Blame: lib/controller/action.py - sqlmapproject/sqlmap

Automatic SQL injection and database takeover tool

36950 0 0 Python

Last preparations for DREI 2019-05-08 12:47:52 +02:00			`#!/usr/bin/env python`
After the storm, a restore.. 2008-10-15 15:38:22 +00:00
			`"""`
Year and version bump 2023-01-02 23:24:59 +01:00			`Copyright (c) 2006-2023 sqlmap developers (https://sqlmap.org/)`
Replacing doc/COPYING to LICENSE 2017-10-11 14:50:46 +02:00			`See the file 'LICENSE' for copying permission`
After the storm, a restore.. 2008-10-15 15:38:22 +00:00			`"""`

			`from lib.controller.handler import setHandler`
refactoring (class names should always be Capital cased) 2011-01-28 16:36:09 +00:00			`from lib.core.common import Backend`
			`from lib.core.common import Format`
After the storm, a restore.. 2008-10-15 15:38:22 +00:00			`from lib.core.data import conf`
			`from lib.core.data import kb`
Patch for an Issue #127 2012-10-05 10:49:31 +02:00			`from lib.core.data import logger`
changes regarding EXISTS feature 2010-09-30 12:35:45 +00:00			`from lib.core.data import paths`
variable renamed 2013-01-30 15:30:34 +00:00			`from lib.core.enums import CONTENT_TYPE`
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods) 2012-12-06 14:14:19 +01:00			`from lib.core.exception import SqlmapNoneDataException`
			`from lib.core.exception import SqlmapUnsupportedDBMSException`
After the storm, a restore.. 2008-10-15 15:38:22 +00:00			`from lib.core.settings import SUPPORTED_DBMS`
Moving brute from techniques to utils 2017-04-18 13:53:41 +02:00			`from lib.utils.brute import columnExists`
Implements #2908 2019-06-27 17:28:43 +02:00			`from lib.utils.brute import fileExists`
Moving brute from techniques to utils 2017-04-18 13:53:41 +02:00			`from lib.utils.brute import tableExists`
After the storm, a restore.. 2008-10-15 15:38:22 +00:00
			`def action():`
			`"""`
			`This function exploit the SQL injection on the affected`
Style and consistency update (url -> URL) 2013-04-09 11:48:42 +02:00			`URL parameter and extract requested data from the`
After the storm, a restore.. 2008-10-15 15:38:22 +00:00			`back-end database management system or operating system`
			`if possible`
			`"""`

			`# First of all we have to identify the back-end database management`
			`# system to be able to go ahead with the injection`
Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments. 2010-03-26 23:23:25 +00:00			`setHandler()`
After the storm, a restore.. 2008-10-15 15:38:22 +00:00
refactoring (class names should always be Capital cased) 2011-01-28 16:36:09 +00:00			`if not Backend.getDbms() or not conf.dbmsHandler:`
			`htmlParsed = Format.getErrorParsedDBMSes()`
After the storm, a restore.. 2008-10-15 15:38:22 +00:00
Minor code restyling 2011-04-30 13:20:05 +00:00			`errMsg = "sqlmap was not able to fingerprint the "`
After the storm, a restore.. 2008-10-15 15:38:22 +00:00			`errMsg += "back-end database management system"`

