def getDbs(self):
if len(kb.data.cachedDbs) > 0:
return kb.data.cachedDbs
infoMsg = "fetching database names"
logger.info(infoMsg)
rootQuery = queries[DBMS.SYBASE].dbs
query = rootQuery.inband.query
if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
blinds = [False, True]
else:
blinds = [True]
for blind in blinds:
retVal = pivotDumpTable("(%s) AS %s" % (query, kb.aliasName), ['%s.name' % kb.aliasName], blind=blind, alias=kb.aliasName)
if retVal:
kb.data.cachedDbs = next(six.itervalues(retVal[0]))
break
if kb.data.cachedDbs:
kb.data.cachedDbs.sort()
return kb.data.cachedDbs
def getTables(self, bruteForce=None):
if len(kb.data.cachedTables) > 0:
return kb.data.cachedTables
self.forceDbmsEnum()
if conf.db == CURRENT_DB:
conf.db = self.getCurrentDb()
if conf.db:
dbs = conf.db.split(',')
else:
dbs = self.getDbs()
for db in dbs:
dbs[dbs.index(db)] = safeSQLIdentificatorNaming(db)
dbs = [_ for _ in dbs if _]
infoMsg = "fetching tables for database"
infoMsg += "%s: %s" % ("s" if len(dbs) > 1 else "", ", ".join(
db if isinstance(db, six.string_types) else db[0]
for db in sorted(dbs)))
logger.info(infoMsg)
if any(
isTechniqueAvailable(_)
for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR,
PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
blinds = [False, True]
else:
blinds = [True]
rootQuery = queries[DBMS.SYBASE].tables
for db in dbs:
for blind in blinds:
query = rootQuery.inband.query % db
retVal = pivotDumpTable("(%s) AS %s" % (query, kb.aliasName),
['%s.name' % kb.aliasName],
blind=blind,
alias=kb.aliasName)
if retVal:
for table in next(six.itervalues(retVal[0])):
if db not in kb.data.cachedTables:
kb.data.cachedTables[db] = [table]
else:
kb.data.cachedTables[db].append(table)
break
for db, tables in kb.data.cachedTables.items():
kb.data.cachedTables[db] = sorted(tables) if tables else tables
return kb.data.cachedTables
def getDbs(self):
if len(kb.data.cachedDbs) > 0:
return kb.data.cachedDbs
infoMsg = "fetching database names"
logger.info(infoMsg)
rootQuery = queries[DBMS.MAXDB].dbs
query = rootQuery.inband.query
retVal = pivotDumpTable("(%s) AS %s" % (query, kb.aliasName), ['%s.schemaname' % kb.aliasName], blind=True)
if retVal:
kb.data.cachedDbs = next(six.itervalues(retVal[0]))
if kb.data.cachedDbs:
kb.data.cachedDbs.sort()
return kb.data.cachedDbs
def unionThread():
threadData = getCurrentThreadData()
while kb.threadContinue:
with kb.locks.limit:
try:
threadData.shared.counter += 1
num = next(threadData.shared.limits)
except StopIteration:
break
if Backend.getIdentifiedDbms() in (DBMS.MSSQL,
DBMS.SYBASE):
field = expressionFieldsList[0]
elif Backend.isDbms(DBMS.ORACLE):
field = expressionFieldsList
else:
field = None
limitedExpr = agent.limitQuery(
num, expression, field)
output = _oneShotUnionUse(limitedExpr, unpack,
True)
if not kb.threadContinue:
break
if output:
with kb.locks.value:
if all(_ in output
for _ in (kb.chars.start,
kb.chars.stop)):
items = parseUnionPage(output)
if threadData.shared.showEta:
threadData.shared.progress.progress(
threadData.shared.counter)
if isListLike(items):
# in case that we requested N columns and we get M!=N then we have to filter a bit
if len(items) > 1 and len(
expressionFieldsList) > 1:
items = [
item for item in items
if isListLike(item)
and len(item) == len(
expressionFieldsList)
]
items = [
_ for _ in flattenValue(items)
]
if len(items) > len(
expressionFieldsList):
filtered = OrderedDict()
for item in items:
key = re.sub(
r"[^A-Za-z0-9]", "",
item).lower()
if key not in filtered or re.search(
r"[^A-Za-z0-9]",
item):
filtered[key] = item
items = list(
six.itervalues(filtered))
items = [items]
index = None
for index in xrange(1 + len(
threadData.shared.buffered)):
if index < len(
threadData.shared.buffered
) and threadData.shared.buffered[
index][0] >= num:
break
threadData.shared.buffered.insert(
index or 0, (num, items))
else:
index = None
if threadData.shared.showEta:
threadData.shared.progress.progress(
threadData.shared.counter)
for index in xrange(1 + len(
threadData.shared.buffered)):
if index < len(
threadData.shared.buffered
) and threadData.shared.buffered[
index][0] >= num:
break
threadData.shared.buffered.insert(
index or 0, (num, None))
items = output.replace(
kb.chars.start, "").replace(
kb.chars.stop,
"").split(kb.chars.delimiter)
while threadData.shared.buffered and (
threadData.shared.lastFlushed + 1
>= threadData.shared.buffered[0][0]
or
len(threadData.shared.buffered) >
MAX_BUFFERED_PARTIAL_UNION_LENGTH):
threadData.shared.lastFlushed, _ = threadData.shared.buffered[
0]
if not isNoneValue(_):
threadData.shared.value.extend(
arrayizeValue(_))
del threadData.shared.buffered[0]
if conf.verbose == 1 and not (
threadData.resumed
and kb.suppressResumeInfo
) and not threadData.shared.showEta and not kb.bruteMode:
_ = ','.join("'%s'" % _ for _ in (
flattenValue(arrayizeValue(items)) if
not isinstance(items, six.string_types)
else [items]))
status = "[%s] [INFO] %s: %s" % (
time.strftime("%X"), "resumed"
if threadData.resumed else "retrieved",
_ if kb.safeCharEncode else
safecharencode(_))
if len(status) > width:
status = "%s..." % status[:width - 3]
dataToStdout("%s\n" % status)
def dumpTable(self, foundData=None):
self.forceDbmsEnum()
if conf.db is None or conf.db == CURRENT_DB:
if conf.db is None:
warnMsg = "missing database parameter. sqlmap is going "
warnMsg += "to use the current database to enumerate "
warnMsg += "table(s) entries"
logger.warn(warnMsg)
conf.db = self.getCurrentDb()
elif conf.db is not None:
if Backend.getIdentifiedDbms() in UPPER_CASE_DBMSES:
conf.db = conf.db.upper()
if ',' in conf.db:
errMsg = "only one database name is allowed when enumerating "
errMsg += "the tables' columns"
raise SqlmapMissingMandatoryOptionException(errMsg)
if conf.exclude and re.search(conf.exclude, conf.db,
re.I) is not None:
infoMsg = "skipping database '%s'" % unsafeSQLIdentificatorNaming(
conf.db)
singleTimeLogMessage(infoMsg)
return
conf.db = safeSQLIdentificatorNaming(conf.db)
if conf.tbl:
if Backend.getIdentifiedDbms() in UPPER_CASE_DBMSES:
conf.tbl = conf.tbl.upper()
tblList = conf.tbl.split(',')
else:
self.getTables()
if len(kb.data.cachedTables) > 0:
tblList = list(six.itervalues(kb.data.cachedTables))
if tblList and isListLike(tblList[0]):
tblList = tblList[0]
elif not conf.search:
errMsg = "unable to retrieve the tables "
errMsg += "in database '%s'" % unsafeSQLIdentificatorNaming(
conf.db)
raise SqlmapNoneDataException(errMsg)
else:
return
for tbl in tblList:
tblList[tblList.index(tbl)] = safeSQLIdentificatorNaming(tbl, True)
for tbl in tblList:
if kb.dumpKeyboardInterrupt:
break
if conf.exclude and re.search(conf.exclude, tbl, re.I) is not None:
infoMsg = "skipping table '%s'" % unsafeSQLIdentificatorNaming(
tbl)
singleTimeLogMessage(infoMsg)
continue
conf.tbl = tbl
kb.data.dumpedTable = {}
if foundData is None:
kb.data.cachedColumns = {}
self.getColumns(onlyColNames=True, dumpMode=True)
else:
kb.data.cachedColumns = foundData
try:
if Backend.isDbms(DBMS.INFORMIX):
kb.dumpTable = "%s:%s" % (conf.db, tbl)
elif Backend.isDbms(DBMS.SQLITE):
kb.dumpTable = tbl
else:
kb.dumpTable = "%s.%s" % (conf.db, tbl)
if safeSQLIdentificatorNaming(
conf.db
) not in kb.data.cachedColumns or safeSQLIdentificatorNaming(
tbl, True
) not in kb.data.cachedColumns[safeSQLIdentificatorNaming(
conf.db
)] or not kb.data.cachedColumns[safeSQLIdentificatorNaming(
conf.db)][safeSQLIdentificatorNaming(tbl, True)]:
warnMsg = "unable to enumerate the columns for table "
warnMsg += "'%s' in database" % unsafeSQLIdentificatorNaming(
tbl)
warnMsg += " '%s'" % unsafeSQLIdentificatorNaming(conf.db)
warnMsg += ", skipping" if len(tblList) > 1 else ""
logger.warn(warnMsg)
continue
columns = kb.data.cachedColumns[safeSQLIdentificatorNaming(
conf.db)][safeSQLIdentificatorNaming(tbl, True)]
colList = sorted(column for column in columns if column)
if conf.exclude:
colList = [
_ for _ in colList
if re.search(conf.exclude, _, re.I) is None
]
if not colList:
warnMsg = "skipping table '%s'" % unsafeSQLIdentificatorNaming(
tbl)
warnMsg += " in database '%s'" % unsafeSQLIdentificatorNaming(
conf.db)
warnMsg += " (no usable column names)"
logger.warn(warnMsg)
continue
kb.dumpColumns = [
unsafeSQLIdentificatorNaming(_) for _ in colList
]
colNames = colString = ','.join(column for column in colList)
rootQuery = queries[Backend.getIdentifiedDbms()].dump_table
infoMsg = "fetching entries"
if conf.col:
infoMsg += " of column(s) '%s'" % colNames
infoMsg += " for table '%s'" % unsafeSQLIdentificatorNaming(
tbl)
infoMsg += " in database '%s'" % unsafeSQLIdentificatorNaming(
conf.db)
logger.info(infoMsg)
for column in colList:
_ = agent.preprocessField(tbl, column)
if _ != column:
colString = re.sub(r"\b%s\b" % re.escape(column),
_.replace("\\", r"\\"), colString)
entriesCount = 0
if any(
isTechniqueAvailable(_)
for _ in (PAYLOAD.TECHNIQUE.UNION,
PAYLOAD.TECHNIQUE.ERROR,
PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
entries = []
query = None
if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2,
DBMS.DERBY,
DBMS.ALTIBASE,
DBMS.MIMERSQL):
query = rootQuery.inband.query % (
colString, tbl.upper() if not conf.db else
("%s.%s" % (conf.db.upper(), tbl.upper())))
elif Backend.getIdentifiedDbms() in (DBMS.SQLITE,
DBMS.ACCESS,
DBMS.FIREBIRD,
DBMS.MAXDB,
DBMS.MCKOI,
DBMS.EXTREMEDB):
query = rootQuery.inband.query % (colString, tbl)
elif Backend.getIdentifiedDbms() in (DBMS.SYBASE,
DBMS.MSSQL):
# Partial inband and error
if not (isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION)
and kb.injection.data[PAYLOAD.TECHNIQUE.UNION].
