sqlmap/lib/utils/brute.py

412 lines
16 KiB
Python
Raw Permalink Normal View History

2019-05-08 13:47:52 +03:00
#!/usr/bin/env python
2010-11-09 12:42:43 +03:00
"""
2022-01-03 13:30:34 +03:00
Copyright (c) 2006-2022 sqlmap developers (https://sqlmap.org/)
2017-10-11 15:50:46 +03:00
See the file 'LICENSE' for copying permission
2010-11-09 12:42:43 +03:00
"""
2019-06-04 13:15:39 +03:00
from __future__ import division
2019-06-27 18:28:43 +03:00
import logging
2010-11-09 12:42:43 +03:00
import time
2019-06-04 15:44:06 +03:00
from lib.core.common import Backend
2010-11-24 00:00:42 +03:00
from lib.core.common import clearConsoleLine
2010-11-09 12:42:43 +03:00
from lib.core.common import dataToStdout
from lib.core.common import filterListValue
2010-11-09 12:42:43 +03:00
from lib.core.common import getFileItems
from lib.core.common import getPageWordSet
from lib.core.common import hashDBWrite
2019-06-27 18:28:43 +03:00
from lib.core.common import isNoneValue
2019-06-28 14:56:48 +03:00
from lib.core.common import ntToPosixSlashes
2019-06-27 18:28:43 +03:00
from lib.core.common import popValue
from lib.core.common import pushValue
2010-11-09 12:42:43 +03:00
from lib.core.common import randomInt
from lib.core.common import randomStr
2014-05-13 02:50:36 +04:00
from lib.core.common import readInput
2011-03-30 01:54:15 +04:00
from lib.core.common import safeSQLIdentificatorNaming
2019-06-04 15:44:06 +03:00
from lib.core.common import safeStringFormat
2019-06-27 18:28:43 +03:00
from lib.core.common import unArrayizeValue
2013-02-15 17:48:24 +04:00
from lib.core.common import unsafeSQLIdentificatorNaming
2010-11-09 12:42:43 +03:00
from lib.core.data import conf
from lib.core.data import kb
2010-11-09 12:42:43 +03:00
from lib.core.data import logger
2019-06-27 18:28:43 +03:00
from lib.core.decorators import stackedmethod
2010-12-26 14:15:02 +03:00
from lib.core.enums import DBMS
2011-12-28 17:50:03 +04:00
from lib.core.enums import HASHDB_KEYS
2014-05-13 02:50:36 +04:00
from lib.core.enums import PAYLOAD
from lib.core.exception import SqlmapDataException
from lib.core.exception import SqlmapMissingMandatoryOptionException
2019-06-27 18:28:43 +03:00
from lib.core.exception import SqlmapNoneDataException
from lib.core.settings import BRUTE_COLUMN_EXISTS_TEMPLATE
from lib.core.settings import BRUTE_TABLE_EXISTS_TEMPLATE
from lib.core.settings import METADB_SUFFIX
2020-01-27 19:32:31 +03:00
from lib.core.settings import UPPER_CASE_DBMSES
from lib.core.threads import getCurrentThreadData
from lib.core.threads import runThreads
2010-12-09 01:14:42 +03:00
from lib.request import inject
2010-11-09 12:42:43 +03:00
def _addPageTextWords():
wordsList = []
2011-02-08 03:02:54 +03:00
2010-12-26 12:40:40 +03:00
infoMsg = "adding words used on web page to the check list"
logger.info(infoMsg)
pageWords = getPageWordSet(kb.originalPage)
2011-01-07 19:36:32 +03:00
for word in pageWords:
word = word.lower()
2011-01-07 19:36:32 +03:00
if len(word) > 2 and not word[0].isdigit() and word not in wordsList:
wordsList.append(word)
2010-11-09 12:42:43 +03:00
return wordsList
2019-08-13 13:23:45 +03:00
@stackedmethod
def tableExists(tableFile, regex=None):
2021-01-12 15:21:51 +03:00
