sqlmap/lib/controller/action.py

#!/usr/bin/env python

"""
$Id$

Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission
"""

from lib.controller.handler import setHandler
from lib.core.common import getHtmlErrorFp
from lib.core.common import dataToStdout
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import paths
from lib.core.exception import sqlmapUnsupportedDBMSException
from lib.core.settings import SUPPORTED_DBMS
from lib.techniques.blind.timebased import timeTest
from lib.techniques.inband.union.test import unionTest
from lib.techniques.outband.stacked import stackedTest

def action():
    """
    This function exploit the SQL injection on the affected
    url parameter and extract requested data from the
    back-end database management system or operating system
    if possible
    """

    # First of all we have to identify the back-end database management
    # system to be able to go ahead with the injection
    setHandler()

    if not conf.dbmsHandler:
        htmlParsed = getHtmlErrorFp()

        errMsg  = "sqlmap was not able to fingerprint the "
        errMsg += "back-end database management system"

        if htmlParsed:
            errMsg += ", but from the HTML error page it was "
            errMsg += "possible to determinate that the "
            errMsg += "back-end DBMS is %s" % htmlParsed

        if htmlParsed and htmlParsed.lower() in SUPPORTED_DBMS:
            errMsg += ". Do not specify the back-end DBMS manually, "
            errMsg += "sqlmap will fingerprint the DBMS for you"
        else:
            errMsg += ". Support for this DBMS will be implemented at "
            errMsg += "some point"

        raise sqlmapUnsupportedDBMSException, errMsg

    dataToStdout("%s\n" % conf.dbmsHandler.getFingerprint())

    # Techniques options
    if conf.stackedTest:
        conf.dumper.technic("stacked queries support", stackedTest())

    if conf.timeTest:
        conf.dumper.technic("time based blind sql injection payload", timeTest())

    if ( conf.unionUse or conf.unionTest ) and not kb.unionPosition:
        conf.dumper.technic("valid union", unionTest())

    # Enumeration options
    if conf.getBanner:
        conf.dumper.banner(conf.dbmsHandler.getBanner())

    if conf.getCurrentUser:
        conf.dumper.currentUser(conf.dbmsHandler.getCurrentUser())

    if conf.getCurrentDb:
        conf.dumper.currentDb(conf.dbmsHandler.getCurrentDb())

    if conf.isDba:
        conf.dumper.dba(conf.dbmsHandler.isDba())

    if conf.getUsers:
        conf.dumper.users(conf.dbmsHandler.getUsers())

    if conf.getPasswordHashes:
        conf.dumper.userSettings("database management system users password hashes",
                                 conf.dbmsHandler.getPasswordHashes(), "password hash")

    if conf.getPrivileges:
        conf.dumper.userSettings("database management system users privileges",
                                 conf.dbmsHandler.getPrivileges(), "privilege")

    if conf.getRoles:
        conf.dumper.userSettings("database management system users roles",
                                 conf.dbmsHandler.getRoles(), "role")

    if conf.getDbs:
        conf.dumper.dbs(conf.dbmsHandler.getDbs())

    if conf.getTables:
        conf.dumper.dbTables(conf.dbmsHandler.getTables())

    if conf.cExists:
        conf.dumper.dbTables(conf.dbmsHandler.tableExists(paths.COMMON_TABLES))

    if conf.tableFile:
        conf.dumper.dbTables(conf.dbmsHandler.tableExists(conf.tableFile))

    if conf.getColumns:
        conf.dumper.dbTableColumns(conf.dbmsHandler.getColumns())

    if conf.dumpTable:
        conf.dumper.dbTableValues(conf.dbmsHandler.dumpTable())

    if conf.dumpAll:
        conf.dbmsHandler.dumpAll()

    if conf.search:
        conf.dbmsHandler.search()

    if conf.query:
        conf.dumper.query(conf.query, conf.dbmsHandler.sqlQuery(conf.query))

    if conf.sqlShell:
        conf.dbmsHandler.sqlShell()

    # User-defined function options
    if conf.udfInject:
        conf.dbmsHandler.udfInjectCustom()

    # File system options
    if conf.rFile:
        conf.dumper.rFile(conf.rFile, conf.dbmsHandler.readFile(conf.rFile))

    if conf.wFile:
        conf.dbmsHandler.writeFile(conf.wFile, conf.dFile, conf.wFileType)