			`if htmlParsed:`
			`errMsg += ", but from the HTML error page it was "`
			`errMsg += "possible to determinate that the "`
minor update 2012-05-09 10:06:23 +00:00			`errMsg += "back-end DBMS is %s" % htmlParsed`
After the storm, a restore.. 2008-10-15 15:38:22 +00:00
			`if htmlParsed and htmlParsed.lower() in SUPPORTED_DBMS:`
			`errMsg += ". Do not specify the back-end DBMS manually, "`
			`errMsg += "sqlmap will fingerprint the DBMS for you"`
update of dynamicity testing and few misc fixes 2010-11-05 13:14:12 +00:00			`elif kb.nullConnection:`
			`errMsg += ". You can try to rerun without using optimization "`
			`errMsg += "switch '%s'" % ("-o" if conf.optimize else "--null-connection")`
After the storm, a restore.. 2008-10-15 15:38:22 +00:00
Replacing old and deprecated raise Exception style (PEP8) 2013-01-03 23:20:55 +01:00			`raise SqlmapUnsupportedDBMSException(errMsg)`
After the storm, a restore.. 2008-10-15 15:38:22 +00:00
minor fix: add also back-end DBMS and web app fingerprint output to log file 2012-12-17 13:02:09 +00:00			`conf.dumper.singleString(conf.dbmsHandler.getFingerprint())`
After the storm, a restore.. 2008-10-15 15:38:22 +00:00
Minor update 2020-03-26 14:58:58 +01:00			`kb.fingerprinted = True`

After the storm, a restore.. 2008-10-15 15:38:22 +00:00			`# Enumeration options`
			`if conf.getBanner:`
Adapted and merged in patch to support XML output (-x switch) - still in beta. Minor bug fixes and adjustments. 2010-05-28 16:43:04 +00:00			`conf.dumper.banner(conf.dbmsHandler.getBanner())`
After the storm, a restore.. 2008-10-15 15:38:22 +00:00
			`if conf.getCurrentUser:`
Adapted and merged in patch to support XML output (-x switch) - still in beta. Minor bug fixes and adjustments. 2010-05-28 16:43:04 +00:00			`conf.dumper.currentUser(conf.dbmsHandler.getCurrentUser())`
After the storm, a restore.. 2008-10-15 15:38:22 +00:00
			`if conf.getCurrentDb:`
Adapted and merged in patch to support XML output (-x switch) - still in beta. Minor bug fixes and adjustments. 2010-05-28 16:43:04 +00:00			`conf.dumper.currentDb(conf.dbmsHandler.getCurrentDb())`
After the storm, a restore.. 2008-10-15 15:38:22 +00:00
added --hostname switch to retrieve DBMS server hostname - closes issue #69 2012-07-12 00:01:57 +01:00			`if conf.getHostname:`
			`conf.dumper.hostname(conf.dbmsHandler.getHostname())`

Minor enhancement to support an option (--is-dba) to show if the current user is a database management system administrator. 2008-12-18 20:41:11 +00:00			`if conf.isDba:`
Adapted and merged in patch to support XML output (-x switch) - still in beta. Minor bug fixes and adjustments. 2010-05-28 16:43:04 +00:00			`conf.dumper.dba(conf.dbmsHandler.isDba())`
Minor enhancement to support an option (--is-dba) to show if the current user is a database management system administrator. 2008-12-18 20:41:11 +00:00
After the storm, a restore.. 2008-10-15 15:38:22 +00:00			`if conf.getUsers:`
Adapted and merged in patch to support XML output (-x switch) - still in beta. Minor bug fixes and adjustments. 2010-05-28 16:43:04 +00:00			`conf.dumper.users(conf.dbmsHandler.getUsers())`
After the storm, a restore.. 2008-10-15 15:38:22 +00:00
Implements #1222 2019-05-29 15:52:33 +02:00			`if conf.getStatements:`
			`conf.dumper.statements(conf.dbmsHandler.getStatements())`

