sqlmap/lib/core/xmldump.py

537 lines
20 KiB
Python
Raw Normal View History

#!/usr/bin/env python
import codecs
import os
import re
import xml
import xml.sax.saxutils as saxutils
2010-06-02 16:31:36 +04:00
from lib.core.common import getUnicode
from lib.core.data import conf
2011-05-11 00:44:36 +04:00
from lib.core.data import kb
from lib.core.data import logger
from lib.core.exception import sqlmapFilePathException
2011-01-30 14:36:03 +03:00
from lib.core.settings import UNICODE_ENCODING
2012-07-14 19:01:04 +04:00
from thirdparty.prettyprint import prettyprint
from xml.dom.minidom import Document
from xml.parsers.expat import ExpatError
TECHNIC_ELEM_NAME = "Technic"
TECHNICS_ELEM_NAME = "Technics"
BANNER_ELEM_NAME = "Banner"
COLUMNS_ELEM_NAME = "DatabaseColumns"
COLUMN_ELEM_NAME = "Column"
CELL_ELEM_NAME = "Cell"
COLUMN_ATTR = "column"
ROW_ELEM_NAME = "Row"
TABLES_ELEM_NAME = "tables"
DATABASE_COLUMNS_ELEM = "DB"
DB_TABLES_ELEM_NAME = "DBTables"
DB_TABLE_ELEM_NAME = "DBTable"
IS_DBA_ELEM_NAME = "isDBA"
FILE_CONTENT_ELEM_NAME = "FileContent"
DB_ATTR = "db"
UNKNOWN_COLUMN_TYPE= "unknown"
USER_SETTINGS_ELEM_NAME = "UserSettings"
USER_SETTING_ELEM_NAME = "UserSetting"
USERS_ELEM_NAME = "Users"
USER_ELEM_NAME = "User"
DB_USER_ELEM_NAME = "DBUser"
SETTINGS_ELEM_NAME = "Settings"
DBS_ELEM_NAME = "DBs"
DB_NAME_ELEM_NAME = "DBName"
DATABASE_ELEM_NAME = "Database"
TABLE_ELEM_NAME = "Table"
DB_TABLE_VALUES_ELEM_NAME = "DBTableValues"
DB_VALUES_ELEM = "DBValues"
QUERIES_ELEM_NAME = "Queries"
QUERY_ELEM_NAME = "Query"
REGISTERY_ENTRIES_ELEM_NAME = "RegistryEntries"
REGISTER_DATA_ELEM_NAME = "RegisterData"
DEFAULT_DB = "All"
MESSAGE_ELEM = "Message"
MESSAGES_ELEM_NAME = "Messages"
ERROR_ELEM_NAME = "Error"
LST_ELEM_NAME = "List"
LSTS_ELEM_NAME = "Lists"
CURRENT_USER_ELEM_NAME = "CurrentUser"
CURRENT_DB_ELEM_NAME = "CurrentDB"
MEMBER_ELEM = "Member"
ADMIN_USER = "Admin"
REGULAR_USER = "User"
STATUS_ELEM_NAME = "Status"
RESULTS_ELEM_NAME = "Results"
UNHANDLED_PROBLEM_TYPE = "Unhandled"
NAME_ATTR = "name"
TYPE_ATTR = "type"
VALUE_ATTR = "value"
SUCESS_ATTR = "success"
NAME_SPACE_ATTR = 'http://www.w3.org/2001/XMLSchema-instance'
XMLNS_ATTR = "xmlns:xsi"
SCHEME_NAME = "sqlmap.xsd"
SCHEME_NAME_ATTR = "xsi:noNamespaceSchemaLocation"
CHARACTERS_TO_ENCODE = range(32) + range(127, 256)
2011-04-30 17:20:05 +04:00
ENTITIES = {'"':'"',"'":"'"}
class XMLDump:
'''
This class purpose is to dump the data into an xml Format.
The format of the xml file is described in the scheme file xml/sqlmap.xsd
'''
def __init__(self):
self.__outputFile = None
2011-04-30 17:20:05 +04:00
self.__outputFP = None
self.__root = None
self.__doc = Document()
def __addToRoot(self,element):
'''
Adds element to the root element
'''
self.__root.appendChild(element)
def __write(self, data, n=True):
'''
Writes the data into the file
'''
if n:
self.__outputFP.write("%s\n" % data)
else:
self.__outputFP.write("%s " % data)
self.__outputFP.flush()
2011-05-11 00:44:36 +04:00
kb.dataOutputFlag = True
def __getRootChild(self,elemName):
'''
Returns the child of the root with the described name
'''
elements = self.__root.getElementsByTagName(elemName)
if elements :
return elements[0]
2010-09-16 17:19:13 +04:00
return elements
def __createTextNode(self,data):
'''
Creates a text node with utf8 data inside.
