sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2024-11-22 09:36:35 +03:00
Code Issues Packages Projects Releases Wiki Activity
537b619165
sqlmap/lib/request/inject.py

454 lines
18 KiB
Python
Raw Normal View History

After the storm, a restore..
2008-10-15 19:38:22 +04:00
#!/usr/bin/env python
"""
propsets..
2008-10-15 19:56:32 +04:00
$Id$
After the storm, a restore..
2008-10-15 19:38:22 +04:00
large commit with copyright header modifications
2010-10-14 18:41:14 +04:00
Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
sorry, cosmetics
2010-10-15 03:18:29 +04:00
See the file 'doc/COPYING' for copying permission
After the storm, a restore..
2008-10-15 19:38:22 +04:00
"""
import re
import time
from lib.core.agent import agent
added calculateDeltaSeconds method for dealing with non-deterministic time behaviour in some cases (e.g. WAITFOR DELAY in case of MSSQL)
2010-05-13 15:05:35 +04:00
from lib.core.common import calculateDeltaSeconds
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.common import cleanQuery
from lib.core.common import dataToSessionFile
cosmetics
2010-10-19 19:28:54 +04:00
from lib.core.common import dataToStdout
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.common import expandAsteriskForColumns
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup.
2008-12-10 20:23:07 +03:00
from lib.core.common import parseUnionPage
minor cosmetic update
2010-10-11 17:52:32 +04:00
from lib.core.common import popValue
from lib.core.common import pushValue
added randInt to error injection vectors
2010-10-20 12:56:58 +04:00
from lib.core.common import randomInt
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.common import readInput
Properly save error-based enumerated data in session file, able to be resumed like with other techniques
2010-11-12 14:40:37 +03:00
from lib.core.common import replaceNewlineTabs
first successfull run of error based sqlmap in history :). tested --banner, --current-user, --current-db on 4 major DBMSes. still hidden from users (turn on flag error in getValue() in inject.py)
2010-10-19 16:02:04 +04:00
from lib.core.common import safeStringFormat
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import queries
further refactoring (all enumerations are now put into enums.py)
2010-11-08 12:20:02 +03:00
from lib.core.enums import DBMS
Prioritize DBMS fingerprint based on DBMS (<dbms>) identified during the detection phase. Minor bug fix to properly handle the case that no injections are found. Nicer display of injection vulnerabilities detected. Minor code refactoring.
2010-11-29 00:27:47 +03:00
from lib.core.exception import sqlmapNotVulnerableException
Initial implementation of support for stacked queries. Added method to test for Time based blind SQL injection query stacking on the affected parameter a SLEEP() or similar DBMS specific function. Adapted libraries, plugins and XML with the above changes. Minor layout adjustments.
2008-11-12 03:36:50 +03:00
from lib.request.connect import Connect as Request
Added support to directly connect also to Microsoft SQL Server database. Fixed direct connection to always use the same query as of UNION query SQL injection (= one query with multiple columns/entries output). Minor fixes to Firebird/Access/SQLite connectors to use connector's execute()/fetchall() as wrapper for third-party libraries' methods. Forced conf.timeout to 10 seconds when directly connecting to database. Slightly improved regular expression to parse -d parameter. Added import check for all connectors' third-party libraries. Code refactoring: * Moved conf.direct request to direct() function in lib/request/direct.py (code reused where needed). * Back-delegated to generic connector close() and other methods.
2010-03-31 14:50:47 +04:00
from lib.request.direct import direct
removed pageTemplate from injection(s), it's not longer stored in session, and it's reloaded when resuming from session
2010-12-07 17:06:54 +03:00
from lib.request.templates import getPageTemplate
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.techniques.inband.union.use import unionUse
Properly moved and improved inject.goStacked() function and newly implemented Time based blind SQL injection now is a single test file within the lib/techniques/ folder. Renamed lib/techniques/inference to lib/techniques/blind, it is more approriate and adapted the rest of the libraries. Updated ChangeLog file.
