sqlmap/lib/parse/payloads.py

#!/usr/bin/env python

"""
Copyright (c) 2006-2022 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

import os
import re

from xml.etree import ElementTree as et

from lib.core.common import getSafeExString
from lib.core.compat import xrange
from lib.core.data import conf
from lib.core.data import paths
from lib.core.datatype import AttribDict
from lib.core.exception import SqlmapInstallationException
from lib.core.settings import PAYLOAD_XML_FILES

def cleanupVals(text, tag):
    if tag == "clause" and '-' in text:
        text = re.sub(r"(\d+)-(\d+)", lambda match: ','.join(str(_) for _ in xrange(int(match.group(1)), int(match.group(2)) + 1)), text)

    if tag in ("clause", "where"):
        text = text.split(',')

    if hasattr(text, "isdigit") and text.isdigit():
        text = int(text)

    elif isinstance(text, list):
        count = 0

        for _ in text:
            text[count] = int(_) if _.isdigit() else _
            count += 1

        if len(text) == 1 and tag not in ("clause", "where"):
            text = text[0]

    return text

def parseXmlNode(node):
    for element in node.findall("boundary"):
        boundary = AttribDict()

        for child in element:
            if child.text:
                values = cleanupVals(child.text, child.tag)
                boundary[child.tag] = values
            else:
                boundary[child.tag] = None

        conf.boundaries.append(boundary)

    for element in node.findall("test"):
        test = AttribDict()

        for child in element:
            if child.text and child.text.strip():
                values = cleanupVals(child.text, child.tag)
                test[child.tag] = values
            else:
                if len(child.findall("*")) == 0:
                    test[child.tag] = None
                    continue
                else:
                    test[child.tag] = AttribDict()

                for gchild in child:
                    if gchild.tag in test[child.tag]:
                        prevtext = test[child.tag][gchild.tag]
                        test[child.tag][gchild.tag] = [prevtext, gchild.text]
                    else:
                        test[child.tag][gchild.tag] = gchild.text

        conf.tests.append(test)

def loadBoundaries():
    """
    Loads boundaries from XML

    >>> conf.boundaries = []
    >>> loadBoundaries()
    >>> len(conf.boundaries) > 0
    True
    """

    try:
        doc = et.parse(paths.BOUNDARIES_XML)
    except Exception as ex:
        errMsg = "something appears to be wrong with "
        errMsg += "the file '%s' ('%s'). Please make " % (paths.BOUNDARIES_XML, getSafeExString(ex))
        errMsg += "sure that you haven't made any changes to it"
        raise SqlmapInstallationException(errMsg)

    root = doc.getroot()
    parseXmlNode(root)

def loadPayloads():
    """
    Loads payloads/tests from XML

    >>> conf.tests = []
    >>> loadPayloads()
    >>> len(conf.tests) > 0
    True
    """

    for payloadFile in PAYLOAD_XML_FILES:
        payloadFilePath = os.path.join(paths.SQLMAP_XML_PAYLOADS_PATH, payloadFile)

        try:
            doc = et.parse(payloadFilePath)
        except Exception as ex:
            errMsg = "something appears to be wrong with "
            errMsg += "the file '%s' ('%s'). Please make " % (payloadFilePath, getSafeExString(ex))
            errMsg += "sure that you haven't made any changes to it"
            raise SqlmapInstallationException(errMsg)

        root = doc.getroot()
        parseXmlNode(root)
Last preparations for DREI 2019-05-08 13:47:52 +03:00			`#!/usr/bin/env python`
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work! 2010-11-28 21:10:54 +03:00
			`"""`
Copyright year bump 2022-01-03 13:30:34 +03:00			`Copyright (c) 2006-2022 sqlmap developers (https://sqlmap.org/)`
Replacing doc/COPYING to LICENSE 2017-10-11 15:50:46 +03:00			`See the file 'LICENSE' for copying permission`
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work! 2010-11-28 21:10:54 +03:00			`"""`

code refactoring: split boundaries and payloads XML files 2015-02-15 19:31:35 +03:00			`import os`
Cleaning a mess with stacked queries and pre-WHERE boundaries 2018-09-14 11:30:58 +03:00			`import re`
code refactoring: split boundaries and payloads XML files 2015-02-15 19:31:35 +03:00
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work! 2010-11-28 21:10:54 +03:00			`from xml.etree import ElementTree as et`

