sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2024-11-22 09:36:35 +03:00
Code Issues Packages Projects Releases Wiki Activity
e419177871
sqlmap/lib/request/inject.py

495 lines
20 KiB
Python
Raw Normal View History

After the storm, a restore..
2008-10-15 19:38:22 +04:00
#!/usr/bin/env python
"""
propsets..
2008-10-15 19:56:32 +04:00
$Id$
After the storm, a restore..
2008-10-15 19:38:22 +04:00
updating copyright date
2012-01-11 18:59:46 +04:00
Copyright (c) 2006-2012 sqlmap developers (http://www.sqlmap.org/)
sorry, cosmetics
2010-10-15 03:18:29 +04:00
See the file 'doc/COPYING' for copying permission
After the storm, a restore..
2008-10-15 19:38:22 +04:00
"""
import re
import time
from lib.core.agent import agent
minor refactoring
2012-02-16 13:46:41 +04:00
from lib.core.bigarray import BigArray
refactoring (class names should always be Capital cased)
2011-01-28 19:36:09 +03:00
from lib.core.common import Backend
added calculateDeltaSeconds method for dealing with non-deterministic time behaviour in some cases (e.g. WAITFOR DELAY in case of MSSQL)
2010-05-13 15:05:35 +04:00
from lib.core.common import calculateDeltaSeconds
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.common import cleanQuery
from lib.core.common import expandAsteriskForColumns
gazillion changes, nothing will work, muhahaha
2012-02-17 18:22:48 +04:00
from lib.core.common import extractExpectedValue
quick fix of a fix
2010-12-15 15:10:33 +03:00
from lib.core.common import getPublicTypeMembers
added helper function for HashDB data storing/retrieval
2012-02-24 17:07:20 +04:00
from lib.core.common import hashDBRetrieve
from lib.core.common import hashDBWrite
code refactoring and some fixes
2010-12-18 12:51:34 +03:00
from lib.core.common import initTechnique
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-19 02:02:11 +03:00
from lib.core.common import isNumPosStrValue
quick fix of a fix
2010-12-15 15:10:33 +03:00
from lib.core.common import isTechniqueAvailable
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup.
2008-12-10 20:23:07 +03:00
from lib.core.common import parseUnionPage
minor cosmetic update
2010-10-11 17:52:32 +04:00
from lib.core.common import popValue
from lib.core.common import pushValue
added randInt to error injection vectors
2010-10-20 12:56:58 +04:00
from lib.core.common import randomInt
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.common import readInput
first successfull run of error based sqlmap in history :). tested --banner, --current-user, --current-db on 4 major DBMSes. still hidden from users (turn on flag error in getValue() in inject.py)
2010-10-19 16:02:04 +04:00
from lib.core.common import safeStringFormat
minor update
2012-03-08 19:43:22 +04:00
from lib.core.common import singleTimeWarnMessage
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import queries
minor update
2012-03-01 14:10:19 +04:00
from lib.core.enums import CHARSET_TYPE
further refactoring (all enumerations are now put into enums.py)
2010-11-08 12:20:02 +03:00
from lib.core.enums import DBMS
minor refactoring
2010-12-10 15:30:36 +03:00
from lib.core.enums import EXPECTED
code beautification
2010-12-08 16:04:48 +03:00
from lib.core.enums import PAYLOAD
Prioritize DBMS fingerprint based on DBMS (<dbms>) identified during the detection phase. Minor bug fix to properly handle the case that no injections are found. Nicer display of injection vulnerabilities detected. Minor code refactoring.
2010-11-29 00:27:47 +03:00
from lib.core.exception import sqlmapNotVulnerableException
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-19 02:02:11 +03:00
from lib.core.exception import sqlmapUserQuitException
just a makeup
2012-02-07 16:05:23 +04:00
from lib.core.settings import FROM_DUMMY_TABLE
now resume is available for time-based blinds too
2010-12-08 15:49:26 +03:00
from lib.core.settings import MIN_TIME_RESPONSES
cosmetics
2010-12-21 18:26:23 +03:00
from lib.core.settings import MAX_TECHNIQUES_PER_VALUE
improvement for recognition of scalar vs multiple-row commands
2011-05-19 20:45:05 +04:00
from lib.core.settings import SQL_SCALAR_REGEX
some fixes
2011-01-07 19:39:47 +03:00
from lib.core.threads import getCurrentThreadData
you won't believe commit
2010-12-10 16:20:59 +03:00
from lib.core.unescaper import unescaper
Initial implementation of support for stacked queries. Added method to test for Time based blind SQL injection query stacking on the affected parameter a SLEEP() or similar DBMS specific function. Adapted libraries, plugins and XML with the above changes. Minor layout adjustments.
