sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-02-16 19:40:37 +03:00
Code Issues Packages Projects Releases Wiki Activity

Major rewrote of --columns: now it accepts -D only (enumerate all tables' columns of a specific database), -D and -T (enumerate all columns of a specific database's table), -T (enumerate all columns of a current database's table), etc.

Browse Source
This commit is contained in:
Bernardo Damele 2011-04-30 22:10:27 +00:00
parent 284c69a686
commit b31b861d7b
1 changed files with 235 additions and 176 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

411
plugins/generic/enumeration.py
View File

@ -870,7 +870,7 @@ class Enumeration:
tables = [] tables = []
if Backend.getIdentifiedDbms() in ( DBMS.MSSQL, DBMS.ORACLE ): if Backend.isDbms(DBMS.ORACLE):
plusOne = True plusOne = True
else: else:
plusOne = False plusOne = False
@ -905,37 +905,61 @@ class Enumeration:
return kb.data.cachedTables return kb.data.cachedTables
def getColumns(self, onlyColNames=False): def getColumns(self, onlyColNames=False):
bruteForce = False self.forceDbmsEnum()
if conf.tbl is not None and "." in conf.tbl: if conf.db is None or conf.db == "CD":
if not conf.db: if conf.db is None:
conf.db, conf.tbl = conf.tbl.split(".") warnMsg = "missing database parameter, sqlmap is going "
warnMsg += "to use the current database to enumerate "
if conf.tbl is not None and conf.db is None: warnMsg += "table(s) columns"
warnMsg = "missing database parameter, sqlmap is going to " logger.warn(warnMsg)
warnMsg += "use the current database to enumerate table "
warnMsg += "'%s' columns" % conf.tbl
logger.warn(warnMsg)
conf.db = self.getCurrentDb() conf.db = self.getCurrentDb()
self.forceDbmsEnum() elif conf.db is not None:
if Backend.isDbms(DBMS.ORACLE):
conf.db = conf.db.upper()
if kb.data.cachedColumns and conf.db in kb.data.cachedColumns \ if ',' in conf.db:
and conf.tbl in kb.data.cachedColumns[conf.db]: errMsg = "only one database name is allowed when enumerating "
infoMsg = "fetching columns " errMsg += "the tables' columns"
infoMsg += "for table '%s' " % conf.tbl raise sqlmapMissingMandatoryOptionException, errMsg
infoMsg += "on database '%s'" % conf.db
logger.info(infoMsg)
return { conf.db: kb.data.cachedColumns[conf.db]} conf.db = safeSQLIdentificatorNaming(conf.db)
if not conf.tbl: if conf.col:
warnMsg = "missing table parameter, sqlmap will enumerate " if Backend.isDbms(DBMS.ORACLE):
warnMsg += "the full database management system schema" conf.col = conf.col.upper()
logger.warn(warnMsg)
return self.getSchema() colList = conf.col.split(",")
else:
colList = []
for col in colList:
colList[colList.index(col)] = safeSQLIdentificatorNaming(col)
if conf.tbl:
if Backend.isDbms(DBMS.ORACLE):
conf.tbl = conf.tbl.upper()
tblList = conf.tbl.split(",")
else:
self.getTables()
if len(kb.data.cachedTables) > 0:
tblList = kb.data.cachedTables.values()
if isinstance(tblList[0], (set, tuple, list)):
tblList = tblList[0]
else:
errMsg = "unable to retrieve the tables"
errMsg += "on database '%s'" % conf.db
raise sqlmapNoneDataException, errMsg
for tbl in tblList:
tblList[tblList.index(tbl)] = safeSQLIdentificatorNaming(tbl)
bruteForce = False
if Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema: if Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema:
