mirror of
				https://github.com/sqlmapproject/sqlmap.git
				synced 2025-10-25 13:11:00 +03:00 
			
		
		
		
	Added support to search for tables (--search with -T). See #190.
This commit is contained in:
		
							parent
							
								
									e938331d8e
								
							
						
					
					
						commit
						c9ee11e0e4
					
				|  | @ -22,6 +22,8 @@ with sqlmap; if not, write to the Free Software Foundation, Inc., 51 | |||
| Franklin St, Fifth Floor, Boston, MA  02110-1301  USA | ||||
| """ | ||||
| 
 | ||||
| from lib.core.agent import agent | ||||
| from lib.core.common import getRange | ||||
| from lib.core.data import conf | ||||
| from lib.core.data import kb | ||||
| from lib.core.data import logger | ||||
|  | @ -116,3 +118,89 @@ class Enumeration(GenericEnumeration): | |||
|             raise sqlmapNoneDataException(errMsg) | ||||
| 
 | ||||
|         return kb.data.cachedTables | ||||
| 
 | ||||
|     def searchTable(self): | ||||
|         rootQuery = queries[kb.dbms].searchTable | ||||
|         foundTbls = {} | ||||
|         tblList = conf.tbl.split(",") | ||||
|         tblCond = rootQuery["inband"]["condition"] | ||||
|         dbCond = rootQuery["inband"]["condition2"] | ||||
| 
 | ||||
|         tblConsider, tblCondParam = self.likeOrExact("table") | ||||
| 
 | ||||
|         if not len(kb.data.cachedDbs): | ||||
|             enumDbs = self.getDbs() | ||||
|         else: | ||||
|             enumDbs = kb.data.cachedDbs | ||||
| 
 | ||||
|         for db in enumDbs: | ||||
|             foundTbls[db] = [] | ||||
| 
 | ||||
|         for tbl in tblList: | ||||
|             infoMsg = "searching table" | ||||
|             if tblConsider == "1": | ||||
|                 infoMsg += "s like" | ||||
|             infoMsg += " '%s'" % tbl | ||||
|             logger.info(infoMsg) | ||||
| 
 | ||||
|             if conf.excludeSysDbs: | ||||
|                 exclDbsQuery = "".join(" AND '%s' != %s" % (db, dbCond) for db in self.excludeDbsList) | ||||
|                 infoMsg = "skipping system databases '%s'" % ", ".join(db for db in self.excludeDbsList) | ||||
|                 logger.info(infoMsg) | ||||
|             else: | ||||
|                 exclDbsQuery = "" | ||||
| 
 | ||||
|             tblQuery = "%s%s" % (tblCond, tblCondParam) | ||||
|             tblQuery = tblQuery % tbl | ||||
| 
 | ||||
|             for db in foundTbls.keys(): | ||||
|                 if kb.unionPosition or conf.direct: | ||||
|                     query = rootQuery["inband"]["query"] % db | ||||
|                     query += tblQuery | ||||
|                     query += exclDbsQuery | ||||
|                     values = inject.getValue(query, blind=False) | ||||
| 
 | ||||
|                     if values: | ||||
|                         if isinstance(values, str): | ||||
|                             values = [ values ] | ||||
| 
 | ||||
|                         for foundTbl in values: | ||||
|                             foundTbls[db].append(foundTbl) | ||||
|                 else: | ||||
|                     infoMsg = "fetching number of table" | ||||
|                     if tblConsider == "1": | ||||
|                         infoMsg += "s like" | ||||
|                     infoMsg += " '%s' in database '%s'" % (tbl, db) | ||||
|                     logger.info(infoMsg) | ||||
| 
 | ||||
|                     query = rootQuery["blind"]["count2"] | ||||
|                     query = query % db | ||||
|                     query += " AND %s" % tblQuery | ||||
|                     count = inject.getValue(query, inband=False, expected="int", charsetType=2) | ||||
| 
 | ||||
|                     if not count.isdigit() or not len(count) or count == "0": | ||||
|                         warnMsg = "no table" | ||||
|                         if tblConsider == "1": | ||||