2008-11-12 03:36:50 +03:00
from lib.request.connect import Connect as Request
Added support to directly connect also to Microsoft SQL Server database. Fixed direct connection to always use the same query as of UNION query SQL injection (= one query with multiple columns/entries output). Minor fixes to Firebird/Access/SQLite connectors to use connector's execute()/fetchall() as wrapper for third-party libraries' methods. Forced conf.timeout to 10 seconds when directly connecting to database. Slightly improved regular expression to parse -d parameter. Added import check for all connectors' third-party libraries. Code refactoring: * Moved conf.direct request to direct() function in lib/request/direct.py (code reused where needed). * Back-delegated to generic connector close() and other methods.
2010-03-31 14:50:47 +04:00
from lib.request.direct import direct
Properly moved and improved inject.goStacked() function and newly implemented Time based blind SQL injection now is a single test file within the lib/techniques/ folder. Renamed lib/techniques/inference to lib/techniques/blind, it is more approriate and adapted the rest of the libraries. Updated ChangeLog file.
2008-11-13 02:44:09 +03:00
from lib.techniques.blind.inference import bisection
Minor refactoring
2012-04-04 16:42:58 +04:00
from lib.techniques.dns.test import dnsTest
further update of DNS data retrieval mechanism through SQLi
2012-04-02 18:05:30 +04:00
from lib.techniques.dns.use import dnsUse
code refactoring
2010-10-20 13:09:04 +04:00
from lib.techniques.error.use import errorUse
further update of DNS data retrieval mechanism through SQLi
2012-04-02 18:05:30 +04:00
from lib.techniques.union.use import unionUse
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.utils.resume import queryOutputLength
from lib.utils.resume import resume
Major bug fix to make --first and --last apply only to --dump's entries dump phase (in either of the blind SQL injection techs only)
2011-02-27 15:14:13 +03:00
def __goInference(payload, expression, charsetType=None, firstChar=None, lastChar=None, dump=False):
Initial implementation of support for stacked queries. Added method to test for Time based blind SQL injection query stacking on the affected parameter a SLEEP() or similar DBMS specific function. Adapted libraries, plugins and XML with the above changes. Minor layout adjustments.
2008-11-12 03:36:50 +03:00
start = time.time()
further update of DNS data retrieval mechanism through SQLi
2012-04-02 18:05:30 +04:00
value = None
count = 0
minor improvements regarding data retrieval through DNS channel
2012-04-03 13:18:30 +04:00
value = __goDns(payload, expression)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
further update of DNS data retrieval mechanism through SQLi
2012-04-02 18:05:30 +04:00
if value is None:
timeBasedCompare = (kb.technique in (PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED))
update regarding time based data retrieval
2011-01-16 20:52:42 +03:00
further update of DNS data retrieval mechanism through SQLi
2012-04-02 18:05:30 +04:00
if (conf.eta or conf.threads > 1) and Backend.getIdentifiedDbms() and not timeBasedCompare:
_, length, _ = queryOutputLength(expression, payload)
else:
length = None
After the storm, a restore..
2008-10-15 19:38:22 +04:00
further update of DNS data retrieval mechanism through SQLi
2012-04-02 18:05:30 +04:00
kb.inferenceMode = True
count, value = bisection(payload, expression, length, charsetType, firstChar, lastChar, dump)
kb.inferenceMode = False
After the storm, a restore..
2008-10-15 19:38:22 +04:00
further update of DNS data retrieval mechanism through SQLi
2012-04-02 18:05:30 +04:00
if not kb.bruteMode:
debugMsg = "performed %d queries in %d seconds" % (count, calculateDeltaSeconds(start))
logger.debug(debugMsg)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
return value
minor improvements regarding data retrieval through DNS channel
2012-04-03 13:18:30 +04:00
def __goDns(payload, expression):
value = None
if conf.dnsDomain and kb.dnsTest is not False:
if kb.dnsTest is None:
Minor refactoring
2012-04-04 16:42:58 +04:00
dnsTest(payload)
minor improvements regarding data retrieval through DNS channel
2012-04-03 13:18:30 +04:00
if kb.dnsTest:
value = dnsUse(payload, expression)
return value
gazillion changes, nothing will work, muhahaha
2012-02-17 18:22:48 +04:00
def __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected=None, num=None, charsetType=None, firstChar=None, lastChar=None, dump=False):
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-19 02:02:11 +03:00
outputs = []
origExpr = None
After the storm, a restore..