where == PAYLOAD.WHERE.ORIGINAL):
table = "%s.%s" % (conf.db, tbl)
if Backend.isDbms(
DBMS.MSSQL) and not conf.forcePivoting:
warnMsg = "in case of table dumping problems (e.g. column entry order) "
warnMsg += "you are advised to rerun with '--force-pivoting'"
singleTimeWarnMessage(warnMsg)
query = rootQuery.blind.count % table
query = agent.whereQuery(query)
count = inject.getValue(
query,
blind=False,
time=False,
expected=EXPECTED.INT,
charsetType=CHARSET_TYPE.DIGITS)
if isNumPosStrValue(count):
try:
indexRange = getLimitRange(
count, plusOne=True)
for index in indexRange:
row = []
for column in colList:
query = rootQuery.blind.query3 % (
column, column, table,
index)
query = agent.whereQuery(query)
value = inject.getValue(
query,
blind=False,
time=False,
dump=True) or ""
row.append(value)
if not entries and isNoneValue(
row):
break
entries.append(row)
except KeyboardInterrupt:
kb.dumpKeyboardInterrupt = True
clearConsoleLine()
warnMsg = "Ctrl+C detected in dumping phase"
logger.warn(warnMsg)
if isNoneValue(
entries) and not kb.dumpKeyboardInterrupt:
try:
retVal = pivotDumpTable(table,
colList,
blind=False)
except KeyboardInterrupt:
retVal = None
kb.dumpKeyboardInterrupt = True
clearConsoleLine()
warnMsg = "Ctrl+C detected in dumping phase"
logger.warn(warnMsg)
if retVal:
entries, _ = retVal
entries = BigArray(
_zip(*[
entries[colName]
for colName in colList
]))
else:
query = rootQuery.inband.query % (colString,
conf.db, tbl)
elif Backend.getIdentifiedDbms() in (DBMS.MYSQL,
DBMS.PGSQL,
DBMS.HSQLDB, DBMS.H2,
DBMS.VERTICA,
DBMS.PRESTO,
DBMS.CRATEDB,
DBMS.CACHE):
query = rootQuery.inband.query % (
colString, conf.db, tbl,
prioritySortColumns(colList)[0])
else:
query = rootQuery.inband.query % (colString, conf.db,
tbl)
query = agent.whereQuery(query)
if not entries and query and not kb.dumpKeyboardInterrupt:
try:
entries = inject.getValue(query,
blind=False,
time=False,
dump=True)
except KeyboardInterrupt:
entries = None
kb.dumpKeyboardInterrupt = True
clearConsoleLine()
warnMsg = "Ctrl+C detected in dumping phase"
logger.warn(warnMsg)
if not isNoneValue(entries):
if isinstance(entries, six.string_types):
entries = [entries]
elif not isListLike(entries):
entries = []
entriesCount = len(entries)
for index, column in enumerate(colList):
if column not in kb.data.dumpedTable:
kb.data.dumpedTable[column] = {
"length": len(column),
"values": BigArray()
}
for entry in entries:
if entry is None or len(entry) == 0:
continue
if isinstance(entry, six.string_types):
colEntry = entry
else:
colEntry = unArrayizeValue(
entry[index]
) if index < len(entry) else u''
maxLen = max(
getConsoleLength(column),
getConsoleLength(
DUMP_REPLACEMENTS.get(
getUnicode(colEntry),
getUnicode(colEntry))))
if maxLen > kb.data.dumpedTable[column][
"length"]:
kb.data.dumpedTable[column][
"length"] = maxLen
kb.data.dumpedTable[column]["values"].append(
colEntry)
if not kb.data.dumpedTable and isInferenceAvailable(
) and not conf.direct:
infoMsg = "fetching number of "
if conf.col:
infoMsg += "column(s) '%s' " % colNames
infoMsg += "entries for table '%s' " % unsafeSQLIdentificatorNaming(
tbl)
infoMsg += "in database '%s'" % unsafeSQLIdentificatorNaming(
conf.db)
logger.info(infoMsg)
if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2,
DBMS.DERBY,
DBMS.ALTIBASE,
DBMS.MIMERSQL):
query = rootQuery.blind.count % (
tbl.upper() if not conf.db else
("%s.%s" % (conf.db.upper(), tbl.upper())))
elif Backend.getIdentifiedDbms() in (DBMS.SQLITE,
DBMS.ACCESS,
DBMS.FIREBIRD,
DBMS.MCKOI,
DBMS.EXTREMEDB):
query = rootQuery.blind.count % tbl
elif Backend.getIdentifiedDbms() in (DBMS.SYBASE,
DBMS.MSSQL):
query = rootQuery.blind.count % ("%s.%s" %
(conf.db, tbl))
elif Backend.isDbms(DBMS.MAXDB):
query = rootQuery.blind.count % tbl
elif Backend.isDbms(DBMS.INFORMIX):
query = rootQuery.blind.count % (conf.db, tbl)
else:
query = rootQuery.blind.count % (conf.db, tbl)
query = agent.whereQuery(query)
count = inject.getValue(query,
union=False,
error=False,
expected=EXPECTED.INT,
charsetType=CHARSET_TYPE.DIGITS)
lengths = {}
entries = {}
if count == 0:
warnMsg = "table '%s' " % unsafeSQLIdentificatorNaming(
tbl)
warnMsg += "in database '%s' " % unsafeSQLIdentificatorNaming(
conf.db)
warnMsg += "appears to be empty"
logger.warn(warnMsg)
for column in colList:
lengths[column] = len(column)
entries[column] = []
elif not isNumPosStrValue(count):
warnMsg = "unable to retrieve the number of "
if conf.col:
warnMsg += "column(s) '%s' " % colNames
warnMsg += "entries for table '%s' " % unsafeSQLIdentificatorNaming(
tbl)
warnMsg += "in database '%s'" % unsafeSQLIdentificatorNaming(
conf.db)
logger.warn(warnMsg)
continue
elif Backend.getIdentifiedDbms() in (DBMS.ACCESS,
DBMS.SYBASE,
DBMS.MAXDB,
DBMS.MSSQL,
DBMS.INFORMIX,
DBMS.MCKOI):
if Backend.getIdentifiedDbms() in (DBMS.ACCESS,
DBMS.MCKOI,
DBMS.EXTREMEDB):
table = tbl
elif Backend.getIdentifiedDbms() in (DBMS.SYBASE,
DBMS.MSSQL,
DBMS.MAXDB):
table = "%s.%s" % (conf.db, tbl)
elif Backend.isDbms(DBMS.INFORMIX):