2008-11-13 02:44:09 +03:00
from lib.techniques.blind.inference import bisection
code refactoring
2010-10-20 13:09:04 +04:00
from lib.techniques.error.use import errorUse
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.utils.resume import queryOutputLength
from lib.utils.resume import resume
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
def __goInference(payload, expression, charsetType=None, firstChar=None, lastChar=None):
Initial implementation of support for stacked queries. Added method to test for Time based blind SQL injection query stacking on the affected parameter a SLEEP() or similar DBMS specific function. Adapted libraries, plugins and XML with the above changes. Minor layout adjustments.
2008-11-12 03:36:50 +03:00
start = time.time()
After the storm, a restore..
2008-10-15 19:38:22 +04:00
if ( conf.eta or conf.threads > 1 ) and kb.dbms:
_, length, _ = queryOutputLength(expression, payload)
else:
length = None
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
dataToSessionFile("[%s][%s][%s][%s][" % (conf.url, kb.injection.place, conf.parameters[kb.injection.place], expression))
Minor fix
2008-10-16 19:39:25 +04:00
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
count, value = bisection(payload, expression, length, charsetType, firstChar, lastChar)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
added calculateDeltaSeconds method for dealing with non-deterministic time behaviour in some cases (e.g. WAITFOR DELAY in case of MSSQL)
2010-05-13 15:05:35 +04:00
debugMsg = "performed %d queries in %d seconds" % (count, calculateDeltaSeconds(start))
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
logger.debug(debugMsg)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
return value
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
def __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected=None, num=None, resumeValue=True, charsetType=None, firstChar=None, lastChar=None):
Major bug fix to make partial UNION query sql injection work properly also on Microsoft SQL Server
2008-12-22 22:36:01 +03:00
outputs = []
origExpr = None
After the storm, a restore..
2008-10-15 19:38:22 +04:00
for field in expressionFieldsList:
output = None
Limited custom query now works also on Oracle in inferential blind SQL injection technique
2008-12-24 02:34:50 +03:00
if field.startswith("ROWNUM "):
continue
Major bug fix to make partial UNION query sql injection work properly also on Microsoft SQL Server
2008-12-22 22:36:01 +03:00
if isinstance(num, int):
Major bug fix to make it work properly with MSSQL custom limited (SELECT TOP ...) queries with both inferential blind and Full UNION query injection
2009-01-03 02:26:45 +03:00
origExpr = expression
Major bug fix to make partial UNION query sql injection work properly also on Microsoft SQL Server
2008-12-22 22:36:01 +03:00
expression = agent.limitQuery(num, expression, field)
Limited custom query now works also on Oracle in inferential blind SQL injection technique
2008-12-24 02:34:50 +03:00
if "ROWNUM" in expressionFieldsList:
expressionReplaced = expression
Major bug fixes
2009-01-23 01:28:27 +03:00
else:
expressionReplaced = expression.replace(expressionFields, field, 1)
Limited custom query now works also on Oracle in inferential blind SQL injection technique
2008-12-24 02:34:50 +03:00
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 05:02:12 +03:00
if resumeValue:
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
output = resume(expressionReplaced, payload)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major bug fix so that when the expected value of a query (count variable) is an integer and for some reason the resumed value from session file is a string or a binary file, the query is executed again and and its new output saved to the session file
2008-11-02 22:21:19 +03:00
if not output or ( expected == "int" and not output.isdigit() ):
if output:
warnMsg = "expected value type %s, resumed '%s', " % (expected, output)
warnMsg += "sqlmap is going to retrieve the value again"
logger.warn(warnMsg)
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
output = __goInference(payload, expressionReplaced, charsetType, firstChar, lastChar)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major bug fix to make partial UNION query sql injection work properly also on Microsoft SQL Server
2008-12-22 22:36:01 +03:00
if isinstance(num, int):
expression = origExpr
After the storm, a restore..