After the storm, a restore.. 2008-10-15 15:38:22 +00:00			`if conf.getPasswordHashes:`
Patch for an Issue #127 2012-10-05 10:49:31 +02:00			`try:`
Minor cosmetics 2016-09-02 16:10:11 +02:00			`conf.dumper.userSettings("database management system users password hashes", conf.dbmsHandler.getPasswordHashes(), "password hash", CONTENT_TYPE.PASSWORDS)`
Baby steps (2 to 3 at a time) 2019-01-22 00:40:48 +01:00			`except SqlmapNoneDataException as ex:`
Patch for an Issue #127 2012-10-05 10:49:31 +02:00			`logger.critical(ex)`
			`except:`
			`raise`
After the storm, a restore.. 2008-10-15 15:38:22 +00:00
			`if conf.getPrivileges:`
Patch for an Issue #127 2012-10-05 10:49:31 +02:00			`try:`
Minor cosmetics 2016-09-02 16:10:11 +02:00			`conf.dumper.userSettings("database management system users privileges", conf.dbmsHandler.getPrivileges(), "privilege", CONTENT_TYPE.PRIVILEGES)`
Baby steps (2 to 3 at a time) 2019-01-22 00:40:48 +01:00			`except SqlmapNoneDataException as ex:`
Patch for an Issue #127 2012-10-05 10:49:31 +02:00			`logger.critical(ex)`
			`except:`
			`raise`
After the storm, a restore.. 2008-10-15 15:38:22 +00:00
Added support for --roles (for Oracle ROLE_PRIVS). Enhanced Oracle --privileges to fall-back to USER_SYS_PRIVS if DBA_SYS_PRIVS is not accessible (so session user is not DBA) - Fixes ticket #180. Minor enhancement to Firebird to determine if a DB user is a DBA. Minor code refactoring. 2010-03-25 15:46:06 +00:00			`if conf.getRoles:`
Patch for an Issue #127 2012-10-05 10:49:31 +02:00			`try:`
Minor cosmetics 2016-09-02 16:10:11 +02:00			`conf.dumper.userSettings("database management system users roles", conf.dbmsHandler.getRoles(), "role", CONTENT_TYPE.ROLES)`
Baby steps (2 to 3 at a time) 2019-01-22 00:40:48 +01:00			`except SqlmapNoneDataException as ex:`
Patch for an Issue #127 2012-10-05 10:49:31 +02:00			`logger.critical(ex)`
			`except:`
			`raise`
Added support for --roles (for Oracle ROLE_PRIVS). Enhanced Oracle --privileges to fall-back to USER_SYS_PRIVS if DBA_SYS_PRIVS is not accessible (so session user is not DBA) - Fixes ticket #180. Minor enhancement to Firebird to determine if a DB user is a DBA. Minor code refactoring. 2010-03-25 15:46:06 +00:00
After the storm, a restore.. 2008-10-15 15:38:22 +00:00			`if conf.getDbs:`
Fixes #373 2019-02-21 01:10:43 +01:00			`try:`
			`conf.dumper.dbs(conf.dbmsHandler.getDbs())`
			`except SqlmapNoneDataException as ex:`
			`logger.critical(ex)`
			`except:`
			`raise`
After the storm, a restore.. 2008-10-15 15:38:22 +00:00
			`if conf.getTables:`
Fixes #373 2019-02-21 01:10:43 +01:00			`try:`
			`conf.dumper.dbTables(conf.dbmsHandler.getTables())`
			`except SqlmapNoneDataException as ex:`
			`logger.critical(ex)`
			`except:`
			`raise`
After the storm, a restore.. 2008-10-15 15:38:22 +00:00
Actually brute-force switches make more sense just after their "normal" version. Also, getSchema() method is preferably to be called before getColumns(), see next commit for reason 2011-04-29 21:09:07 +00:00			`if conf.commonTables:`
Fixes #373 2019-02-21 01:10:43 +01:00			`try:`
			`conf.dumper.dbTables(tableExists(paths.COMMON_TABLES))`
			`except SqlmapNoneDataException as ex:`
			`logger.critical(ex)`
			`except:`
			`raise`
After the storm, a restore.. 2008-10-15 15:38:22 +00:00
Added switch --schema to enumerate DBMS schema and now --columns does not require a mandatory table (-T) anymore, instead it will act as an alias for --schema 2011-04-28 23:59:00 +00:00			`if conf.getSchema:`
Fixes #373 2019-02-21 01:10:43 +01:00			`try:`
			`conf.dumper.dbTableColumns(conf.dbmsHandler.getSchema(), CONTENT_TYPE.SCHEMA)`
			`except SqlmapNoneDataException as ex:`
			`logger.critical(ex)`
			`except:`
			`raise`
update regarding brute force retrieval of table names and table column names 2010-11-09 16:15:55 +00:00
