def unionTest(comment, place, parameter, value, prefix, suffix):
"""
This method tests if the target URL is affected by an union
SQL injection vulnerability. The test is done up to 3*50 times
"""
if conf.direct:
return
negativeLogic = kb.negativeLogic
setTechnique(PAYLOAD.TECHNIQUE.UNION)
try:
if negativeLogic:
pushValue(kb.negativeLogic)
pushValue(conf.string)
pushValue(conf.code)
kb.negativeLogic = False
conf.string = conf.code = None
validPayload, vector = _unionTestByCharBruteforce(
comment, place, parameter, value, prefix, suffix)
finally:
if negativeLogic:
conf.code = popValue()
conf.string = popValue()
kb.negativeLogic = popValue()
if validPayload:
validPayload = agent.removePayloadDelimiters(validPayload)
return validPayload, vector
def goStacked(expression, silent=False):
if PAYLOAD.TECHNIQUE.STACKED in kb.injection.data:
setTechnique(PAYLOAD.TECHNIQUE.STACKED)
else:
for technique in getPublicTypeMembers(PAYLOAD.TECHNIQUE, True):
_ = getTechniqueData(technique)
if _ and "stacked" in _["title"].lower():
setTechnique(technique)
break
expression = cleanQuery(expression)
if conf.direct:
return direct(expression)
query = agent.prefixQuery(";%s" % expression)
query = agent.suffixQuery(query)
payload = agent.payload(newValue=query)
Request.queryPage(payload, content=False, silent=silent, noteResponseTime=False, timeBasedCompare="SELECT" in (payload or "").upper())
def getValue(expression,
blind=True,
union=True,
error=True,
time=True,
fromUser=False,
expected=None,
batch=False,
unpack=True,
resumeValue=True,
charsetType=None,
firstChar=None,
lastChar=None,
dump=False,
suppressOutput=None,
expectingNone=False,
safeCharEncode=True):
"""
Called each time sqlmap inject a SQL query on the SQL injection
affected parameter.
"""
if conf.hexConvert and expected != EXPECTED.BOOL and Backend.getIdentifiedDbms(
):
if not hasattr(queries[Backend.getIdentifiedDbms()], "hex"):
warnMsg = "switch '--hex' is currently not supported on DBMS %s" % Backend.getIdentifiedDbms(
)
singleTimeWarnMessage(warnMsg)
conf.hexConvert = False
else:
charsetType = CHARSET_TYPE.HEXADECIMAL
kb.safeCharEncode = safeCharEncode
kb.resumeValues = resumeValue
for keyword in GET_VALUE_UPPERCASE_KEYWORDS:
expression = re.sub(r"(?i)(\A|\(|\)|\s)%s(\Z|\(|\)|\s)" % keyword,
r"\g<1>%s\g<2>" % keyword, expression)
if suppressOutput is not None:
pushValue(getCurrentThreadData().disableStdOut)
getCurrentThreadData().disableStdOut = suppressOutput
try:
pushValue(conf.db)
pushValue(conf.tbl)
if expected == EXPECTED.BOOL:
forgeCaseExpression = booleanExpression = expression
if expression.startswith("SELECT "):
booleanExpression = "(%s)=%s" % (booleanExpression,
"'1'" if "'1'"
in booleanExpression else "1")
else:
forgeCaseExpression = agent.forgeCaseStatement(expression)
if conf.direct:
value = direct(forgeCaseExpression if expected ==
EXPECTED.BOOL else expression)
elif any(
isTechniqueAvailable(_)
for _ in getPublicTypeMembers(PAYLOAD.TECHNIQUE,
onlyValues=True)):
query = cleanQuery(expression)
query = expandAsteriskForColumns(query)
value = None
found = False
count = 0
if query and not re.search(r"COUNT.*FROM.*\(.*DISTINCT", query,
re.I):
query = query.replace("DISTINCT ", "")
if not conf.forceDns:
if union and isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION):
setTechnique(PAYLOAD.TECHNIQUE.UNION)
kb.forcePartialUnion = kb.injection.data[
PAYLOAD.TECHNIQUE.UNION].vector[8]
fallback = not expected and kb.injection.data[
PAYLOAD.TECHNIQUE.
