sqlmap/lib/core/session.py

#!/usr/bin/env python

"""
$Id$

Copyright (c) 2006-2012 sqlmap developers (http://www.sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""

import re

from lib.core.common import Backend
from lib.core.common import Format
from lib.core.common import dataToSessionFile
from lib.core.common import intersect
from lib.core.common import readInput
from lib.core.common import singleTimeWarnMessage
from lib.core.convert import base64pickle
from lib.core.convert import base64unpickle
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.enums import OS
from lib.core.settings import SUPPORTED_DBMS
from lib.core.settings import UNKNOWN_DBMS_VERSION

def safeFormatString(value):
    retVal = value
    if retVal:
        retVal = retVal.replace("[", "__LEFT_SQUARE_BRACKET__").replace("]", "__RIGHT_SQUARE_BRACKET__")
    return retVal

def unSafeFormatString(value):
    retVal = value
    if retVal:
        retVal = retVal.replace("__LEFT_SQUARE_BRACKET__", "[").replace("__RIGHT_SQUARE_BRACKET__", "]")
    return retVal

def setDbms(dbms):
    """
    @param dbms: database management system to be set into the knowledge
    base as fingerprint.
    @type dbms: C{str}
    """
    condition = (
                  not kb.resumedQueries
                  or ( kb.resumedQueries.has_key(conf.url) and
                  not kb.resumedQueries[conf.url].has_key("DBMS") )
                )

    if condition:
        dataToSessionFile("[%s][%s][%s][DBMS][%s]\n" % (conf.url, kb.injection.place, safeFormatString(conf.parameters[kb.injection.place]), safeFormatString(dbms)))

    firstRegExp = "(%s)" % ("|".join([alias for alias in SUPPORTED_DBMS]))
    dbmsRegExp = re.search("^%s" % firstRegExp, dbms, re.I)

    if dbmsRegExp:
        dbms = dbmsRegExp.group(1)

    Backend.setDbms(dbms)

    logger.info("the back-end DBMS is %s" % Backend.getDbms())

def setOs():
    """
    Example of kb.bannerFp dictionary:

    {
      'sp': set(['Service Pack 4']),
      'dbmsVersion': '8.00.194',
      'dbmsServicePack': '0',
      'distrib': set(['2000']),
      'dbmsRelease': '2000',
      'type': set(['Windows'])
    }
    """

    infoMsg = ""
    condition = (
                  not kb.resumedQueries
                  or ( kb.resumedQueries.has_key(conf.url) and
                  not kb.resumedQueries[conf.url].has_key("OS") )
                )

    if not kb.bannerFp:
        return

    if "type" in kb.bannerFp:
        Backend.setOs(Format.humanize(kb.bannerFp["type"]))
        infoMsg = "the back-end DBMS operating system is %s" % Backend.getOs()

    if "distrib" in kb.bannerFp:
        kb.osVersion = Format.humanize(kb.bannerFp["distrib"])
        infoMsg += " %s" % kb.osVersion

    if "sp" in kb.bannerFp:
        kb.osSP = int(Format.humanize(kb.bannerFp["sp"]).replace("Service Pack ", ""))

    elif "sp" not in kb.bannerFp and Backend.isOs(OS.WINDOWS):
        kb.osSP = 0

    if Backend.getOs() and kb.osVersion and kb.osSP:
        infoMsg += " Service Pack %d" % kb.osSP

    if infoMsg:
        logger.info(infoMsg)

    if condition:
        dataToSessionFile("[%s][%s][%s][OS][%s]\n" % (conf.url, kb.injection.place, safeFormatString(conf.parameters[kb.injection.place]), Backend.getOs()))

def resumeConfKb(expression, url, value):
    if expression == "Dynamic markings" and url == conf.url:
        kb.dynamicMarkings = base64unpickle(value[:-1])
        infoMsg = "resuming dynamic markings from session file"
        logger.info(infoMsg)