|                             warnMsg += "s like" | ||||
|                         warnMsg += " '%s' " % tbl | ||||
|                         warnMsg += "in database '%s'" % db | ||||
|                         logger.warn(warnMsg) | ||||
| 
 | ||||
|                         continue | ||||
| 
 | ||||
|                     indexRange = getRange(count) | ||||
| 
 | ||||
|                     for index in indexRange: | ||||
|                         query = rootQuery["blind"]["query2"] | ||||
|                         query = query % db | ||||
|                         query += " AND %s" % tblQuery | ||||
|                         query = agent.limitQuery(index, query, tblCond) | ||||
|                         tbl = inject.getValue(query, inband=False) | ||||
|                         kb.hintValue = tbl | ||||
|                         foundTbls[db].append(tbl) | ||||
| 
 | ||||
|         for db, tbls in foundTbls.items(): | ||||
|             if len(tbls) == 0: | ||||
|                 foundTbls.pop(db) | ||||
| 
 | ||||
|         return foundTbls | ||||
|  |  | |||
|  | @ -1269,8 +1269,125 @@ class Enumeration: | |||
|         return foundDbs | ||||
| 
 | ||||
|     def searchTable(self): | ||||
|         errMsg = "search for table names is not supported yet" | ||||
|         raise sqlmapUnsupportedFeatureException, errMsg | ||||
|         if kb.dbms == "MySQL" and not kb.data.has_information_schema: | ||||
|             errMsg  = "information_schema not available, " | ||||
|             errMsg += "back-end DBMS is MySQL < 5.0" | ||||
|             raise sqlmapUnsupportedFeatureException, errMsg | ||||
| 
 | ||||
|         rootQuery = queries[kb.dbms].searchTable | ||||
|         foundTbls = {} | ||||
|         tblList = conf.tbl.split(",") | ||||
|         tblCond = rootQuery["inband"]["condition"] | ||||
|         dbCond = rootQuery["inband"]["condition2"] | ||||
| 
 | ||||
|         tblConsider, tblCondParam = self.likeOrExact("table") | ||||
| 
 | ||||
|         for tbl in tblList: | ||||
|             if kb.dbms == "Oracle": | ||||
|                 tbl = tbl.upper() | ||||
| 
 | ||||
|             infoMsg = "searching table" | ||||
|             if tblConsider == "1": | ||||
|                 infoMsg += "s like" | ||||
|             infoMsg += " '%s'" % tbl | ||||
|             logger.info(infoMsg) | ||||
| 
 | ||||
|             if conf.excludeSysDbs: | ||||
|                 exclDbsQuery = "".join(" AND '%s' != %s" % (db, dbCond) for db in self.excludeDbsList) | ||||
|                 infoMsg = "skipping system databases '%s'" % ", ".join(db for db in self.excludeDbsList) | ||||
|                 logger.info(infoMsg) | ||||
|             else: | ||||
|                 exclDbsQuery = "" | ||||
| 
 | ||||
|             tblQuery = "%s%s" % (tblCond, tblCondParam) | ||||
|             tblQuery = tblQuery % tbl | ||||
| 
 | ||||
|             if kb.unionPosition or conf.direct: | ||||
|                 query = rootQuery["inband"]["query"] | ||||
|                 query += tblQuery | ||||
|                 query += exclDbsQuery | ||||
|                 values = inject.getValue(query, blind=False) | ||||
| 
 | ||||
|                 if values: | ||||
|                     if isinstance(values, str): | ||||
|                         values = [ values ] | ||||
| 
 | ||||
|                     for foundDb, foundTbl in values: | ||||
|                         if foundDb in foundTbls: | ||||
|                             foundTbls[foundDb].append(foundTbl) | ||||
|                         else: | ||||
|                             foundTbls[foundDb] = [ foundTbl ] | ||||
|             else: | ||||
|                 infoMsg = "fetching number of databases with table" | ||||
|                 if tblConsider == "1": | ||||
|                     infoMsg += "s like" | ||||
|                 infoMsg += " '%s'" % tbl | ||||