errMsg = "information_schema not available, " errMsg = "information_schema not available, "
@ -949,27 +973,27 @@ class Enumeration:
logger.error(errMsg) logger.error(errMsg)
bruteForce = True bruteForce = True
conf.tbl = safeSQLIdentificatorNaming(conf.tbl, True)
conf.db = safeSQLIdentificatorNaming(conf.db)
if bruteForce: if bruteForce:
resumeAvailable = False resumeAvailable = False
for db, table, colName, colType in kb.brute.columns: for tbl in tblList:
if db == conf.db and table == conf.tbl: for db, table, colName, colType in kb.brute.columns:
resumeAvailable = True if db == conf.db and table == tbl:
break resumeAvailable = True
break
if resumeAvailable: if resumeAvailable:
columns = {} columns = {}
for db, table, colName, colType in kb.brute.columns:
if db == conf.db and table == conf.tbl:
columns[colName] = colType
if conf.db in kb.data.cachedColumns: for tbl in tblList:
kb.data.cachedColumns[conf.db][conf.tbl] = columns for db, table, colName, colType in kb.brute.columns:
else: if db == conf.db and table == tbl:
kb.data.cachedColumns[conf.db] = {conf.tbl: columns} columns[colName] = colType
if conf.db in kb.data.cachedColumns:
kb.data.cachedColumns[conf.db][tbl] = columns
else:
kb.data.cachedColumns[conf.db] = {tbl: columns}
return kb.data.cachedColumns return kb.data.cachedColumns
@ -986,160 +1010,190 @@ class Enumeration:
rootQuery = queries[Backend.getIdentifiedDbms()].columns rootQuery = queries[Backend.getIdentifiedDbms()].columns
condition = rootQuery.blind.condition if 'condition' in rootQuery.blind else None condition = rootQuery.blind.condition if 'condition' in rootQuery.blind else None
infoMsg = "fetching columns "
if conf.col:
if Backend.isDbms(DBMS.ORACLE):
conf.col = conf.col.upper()
colList = conf.col.split(",")
condQuery = " AND (" + " OR ".join("%s LIKE '%s'" % (condition, "%" + unsafeSQLIdentificatorNaming(col) + "%") for col in colList) + ")"
infoMsg += "like '%s' " % ", ".join(unsafeSQLIdentificatorNaming(col) for col in colList)
else:
condQuery = ""
infoMsg += "for table '%s' " % conf.tbl
infoMsg += "on database '%s'" % conf.db
logger.info(infoMsg)
if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or isTechniqueAvailable(PAYLOAD.TECHNIQUE.ERROR) or conf.direct: if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or isTechniqueAvailable(PAYLOAD.TECHNIQUE.ERROR) or conf.direct:
if Backend.getIdentifiedDbms() in ( DBMS.MYSQL, DBMS.PGSQL ): for tbl in tblList:
query = rootQuery.inband.query % (unsafeSQLIdentificatorNaming(conf.tbl), unsafeSQLIdentificatorNaming(conf.db)) if conf.db is not None and len(kb.data.cachedColumns) > 0 \
query += condQuery and conf.db in kb.data.cachedColumns and tbl in \
elif Backend.isDbms(DBMS.ORACLE): kb.data.cachedColumns[conf.db]:
query = rootQuery.inband.query % unsafeSQLIdentificatorNaming(conf.tbl.upper()) infoMsg = "fetched tables' columns on "
query += condQuery infoMsg += "database '%s'" % conf.db
elif Backend.isDbms(DBMS.MSSQL): logger.info(infoMsg)
query = rootQuery.inband.query % (conf.db, conf.db,
conf.db, conf.db,
conf.db, conf.db,
conf.db, unsafeSQLIdentificatorNaming(conf.tbl))
query += condQuery.replace("[DB]", conf.db)
elif Backend.isDbms(DBMS.SQLITE):
query = rootQuery.inband.query % conf.tbl
value = inject.getValue(query, blind=False) return { conf.db: kb.data.cachedColumns[conf.db]}