2008-10-15 19:38:22 +04:00
outputs.append(output)
return outputs
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, resumeValue=True, unpack=True, charsetType=None, firstChar=None, lastChar=None):
After the storm, a restore..
2008-10-15 19:38:22 +04:00
"""
Retrieve the output of a SQL query characted by character taking
advantage of an blind SQL injection vulnerability on the affected
parameter through a bisection algorithm.
"""
Minor code adjustments
2010-10-25 18:11:47 +04:00
sqlmap premiere of blind time based query/bisection
2010-12-08 15:28:54 +03:00
if kb.technique and kb.injection.data[kb.technique].vector is not None:
vector = agent.cleanupPayload(kb.injection.data[kb.technique].vector)
kb.pageTemplate = getPageTemplate(kb.injection.data[kb.technique].templatePayload, kb.injection.place)
On my way to properly parse test's <where> tag in exploitation phase
2010-12-02 02:32:58 +03:00
else:
vector = queries[kb.misc.testedDbms].inference.query
OR based inference works for the first time in history and fingerprint of 4 major DBMSes is now injection based (instead of AND)
2010-12-06 21:20:57 +03:00
kb.pageTemplate = kb.originalPage
On my way to properly parse test's <where> tag in exploitation phase
2010-12-02 02:32:58 +03:00
query = agent.prefixQuery(vector)
Proper english (--postfix is now --suffix) and --string/--regexp does not necessarily need to match into the original response body, it might well be in the injected True condition only!
2010-11-18 01:00:09 +03:00
query = agent.suffixQuery(query)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
payload = agent.payload(newValue=query)
count = None
startLimit = 0
stopLimit = None
outputs = []
test = None
untilLimitChar = None
untilOrderChar = None
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 05:02:12 +03:00
if resumeValue:
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
output = resume(expression, payload)
else:
output = None
After the storm, a restore..
2008-10-15 19:38:22 +04:00
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 05:02:12 +03:00
if output and ( expected is None or ( expected == "int" and output.isdigit() ) ):
After the storm, a restore..
2008-10-15 19:38:22 +04:00
return output
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 05:02:12 +03:00
if not unpack:
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
return __goInference(payload, expression, charsetType, firstChar, lastChar)
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
After the storm, a restore..
2008-10-15 19:38:22 +04:00
if kb.dbmsDetected:
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
_, _, _, _, _, expressionFieldsList, expressionFields = agent.getFields(expression)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Initial support for SQLite (90% approx). Initial support for Firebird (30% approx). Initial support for Access (10% approx). Shared libraries code/installation scripts ported to 64bit, directory structure adapted. Minor code adjustments.
2010-03-18 20:20:54 +03:00
rdbRegExp = re.search("RDB\$GET_CONTEXT\([^)]+\)", expression, re.I)
refactoring of hard coded dbms names
2010-11-02 14:59:24 +03:00
if rdbRegExp and kb.dbms == DBMS.FIREBIRD:
Initial support for SQLite (90% approx). Initial support for Firebird (30% approx). Initial support for Access (10% approx). Shared libraries code/installation scripts ported to 64bit, directory structure adapted. Minor code adjustments.
2010-03-18 20:20:54 +03:00
expressionFieldsList = [expressionFields]
fix for Bug #207
2010-10-22 18:01:48 +04:00
After the storm, a restore..