The text is escaped to an fit the xml text Format.
'''
if data is None :
2010-06-02 12:34:57 +04:00
return self.__doc.createTextNode(u'')
else :
2012-07-01 13:05:04 +04:00
escaped_data = saxutils.escape(data, ENTITIES)
2010-06-02 12:28:38 +04:00
return self.__doc.createTextNode(escaped_data)
def __createAttribute(self,attrName,attrValue):
'''
Creates an attribute node with utf8 data inside.
The text is escaped to an fit the xml text Format.
'''
attr = self.__doc.createAttribute(attrName)
if attrValue is None :
2010-06-02 12:34:57 +04:00
attr.nodeValue = u''
else :
2010-06-02 16:31:36 +04:00
attr.nodeValue = getUnicode(attrValue)
return attr
def string(self, header, data, sort=True):
'''
Adds string element to the xml.
'''
if isinstance(data, (list, tuple, set)):
self.lister(header, data, sort)
return
2010-09-16 17:19:13 +04:00
messagesElem = self.__getRootChild(MESSAGES_ELEM_NAME)
if (not(messagesElem)):
messagesElem = self.__doc.createElement(MESSAGES_ELEM_NAME)
self.__addToRoot(messagesElem)
if data:
data = self.__formatString(data)
else :
data = ""
2010-09-16 17:19:13 +04:00
elem = self.__doc.createElement(MESSAGE_ELEM)
elem.setAttributeNode(self.__createAttribute(TYPE_ATTR, header))
elem.appendChild(self.__createTextNode(data))
messagesElem.appendChild(elem)
def lister(self, header, elements, sort=True):
'''
Adds information formatted as list element
'''
lstElem = self.__doc.createElement(LST_ELEM_NAME)
lstElem.setAttributeNode(self.__createAttribute(TYPE_ATTR, header))
if elements:
if sort:
try:
elements = set(elements)
elements = list(elements)
elements.sort(key=lambda x: x.lower())
except:
pass
2010-09-16 17:19:13 +04:00
for element in elements:
memberElem = self.__doc.createElement(MEMBER_ELEM)
lstElem.appendChild(memberElem)
if isinstance(element, basestring):
memberElem.setAttributeNode(self.__createAttribute(TYPE_ATTR, "string"))
memberElem.appendChild(self.__createTextNode(element))
elif isinstance(element, (list, tuple, set)):
memberElem.setAttributeNode(self.__createAttribute(TYPE_ATTR, "list"))
for e in element :
memberElemStr = self.__doc.createElement(MEMBER_ELEM)
memberElemStr.setAttributeNode(self.__createAttribute(TYPE_ATTR, "string"))
2010-06-02 16:31:36 +04:00
memberElemStr.appendChild(self.__createTextNode(getUnicode(e)))
memberElem.appendChild(memberElemStr)
listsElem = self.__getRootChild(LSTS_ELEM_NAME)
if not(listsElem):
listsElem = self.__doc.createElement(LSTS_ELEM_NAME)
self.__addToRoot(listsElem)
listsElem.appendChild(lstElem)
def technic(self,technicType,data):
'''
Adds information about the technic used to extract data from the db
'''
technicElem = self.__doc.createElement(TECHNIC_ELEM_NAME)
technicElem.setAttributeNode(self.__createAttribute(TYPE_ATTR, technicType))
textNode = self.__createTextNode(data)
technicElem.appendChild(textNode)
technicsElem = self.__getRootChild(TECHNICS_ELEM_NAME)
if not(technicsElem):
technicsElem = self.__doc.createElement(TECHNICS_ELEM_NAME)
self.__addToRoot(technicsElem)
technicsElem.appendChild(technicElem)
def banner(self,data):
'''
Adds information about the database banner to the xml.
The banner contains information about the type and the version of the database.
