sqlmap/lib/utils/resume.py

196 lines
6.8 KiB
Python
Raw Normal View History

2008-10-15 19:38:22 +04:00
#!/usr/bin/env python
"""
2008-10-15 19:56:32 +04:00
$Id$
2008-10-15 19:38:22 +04:00
Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
2010-10-15 03:18:29 +04:00
See the file 'doc/COPYING' for copying permission
2008-10-15 19:38:22 +04:00
"""
import re
import time
2008-10-15 19:38:22 +04:00
from lib.core.common import calculateDeltaSeconds
2008-10-15 19:38:22 +04:00
from lib.core.common import dataToSessionFile
2010-01-15 19:06:59 +03:00
from lib.core.common import safeStringFormat
from lib.core.common import randomStr
from lib.core.common import replaceNewlineTabs
2008-10-15 19:38:22 +04:00
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import queries
from lib.core.unescaper import unescaper
from lib.techniques.blind.inference import bisection
2008-10-15 19:38:22 +04:00
def queryOutputLength(expression, payload):
"""
Returns the query output length.
"""
lengthQuery = queries[kb.dbms].length
select = re.search("\ASELECT\s+", expression, re.I)
selectTopExpr = re.search("\ASELECT\s+TOP\s+[\d]+\s+(.+?)\s+FROM", expression, re.I)
selectDistinctExpr = re.search("\ASELECT\s+DISTINCT\((.+?)\)\s+FROM", expression, re.I)
selectFromExpr = re.search("\ASELECT\s+(.+?)\s+FROM", expression, re.I)
selectExpr = re.search("\ASELECT\s+(.+)$", expression, re.I)
2008-10-15 19:38:22 +04:00
miscExpr = re.search("\A(.+)", expression, re.I)
if selectTopExpr or selectDistinctExpr or selectFromExpr or selectExpr:
2008-10-15 19:38:22 +04:00
if selectTopExpr:
regExpr = selectTopExpr.groups()[0]
elif selectDistinctExpr:
regExpr = selectDistinctExpr.groups()[0]
elif selectFromExpr:
regExpr = selectFromExpr.groups()[0]
2008-10-15 19:38:22 +04:00
elif selectExpr:
regExpr = selectExpr.groups()[0]
elif miscExpr:
regExpr = miscExpr.groups()[0]
if ( select and re.search("\A(COUNT|LTRIM)\(", regExpr, re.I) ) or len(regExpr) <= 1:
return None, None, None
if selectDistinctExpr:
2010-03-11 01:08:11 +03:00
lengthExpr = "SELECT %s FROM (%s)" % (lengthQuery % regExpr, expression)
if kb.dbms in ( "MySQL", "PostgreSQL" ):
lengthExpr += " AS %s" % randomStr(lowercase=True)
elif select:
2008-10-15 19:38:22 +04:00
lengthExpr = expression.replace(regExpr, lengthQuery % regExpr, 1)
else:
lengthExpr = lengthQuery % expression
infoMsg = "retrieving the length of query output"
logger.info(infoMsg)
output = resume(lengthExpr, payload)
if output:
return 0, output, regExpr
2010-01-15 20:42:46 +03:00
dataToSessionFile("[%s][%s][%s][%s][" % (conf.url, kb.injPlace, conf.parameters[kb.injPlace], lengthExpr))
2008-10-15 19:38:22 +04:00
start = time.time()
2008-10-15 19:38:22 +04:00
lengthExprUnescaped = unescaper.unescape(lengthExpr)
count, length = bisection(payload, lengthExprUnescaped, charsetType=2)
debugMsg = "performed %d queries in %d seconds" % (count, calculateDeltaSeconds(start))
logger.debug(debugMsg)
2008-10-15 19:38:22 +04:00
if length == " ":
length = 0
2008-10-15 19:38:22 +04:00
return count, length, regExpr
def resume(expression, payload):
"""
This function can be called to resume part or entire output of a
SQL injection query output.