infoMsg = "fetching columns "
if len(colList) > 0:
condQuery = " AND (%s)" % " OR ".join("%s LIKE '%%%s%%'" % (condition, unsafeSQLIdentificatorNaming(col)) for col in colList)
infoMsg += "like '%s' " % ", ".join(unsafeSQLIdentificatorNaming(col) for col in colList)
else:
condQuery = ""
infoMsg += "for table '%s' " % tbl
infoMsg += "on database '%s'" % conf.db
logger.info(infoMsg)
if Backend.getIdentifiedDbms() in ( DBMS.MYSQL, DBMS.PGSQL ):
query = rootQuery.inband.query % (unsafeSQLIdentificatorNaming(tbl), unsafeSQLIdentificatorNaming(conf.db))
query += condQuery
elif Backend.isDbms(DBMS.ORACLE):
query = rootQuery.inband.query % unsafeSQLIdentificatorNaming(tbl.upper())
query += condQuery
elif Backend.isDbms(DBMS.MSSQL):
query = rootQuery.inband.query % (conf.db, conf.db,
conf.db, conf.db,
conf.db, conf.db,
conf.db, unsafeSQLIdentificatorNaming(tbl))
query += condQuery.replace("[DB]", conf.db)
elif Backend.isDbms(DBMS.SQLITE):
query = rootQuery.inband.query % tbl
value = inject.getValue(query, blind=False)
if Backend.isDbms(DBMS.SQLITE):
parseSqliteTableSchema(value)
elif value:
table = {}
columns = {}
for columnData in value:
if columnData[0] is not None:
name = safeSQLIdentificatorNaming(columnData[0])
if len(columnData) == 1:
columns[name] = ""
else:
columns[name] = columnData[1]
if conf.db in kb.data.cachedColumns:
kb.data.cachedColumns[conf.db][tbl] = columns
else:
table[tbl] = columns
kb.data.cachedColumns[conf.db] = table
if not kb.data.cachedColumns and not conf.direct:
for tbl in tblList:
if conf.db is not None and len(kb.data.cachedColumns) > 0 \
and conf.db in kb.data.cachedColumns and tbl in \
kb.data.cachedColumns[conf.db]:
infoMsg = "fetched tables' columns on "
infoMsg += "database '%s'" % conf.db
logger.info(infoMsg)
return { conf.db: kb.data.cachedColumns[conf.db]}
infoMsg = "fetching columns "
if len(colList) > 0:
condQuery = " AND (%s)" % " OR ".join("%s LIKE '%%%s%%'" % (condition, unsafeSQLIdentificatorNaming(col)) for col in colList)
likeMsg = "like '%s' " % ", ".join(unsafeSQLIdentificatorNaming(col) for col in colList)
infoMsg += likeMsg
else:
condQuery = ""
likeMsg = ""
infoMsg += "for table '%s' " % tbl
infoMsg += "on database '%s'" % conf.db
logger.info(infoMsg)
countMsg = "fetching number of columns %s" % likeMsg
countMsg += "for table '%s'" % tbl
countMsg += " on database '%s'" % conf.db
logger.info(countMsg)
if Backend.getIdentifiedDbms() in ( DBMS.MYSQL, DBMS.PGSQL ):
query = rootQuery.blind.count % (unsafeSQLIdentificatorNaming(tbl), unsafeSQLIdentificatorNaming(conf.db))
query += condQuery
elif Backend.isDbms(DBMS.ORACLE):
query = rootQuery.blind.count % unsafeSQLIdentificatorNaming(tbl.upper())
query += condQuery
elif Backend.getIdentifiedDbms() in DBMS.MSSQL:
query = rootQuery.blind.count % (conf.db, conf.db, \
unsafeSQLIdentificatorNaming(tbl))
query += condQuery.replace("[DB]", conf.db)
elif Backend.isDbms(DBMS.FIREBIRD):
query = rootQuery.blind.count % (tbl)
query += condQuery
elif Backend.isDbms(DBMS.SQLITE):
query = rootQuery.blind.query % tbl
value = inject.getValue(query, inband=False, error=False)
parseSqliteTableSchema(value)
return kb.data.cachedColumns
count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=2)
if not isNumPosStrValue(count):
errMsg = "unable to retrieve the number of columns "