if kb.choices.tableExists is None and not any(_ for _ in kb.injection.data if _ not in (PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED)) and not conf.direct:
2014-05-13 02:50:36 +04:00
warnMsg = "it's not recommended to use '%s' and/or '%s' " % (PAYLOAD.SQLINJECTION[PAYLOAD.TECHNIQUE.TIME], PAYLOAD.SQLINJECTION[PAYLOAD.TECHNIQUE.STACKED])
warnMsg += "for common table existence check"
logger.warn(warnMsg)
message = "are you sure you want to continue? [y/N] "
2021-01-12 15:21:51 +03:00
kb.choices.tableExists = readInput(message, default='N', boolean=True)
2014-05-13 02:50:36 +04:00
2021-01-12 15:21:51 +03:00
if not kb.choices.tableExists:
2014-05-13 02:50:36 +04:00
return None
result = inject.checkBooleanExpression("%s" % safeStringFormat(BRUTE_TABLE_EXISTS_TEMPLATE, (randomInt(1), randomStr())))
if result:
errMsg = "can't use table existence check because of detected invalid results "
errMsg += "(most likely caused by inability of the used injection "
errMsg += "to distinguish erroneous results)"
raise SqlmapDataException(errMsg)
2019-08-13 13:23:45 +03:00
pushValue(conf.db)
2020-01-27 19:32:31 +03:00
if conf.db and Backend.getIdentifiedDbms() in UPPER_CASE_DBMSES:
2019-08-13 13:23:45 +03:00
conf.db = conf.db.upper()
2017-04-19 14:56:29 +03:00
message = "which common tables (wordlist) file do you want to use?\n"
message += "[1] default '%s' (press Enter)\n" % tableFile
message += "[2] custom"
choice = readInput(message, default='1')
if choice == '2':
message = "what's the custom common tables file location?\n"
tableFile = readInput(message) or tableFile
2019-08-13 13:23:45 +03:00
infoMsg = "performing table existence using items from '%s'" % tableFile
logger.info(infoMsg)
2017-04-19 14:56:29 +03:00
tables = getFileItems(tableFile, lowercase=Backend.getIdentifiedDbms() in (DBMS.ACCESS,), unique=True)
tables.extend(_addPageTextWords())
tables = filterListValue(tables, regex)
2011-06-07 14:08:12 +04:00
2019-08-13 13:23:45 +03:00
for conf.db in (conf.db.split(',') if conf.db else [conf.db]):
if conf.db and METADB_SUFFIX not in conf.db:
2019-08-13 13:23:45 +03:00
infoMsg = "checking database '%s'" % conf.db
logger.info(infoMsg)
2011-06-07 14:08:12 +04:00
threadData = getCurrentThreadData()
2019-08-13 13:23:45 +03:00
threadData.shared.count = 0
threadData.shared.limit = len(tables)
threadData.shared.files = []
threadData.shared.unique = set()
def tableExistsThread():
threadData = getCurrentThreadData()
while kb.threadContinue:
kb.locks.count.acquire()
if threadData.shared.count < threadData.shared.limit:
table = safeSQLIdentificatorNaming(tables[threadData.shared.count], True)
threadData.shared.count += 1
kb.locks.count.release()
else:
kb.locks.count.release()
break
if conf.db and METADB_SUFFIX not in conf.db and Backend.getIdentifiedDbms() not in (DBMS.SQLITE, DBMS.ACCESS, DBMS.FIREBIRD):
fullTableName = "%s.%s" % (conf.db, table)
else:
fullTableName = table
2020-01-23 01:41:06 +03:00
if Backend.isDbms(DBMS.MCKOI):
_ = randomInt(1)
result = inject.checkBooleanExpression("%s" % safeStringFormat("%d=(SELECT %d FROM %s)", (_, _, fullTableName)))
else:
result = inject.checkBooleanExpression("%s" % safeStringFormat(BRUTE_TABLE_EXISTS_TEMPLATE, (randomInt(1), fullTableName)))
2019-08-13 13:23:45 +03:00
kb.locks.io.acquire()
if result and table.lower() not in threadData.shared.unique:
threadData.shared.files.append(table)
threadData.shared.unique.add(table.lower())
if conf.verbose in (1, 2) and not conf.api:
clearConsoleLine(True)
infoMsg = "[%s] [INFO] retrieved: %s\n" % (time.strftime("%X"), unsafeSQLIdentificatorNaming(table))
dataToStdout(infoMsg, True)
if conf.verbose in (1, 2):
status = '%d/%d items (%d%%)' % (threadData.shared.count, threadData.shared.limit, round(100.0 * threadData.shared.count / threadData.shared.limit))
dataToStdout("\r[%s] [INFO] tried %s" % (time.strftime("%X"), status), True)
kb.locks.io.release()
try:
runThreads(conf.threads, tableExistsThread, threadChoice=True)
except KeyboardInterrupt:
warnMsg = "user aborted during table existence "
warnMsg += "check. sqlmap will display partial output"
logger.warn(warnMsg)
clearConsoleLine(True)
dataToStdout("\n")
if not threadData.shared.files:
warnMsg = "no table(s) found"
if conf.db:
2019-12-10 00:13:52 +03:00
warnMsg += " for database '%s'" % conf.db
2019-08-13 13:23:45 +03:00
logger.warn(warnMsg)
else:
for item in threadData.shared.files:
if conf.db not in kb.data.cachedTables:
kb.data.cachedTables[conf.db] = [item]
else:
kb.data.cachedTables[conf.db].append(item)
for _ in ((conf.db, item) for item in threadData.shared.files):
if _ not in kb.brute.tables:
kb.brute.tables.append(_)
conf.db = popValue()
hashDBWrite(HASHDB_KEYS.KB_BRUTE_TABLES, kb.brute.tables, True)
2011-12-28 17:50:03 +04:00
return kb.data.cachedTables
2010-11-09 12:42:43 +03:00
def columnExists(columnFile, regex=None):
2021-01-12 15:21:51 +03:00
if kb.choices.columnExists is None and not any(_ for _ in kb.injection.data if _ not in (PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED)) and not conf.direct:
2014-05-13 02:50:36 +04:00
warnMsg = "it's not recommended to use '%s' and/or '%s' " % (PAYLOAD.SQLINJECTION[PAYLOAD.TECHNIQUE.TIME], PAYLOAD.SQLINJECTION[PAYLOAD.TECHNIQUE.STACKED])
warnMsg += "for common column existence check"
logger.warn(warnMsg)
message = "are you sure you want to continue? [y/N] "
2021-01-12 15:21:51 +03:00
kb.choices.columnExists = readInput(message, default='N', boolean=True)
2014-05-13 02:50:36 +04:00
2021-01-12 15:21:51 +03:00
if not kb.choices.columnExists:
2014-05-13 02:50:36 +04:00
return None
if not conf.tbl:
errMsg = "missing table parameter"
raise SqlmapMissingMandatoryOptionException(errMsg)
2020-01-27 19:32:31 +03:00
if conf.db and Backend.getIdentifiedDbms() in UPPER_CASE_DBMSES:
2013-01-23 20:22:28 +04:00
conf.db = conf.db.upper()
result = inject.checkBooleanExpression(safeStringFormat(BRUTE_COLUMN_EXISTS_TEMPLATE, (randomStr(), randomStr())))
2013-01-23 20:22:28 +04:00
if result:
errMsg = "can't use column existence check because of detected invalid results "
errMsg += "(most likely caused by inability of the used injection "
errMsg += "to distinguish erroneous results)"
raise SqlmapDataException(errMsg)
2017-04-19 14:56:29 +03:00
message = "which common columns (wordlist) file do you want to use?\n"
message += "[1] default '%s' (press Enter)\n" % columnFile
message += "[2] custom"
choice = readInput(message, default='1')
if choice == '2':
message = "what's the custom common columns file location?\n"
columnFile = readInput(message) or columnFile
infoMsg = "checking column existence using items from '%s'" % columnFile
logger.info(infoMsg)