2008-10-15 19:38:22 +04:00
if len(expressionFieldsList) > 1:
infoMsg = "the SQL query provided has more than a field. "
infoMsg += "sqlmap will now unpack it into distinct queries "
infoMsg += "to be able to retrieve the output even if we "
infoMsg += "are going blind"
logger.info(infoMsg)
# If we have been here from SQL query/shell we have to check if
# the SQL query might return multiple entries and in such case
# forge the SQL limiting the query output one entry per time
# NOTE: I assume that only queries that get data from a table
# can return multiple entries
if fromUser and " FROM " in expression:
removed queriesfile.py, implemented XMLObject approach (still shell.py and udf.py TODO)
2010-10-21 17:13:12 +04:00
limitRegExp = re.search(queries[kb.dbms].limitregexp.query, expression, re.I)
Fixed another bug on Microsoft SQL Server custom "limited" query reported by Konrads Smelkovs
2009-02-03 02:44:19 +03:00
topLimit = re.search("TOP\s+([\d]+)\s+", expression, re.I)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
refactoring of hard coded dbms names
2010-11-02 14:59:24 +03:00
if limitRegExp or ( kb.dbms == DBMS.MSSQL and topLimit ):
minor cosmetics
2010-12-04 01:28:09 +03:00
if kb.dbms in ( DBMS.MYSQL, DBMS.PGSQL ):
removed queriesfile.py, implemented XMLObject approach (still shell.py and udf.py TODO)
2010-10-21 17:13:12 +04:00
limitGroupStart = queries[kb.dbms].limitgroupstart.query
limitGroupStop = queries[kb.dbms].limitgroupstop.query
After the storm, a restore..
2008-10-15 19:38:22 +04:00
if limitGroupStart.isdigit():
startLimit = int(limitRegExp.group(int(limitGroupStart)))
stopLimit = limitRegExp.group(int(limitGroupStop))
limitCond = int(stopLimit) > 1
refactoring of hard coded dbms names
2010-11-02 14:59:24 +03:00
elif kb.dbms == DBMS.MSSQL:
Fixed another bug on Microsoft SQL Server custom "limited" query reported by Konrads Smelkovs
2009-02-03 02:44:19 +03:00
if limitRegExp:
removed queriesfile.py, implemented XMLObject approach (still shell.py and udf.py TODO)
2010-10-21 17:13:12 +04:00
limitGroupStart = queries[kb.dbms].limitgroupstart.query
limitGroupStop = queries[kb.dbms].limitgroupstop.query
Fixed another bug on Microsoft SQL Server custom "limited" query reported by Konrads Smelkovs
2009-02-03 02:44:19 +03:00
if limitGroupStart.isdigit():
startLimit = int(limitRegExp.group(int(limitGroupStart)))
stopLimit = limitRegExp.group(int(limitGroupStop))
limitCond = int(stopLimit) > 1
elif topLimit:
startLimit = 0
stopLimit = int(topLimit.group(1))
limitCond = int(stopLimit) > 1
Major bug fix to make it work properly with MSSQL custom limited (SELECT TOP ...) queries with both inferential blind and Full UNION query injection
2009-01-03 02:26:45 +03:00
refactoring of hard coded dbms names
2010-11-02 14:59:24 +03:00
elif kb.dbms == DBMS.ORACLE:
After the storm, a restore..
2008-10-15 19:38:22 +04:00
limitCond = False
else:
limitCond = True
# I assume that only queries NOT containing a "LIMIT #, 1"
# (or similar depending on the back-end DBMS) can return
# multiple entries
if limitCond:
if limitRegExp:
stopLimit = int(stopLimit)
# From now on we need only the expression until the " LIMIT "
# (or similar, depending on the back-end DBMS) word
minor cosmetics
2010-12-04 01:28:09 +03:00
if kb.dbms in ( DBMS.MYSQL, DBMS.PGSQL ):
After the storm, a restore..
2008-10-15 19:38:22 +04:00
stopLimit += startLimit
removed queriesfile.py, implemented XMLObject approach (still shell.py and udf.py TODO)
2010-10-21 17:13:12 +04:00
untilLimitChar = expression.index(queries[kb.dbms].limitstring.query)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
expression = expression[:untilLimitChar]
refactoring of hard coded dbms names
2010-11-02 14:59:24 +03:00
elif kb.dbms == DBMS.MSSQL:
Major bug fix to make it work properly with MSSQL custom limited (SELECT TOP ...) queries with both inferential blind and Full UNION query injection
2009-01-03 02:26:45 +03:00
stopLimit += startLimit
After the storm, a restore..