Minor patch 2015-10-23 15:29:48 +03:00			`from lib.core.common import getSafeExString`
Some more DREI stuff 2019-03-28 18:04:38 +03:00			`from lib.core.compat import xrange`
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work! 2010-11-28 21:10:54 +03:00			`from lib.core.data import conf`
			`from lib.core.data import paths`
few fixes and minor cosmetics 2011-07-08 10:02:31 +04:00			`from lib.core.datatype import AttribDict`
Patch for an Issue #919 2014-11-10 15:41:53 +03:00			`from lib.core.exception import SqlmapInstallationException`
Renaming payload files (consistency with the rest of the project) 2016-07-17 01:21:16 +03:00			`from lib.core.settings import PAYLOAD_XML_FILES`
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work! 2010-11-28 21:10:54 +03:00
Code cleanup and minor refactoring 2010-12-03 13:51:27 +03:00			`def cleanupVals(text, tag):`
Cleaning a mess with stacked queries and pre-WHERE boundaries 2018-09-14 11:30:58 +03:00			`if tag == "clause" and '-' in text:`
			`text = re.sub(r"(\d+)-(\d+)", lambda match: ','.join(str(_) for _ in xrange(int(match.group(1)), int(match.group(2)) + 1)), text)`

Code cleanup and minor refactoring 2010-12-03 13:51:27 +03:00			`if tag in ("clause", "where"):`
			`text = text.split(',')`
Added tag <epayload> to the payloads.xml's <test> tag to define which payload to use when exploiting the test type. Removed some useless tests. Moved <error> from queries.xml to payloads.xml as it makes more sense. Beeps at sql inj found only if --beep is provided. Minor fix in order to be able to pickle advancedDict() objects. Minor code refactoring. Removed useless folders. 2010-12-01 20:09:52 +03:00
Dealing with basesting (one baby step closer to Py3 salvation) 2019-03-28 15:53:54 +03:00			`if hasattr(text, "isdigit") and text.isdigit():`
			`text = int(text)`
Code cleanup and minor refactoring 2010-12-03 13:51:27 +03:00
			`elif isinstance(text, list):`
			`count = 0`

Style update 2012-12-10 20:20:04 +04:00			`for _ in text:`
Fixes #1621 2015-12-23 10:55:45 +03:00			`text[count] = int(_) if _.isdigit() else _`
Code cleanup and minor refactoring 2010-12-03 13:51:27 +03:00			`count += 1`
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work! 2010-11-28 21:10:54 +03:00
Code cleanup and minor refactoring 2010-12-03 13:51:27 +03:00			`if len(text) == 1 and tag not in ("clause", "where"):`
			`text = text[0]`
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work! 2010-11-28 21:10:54 +03:00
Code cleanup and minor refactoring 2010-12-03 13:51:27 +03:00			`return text`
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work! 2010-11-28 21:10:54 +03:00
			`def parseXmlNode(node):`
Fixes #4126 2020-02-28 16:08:43 +03:00			`for element in node.findall("boundary"):`
few fixes and minor cosmetics 2011-07-08 10:02:31 +04:00			`boundary = AttribDict()`
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work! 2010-11-28 21:10:54 +03:00
Some more Python 3.9 patching 2020-02-28 16:24:50 +03:00			`for child in element:`
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work! 2010-11-28 21:10:54 +03:00			`if child.text:`
Code cleanup and minor refactoring 2010-12-03 13:51:27 +03:00			`values = cleanupVals(child.text, child.tag)`
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work! 2010-11-28 21:10:54 +03:00			`boundary[child.tag] = values`
			`else:`
			`boundary[child.tag] = None`