    elif expression == "DBMS" and url == conf.url:
        dbms = unSafeFormatString(value[:-1])
        dbms = dbms.lower()
        dbmsVersion = [UNKNOWN_DBMS_VERSION]

        infoMsg = "resuming back-end DBMS '%s' " % dbms
        infoMsg += "from session file"
        logger.info(infoMsg)

        firstRegExp = "(%s)" % ("|".join([alias for alias in SUPPORTED_DBMS]))
        dbmsRegExp = re.search("%s ([\d\.]+)" % firstRegExp, dbms)

        if dbmsRegExp:
            dbms = dbmsRegExp.group(1)
            dbmsVersion = [ dbmsRegExp.group(2) ]

        if conf.dbms and conf.dbms.lower() != dbms:
            message = "you provided '%s' as back-end DBMS, " % conf.dbms
            message += "but from a past scan information on the target URL "
            message += "sqlmap assumes the back-end DBMS is %s. " % dbms
            message += "Do you really want to force the back-end "
            message += "DBMS value? [y/N] "
            test = readInput(message, default="N")

            if not test or test[0] in ("n", "N"):
                conf.dbms = None
                Backend.setDbms(dbms)
                Backend.setVersionList(dbmsVersion)
        else:
            Backend.setDbms(dbms)
            Backend.setVersionList(dbmsVersion)

    elif expression == "OS" and url == conf.url:
        os = unSafeFormatString(value[:-1])

        if os and os != 'None':
            infoMsg = "resuming back-end DBMS operating system '%s' " % os
            infoMsg += "from session file"
            logger.info(infoMsg)

            if conf.os and conf.os.lower() != os.lower():
                message = "you provided '%s' as back-end DBMS operating " % conf.os
                message += "system, but from a past scan information on the "
                message += "target URL sqlmap assumes the back-end DBMS "
                message += "operating system is %s. " % os
                message += "Do you really want to force the back-end DBMS "
                message += "OS value? [y/N] "
                test = readInput(message, default="N")

                if not test or test[0] in ("n", "N"):
                    conf.os = os
            else:
                conf.os = os

            Backend.setOs(conf.os)

    elif expression == "Remote temp path" and url == conf.url and conf.tmpPath is None:
        conf.tmpPath = unSafeFormatString(value[:-1])

        infoMsg = "resuming remote absolute path of temporary "
        infoMsg += "files directory '%s' from session file" % conf.tmpPath
        logger.info(infoMsg)

    elif conf.freshQueries:
        pass

    elif expression == "xp_cmdshell availability" and url == conf.url:
        kb.xpCmdshellAvailable = True if unSafeFormatString(value[:-1]).lower() == "true" else False
        infoMsg = "resuming xp_cmdshell availability"
        logger.info(infoMsg)
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`#!/usr/bin/env python`

			`"""`
propsets.. 2008-10-15 19:56:32 +04:00			$Id$
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
updating copyright date 2012-01-11 18:59:46 +04:00			`Copyright (c) 2006-2012 sqlmap developers (http://www.sqlmap.org/)`
sorry, cosmetics 2010-10-15 03:18:29 +04:00			`See the file 'doc/COPYING' for copying permission`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`"""`