|                 logger.info(infoMsg) | ||||
| 
 | ||||
|                 query = rootQuery["blind"]["count"] | ||||
|                 query += tblQuery | ||||
|                 query += exclDbsQuery | ||||
|                 count = inject.getValue(query, inband=False, expected="int", charsetType=2) | ||||
| 
 | ||||
|                 if not count.isdigit() or not len(count) or count == "0": | ||||
|                     warnMsg  = "no databases have table" | ||||
|                     if tblConsider == "1": | ||||
|                         warnMsg += "s like" | ||||
|                     warnMsg += " '%s'" % tbl | ||||
|                     logger.warn(warnMsg) | ||||
| 
 | ||||
|                     continue | ||||
| 
 | ||||
|                 indexRange = getRange(count) | ||||
| 
 | ||||
|                 for index in indexRange: | ||||
|                     query = rootQuery["blind"]["query"] | ||||
|                     query += tblQuery | ||||
|                     query += exclDbsQuery | ||||
|                     query = agent.limitQuery(index, query) | ||||
|                     foundDb = inject.getValue(query, inband=False) | ||||
|                     foundTbls[foundDb] = [] | ||||
| 
 | ||||
|                     if tblConsider == "2": | ||||
|                         foundTbls[foundDb].append(tbl) | ||||
| 
 | ||||
|                 if tblConsider == "2": | ||||
|                     continue | ||||
| 
 | ||||
|                 for db in foundTbls.keys(): | ||||
|                     infoMsg = "fetching number of table" | ||||
|                     if tblConsider == "1": | ||||
|                         infoMsg += "s like" | ||||
|                     infoMsg += " '%s' in database '%s'" % (tbl, db) | ||||
|                     logger.info(infoMsg) | ||||
| 
 | ||||
|                     query = rootQuery["blind"]["count2"] | ||||
|                     query = query % db | ||||
|                     query += " AND %s" % tblQuery | ||||
|                     count = inject.getValue(query, inband=False, expected="int", charsetType=2) | ||||
| 
 | ||||
|                     if not count.isdigit() or not len(count) or count == "0": | ||||
|                         warnMsg = "no table" | ||||
|                         if tblConsider == "1": | ||||
|                             warnMsg += "s like" | ||||
|                         warnMsg += " '%s' " % tbl | ||||
|                         warnMsg += "in database '%s'" % db | ||||
|                         logger.warn(warnMsg) | ||||
| 
 | ||||
|                         continue | ||||
| 
 | ||||
|                     indexRange = getRange(count) | ||||
| 
 | ||||
|                     for index in indexRange: | ||||
|                         query = rootQuery["blind"]["query2"] | ||||
|                         query = query % db | ||||
|                         query += " AND %s" % tblQuery | ||||
|                         query = agent.limitQuery(index, query) | ||||
|                         foundTbl = inject.getValue(query, inband=False) | ||||
|                         kb.hintValue = foundTbl | ||||
|                         foundTbls[db].append(foundTbl) | ||||
| 
 | ||||
|         return foundTbls | ||||
| 
 | ||||
|     def searchColumn(self): | ||||
|         if kb.dbms == "MySQL" and not kb.data.has_information_schema: | ||||
|  | @ -1291,7 +1408,16 @@ class Enumeration: | |||
|             if kb.dbms == "Oracle": | ||||
|                 column = column.upper() | ||||
|                 conf.db = "USERS" | ||||
|             elif kb.dbms == "Microsoft SQL Server": | ||||
| 
 | ||||
|             infoMsg = "searching column" | ||||
|             if colConsider == "1": | ||||
|                 infoMsg += "s like" | ||||
|             infoMsg += " '%s'" % column | ||||
|             logger.info(infoMsg) | ||||
| 
