sqlmap/plugins/dbms/oracle/connector.py

#!/usr/bin/env python

"""
Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

try:
    import cx_Oracle
except:
    pass

import logging
import os
import re

from lib.core.common import getSafeExString
from lib.core.convert import getText
from lib.core.data import conf
from lib.core.data import logger
from lib.core.exception import SqlmapConnectionException
from plugins.generic.connector import Connector as GenericConnector

os.environ["NLS_LANG"] = ".AL32UTF8"

class Connector(GenericConnector):
    """
    Homepage: https://oracle.github.io/python-cx_Oracle/
    User https://cx-oracle.readthedocs.io/en/latest/
    API: https://wiki.python.org/moin/DatabaseProgramming
    License: https://cx-oracle.readthedocs.io/en/latest/license.html#license
    """

    def connect(self):
        self.initConnection()
        self.__dsn = cx_Oracle.makedsn(self.hostname, self.port, self.db)
        self.__dsn = getText(self.__dsn)
        self.user = getText(self.user)
        self.password = getText(self.password)

        try:
            self.connector = cx_Oracle.connect(dsn=self.__dsn, user=self.user, password=self.password, mode=cx_Oracle.SYSDBA)
            logger.info("successfully connected as SYSDBA")
        except (cx_Oracle.OperationalError, cx_Oracle.DatabaseError, cx_Oracle.InterfaceError) as ex:
            if "Oracle Client library" in getSafeExString(ex):
                msg = re.sub(r"DPI-\d+:\s+", "", getSafeExString(ex))
                msg = re.sub(r': ("[^"]+")', r" (\g<1>)", msg)
                msg = re.sub(r". See (http[^ ]+)", r'. See "\g<1>"', msg)
                raise SqlmapConnectionException(msg)

            try:
                self.connector = cx_Oracle.connect(dsn=self.__dsn, user=self.user, password=self.password)
            except (cx_Oracle.OperationalError, cx_Oracle.DatabaseError, cx_Oracle.InterfaceError) as ex:
                raise SqlmapConnectionException(ex)

        self.initCursor()
        self.printConnected()

    def fetchall(self):
        try:
            return self.cursor.fetchall()
        except cx_Oracle.InterfaceError as ex:
            logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG, "(remote) '%s'" % getSafeExString(ex))
            return None

    def execute(self, query):
        retVal = False

        try:
            self.cursor.execute(getText(query))
            retVal = True
        except cx_Oracle.DatabaseError as ex:
            logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG, "(remote) '%s'" % getSafeExString(ex))

        self.connector.commit()

        return retVal

    def select(self, query):
        retVal = None

        if self.execute(query):
            retVal = self.fetchall()

        return retVal
Last preparations for DREI 2019-05-08 13:47:52 +03:00			`#!/usr/bin/env python`
Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments. 2010-03-27 02:23:25 +03:00
			`"""`
Bumping copyright year 2024-01-04 01:11:52 +03:00			`Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)`
Replacing doc/COPYING to LICENSE 2017-10-11 15:50:46 +03:00			`See the file 'LICENSE' for copying permission`
Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments. 2010-03-27 02:23:25 +03:00			`"""`

Added support to connect directly also to Oracle - see #158 2010-03-28 00:50:19 +03:00			`try:`
			`import cx_Oracle`
Fixes #2677 2017-09-04 18:05:48 +03:00			`except:`
Added support to connect directly also to Oracle - see #158 2010-03-28 00:50:19 +03:00			`pass`

Patch for an Issue #212 2012-10-23 17:34:59 +04:00			`import logging`
removing of unused imports together with some general code refactoring 2012-02-22 14:40:11 +04:00			`import os`
Update related to the #2677 2018-01-25 14:13:33 +03:00			`import re`
Added unicode support also to Oracle connector - see #184. 2010-05-29 16:14:51 +04:00
More refactoring like the last couple of commits 2019-01-22 04:08:02 +03:00			`from lib.core.common import getSafeExString`
Patch for -d (DREI) 2019-11-17 02:22:47 +03:00			`from lib.core.convert import getText`
Patch for an Issue #212 2012-10-23 17:34:59 +04:00			`from lib.core.data import conf`
Added support to connect directly also to Oracle - see #158 2010-03-28 00:50:19 +03:00			`from lib.core.data import logger`
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods) 2012-12-06 17:14:19 +04:00			`from lib.core.exception import SqlmapConnectionException`
Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments. 2010-03-27 02:23:25 +03:00			`from plugins.generic.connector import Connector as GenericConnector`

removing of unused imports together with some general code refactoring 2012-02-22 14:40:11 +04:00			`os.environ["NLS_LANG"] = ".AL32UTF8"`
Added unicode support also to Oracle connector - see #184. 2010-05-29 16:14:51 +04:00
Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments. 2010-03-27 02:23:25 +03:00			`class Connector(GenericConnector):`
			`"""`
Minor updates 2018-05-08 15:06:34 +03:00			`Homepage: https://oracle.github.io/python-cx_Oracle/`
			`User https://cx-oracle.readthedocs.io/en/latest/`
			`API: https://wiki.python.org/moin/DatabaseProgramming`
			`License: https://cx-oracle.readthedocs.io/en/latest/license.html#license`
Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments. 2010-03-27 02:23:25 +03:00			`"""`

