sqlmap/lib/parse/payloads.py

#!/usr/bin/env python2

"""
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

import os
import re

from xml.etree import ElementTree as et

from lib.core.common import getSafeExString
from lib.core.data import conf
from lib.core.data import paths
from lib.core.datatype import AttribDict
from lib.core.exception import SqlmapInstallationException
from lib.core.settings import PAYLOAD_XML_FILES

def cleanupVals(text, tag):
    if tag == "clause" and '-' in text:
        text = re.sub(r"(\d+)-(\d+)", lambda match: ','.join(str(_) for _ in xrange(int(match.group(1)), int(match.group(2)) + 1)), text)

    if tag in ("clause", "where"):
        text = text.split(',')

    if isinstance(text, basestring):
        text = int(text) if text.isdigit() else text

    elif isinstance(text, list):
        count = 0

        for _ in text:
            text[count] = int(_) if _.isdigit() else _
            count += 1

        if len(text) == 1 and tag not in ("clause", "where"):
            text = text[0]

    return text

def parseXmlNode(node):
    for element in node.getiterator("boundary"):
        boundary = AttribDict()

        for child in element.getchildren():
            if child.text:
                values = cleanupVals(child.text, child.tag)
                boundary[child.tag] = values
            else:
                boundary[child.tag] = None

        conf.boundaries.append(boundary)

    for element in node.getiterator("test"):
        test = AttribDict()

        for child in element.getchildren():
            if child.text and child.text.strip():
                values = cleanupVals(child.text, child.tag)
                test[child.tag] = values
            else:
                if len(child.getchildren()) == 0:
                    test[child.tag] = None
                    continue
                else:
                    test[child.tag] = AttribDict()

                for gchild in child.getchildren():
                    if gchild.tag in test[child.tag]:
                        prevtext = test[child.tag][gchild.tag]
                        test[child.tag][gchild.tag] = [prevtext, gchild.text]
                    else:
                        test[child.tag][gchild.tag] = gchild.text

        conf.tests.append(test)

def loadBoundaries():
    try:
        doc = et.parse(paths.BOUNDARIES_XML)
    except Exception as ex:
        errMsg = "something appears to be wrong with "
        errMsg += "the file '%s' ('%s'). Please make " % (paths.BOUNDARIES_XML, getSafeExString(ex))
        errMsg += "sure that you haven't made any changes to it"
        raise SqlmapInstallationException(errMsg)

    root = doc.getroot()
    parseXmlNode(root)

def loadPayloads():
    for payloadFile in PAYLOAD_XML_FILES:
        payloadFilePath = os.path.join(paths.SQLMAP_XML_PAYLOADS_PATH, payloadFile)

        try:
            doc = et.parse(payloadFilePath)
        except Exception as ex:
            errMsg = "something appears to be wrong with "
            errMsg += "the file '%s' ('%s'). Please make " % (payloadFilePath, getSafeExString(ex))
            errMsg += "sure that you haven't made any changes to it"
            raise SqlmapInstallationException(errMsg)

        root = doc.getroot()
        parseXmlNode(root)
Update regarding #2940 (PEP 394) 2019-03-21 16:00:09 +03:00			`#!/usr/bin/env python2`
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work! 2010-11-28 21:10:54 +03:00
			`"""`
update_copyright_year() 2019-01-05 23:38:52 +03:00			`Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)`
Replacing doc/COPYING to LICENSE 2017-10-11 15:50:46 +03:00			`See the file 'LICENSE' for copying permission`
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work! 2010-11-28 21:10:54 +03:00			`"""`

code refactoring: split boundaries and payloads XML files 2015-02-15 19:31:35 +03:00			`import os`
Cleaning a mess with stacked queries and pre-WHERE boundaries 2018-09-14 11:30:58 +03:00			`import re`
code refactoring: split boundaries and payloads XML files 2015-02-15 19:31:35 +03:00
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work! 2010-11-28 21:10:54 +03:00			`from xml.etree import ElementTree as et`

Minor patch 2015-10-23 15:29:48 +03:00			`from lib.core.common import getSafeExString`
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work! 2010-11-28 21:10:54 +03:00			`from lib.core.data import conf`
			`from lib.core.data import paths`
few fixes and minor cosmetics 2011-07-08 10:02:31 +04:00			`from lib.core.datatype import AttribDict`
Patch for an Issue #919 2014-11-10 15:41:53 +03:00			`from lib.core.exception import SqlmapInstallationException`
Renaming payload files (consistency with the rest of the project) 2016-07-17 01:21:16 +03:00			`from lib.core.settings import PAYLOAD_XML_FILES`
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work! 2010-11-28 21:10:54 +03:00
Code cleanup and minor refactoring 2010-12-03 13:51:27 +03:00			`def cleanupVals(text, tag):`
Cleaning a mess with stacked queries and pre-WHERE boundaries 2018-09-14 11:30:58 +03:00			`if tag == "clause" and '-' in text:`
			`text = re.sub(r"(\d+)-(\d+)", lambda match: ','.join(str(_) for _ in xrange(int(match.group(1)), int(match.group(2)) + 1)), text)`

Code cleanup and minor refactoring 2010-12-03 13:51:27 +03:00			`if tag in ("clause", "where"):`
			`text = text.split(',')`
Added tag <epayload> to the payloads.xml's <test> tag to define which payload to use when exploiting the test type. Removed some useless tests. Moved <error> from queries.xml to payloads.xml as it makes more sense. Beeps at sql inj found only if --beep is provided. Minor fix in order to be able to pickle advancedDict() objects. Minor code refactoring. Removed useless folders. 2010-12-01 20:09:52 +03:00
Code cleanup and minor refactoring 2010-12-03 13:51:27 +03:00			`if isinstance(text, basestring):`
Fixes #1621 2015-12-23 10:55:45 +03:00			`text = int(text) if text.isdigit() else text`
Code cleanup and minor refactoring 2010-12-03 13:51:27 +03:00
			`elif isinstance(text, list):`
			`count = 0`