table = "%s:%s" % (conf.db, tbl)
if Backend.isDbms(
DBMS.MSSQL) and not conf.forcePivoting:
warnMsg = "in case of table dumping problems (e.g. column entry order) "
warnMsg += "you are advised to rerun with '--force-pivoting'"
singleTimeWarnMessage(warnMsg)
try:
indexRange = getLimitRange(count, plusOne=True)
for index in indexRange:
for column in colList:
query = rootQuery.blind.query3 % (
column, column, table, index)
query = agent.whereQuery(query)
value = inject.getValue(
query,
union=False,
error=False,
dump=True) or ""
if column not in lengths:
lengths[column] = 0
if column not in entries:
entries[column] = BigArray()
lengths[column] = max(
lengths[column],
len(
DUMP_REPLACEMENTS.get(
getUnicode(value),
getUnicode(value))))
entries[column].append(value)
except KeyboardInterrupt:
kb.dumpKeyboardInterrupt = True
clearConsoleLine()
warnMsg = "Ctrl+C detected in dumping phase"
logger.warn(warnMsg)
if not entries and not kb.dumpKeyboardInterrupt:
try:
retVal = pivotDumpTable(table,
colList,
count,
blind=True)
except KeyboardInterrupt:
retVal = None
kb.dumpKeyboardInterrupt = True
clearConsoleLine()
warnMsg = "Ctrl+C detected in dumping phase"
logger.warn(warnMsg)
if retVal:
entries, lengths = retVal
else:
emptyColumns = []
plusOne = Backend.getIdentifiedDbms(
) in PLUS_ONE_DBMSES
indexRange = getLimitRange(count, plusOne=plusOne)
if len(colList) < len(
indexRange) > CHECK_ZERO_COLUMNS_THRESHOLD:
debugMsg = "checking for empty columns"
logger.debug(infoMsg)
for column in colList:
if not inject.checkBooleanExpression(
"(SELECT COUNT(%s) FROM %s)>0" %
(column, kb.dumpTable)):
emptyColumns.append(column)
debugMsg = "column '%s' of table '%s' will not be " % (
column, kb.dumpTable)
debugMsg += "dumped as it appears to be empty"
logger.debug(debugMsg)
try:
for index in indexRange:
for column in colList:
value = ""
if column not in lengths:
lengths[column] = 0
if column not in entries:
entries[column] = BigArray()
if Backend.getIdentifiedDbms() in (
DBMS.MYSQL, DBMS.PGSQL,
DBMS.HSQLDB, DBMS.H2, DBMS.VERTICA,
DBMS.PRESTO, DBMS.CRATEDB,
DBMS.CACHE):
query = rootQuery.blind.query % (
agent.preprocessField(tbl, column),
conf.db, conf.tbl,
sorted(colList, key=len)[0], index)
elif Backend.getIdentifiedDbms() in (
DBMS.ORACLE,
DBMS.DB2,
DBMS.DERBY,
DBMS.ALTIBASE,
):
query = rootQuery.blind.query % (
agent.preprocessField(tbl, column),
tbl.upper() if not conf.db else
("%s.%s" %
(conf.db.upper(), tbl.upper())),
index)
elif Backend.getIdentifiedDbms() in (
DBMS.MIMERSQL, ):
query = rootQuery.blind.query % (
agent.preprocessField(tbl, column),
tbl.upper() if not conf.db else
("%s.%s" %
(conf.db.upper(), tbl.upper())),
sorted(colList, key=len)[0], index)
elif Backend.getIdentifiedDbms() in (
DBMS.SQLITE, DBMS.EXTREMEDB):
query = rootQuery.blind.query % (
agent.preprocessField(
tbl, column), tbl, index)
elif Backend.isDbms(DBMS.FIREBIRD):
query = rootQuery.blind.query % (
index,
agent.preprocessField(tbl,
column), tbl)
elif Backend.isDbms(DBMS.INFORMIX):
query = rootQuery.blind.query % (
index,
agent.preprocessField(
tbl, column), conf.db, tbl,
sorted(colList, key=len)[0])
elif Backend.isDbms(DBMS.FRONTBASE):
query = rootQuery.blind.query % (
index,
agent.preprocessField(
tbl, column), conf.db, tbl)
else:
query = rootQuery.blind.query % (
agent.preprocessField(tbl, column),
conf.db, tbl, index)
query = agent.whereQuery(query)
value = NULL if column in emptyColumns else inject.getValue(
query,
union=False,
error=False,
dump=True)
value = '' if value is None else value
lengths[column] = max(
lengths[column],
len(
DUMP_REPLACEMENTS.get(
getUnicode(value),
getUnicode(value))))
entries[column].append(value)
except KeyboardInterrupt:
kb.dumpKeyboardInterrupt = True
clearConsoleLine()
warnMsg = "Ctrl+C detected in dumping phase"
logger.warn(warnMsg)
for column, columnEntries in entries.items():
length = max(lengths[column], len(column))
kb.data.dumpedTable[column] = {
"length": length,
"values": columnEntries
}
entriesCount = len(columnEntries)
if len(kb.data.dumpedTable) == 0 or (entriesCount == 0
and kb.permissionFlag):
warnMsg = "unable to retrieve the entries "
if conf.col:
warnMsg += "of columns '%s' " % colNames
warnMsg += "for table '%s' " % unsafeSQLIdentificatorNaming(
tbl)
warnMsg += "in database '%s'%s" % (
unsafeSQLIdentificatorNaming(conf.db),
" (permission denied)" if kb.permissionFlag else "")
logger.warn(warnMsg)
else:
kb.data.dumpedTable["__infos__"] = {
"count": entriesCount,
"table": safeSQLIdentificatorNaming(tbl, True),
"db": safeSQLIdentificatorNaming(conf.db)
}
try:
attackDumpedTable()
except (IOError, OSError) as ex:
errMsg = "an error occurred while attacking "
errMsg += "table dump ('%s')" % getSafeExString(ex)
logger.critical(errMsg)
conf.dumper.dbTableValues(kb.data.dumpedTable)
except SqlmapConnectionException as ex:
errMsg = "connection exception detected in dumping phase "
errMsg += "('%s')" % getSafeExString(ex)
logger.critical(errMsg)
finally:
kb.dumpColumns = None
kb.dumpTable = None