 | ||||
|             foundCols[column] = {} | ||||
| 
 | ||||
|             if kb.dbms == "Microsoft SQL Server": | ||||
|                 if not conf.db: | ||||
|                     if not len(kb.data.cachedDbs): | ||||
|                         enumDbs = self.getDbs() | ||||
|  | @ -1300,8 +1426,6 @@ class Enumeration: | |||
| 
 | ||||
|                     conf.db = ",".join(db for db in enumDbs) | ||||
| 
 | ||||
|             foundCols[column] = {} | ||||
| 
 | ||||
|             if conf.db: | ||||
|                 for db in conf.db.split(","): | ||||
|                     dbs[db] = {} | ||||
|  |  | |||
|  | @ -32,6 +32,7 @@ from lib.core.data import conf | |||
| from lib.core.data import kb | ||||
| from lib.core.data import logger | ||||
| from lib.core.data import queries | ||||
| from lib.core.exception import sqlmapNoneDataException | ||||
| from lib.core.exception import sqlmapUnsupportedFeatureException | ||||
| from lib.core.session import setRemoteTempPath | ||||
| from lib.request import inject | ||||
|  |  | |||
|  | @ -63,7 +63,10 @@ | |||
|             <inband query="SELECT schema_name FROM information_schema.SCHEMATA WHERE " query2="SELECT db FROM mysql.db WHERE " condition="schema_name" condition2="db"/> | ||||
|             <blind query="SELECT DISTINCT(schema_name) FROM information_schema.SCHEMATA WHERE " query2="SELECT DISTINCT(db) FROM mysql.db WHERE " count="SELECT COUNT(DISTINCT(schema_name)) FROM information_schema.SCHEMATA WHERE " count2="SELECT COUNT(DISTINCT(db)) FROM mysql.db WHERE " condition="schema_name" condition2="db"/> | ||||
|         </search_db> | ||||
|         <search_table/> | ||||
|         <search_table> | ||||
|             <inband query="SELECT table_schema, table_name FROM information_schema.TABLES WHERE " condition="table_name" condition2="table_schema"/> | ||||
|             <blind query="SELECT DISTINCT(table_schema) FROM information_schema.TABLES WHERE " query2="SELECT DISTINCT(table_name) FROM information_schema.TABLES WHERE table_schema='%s'" count="SELECT COUNT(DISTINCT(table_schema)) FROM information_schema.TABLES WHERE " count2="SELECT COUNT(DISTINCT(table_name)) FROM information_schema.TABLES WHERE table_schema='%s'" condition="table_name" condition2="table_schema"/> | ||||
|         </search_table> | ||||
|         <search_column> | ||||
|             <inband query="SELECT table_schema FROM information_schema.COLUMNS WHERE " query2="SELECT table_name FROM information_schema.COLUMNS WHERE table_schema='%s'" condition="column_name" condition2="table_schema"/> | ||||
|             <blind query="SELECT DISTINCT(table_schema) FROM information_schema.COLUMNS WHERE " query2="SELECT DISTINCT(table_name) FROM information_schema.COLUMNS WHERE table_schema='%s'" count="SELECT COUNT(DISTINCT(table_schema)) FROM information_schema.COLUMNS WHERE " count2="SELECT COUNT(DISTINCT(table_name)) FROM information_schema.COLUMNS WHERE table_schema='%s'" condition="column_name" condition2="table_schema"/> | ||||
|  | @ -136,7 +139,11 @@ | |||
|             <blind query="SELECT %s FROM (SELECT %s, ROWNUM AS LIMIT FROM %s) WHERE LIMIT=%d" count="SELECT COUNT(*) FROM %s"/> | ||||
|         </dump_table> | ||||
|         <search_db/> | ||||
|         <search_table/> | ||||
|         <search_table> | ||||
|             <!-- NOTE: in Oracle the TABLESPACE_NAME is the spacename corresponding to SYS, SYSDBA, USERS. It is NOT the database name --> | ||||
|             <inband query="SELECT TABLESPACE_NAME, TABLE_NAME FROM SYS.ALL_TABLES WHERE " condition="TABLE_NAME" condition2="TABLESPACE_NAME"/> | ||||
|             <blind query="SELECT DISTINCT(TABLESPACE_NAME) FROM SYS.ALL_TABLES WHERE " query2="SELECT TABLE_NAME FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s'" count="SELECT COUNT(DISTINCT(TABLESPACE_NAME)) FROM SYS.ALL_TABLES WHERE " count2="SELECT COUNT(TABLE_NAME) FROM SYS.ALL_TABLES WHERE TABLESPACE_NAME='%s'" condition="TABLE_NAME" condition2="TABLESPACE_NAME"/> | ||||