2008-10-15 19:38:22 +04:00
if not stopLimit or stopLimit <= 1:
refactoring of hard coded dbms names
2010-11-02 14:59:24 +03:00
if kb.dbms == DBMS.ORACLE and expression.endswith("FROM DUAL"):
After the storm, a restore..
2008-10-15 19:38:22 +04:00
test = "n"
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 05:02:12 +03:00
elif batch:
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
test = "y"
After the storm, a restore..
2008-10-15 19:38:22 +04:00
else:
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup.
2008-12-10 20:23:07 +03:00
message = "can the SQL query provided return "
message += "multiple entries? [Y/n] "
After the storm, a restore..
2008-10-15 19:38:22 +04:00
test = readInput(message, default="Y")
if not test or test[0] in ("y", "Y"):
# Count the number of SQL query entries output
removed queriesfile.py, implemented XMLObject approach (still shell.py and udf.py TODO)
2010-10-21 17:13:12 +04:00
countFirstField = queries[kb.dbms].count.query % expressionFieldsList[0]
After the storm, a restore..
2008-10-15 19:38:22 +04:00
countedExpression = expression.replace(expressionFields, countFirstField, 1)
if re.search(" ORDER BY ", expression, re.I):
untilOrderChar = countedExpression.index(" ORDER BY ")
countedExpression = countedExpression[:untilOrderChar]
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 05:02:12 +03:00
if resumeValue:
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
count = resume(countedExpression, payload)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
if not stopLimit:
Major bug fix so that when the expected value of a query (count variable) is an integer and for some reason the resumed value from session file is a string or a binary file, the query is executed again and and its new output saved to the session file
2008-11-02 22:21:19 +03:00
if not count or not count.isdigit():
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
count = __goInference(payload, countedExpression, charsetType, firstChar, lastChar)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup.
2008-12-10 20:23:07 +03:00
if count and count.isdigit() and int(count) > 0:
After the storm, a restore..
2008-10-15 19:38:22 +04:00
count = int(count)
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 05:02:12 +03:00
if batch:
After the storm, a restore..
2008-10-15 19:38:22 +04:00
stopLimit = count
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
else:
message = "the SQL query provided can return "
message += "up to %d entries. How many " % count
message += "entries do you want to retrieve?\n"
message += "[a] All (default)\n[#] Specific number\n"
message += "[q] Quit"
test = readInput(message, default="a")
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
if not test or test[0] in ("a", "A"):
stopLimit = count
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
elif test[0] in ("q", "Q"):
return "Quit"
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
elif test.isdigit() and int(test) > 0 and int(test) <= count:
stopLimit = int(test)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
infoMsg = "sqlmap is now going to retrieve the "
infoMsg += "first %d query output entries" % stopLimit
logger.info(infoMsg)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
elif test[0] in ("#", "s", "S"):
message = "How many? "
stopLimit = readInput(message, default="10")
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
if not stopLimit.isdigit():
errMsg = "Invalid choice"
logger.error(errMsg)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
return None
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
else:
stopLimit = int(stopLimit)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
else:
errMsg = "Invalid choice"
logger.error(errMsg)
return None
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Minor adjustments and bug fixes
2008-12-17 23:11:18 +03:00
elif count and not count.isdigit():
warnMsg = "it was not possible to count the number "
warnMsg += "of entries for the SQL query provided. "
warnMsg += "sqlmap will assume that it returns only "
warnMsg += "one entry"
logger.warn(warnMsg)
stopLimit = 1
After the storm, a restore..
2008-10-15 19:38:22 +04:00
elif ( not count or int(count) == 0 ):
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup.
2008-12-10 20:23:07 +03:00
warnMsg = "the SQL query provided does not "
warnMsg += "return any output"
After the storm, a restore..
2008-10-15 19:38:22 +04:00
logger.warn(warnMsg)
return None
elif ( not count or int(count) == 0 ) and ( not stopLimit or stopLimit == 0 ):
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup.
2008-12-10 20:23:07 +03:00
warnMsg = "the SQL query provided does not "
warnMsg += "return any output"
After the storm, a restore..