    # Operating system options
    if conf.osCmd:
        conf.dbmsHandler.osCmd()

    if conf.osShell:
        conf.dbmsHandler.osShell()

    if conf.osPwn:
        conf.dbmsHandler.osPwn()

    if conf.osSmb:
        conf.dbmsHandler.osSmb()

    if conf.osBof:
        conf.dbmsHandler.osBof()

    # Windows registry options
    if conf.regRead:
        conf.dumper.registerValue(conf.dbmsHandler.regRead())

    if conf.regAdd:
        conf.dbmsHandler.regAdd()

    if conf.regDel:
        conf.dbmsHandler.regDel()

    # Miscellaneous options
    if conf.cleanup:
        conf.dbmsHandler.cleanup()

    if conf.direct:
        conf.dbmsConnector.close()
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`#!/usr/bin/env python`

			`"""`
propsets.. 2008-10-15 19:56:32 +04:00			$Id$
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
large commit with copyright header modifications 2010-10-14 18:41:14 +04:00			`Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)`
sorry, cosmetics 2010-10-15 03:18:29 +04:00			`See the file 'doc/COPYING' for copying permission`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`"""`

			`from lib.controller.handler import setHandler`
			`from lib.core.common import getHtmlErrorFp`
changes regarding Feature #160 2010-09-26 18:02:13 +04:00			`from lib.core.common import dataToStdout`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`from lib.core.data import conf`
			`from lib.core.data import kb`
changes regarding EXISTS feature 2010-09-30 16:35:45 +04:00			`from lib.core.data import paths`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`from lib.core.exception import sqlmapUnsupportedDBMSException`
			`from lib.core.settings import SUPPORTED_DBMS`
Properly moved and improved inject.goStacked() function and newly implemented Time based blind SQL injection now is a single test file within the lib/techniques/ folder. Renamed lib/techniques/inference to lib/techniques/blind, it is more approriate and adapted the rest of the libraries. Updated ChangeLog file. 2008-11-13 02:44:09 +03:00			`from lib.techniques.blind.timebased import timeTest`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`from lib.techniques.inband.union.test import unionTest`
Added support to test for stacked queries support and improved check for time based blind sql injection. Minor bug fix in --save option 2008-12-17 00:30:24 +03:00			`from lib.techniques.outband.stacked import stackedTest`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`def action():`
			`"""`
			`This function exploit the SQL injection on the affected`
			`url parameter and extract requested data from the`
			`back-end database management system or operating system`
			`if possible`
			`"""`

			`# First of all we have to identify the back-end database management`
			`# system to be able to go ahead with the injection`
Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments. 2010-03-27 02:23:25 +03:00			`setHandler()`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`if not conf.dbmsHandler:`
			`htmlParsed = getHtmlErrorFp()`

			`errMsg = "sqlmap was not able to fingerprint the "`
			`errMsg += "back-end database management system"`

			`if htmlParsed:`
			`errMsg += ", but from the HTML error page it was "`
			`errMsg += "possible to determinate that the "`
			`errMsg += "back-end DBMS is %s" % htmlParsed`

			`if htmlParsed and htmlParsed.lower() in SUPPORTED_DBMS:`
			`errMsg += ". Do not specify the back-end DBMS manually, "`
			`errMsg += "sqlmap will fingerprint the DBMS for you"`
			`else:`
Minor cosmetic fixes 2010-10-18 15:34:53 +04:00			`errMsg += ". Support for this DBMS will be implemented at "`
			`errMsg += "some point"`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`raise sqlmapUnsupportedDBMSException, errMsg`