Style update 2012-12-10 20:20:04 +04:00			`for _ in text:`
Fixes #1621 2015-12-23 10:55:45 +03:00			`text[count] = int(_) if _.isdigit() else _`
Code cleanup and minor refactoring 2010-12-03 13:51:27 +03:00			`count += 1`
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work! 2010-11-28 21:10:54 +03:00
Code cleanup and minor refactoring 2010-12-03 13:51:27 +03:00			`if len(text) == 1 and tag not in ("clause", "where"):`
			`text = text[0]`
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work! 2010-11-28 21:10:54 +03:00
Code cleanup and minor refactoring 2010-12-03 13:51:27 +03:00			`return text`
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work! 2010-11-28 21:10:54 +03:00
			`def parseXmlNode(node):`
Trivial style update 2018-06-20 16:21:42 +03:00			`for element in node.getiterator("boundary"):`
few fixes and minor cosmetics 2011-07-08 10:02:31 +04:00			`boundary = AttribDict()`
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work! 2010-11-28 21:10:54 +03:00
			`for child in element.getchildren():`
			`if child.text:`
Code cleanup and minor refactoring 2010-12-03 13:51:27 +03:00			`values = cleanupVals(child.text, child.tag)`
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work! 2010-11-28 21:10:54 +03:00			`boundary[child.tag] = values`
			`else:`
			`boundary[child.tag] = None`

			`conf.boundaries.append(boundary)`

Trivial style update 2018-06-20 16:21:42 +03:00			`for element in node.getiterator("test"):`
few fixes and minor cosmetics 2011-07-08 10:02:31 +04:00			`test = AttribDict()`
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work! 2010-11-28 21:10:54 +03:00
			`for child in element.getchildren():`
			`if child.text and child.text.strip():`
Code cleanup and minor refactoring 2010-12-03 13:51:27 +03:00			`values = cleanupVals(child.text, child.tag)`
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work! 2010-11-28 21:10:54 +03:00			`test[child.tag] = values`
			`else:`
			`if len(child.getchildren()) == 0:`
			`test[child.tag] = None`
			`continue`
			`else:`
few fixes and minor cosmetics 2011-07-08 10:02:31 +04:00			`test[child.tag] = AttribDict()`
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work! 2010-11-28 21:10:54 +03:00
			`for gchild in child.getchildren():`
			`if gchild.tag in test[child.tag]:`
			`prevtext = test[child.tag][gchild.tag]`
			`test[child.tag][gchild.tag] = [prevtext, gchild.text]`
			`else:`
			`test[child.tag][gchild.tag] = gchild.text`

			`conf.tests.append(test)`

code refactoring: split boundaries and payloads XML files 2015-02-15 19:31:35 +03:00			`def loadBoundaries():`
Patch for an Issue #919 2014-11-10 15:41:53 +03:00			`try:`
code refactoring: split boundaries and payloads XML files 2015-02-15 19:31:35 +03:00			`doc = et.parse(paths.BOUNDARIES_XML)`
Baby steps (2 to 3 at a time) 2019-01-22 02:40:48 +03:00			`except Exception as ex:`
More formal language 2016-05-22 22:44:17 +03:00			`errMsg = "something appears to be wrong with "`
Minor patch 2015-10-23 15:29:48 +03:00			`errMsg += "the file '%s' ('%s'). Please make " % (paths.BOUNDARIES_XML, getSafeExString(ex))`
Patch for an Issue #919 2014-11-10 15:41:53 +03:00			`errMsg += "sure that you haven't made any changes to it"`
Dealing with deprecated raises 2018-03-13 13:13:38 +03:00			`raise SqlmapInstallationException(errMsg)`
Patch for an Issue #919 2014-11-10 15:41:53 +03:00
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work! 2010-11-28 21:10:54 +03:00			`root = doc.getroot()`
			`parseXmlNode(root)`
code refactoring: split boundaries and payloads XML files 2015-02-15 19:31:35 +03:00
			`def loadPayloads():`
Renaming payload files (consistency with the rest of the project) 2016-07-17 01:21:16 +03:00			`for payloadFile in PAYLOAD_XML_FILES:`
code refactoring: split boundaries and payloads XML files 2015-02-15 19:31:35 +03:00			`payloadFilePath = os.path.join(paths.SQLMAP_XML_PAYLOADS_PATH, payloadFile)`

			`try:`
			`doc = et.parse(payloadFilePath)`
Baby steps (2 to 3 at a time) 2019-01-22 02:40:48 +03:00			`except Exception as ex:`
More formal language 2016-05-22 22:44:17 +03:00			`errMsg = "something appears to be wrong with "`
Minor patch 2015-10-23 15:29:48 +03:00			`errMsg += "the file '%s' ('%s'). Please make " % (payloadFilePath, getSafeExString(ex))`
code refactoring: split boundaries and payloads XML files 2015-02-15 19:31:35 +03:00			`errMsg += "sure that you haven't made any changes to it"`
Dealing with deprecated raises 2018-03-13 13:13:38 +03:00			`raise SqlmapInstallationException(errMsg)`
code refactoring: split boundaries and payloads XML files 2015-02-15 19:31:35 +03:00
minor fix 2015-02-18 13:13:28 +03:00			`root = doc.getroot()`
			`parseXmlNode(root)`