			`import re`

refactoring (class names should always be Capital cased) 2011-01-28 19:36:09 +03:00			`from lib.core.common import Backend`
			`from lib.core.common import Format`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`from lib.core.common import dataToSessionFile`
--technique can now be something like 123 which includes both techniques 1, 2 and 3 2011-02-18 00:39:16 +03:00			`from lib.core.common import intersect`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`from lib.core.common import readInput`
minor update 2011-07-08 13:32:58 +04:00			`from lib.core.common import singleTimeWarnMessage`
Added tag <epayload> to the payloads.xml's <test> tag to define which payload to use when exploiting the test type. Removed some useless tests. Moved <error> from queries.xml to payloads.xml as it makes more sense. Beeps at sql inj found only if --beep is provided. Minor fix in order to be able to pickle advancedDict() objects. Minor code refactoring. Removed useless folders. 2010-12-01 20:09:52 +03:00			`from lib.core.convert import base64pickle`
			`from lib.core.convert import base64unpickle`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`from lib.core.data import conf`
			`from lib.core.data import kb`
			`from lib.core.data import logger`
Minor code refactoring relating set/get back-end DBMS operating system and minor bug fix to properly enforce OS value with --os switch 2011-04-23 20:25:09 +04:00			`from lib.core.enums import OS`
fix for proper Firebird resume of version 2011-01-24 14:04:32 +03:00			`from lib.core.settings import SUPPORTED_DBMS`
code refactoring (added UNKNOWN_DBMS_VERSION instead of "Unknown") 2010-12-18 00:29:09 +03:00			`from lib.core.settings import UNKNOWN_DBMS_VERSION`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
bug fix (reported by james@ev6.net) 2010-10-11 00:51:11 +04:00			`def safeFormatString(value):`
			`retVal = value`
			`if retVal:`
			`retVal = retVal.replace("[", "__LEFT_SQUARE_BRACKET__").replace("]", "__RIGHT_SQUARE_BRACKET__")`
			`return retVal`

			`def unSafeFormatString(value):`
			`retVal = value`
			`if retVal:`
			`retVal = retVal.replace("__LEFT_SQUARE_BRACKET__", "[").replace("__RIGHT_SQUARE_BRACKET__", "]")`
			`return retVal`

After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`def setDbms(dbms):`
			`"""`
			`@param dbms: database management system to be set into the knowledge`
			`base as fingerprint.`
			`@type dbms: C{str}`
			`"""`
			`condition = (`
Implemented a better way to deal with % characters in parameters' value. Minor code restyle. 2008-10-16 19:31:02 +04:00			`not kb.resumedQueries`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`or ( kb.resumedQueries.has_key(conf.url) and`
Implemented a better way to deal with % characters in parameters' value. Minor code restyle. 2008-10-16 19:31:02 +04:00			`not kb.resumedQueries[conf.url].has_key("DBMS") )`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`)`

			`if condition:`
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work! 2010-11-28 21:10:54 +03:00			`dataToSessionFile("[%s][%s][%s][DBMS][%s]\n" % (conf.url, kb.injection.place, safeFormatString(conf.parameters[kb.injection.place]), safeFormatString(dbms)))`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
fix for proper Firebird resume of version 2011-01-24 14:04:32 +03:00			`firstRegExp = "(%s)" % ("\|".join([alias for alias in SUPPORTED_DBMS]))`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`dbmsRegExp = re.search("^%s" % firstRegExp, dbms, re.I)`

			`if dbmsRegExp:`
			`dbms = dbmsRegExp.group(1)`

refactoring (class names should always be Capital cased) 2011-01-28 19:36:09 +03:00			`Backend.setDbms(dbms)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
refactoring (class names should always be Capital cased) 2011-01-28 19:36:09 +03:00			`logger.info("the back-end DBMS is %s" % Backend.getDbms())`
Minor adjustments 2008-12-31 00:24:01 +03:00
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`def setOs():`
			`"""`
			`Example of kb.bannerFp dictionary:`

			`{`
			`'sp': set(['Service Pack 4']),`
			`'dbmsVersion': '8.00.194',`
			`'dbmsServicePack': '0',`
			`'distrib': set(['2000']),`
			`'dbmsRelease': '2000',`
			`'type': set(['Windows'])`
			`}`
			`"""`

Minor code restyling 2011-04-30 17:20:05 +04:00			`infoMsg = ""`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`condition = (`
			`not kb.resumedQueries`
			`or ( kb.resumedQueries.has_key(conf.url) and`
			`not kb.resumedQueries[conf.url].has_key("OS") )`
			`)`