errMsg += "for table '%s' " % tbl
errMsg += "on database '%s'" % conf.db
raise sqlmapNoneDataException, errMsg
if Backend.isDbms(DBMS.SQLITE):
parseSqliteTableSchema(value)
elif value:
table = {} table = {}
columns = {} columns = {}
for columnData in value: indexRange = getRange(count)
if columnData[0] is not None:
name = safeSQLIdentificatorNaming(columnData[0])
if len(columnData) == 1: for index in indexRange:
columns[name] = ""
else:
columns[name] = columnData[1]
if conf.db in kb.data.cachedColumns:
kb.data.cachedColumns[conf.db][conf.tbl] = columns
else:
table[conf.tbl] = columns
kb.data.cachedColumns[conf.db] = table
if not kb.data.cachedColumns and not conf.direct:
infoMsg = "fetching number of columns "
infoMsg += "for table '%s'" % conf.tbl
infoMsg += " on database '%s'" % conf.db
logger.info(infoMsg)
if Backend.getIdentifiedDbms() in ( DBMS.MYSQL, DBMS.PGSQL ):
query = rootQuery.blind.count % (unsafeSQLIdentificatorNaming(conf.tbl), unsafeSQLIdentificatorNaming(conf.db))
query += condQuery
elif Backend.isDbms(DBMS.ORACLE):
query = rootQuery.blind.count % unsafeSQLIdentificatorNaming(conf.tbl.upper())
query += condQuery
elif Backend.getIdentifiedDbms() in DBMS.MSSQL:
query = rootQuery.blind.count % (conf.db, conf.db, \
unsafeSQLIdentificatorNaming(conf.tbl))
query += condQuery.replace("[DB]", conf.db)
elif Backend.isDbms(DBMS.FIREBIRD):
query = rootQuery.blind.count % (conf.tbl)
query += condQuery
elif Backend.isDbms(DBMS.SQLITE):
query = rootQuery.blind.query % conf.tbl
value = inject.getValue(query, inband=False, error=False)
parseSqliteTableSchema(value)
return kb.data.cachedColumns
count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=2)
if not isNumPosStrValue(count):
errMsg = "unable to retrieve the number of columns "
errMsg += "for table '%s' " % conf.tbl
errMsg += "on database '%s'" % conf.db
raise sqlmapNoneDataException, errMsg
table = {}
columns = {}
indexRange = getRange(count)
for index in indexRange:
if Backend.getIdentifiedDbms() in ( DBMS.MYSQL, DBMS.PGSQL ):
query = rootQuery.blind.query % (unsafeSQLIdentificatorNaming(conf.tbl), unsafeSQLIdentificatorNaming(conf.db))
query += condQuery
field = None
elif Backend.isDbms(DBMS.ORACLE):
query = rootQuery.blind.query % unsafeSQLIdentificatorNaming(conf.tbl.upper())
query += condQuery
field = None
elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):
query = rootQuery.blind.query % (conf.db, conf.db,
conf.db, conf.db,
conf.db, conf.db,
unsafeSQLIdentificatorNaming(conf.tbl))
query += condQuery.replace("[DB]", conf.db)
field = condition.replace("[DB]", conf.db)
elif Backend.isDbms(DBMS.FIREBIRD):
query = rootQuery.blind.query % (conf.tbl)
query += condQuery
field = None
query = agent.limitQuery(index, query, field)
column = inject.getValue(query, inband=False, error=False)
if not onlyColNames:
if Backend.getIdentifiedDbms() in ( DBMS.MYSQL, DBMS.PGSQL ): if Backend.getIdentifiedDbms() in ( DBMS.MYSQL, DBMS.PGSQL ):
query = rootQuery.blind.query2 % (unsafeSQLIdentificatorNaming(conf.tbl), column, unsafeSQLIdentificatorNaming(conf.db)) query = rootQuery.blind.query % (unsafeSQLIdentificatorNaming(tbl), unsafeSQLIdentificatorNaming(conf.db))
query += condQuery
field = None
elif Backend.isDbms(DBMS.ORACLE): elif Backend.isDbms(DBMS.ORACLE):
