sqlmap/lib/techniques/blind/inference.py

417 lines
15 KiB
Python
Raw Normal View History

2008-10-15 19:38:22 +04:00
#!/usr/bin/env python
"""
2008-10-15 19:56:32 +04:00
$Id$
2008-10-15 19:38:22 +04:00
This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
2010-03-03 18:26:27 +03:00
Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>
2008-10-15 19:38:22 +04:00
sqlmap is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free
Software Foundation version 2 of the License.
sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
details.
You should have received a copy of the GNU General Public License along
with sqlmap; if not, write to the Free Software Foundation, Inc., 51
Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
"""
import threading
import time
import traceback
2008-10-15 19:38:22 +04:00
from lib.core.agent import agent
from lib.core.common import dataToSessionFile
from lib.core.common import dataToStdout
from lib.core.common import getCharset
from lib.core.common import getGoodSamaritanParameters
2008-10-15 19:38:22 +04:00
from lib.core.common import replaceNewlineTabs
2010-01-15 19:06:59 +03:00
from lib.core.common import safeStringFormat
from lib.core.convert import urlencode
2008-10-15 19:38:22 +04:00
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.exception import sqlmapConnectionException
2008-10-15 19:38:22 +04:00
from lib.core.exception import sqlmapValueException
from lib.core.exception import sqlmapThreadException
from lib.core.exception import unhandledException
2008-10-15 19:38:22 +04:00
from lib.core.progress import ProgressBar
from lib.core.unescaper import unescaper
from lib.request.connect import Connect as Request
2010-02-04 20:45:56 +03:00
def bisection(payload, expression, length=None, charsetType=None, firstChar=None, lastChar=None):
2008-10-15 19:38:22 +04:00
"""
Bisection algorithm that can be used to perform blind SQL injection
on an affected host
"""
partialValue = ""
finalValue = ""
asciiTbl = getCharset(charsetType)
if "LENGTH(" in expression or "LEN(" in expression:
firstChar = 0
elif conf.firstChar is not None and ( isinstance(conf.firstChar, int) or ( isinstance(conf.firstChar, basestring) and conf.firstChar.isdigit() ) ):
firstChar = int(conf.firstChar) - 1
elif firstChar is None:
firstChar = 0
elif ( isinstance(firstChar, basestring) and firstChar.isdigit() ) or isinstance(firstChar, int):
firstChar = int(firstChar) - 1
if "LENGTH(" in expression or "LEN(" in expression:
lastChar = 0
elif conf.lastChar is not None and ( isinstance(conf.lastChar, int) or ( isinstance(conf.lastChar, basestring) and conf.lastChar.isdigit() ) ):
lastChar = int(conf.lastChar)
elif lastChar in ( None, "0" ):
lastChar = 0
elif ( isinstance(lastChar, basestring) and lastChar.isdigit() ) or isinstance(lastChar, int):
lastChar = int(lastChar)
2008-10-15 19:38:22 +04:00
if kb.dbmsDetected:
_, _, _, _, _, _, fieldToCastStr = agent.getFields(expression)
nulledCastedField = agent.nullAndCastField(fieldToCastStr)
expressionReplaced = expression.replace(fieldToCastStr, nulledCastedField, 1)
expressionUnescaped = unescaper.unescape(expressionReplaced)
2008-10-15 19:38:22 +04:00
else:
expressionUnescaped = unescaper.unescape(expression)
2008-10-15 19:38:22 +04:00
debugMsg = "query: %s" % expressionUnescaped
logger.debug(debugMsg)
2008-10-15 19:38:22 +04:00
if length and not isinstance(length, int) and length.isdigit():
length = int(length)
if length == 0:
return 0, ""
if lastChar > 0 and length > ( lastChar - firstChar ):
length = ( lastChar - firstChar )
showEta = conf.eta and isinstance(length, int)
2008-10-15 19:38:22 +04:00
numThreads = min(conf.threads, length)
threads = []
2008-10-15 19:38:22 +04:00
if showEta:
progress = ProgressBar(maxValue=length)
progressTime = []
2010-03-12 17:48:33 +03:00
if numThreads is not None:
debugMsg = "starting %d thread%s" % (numThreads, ("s" if numThreads > 1 else ""))
logger.debug(debugMsg)
if conf.verbose >= 1 and not showEta:
2008-10-15 19:38:22 +04:00
if isinstance(length, int) and conf.threads > 1:
2010-03-12 15:46:26 +03:00
dataToStdout("[%s] [INFO] retrieved: %s" % (time.strftime("%X"), "_" * min(length, conf.progressWidth)))
2008-10-15 19:38:22 +04:00
dataToStdout("\r[%s] [INFO] retrieved: " % time.strftime("%X"))
else:
dataToStdout("[%s] [INFO] retrieved: " % time.strftime("%X"))
queriesCount = [0] # As list to deal with nested scoping rules
2010-02-04 20:45:56 +03:00
hintlock = threading.Lock()
def tryHint(idx):
hintlock.acquire()
hintValue = kb.hintValue
hintlock.release()
if hintValue is not None and len(hintValue) >= idx:
if kb.dbms == "SQLite":
posValue = hintValue[idx-1]
else:
posValue = ord(hintValue[idx-1])
queriesCount[0] += 1
forgedPayload = safeStringFormat(payload.replace('%3E', '%3D'), (expressionUnescaped, idx, posValue))
result = Request.queryPage(urlencode(forgedPayload))
if result:
return hintValue[idx-1]
hintlock.acquire()
kb.hintValue = None
hintlock.release()
return None
def getChar(idx, charTbl=asciiTbl, sequentialOrder=True):
result = tryHint(idx)
if result:
return result
if not sequentialOrder:
originalTbl = list(charTbl)
if len(charTbl) == 1:
forgedPayload = safeStringFormat(payload.replace('%3E', '%3D'), (expressionUnescaped, idx, charTbl[0]))
result = Request.queryPage(urlencode(forgedPayload))
if result:
return chr(charTbl[0]) if charTbl[0] < 128 else unichr(charTbl[0])
else:
return None
maxChar = maxValue = charTbl[-1]
minValue = charTbl[0]
2008-10-15 19:38:22 +04:00
while len(charTbl) != 1:
2008-10-15 19:38:22 +04:00
queriesCount[0] += 1
position = (len(charTbl) >> 1)
posValue = charTbl[position]
if kb.dbms == "SQLite":
posValueOld = posValue
2010-05-24 15:18:47 +04:00
if posValue < 128:
posValue = chr(posValue)
else:
posValue = unichr(posValue)
2010-05-13 02:02:47 +04:00
if not conf.useBetween or kb.dbms == "SQLite":
forgedPayload = safeStringFormat(payload, (expressionUnescaped, idx, posValue))
else:
2010-05-13 15:17:24 +04:00
forgedPayload = safeStringFormat(payload.replace('%3E', 'NOT BETWEEN 0 AND'), (expressionUnescaped, idx, posValue))
result = Request.queryPage(urlencode(forgedPayload))
if kb.dbms == "SQLite":
posValue = posValueOld
2010-05-13 15:17:24 +04:00
if result:
minValue = posValue
if type(charTbl) != xrange:
charTbl = charTbl[position:]
else:
charTbl = xrange(charTbl[position], charTbl[-1] + 1)
2010-05-13 15:17:24 +04:00