			`conf.boundaries.append(boundary)`

Fixes #4126 2020-02-28 16:08:43 +03:00			`for element in node.findall("test"):`
few fixes and minor cosmetics 2011-07-08 10:02:31 +04:00			`test = AttribDict()`
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work! 2010-11-28 21:10:54 +03:00
Some more Python 3.9 patching 2020-02-28 16:24:50 +03:00			`for child in element:`
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work! 2010-11-28 21:10:54 +03:00			`if child.text and child.text.strip():`
Code cleanup and minor refactoring 2010-12-03 13:51:27 +03:00			`values = cleanupVals(child.text, child.tag)`
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work! 2010-11-28 21:10:54 +03:00			`test[child.tag] = values`
			`else:`
Some more Python 3.9 patching 2020-02-28 16:24:50 +03:00			`if len(child.findall("*")) == 0:`
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work! 2010-11-28 21:10:54 +03:00			`test[child.tag] = None`
			`continue`
			`else:`
few fixes and minor cosmetics 2011-07-08 10:02:31 +04:00			`test[child.tag] = AttribDict()`
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work! 2010-11-28 21:10:54 +03:00
Some more Python 3.9 patching 2020-02-28 16:24:50 +03:00			`for gchild in child:`
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work! 2010-11-28 21:10:54 +03:00			`if gchild.tag in test[child.tag]:`
			`prevtext = test[child.tag][gchild.tag]`
			`test[child.tag][gchild.tag] = [prevtext, gchild.text]`
			`else:`
			`test[child.tag][gchild.tag] = gchild.text`

			`conf.tests.append(test)`

code refactoring: split boundaries and payloads XML files 2015-02-15 19:31:35 +03:00			`def loadBoundaries():`
Some more Python 3.9 patching 2020-02-28 16:24:50 +03:00			`"""`
			`Loads boundaries from XML`

			`>>> conf.boundaries = []`
			`>>> loadBoundaries()`
			`>>> len(conf.boundaries) > 0`
			`True`
			`"""`

Patch for an Issue #919 2014-11-10 15:41:53 +03:00			`try:`
code refactoring: split boundaries and payloads XML files 2015-02-15 19:31:35 +03:00			`doc = et.parse(paths.BOUNDARIES_XML)`
Baby steps (2 to 3 at a time) 2019-01-22 02:40:48 +03:00			`except Exception as ex:`
More formal language 2016-05-22 22:44:17 +03:00			`errMsg = "something appears to be wrong with "`
Minor patch 2015-10-23 15:29:48 +03:00			`errMsg += "the file '%s' ('%s'). Please make " % (paths.BOUNDARIES_XML, getSafeExString(ex))`
Patch for an Issue #919 2014-11-10 15:41:53 +03:00			`errMsg += "sure that you haven't made any changes to it"`
Dealing with deprecated raises 2018-03-13 13:13:38 +03:00			`raise SqlmapInstallationException(errMsg)`
Patch for an Issue #919 2014-11-10 15:41:53 +03:00
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work! 2010-11-28 21:10:54 +03:00			`root = doc.getroot()`
			`parseXmlNode(root)`
code refactoring: split boundaries and payloads XML files 2015-02-15 19:31:35 +03:00
			`def loadPayloads():`
Some more Python 3.9 patching 2020-02-28 16:24:50 +03:00			`"""`
			`Loads payloads/tests from XML`

			`>>> conf.tests = []`
			`>>> loadPayloads()`
			`>>> len(conf.tests) > 0`
			`True`
			`"""`

Renaming payload files (consistency with the rest of the project) 2016-07-17 01:21:16 +03:00			`for payloadFile in PAYLOAD_XML_FILES:`
code refactoring: split boundaries and payloads XML files 2015-02-15 19:31:35 +03:00			`payloadFilePath = os.path.join(paths.SQLMAP_XML_PAYLOADS_PATH, payloadFile)`

			`try:`
			`doc = et.parse(payloadFilePath)`
Baby steps (2 to 3 at a time) 2019-01-22 02:40:48 +03:00			`except Exception as ex:`
More formal language 2016-05-22 22:44:17 +03:00			`errMsg = "something appears to be wrong with "`
Minor patch 2015-10-23 15:29:48 +03:00			`errMsg += "the file '%s' ('%s'). Please make " % (payloadFilePath, getSafeExString(ex))`
code refactoring: split boundaries and payloads XML files 2015-02-15 19:31:35 +03:00			`errMsg += "sure that you haven't made any changes to it"`
Dealing with deprecated raises 2018-03-13 13:13:38 +03:00			`raise SqlmapInstallationException(errMsg)`
code refactoring: split boundaries and payloads XML files 2015-02-15 19:31:35 +03:00
minor fix 2015-02-18 13:13:28 +03:00			`root = doc.getroot()`
			`parseXmlNode(root)`