2010-12-26 14:15:02 +03:00
columns = getFileItems(columnFile, unique=True)
columns.extend(_addPageTextWords())
columns = filterListValue(columns, regex)
2012-11-28 03:03:17 +04:00
table = safeSQLIdentificatorNaming(conf.tbl, True)
if conf.db and METADB_SUFFIX not in conf.db and Backend.getIdentifiedDbms() not in (DBMS.SQLITE, DBMS.ACCESS, DBMS.FIREBIRD):
2012-11-28 03:03:17 +04:00
table = "%s.%s" % (safeSQLIdentificatorNaming(conf.db), table)
2010-11-12 01:26:36 +03:00
kb.threadContinue = True
kb.bruteMode = True
threadData = getCurrentThreadData()
threadData.shared.count = 0
threadData.shared.limit = len(columns)
threadData.shared.files = []
def columnExistsThread():
threadData = getCurrentThreadData()
while kb.threadContinue:
2011-12-28 20:27:17 +04:00
kb.locks.count.acquire()
if threadData.shared.count < threadData.shared.limit:
column = safeSQLIdentificatorNaming(columns[threadData.shared.count])
threadData.shared.count += 1
2011-12-28 20:27:17 +04:00
kb.locks.count.release()
else:
2011-12-28 20:27:17 +04:00
kb.locks.count.release()
break
2010-11-09 12:42:43 +03:00
2020-01-23 01:41:06 +03:00
if Backend.isDbms(DBMS.MCKOI):
result = inject.checkBooleanExpression(safeStringFormat("0<(SELECT COUNT(%s) FROM %s)", (column, table)))
else:
result = inject.checkBooleanExpression(safeStringFormat(BRUTE_COLUMN_EXISTS_TEMPLATE, (column, table)))
2010-11-09 12:42:43 +03:00
2011-12-28 20:27:17 +04:00
kb.locks.io.acquire()
2011-01-07 19:36:32 +03:00
if result:
threadData.shared.files.append(column)
2017-04-10 20:21:22 +03:00
if conf.verbose in (1, 2) and not conf.api:
clearConsoleLine(True)
2014-10-01 15:59:51 +04:00
infoMsg = "[%s] [INFO] retrieved: %s\n" % (time.strftime("%X"), unsafeSQLIdentificatorNaming(column))
dataToStdout(infoMsg, True)
2010-11-09 12:42:43 +03:00
if conf.verbose in (1, 2):
2014-10-01 15:59:51 +04:00
status = "%d/%d items (%d%%)" % (threadData.shared.count, threadData.shared.limit, round(100.0 * threadData.shared.count / threadData.shared.limit))
2011-01-16 03:15:30 +03:00
dataToStdout("\r[%s] [INFO] tried %s" % (time.strftime("%X"), status), True)
2011-01-07 19:36:32 +03:00
2011-12-28 20:27:17 +04:00
kb.locks.io.release()
2010-11-09 12:42:43 +03:00
try:
runThreads(conf.threads, columnExistsThread, threadChoice=True)
except KeyboardInterrupt:
warnMsg = "user aborted during column existence "
warnMsg += "check. sqlmap will display partial output"
logger.warn(warnMsg)
2019-06-27 18:28:43 +03:00
finally:
kb.bruteMode = False
2010-11-24 00:00:42 +03:00
clearConsoleLine(True)
2011-01-16 03:15:30 +03:00
dataToStdout("\n")
2010-11-09 12:42:43 +03:00
if not threadData.shared.files:
2011-05-31 03:04:49 +04:00
warnMsg = "no column(s) found"
2010-11-09 12:42:43 +03:00
logger.warn(warnMsg)
else:
columns = {}
2010-11-09 12:42:43 +03:00
for column in threadData.shared.files:
if Backend.getIdentifiedDbms() in (DBMS.MYSQL,):
result = not inject.checkBooleanExpression("%s" % safeStringFormat("EXISTS(SELECT %s FROM %s WHERE %s REGEXP '[^0-9]')", (column, table, column)))
elif Backend.getIdentifiedDbms() in (DBMS.SQLITE,):
result = inject.checkBooleanExpression("%s" % safeStringFormat("EXISTS(SELECT %s FROM %s WHERE %s NOT GLOB '*[^0-9]*')", (column, table, column)))
2020-01-23 01:41:06 +03:00