2008-10-15 19:38:22 +04:00
for field in expressionFieldsList:
output = None
Limited custom query now works also on Oracle in inferential blind SQL injection technique
2008-12-24 02:34:50 +03:00
if field.startswith("ROWNUM "):
continue
Major bug fix to make partial UNION query sql injection work properly also on Microsoft SQL Server
2008-12-22 22:36:01 +03:00
if isinstance(num, int):
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-19 02:02:11 +03:00
origExpr = expression
Major bug fix to make partial UNION query sql injection work properly also on Microsoft SQL Server
2008-12-22 22:36:01 +03:00
expression = agent.limitQuery(num, expression, field)
Limited custom query now works also on Oracle in inferential blind SQL injection technique
2008-12-24 02:34:50 +03:00
if "ROWNUM" in expressionFieldsList:
expressionReplaced = expression
Major bug fixes
2009-01-23 01:28:27 +03:00
else:
expressionReplaced = expression.replace(expressionFields, field, 1)
Limited custom query now works also on Oracle in inferential blind SQL injection technique
2008-12-24 02:34:50 +03:00
gazillion changes, nothing will work, muhahaha
2012-02-17 18:22:48 +04:00
output = __goInference(payload, expressionReplaced, charsetType, firstChar, lastChar, dump)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major bug fix to make partial UNION query sql injection work properly also on Microsoft SQL Server
2008-12-22 22:36:01 +03:00
if isinstance(num, int):
expression = origExpr
After the storm, a restore..
2008-10-15 19:38:22 +04:00
outputs.append(output)
return outputs
gazillion changes, nothing will work, muhahaha
2012-02-17 18:22:48 +04:00
def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, unpack=True, charsetType=None, firstChar=None, lastChar=None, dump=False):
After the storm, a restore..
2008-10-15 19:38:22 +04:00
"""
Retrieve the output of a SQL query characted by character taking
advantage of an blind SQL injection vulnerability on the affected
parameter through a bisection algorithm.
"""
Minor code adjustments
2010-10-25 18:11:47 +04:00
code refactoring and some fixes
2010-12-18 12:51:34 +03:00
initTechnique(kb.technique)
Major bug fix for semi-centralize unescape() and cleanupPayload() into prefixQuery() and suffixQuery()
2011-02-07 01:58:12 +03:00
query = agent.prefixQuery(kb.injection.data[kb.technique].vector)
Minor enhancement to speedup active dbms fingerprint (-f). Code cleanup and refactoring.
2010-12-14 00:33:42 +03:00
query = agent.suffixQuery(query)
payload = agent.payload(newValue=query)
count = None
startLimit = 0
stopLimit = None
hello big tables, this is sqlmap, sqlmap this is big tables
2011-07-24 13:19:33 +04:00
outputs = BigArray()
Minor enhancement to speedup active dbms fingerprint (-f). Code cleanup and refactoring.
2010-12-14 00:33:42 +03:00
test = None
After the storm, a restore..
2008-10-15 19:38:22 +04:00
untilLimitChar = None
untilOrderChar = None
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 05:02:12 +03:00
if not unpack:
Major bug fix to make --first and --last apply only to --dump's entries dump phase (in either of the blind SQL injection techs only)
2011-02-27 15:14:13 +03:00
return __goInference(payload, expression, charsetType, firstChar, lastChar, dump)
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
_, _, _, _, _, expressionFieldsList, expressionFields, _ = agent.getFields(expression)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
rdbRegExp = re.search("RDB\$GET_CONTEXT\([^)]+\)", expression, re.I)
More code refactoring of Backend class methods used
2011-04-30 18:54:29 +04:00
if rdbRegExp and Backend.isDbms(DBMS.FIREBIRD):
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
expressionFieldsList = [expressionFields]
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
if len(expressionFieldsList) > 1:
minor cosmetics
2012-04-05 03:34:08 +04:00
infoMsg = "the SQL query provided has more than one field. "
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
infoMsg += "sqlmap will now unpack it into distinct queries "
infoMsg += "to be able to retrieve the output even if we "
infoMsg += "are going blind"
logger.info(infoMsg)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
# If we have been here from SQL query/shell we have to check if
# the SQL query might return multiple entries and in such case
# forge the SQL limiting the query output one entry per time
# NOTE: I assume that only queries that get data from a table
# can return multiple entries
Refactoring
2011-02-02 01:27:36 +03:00
if fromUser and " FROM " in expression.upper() and ((Backend.getIdentifiedDbms() \
minor fix
2012-02-07 18:57:48 +04:00
not in FROM_DUMMY_TABLE) or (Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE and not \
just a makeup
2012-02-07 16:05:23 +04:00
expression.upper().endswith(FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]))) \
improvement for recognition of scalar vs multiple-row commands
2011-05-19 20:45:05 +04:00