"""
2010-10-14 00:54:18 +04:00
try:
if "sqlmapfile" in expression or "sqlmapoutput" in expression:
return None
2008-10-15 19:38:22 +04:00
2010-10-14 00:54:18 +04:00
condition = (
kb.resumedQueries and conf.url in kb.resumedQueries.keys()
and expression in kb.resumedQueries[conf.url].keys()
)
2008-10-15 19:38:22 +04:00
2010-10-14 00:54:18 +04:00
if not condition:
return None
2008-10-15 19:38:22 +04:00
2010-10-14 00:54:18 +04:00
resumedValue = kb.resumedQueries[conf.url][expression]
2008-10-15 19:38:22 +04:00
2010-10-14 00:54:18 +04:00
if not resumedValue:
return None
2008-10-15 19:38:22 +04:00
2010-10-14 00:54:18 +04:00
resumedValue = resumedValue.replace("__NEWLINE__", "\n").replace("__TAB__", "\t")
2010-10-14 00:54:18 +04:00
if resumedValue[-1] == "]":
resumedValue = resumedValue[:-1]
2008-10-15 19:38:22 +04:00
2010-10-14 00:54:18 +04:00
infoMsg = "read from file '%s': " % conf.sessionFile
logValue = re.findall("__START__(.*?)__STOP__", resumedValue, re.S)
2008-10-15 19:38:22 +04:00
2010-10-14 00:54:18 +04:00
if logValue:
logValue = ", ".join([value.replace("__DEL__", ", ") for value in logValue])
else:
logValue = resumedValue
2008-10-15 19:38:22 +04:00
2010-10-14 00:54:18 +04:00
if "\n" in logValue:
infoMsg += "%s..." % logValue.split("\n")[0]
else:
infoMsg += logValue
2008-10-15 19:38:22 +04:00
2010-10-14 00:54:18 +04:00
logger.info(infoMsg)
2008-10-15 19:38:22 +04:00
2010-10-14 00:54:18 +04:00
return resumedValue
2008-10-15 19:38:22 +04:00
2010-10-14 00:54:18 +04:00
# If we called this function without providing a payload it means that
# we have called it from lib/request/inject __goInband() function
# in UNION query (inband) SQL injection so we return to the calling
# function so that the query output will be retrieved taking advantage
# of the inband SQL injection vulnerability.
if not payload:
return None
2008-10-15 19:38:22 +04:00
2010-10-14 00:54:18 +04:00
if not kb.dbms:
return None
2010-10-14 00:54:18 +04:00
substringQuery = queries[kb.dbms].substring
select = re.search("\ASELECT ", expression, re.I)
2008-10-15 19:38:22 +04:00
2010-10-14 00:54:18 +04:00
_, length, regExpr = queryOutputLength(expression, payload)
2008-10-15 19:38:22 +04:00
2010-10-14 00:54:18 +04:00
if not length:
return None
2008-10-15 19:38:22 +04:00
2010-10-14 00:54:18 +04:00
if len(resumedValue) == int(length):
infoMsg = "read from file '%s': " % conf.sessionFile
infoMsg += "%s" % resumedValue.split("\n")[0]
logger.info(infoMsg)
2008-10-15 19:38:22 +04:00
2010-10-14 00:54:18 +04:00
dataToSessionFile("[%s][%s][%s][%s][%s]\n" % (conf.url, kb.injPlace, conf.parameters[kb.injPlace], expression, replaceNewlineTabs(resumedValue)))
2008-10-15 19:38:22 +04:00
2010-10-14 00:54:18 +04:00
return resumedValue
elif len(resumedValue) < int(length):
infoMsg = "resumed from file '%s': " % conf.sessionFile
infoMsg += "%s..." % resumedValue.split("\n")[0]
logger.info(infoMsg)
2008-10-15 19:38:22 +04:00
2010-10-14 00:54:18 +04:00
dataToSessionFile("[%s][%s][%s][%s][%s" % (conf.url, kb.injPlace, conf.parameters[kb.injPlace], expression, replaceNewlineTabs(resumedValue)))
2008-10-15 19:38:22 +04:00
2010-10-14 00:54:18 +04:00
if select:
newExpr = expression.replace(regExpr, safeStringFormat(substringQuery, (regExpr, len(resumedValue) + 1, int(length))), 1)
else:
newExpr = safeStringFormat(substringQuery, (expression, len(resumedValue) + 1, int(length)))
2008-10-15 19:38:22 +04:00
2010-10-14 00:54:18 +04:00
missingCharsLength = int(length) - len(resumedValue)
2008-10-15 19:38:22 +04:00
2010-10-14 00:54:18 +04:00
infoMsg = "retrieving pending %d query " % missingCharsLength
infoMsg += "output characters"
logger.info(infoMsg)
2008-10-15 19:38:22 +04:00
2010-10-14 00:54:18 +04:00
start = time.time()
count, finalValue = bisection(payload, newExpr, length=missingCharsLength)
2010-10-14 00:54:18 +04:00
debugMsg = "performed %d queries in %d seconds" % (count, calculateDeltaSeconds(start))
logger.debug(debugMsg)
2008-10-15 19:38:22 +04:00
2010-10-14 00:54:18 +04:00
if len(finalValue) != ( int(length) - len(resumedValue) ):
warnMsg = "the total length of the query is not "
warnMsg += "right, sqlmap is going to retrieve the "
warnMsg += "query value from the beginning now"
logger.warn(warnMsg)
2008-10-15 19:38:22 +04:00
2010-10-14 00:54:18 +04:00
return None
2008-10-15 19:38:22 +04:00
2010-10-14 00:54:18 +04:00
return "%s%s" % (resumedValue, finalValue)
2008-10-15 19:38:22 +04:00
2010-10-14 00:54:18 +04:00
return None
2010-10-14 19:23:42 +04:00
except ValueError:
2010-10-14 00:54:18 +04:00
errMsg = "invalid resume value for expression: '%s'" % expression
logger.error(errMsg)
return None