|         </search_table> | ||||
|         <search_column> | ||||
|             <inband query="" query2="SELECT TABLE_NAME FROM SYS.ALL_TAB_COLUMNS" condition="COLUMN_NAME" condition2="TABLESPACE_NAME"/> | ||||
|             <blind query="" query2="SELECT DISTINCT(TABLE_NAME) FROM SYS.ALL_TAB_COLUMNS" count="" count2="SELECT COUNT(DISTINCT(TABLE_NAME)) FROM SYS.ALL_TAB_COLUMNS" condition="COLUMN_NAME" condition2="TABLESPACE_NAME"/> | ||||
|  | @ -205,7 +212,10 @@ | |||
|             <inband query="SELECT datname FROM pg_database WHERE " query2="" condition="datname" condition2=""/> | ||||
|             <blind query="SELECT DISTINCT(datname) FROM pg_database WHERE " query2="" count="SELECT COUNT(DISTINCT(datname)) FROM pg_database WHERE " count2="" condition="datname" condition2=""/> | ||||
|         </search_db> | ||||
|         <search_table/> | ||||
|         <search_table> | ||||
|             <inband query="SELECT schemaname, tablename FROM pg_tables WHERE " condition="tablename" condition2="schemaname"/> | ||||
|             <blind query="SELECT DISTINCT(schemaname) FROM pg_tables WHERE " query2="SELECT tablename FROM pg_tables WHERE schemaname='%s'" count="SELECT COUNT(DISTINCT(schemaname)) FROM pg_tables WHERE " count2="SELECT COUNT(tablename) FROM pg_tables WHERE schemaname='%s'" condition="tablename" condition2="schemaname"/> | ||||
|         </search_table> | ||||
|         <search_column> | ||||
|             <inband query="SELECT nspname FROM pg_namespace, pg_type, pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND " query2="SELECT relname FROM pg_namespace, pg_type, pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND nspname='%s'" condition="attname" condition2="nspname"/> | ||||
|             <blind query="SELECT DISTINCT(nspname) FROM pg_namespace, pg_type, pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND " query2="SELECT DISTINCT(relname) FROM pg_namespace, pg_type, pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND nspname='%s'" count="SELECT COUNT(DISTINCT(nspname)) FROM pg_namespace, pg_type, pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND " count2="SELECT COUNT(DISTINCT(relname)) FROM pg_namespace, pg_type, pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND nspname='%s'" condition="attname" condition2="nspname"/> | ||||
|  | @ -265,7 +275,10 @@ | |||
|             <inband query="SELECT name FROM master..sysdatabases WHERE " condition="name"/> | ||||
|             <blind query="SELECT name FROM master..sysdatabases WHERE " count="SELECT LTRIM(STR(COUNT(name))) FROM master..sysdatabases WHERE " condition="name"/> | ||||
|         </search_db> | ||||
|         <search_table/> | ||||
|         <search_table> | ||||
|             <inband query="SELECT name FROM %s..sysobjects WHERE xtype IN ('u', 'v') AND " condition="name" condition2="name"/> | ||||
|             <blind query="" query2="SELECT name FROM %s..sysobjects WHERE xtype IN ('u', 'v') " count="" count2="SELECT LTRIM(STR(COUNT(name))) FROM %s..sysobjects WHERE xtype IN ('u', 'v')" condition="name" condition2="name"/> | ||||
|         </search_table> | ||||
|         <search_column> | ||||
|             <inband query="" query2="SELECT %s..sysobjects.name FROM %s..syscolumns, %s..sysobjects WHERE %s..syscolumns.id=%s..sysobjects.id" condition="[DB]..syscolumns.name"/> | ||||
|             <blind query="" query2="SELECT %s..sysobjects.name FROM %s..syscolumns, %s..sysobjects WHERE %s..syscolumns.id=%s..sysobjects.id" count="" count2="SELECT COUNT(%s..sysobjects.name) FROM %s..syscolumns, %s..sysobjects WHERE %s..syscolumns.id=%s..sysobjects.id" condition="[DB]..syscolumns.name"/> | ||||
|  |  | |||
		Loading…
	
		Reference in New Issue
	
	Block a user