and not re.search(SQL_SCALAR_REGEX, expression, re.I):
Refactoring
2011-02-02 01:27:36 +03:00
refactoring (class names should always be Capital cased)
2011-01-28 19:36:09 +03:00
limitRegExp = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query, expression, re.I)
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
topLimit = re.search("TOP\s+([\d]+)\s+", expression, re.I)
Fixed another bug on Microsoft SQL Server custom "limited" query reported by Konrads Smelkovs
2009-02-03 02:44:19 +03:00
refactoring (class names should always be Capital cased)
2011-01-28 19:36:09 +03:00
if limitRegExp or (Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE) and topLimit):
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL):
limitGroupStart = queries[Backend.getIdentifiedDbms()].limitgroupstart.query
limitGroupStop = queries[Backend.getIdentifiedDbms()].limitgroupstop.query
Fixed another bug on Microsoft SQL Server custom "limited" query reported by Konrads Smelkovs
2009-02-03 02:44:19 +03:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
if limitGroupStart.isdigit():
startLimit = int(limitRegExp.group(int(limitGroupStart)))
Major bug fix to make it work properly with MSSQL custom limited (SELECT TOP ...) queries with both inferential blind and Full UNION query injection
2009-01-03 02:26:45 +03:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
stopLimit = limitRegExp.group(int(limitGroupStop))
limitCond = int(stopLimit) > 1
After the storm, a restore..
2008-10-15 19:38:22 +04:00
refactoring (class names should always be Capital cased)
2011-01-28 19:36:09 +03:00
elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):
After the storm, a restore..
2008-10-15 19:38:22 +04:00
if limitRegExp:
refactoring (class names should always be Capital cased)
2011-01-28 19:36:09 +03:00
limitGroupStart = queries[Backend.getIdentifiedDbms()].limitgroupstart.query
limitGroupStop = queries[Backend.getIdentifiedDbms()].limitgroupstop.query
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
if limitGroupStart.isdigit():
startLimit = int(limitRegExp.group(int(limitGroupStart)))
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
stopLimit = limitRegExp.group(int(limitGroupStop))
limitCond = int(stopLimit) > 1
elif topLimit:
startLimit = 0
stopLimit = int(topLimit.group(1))
limitCond = int(stopLimit) > 1
After the storm, a restore..
2008-10-15 19:38:22 +04:00
More code refactoring of Backend class methods used
2011-04-30 18:54:29 +04:00
elif Backend.isDbms(DBMS.ORACLE):
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
limitCond = False
else:
limitCond = True
# I assume that only queries NOT containing a "LIMIT #, 1"
# (or similar depending on the back-end DBMS) can return
# multiple entries
if limitCond:
if limitRegExp:
stopLimit = int(stopLimit)
# From now on we need only the expression until the " LIMIT "
# (or similar, depending on the back-end DBMS) word
refactoring (class names should always be Capital cased)
2011-01-28 19:36:09 +03:00
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL):
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
stopLimit += startLimit
refactoring (class names should always be Capital cased)
2011-01-28 19:36:09 +03:00
untilLimitChar = expression.index(queries[Backend.getIdentifiedDbms()].limitstring.query)
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
expression = expression[:untilLimitChar]
refactoring (class names should always be Capital cased)
2011-01-28 19:36:09 +03:00
elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
stopLimit += startLimit
if not stopLimit or stopLimit <= 1:
minor fix
2012-02-07 18:57:48 +04:00
if Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE and expression.upper().endswith(FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]):
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
test = False
else:
test = True
if test:
# Count the number of SQL query entries output
refactoring (class names should always be Capital cased)
2011-01-28 19:36:09 +03:00
countFirstField = queries[Backend.getIdentifiedDbms()].count.query % expressionFieldsList[0]
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
countedExpression = expression.replace(expressionFields, countFirstField, 1)
if re.search(" ORDER BY ", expression, re.I):
untilOrderChar = countedExpression.index(" ORDER BY ")
countedExpression = countedExpression[:untilOrderChar]
if not stopLimit:
minor update
2012-03-01 14:10:19 +04:00
count = __goInference(payload, countedExpression, CHARSET_TYPE.DIGITS, firstChar, lastChar)
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
if isNumPosStrValue(count):
count = int(count)
if batch:
stopLimit = count
else:
message = "the SQL query provided can return "
message += "%d entries. How many " % count
message += "entries do you want to retrieve?\n"
message += "[a] All (default)\n[#] Specific number\n"
message += "[q] Quit"
test = readInput(message, default="a")
if not test or test[0] in ("a", "A"):
After the storm, a restore..