changes regarding Feature #160 2010-09-26 18:02:13 +04:00			`dataToStdout("%s\n" % conf.dbmsHandler.getFingerprint())`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Initial implementation of support for stacked queries. Added method to test for Time based blind SQL injection query stacking on the affected parameter a SLEEP() or similar DBMS specific function. Adapted libraries, plugins and XML with the above changes. Minor layout adjustments. 2008-11-12 03:36:50 +03:00			`# Techniques options`
Added support to test for stacked queries support and improved check for time based blind sql injection. Minor bug fix in --save option 2008-12-17 00:30:24 +03:00			`if conf.stackedTest:`
Adapted and merged in patch to support XML output (-x switch) - still in beta. Minor bug fixes and adjustments. 2010-05-28 20:43:04 +04:00			`conf.dumper.technic("stacked queries support", stackedTest())`
Added support to test for stacked queries support and improved check for time based blind sql injection. Minor bug fix in --save option 2008-12-17 00:30:24 +03:00
Initial implementation of support for stacked queries. Added method to test for Time based blind SQL injection query stacking on the affected parameter a SLEEP() or similar DBMS specific function. Adapted libraries, plugins and XML with the above changes. Minor layout adjustments. 2008-11-12 03:36:50 +03:00			`if conf.timeTest:`
Adapted and merged in patch to support XML output (-x switch) - still in beta. Minor bug fixes and adjustments. 2010-05-28 20:43:04 +04:00			`conf.dumper.technic("time based blind sql injection payload", timeTest())`
Initial implementation of support for stacked queries. Added method to test for Time based blind SQL injection query stacking on the affected parameter a SLEEP() or similar DBMS specific function. Adapted libraries, plugins and XML with the above changes. Minor layout adjustments. 2008-11-12 03:36:50 +03:00
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`if ( conf.unionUse or conf.unionTest ) and not kb.unionPosition:`
Adapted and merged in patch to support XML output (-x switch) - still in beta. Minor bug fixes and adjustments. 2010-05-28 20:43:04 +04:00			`conf.dumper.technic("valid union", unionTest())`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`# Enumeration options`
			`if conf.getBanner:`
Adapted and merged in patch to support XML output (-x switch) - still in beta. Minor bug fixes and adjustments. 2010-05-28 20:43:04 +04:00			`conf.dumper.banner(conf.dbmsHandler.getBanner())`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`if conf.getCurrentUser:`
Adapted and merged in patch to support XML output (-x switch) - still in beta. Minor bug fixes and adjustments. 2010-05-28 20:43:04 +04:00			`conf.dumper.currentUser(conf.dbmsHandler.getCurrentUser())`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`if conf.getCurrentDb:`
Adapted and merged in patch to support XML output (-x switch) - still in beta. Minor bug fixes and adjustments. 2010-05-28 20:43:04 +04:00			`conf.dumper.currentDb(conf.dbmsHandler.getCurrentDb())`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Minor enhancement to support an option (--is-dba) to show if the current user is a database management system administrator. 2008-12-18 23:41:11 +03:00			`if conf.isDba:`
Adapted and merged in patch to support XML output (-x switch) - still in beta. Minor bug fixes and adjustments. 2010-05-28 20:43:04 +04:00			`conf.dumper.dba(conf.dbmsHandler.isDba())`
Minor enhancement to support an option (--is-dba) to show if the current user is a database management system administrator. 2008-12-18 23:41:11 +03:00
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`if conf.getUsers:`
Adapted and merged in patch to support XML output (-x switch) - still in beta. Minor bug fixes and adjustments. 2010-05-28 20:43:04 +04:00			`conf.dumper.users(conf.dbmsHandler.getUsers())`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`if conf.getPasswordHashes:`
Adapted and merged in patch to support XML output (-x switch) - still in beta. Minor bug fixes and adjustments. 2010-05-28 20:43:04 +04:00			`conf.dumper.userSettings("database management system users password hashes",`
			`conf.dbmsHandler.getPasswordHashes(), "password hash")`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`if conf.getPrivileges:`
Adapted and merged in patch to support XML output (-x switch) - still in beta. Minor bug fixes and adjustments. 2010-05-28 20:43:04 +04:00			`conf.dumper.userSettings("database management system users privileges",`
			`conf.dbmsHandler.getPrivileges(), "privilege")`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Added support for --roles (for Oracle ROLE_PRIVS). Enhanced Oracle --privileges to fall-back to USER_SYS_PRIVS if DBA_SYS_PRIVS is not accessible (so session user is not DBA) - Fixes ticket #180. Minor enhancement to Firebird to determine if a DB user is a DBA. Minor code refactoring. 2010-03-25 18:46:06 +03:00			`if conf.getRoles:`
Adapted and merged in patch to support XML output (-x switch) - still in beta. Minor bug fixes and adjustments. 2010-05-28 20:43:04 +04:00			`conf.dumper.userSettings("database management system users roles",`
			`conf.dbmsHandler.getRoles(), "role")`
Added support for --roles (for Oracle ROLE_PRIVS). Enhanced Oracle --privileges to fall-back to USER_SYS_PRIVS if DBA_SYS_PRIVS is not accessible (so session user is not DBA) - Fixes ticket #180. Minor enhancement to Firebird to determine if a DB user is a DBA. Minor code refactoring. 2010-03-25 18:46:06 +03:00
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`if conf.getDbs:`
Adapted and merged in patch to support XML output (-x switch) - still in beta. Minor bug fixes and adjustments. 2010-05-28 20:43:04 +04:00			`conf.dumper.dbs(conf.dbmsHandler.getDbs())`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`if conf.getTables:`
Adapted and merged in patch to support XML output (-x switch) - still in beta. Minor bug fixes and adjustments. 2010-05-28 20:43:04 +04:00			`conf.dumper.dbTables(conf.dbmsHandler.getTables())`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
changes regarding EXISTS feature 2010-09-30 16:35:45 +04:00			`if conf.cExists:`
			`conf.dumper.dbTables(conf.dbmsHandler.tableExists(paths.COMMON_TABLES))`