Added support to directly connect also to Microsoft SQL Server database. Fixed direct connection to always use the same query as of UNION query SQL injection (= one query with multiple columns/entries output). Minor fixes to Firebird/Access/SQLite connectors to use connector's execute()/fetchall() as wrapper for third-party libraries' methods. Forced conf.timeout to 10 seconds when directly connecting to database. Slightly improved regular expression to parse -d parameter. Added import check for all connectors' third-party libraries. Code refactoring: * Moved conf.direct request to direct() function in lib/request/direct.py (code reused where needed). * Back-delegated to generic connector close() and other methods. 2010-03-31 14:50:47 +04:00			`def connect(self):`
Added support to connect directly also to Oracle - see #158 2010-03-28 00:50:19 +03:00			`self.initConnection()`
			`self.__dsn = cx_Oracle.makedsn(self.hostname, self.port, self.db)`
Patch for -d (DREI) 2019-11-17 02:22:47 +03:00			`self.__dsn = getText(self.__dsn)`
			`self.user = getText(self.user)`
			`self.password = getText(self.password)`
Added support to connect directly also to Oracle - see #158 2010-03-28 00:50:19 +03:00
			`try:`
			`self.connector = cx_Oracle.connect(dsn=self.__dsn, user=self.user, password=self.password, mode=cx_Oracle.SYSDBA)`
			`logger.info("successfully connected as SYSDBA")`
Baby steps (2 to 3 at a time) 2019-01-22 02:40:48 +03:00			`except (cx_Oracle.OperationalError, cx_Oracle.DatabaseError, cx_Oracle.InterfaceError) as ex:`
More refactoring like the last couple of commits 2019-01-22 04:08:02 +03:00			`if "Oracle Client library" in getSafeExString(ex):`
			`msg = re.sub(r"DPI-\d+:\s+", "", getSafeExString(ex))`
Update related to the #2677 2018-01-25 14:23:54 +03:00			`msg = re.sub(r': ("[^"]+")', r" (\g<1>)", msg)`
			`msg = re.sub(r". See (http[^ ]+)", r'. See "\g<1>"', msg)`
Update related to the #2677 2018-01-25 14:13:33 +03:00			`raise SqlmapConnectionException(msg)`

Added support to connect directly also to Oracle - see #158 2010-03-28 00:50:19 +03:00			`try:`
			`self.connector = cx_Oracle.connect(dsn=self.__dsn, user=self.user, password=self.password)`
More refactoring like the last couple of commits 2019-01-22 04:08:02 +03:00			`except (cx_Oracle.OperationalError, cx_Oracle.DatabaseError, cx_Oracle.InterfaceError) as ex:`
			`raise SqlmapConnectionException(ex)`
Added support to connect directly also to Oracle - see #158 2010-03-28 00:50:19 +03:00
Better naming 2013-01-18 14:21:23 +04:00			`self.initCursor()`
Code restyling 2013-04-15 16:31:27 +04:00			`self.printConnected()`
Added support to connect directly also to Oracle - see #158 2010-03-28 00:50:19 +03:00
			`def fetchall(self):`
more update 2010-04-06 19:12:52 +04:00			`try:`
			`return self.cursor.fetchall()`
More refactoring like the last couple of commits 2019-01-22 04:08:02 +03:00			`except cx_Oracle.InterfaceError as ex:`
			`logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG, "(remote) '%s'" % getSafeExString(ex))`
more update 2010-04-06 19:12:52 +04:00			`return None`
Added support to connect directly also to Oracle - see #158 2010-03-28 00:50:19 +03:00
			`def execute(self, query):`
some fixes 2012-01-13 18:10:53 +04:00			`retVal = False`

Added support to connect directly also to Oracle - see #158 2010-03-28 00:50:19 +03:00			`try:`
Patch for -d (DREI) 2019-11-17 02:22:47 +03:00			`self.cursor.execute(getText(query))`
some fixes 2012-01-13 18:10:53 +04:00			`retVal = True`
More refactoring like the last couple of commits 2019-01-22 04:08:02 +03:00			`except cx_Oracle.DatabaseError as ex:`
			`logger.log(logging.WARN if conf.dbmsHandler else logging.DEBUG, "(remote) '%s'" % getSafeExString(ex))`
Added support to connect directly also to Oracle - see #158 2010-03-28 00:50:19 +03:00
			`self.connector.commit()`

some fixes 2012-01-13 18:10:53 +04:00			`return retVal`

Added support to connect directly also to Oracle - see #158 2010-03-28 00:50:19 +03:00			`def select(self, query):`
some fixes 2012-01-13 18:10:53 +04:00			`retVal = None`

			`if self.execute(query):`
			`retVal = self.fetchall()`

			`return retVal`