:22 +04:00
|
|
|
dumper.string("valid union", unionTest())
|
|
|
|
|
|
|
|
# Enumeration options
|
|
|
|
if conf.getBanner:
|
|
|
|
dumper.string("banner", conf.dbmsHandler.getBanner())
|
|
|
|
|
|
|
|
if conf.getCurrentUser:
|
|
|
|
dumper.string("current user", conf.dbmsHandler.getCurrentUser())
|
|
|
|
|
|
|
|
if conf.getCurrentDb:
|
|
|
|
dumper.string("current database", conf.dbmsHandler.getCurrentDb())
|
|
|
|
|
2008-12-18 23:41:11 +03:00
|
|
|
if conf.isDba:
|
|
|
|
dumper.string("current user is DBA", conf.dbmsHandler.isDba())
|
|
|
|
|
2008-10-15 19:38:22 +04:00
|
|
|
if conf.getUsers:
|
|
|
|
dumper.lister("database management system users", conf.dbmsHandler.getUsers())
|
|
|
|
|
|
|
|
if conf.getPasswordHashes:
|
|
|
|
dumper.userSettings("database management system users password hashes",
|
|
|
|
conf.dbmsHandler.getPasswordHashes(), "password hash")
|
|
|
|
|
|
|
|
if conf.getPrivileges:
|
|
|
|
dumper.userSettings("database management system users privileges",
|
|
|
|
conf.dbmsHandler.getPrivileges(), "privilege")
|
|
|
|
|
2010-03-25 18:46:06 +03:00
|
|
|
if conf.getRoles:
|
|
|
|
dumper.userSettings("database management system users roles",
|
|
|
|
conf.dbmsHandler.getRoles(), "role")
|
|
|
|
|
2008-10-15 19:38:22 +04:00
|
|
|
if conf.getDbs:
|
|
|
|
dumper.lister("available databases", conf.dbmsHandler.getDbs())
|
|
|
|
|
|
|
|
if conf.getTables:
|
|
|
|
dumper.dbTables(conf.dbmsHandler.getTables())
|
|
|
|
|
|
|
|
if conf.getColumns:
|
|
|
|
dumper.dbTableColumns(conf.dbmsHandler.getColumns())
|
|
|
|
|
|
|
|
if conf.dumpTable:
|
|
|
|
dumper.dbTableValues(conf.dbmsHandler.dumpTable())
|
|
|
|
|
|
|
|
if conf.dumpAll:
|
|
|
|
conf.dbmsHandler.dumpAll()
|
|
|
|
|
|
|
|
if conf.query:
|
|
|
|
dumper.string(conf.query, conf.dbmsHandler.sqlQuery(conf.query))
|
|
|
|
|
|
|
|
if conf.sqlShell:
|
|
|
|
conf.dbmsHandler.sqlShell()
|
|
|
|
|
2009-09-26 03:03:45 +04:00
|
|
|
# User-defined function options
|
|
|
|
if conf.udfInject:
|
|
|
|
conf.dbmsHandler.udfInjectCustom()
|
|
|
|
|
2008-10-15 19:38:22 +04:00
|
|
|
# File system options
|
|
|
|
if conf.rFile:
|
2009-04-22 15:48:07 +04:00
|
|
|
dumper.string("%s file saved to" % conf.rFile, conf.dbmsHandler.readFile(conf.rFile), sort=False)
|
2008-10-15 19:38:22 +04:00
|
|
|
|
|
|
|
if conf.wFile:
|
2009-04-22 15:48:07 +04:00
|
|
|
conf.dbmsHandler.writeFile(conf.wFile, conf.dFile, conf.wFileType)
|
|
|
|
|
|
|
|
# Operating system options
|
|
|
|
if conf.osCmd:
|
|
|
|
conf.dbmsHandler.osCmd()
|
2008-10-15 19:38:22 +04:00
|
|
|
|
|
|
|
if conf.osShell:
|
|
|
|
conf.dbmsHandler.osShell()
|
2009-04-22 15:48:07 +04:00
|
|
|
|
|
|
|
if conf.osPwn:
|
|
|
|
conf.dbmsHandler.osPwn()
|
|
|
|
|
|
|
|
if conf.osSmb:
|
|
|
|
conf.dbmsHandler.osSmb()
|
|
|
|
|
|
|
|
if conf.osBof:
|
|
|
|
conf.dbmsHandler.osBof()
|
|
|
|
|
2009-09-26 03:03:45 +04:00
|
|
|
# Windows registry options
|
|
|
|
if conf.regRead:
|
|
|
|
dumper.string("Registry key value data", conf.dbmsHandler.regRead())
|
|
|
|
|
|
|
|
if conf.regAdd:
|
|
|
|
conf.dbmsHandler.regAdd()
|
|
|
|
|
|
|
|
if conf.regDel:
|
|
|
|
conf.dbmsHandler.regDel()
|
|
|
|
|
2009-04-22 15:48:07 +04:00
|
|
|
# Miscellaneous options
|
|
|
|
if conf.cleanup:
|
|
|
|
conf.dbmsHandler.cleanup()
|