else:
maxValue = posValue
if type(charTbl) != xrange:
charTbl = charTbl[:position]
else:
2010-05-24 13:28:20 +04:00
charTbl = xrange(charTbl[0], charTbl[position])
2008-10-15 19:38:22 +04:00
if len(charTbl) == 1:
2008-10-15 19:38:22 +04:00
if maxValue == 1:
return None
elif minValue == maxChar:
charTbl = xrange(maxChar + 1, (maxChar + 1) << 8)
maxChar = maxValue = charTbl[-1]
minValue = charTbl[0]
elif sequentialOrder:
retVal = minValue + 1
return chr(retVal) if retVal < 128 else unichr(retVal)
else:
retVal = originalTbl[originalTbl.index(minValue) + 1]
2010-02-04 20:45:56 +03:00
2008-10-15 19:38:22 +04:00
def etaProgressUpdate(charTime, index):
if len(progressTime) <= ( (length * 3) / 100 ):
eta = 0
else:
midTime = sum(progressTime) / len(progressTime)
midTimeWithLatest = (midTime + charTime) / 2
eta = midTimeWithLatest * (length - index) / conf.threads
progressTime.append(charTime)
progress.update(index)
progress.draw(eta)
2010-02-04 20:45:56 +03:00
2008-10-15 19:38:22 +04:00
if conf.threads > 1 and isinstance(length, int) and length > 1:
value = [ None ] * length
index = [ firstChar ] # As list for python nested function scoping
2008-10-15 19:38:22 +04:00
idxlock = threading.Lock()
iolock = threading.Lock()
valuelock = threading.Lock()
2010-03-10 17:14:27 +03:00
conf.seqLock = threading.Lock()
conf.threadContinue = True
2010-02-04 20:45:56 +03:00
2008-10-15 19:38:22 +04:00
def downloadThread():
try:
while conf.threadContinue:
idxlock.acquire()
2008-10-15 19:38:22 +04:00
if index[0] >= length:
idxlock.release()
2008-10-15 19:38:22 +04:00
return
2008-10-15 19:38:22 +04:00
index[0] += 1
curidx = index[0]
idxlock.release()
2008-10-15 19:38:22 +04:00
if conf.threadContinue:
charStart = time.time()
val = getChar(curidx)
2010-03-25 19:26:50 +03:00
if val is None:
raise sqlmapValueException, "failed to get character at index %d (expected %d total)" % (curidx, length)
else:
break
2008-10-15 19:38:22 +04:00
valuelock.acquire()
value[curidx-1] = val
currentValue = list(value)
valuelock.release()
if conf.threadContinue:
if showEta:
etaProgressUpdate(time.time() - charStart, index[0])
elif conf.verbose >= 1:
2010-03-12 15:38:19 +03:00
startCharIndex = 0
endCharIndex = 0
2010-03-25 19:26:50 +03:00
2010-03-12 15:38:19 +03:00
for i in xrange(length):
if currentValue[i] is not None:
2010-03-12 15:38:19 +03:00
endCharIndex = max(endCharIndex, i)
2010-03-25 19:26:50 +03:00
2010-03-12 15:38:19 +03:00
output = ''
2010-03-25 19:26:50 +03:00
2010-03-12 15:46:26 +03:00
if endCharIndex > conf.progressWidth:
startCharIndex = endCharIndex - conf.progressWidth
2010-03-25 19:26:50 +03:00
2010-03-12 15:38:19 +03:00
count = 0
2010-03-25 19:26:50 +03:00
for i in xrange(startCharIndex, endCharIndex + 1):
output += '_' if currentValue[i] is None else currentValue[i]
2010-03-12 15:38:19 +03:00
for i in xrange(length):
count += 1 if currentValue[i] is not None else 0
2010-03-12 15:38:19 +03:00
if startCharIndex > 0:
2010-03-12 17:31:14 +03:00
output = '..' + output[2:]
2010-04-19 19:25:52 +04:00
if (endCharIndex - startCharIndex == conf.progressWidth) and (endCharIndex < length-1):
2010-03-12 17:31:14 +03:00
output = output[:-2] + '..'