query = rootQuery.blind.query2 % (unsafeSQLIdentificatorNaming(conf.tbl.upper()), column) query = rootQuery.blind.query % unsafeSQLIdentificatorNaming(tbl.upper())
elif Backend.isDbms(DBMS.MSSQL): query += condQuery
query = rootQuery.blind.query2 % (conf.db, conf.db, conf.db, field = None
conf.db, column, conf.db, elif Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):
conf.db, conf.db, unsafeSQLIdentificatorNaming(conf.tbl)) query = rootQuery.blind.query % (conf.db, conf.db,
conf.db, conf.db,
conf.db, conf.db,
unsafeSQLIdentificatorNaming(tbl))
query += condQuery.replace("[DB]", conf.db)
field = condition.replace("[DB]", conf.db)
elif Backend.isDbms(DBMS.FIREBIRD): elif Backend.isDbms(DBMS.FIREBIRD):
query = rootQuery.blind.query2 % (conf.tbl, column) query = rootQuery.blind.query % (tbl)
query += condQuery
field = None
colType = inject.getValue(query, inband=False, error=False) query = agent.limitQuery(index, query, field)
column = inject.getValue(query, inband=False, error=False)
if Backend.isDbms(DBMS.FIREBIRD): if not onlyColNames:
colType = firebirdTypes[colType] if colType in firebirdTypes else colType if Backend.getIdentifiedDbms() in ( DBMS.MYSQL, DBMS.PGSQL ):
query = rootQuery.blind.query2 % (unsafeSQLIdentificatorNaming(tbl), column, unsafeSQLIdentificatorNaming(conf.db))
elif Backend.isDbms(DBMS.ORACLE):
query = rootQuery.blind.query2 % (unsafeSQLIdentificatorNaming(tbl.upper()), column)
elif Backend.isDbms(DBMS.MSSQL):
query = rootQuery.blind.query2 % (conf.db, conf.db, conf.db,
conf.db, column, conf.db,
conf.db, conf.db, unsafeSQLIdentificatorNaming(tbl))
elif Backend.isDbms(DBMS.FIREBIRD):
query = rootQuery.blind.query2 % (tbl, column)
column = safeSQLIdentificatorNaming(column) colType = inject.getValue(query, inband=False, error=False)
columns[column] = colType
else:
column = safeSQLIdentificatorNaming(column)
columns[column] = None
if columns: if Backend.isDbms(DBMS.FIREBIRD):
if conf.db in kb.data.cachedColumns: colType = firebirdTypes[colType] if colType in firebirdTypes else colType
kb.data.cachedColumns[conf.db][conf.tbl] = columns
else: column = safeSQLIdentificatorNaming(column)
table[conf.tbl] = columns columns[column] = colType
kb.data.cachedColumns[conf.db] = table else:
column = safeSQLIdentificatorNaming(column)
columns[column] = None
if columns:
if conf.db in kb.data.cachedColumns:
kb.data.cachedColumns[conf.db][tbl] = columns
else:
table[tbl] = columns
kb.data.cachedColumns[conf.db] = table
if not kb.data.cachedColumns: if not kb.data.cachedColumns:
errMsg = "unable to retrieve the columns " errMsg = "unable to retrieve the columns for any "
errMsg += "for table '%s' " % conf.tbl errMsg += "table on database '%s'" % conf.db
errMsg += "on database '%s'" % conf.db
raise sqlmapNoneDataException, errMsg raise sqlmapNoneDataException, errMsg
return kb.data.cachedColumns return kb.data.cachedColumns
@ -1150,9 +1204,13 @@ class Enumeration:
pushValue(conf.db) pushValue(conf.db)
pushValue(conf.tbl) pushValue(conf.tbl)
pushValue(conf.col)
conf.db = None conf.db = None
conf.tbl = None conf.tbl = None
conf.col = None
kb.data.cachedTables = {}
kb.data.cachedColumns = {}
self.getTables() self.getTables()
@ -1170,6 +1228,7 @@ class Enumeration:
self.getColumns() self.getColumns()
conf.col = popValue()
conf.tbl = popValue() conf.tbl = popValue()
conf.db = popValue() conf.db = popValue()