			`if not kb.bannerFp:`
			`return`

			`if "type" in kb.bannerFp:`
Minor code refactoring relating set/get back-end DBMS operating system and minor bug fix to properly enforce OS value with --os switch 2011-04-23 20:25:09 +04:00			`Backend.setOs(Format.humanize(kb.bannerFp["type"]))`
			`infoMsg = "the back-end DBMS operating system is %s" % Backend.getOs()`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
			`if "distrib" in kb.bannerFp:`
refactoring (class names should always be Capital cased) 2011-01-28 19:36:09 +03:00			`kb.osVersion = Format.humanize(kb.bannerFp["distrib"])`
Major code refactoring - centralized all kb.dbms* info for both retrieval and set. 2011-01-20 02:06:15 +03:00			`infoMsg += " %s" % kb.osVersion`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
			`if "sp" in kb.bannerFp:`
refactoring (class names should always be Capital cased) 2011-01-28 19:36:09 +03:00			`kb.osSP = int(Format.humanize(kb.bannerFp["sp"]).replace("Service Pack ", ""))`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
Minor code refactoring relating set/get back-end DBMS operating system and minor bug fix to properly enforce OS value with --os switch 2011-04-23 20:25:09 +04:00			`elif "sp" not in kb.bannerFp and Backend.isOs(OS.WINDOWS):`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`kb.osSP = 0`

Minor code refactoring relating set/get back-end DBMS operating system and minor bug fix to properly enforce OS value with --os switch 2011-04-23 20:25:09 +04:00			`if Backend.getOs() and kb.osVersion and kb.osSP:`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`infoMsg += " Service Pack %d" % kb.osSP`

			`if infoMsg:`
			`logger.info(infoMsg)`

			`if condition:`
Minor code refactoring relating set/get back-end DBMS operating system and minor bug fix to properly enforce OS value with --os switch 2011-04-23 20:25:09 +04:00			`dataToSessionFile("[%s][%s][%s][OS][%s]\n" % (conf.url, kb.injection.place, safeFormatString(conf.parameters[kb.injection.place]), Backend.getOs()))`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
moving injection data to HashDB 2012-02-27 17:44:07 +04:00			`def resumeConfKb(expression, url, value):`
			`if expression == "Dynamic markings" and url == conf.url:`
bug fix (dynamic markings were not restored in program rerun which potentially led to no data retrieved) 2010-12-29 22:48:19 +03:00			`kb.dynamicMarkings = base64unpickle(value[:-1])`
Minor variable rename 2011-04-30 19:29:59 +04:00			`infoMsg = "resuming dynamic markings from session file"`
			`logger.info(infoMsg)`
bug fix (dynamic markings were not restored in program rerun which potentially led to no data retrieved) 2010-12-29 22:48:19 +03:00
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`elif expression == "DBMS" and url == conf.url:`
Minor code restyling 2011-04-30 17:20:05 +04:00			`dbms = unSafeFormatString(value[:-1])`
			`dbms = dbms.lower()`
code refactoring (added UNKNOWN_DBMS_VERSION instead of "Unknown") 2010-12-18 00:29:09 +03:00			`dbmsVersion = [UNKNOWN_DBMS_VERSION]`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Minor variable rename 2011-04-30 19:29:59 +04:00			`infoMsg = "resuming back-end DBMS '%s' " % dbms`
			`infoMsg += "from session file"`
			`logger.info(infoMsg)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
fix for proper Firebird resume of version 2011-01-24 14:04:32 +03:00			`firstRegExp = "(%s)" % ("\|".join([alias for alias in SUPPORTED_DBMS]))`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`dbmsRegExp = re.search("%s ([\d\.]+)" % firstRegExp, dbms)`