def getColumns(self, onlyColNames=False, colTuple=None, bruteForce=None, dumpMode=False):
self.forceDbmsEnum()
if conf.db is None or conf.db == CURRENT_DB:
if conf.db is None:
warnMsg = "missing database parameter. sqlmap is going "
warnMsg += "to use the current database to enumerate "
warnMsg += "table(s) columns"
logger.warn(warnMsg)
conf.db = self.getCurrentDb()
elif conf.db is not None:
if ',' in conf.db:
errMsg = "only one database name is allowed when enumerating "
errMsg += "the tables' columns"
raise SqlmapMissingMandatoryOptionException(errMsg)
conf.db = safeSQLIdentificatorNaming(conf.db)
if conf.col:
colList = conf.col.split(',')
else:
colList = []
if conf.exclude:
colList = [_ for _ in colList if re.search(conf.exclude, _, re.I) is None]
for col in colList:
colList[colList.index(col)] = safeSQLIdentificatorNaming(col)
if conf.tbl:
tblList = conf.tbl.split(',')
else:
self.getTables()
if len(kb.data.cachedTables) > 0:
tblList = list(six.itervalues(kb.data.cachedTables))
if tblList and isListLike(tblList[0]):
tblList = tblList[0]
else:
errMsg = "unable to retrieve the tables "
errMsg += "on database '%s'" % unsafeSQLIdentificatorNaming(conf.db)
raise SqlmapNoneDataException(errMsg)
for tbl in tblList:
tblList[tblList.index(tbl)] = safeSQLIdentificatorNaming(tbl, True)
if bruteForce:
resumeAvailable = False
for tbl in tblList:
for db, table, colName, colType in kb.brute.columns:
if db == conf.db and table == tbl:
resumeAvailable = True
break
if resumeAvailable and not conf.freshQueries or colList:
columns = {}
for column in colList:
columns[column] = None
for tbl in tblList:
for db, table, colName, colType in kb.brute.columns:
if db == conf.db and table == tbl:
columns[colName] = colType
if conf.db in kb.data.cachedColumns:
kb.data.cachedColumns[safeSQLIdentificatorNaming(conf.db)][safeSQLIdentificatorNaming(tbl, True)] = columns
else:
kb.data.cachedColumns[safeSQLIdentificatorNaming(conf.db)] = {safeSQLIdentificatorNaming(tbl, True): columns}
return kb.data.cachedColumns
message = "do you want to use common column existence check? [y/N/q] "
choice = readInput(message, default='Y' if 'Y' in message else 'N').upper()
if choice == 'N':
return
elif choice == 'Q':
raise SqlmapUserQuitException
else:
return columnExists(paths.COMMON_COLUMNS)
rootQuery = queries[DBMS.SYBASE].columns
if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
blinds = [False, True]
else:
blinds = [True]
for tbl in tblList:
if conf.db is not None and len(kb.data.cachedColumns) > 0 \
and conf.db in kb.data.cachedColumns and tbl in \
kb.data.cachedColumns[conf.db]:
infoMsg = "fetched tables' columns on "
infoMsg += "database '%s'" % unsafeSQLIdentificatorNaming(conf.db)
logger.info(infoMsg)
return {conf.db: kb.data.cachedColumns[conf.db]}
if dumpMode and colList:
table = {}
table[safeSQLIdentificatorNaming(tbl, True)] = dict((_, None) for _ in colList)
kb.data.cachedColumns[safeSQLIdentificatorNaming(conf.db)] = table
continue
infoMsg = "fetching columns "
infoMsg += "for table '%s' " % unsafeSQLIdentificatorNaming(tbl)
infoMsg += "on database '%s'" % unsafeSQLIdentificatorNaming(conf.db)
logger.info(infoMsg)
for blind in blinds:
query = rootQuery.inband.query % (conf.db, conf.db, conf.db, conf.db, conf.db, conf.db, conf.db, unsafeSQLIdentificatorNaming(tbl))
retVal = pivotDumpTable("(%s) AS %s" % (query, kb.aliasName), ['%s.name' % kb.aliasName, '%s.usertype' % kb.aliasName], blind=blind, alias=kb.aliasName)
if retVal:
table = {}
columns = {}
for name, type_ in filterPairValues(_zip(retVal[0]["%s.name" % kb.aliasName], retVal[0]["%s.usertype" % kb.aliasName])):
columns[name] = SYBASE_TYPES.get(int(type_) if hasattr(type_, "isdigit") and type_.isdigit() else type_, type_)
table[safeSQLIdentificatorNaming(tbl, True)] = columns
kb.data.cachedColumns[safeSQLIdentificatorNaming(conf.db)] = table
break
return kb.data.cachedColumns
def getColumns(self, onlyColNames=False, colTuple=None, bruteForce=None, dumpMode=False):
self.forceDbmsEnum()
if conf.db is None or conf.db == CURRENT_DB:
if conf.db is None:
warnMsg = "missing database parameter. sqlmap is going "
warnMsg += "to use the current database to enumerate "
warnMsg += "table(s) columns"
logger.warn(warnMsg)
conf.db = self.getCurrentDb()
if not conf.db:
errMsg = "unable to retrieve the current "
errMsg += "database name"
raise SqlmapNoneDataException(errMsg)
elif conf.db is not None:
if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2, DBMS.HSQLDB, DBMS.H2):
conf.db = conf.db.upper()
if ',' in conf.db:
errMsg = "only one database name is allowed when enumerating "
errMsg += "the tables' columns"
raise SqlmapMissingMandatoryOptionException(errMsg)
conf.db = safeSQLIdentificatorNaming(conf.db)
if conf.col:
if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
conf.col = conf.col.upper()
colList = conf.col.split(',')
else:
colList = []
if conf.exclude:
colList = [_ for _ in colList if re.search(conf.exclude, _, re.I) is None]
for col in colList:
colList[colList.index(col)] = safeSQLIdentificatorNaming(col)