2008-10-15 19:38:22 +04:00
logger.warn(warnMsg)
return None
for num in xrange(startLimit, stopLimit):
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
output = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, num, resumeValue=resumeValue, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
outputs.append(output)
return outputs
refactoring of hard coded dbms names
2010-11-02 14:59:24 +03:00
elif kb.dbms == DBMS.ORACLE and expression.startswith("SELECT ") and " FROM " not in expression:
After the storm, a restore..
2008-10-15 19:38:22 +04:00
expression = "%s FROM DUAL" % expression
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
outputs = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, resumeValue=resumeValue, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
returnValue = ", ".join([output for output in outputs])
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup.
2008-12-10 20:23:07 +03:00
After the storm, a restore..
2008-10-15 19:38:22 +04:00
else:
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
returnValue = __goInference(payload, expression, charsetType, firstChar, lastChar)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
return returnValue
Important update to parse correctly the <where> tag during exploitation phase. Minor code cleanup.
2010-12-03 13:44:16 +03:00
def __goError(expression, resumeValue=True):
"""
Retrieve the output of a SQL query taking advantage of an error-based
SQL injection vulnerability on the affected parameter.
"""
result = None
if conf.direct:
return direct(expression), None
condition = (
kb.resumedQueries and conf.url in kb.resumedQueries.keys()
and expression in kb.resumedQueries[conf.url].keys()
)
if condition and resumeValue:
result = resume(expression, None)
if not result:
result = errorUse(expression)
dataToSessionFile("[%s][%s][%s][%s][%s]\n" % (conf.url, kb.injection.place, conf.parameters[kb.injection.place], expression, replaceNewlineTabs(result)))
return result
Minor bug fix to consider --start and --stop also in partial UNION query SQL injection
2010-04-30 19:48:40 +04:00
def __goInband(expression, expected=None, sort=True, resumeValue=True, unpack=True, dump=False):
After the storm, a restore..
2008-10-15 19:38:22 +04:00
"""
Retrieve the output of a SQL query taking advantage of an inband SQL
injection vulnerability on the affected parameter.
"""
output = None
partial = False
data = []
condition = (
kb.resumedQueries and conf.url in kb.resumedQueries.keys()
and expression in kb.resumedQueries[conf.url].keys()
)
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 05:02:12 +03:00
if condition and resumeValue:
After the storm, a restore..
2008-10-15 19:38:22 +04:00
output = resume(expression, None)
Major bug fix so that when the expected value of a query (count variable) is an integer and for some reason the resumed value from session file is a string or a binary file, the query is executed again and and its new output saved to the session file
2008-11-02 22:21:19 +03:00
if not output or ( expected == "int" and not output.isdigit() ):
After the storm, a restore..
2008-10-15 19:38:22 +04:00
partial = True
if not output:
Minor bug fix to consider --start and --stop also in partial UNION query SQL injection
2010-04-30 19:48:40 +04:00
output = unionUse(expression, resetCounter=True, unpack=unpack, dump=dump)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
if output:
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
data = parseUnionPage(output, expression, partial, condition, sort)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
return data
sqlmap premiere of blind time based query/bisection
2010-12-08 15:28:54 +03:00
def getValue(expression, blind=True, inband=True, error=True, time=True, fromUser=False, expected=None, batch=False, unpack=True, sort=True, resumeValue=True, charsetType=None, firstChar=None, lastChar=None, dump=False, suppressOutput=False):
After the storm, a restore..
2008-10-15 19:38:22 +04:00
"""
Called each time sqlmap inject a SQL query on the SQL injection
affected parameter. It can call a function to retrieve the output
through inband SQL injection (if selected) and/or blind SQL injection
(if selected).
"""
minor cosmetic update
2010-10-11 17:52:32 +04:00
if suppressOutput:
pushValue(conf.verbose)
conf.verbose = 0
first successfull run of error based sqlmap in history :). tested --banner, --current-user, --current-db on 4 major DBMSes. still hidden from users (turn on flag error in getValue() in inject.py)
2010-10-19 16:02:04 +04:00
Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments.