Actually brute-force switches make more sense just after their "normal" version. Also, getSchema() method is preferably to be called before getColumns(), see next commit for reason 2011-04-29 21:09:07 +00:00			`if conf.getColumns:`
Fixes #373 2019-02-21 01:10:43 +01:00			`try:`
			`conf.dumper.dbTableColumns(conf.dbmsHandler.getColumns(), CONTENT_TYPE.COLUMNS)`
			`except SqlmapNoneDataException as ex:`
			`logger.critical(ex)`
			`except:`
			`raise`
Actually brute-force switches make more sense just after their "normal" version. Also, getSchema() method is preferably to be called before getColumns(), see next commit for reason 2011-04-29 21:09:07 +00:00
Added --count switch to count the number of entries for a specific table (when -T is provided), all database's tables (when only -D is provided) or all databases' tables when neither -D nor -T are provided 2011-04-30 00:22:22 +00:00			`if conf.getCount:`
Fixes #373 2019-02-21 01:10:43 +01:00			`try:`
			`conf.dumper.dbTablesCount(conf.dbmsHandler.getCount())`
			`except SqlmapNoneDataException as ex:`
			`logger.critical(ex)`
			`except:`
			`raise`
Added --count switch to count the number of entries for a specific table (when -T is provided), all database's tables (when only -D is provided) or all databases' tables when neither -D nor -T are provided 2011-04-30 00:22:22 +00:00
Actually brute-force switches make more sense just after their "normal" version. Also, getSchema() method is preferably to be called before getColumns(), see next commit for reason 2011-04-29 21:09:07 +00:00			`if conf.commonColumns:`
Fixes #373 2019-02-21 01:10:43 +01:00			`try:`
			`conf.dumper.dbTableColumns(columnExists(paths.COMMON_COLUMNS))`
			`except SqlmapNoneDataException as ex:`
			`logger.critical(ex)`
			`except:`
			`raise`
Actually brute-force switches make more sense just after their "normal" version. Also, getSchema() method is preferably to be called before getColumns(), see next commit for reason 2011-04-29 21:09:07 +00:00
After the storm, a restore.. 2008-10-15 15:38:22 +00:00			`if conf.dumpTable:`
Fixes #373 2019-02-21 01:10:43 +01:00			`try:`
			`conf.dbmsHandler.dumpTable()`
			`except SqlmapNoneDataException as ex:`
			`logger.critical(ex)`
			`except:`
			`raise`
After the storm, a restore.. 2008-10-15 15:38:22 +00:00
			`if conf.dumpAll:`
Fixes #373 2019-02-21 01:10:43 +01:00			`try:`
			`conf.dbmsHandler.dumpAll()`
			`except SqlmapNoneDataException as ex:`
			`logger.critical(ex)`
			`except:`
			`raise`
After the storm, a restore.. 2008-10-15 15:38:22 +00:00
Added option --search to work in conjunction with -D (done), -T (soon) or -C (replaces --dump -C) - See #190: * --search -D foobar: searches all database names like the ones provided * --search -T foobar: searches all databases' table names like the ones provided (soon) * --search -C foobar: replaces --dump -C 2010-05-07 13:40:57 +00:00			`if conf.search:`
Fixes #373 2019-02-21 01:10:43 +01:00			`try:`
			`conf.dbmsHandler.search()`
			`except SqlmapNoneDataException as ex:`
			`logger.critical(ex)`
			`except:`
			`raise`
Added option --search to work in conjunction with -D (done), -T (soon) or -C (replaces --dump -C) - See #190: * --search -D foobar: searches all database names like the ones provided * --search -T foobar: searches all databases' table names like the ones provided (soon) * --search -C foobar: replaces --dump -C 2010-05-07 13:40:57 +00:00
Minor update 2019-04-30 14:04:39 +02:00			`if conf.sqlQuery:`
Minor improvement 2019-11-26 13:36:06 +01:00			`for query in conf.sqlQuery.strip(';').split(';'):`
			`query = query.strip()`
			`if query:`
			`conf.dumper.sqlQuery(query, conf.dbmsHandler.sqlQuery(query))`
After the storm, a restore.. 2008-10-15 15:38:22 +00:00
			`if conf.sqlShell:`
			`conf.dbmsHandler.sqlShell()`