colList = [_ for _ in colList if _]
if conf.tbl:
if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2, DBMS.HSQLDB, DBMS.H2):
conf.tbl = conf.tbl.upper()
tblList = conf.tbl.split(',')
else:
self.getTables()
if len(kb.data.cachedTables) > 0:
if conf.db in kb.data.cachedTables:
tblList = kb.data.cachedTables[conf.db]
else:
tblList = list(six.itervalues(kb.data.cachedTables))
if tblList and isListLike(tblList[0]):
tblList = tblList[0]
tblList = list(tblList)
elif not conf.search:
errMsg = "unable to retrieve the tables "
errMsg += "in database '%s'" % unsafeSQLIdentificatorNaming(conf.db)
raise SqlmapNoneDataException(errMsg)
else:
return kb.data.cachedColumns
tblList = filterNone(safeSQLIdentificatorNaming(_, True) for _ in tblList)
if bruteForce is None:
if Backend.isDbms(DBMS.MYSQL) and not kb.data.has_information_schema:
errMsg = "information_schema not available, "
errMsg += "back-end DBMS is MySQL < 5.0"
logger.error(errMsg)
bruteForce = True
elif Backend.isDbms(DBMS.ACCESS):
errMsg = "cannot retrieve column names, "
errMsg += "back-end DBMS is %s" % DBMS.ACCESS
logger.error(errMsg)
bruteForce = True
if bruteForce:
resumeAvailable = False
for tbl in tblList:
for db, table, colName, colType in kb.brute.columns:
if db == conf.db and table == tbl:
resumeAvailable = True
break
if resumeAvailable and not conf.freshQueries or colList:
columns = {}
for column in colList:
columns[column] = None
for tbl in tblList:
for db, table, colName, colType in kb.brute.columns:
if db == conf.db and table == tbl:
columns[colName] = colType
if conf.db in kb.data.cachedColumns:
kb.data.cachedColumns[safeSQLIdentificatorNaming(conf.db)][safeSQLIdentificatorNaming(tbl, True)] = columns
else:
kb.data.cachedColumns[safeSQLIdentificatorNaming(conf.db)] = {safeSQLIdentificatorNaming(tbl, True): columns}
return kb.data.cachedColumns
message = "do you want to use common column existence check? %s" % ("[Y/n/q]" if Backend.getIdentifiedDbms() in (DBMS.ACCESS,) else "[y/N/q]")
choice = readInput(message, default='Y' if 'Y' in message else 'N').upper()
if choice == 'N':
return
elif choice == 'Q':
raise SqlmapUserQuitException
else:
return columnExists(paths.COMMON_COLUMNS)
rootQuery = queries[Backend.getIdentifiedDbms()].columns
condition = rootQuery.blind.condition if 'condition' in rootQuery.blind else None
if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
for tbl in tblList:
if conf.db is not None and len(kb.data.cachedColumns) > 0 \
and conf.db in kb.data.cachedColumns and tbl in \
kb.data.cachedColumns[conf.db]:
infoMsg = "fetched tables' columns on "
infoMsg += "database '%s'" % unsafeSQLIdentificatorNaming(conf.db)
logger.info(infoMsg)
return {conf.db: kb.data.cachedColumns[conf.db]}
infoMsg = "fetching columns "
condQuery = ""
if len(colList) > 0:
if colTuple:
_, colCondParam = colTuple
infoMsg += "LIKE '%s' " % ", ".join(unsafeSQLIdentificatorNaming(col) for col in sorted(colList))
else:
colCondParam = "='%s'"
infoMsg += "'%s' " % ", ".join(unsafeSQLIdentificatorNaming(col) for col in sorted(colList))
condQueryStr = "%%s%s" % colCondParam
condQuery = " AND (%s)" % " OR ".join(condQueryStr % (condition, unsafeSQLIdentificatorNaming(col)) for col in sorted(colList))
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.HSQLDB, DBMS.H2):
query = rootQuery.inband.query % (unsafeSQLIdentificatorNaming(tbl), unsafeSQLIdentificatorNaming(conf.db))
query += condQuery
elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
query = rootQuery.inband.query % (unsafeSQLIdentificatorNaming(tbl.upper()), unsafeSQLIdentificatorNaming(conf.db.upper()))
query += condQuery
elif Backend.isDbms(DBMS.MSSQL):
query = rootQuery.inband.query % (conf.db, conf.db, conf.db, conf.db,
conf.db, conf.db, conf.db, unsafeSQLIdentificatorNaming(tbl).split(".")[-1])
query += condQuery.replace("[DB]", conf.db)
elif Backend.getIdentifiedDbms() in (DBMS.SQLITE, DBMS.FIREBIRD):
query = rootQuery.inband.query % unsafeSQLIdentificatorNaming(tbl)
elif Backend.isDbms(DBMS.INFORMIX):
query = rootQuery.inband.query % (conf.db, conf.db, conf.db, conf.db, conf.db, unsafeSQLIdentificatorNaming(tbl))
query += condQuery
if dumpMode and colList:
values = [(_,) for _ in colList]
else:
infoMsg += "for table '%s' " % unsafeSQLIdentificatorNaming(tbl)
infoMsg += "in database '%s'" % unsafeSQLIdentificatorNaming(conf.db)
logger.info(infoMsg)
values = None
if Backend.isDbms(DBMS.MSSQL) and isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION):
expression = query
kb.dumpColumns = []
kb.rowXmlMode = True
for column in (extractRegexResult(r"SELECT (?P<result>.+?) FROM", query) or "").split(','):
kb.dumpColumns.append(randomStr().lower())
expression = expression.replace(column, "%s AS %s" % (column, kb.dumpColumns[-1]), 1)
values = unionUse(expression)
kb.rowXmlMode = False
kb.dumpColumns = None
if values is None:
values = inject.getValue(query, blind=False, time=False)
if values and isinstance(values[0], six.string_types):
values = [values]