2010-03-27 02:23:25 +03:00
if conf.direct:
minor cosmetic update
2010-10-11 17:52:32 +04:00
value = direct(expression)
sqlmap premiere of blind time based query/bisection
2010-12-08 15:28:54 +03:00
elif kb.booleanTest is not None or kb.errorTest is not None or kb.unionTest is not None or kb.timeTest is not None:
minor cosmetic update
2010-10-11 17:52:32 +04:00
expression = cleanQuery(expression)
expression = expandAsteriskForColumns(expression)
value = None
expression = expression.replace("DISTINCT ", "")
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Higher precedence to union query sql inj than error-based
2010-12-01 13:57:17 +03:00
if inband and kb.unionTest is not None:
Important update to parse correctly the <where> tag during exploitation phase. Minor code cleanup.
2010-12-03 13:44:16 +03:00
kb.technique = 3
minor cosmetic update
2010-10-11 17:52:32 +04:00
value = __goInband(expression, expected, sort, resumeValue, unpack, dump)
Minor bug fix with --sql-query/shell when providing a statement with DISTINCT
2010-01-05 19:15:31 +03:00
minor cosmetic update
2010-10-11 17:52:32 +04:00
if not value:
fix for --union-use with --error-test
2010-10-25 16:25:29 +04:00
warnMsg = "for some reason(s) it was not possible to retrieve "
minor cosmetic update
2010-10-11 17:52:32 +04:00
warnMsg += "the query output through inband SQL injection "
warnMsg += "technique, sqlmap is going blind"
logger.warn(warnMsg)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Got rid of UNION false cond
2010-12-05 19:16:15 +03:00
oldParamNegative = kb.unionNegative
kb.unionNegative = False
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup.
2008-12-10 20:23:07 +03:00
Higher precedence to union query sql inj than error-based
2010-12-01 13:57:17 +03:00
if error and kb.errorTest and not value:
Important update to parse correctly the <where> tag during exploitation phase. Minor code cleanup.
2010-12-03 13:44:16 +03:00
kb.technique = 2
value = __goError(expression, resumeValue)
Higher precedence to union query sql inj than error-based
2010-12-01 13:57:17 +03:00
if not value:
warnMsg = "for some reason(s) it was not possible to retrieve "
warnMsg += "the query output through error SQL injection "
warnMsg += "technique, sqlmap is going %s" % ("inband" if inband and kb.unionPosition is not None else "blind")
logger.warn(warnMsg)
Prioritize DBMS fingerprint based on DBMS (<dbms>) identified during the detection phase. Minor bug fix to properly handle the case that no injections are found. Nicer display of injection vulnerabilities detected. Minor code refactoring.
2010-11-29 00:27:47 +03:00
if blind and kb.booleanTest and not value:
Important update to parse correctly the <where> tag during exploitation phase. Minor code cleanup.
2010-12-03 13:44:16 +03:00
kb.technique = 1
minor cosmetic update
2010-10-11 17:52:32 +04:00
value = __goInferenceProxy(expression, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar)
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup.
2008-12-10 20:23:07 +03:00
sqlmap premiere of blind time based query/bisection
2010-12-08 15:28:54 +03:00
if time and kb.timeTest and not value:
kb.technique = 5
value = __goInferenceProxy(expression, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar)
Got rid of UNION false cond
2010-12-05 19:16:15 +03:00
kb.unionNegative = oldParamNegative
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
minor cosmetic update
2010-10-11 17:52:32 +04:00
if value and isinstance(value, basestring):
value = value.strip()
Prioritize DBMS fingerprint based on DBMS (<dbms>) identified during the detection phase. Minor bug fix to properly handle the case that no injections are found. Nicer display of injection vulnerabilities detected. Minor code refactoring.
2010-11-29 00:27:47 +03:00
else:
errMsg = "none of the injection types identified can be "
errMsg += "leveraged to retrieve queries output"
raise sqlmapNotVulnerableException, errMsg
After the storm, a restore..