initial work for issue #33 2012-07-10 00:27:08 +01:00			`if conf.sqlFile:`
			`conf.dbmsHandler.sqlFile()`

Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring. 2009-09-25 23:03:45 +00:00			`# User-defined function options`
			`if conf.udfInject:`
			`conf.dbmsHandler.udfInjectCustom()`

After the storm, a restore.. 2008-10-15 15:38:22 +00:00			`# File system options`
Minor refactoring 2018-08-28 14:31:20 +02:00			`if conf.fileRead:`
			`conf.dumper.rFile(conf.dbmsHandler.readFile(conf.fileRead))`
After the storm, a restore.. 2008-10-15 15:38:22 +00:00
Minor refactoring 2018-08-28 14:31:20 +02:00			`if conf.fileWrite:`
			`conf.dbmsHandler.writeFile(conf.fileWrite, conf.fileDest, conf.fileWriteType)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 11:48:07 +00:00
Implements #2908 2019-06-27 17:28:43 +02:00			`if conf.commonFiles:`
			`try:`
			`conf.dumper.rFile(fileExists(paths.COMMON_FILES))`
			`except SqlmapNoneDataException as ex:`
			`logger.critical(ex)`
			`except:`
			`raise`

Updated to sqlmap 0.7 release candidate 1 2009-04-22 11:48:07 +00:00			`# Operating system options`
			`if conf.osCmd:`
			`conf.dbmsHandler.osCmd()`
After the storm, a restore.. 2008-10-15 15:38:22 +00:00
			`if conf.osShell:`
			`conf.dbmsHandler.osShell()`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 11:48:07 +00:00
			`if conf.osPwn:`
			`conf.dbmsHandler.osPwn()`

			`if conf.osSmb:`
			`conf.dbmsHandler.osSmb()`

			`if conf.osBof:`
			`conf.dbmsHandler.osBof()`

Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring. 2009-09-25 23:03:45 +00:00			`# Windows registry options`
			`if conf.regRead:`
Adapted and merged in patch to support XML output (-x switch) - still in beta. Minor bug fixes and adjustments. 2010-05-28 16:43:04 +00:00			`conf.dumper.registerValue(conf.dbmsHandler.regRead())`
Merged back from personal branch to trunk (svn merge -r846:940 ...) Changes: * Major enhancement to the Microsoft SQL Server stored procedure heap-based buffer overflow exploit (--os-bof) to automatically bypass DEP memory protection. * Added support for MySQL and PostgreSQL to execute Metasploit shellcode via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an option instead of uploading the standalone payload stager executable. * Added options for MySQL, PostgreSQL and Microsoft SQL Server to read/add/delete Windows registry keys. * Added options for MySQL and PostgreSQL to inject custom user-defined functions. * Added support for --first and --last so the user now has even more granularity in what to enumerate in the query output. * Minor enhancement to save the session by default in 'output/hostname/session' file if -s option is not specified. * Minor improvement to automatically remove sqlmap created temporary files from the DBMS underlying file system. * Minor bugs fixed. * Major code refactoring. 2009-09-25 23:03:45 +00:00
			`if conf.regAdd:`
			`conf.dbmsHandler.regAdd()`

			`if conf.regDel:`
			`conf.dbmsHandler.regDel()`

Updated to sqlmap 0.7 release candidate 1 2009-04-22 11:48:07 +00:00			`# Miscellaneous options`
			`if conf.cleanup:`
			`conf.dbmsHandler.cleanup()`
Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments. 2010-03-26 23:23:25 +00:00
			`if conf.direct:`
			`conf.dbmsConnector.close()`