			`if dbmsRegExp:`
Minor code restyling 2011-04-30 17:20:05 +04:00			`dbms = dbmsRegExp.group(1)`
Minor bug fix to --dbms, updated user's manual 2009-07-09 15:05:24 +04:00			`dbmsVersion = [ dbmsRegExp.group(2) ]`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`if conf.dbms and conf.dbms.lower() != dbms:`
Minor code restyling 2011-04-30 17:20:05 +04:00			`message = "you provided '%s' as back-end DBMS, " % conf.dbms`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`message += "but from a past scan information on the target URL "`
			`message += "sqlmap assumes the back-end DBMS is %s. " % dbms`
			`message += "Do you really want to force the back-end "`
			`message += "DBMS value? [y/N] "`
			`test = readInput(message, default="N")`

			`if not test or test[0] in ("n", "N"):`
cleanest fix this moment (conf.dbms will for sure deal problems later in any form) 2011-06-22 19:48:44 +04:00			`conf.dbms = None`
refactoring (class names should always be Capital cased) 2011-01-28 19:36:09 +03:00			`Backend.setDbms(dbms)`
			`Backend.setVersionList(dbmsVersion)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`else:`
refactoring (class names should always be Capital cased) 2011-01-28 19:36:09 +03:00			`Backend.setDbms(dbms)`
			`Backend.setVersionList(dbmsVersion)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`elif expression == "OS" and url == conf.url:`
bug fix (reported by james@ev6.net) 2010-10-11 00:51:11 +04:00			`os = unSafeFormatString(value[:-1])`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
another fix (OS was set to None at all previous sessions if there was no explicit OS testing done) 2011-01-02 11:08:38 +03:00			`if os and os != 'None':`
Minor variable rename 2011-04-30 19:29:59 +04:00			`infoMsg = "resuming back-end DBMS operating system '%s' " % os`
			`infoMsg += "from session file"`
			`logger.info(infoMsg)`
another fix (OS was set to None at all previous sessions if there was no explicit OS testing done) 2011-01-02 11:08:38 +03:00
			`if conf.os and conf.os.lower() != os.lower():`
Minor code restyling 2011-04-30 17:20:05 +04:00			`message = "you provided '%s' as back-end DBMS operating " % conf.os`
another fix (OS was set to None at all previous sessions if there was no explicit OS testing done) 2011-01-02 11:08:38 +03:00			`message += "system, but from a past scan information on the "`
			`message += "target URL sqlmap assumes the back-end DBMS "`
			`message += "operating system is %s. " % os`
			`message += "Do you really want to force the back-end DBMS "`
			`message += "OS value? [y/N] "`
			`test = readInput(message, default="N")`

			`if not test or test[0] in ("n", "N"):`
			`conf.os = os`
			`else:`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`conf.os = os`

Minor code refactoring relating set/get back-end DBMS operating system and minor bug fix to properly enforce OS value with --os switch 2011-04-23 20:25:09 +04:00			`Backend.setOs(conf.os)`

Allow user to force temporary folder with --tmp-path even if it has been saved one in the session file 2011-04-21 18:05:37 +04:00			`elif expression == "Remote temp path" and url == conf.url and conf.tmpPath is None:`
More code cleanup 2011-01-16 02:11:36 +03:00			`conf.tmpPath = unSafeFormatString(value[:-1])`

Minor variable rename 2011-04-30 19:29:59 +04:00			`infoMsg = "resuming remote absolute path of temporary "`
			`infoMsg += "files directory '%s' from session file" % conf.tmpPath`
			`logger.info(infoMsg)`
More code cleanup 2011-01-16 02:11:36 +03:00
minor update 2011-06-28 01:48:26 +04:00			`elif conf.freshQueries:`
			`pass`

store/resume info on xp_cmd available in session file 2011-04-21 18:25:04 +04:00			`elif expression == "xp_cmdshell availability" and url == conf.url:`
			`kb.xpCmdshellAvailable = True if unSafeFormatString(value[:-1]).lower() == "true" else False`
Minor variable rename 2011-04-30 19:29:59 +04:00			`infoMsg = "resuming xp_cmdshell availability"`
			`logger.info(infoMsg)`