2008-10-15 19:38:22 +04:00
minor cosmetic update
2010-10-11 17:52:32 +04:00
if suppressOutput:
conf.verbose = popValue()
Minor bug fix
2010-03-18 20:36:58 +03:00
After the storm, a restore..
2008-10-15 19:38:22 +04:00
return value
Initial implementation of support for stacked queries. Added method to test for Time based blind SQL injection query stacking on the affected parameter a SLEEP() or similar DBMS specific function. Adapted libraries, plugins and XML with the above changes. Minor layout adjustments.
2008-11-12 03:36:50 +03:00
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
def goStacked(expression, silent=False):
Important update to parse correctly the <where> tag during exploitation phase. Minor code cleanup.
2010-12-03 13:44:16 +03:00
kb.technique = 4
Ahead with the improvements to the comparison algorithm. Added support internally to forge CASE statements, used only by --is-dba query at the moment. Allow DDL, DML (INSERT, UPDATE, etc.) from user in SQL query and SQL shell. Minor code adjustments.
2008-12-19 23:09:46 +03:00
expression = cleanQuery(expression)
Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments.
2010-03-27 02:23:25 +03:00
if conf.direct:
Added support to directly connect also to Microsoft SQL Server database. Fixed direct connection to always use the same query as of UNION query SQL injection (= one query with multiple columns/entries output). Minor fixes to Firebird/Access/SQLite connectors to use connector's execute()/fetchall() as wrapper for third-party libraries' methods. Forced conf.timeout to 10 seconds when directly connecting to database. Slightly improved regular expression to parse -d parameter. Added import check for all connectors' third-party libraries. Code refactoring: * Moved conf.direct request to direct() function in lib/request/direct.py (code reused where needed). * Back-delegated to generic connector close() and other methods.
2010-03-31 14:50:47 +04:00
return direct(expression), None
Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments.
2010-03-27 02:23:25 +03:00
removed queriesfile.py, implemented XMLObject approach (still shell.py and udf.py TODO)
2010-10-21 17:13:12 +04:00
comment = queries[kb.dbms].comment.query
Added tag <epayload> to the payloads.xml's <test> tag to define which payload to use when exploiting the test type. Removed some useless tests. Moved <error> from queries.xml to payloads.xml as it makes more sense. Beeps at sql inj found only if --beep is provided. Minor fix in order to be able to pickle advancedDict() objects. Minor code refactoring. Removed useless folders.
2010-12-01 20:09:52 +03:00
query = agent.prefixQuery("; %s" % expression)
query = agent.suffixQuery("%s;%s" % (query, comment))
Minor code adjustments
2010-10-25 18:11:47 +04:00
Added one new verbose level, -v 3 now shows the full injected payload. Fixed also -d verbose output.
2010-11-08 01:34:29 +03:00
debugMsg = "query: %s" % query
logger.debug(debugMsg)
Added support to test for stacked queries support and improved check for time based blind sql injection. Minor bug fix in --save option
2008-12-17 00:30:24 +03:00
payload = agent.payload(newValue=query)
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
page, _ = Request.queryPage(payload, content=True, silent=silent)
Initial implementation of support for stacked queries. Added method to test for Time based blind SQL injection query stacking on the affected parameter a SLEEP() or similar DBMS specific function. Adapted libraries, plugins and XML with the above changes. Minor layout adjustments.
2008-11-12 03:36:50 +03:00
Added support to test for stacked queries support and improved check for time based blind sql injection. Minor bug fix in --save option
2008-12-17 00:30:24 +03:00
return payload, page
OR based inference works for the first time in history and fingerprint of 4 major DBMSes is now injection based (instead of AND)
2010-12-06 21:20:57 +03:00
def checkBooleanExpression(expression):
return getValue(agent.forgeCaseStatement(expression), expected="int", charsetType=1) == "1"
Reference in New Issue Copy Permalink