'''
bannerElem = self.__doc.createElement(BANNER_ELEM_NAME)
bannerElem.appendChild(self.__createTextNode(data))
self.__addToRoot(bannerElem)
def currentUser(self,data):
'''
Adds information about the current database user to the xml
'''
currentUserElem = self.__doc.createElement(CURRENT_USER_ELEM_NAME)
textNode = self.__createTextNode(data)
currentUserElem.appendChild(textNode)
self.__addToRoot(currentUserElem)
def currentDb(self,data):
'''
Adds information about the current database is use to the xml
'''
currentDBElem = self.__doc.createElement(CURRENT_DB_ELEM_NAME)
textNode = self.__createTextNode(data)
currentDBElem.appendChild(textNode)
self.__addToRoot(currentDBElem)
def dba(self,isDBA):
'''
Adds information to the xml that indicates whether the user has DBA privileges
'''
isDBAElem = self.__doc.createElement(IS_DBA_ELEM_NAME)
2010-06-02 16:31:36 +04:00
isDBAElem.setAttributeNode(self.__createAttribute(VALUE_ATTR, getUnicode(isDBA)))
self.__addToRoot(isDBAElem)
def users(self,users):
'''
Adds a list of the existing users to the xml
'''
usersElem = self.__doc.createElement(USERS_ELEM_NAME)
if isinstance(users, basestring):
users = [users]
if users:
for user in users:
userElem = self.__doc.createElement(DB_USER_ELEM_NAME)
usersElem.appendChild(userElem)
userElem.appendChild(self.__createTextNode(user))
self.__addToRoot(usersElem)
def dbs(self, dbs):
'''
Adds a list of the existing databases to the xml
'''
dbsElem = self.__doc.createElement(DBS_ELEM_NAME)
if dbs:
for db in dbs:
dbElem = self.__doc.createElement(DB_NAME_ELEM_NAME)
dbsElem.appendChild(dbElem)
dbElem.appendChild(self.__createTextNode(db))
self.__addToRoot(dbsElem)
def userSettings(self, header, userSettings, subHeader):
'''
Adds information about the user's settings to the xml.
The information can be user's passwords, privileges and etc..
'''
self.__areAdmins = set()
userSettingsElem = self.__getRootChild(USER_SETTINGS_ELEM_NAME)
if (not(userSettingsElem)):
userSettingsElem = self.__doc.createElement(USER_SETTINGS_ELEM_NAME)
self.__addToRoot(userSettingsElem)
userSettingElem = self.__doc.createElement(USER_SETTING_ELEM_NAME)
userSettingElem.setAttributeNode(self.__createAttribute(TYPE_ATTR, header))
if isinstance(userSettings, (tuple, list, set)):
self.__areAdmins = userSettings[1]
userSettings = userSettings[0]
users = userSettings.keys()
users.sort(key=lambda x: x.lower())
for user in users:
userElem = self.__doc.createElement(USER_ELEM_NAME)
userSettingElem.appendChild(userElem)
if user in self.__areAdmins:
2010-09-16 17:19:13 +04:00
userElem.setAttributeNode(self.__createAttribute(TYPE_ATTR, ADMIN_USER))
else:
userElem.setAttributeNode(self.__createAttribute(TYPE_ATTR, REGULAR_USER))
2010-09-16 17:19:13 +04:00
settings = userSettings[user]
settings.sort()
for setting in settings:
settingsElem = self.__doc.createElement(SETTINGS_ELEM_NAME)
settingsElem.setAttributeNode(self.__createAttribute(TYPE_ATTR, subHeader))
settingTextNode = self.__createTextNode(setting)
settingsElem.appendChild(settingTextNode)
userElem.appendChild(settingsElem)
userSettingsElem.appendChild(userSettingElem)
def dbTables(self, dbTables):
'''
Adds information of the existing db tables to the xml
'''
if not isinstance(dbTables, dict):
self.string(TABLES_ELEM_NAME, dbTables)
return
2010-09-16 17:19:13 +04:00
dbTablesElem = self.__doc.createElement(DB_TABLES_ELEM_NAME)
for db, tables in dbTables.items():
tables.sort(key=lambda x: x.lower())
dbElem = self.__doc.createElement(DATABASE_ELEM_NAME)
dbElem.setAttributeNode(self.__createAttribute(NAME_ATTR,db))
dbTablesElem.appendChild(dbElem)
for table in tables:
tableElem = self.__doc.createElement(DB_TABLE_ELEM_NAME)
tableElem.appendChild(self.__createTextNode(table))
dbElem.appendChild(tableElem)
self.__addToRoot(dbTablesElem)
def dbTableColumns(self, tableColumns):
'''
Adds information about the columns of the existing tables to the xml
'''
2010-09-16 17:19:13 +04:00
columnsElem = self.__getRootChild(COLUMNS_ELEM_NAME)
if not(columnsElem):
columnsElem = self.__doc.createElement(COLUMNS_ELEM_NAME)
2010-09-16 17:19:13 +04:00
for db, tables in tableColumns.items():
if not db:
db = DEFAULT_DB
dbElem = self.__doc.createElement(DATABASE_COLUMNS_ELEM)
dbElem.setAttributeNode(self.__createAttribute(NAME_ATTR, db))
columnsElem.appendChild(dbElem)
for table, columns in tables.items():
tableElem = self.__doc.createElement(TABLE_ELEM_NAME)
tableElem.setAttributeNode(self.__createAttribute(NAME_ATTR, table))
2010-09-16 17:19:13 +04:00
colList = columns.keys()
colList.sort(key=lambda x: x.lower())
for column in colList:
colType = columns[column]
colElem = self.__doc.createElement(COLUMN_ELEM_NAME)
if colType is not None:
colElem.setAttributeNode(self.__createAttribute(TYPE_ATTR, colType))
else :
2010-09-16 17:19:13 +04:00
colElem.setAttributeNode(self.__createAttribute(TYPE_ATTR, UNKNOWN_COLUMN_TYPE))
colElem.appendChild(self.__createTextNode(column))
tableElem.appendChild(colElem)
2010-09-16 17:19:13 +04:00
self.__addToRoot(columnsElem)
def dbTableValues(self, tableValues):
'''
Adds the values of specific table to the xml.
The values are organized according to the relevant row and column.
'''
tableElem = self.__doc.createElement(DB_TABLE_VALUES_ELEM_NAME)
2010-09-16 17:19:13 +04:00
if (tableValues is not None):
db = tableValues["__infos__"]["db"]
if not db:
db = "All"
table = tableValues["__infos__"]["table"]
2010-09-16 17:19:13 +04:00
2011-04-30 17:20:05 +04:00
count = int(tableValues["__infos__"]["count"])
columns = tableValues.keys()
columns.sort(key=lambda x: x.lower())
2010-09-16 17:19:13 +04:00
tableElem.setAttributeNode(self.__createAttribute(DB_ATTR, db))
tableElem.setAttributeNode(self.__createAttribute(NAME_ATTR, table))
2010-09-16 17:19:13 +04:00
for i in range(count):
rowElem = self.__doc.createElement(ROW_ELEM_NAME)
tableElem.appendChild(rowElem)
for column in columns:
if column != "__infos__":
info = tableValues[column]
value = info["values"][i]
2010-09-16 17:19:13 +04:00
if re.search("^[\ *]*$", value):
value = "NULL"
2010-09-16 17:19:13 +04:00
cellElem = self.__doc.createElement(CELL_ELEM_NAME)
cellElem.setAttributeNode(self.__createAttribute(COLUMN_ATTR, column))
cellElem.appendChild(self.__createTextNode(value))
rowElem.appendChild(cellElem)
2010-09-16 17:19:13 +04:00
dbValuesElem = self.__getRootChild(DB_VALUES_ELEM)
if (not(dbValuesElem)):
dbValuesElem = self.__doc.createElement(DB_VALUES_ELEM)
self.__addToRoot(dbValuesElem)
2010-09-16 17:19:13 +04:00
dbValuesElem.appendChild(tableElem)
2010-09-16 17:19:13 +04:00
logger.info("Table '%s.%s' dumped to XML file" % (db, table))
2011-01-15 16:15:10 +03:00
def dbColumns(self, dbColumns, colConsider, dbs):
'''
2010-09-16 17:19:13 +04:00
Adds information about the columns
'''
for column in dbColumns.keys():
printDbs = {}
for db, tblData in dbs.items():
for tbl, colData in tblData.items():
for col, dataType in colData.items():
if column in col:
if db in printDbs:
if tbl in printDbs[db]:
printDbs[db][tbl][col] = dataType
else:
printDbs[db][tbl] = { col: dataType }
else:
printDbs[db] = {}
printDbs[db][tbl] = { col: dataType }
continue
self.dbTableColumns(printDbs)
def query(self,query,queryRes):
'''
Adds details of an executed query to the xml.
The query details are the query itself and it's results.