			`if conf.tableFile:`
			`conf.dumper.dbTables(conf.dbmsHandler.tableExists(conf.tableFile))`

After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`if conf.getColumns:`
Adapted and merged in patch to support XML output (-x switch) - still in beta. Minor bug fixes and adjustments. 2010-05-28 20:43:04 +04:00			`conf.dumper.dbTableColumns(conf.dbmsHandler.getColumns())`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`if conf.dumpTable:`
Adapted and merged in patch to support XML output (-x switch) - still in beta. Minor bug fixes and adjustments. 2010-05-28 20:43:04 +04:00			`conf.dumper.dbTableValues(conf.dbmsHandler.dumpTable())`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`if conf.dumpAll:`
			`conf.dbmsHandler.dumpAll()`

Added option --search to work in conjunction with -D (done), -T (soon) or -C (replaces --dump -C) - See #190: * --search -D foobar: searches all database names like the ones provided * --search -T foobar: searches all databases' table names like the ones provided (soon) * --search -C foobar: replaces --dump -C 2010-05-07 17:40:57 +04:00			`if conf.search:`
			`conf.dbmsHandler.search()`

After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`if conf.query:`
Adapted and merged in patch to support XML output (-x switch) - still in beta. Minor bug fixes and adjustments. 2010-05-28 20:43:04 +04:00			`conf.dumper.query(conf.query, conf.dbmsHandler.sqlQuery(conf.query))`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`if conf.sqlShell:`
			`conf.dbmsHandler.sqlShell()`

Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring. 2009-09-26 03:03:45 +04:00			`# User-defined function options`
			`if conf.udfInject:`
			`conf.dbmsHandler.udfInjectCustom()`

After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`# File system options`
			`if conf.rFile:`
Adapted and merged in patch to support XML output (-x switch) - still in beta. Minor bug fixes and adjustments. 2010-05-28 20:43:04 +04:00			`conf.dumper.rFile(conf.rFile, conf.dbmsHandler.readFile(conf.rFile))`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`if conf.wFile:`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`conf.dbmsHandler.writeFile(conf.wFile, conf.dFile, conf.wFileType)`

			`# Operating system options`
			`if conf.osCmd:`
			`conf.dbmsHandler.osCmd()`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`if conf.osShell:`
			`conf.dbmsHandler.osShell()`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
			`if conf.osPwn:`
			`conf.dbmsHandler.osPwn()`

			`if conf.osSmb:`
			`conf.dbmsHandler.osSmb()`

			`if conf.osBof:`
			`conf.dbmsHandler.osBof()`

Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring. 2009-09-26 03:03:45 +04:00			`# Windows registry options`
			`if conf.regRead:`
Adapted and merged in patch to support XML output (-x switch) - still in beta. Minor bug fixes and adjustments. 2010-05-28 20:43:04 +04:00			`conf.dumper.registerValue(conf.dbmsHandler.regRead())`
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring. 2009-09-26 03:03:45 +04:00
			`if conf.regAdd:`
			`conf.dbmsHandler.regAdd()`

			`if conf.regDel:`
			`conf.dbmsHandler.regDel()`

Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`# Miscellaneous options`
			`if conf.cleanup:`
			`conf.dbmsHandler.cleanup()`
Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments. 2010-03-27 02:23:25 +03:00
			`if conf.direct:`
			`conf.dbmsConnector.close()`