if Backend.isDbms(DBMS.MSSQL) and isNoneValue(values):
index, values = 1, []
while True:
query = rootQuery.inband.query2 % (conf.db, unsafeSQLIdentificatorNaming(tbl), index)
value = unArrayizeValue(inject.getValue(query, blind=False, time=False))
if isNoneValue(value) or value == " ":
break
else:
values.append((value,))
index += 1
if Backend.isDbms(DBMS.SQLITE):
if dumpMode and colList:
if conf.db not in kb.data.cachedColumns:
kb.data.cachedColumns[conf.db] = {}
kb.data.cachedColumns[conf.db][safeSQLIdentificatorNaming(conf.tbl, True)] = dict((_, None) for _ in colList)
else:
parseSqliteTableSchema(unArrayizeValue(values))
elif not isNoneValue(values):
table = {}
columns = {}
for columnData in values:
if not isNoneValue(columnData):
columnData = [unArrayizeValue(_) for _ in columnData]
name = safeSQLIdentificatorNaming(columnData[0])
if name:
if conf.getComments:
_ = queries[Backend.getIdentifiedDbms()].column_comment
if hasattr(_, "query"):
if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
query = _.query % (unsafeSQLIdentificatorNaming(conf.db.upper()), unsafeSQLIdentificatorNaming(tbl.upper()), unsafeSQLIdentificatorNaming(name.upper()))
else:
query = _.query % (unsafeSQLIdentificatorNaming(conf.db), unsafeSQLIdentificatorNaming(tbl), unsafeSQLIdentificatorNaming(name))
comment = unArrayizeValue(inject.getValue(query, blind=False, time=False))
if not isNoneValue(comment):
infoMsg = "retrieved comment '%s' for column '%s'" % (comment, name)
logger.info(infoMsg)
else:
warnMsg = "on %s it is not " % Backend.getIdentifiedDbms()
warnMsg += "possible to get column comments"
singleTimeWarnMessage(warnMsg)
if len(columnData) == 1:
columns[name] = None
else:
key = int(columnData[1]) if isinstance(columnData[1], six.string_types) and columnData[1].isdigit() else columnData[1]
if Backend.isDbms(DBMS.FIREBIRD):
columnData[1] = FIREBIRD_TYPES.get(key, columnData[1])
elif Backend.isDbms(DBMS.INFORMIX):
notNull = False
if isinstance(key, int) and key > 255:
key -= 256
notNull = True
columnData[1] = INFORMIX_TYPES.get(key, columnData[1])
if notNull:
columnData[1] = "%s NOT NULL" % columnData[1]
columns[name] = columnData[1]
if conf.db in kb.data.cachedColumns:
kb.data.cachedColumns[safeSQLIdentificatorNaming(conf.db)][safeSQLIdentificatorNaming(tbl, True)] = columns
else:
table[safeSQLIdentificatorNaming(tbl, True)] = columns
kb.data.cachedColumns[safeSQLIdentificatorNaming(conf.db)] = table
elif isInferenceAvailable() and not conf.direct:
for tbl in tblList:
if conf.db is not None and len(kb.data.cachedColumns) > 0 \
and conf.db in kb.data.cachedColumns and tbl in \
kb.data.cachedColumns[conf.db]:
infoMsg = "fetched tables' columns on "
infoMsg += "database '%s'" % unsafeSQLIdentificatorNaming(conf.db)
logger.info(infoMsg)
return {conf.db: kb.data.cachedColumns[conf.db]}
infoMsg = "fetching columns "
condQuery = ""
if len(colList) > 0:
if colTuple:
_, colCondParam = colTuple
infoMsg += "LIKE '%s' " % ", ".join(unsafeSQLIdentificatorNaming(col) for col in sorted(colList))
else:
colCondParam = "='%s'"
infoMsg += "'%s' " % ", ".join(unsafeSQLIdentificatorNaming(col) for col in sorted(colList))
condQueryStr = "%%s%s" % colCondParam
condQuery = " AND (%s)" % " OR ".join(condQueryStr % (condition, unsafeSQLIdentificatorNaming(col)) for col in sorted(colList))
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.HSQLDB, DBMS.H2):
query = rootQuery.blind.count % (unsafeSQLIdentificatorNaming(tbl), unsafeSQLIdentificatorNaming(conf.db))
query += condQuery
elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
query = rootQuery.blind.count % (unsafeSQLIdentificatorNaming(tbl.upper()), unsafeSQLIdentificatorNaming(conf.db.upper()))
query += condQuery
elif Backend.isDbms(DBMS.MSSQL):
query = rootQuery.blind.count % (conf.db, conf.db, unsafeSQLIdentificatorNaming(tbl).split(".")[-1])
query += condQuery.replace("[DB]", conf.db)
elif Backend.isDbms(DBMS.FIREBIRD):
query = rootQuery.blind.count % unsafeSQLIdentificatorNaming(tbl)
query += condQuery
elif Backend.isDbms(DBMS.INFORMIX):
query = rootQuery.blind.count % (conf.db, conf.db, conf.db, conf.db, conf.db, unsafeSQLIdentificatorNaming(tbl))
query += condQuery
elif Backend.isDbms(DBMS.SQLITE):
if dumpMode and colList:
if conf.db not in kb.data.cachedColumns:
kb.data.cachedColumns[conf.db] = {}
kb.data.cachedColumns[conf.db][safeSQLIdentificatorNaming(conf.tbl, True)] = dict((_, None) for _ in colList)
else:
query = rootQuery.blind.query % unsafeSQLIdentificatorNaming(tbl)
value = unArrayizeValue(inject.getValue(query, union=False, error=False))
parseSqliteTableSchema(unArrayizeValue(value))
return kb.data.cachedColumns
table = {}
columns = {}
if dumpMode and colList:
count = 0
for value in colList:
columns[safeSQLIdentificatorNaming(value)] = None
else:
infoMsg += "for table '%s' " % unsafeSQLIdentificatorNaming(tbl)
infoMsg += "in database '%s'" % unsafeSQLIdentificatorNaming(conf.db)
logger.info(infoMsg)
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
if not isNumPosStrValue(count):