'''
queryElem = self.__doc.createElement(QUERY_ELEM_NAME)
queryElem.setAttributeNode(self.__createAttribute(VALUE_ATTR, query))
queryElem.appendChild(self.__createTextNode(queryRes))
queriesElem = self.__getRootChild(QUERIES_ELEM_NAME)
if (not(queriesElem)):
queriesElem = self.__doc.createElement(QUERIES_ELEM_NAME)
self.__addToRoot(queriesElem)
queriesElem.appendChild(queryElem)
def registerValue(self,registerData):
'''
Adds information about an extracted registry key to the xml
'''
registerElem = self.__doc.createElement(REGISTER_DATA_ELEM_NAME)
registerElem.appendChild(self.__createTextNode(registerData))
registriesElem = self.__getRootChild(REGISTERY_ENTRIES_ELEM_NAME)
if (not(registriesElem)):
registriesElem = self.__doc.createElement(REGISTERY_ENTRIES_ELEM_NAME)
self.__addToRoot(registriesElem)
registriesElem.appendChild(registerElem)
def rFile(self, filePath, data):
'''
Adds an extracted file's content to the xml
'''
fileContentElem = self.__doc.createElement(FILE_CONTENT_ELEM_NAME)
fileContentElem.setAttributeNode(self.__createAttribute(NAME_ATTR, filePath))
fileContentElem.appendChild(self.__createTextNode(data))
self.__addToRoot(fileContentElem)
def setOutputFile(self):
'''
Initiates the xml file from the configuration.
'''
if (conf.xmlFile) :
try :
self.__outputFile = conf.xmlFile
self.__root = None
if os.path.exists(self.__outputFile):
try:
self.__doc = xml.dom.minidom.parse(self.__outputFile)
self.__root = self.__doc.childNodes[0]
except ExpatError:
self.__doc = Document()
2011-01-30 14:36:03 +03:00
self.__outputFP = codecs.open(self.__outputFile, "w+", UNICODE_ENCODING)
2010-09-16 17:19:13 +04:00
if self.__root is None:
self.__root = self.__doc.createElementNS(NAME_SPACE_ATTR, RESULTS_ELEM_NAME)
self.__root.setAttributeNode(self.__createAttribute(XMLNS_ATTR,NAME_SPACE_ATTR))
self.__root.setAttributeNode(self.__createAttribute(SCHEME_NAME_ATTR,SCHEME_NAME))
self.__doc.appendChild(self.__root)
except IOError:
raise sqlmapFilePathException("Wrong filename provided for saving the xml file: %s" % conf.xmlFile)
2010-09-26 18:56:55 +04:00
def getOutputFile(self):
return self.__outputFile
2010-09-26 18:56:55 +04:00
def finish(self, resultStatus, resultMsg=""):
'''
Finishes the dumper operation:
1. Adds the session status to the xml
2. Writes the xml to the file
3. Closes the xml file
'''
if ((self.__outputFP is not None) and not(self.__outputFP.closed)):
statusElem = self.__doc.createElement(STATUS_ELEM_NAME)
2010-06-02 16:31:36 +04:00
statusElem.setAttributeNode(self.__createAttribute(SUCESS_ATTR,getUnicode(resultStatus)))
2010-06-10 19:34:28 +04:00
if not resultStatus:
errorElem = self.__doc.createElement(ERROR_ELEM_NAME)
2010-06-10 19:34:28 +04:00
if isinstance(resultMsg, Exception):
errorElem.setAttributeNode(self.__createAttribute(TYPE_ATTR, type(resultMsg).__name__))
2010-06-10 19:34:28 +04:00
else:
2010-06-02 16:31:36 +04:00
errorElem.setAttributeNode(self.__createAttribute(TYPE_ATTR, UNHANDLED_PROBLEM_TYPE))
2010-06-02 16:31:36 +04:00
errorElem.appendChild(self.__createTextNode(getUnicode(resultMsg)))
statusElem.appendChild(errorElem)
self.__addToRoot(statusElem)
2011-01-30 14:36:03 +03:00
self.__write(prettyprint.formatXML(self.__doc, encoding=UNICODE_ENCODING))
self.__outputFP.close()
def closeDumper(status, msg=""):
"""
Closes the dumper of the session
"""
if hasattr(conf, "dumper") and hasattr(conf.dumper, "finish"):
conf.dumper.finish(status, msg)
dumper = XMLDump()