2008-10-15 19:38:22 +04:00
stopLimit = count
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
elif test[0] in ("q", "Q"):
raise sqlmapUserQuitException
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
elif test.isdigit() and int(test) > 0 and int(test) <= count:
stopLimit = int(test)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
infoMsg = "sqlmap is now going to retrieve the "
infoMsg += "first %d query output entries" % stopLimit
logger.info(infoMsg)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
elif test[0] in ("#", "s", "S"):
message = "how many? "
stopLimit = readInput(message, default="10")
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
if not stopLimit.isdigit():
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-19 02:02:11 +03:00
errMsg = "invalid choice"
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
logger.error(errMsg)
return None
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
else:
stopLimit = int(stopLimit)
else:
errMsg = "invalid choice"
logger.error(errMsg)
Minor adjustments and bug fixes
2008-12-17 23:11:18 +03:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
return None
Minor adjustments and bug fixes
2008-12-17 23:11:18 +03:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
elif count and not count.isdigit():
warnMsg = "it was not possible to count the number "
warnMsg += "of entries for the SQL query provided. "
warnMsg += "sqlmap will assume that it returns only "
warnMsg += "one entry"
logger.warn(warnMsg)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
stopLimit = 1
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
elif (not count or int(count) == 0):
more concise language
2012-01-07 21:45:45 +04:00
if not count:
warnMsg = "the SQL query provided does not "
warnMsg += "return any output"
logger.warn(warnMsg)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
return None
gazillion changes, nothing will work, muhahaha
2012-02-17 18:22:48 +04:00
elif (not stopLimit or stopLimit == 0):
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
return None
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
try:
for num in xrange(startLimit, stopLimit):
gazillion changes, nothing will work, muhahaha
2012-02-17 18:22:48 +04:00
output = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, num, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar, dump=dump)
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
outputs.append(output)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
except KeyboardInterrupt:
print
cosmeticados ;)
2011-04-08 14:39:07 +04:00
warnMsg = "user aborted during dumping phase"
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
logger.warn(warnMsg)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
return outputs
just a makeup
2012-02-07 16:05:23 +04:00
elif Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE and expression.upper().startswith("SELECT ") and " FROM " not in expression.upper():
expression += FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]
Major code refactoring - centralized all kb.dbms* info for both retrieval and set.
2011-01-20 02:06:15 +03:00
gazillion changes, nothing will work, muhahaha
2012-02-17 18:22:48 +04:00
outputs = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar, dump=dump)
minor optimization
2011-11-21 00:14:47 +04:00
returnValue = ", ".join(output for output in outputs)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
return returnValue
gazillion changes, nothing will work, muhahaha
2012-02-17 18:22:48 +04:00
def __goBooleanProxy(expression):
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-19 02:02:11 +03:00
"""
Retrieve the output of a boolean based SQL query
"""
initTechnique(kb.technique)
vector = kb.injection.data[kb.technique].vector
vector = vector.replace("[INFERENCE]", expression)
query = agent.prefixQuery(vector)
query = agent.suffixQuery(query)
payload = agent.payload(newValue=query)
timeBasedCompare = kb.technique in (PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED)
added helper function for HashDB data storing/retrieval
2012-02-24 17:07:20 +04:00
output = hashDBRetrieve(expression)
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-19 02:02:11 +03:00
if not output:
output = Request.queryPage(payload, timeBasedCompare=timeBasedCompare, raise404=False)
gazillion changes, nothing will work, muhahaha
2012-02-17 18:22:48 +04:00
if output is not None:
added helper function for HashDB data storing/retrieval
2012-02-24 17:07:20 +04:00
hashDBWrite(expression, output)
gazillion changes, nothing will work, muhahaha
2012-02-17 18:22:48 +04:00
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-19 02:02:11 +03:00
return output
gazillion changes, nothing will work, muhahaha
2012-02-17 18:22:48 +04:00
def __goError(expression, expected=None, dump=False):
Important update to parse correctly the <where> tag during exploitation phase. Minor code cleanup.
2010-12-03 13:44:16 +03:00
"""
Retrieve the output of a SQL query taking advantage of an error-based
SQL injection vulnerability on the affected parameter.
"""
gazillion changes, nothing will work, muhahaha
2012-02-17 18:22:48 +04:00
output = errorUse(expression, expected, dump)
Minor adjustments Cosmetics
2011-02-01 00:22:39 +03:00
return output
Important update to parse correctly the <where> tag during exploitation phase. Minor code cleanup.
2010-12-03 13:44:16 +03:00
gazillion changes, nothing will work, muhahaha
2012-02-17 18:22:48 +04:00
def __goInband(expression, expected=None, unique=True, unpack=True, dump=False):
After the storm, a restore..
