sqlmap/lib/controller/action.py

182 lines
5.6 KiB
Python
Raw Normal View History

2008-10-15 19:38:22 +04:00
#!/usr/bin/env python
"""
2008-10-15 19:56:32 +04:00
$Id$
2008-10-15 19:38:22 +04:00
This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
2010-03-03 18:26:27 +03:00
Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>
2008-10-15 19:38:22 +04:00
sqlmap is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free
Software Foundation version 2 of the License.
sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
details.
You should have received a copy of the GNU General Public License along
with sqlmap; if not, write to the Free Software Foundation, Inc., 51
Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
"""
from lib.controller.handler import setHandler
from lib.core.common import getHtmlErrorFp
2010-09-26 18:02:13 +04:00
from lib.core.common import dataToStdout
2008-10-15 19:38:22 +04:00
from lib.core.data import conf
from lib.core.data import kb
2010-09-30 16:35:45 +04:00
from lib.core.data import paths
2008-10-15 19:38:22 +04:00
from lib.core.exception import sqlmapUnsupportedDBMSException
from lib.core.settings import SUPPORTED_DBMS
from lib.techniques.blind.timebased import timeTest
2008-10-15 19:38:22 +04:00
from lib.techniques.inband.union.test import unionTest
from lib.techniques.outband.stacked import stackedTest
2008-10-15 19:38:22 +04:00
def action():
"""
This function exploit the SQL injection on the affected
url parameter and extract requested data from the
back-end database management system or operating system
if possible
"""
# First of all we have to identify the back-end database management
# system to be able to go ahead with the injection
setHandler()
2008-10-15 19:38:22 +04:00
if not conf.dbmsHandler:
htmlParsed = getHtmlErrorFp()
errMsg = "sqlmap was not able to fingerprint the "
errMsg += "back-end database management system"
if htmlParsed:
errMsg += ", but from the HTML error page it was "
errMsg += "possible to determinate that the "
errMsg += "back-end DBMS is %s" % htmlParsed
if htmlParsed and htmlParsed.lower() in SUPPORTED_DBMS:
errMsg += ". Do not specify the back-end DBMS manually, "
errMsg += "sqlmap will fingerprint the DBMS for you"
else:
errMsg += ". Support for this DBMS will be implemented if "
errMsg += "you ask, just drop us an email"
raise sqlmapUnsupportedDBMSException, errMsg
2010-09-26 18:02:13 +04:00
dataToStdout("%s\n" % conf.dbmsHandler.getFingerprint())
2008-10-15 19:38:22 +04:00
# Techniques options
if conf.stackedTest:
conf.dumper.technic("stacked queries support", stackedTest())
if conf.timeTest:
conf.dumper.technic("time based blind sql injection payload", timeTest())
if ( conf.unionUse or conf.unionTest ) and not kb.unionPosition:
conf.dumper.technic("valid union", unionTest())
2008-10-15 19:38:22 +04:00
# Enumeration options
if conf.getBanner:
conf.dumper.banner(conf.dbmsHandler.getBanner())
2008-10-15 19:38:22 +04:00
if conf.getCurrentUser:
conf.dumper.currentUser(conf.dbmsHandler.getCurrentUser())
2008-10-15 19:38:22 +04:00
if conf.getCurrentDb:
conf.dumper.currentDb(conf.dbmsHandler.getCurrentDb())
2008-10-15 19:38:22 +04:00
if conf.isDba:
conf.dumper.dba(conf.dbmsHandler.isDba())
2008-10-15 19:38:22 +04:00
if conf.getUsers:
conf.dumper.users(conf.dbmsHandler.getUsers())
2008-10-15 19:38:22 +04:00
if conf.getPasswordHashes:
conf.dumper.userSettings("database management system users password hashes",
conf.dbmsHandler.getPasswordHashes(), "password hash")
2008-10-15 19:38:22 +04:00
if conf.getPrivileges:
conf.dumper.userSettings("database management system users privileges",
conf.dbmsHandler.getPrivileges(), "privilege")
2008-10-15 19:38:22 +04:00
if conf.getRoles:
conf.dumper.userSettings("database management system users roles",
conf.dbmsHandler.getRoles(), "role")
2008-10-15 19:38:22 +04:00
if conf.getDbs:
conf.dumper.dbs(conf.dbmsHandler.getDbs())
2008-10-15 19:38:22 +04:00
if conf.getTables:
conf.dumper.dbTables(conf.dbmsHandler.getTables())
2008-10-15 19:38:22 +04:00
2010-09-30 16:35:45 +04:00
if conf.cExists:
conf.dumper.dbTables(conf.dbmsHandler.tableExists(paths.COMMON_TABLES))
if conf.tableFile:
conf.dumper.dbTables(conf.dbmsHandler.tableExists(conf.tableFile))
2008-10-15 19:38:22 +04:00
if conf.getColumns:
conf.dumper.dbTableColumns(conf.dbmsHandler.getColumns())
2008-10-15 19:38:22 +04:00
if conf.dumpTable:
conf.dumper.dbTableValues(conf.dbmsHandler.dumpTable())
2008-10-15 19:38:22 +04:00
if conf.dumpAll:
conf.dbmsHandler.dumpAll()
if conf.search:
conf.dbmsHandler.search()
2008-10-15 19:38:22 +04:00
if conf.query:
conf.dumper.query(conf.query, conf.dbmsHandler.sqlQuery(conf.query))
2008-10-15 19:38:22 +04:00
if conf.sqlShell:
conf.dbmsHandler.sqlShell()
# User-defined function options
if conf.udfInject:
conf.dbmsHandler.udfInjectCustom()
2008-10-15 19:38:22 +04:00
# File system options
if conf.rFile:
conf.dumper.rFile(conf.rFile, conf.dbmsHandler.readFile(conf.rFile))
2008-10-15 19:38:22 +04:00
if conf.wFile:
conf.dbmsHandler.writeFile(conf.wFile, conf.dFile, conf.wFileType)
# Operating system options
if conf.osCmd:
conf.dbmsHandler.osCmd()
2008-10-15 19:38:22 +04:00
if conf.osShell:
conf.dbmsHandler.osShell()
if conf.osPwn:
conf.dbmsHandler.osPwn()
if conf.osSmb:
conf.dbmsHandler.osSmb()
if conf.osBof:
conf.dbmsHandler.osBof()
# Windows registry options
if conf.regRead:
conf.dumper.registerValue(conf.dbmsHandler.regRead())
if conf.regAdd:
conf.dbmsHandler.regAdd()
if conf.regDel:
conf.dbmsHandler.regDel()
# Miscellaneous options
if conf.cleanup:
conf.dbmsHandler.cleanup()
if conf.direct:
conf.dbmsConnector.close()