elif Backend.getIdentifiedDbms() in (DBMS.MCKOI,):
result = inject.checkBooleanExpression("%s" % safeStringFormat("0=(SELECT MAX(%s)-MAX(%s) FROM %s)", (column, column, table)))
else:
result = inject.checkBooleanExpression("%s" % safeStringFormat("EXISTS(SELECT %s FROM %s WHERE ROUND(%s)=ROUND(%s))", (column, table, column, column)))
if result:
2014-10-01 15:59:51 +04:00
columns[column] = "numeric"
else:
2014-10-01 15:59:51 +04:00
columns[column] = "non-numeric"
kb.data.cachedColumns[conf.db] = {conf.tbl: columns}
2017-11-10 15:03:24 +03:00
for _ in ((conf.db, conf.tbl, item[0], item[1]) for item in columns.items()):
2011-12-28 17:50:03 +04:00
if _ not in kb.brute.columns:
kb.brute.columns.append(_)
hashDBWrite(HASHDB_KEYS.KB_BRUTE_COLUMNS, kb.brute.columns, True)
2011-12-28 17:50:03 +04:00
return kb.data.cachedColumns
2019-06-27 18:28:43 +03:00
@stackedmethod
def fileExists(pathFile):
retVal = []
2019-06-28 14:56:48 +03:00
message = "which common files file do you want to use?\n"
message += "[1] default '%s' (press Enter)\n" % pathFile
message += "[2] custom"
choice = readInput(message, default='1')
if choice == '2':
message = "what's the custom common files file location?\n"
pathFile = readInput(message) or pathFile
infoMsg = "checking files existence using items from '%s'" % pathFile
logger.info(infoMsg)
2019-06-27 18:28:43 +03:00
paths = getFileItems(pathFile, unique=True)
kb.bruteMode = True
try:
conf.dbmsHandler.readFile(randomStr())
except SqlmapNoneDataException:
pass
except:
kb.bruteMode = False
raise
threadData = getCurrentThreadData()
threadData.shared.count = 0
threadData.shared.limit = len(paths)
threadData.shared.files = []
2019-06-27 18:28:43 +03:00
def fileExistsThread():
threadData = getCurrentThreadData()
while kb.threadContinue:
kb.locks.count.acquire()
if threadData.shared.count < threadData.shared.limit:
2019-06-28 14:56:48 +03:00
path = ntToPosixSlashes(paths[threadData.shared.count])
2019-06-27 18:28:43 +03:00
threadData.shared.count += 1
kb.locks.count.release()
else:
kb.locks.count.release()
break
try:
result = unArrayizeValue(conf.dbmsHandler.readFile(path))
except SqlmapNoneDataException:
result = None
kb.locks.io.acquire()
if not isNoneValue(result):
threadData.shared.files.append(result)
2019-06-27 18:28:43 +03:00
if not conf.api:
2019-06-27 18:28:43 +03:00
clearConsoleLine(True)
infoMsg = "[%s] [INFO] retrieved: '%s'\n" % (time.strftime("%X"), path)
dataToStdout(infoMsg, True)
if conf.verbose in (1, 2):
status = '%d/%d items (%d%%)' % (threadData.shared.count, threadData.shared.limit, round(100.0 * threadData.shared.count / threadData.shared.limit))
dataToStdout("\r[%s] [INFO] tried %s" % (time.strftime("%X"), status), True)
kb.locks.io.release()
try:
pushValue(logger.getEffectiveLevel())
logger.setLevel(logging.CRITICAL)
runThreads(conf.threads, fileExistsThread, threadChoice=True)
except KeyboardInterrupt:
warnMsg = "user aborted during file existence "
warnMsg += "check. sqlmap will display partial output"
logger.warn(warnMsg)
finally:
kb.bruteMode = False
logger.setLevel(popValue())
clearConsoleLine(True)
dataToStdout("\n")
if not threadData.shared.files:
2019-06-27 18:28:43 +03:00
warnMsg = "no file(s) found"
logger.warn(warnMsg)
else:
retVal = threadData.shared.files
2019-06-27 18:28:43 +03:00
return retVal