2008-10-15 19:38:22 +04:00
"""
Retrieve the output of a SQL query taking advantage of an inband SQL
injection vulnerability on the affected parameter.
"""
gazillion changes, nothing will work, muhahaha
2012-02-17 18:22:48 +04:00
output = unionUse(expression, unpack=unpack, dump=dump)
if isinstance(output, basestring):
output = parseUnionPage(output, unique)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
gazillion changes, nothing will work, muhahaha
2012-02-17 18:22:48 +04:00
return output
After the storm, a restore..
2008-10-15 19:38:22 +04:00
some refactoring/speedup around UNION technique
2011-12-22 14:32:21 +04:00
def getValue(expression, blind=True, inband=True, error=True, time=True, fromUser=False, expected=None, batch=False, unpack=True, unique=True, resumeValue=True, charsetType=None, firstChar=None, lastChar=None, dump=False, suppressOutput=None, expectingNone=False, safeCharEncode=True):
After the storm, a restore..
2008-10-15 19:38:22 +04:00
"""
Called each time sqlmap inject a SQL query on the SQL injection
affected parameter. It can call a function to retrieve the output
through inband SQL injection (if selected) and/or blind SQL injection
(if selected).
"""
update (smaller memory footprint in postprocessing phase because of safecharencode part)
2011-07-26 00:40:31 +04:00
kb.safeCharEncode = safeCharEncode
gazillion changes, nothing will work, muhahaha
2012-02-17 18:22:48 +04:00
kb.resumeValues = resumeValue
update (smaller memory footprint in postprocessing phase because of safecharencode part)
2011-07-26 00:40:31 +04:00
minor fix
2011-02-20 15:20:44 +03:00
if suppressOutput is not None:
pushValue(getCurrentThreadData().disableStdOut)
getCurrentThreadData().disableStdOut = suppressOutput
first successfull run of error based sqlmap in history :). tested --banner, --current-user, --current-db on 4 major DBMSes. still hidden from users (turn on flag error in getValue() in inject.py)
2010-10-19 16:02:04 +04:00
update
2010-12-09 01:38:26 +03:00
try:
Fixed annoying bug that prevented proper checkBooleanExpression() function to work with direct connection (-d). Now DBMS fingerprint should work properly with -d
2012-02-14 21:29:00 +04:00
if expected == EXPECTED.BOOL:
forgeCaseExpression = booleanExpression = expression
if expression.upper().startswith("SELECT "):
booleanExpression = expression[len("SELECT "):]
else:
forgeCaseExpression = agent.forgeCaseStatement(expression)
update
2010-12-09 01:38:26 +03:00
if conf.direct:
Fixed annoying bug that prevented proper checkBooleanExpression() function to work with direct connection (-d). Now DBMS fingerprint should work properly with -d
2012-02-14 21:29:00 +04:00
if expected == EXPECTED.BOOL:
value = direct(forgeCaseExpression)
else:
value = direct(expression)
minor cosmetics
2010-12-15 15:15:43 +03:00
First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though. Major refactoring to Agent.payload() method. Minor bug fixes, some code refactoring and a lot of core adjustments here and there. Added more checks for injection in GROUP BY and ORDER BY.
2011-01-12 01:18:47 +03:00
elif any(map(isTechniqueAvailable, getPublicTypeMembers(PAYLOAD.TECHNIQUE, onlyValues=True))):
fix
2010-12-10 18:06:53 +03:00
query = cleanQuery(expression)
query = expandAsteriskForColumns(query)
cosmetics
2010-12-10 18:24:25 +03:00
value = None
found = False
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-19 02:02:11 +03:00
resume of brute forced data is now available
2010-12-27 17:17:20 +03:00
if query and not 'COUNT(*)' in query:
query = query.replace("DISTINCT ", "")
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup.
2011-01-19 02:02:11 +03:00
minor tuning (2 techniques MAX per value used)
2010-12-21 18:24:14 +03:00
count = 0
fix
2010-12-10 18:06:53 +03:00
First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though. Major refactoring to Agent.payload() method. Minor bug fixes, some code refactoring and a lot of core adjustments here and there. Added more checks for injection in GROUP BY and ORDER BY.
2011-01-12 01:18:47 +03:00
if inband and isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION):
update
2010-12-09 01:38:26 +03:00
kb.technique = PAYLOAD.TECHNIQUE.UNION
Minor enhancement to speedup active dbms fingerprint (-f). Code cleanup and refactoring.