2010-03-12 16:07:07 +03:00
output += '_' * (min(length, conf.progressWidth) - len(output))
status = ' %d/%d (%d%s)' % (count, length, round(100.0*count/length), '%')
2010-03-12 15:38:19 +03:00
output += status if count != length else " "*len(status)
iolock.acquire()
dataToStdout("\r[%s] [INFO] retrieved: %s" % (time.strftime("%X"), replaceNewlineTabs(output, stdout=True)))
iolock.release()
except (sqlmapConnectionException, sqlmapValueException), errMsg:
2010-03-25 19:26:50 +03:00
print
conf.threadException = True
logger.error("thread %d: %s" % (numThread + 1, errMsg))
except KeyboardInterrupt:
conf.threadException = True
print
logger.debug("waiting for threads to finish")
try:
while (threading.activeCount() > 1):
pass
except KeyboardInterrupt:
raise sqlmapThreadException, "user aborted"
except:
2010-03-25 19:26:50 +03:00
print
conf.threadException = True
errMsg = unhandledException()
logger.error("thread %d: %s" % (numThread + 1, errMsg))
traceback.print_exc()
2010-02-04 20:45:56 +03:00
2008-10-15 19:38:22 +04:00
# Start the threads
for numThread in range(numThreads):
thread = threading.Thread(target=downloadThread)
2008-10-15 19:38:22 +04:00
thread.start()
threads.append(thread)
# And wait for them to all finish
try:
alive = True
while alive:
alive = False
for thread in threads:
if thread.isAlive():
alive = True
thread.join(5)
except KeyboardInterrupt:
conf.threadContinue = False
raise
2010-03-11 14:20:52 +03:00
infoMsg = None
# If we have got one single character not correctly fetched it
# can mean that the connection to the target url was lost
if None in value:
for v in value:
if isinstance(v, basestring) and v is not None:
partialValue += v
2008-10-15 19:38:22 +04:00
if partialValue:
finalValue = partialValue
infoMsg = "\r[%s] [INFO] partially retrieved: %s" % (time.strftime("%X"), finalValue)
else:
finalValue = "".join(value)
infoMsg = "\r[%s] [INFO] retrieved: %s" % (time.strftime("%X"), finalValue)
2008-10-15 19:38:22 +04:00
if isinstance(finalValue, basestring) and len(finalValue) > 0:
dataToSessionFile(replaceNewlineTabs(finalValue))
2008-10-15 19:38:22 +04:00
if conf.verbose >= 1 and not showEta and infoMsg:
dataToStdout(infoMsg)
2008-10-15 19:38:22 +04:00
2010-03-10 17:14:27 +03:00
conf.seqLock = None
2008-10-15 19:38:22 +04:00
else:
index = firstChar
2008-10-15 19:38:22 +04:00
while True:
index += 1
2008-10-15 19:38:22 +04:00
charStart = time.time()
2010-05-21 13:35:36 +04:00
if conf.useCommonPrediction:
singleValue, predictedCharset, otherCharset = getGoodSamaritanParameters(kb.partRun, finalValue, asciiTbl)
2010-05-25 18:51:02 +04:00
val = None
if singleValue is None:
val = getChar(index, predictedCharset, False) if predictedCharset else None
else:
2010-05-25 18:51:02 +04:00
#forgedPayload = safeStringFormat('AND (%s) = \'%s\'', (expressionUnescaped, singleValue))
#result = Request.queryPage(urlencode(forgedPayload))
#if result:
# finalValue = singleValue
# break
pass
2010-05-25 18:51:02 +04:00
2010-05-21 13:35:36 +04:00
if not val:
2010-05-21 16:25:49 +04:00
val = getChar(index, otherCharset)
2010-05-21 13:35:36 +04:00
else:
val = getChar(index, asciiTbl)
2008-10-15 19:38:22 +04:00
if val is None or ( lastChar > 0 and index > lastChar ):
2008-10-15 19:38:22 +04:00
break
finalValue += val
2008-10-15 19:38:22 +04:00
dataToSessionFile(replaceNewlineTabs(val))
2008-10-15 19:38:22 +04:00
if showEta:
etaProgressUpdate(time.time() - charStart, index)
elif conf.verbose >= 1:
2008-10-15 19:38:22 +04:00
dataToStdout(val)
if conf.verbose >= 1 or showEta:
2008-10-15 19:38:22 +04:00
dataToStdout("\n")
2010-05-11 18:15:03 +04:00
if ( conf.verbose in ( 1, 2 ) and showEta ) or conf.verbose >= 3:
infoMsg = "retrieved: %s" % finalValue
2008-10-15 19:38:22 +04:00
logger.info(infoMsg)
if not partialValue:
dataToSessionFile("]\n")
if conf.threadException:
raise sqlmapThreadException, "something unexpected happen into the threads"
2008-10-15 19:38:22 +04:00
return queriesCount[0], finalValue