UNION].where == PAYLOAD.WHERE.ORIGINAL and not kb.forcePartialUnion
try:
value = _goUnion(
forgeCaseExpression if expected == EXPECTED.BOOL
else query, unpack, dump)
except SqlmapConnectionException:
if not fallback:
raise
count += 1
found = (value is not None) or (
value is None
and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
if not found and fallback:
warnMsg = "something went wrong with full UNION "
warnMsg += "technique (could be because of "
warnMsg += "limitation on retrieved number of entries)"
if " FROM " in query.upper():
warnMsg += ". Falling back to partial UNION technique"
singleTimeWarnMessage(warnMsg)
try:
pushValue(kb.forcePartialUnion)
kb.forcePartialUnion = True
value = _goUnion(query, unpack, dump)
found = (value
is not None) or (value is None
and expectingNone)
finally:
kb.forcePartialUnion = popValue()
else:
singleTimeWarnMessage(warnMsg)
if error and any(
isTechniqueAvailable(_)
for _ in (PAYLOAD.TECHNIQUE.ERROR,
PAYLOAD.TECHNIQUE.QUERY)) and not found:
setTechnique(PAYLOAD.TECHNIQUE.ERROR if
isTechniqueAvailable(PAYLOAD.TECHNIQUE.ERROR)
else PAYLOAD.TECHNIQUE.QUERY)
value = errorUse(
forgeCaseExpression
if expected == EXPECTED.BOOL else query, dump)
count += 1
found = (value is not None) or (
value is None
and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
if found and conf.dnsDomain:
_ = "".join(
filterNone(
key if isTechniqueAvailable(value) else None
for key, value in {
'E': PAYLOAD.TECHNIQUE.ERROR,
'Q': PAYLOAD.TECHNIQUE.QUERY,
'U': PAYLOAD.TECHNIQUE.UNION
}.items()))
warnMsg = "option '--dns-domain' will be ignored "
warnMsg += "as faster techniques are usable "
warnMsg += "(%s) " % _
singleTimeWarnMessage(warnMsg)
if blind and isTechniqueAvailable(
PAYLOAD.TECHNIQUE.BOOLEAN) and not found:
setTechnique(PAYLOAD.TECHNIQUE.BOOLEAN)
if expected == EXPECTED.BOOL:
value = _goBooleanProxy(booleanExpression)
else:
value = _goInferenceProxy(query, fromUser, batch, unpack,
charsetType, firstChar, lastChar,
dump)
count += 1
found = (value is not None) or (
value is None
and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
if time and (isTechniqueAvailable(PAYLOAD.TECHNIQUE.TIME)
or isTechniqueAvailable(
PAYLOAD.TECHNIQUE.STACKED)) and not found:
match = re.search(r"\bFROM\b ([^ ]+).+ORDER BY ([^ ]+)",
expression)
kb.responseTimeMode = "%s|%s" % (
match.group(1), match.group(2)) if match else None
if isTechniqueAvailable(PAYLOAD.TECHNIQUE.TIME):
setTechnique(PAYLOAD.TECHNIQUE.TIME)
else:
setTechnique(PAYLOAD.TECHNIQUE.STACKED)
if expected == EXPECTED.BOOL:
value = _goBooleanProxy(booleanExpression)
else:
value = _goInferenceProxy(query, fromUser, batch, unpack,
charsetType, firstChar, lastChar,
dump)
else:
errMsg = "none of the injection types identified can be "
errMsg += "leveraged to retrieve queries output"
raise SqlmapNotVulnerableException(errMsg)
finally:
kb.resumeValues = True
kb.responseTimeMode = None
conf.tbl = popValue()
conf.db = popValue()
if suppressOutput is not None:
getCurrentThreadData().disableStdOut = popValue()
kb.safeCharEncode = False
if not any(
(kb.testMode, conf.dummy,
conf.offline)) and value is None and Backend.getDbms(
) and conf.dbmsHandler and not conf.noCast and not conf.hexConvert:
warnMsg = "in case of continuous data retrieval problems you are advised to try "
warnMsg += "a switch '--no-cast' "
warnMsg += "or switch '--hex'" if Backend.getIdentifiedDbms() not in (
DBMS.ACCESS, DBMS.FIREBIRD) else ""
singleTimeWarnMessage(warnMsg)
# Dirty patch (safe-encoded unicode characters)
if isinstance(value, six.text_type) and "\\x" in value:
try:
candidate = eval(
repr(value).replace("\\\\x", "\\x").replace(
"u'", "'", 1)).decode(conf.encoding or UNICODE_ENCODING)
if "\\x" not in candidate:
value = candidate
except:
pass
return extractExpectedValue(value, expected)