2010-12-14 00:33:42 +03:00
further update regarding bugtrace's report
2010-12-11 20:32:15 +03:00
if expected == EXPECTED.BOOL:
gazillion changes, nothing will work, muhahaha
2012-02-17 18:22:48 +04:00
value = __goInband(forgeCaseExpression, expected, unique, unpack, dump)
further update regarding bugtrace's report
2010-12-11 20:32:15 +03:00
else:
gazillion changes, nothing will work, muhahaha
2012-02-17 18:22:48 +04:00
value = __goInband(query, expected, unique, unpack, dump)
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup.
2008-12-10 20:23:07 +03:00
minor tuning (2 techniques MAX per value used)
2010-12-21 18:24:14 +03:00
count += 1
minor bug fix
2010-12-31 15:04:39 +03:00
found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
Higher precedence to union query sql inj than error-based
2010-12-01 13:57:17 +03:00
quick fix of a fix
2010-12-15 15:10:33 +03:00
if error and isTechniqueAvailable(PAYLOAD.TECHNIQUE.ERROR) and not found:
update
2010-12-09 01:38:26 +03:00
kb.technique = PAYLOAD.TECHNIQUE.ERROR
Minor enhancement to speedup active dbms fingerprint (-f). Code cleanup and refactoring.
2010-12-14 00:33:42 +03:00
fix
2010-12-10 19:03:32 +03:00
if expected == EXPECTED.BOOL:
gazillion changes, nothing will work, muhahaha
2012-02-17 18:22:48 +04:00
value = __goError(forgeCaseExpression, expected, dump)
fix
2010-12-10 19:03:32 +03:00
else:
gazillion changes, nothing will work, muhahaha
2012-02-17 18:22:48 +04:00
value = __goError(query, expected, dump)
Minor enhancement to speedup active dbms fingerprint (-f). Code cleanup and refactoring.
2010-12-14 00:33:42 +03:00
minor tuning (2 techniques MAX per value used)
2010-12-21 18:24:14 +03:00
count += 1
minor bug fix
2010-12-31 15:04:39 +03:00
found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
now resume is available for time-based blinds too
2010-12-08 15:49:26 +03:00
quick fix of a fix
2010-12-15 15:10:33 +03:00
if blind and isTechniqueAvailable(PAYLOAD.TECHNIQUE.BOOLEAN) and not found:
update
2010-12-09 01:38:26 +03:00
kb.technique = PAYLOAD.TECHNIQUE.BOOLEAN
Minor enhancement to speedup active dbms fingerprint (-f). Code cleanup and refactoring.
2010-12-14 00:33:42 +03:00
minor refactoring
2010-12-10 15:30:36 +03:00
if expected == EXPECTED.BOOL:
gazillion changes, nothing will work, muhahaha
2012-02-17 18:22:48 +04:00
value = __goBooleanProxy(booleanExpression)
update regarding boolean based expressions
2010-12-10 00:15:18 +03:00
else:
gazillion changes, nothing will work, muhahaha
2012-02-17 18:22:48 +04:00
value = __goInferenceProxy(query, fromUser, expected, batch, unpack, charsetType, firstChar, lastChar, dump)
Minor enhancement to speedup active dbms fingerprint (-f). Code cleanup and refactoring.
2010-12-14 00:33:42 +03:00
minor tuning (2 techniques MAX per value used)
2010-12-21 18:24:14 +03:00
count += 1
minor bug fix
2010-12-31 15:04:39 +03:00
found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
now resume is available for time-based blinds too
2010-12-08 15:49:26 +03:00
quick fix of a fix
2010-12-15 15:10:33 +03:00
if time and (isTechniqueAvailable(PAYLOAD.TECHNIQUE.TIME) or isTechniqueAvailable(PAYLOAD.TECHNIQUE.STACKED)) and not found:
if isTechniqueAvailable(PAYLOAD.TECHNIQUE.TIME):
Added support for time-based blind SQL injection via stacked queries too. Need to add vectors for some DBMS yet.
2010-12-09 02:52:31 +03:00
kb.technique = PAYLOAD.TECHNIQUE.TIME
quick fix of a fix
2010-12-15 15:10:33 +03:00
else:
Added support for time-based blind SQL injection via stacked queries too. Need to add vectors for some DBMS yet.