if Backend.isDbms(DBMS.MSSQL):
count, index, values = 0, 1, []
while True:
query = rootQuery.blind.query3 % (conf.db, unsafeSQLIdentificatorNaming(tbl), index)
value = unArrayizeValue(inject.getValue(query, union=False, error=False))
if isNoneValue(value) or value == " ":
break
else:
columns[safeSQLIdentificatorNaming(value)] = None
index += 1
if not columns:
errMsg = "unable to retrieve the %scolumns " % ("number of " if not Backend.isDbms(DBMS.MSSQL) else "")
errMsg += "for table '%s' " % unsafeSQLIdentificatorNaming(tbl)
errMsg += "in database '%s'" % unsafeSQLIdentificatorNaming(conf.db)
logger.error(errMsg)
continue
for index in getLimitRange(count):
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.HSQLDB):
query = rootQuery.blind.query % (unsafeSQLIdentificatorNaming(tbl), unsafeSQLIdentificatorNaming(conf.db))
query += condQuery
field = None
elif Backend.isDbms(DBMS.H2):
query = rootQuery.blind.query % (unsafeSQLIdentificatorNaming(tbl), unsafeSQLIdentificatorNaming(conf.db))
query = query.replace(" ORDER BY ", "%s ORDER BY " % condQuery)
field = None
elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
query = rootQuery.blind.query % (unsafeSQLIdentificatorNaming(tbl.upper()), unsafeSQLIdentificatorNaming(conf.db.upper()))
query += condQuery
field = None
elif Backend.isDbms(DBMS.MSSQL):
query = rootQuery.blind.query.replace("'%s'", "'%s'" % unsafeSQLIdentificatorNaming(tbl).split(".")[-1]).replace("%s", conf.db).replace("%d", str(index))
query += condQuery.replace("[DB]", conf.db)
field = condition.replace("[DB]", conf.db)
elif Backend.isDbms(DBMS.FIREBIRD):
query = rootQuery.blind.query % unsafeSQLIdentificatorNaming(tbl)
query += condQuery
field = None
elif Backend.isDbms(DBMS.INFORMIX):
query = rootQuery.blind.query % (index, conf.db, conf.db, conf.db, conf.db, conf.db, unsafeSQLIdentificatorNaming(tbl))
query += condQuery
field = condition
query = agent.limitQuery(index, query, field, field)
column = unArrayizeValue(inject.getValue(query, union=False, error=False))
if not isNoneValue(column):
if conf.getComments:
_ = queries[Backend.getIdentifiedDbms()].column_comment
if hasattr(_, "query"):
if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
query = _.query % (unsafeSQLIdentificatorNaming(conf.db.upper()), unsafeSQLIdentificatorNaming(tbl.upper()), unsafeSQLIdentificatorNaming(column.upper()))
else:
query = _.query % (unsafeSQLIdentificatorNaming(conf.db), unsafeSQLIdentificatorNaming(tbl), unsafeSQLIdentificatorNaming(column))
comment = unArrayizeValue(inject.getValue(query, union=False, error=False))
if not isNoneValue(comment):
infoMsg = "retrieved comment '%s' for column '%s'" % (comment, column)
logger.info(infoMsg)
else:
warnMsg = "on %s it is not " % Backend.getIdentifiedDbms()
warnMsg += "possible to get column comments"
singleTimeWarnMessage(warnMsg)
if not onlyColNames:
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.HSQLDB, DBMS.H2):
query = rootQuery.blind.query2 % (unsafeSQLIdentificatorNaming(tbl), column, unsafeSQLIdentificatorNaming(conf.db))
elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
query = rootQuery.blind.query2 % (unsafeSQLIdentificatorNaming(tbl.upper()), column, unsafeSQLIdentificatorNaming(conf.db.upper()))
elif Backend.isDbms(DBMS.MSSQL):
query = rootQuery.blind.query2 % (conf.db, conf.db, conf.db, conf.db, column, conf.db, conf.db, conf.db, unsafeSQLIdentificatorNaming(tbl).split(".")[-1])
elif Backend.isDbms(DBMS.FIREBIRD):
query = rootQuery.blind.query2 % (unsafeSQLIdentificatorNaming(tbl), column)
elif Backend.isDbms(DBMS.INFORMIX):
query = rootQuery.blind.query2 % (conf.db, conf.db, conf.db, conf.db, conf.db, unsafeSQLIdentificatorNaming(tbl), column)
colType = unArrayizeValue(inject.getValue(query, union=False, error=False))
key = int(colType) if hasattr(colType, "isdigit") and colType.isdigit() else colType
if Backend.isDbms(DBMS.FIREBIRD):
colType = FIREBIRD_TYPES.get(key, colType)
elif Backend.isDbms(DBMS.INFORMIX):
notNull = False
if isinstance(key, int) and key > 255:
key -= 256
notNull = True
colType = INFORMIX_TYPES.get(key, colType)
if notNull:
colType = "%s NOT NULL" % colType
column = safeSQLIdentificatorNaming(column)
columns[column] = colType
else:
column = safeSQLIdentificatorNaming(column)
columns[column] = None
if columns:
if conf.db in kb.data.cachedColumns:
kb.data.cachedColumns[safeSQLIdentificatorNaming(conf.db)][safeSQLIdentificatorNaming(tbl, True)] = columns
else:
table[safeSQLIdentificatorNaming(tbl, True)] = columns
kb.data.cachedColumns[safeSQLIdentificatorNaming(conf.db)] = table
if not kb.data.cachedColumns:
warnMsg = "unable to retrieve column names for "
warnMsg += ("table '%s' " % unsafeSQLIdentificatorNaming(unArrayizeValue(tblList))) if len(tblList) == 1 else "any table "
warnMsg += "in database '%s'" % unsafeSQLIdentificatorNaming(conf.db)
logger.warn(warnMsg)
if bruteForce is None:
return self.getColumns(onlyColNames=onlyColNames, colTuple=colTuple, bruteForce=True)
return kb.data.cachedColumns