2010-12-09 02:52:31 +03:00
kb.technique = PAYLOAD.TECHNIQUE.STACKED
sqlmap premiere of blind time based query/bisection
2010-12-08 15:28:54 +03:00
fix
2010-12-10 19:03:32 +03:00
if expected == EXPECTED.BOOL:
gazillion changes, nothing will work, muhahaha
2012-02-17 18:22:48 +04:00
value = __goBooleanProxy(booleanExpression)
fix
2010-12-10 19:03:32 +03:00
else:
gazillion changes, nothing will work, muhahaha
2012-02-17 18:22:48 +04:00
value = __goInferenceProxy(query, fromUser, expected, batch, unpack, charsetType, firstChar, lastChar, dump)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
update
2010-12-09 01:38:26 +03:00
if value and isinstance(value, basestring):
value = value.strip()
else:
errMsg = "none of the injection types identified can be "
errMsg += "leveraged to retrieve queries output"
raise sqlmapNotVulnerableException, errMsg
minor cosmetics
2010-12-15 15:34:14 +03:00
update
2010-12-09 01:38:26 +03:00
finally:
gazillion changes, nothing will work, muhahaha
2012-02-17 18:22:48 +04:00
kb.resumeValues = True
minor fix
2011-02-20 15:20:44 +03:00
if suppressOutput is not None:
getCurrentThreadData().disableStdOut = popValue()
Minor bug fix
2010-03-18 20:36:58 +03:00
update (smaller memory footprint in postprocessing phase because of safecharencode part)
2011-07-26 00:40:31 +04:00
kb.safeCharEncode = False
added support for handling binary data values (no more garbish chars)
2011-04-10 03:13:16 +04:00
avoiding --no-cast/--hex warning message before a DBMS is fingerprinted
2012-05-08 18:06:41 +04:00
if not kb.testMode and value is None and Backend.getDbms() and conf.dbmsHandler:
minor update
2012-03-08 19:43:22 +04:00
warnMsg = "in case of continuous data retrieval problems you are advised to try "
minor update
2012-04-03 14:43:46 +04:00
warnMsg += "a switch '--no-cast' and/or switch '--hex'"
minor update
2012-03-08 19:43:22 +04:00
singleTimeWarnMessage(warnMsg)
gazillion changes, nothing will work, muhahaha
2012-02-17 18:22:48 +04:00
return extractExpectedValue(value, expected)
Initial implementation of support for stacked queries. Added method to test for Time based blind SQL injection query stacking on the affected parameter a SLEEP() or similar DBMS specific function. Adapted libraries, plugins and XML with the above changes. Minor layout adjustments.
2008-11-12 03:36:50 +03:00
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
def goStacked(expression, silent=False):
code beautification
2010-12-08 16:04:48 +03:00
kb.technique = PAYLOAD.TECHNIQUE.STACKED
Ahead with the improvements to the comparison algorithm. Added support internally to forge CASE statements, used only by --is-dba query at the moment. Allow DDL, DML (INSERT, UPDATE, etc.) from user in SQL query and SQL shell. Minor code adjustments.
2008-12-19 23:09:46 +03:00
expression = cleanQuery(expression)
Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments.
2010-03-27 02:23:25 +03:00
if conf.direct:
Minor adjustments Cosmetics
2011-02-01 00:22:39 +03:00
return direct(expression)
Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments.
2010-03-27 02:23:25 +03:00
refactoring (class names should always be Capital cased)
2011-01-28 19:36:09 +03:00
comment = queries[Backend.getIdentifiedDbms()].comment.query
Added tag <epayload> to the payloads.xml's <test> tag to define which payload to use when exploiting the test type. Removed some useless tests. Moved <error> from queries.xml to payloads.xml as it makes more sense. Beeps at sql inj found only if --beep is provided. Minor fix in order to be able to pickle advancedDict() objects. Minor code refactoring. Removed useless folders.
2010-12-01 20:09:52 +03:00
query = agent.prefixQuery("; %s" % expression)
query = agent.suffixQuery("%s;%s" % (query, comment))
Added support to test for stacked queries support and improved check for time based blind sql injection. Minor bug fix in --save option
2008-12-17 00:30:24 +03:00
payload = agent.payload(newValue=query)
minor adjustment
2011-02-07 15:51:38 +03:00
Request.queryPage(payload, content=False, silent=silent, noteResponseTime=False, timeBasedCompare=True)
OR based inference works for the first time in history and fingerprint of 4 major DBMSes is now injection based (instead of AND)
2010-12-06 21:20:57 +03:00
just in case as maybe there will be some boolean expression to check where we won't expect None, but explicitly True/False
2010-12-14 12:05:00 +03:00
def checkBooleanExpression(expression, expectingNone=True):
Fixed store and resume of brute-forced tables/columns for MSSQL/Sybase
2011-02-10 14:14:05 +03:00
kb.suppressSession = True
value = getValue(unescaper.unescape(expression), expected=EXPECTED.BOOL, suppressOutput=True, expectingNone=expectingNone)
kb.suppressSession = False
return value
Reference in New Issue Copy Permalink